As internal auditors stretch into new areas of corporate risk, audit techniques around anti-corruption programs are starting to mature.

Highly regulated companies, or companies that have been stung by some kind of violation of anti-corruption rules, are becoming the pioneers in determining how to satisfy authorities that they are doing all they can to prevent corruption, according to experts who are helping develop new anti-corruption practices for the internal audit profession to model.

“It’s a mixed bag out there right now,” says Vikas Agarwal, a partner in PwC’s risk assurance practice. “There’s a large focus by financial services companies and those that are more heavily regulated to have a much stronger anti-corruption program. As you move down, you have multinational companies, technology and software companies, and large retail companies that are very quickly moving up the curve with heightened scrutiny.”

Companies are employing a variety of methods and techniques to audit the anti-corruption effort, says Agarwal, beginning with a strong risk assessment and continuing with advanced technology, such as data analytics. “Companies are using data to see what might be an office, a region, or a transaction that they want to scrutinize more,” he says.

Tom O’Reilly, director of internal audit at technology company Analog Devices, says he’s developed a method for auditing the company’s anti-corruption efforts by following guidance from the Justice Department found in many deferred-prosecution agreements. It’s become something of an audit framework, he says. “It’s like a step-by-step guide,” he says.

The Justice Department cites 13 action items in recent DPAs as “corporate compliance program best practices.” They cover areas such as a corporate code of conduct, tone at the top, policies and procedures, risk assessments, annual reviews, senior management oversight and reporting, internal controls, training, discipline, ongoing advice and guidance, use of agents and other business partners, contractual compliance, and ongoing assessments.

“This is what a third party, the Department of Justice says, is recommended so you don’t have violations in the future,” O’Reilly says. “So any auditor who takes this guide and performs an audit using these 13 steps—it’s a much more robust audit to provide assurance to the audit committee, the board of directors, and executive management that we’ve covered all these areas.”

Following those 13 steps as an audit framework helps focus attention on specific areas beyond a simple yes-or-no answer to whether specific elements of an anti-corruption program exist, O’Reilly says. “Even though someone says they are doing something, that doesn’t mean it’s as mature as it could or should be.” He focused on training as an example. The company may provide a once-a-year online training module for employees, but what else is done to support it? “What else can we do?” he asks.

Raytheon Co. asked itself that question when it faced problems with FCPA compliance in the late 2000s. Tom Sanglier, director of internal audit at Raytheon, says that experience sparked management to “up its game” around anti-corruption efforts. The company formed a cross-functional task force that meets weekly to review the program and improvement initiatives. The company makes extensive use of data analytics, he says, to review transactions and communications, looking for red flags that warrant further inquiry.


The following is an excerpt from Ernst & Young’s anti-corruption compliance report.
Anti-corruption audits are preferably stand-alone audits that are not integrated into a larger set of procedures. Generally integrating anti-corruption audit procedures into larger audit programs is not the most effective practice; it commonly leads to situations where the auditor doing the testing lacks the necessary training and experience, focus, supervision or time to do the work properly. To avoid “audit fatigue” commonly expressed by business units, the timing can coincide with an internal audit of the same business unit but the activity should remain separate.
In conducting substantive testing, the purpose is to identify potential corruption violations or red flags. The audit is not an investigation. It is a business process like other internal audits a company might undertake—a predetermined set of procedures designed to assess corruption risk and test for compliance with company policies. Serious violations or red flags uncovered in the audits are typically reported to legal or compliance professionals for further investigation. Protocols should be put in place for immediate consultation when a potential violation is uncovered. Often such audits are conducted at the direction of a company’s general counsel and are subject to the attorney-client privilege.
Source: Ernst & Young.

“We do a lot of transaction monitoring, depending on the risks,” Sanglier says. “We use data analytics to make sure we’re looking not just at dollar amounts, but also keyword searches to identify any potentially corrupt transactions. We also put our reps and consultants through an extensive due diligence process.”

Internal audit’s role, Sanglier says, includes traveling to up to a dozen international locations to perform on-site reviews and transaction testing, meeting with selected representatives and consultants, and questioning them directly about their understanding of the company’s policies on bribery and corruption. His staff also performs select audits at the enterprise level to examine how the overall process is functioning.

Auditing an anti-corruption program is much like auditing other functional areas of the business, says Bill Henderson, a partner in fraud investigation and dispute services for EY—namely, that it begins with an assessment of risk. “Generally, what you’re doing is taking a risk-based approach and looking at where the greatest corruption risks are for the company,” he says. “Those are the risks you focus on in doing your audit procedures.”

Companies at greater risk for corruption tend to be more active in auditing their programs, Henderson says. Companies with heavy overseas operations, or those in higher-risk industries (defense, oil and gas, telecommunications, and the like), are more likely to be auditing their anti-corruption programs. “This is an area that lends itself to monitoring and auditing as being an important part of the program,” he says.

Jeff Maimon, a partner in advisory services at EY, says the adoption of the 2013 COSO Internal Control-Integrated Framework has led companies to take a closer look at what they are doing to prevent and detect fraud, which then is leading some to consider what more they can do to audit those efforts. “Do we have sufficient programs, processes, and procedures to both prevent and detect corruption and fraud?” he says.

In addition, many internal audit shops across the profession are being asked (as always) “to do more with less,” Maimon says. That has inspired some internal audit shops to ensure they are not operating in that second line of defense as defined by the Institute of Internal Auditors, where risk functions are overseen. Instead, some internal auditors are looking to provide assurance about the anti-corruption effort rather than hold responsibility for directly overseeing it, he says.

In Henderson’s view, the Justice Department guidance contained in deferred-prosecution agreements is a reasonable starting point, encompassing elements that should be present (and therefore audited) in any anti-corruption program. The firm likes to point companies to the resource guide on the Foreign Corrupt Practices Act published jointly by the Justice Department and Securities and Exchange Commission as a starting point for planning an internal audit, he says.

“It’s a lot of the same information,” he says. “Those are the leading practices.”