Compliance professionals are implementing their own monitoring and auditing strategies.  Internal audit does not have the resources nor the time to assume responsibility for this function.  If possible, internal audit may support, advise and assist in the monitoring and auditing functions.  Frankly, a partnership between compliance and internal audit in this area is ideal but compliance cannot wait for internal audit to join the mission.  Compliance has to take responsibility for this function, especially as they implement automated third-party solutions.

Building on the six issues identified in yesterday’s posting, a tailored approach has to be developed so that a consistent process is executed. This is only a general list of issues and specific circumstances can vary depending on the exact risk profile.

Issue 1 – Distribution Chain and Foreign Government Interactions:  Under this issue, the risks fall into two categories: foreign government sales and tenders and regulatory interactions, whether carried out directly by distributor or with assistance of sub-distributors in distribution chain.  Under the sales and tender issues, compliance has to focus on a sample of tenders based on risk factors: (i) existence of established procedures and confirmation of following such procedures (including information disclosure re RFP and absence of favoritism); (ii) communications and interactions with key members of foreign officials and/or tender committee, if present; (iii) involvement of other parties in tender process and role they played in the process; and (iv) ultimate award and selection criteria.  Ideally, the company should maintain controls surrounding the review and approval of a tender submission.

Issue 2 – Outflow of Money:  Compliance should examine the proper use of funds that may be given by the company to the distributor for marketing or promotion, rebates and/or pricing discounts.  Hopefully, there are existing controls for these situations and documentation should exist for review purposes.  In the marketing or promotional allowance, such expenditures have to be confirmed by documentation from the distributor that the funds (or a credit note) were used for proper purposes.

Issue 3 – Transaction Review – If the company has access to distributor sales transactions (which is rare), then unusual situations should be sampled.  To the extent that a distributor purchases product from the company for significant discounts, such transactions are high risk and compliance should seek confirmation and documentation related to this small number of transactions, including the ultimate mark-up to determine the portion of the discount that was passed to the customer. In the recent Microsoft FCPA enforcement action, Microsoft funded its bribery scheme by passing on only a portion of any discount to the customer.

Issue 4 – Sanctions Risks – The Epsilon case from last year (Here) demonstrated the significant risks companies face that a distributor in certain geographic locations may resale products to prohibited persons or countries (e.g. Iran, North Korea and Cuba).  Distributors that operate in these high risk locations in close proximity to prohibited countries have to be subject to additional documentation and verification requirements.  If end user/customer documentation is not available or required, compliance has to sample various transactions and seek documentation (bill of lading etc.) confirming who and where the ultimate customer is located.

Issue 5 – Confirmation of Training Participation – If the company provided training, either in person or online, to the distributor, compliance should confirm attendance records and identify any persons who failed to undergo compliance.

Issue 6 – Distributor Contract Compliance – A review of the distributor’s contract and specific requirements for certifications, documentation of invoices, and other compliance requirements should be conducted.  If deficiencies are identified, compliance has to work with the business to ensure proper communication of deficiencies to the distributor and development of a remediation plan or consideration of additional measures, including possible breach or other remedies.

Under this issue, compliance should seek verification that the distributor secured appropriate compliance assurances from sub-distributors and other persons or entities in the distribution chain.  If the contract includes specific requirements for documentation of these assurances, the distributor should produce such documentation to confirm compliance by members of the distribution chain.