Recent aggressive anti-bribery actions by various governments are indicative of new challenges that businesses with global operations or supply chains are encountering. Although the U.S. Foreign Corrupt Practices Act (FCPA) has been the preeminent anti-corruption law for most companies with international operations or financial ties, in recent years other countries have become assertive in enforcing their own regulations, further complicating an organization’s governance, risk management, and compliance efforts (see “Sharper Focus on Foreign Bribery” below).
This growing complexity reinforces the importance of a system of strong internal controls backed by an effective, independent internal audit function. An internal auditor gives an organization’s governing body and senior management comprehensive assurance that anti-bribery controls are in place, designed appropriately, and operating as prescribed. Moreover, a leading practice is to map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the FCPA Guidance. After you have mapped the controls (we suggest using the COSO 2013 Framework), you can perform a gap analysis to determine where you might need to implement internal compliance controls in your anti-corruption compliance program.
For example, you can recommend that procedures be written for all key compliance areas that currently have none, and that existing procedures be updated to include compliance issues and a clear definition of how controls are to be evidenced. In this way you can move from having detect controls in place to having prevent controls, whenever possible.
Remember that internal control is a process, effected by those charged with governance or an entity’s board of directors, as well as management, and other personnel, designed to provide reasonable, not absolute (emphasis added) assurances that policies, procedures, monitoring, and training are in place to help mitigate risk by ensuring that company assets are used properly, with proper review and approval, so that transactions are properly recorded in the books and records. “Reasonable assurances” is further defined as “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs and recognizes that the costs of internal controls should not exceed the benefits expected to be derived.”
The International Standards for the Professional Practice of Internal Auditing (Standards) points out that although internal auditors are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud, they must possess the requisite knowledge to evaluate the potential for fraud — including corruption — to occur, along with the methods the organization uses to manage fraud risk. Enforcement actions by authorities in several nations provide valuable insight into the tools, processes, and procedures regulators expect organizations to follow to manage fraud risk. By reviewing such actions in the context of recent global anti-corruption trends, internal auditors can build the knowledge needed to meet their professional responsibilities.
Growing Roster of Enforcers
The U.S. has pursued foreign bribery cases more actively than other countries in recent years. U.S. authorities imposed sanctions against individuals and companies in 128 foreign bribery cases during the 15-year period covered by the Organisation for Economic Co-operation and Development’s (OECD’s) 2014 Foreign Bribery Report. Germany sanctioned individuals and companies in 26 cases, South Korea imposed sanctions in 11 cases, and Italy, Switzerland, and the U.K. each imposed sanctions in six cases. Four anti-bribery laws are notable.
U.S.
The authority for most U.S. anti-corruption cases is the FCPA, which applies to all U.S.-based businesses, citizens, and residents. The FCPA also governs any “U.S. issuer,” a broad term that encompasses all foreign companies trading on U.S. exchanges as well as any other company that is required to file periodic reports with the U.S. Securities and Exchange Commission (SEC). It also applies to foreign subsidiaries of U.S. companies and U.S. subsidiaries of foreign companies.
In addition to the anti-bribery requirement, publicly traded companies are subject to the FCPA’s accounting provisions, which mandate that the books and records accurately reflect all transactions, and to its internal control provisions, which require companies to have appropriate internal controls to prevent, detect, and remedy FCPA violations. Internal audit has a separate role in testing the books and records, as well as in assisting with designing and implementing internal controls and then testing them.
German-based Siemens AG and Daimler AG, U.K.-based BAE Systems, France’s Total S.A., and Japan’s JGC Corp. are among the prominent companies that have been required to pay steep FCPA-related fines in recent years. As of the end of 2014, eight of the 10 largest penalties imposed by the U.S. government in FCPA cases were assessed on companies headquartered outside the U.S. Moreover, the Latin American Law & Business Report newsletter notes that, “foreign individuals and foreign companies that do not trade on U.S. exchanges can also violate the FCPA if they cause an act in furtherance of a corrupt payment within the U.S.”
