James Tillen discusses best practices for FCPA compliance audits and monitoring, saying that an effective monitoring and evaluation system must include a compliance-program assessment, risk assessment, and an FCPA compliance audit. "These audits require unique skills," because FCPA audits are unique, he said.

The deferred prosecution agreement that the Department of Justice struck with Johnson & Johnson in April is particularly instructive when it comes to FCPA audits, Tillen said. In the J&J case, the company is "required to conduct periodic audits to detect violations of anti-corruption laws and regulations, and identify no less than five sites that are high risk, based on risk assessments, and conduct FCPA audits of those sites at least once every three years," he said. Such practices should serve as a model for other companies, Tillen added.

As the J&J case demonstrates, an FCPA audit requires training in more investigative-type skills than is required for a normal audit, Tillen said. The J&J settlement required the company to conduct, where appropriate, on-site visits by personnel from the compliance and legal departments, he added. "Where appropriate, feasible, and permissible under local law," company auditors should also review the books and records of distributors and other third parties, Tillen suggested. "Companies should seek audit rights with third-party vendors who might subject them to FCPA issues, and they should exercise that audit right," he said.