March 18, 2009
Many companies routinely require audit rights in their agreements with intermediaries, -- and why not? Audit rights strike most compliance professionals as a simple, low-cost process improvement that is easy to incorporate in contracts alongside standard FCPA language.
But this decision deserves more attention than it usually gets. Due diligence addresses the FCPA’s “knew or should have known” standard. But with audit rights in place, doesn’t the universe of what companies “should have known” expand? The additional burden shouldn’t be adopted lightly.
The companies we have asked fall into one of three categories on audit rights: (i) they don’t ask intermediaries for audit rights and they don’t want them; (ii) they include audit rights in their contracts, knowing that they can’t afford to exercise them; or (iii) they get audit rights with the unspoken (or, occasionally the explicit), understanding that the intermediary would never really permit the company to exercise them. Only a handful of companies have audit rights and exercise them with any regularity. So, what is worse from an FCPA compliance perspective – not having audit rights at all, or having audit rights and failing to exercise them? And is it true that having them and failing to exercise them creates a bigger compliance problem than not having them at all?
At a recent International Corporate Compliance conference in Washington, an anti-corruption compliance panel wandered into a discussion over whether audit rights had become somewhat of a “false standard” in the FCPA compliance repertoire.
A representative of the DOJ defended the audit rights standard, while acknowledging that their effectiveness depends on the resources a company has to enforce and exercise such rights. According to the panelist, audit rights should not be overly burdensome to a company if they are only used after a triggering event occurs and then exercised in accordance with a specific scope. Consistent with the general consensus on this issue, the panelists agreed that push back from an intermediary on the exercise of audit rights is a “red flag” in itself.
But an intermediary could resist an audit for many reasons. The great majority of third party intermediaries are relatively small entities. They don’t keep segregated accounts for different principals and they can’t permit one principal to rifle through the records of another.
Many intermediaries are already convinced that US companies are overreaching with their invasive due diligence, their mandatory training and their ongoing monitoring. They are likely to see audit rights as a further intrusion into their business. A company can keep robust records without wanting to make them available to every company that asks to see them.
Simply concluding that intermediaries “must have something to hide” if they don’t embrace your team of auditors may miss the business and cultural realities.
Demanding audit rights may sound like a better idea than it will prove to be in practice. Before a company includes audit rights in its agreements, whether out of an abundance of caution, out of habit or simply out of vague good intentions, it makes sense to think through the consequences of having “rights” that may prove impractical, offensive or simply too costly to exercise.