U.K.
Several other countries’ laws are even broader in scope. For example, the U.K.’s Bribery Act of 2010 applies to a wider range of companies and makes a greater array of conduct illegal than the FCPA does. It has authority over any company that engages in any business or part of a business in the U.K. In addition to prohibiting the bribery of both government officials and nongovernment individuals, the Bribery Act penalizes the bribe receiver and not, as the FCPA does, just the bribe payer.
The U.K. act also prohibits de minimis “facilitation payments” for certain routine government actions that do not provide the payer with an unfair competitive advantage. A common example is the payment of a fee to speed up installation of telephone service by a state-owned telephone company. Practices such as this, regarded as a routine cost of doing business in some countries, are afforded an exemption under the FCPA but not under the Bribery Act.
Canada
In 2013, changes Canada made to its Corruption of Foreign Public Officials Act aligned it more closely with the FCPA. However, in some respects, such as the prohibition of facilitation payments, the Canadian law is more similar to the U.K. Bribery Act.
Brazil
Also in 2013, Brazil’s congress passed the Clean Company Act, which went into effect in January 2014. It is similar to the FCPA in that it targets only public corruption and not commercial bribery. But other aspects, such as those covering defendants’ state of mind and knowledge, are more similar to the U.K. Bribery Act.
The Brazilian law is particularly significant in that companies — not just individuals — are now subject to prosecution for bribery. Companies found guilty could face fines of up to 20 percent of their gross annual revenue, along with possible suspension of operations, confiscation of assets, and even dissolution. The law covers both bribery of foreign officials by Brazilian companies and bribery of local officials by any company.
The Clean Company Act also spells out a particularly strong oversight role for a company’s internal audit function. Under the law, having strong compliance programs in effect is not an affirmative defense against corruption charges, but authorities can consider compliance efforts to reduce penalties. These compliance efforts can be evaluated on three factors: 1) the structure of the program, including reporting mechanisms, training, policies and procedures, and periodic risk assessments; 2) specifics about the legal entity, including specific compliance risks; and 3) an evaluation of the program’s efficiency, including a case-by-case verification of the program’s effectiveness by internal audit.
High-profile Enforcement Actions
In addition to expanding their statutory authority, governments are undertaking more vigorous anti-corruption enforcement actions. Several recent cases provide useful insights into the internal controls that must be in place and internal auditors’ responsibilities for helping their organizations maintain compliance.
GlaxoSmithKline PLC (GSK)
One of the highest-profile actions in recent years has been an ongoing corruption investigation in China. The case culminated in September 2014 in the conviction of U.K.-based GSK for paying bribes to boost its business. China fined GSK a record US$491 million — the amount of the alleged bribery — and the former top GSK executive in China, four other company managers, and two ancillary GSK-hired investigators received criminal convictions.
The Chinese government’s entry into the international fight against corruption and bribery is a game changer. Foreign companies are now on notice: Doing business the old way will no longer be tolerated, and companies operating in China have a new risk to consider — possible prosecution under domestic Chinese law.
The Chinese example also could encourage additional anti-corruption enforcement around the globe. When other countries with endemic corruption issues see that they can attack their domestic corruption issues by prosecuting international businesses operating within their borders, there may be an appetite for additional prosecutions.
The GSK case also offers lessons about the potential cost of internal audit failures. Ironically, as various news sources have noted, GSK had more compliance officers in China than in any country except the U.S. and has conducted up to 20 internal audits a year in China. Nevertheless, the company was unprepared when Chinese officials accused it of using travel agencies to funnel bribes to doctors and officials under the guise of medical conferences and other events.
Although the cost of monitoring such payments would be high and would involve the tedious work of verifying numerous receipts and scrutinizing countless transactions for signs of fraud, the use of practices such as GSK’s to hide payments to doctors was a well-recognized risk. One lesson internal auditors can draw from the case is clear: If the risks for a certain pattern of corruption are well-known, a company must devote whatever resources are necessary to verify its compliance with relevant laws.
