Last October, the Securities and Exchange Commission sent a clear message to companies with significant operations overseas: ensure that a robust anti-bribery program is in place and functioning properly or pay the price.
The SEC sent that message via a $10 million fine against Sussex, Wisconsin-based printing and marketing company Quad/Graphics Inc. Even though the company voluntarily reported that a Peruvian subsidiary repeatedly paid or promised to pay bribes to government officials to secure business, and the company proposed a series of reforms to guard against future offenses, the SEC still came down hard on the printing company.
As the SEC explains in its administrative order noting the settlement of the chargers, it hit Quad/Graphics with the $10 million fine partly because the company neglected to conduct any internal audits of its anti-bribery and anti-corruption programs. “Internal audit had no visible role in anti-corruption testing and the company failed to conduct broad FCPA or ethics training until approximately 2012,” the SEC wrote in its order.
The SEC also documented several instances of faulty or non-existent controls at the company to discourage such wrongdoing. “Quad lacked a system of internal accounting controls sufficient to detect or prevent the payments despite the presence of numerous red flags, including vendor invoices with rounded dollar amounts, large invoice amounts that were disproportionate to the services described, invoices that were consecutively numbered (sometimes with the same date), and invoices without purchase orders or other supporting documentation,” the SEC wrote.
Companies that want to avoid Quad/Graphic’s fate will want to ensure that the internal audit function is conducting regular audits of the anti-bribery and anti-corruption program based on a solid assessment of the company’s risk of non-compliance with the Foreign Corrupt Practices Act and other bribery laws.
Not Just U.S. Regulation
Most internal auditors will be familiar with the U.S.’s Foreign Corrupt Practices Act, which prohibits any U.S. business—including those that trade on U.S. exchanges—and their employees from making payments to government officials or politicians anywhere in the world to influence business dealings. But there are other bribery laws around the world that internal auditors must also be familiar with.
For example, the United Kingdom finalized the U.K. Bribery Act in 2010, which defines bribery even more broadly than the FCPA. In addition to bribery, the U.K. Bribery Act outlaws facilitation payments or what are sometimes called “grease payments.” These are payments to officials to expedite a business transaction or government service, such as the movement of goods in or out of a country. Other countries, including China, Brazil, Australia, and many others have enacted their own bribery and corruption laws or they have recently launched crackdowns on bribery.
Conducting a Risk Assessment
A good assessment of the anti-bribery and corruption program will often start with a risk assessment. A comprehensive risk assessment identifies and analyzes bribery and corruption risks throughout the organization, including all locations and types of business. The review will look at the countries where the organization conducts business and the level of corruption in those countries. The risk assessment should also look at the types of products and services its units provide, with special attention paid to those products and services that are typically sold to governments, such as defense and healthcare.
While selling products and services directly to foreign governments will certainly increase the risks of an FCPA violation, it doesn’t mean organizations that don’t transact directly with foreign governments have no bribery and corruption risk. Walmart, for example, settled FCPA charges this June with the SEC and U.S. Department of Justice for $282 million. The agencies alleged that the retail giant made illegal payments to an intermediary to obtain construction permits in Brazil.
As it did in the Quad/Graphics case, the U.S. Justice Department also accused Walmart of having lax internal controls, particularly in Brazil, China, India, and Mexico. “In numerous instances, senior Walmart employees knew of failures of its anti-corruption-related internal controls involving foreign subsidiaries, and yet Walmart failed for years to implement sufficient controls comporting with U.S. criminal laws,” the agency noted in a statement announcing the settlement.
In a Practice Guide from the Institute of Internal Auditors titled, “Auditing Anti-Bribery and Anti-Corruption Programs,” the IIA listed some sample review questions to help companies assess their bribery and corruption risks. They include:
- Does the organization use business intelligence resources to identify bribery and corruption risks when exploring business opportunities in established and emerging markets?
- Does the organization regularly conduct due diligence on third-party providers?
- Does the organization’s due diligence process meet regulatory requirements for scope and thoroughness?
- Are third-party agreement approvals in place?
- Is there a history of lawsuits, fines, and penalties related to bribery and corruption?
