Risk assessments and internal controls - a podcast by Thomas Fox

from 2021-01-31T22:10:42.023393


Next, I will review how to use the risk assessment you have performed as a tool to provide a structured approach to establishing effective internal controls. After preparing the risk assessment, the next step is to prioritize the list of risks and identify the locations in which they are common. This begins by mapping existing internal controls to risks and then assessing whether the internal controls are sufficient to mitigate the risks.
One of the biggest risks under the FCPA arises where sales are conducted through third parties. If your company is moving into new geographic markets or new products and does not plan to use an internal sales team to facilitate these new efforts, it presents a high compliance risk. The compliance function should understand the corporate or business unit controls over the international business in addition to the necessary controls over agents. Some of the questions you might consider are the following: Is there a U.S.-based international sales manager who is responsible for growing the business? What is the incentive compensation plan? How good are the SODs? In other words, can the international sales manager unilaterally make high-risk decisions, or must a senior officer of the business unit or the corporate home office be part of the approval process? Finally, and in a point not to be forgotten or dismissed, how are these internal controls documented?
What about the opposite situation, where your company’s primary sales channel uses a U.S.-based sales force which only travels to locations outside the U.S. for temporary visits of generally short duration? This situation minimizes, retains and shifts some compliance risks. The minimized compliance risks come from the reduced reliance on third parties, so that a company, at least in theory, would have more control over its own work force than over those employed outside the company. The retained risks are the risks associated with gifts, travel and entertainment; approval of credit terms to customers; product pricing; special arrangements with customers such as providing product samples; knowing who the ultimate customer is and where the goods are ultimately shipped; and use of freight forwarders and customs agents. Shifted risks are created if there is no physical location outside the U.S. because the accounting must be done in the U.S. This means that compliance risks regarding the accounting function simply shift to the U.S. accounting department where transactions are processed and recorded and where the financial statements are prepared.
These identified risks need to be subject to appropriate internal controls because it is well established that issuing a Code of Conduct and/or compliance policy and training on that policy’s requirements is a good practice, but it does not provide reasonable assurance that employees will comply with the policies. What is needed are written procedures and work instructions, in the native language of the respective employees, that define exactly what procedures are to be performed and how they will be evidenced. As difficult as it is for U.S. employees to translate, by themselves, what it means to comply with policies, it may be significantly more difficult for employees outside the U.S., not only due to language but also due to traditional local business practices, cultures and customs.
Three key takeaways:

Third party risks are still your highest risks under the FCPA so use your internal controls appropriately to help prevent this risk from becoming a violation. 

Use mapping and a gap analysis to collate risks to existing controls. 

Always consider the regional and geographic variances. 
