The Department of Justice and the Securities and Exchange Commission just released A Resource Guide to the U.S. Foreign Corrupt Practices Act. What is the Foreign Corrupt Practices Act, and how does it affect information security? What controls are necessary, and how does the act map to regulations and standards we comply with now, such as SOX?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The Foreign Corrupt Practices Act (FCPA) is a U.S. federal law passed in 1977 that applies to all U.S. individuals and businesses. At its heart, the FCPA has two major provisions. The first is a set of rules that prohibit bribe payments (whether monetary or nonmonetary) from U.S. persons and businesses to foreign officials. The second is a set of accounting rules that require all companies publicly traded in the U.S. to keep a consistent set of records that reflect the business transactions of the organization. These accounting provisions are designed to ensure that companies are not able to hide bribe payments through intentionally sloppy accounting practices.
From an information security perspective, there's not really much to address under the anti-bribery provisions of FCPA, unless you're in the habit of paying bribes related to information security! (If you are, don't do that.) However, the accounting provisions do affect security professionals. Specifically, FCPA requires that businesses implement a set of internal controls that:
- Ensures that transactions are executed with authorization from management;
- Ensures that transactions are recorded in a manner that allows preparation of accurate financial statements and asset tracking;
- Permits access to assets only with management authorization; and
- Performs periodic reconciliations between financial records and assets.
Information security professionals will often be called upon to perform risk assessments and design specific provisions of these controls. Security professionals at publicly traded companies should already be familiar with these practices from Sarbanes-Oxley Act compliance. Internal controls should be applied to all financially significant systems and often include ensuring adequate logging, verification of the proper functioning of access control mechanisms and performing periodic account reviews.
Dig deeper on Sarbanes-Oxley Act
Related Q&A from Mike Chapple, Enterprise Compliance
Should companies obtain U.S. security clearance to join the Enhanced Cybersecurity Services program? Mike Chapple offers his perspective.continue reading
Does a Web application security assessment termed 'compliance ready' seem too good to be true? Learn its role in an enterprise compliance program.continue reading
Learn how hiring the right PCI DSS-compliant service providers, especially payment services providers, can reduce your compliance burden.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.