Another aspect of bribery and corruption risk is the country where the business activity is being conducted. Indeed, different countries can have widely varying corruption risk profiles. Anti-bribery watchdog organization Transparency International publishes an annual guide that provides a corruption score for many countries that may also help companies assess the risks of doing business there.
In its latest iteration of its Corruption Perception Index, for example, Denmark, New Zealand, Finland, Singapore, and Sweden were considered the least risky countries to do business in, from a bribery and corruption standpoint. On the other end of the spectrum, Somalia, Syria, South Sudan, Yemen, and North Korea were considered to have the highest risks for public sector corruption.
Program Design and Control Activities
Once the risks are assessed, the internal audit can focus on high-risk areas. A good place to start is with a review of the company’s policies and procedures on anti-bribery and corruption. “The organization’s anti-bribery and anti-corruption standards should be clearly defined in well-documented policies. Detailed underlying procedures should explain how employees, business partners, and third parties should behave, and clearly specify what behavior is unacceptable and noncompliant,” the IIA notes in its practice guide. All policies should be documented properly, approved by appropriate management, comply with applicable laws and regulations, and communicated regularly to all employees.
Policies are just one set of controls to guard against bribery and corruption. The Committee of Sponsoring Organization’s internal control framework recommends these other examples of anti-bribery and anti-corruption controls:
- Corporate ethics and anti-corruption and anti-bribery policies
- Provisions for compliance with anti-bribery regulations included in contracts with third parties
- Anti-fraud and anti-corruption training provided to employees
- A whistleblower program
- Requirement for employees to record events where they had contact with government officials, political parties and officials, or political candidates and their families
- Enforcement of delegation-of-authority limits
- Procurement policies and procedures and periodic compliance reviews
- Political contributions approved by the board of directors
- User access and segregation of incompatible duties controls
As mentioned above, training is another important aspect of any organization’s anti-bribery program. Employees, especially those who interact with government officials or related third parties, should receive training on anti-bribery and corruption. Employees should be trained on what constitutes bribery, how it can harm the organization, and how to report it whether through the whistleblower hotline or to a company official.
Continuous Monitoring
A good anti-bribery program should also include monitoring activities and more mature programs or those with higher risks should consider implementing continuous monitoring. A continuous monitoring system for anti-bribery has the ability to raise red flags on particular transactions nearly in real time. For example, a series of payments to an individual in a foreign country who has not been vetted as an official vendor of the company might be flagged by the system automatically for further inspection.
Automated data analysis and transaction monitoring can go a long way to protecting against bribery and corruption violations. The system, however, needs to be well programed to avoid generating too many flagged transactions that are not problematic, know as false positives. For automated data analysis, the company will also need to ensure the quality and relevancy of the underlying data. This means being precise in specifying what data is being captured and making sure that the data addresses actual risks. Controls can be implemented to ensure transactions can’t be completed outside the system where they can’t be monitored.
In addition to continuous monitoring, a good anti-bribery and anti-corruption program should also have an element of self-assessment and benchmarking. Internal audit can help the managers who are ultimately responsible for anti-bribery compliance to do their own self-assessments as an addition to regular internal audits of the program. That will ensure that those managers are considering improving the elements of the program on a regular basis and not just when an audit is planned.
Tone at the Top
One last word on auditing the anti-bribery program: Perhaps the most important element of any anti-bribery program is the culture of the company as conveyed by the tone at the top. Companies can have all the policies and internal controls in place, but if there is a culture of corruption or a “win at all cost” mentality, then there will always be a higher risk of bribery and corruption violations. So any audit of the anti-bribery and corruption program should include some examination of the culture of the organization and the tone of its leaders and how they contribute to a compliant or non-compliant environment.
The SEC and the Department of Justice—not to mention regulatory agencies in other countries—are still pursuing bribery and FCPA cases at a feverish pitch. Companies that can demonstrate that they have a solid anti-bribery program in place and that they have conducted audits of it on a regular basis will fare much better than those that have not ensured that internal controls and other aspects of the program are in place and that they are functioning properly. Just ask Quad/Graphics. 
Joseph McCafferty is Editor & Publisher of Internal Audit 360°