The Department of Justice and the Securities and Exchange Commission just released A Resource Guide to the U.S. Foreign Corrupt Practices Act. What is the Foreign Corrupt Practices Act, and how does it affect information security? What controls are necessary, and how does the act map to regulations and standards we comply with now, such as SOX?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The Foreign Corrupt Practices Act (FCPA) is a U.S. federal law passed in 1977 that applies to all U.S. individuals and businesses. At its heart, the FCPA has two major provisions. The first is a set of rules that prohibit bribe payments (whether monetary or nonmonetary) from U.S. persons and businesses to foreign officials. The second is a set of accounting rules that require all companies publicly traded in the U.S. to keep a consistent set of records that reflect the business transactions of the organization. These accounting provisions are designed to ensure that companies are not able to hide bribe payments through intentionally sloppy accounting practices.
From an information security perspective, there's not really much to address under the anti-bribery provisions of FCPA, unless you're in the habit of paying bribes related to information security! (If you are, don't do that.) However, the accounting provisions do affect security professionals. Specifically, FCPA requires that businesses implement a set of internal controls that:
- Ensures that transactions are executed with authorization from management;
- Ensures that transactions are recorded in a manner that allows preparation of accurate financial statements and asset tracking;
- Permits access to assets only with management authorization; and
- Performs periodic reconciliations between financial records and assets.
Information security professionals will often be called upon to perform risk assessments and design specific provisions of these controls. Security professionals at publicly traded companies should already be familiar with these practices from Sarbanes-Oxley Act compliance. Internal controls should be applied to all financially significant systems and often include ensuring adequate logging, verification of the proper functioning of access control mechanisms and performing periodic account reviews.
This was first published in April 2013