Avon
Another case of bribery allegations involved cosmetics maker Avon Products Inc. According to settlement agreements with the SEC and the U.S. Department of Justice, the company’s Chinese subsidiary paid US$8 million in bribes to Chinese officials in 2004 in the form of cash, gifts, travel, and entertainment. The purpose was to gain access to officials who were drafting and implementing new direct-selling regulations in China.
The Avon case demonstrates the high cost of a failure by the internal audit function — in this case fines and investigative costs of more than US$500 million. The bribes reportedly were detected by Avon’s internal audit function in 2005 and 2006, but the company’s CAE at the time was persuaded to withdraw the internal audit report and destroy all evidence. This information was never presented to Avon’s board, which learned of the corruption only because of an internal whistleblower.
Petrobras
The GSK case in China might be a harbinger of international anti-corruption enforcement actions based on domestic anti-bribery laws, but a case now underway in Brazil could turn out to be even larger. In fact, the investigation into Brazil’s state-owned energy company Petrobras eventually could become the world’s largest corruption investigation.
Petrobras CEO Maria das Gracas Foster and five board members have been forced to resign, and Brazilian President Dilma Rousseff has come under pressure because of her former role as minister of energy and president of the Petrobras board. The company’s former head of refining operations has told prosecutors that construction budgets for new projects were routinely inflated by 3 percent of their value to cover bribes and kickbacks, some of which were then routed to major Brazilian political parties. Another defendant has testified that more than a dozen of Brazil’s largest construction companies paid bribes to obtain contracts.
The case also has significant global implications. In addition to banks in Switzerland and the Cayman Islands, where funds allegedly were deposited, companies ranging from shipyards in Singapore to U.K.-based Rolls-Royce plc also have been accused of paying bribes.
Although the allegations in the Petrobras case occurred before the passage of Brazil’s Clean Company Act, the prosecution of the case is being watched closely for any precedents that could affect the new law’s implementation.
Internal Audit’s Approach
Examples such as Avon, GSK, and Petrobras can provide useful lessons for internal audit functions to help their organizations fight bribery and corruption. The IIA practice guide, Auditing Anti-bribery and Anti-corruption Programs, recommends internal audit assess the effectiveness of anti-bribery and corruption programs to help anticipate the risk and identify the existence of potential and actual incidents.
Two different, but complementary, approaches may be used, either separately or together: 1) auditing each component of the anti-bribery and corruption program, and 2) incorporating an assessment of anti-bribery and corruption measures in all audits, as appropriate. With the latter approach, bribery and corruption risks are incorporated into the risk assessment and scoping process of each audit. This process may:
▪ Include procedures to assess bribery and corruption risks.
▪ Evaluate potential bribery and corruption scenarios.
▪ Evaluate the control environment and anti-bribery and corruption programs in that audit area.
▪ Link the scope of an audit area’s procedures to its assessed risks.
In some situations, management may not want internal audit’s findings about potential corruption brought to the board’s attention. This is why any compliance program must include structural protection that allows internal audit to share its concerns with the board or, at a minimum, the audit committee.
Moreover, it is a best practice in compliance programs for the board or audit committee to seek out and ask the tough questions about whether internal audit has uncovered any evidence of FCPA violations. There must be internal audit independence, an independent reporting channel to the board, and board fulfillment of its role in a compliance regime.
Internal audit’s role in anti-bribery and corruption programs depends on an organization’s governance structure. In addition, internal audit’s level of involvement should be recommended by the CAE and approved by the board. In all cases, however, it is critical that the function has the independence from senior management necessary to report directly to the board when violations of law are uncovered. By adhering to the Standards — and by understanding and applying the lessons from recent enforcement actions — internal auditors can be better prepared to provide the crucial third line of defense against fraud and corruption.
Jonathan T. Marks, CPA, CFE
Thomas R. Fox, JD
Article originally appeared in Internal Auditor Magazine and has been modified.