FCPA enforcement actions in the recent past, as well as the FCPA Guidance, highlight the importance of including audit rights in written contracts with third-party contractors. But just including them is not enough. The Assistant Director of the SEC’s FCPA Unit, Tracy Price, has publicly stated that enforcement agencies are also looking at how companies choose to exercise these rights. This post provides four practical tips for exercising audit rights.
Think ahead. Companies should be prepared to exercise audit rights and take steps to reduce difficulties in exercising them long before they have to do so. In Latin America, for example, enforcing audit clauses is often extremely difficult, time-consuming, and costly. Contracts with third parties frequently mention a “right to audit” but contain few specifics, complicating the ability to act on an expedited basis, or even to enforce the clause at all. When drafting audit clauses, counsel should be careful to expressly mention, among other things, all types of information and documentation that need to be provided, determine who can define the scope of the audit and select the auditors, and establish record-keeping obligations for the third party. Some suggestions for avoiding pitfalls when drafting audit rights in Latin America can be found here. Other provisions that counsel should consider for third-party contractors to control FCPA exposure in the region can be found here and here.
Define the third parties that will be audited. Companies often do business with numerous third parties. Exercising audit rights on every one would likely be impractical, if not impossible. Instead, companies should focus on exercising audit rights over the third parties that represent the highest risks from an anti-corruption perspective. For example, if a company uses 200 distributors and sales agents to commercialize its products, it could focus on those that sell to government entities. If the number of third parties to be audited is still impractical, the company should take a risk-based approach and select a sample of distributors and sales agents based on volume of sales to government entities, countries (or the region of countries) in which they do business, etc. Companies should consider not only third parties that sell to the government, but also third parties that interact with government officials on the companies’ behalf (e.g., customs brokers, despachantes, etc.). The DOJ and SEC may not look kindly on a situation in which a long-term third party providing significant services for a company in a high-risk jurisdiction has never been audited, especially if a compliance issue related to that third party arises at some point. Companies should also consider exercising audit rights on their third parties in the case of allegations (public or not) of improper conduct by the third party.
Define the scope of the audit. The exact scope of the audit will vary depending on the context in which it is conducted. If carried out in the context of an internal investigation, the audit will likely be more focused on specific transactions that need to be clarified. In the context of regular audits, companies should consider checking the anti-corruption practices of the third party in general. This includes examining the history of anti-corruption trainings, existing compliance-related policies and procedures, and the history of compliance complaints received on the target’s hotline. The exact scope of the audit will depend on a number of factors, including the nature of the services provided by the third party and the volume of transactions. If the third party sells to government entities, for example, the company may consider checking documentation related to tenders.
Document the audit. To reduce FCPA risks, companies must document their compliance efforts. They should have a record showing their risk-based approach to selecting third parties for auditing. They should document the steps taken during the audit itself, its main findings, and the remedial actions that were taken, when applicable. It is a good practice to keep such records while the relationship with the third party is ongoing and for an additional period of at least 5 years after it is discontinued or terminated.
The opinions expressed in this post are those of the author in his or her individual capacity, and do not necessarily represent the views of anyone else, including the entities with which the author is affiliated, the author’s employers, other contributors, FCPAméricas, or its advertisers. The information in the FCPAméricas blog is intended for public discussion and educational purposes only. It is not intended to provide legal advice to its readers and does not create an attorney-client relationship. It does not seek to describe or convey the quality of legal services. FCPAméricas encourages readers to seek qualified legal counsel regarding anti-corruption laws or any other legal issue. FCPAméricas gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to FCPAméricas LLC.
© 2014 FCPAméricas, LLC
Post authored by Carlos Henrique da Silva Ayres, FCPAméricas Contributor