As companies continue to push into global markets and regulators intensify scrutiny of risk-management practices, internal auditors are playing a greater role in evaluating and mitigating bribery and corruption risks.

“Bribery and corruption are top risks for many companies,” says Princy Jain, a partner in PwC's risk assurance practice. Because of the regulatory focus on anti-corruption and more companies expanding globally, “we've seen greater need over the last couple of years for involving internal audit in the anti-corruption compliance process,” he says.

Regulators have noticed that need, too. The Department of Justice and the Securities and Exchange Commission have turned up the heat on internal auditors when it comes to their role—or lack thereof—in anti-corruption compliance programs.

In the past, one of the first questions asked by regulators when a fraud was uncovered was, “where were the outside auditors?” says Raymond Sloane, a director at consulting firm Berkeley Research Group. “More frequently that question is now coupled with, ‘where were the internal auditors? Why didn't they catch this?'”

Where internal audit can add the most value to anti-corruption compliance programs, say risk-management experts, is on the front end, by helping senior management establish the risk-assessment process at a strategic level.

Specifically, internal audit can aid executive management in identifying and prioritizing the risk areas that need the most attention, the likelihood and significance of those risks, and how to go about designing an anti-corruption program that is proportionate to the company's risk appetite and business strategy, says Stephen Arietta, vice president of internal audit for United Online, a Web marketing and retail company that operates such sites as FTD and Classmates.

“Internal audit is in a unique position to have visibility into the various operations of a company,” says Arietta. “So when you're assessing corruption risks, internal audit can really lead the facilitation process for the conversations being held with senior management.”

Still, internal audit will have to make some adjustments to transition to assessing bribery risks. For example, the amount of the bribes may not always be material, a key consideration in traditional auditing, but could still present a potential violation, says Sloane. Thus, the cost of an investigation into potential improper payments could be disproportionate to the amount of the alleged bribery payments, “so what we see are companies enhancing their audits in these areas,” he says.

“The more you can do up front and the better a job you can do with your training and communication, the better off you're going to be in the long-run,” says Charlie Wright, vice president of internal audit at Devon Energy. “It's all about being proactive and setting up processes and procedures and training and communication—making sure all those things are in place.”

Compliance and Internal Audit Working Together

Because every company has its own unique structure and culture, the role of the internal audit function differs significantly from company to company. At some companies, for example, internal audit works directly with the risk-management team. 

“Internal audit is in a unique position to have visibility into the various operations of a company. So when you're assessing corruption risks, internal audit can really lead the facilitation process for the conversations being held with executive management.”

—Stephen Arietta, VP of Internal Audit, United Online

At Ryder System, internal audit co-chairs the enterprise risk-management program with the compliance group, “and we use that as an offshoot for our audit plan for the year,” says Cliff Zoller, senior vice president of audit services for Ryder. Compliance and audit also jointly train both employees and third-party agents in their local countries on the company's code of ethics and on what behavior is and is not acceptable, he says.

At Devon Energy, the compliance group establishes the compliance program and internal audit reviews activities in the operating units to ensure compliance with the company's policies. “We're in a little bit of a unique situation at Devon because we've recently divested most of our international properties to be able to invest more in our North American operations,” says Wright.

The internal audit function also adds significant value in helping companies monitor compliance with their anti-corruption programs, whether that involves “performing certain audits in certain countries, or looking at certain data trends on a periodic or continuous basis,” says Jain.

At Ryder, for example, internal audit spends roughly 25 percent of its time on continuous auditing of the locations of its largest operations, says Zoller. On a quarterly basis, internal audit requests to see a listing of all accounts payable activities that took place in those countries, which are then closely scrutinized for any potential type of facilitation payment, he says.

“You can't look at every transaction; it has to be a risk-based approach based on areas of the world where the company operates,” says Sloane. What the regulators want to see is that the testing of the compliance program by the internal audit function is focusing on those areas that are most vulnerable to bribery and corruption, he says.

ROLE OF INTERNAL AUDIT IN FCPA CASES

Below are examples of FCPA cases where the Justice Department and the SEC have cited alleged internal audit failures and successes.

Examples of FCPA cases where the Justice Department and SEC have cited internal audit failures:

SEC v. Biomet (2012): Biomet's compliance and internal audit functions failed to stop improper payments paid to doctors in Argentina, even after learning about the illegal practices. “Executives and internal auditors at Biomet's Indiana headquarters were aware of the payments as early as 2000, but failed to stop it.”

SEC v. Oracle (2012): Oracle “failed to audit and compare” distributor margins against end user prices to “ensure excess margins were not being built into the pricing structure.” In addition, Oracle “failed to seek transparency in or audit third-party payments made by distributors on Oracle India's behalf.”

SEC v. Eli Lilly (2012): Eli Lilly's audit department had “no procedures specifically designed to assess the FCPA or bribery risks of sales and purchases.”

Examples of FCPA cases where the Justice Department and SEC have credited internal audit:

U.S. v. BizJet (2012): “following discovery of the FCPA violations during the course of an internal audit of the implementation of enhanced compliance related to third-party consultants ...”

SEC v. Pride International (2010): “during a routine audit, Pride International discovered an allegation of bribery ...”

SEC v. Statoil (2006): “Statoil's internal audit department reported to Statoil's [CFO] that Statoil had paid $5.2 million under a consulting agreement to an entity that had not been named in the contract ...”

SEC v. Chiquita Brands (2001): “Chiquita's internal audit staff discovered the payment during an audit review ...”

Sources: SEC; Justice Department.

In the event that a potential violation is discovered, internal audit must make senior management aware of the problem or “report it directly to the audit committee or board of directors,” says Sloane.

In the event of an investigation, internal audit needs to keep in mind that its internal reports are going to be closely scrutinized, “so it's important that if issues arise they see them through to their logical conclusion,” says Sloane. “They need to make sure they're identifying red flags that represent potential areas of corruption and follow up on them.”

A truly robust internal audit function will consistently monitor management's remediation efforts on any compliance weaknesses and follow up on their status. Internal audit should “remain independent from the implementation of any of those remediation efforts, but reviewing it and assessing it from a design perspective is appropriate,” says Arietta.

Investigations

In the event of a government investigation, internal audit can help identify issues, accumulate the data to provide to the government, and help identify who to interview. Collaboration is an important component of any investigation related to potential fraud or corruption issues, ensuring that “each subject matter expert play their particular role,” says Zoller.

Because allegations of bribery and corruption are particularly sensitive, internal audit has to be objective in its review, says Jain. “They have to take into consideration all facts and circumstances.”

In any investigation, issues of attorney-client and work-product privilege must be carefully considered as well. “It's important, where internal audit is involved in assisting in the internal investigation, that they do so at the direction of, and report to, general counsel or external counsel,” says Sloane.

Increasingly, when companies settle an investigation, they're being tasked with conducting their own reports assessing the compliance program and whatever enhancements they have put in place. “If a company has its own self-assessment and reporting requirements, that's going to put additional responsibility on internal audit to prepare those reports,” says Sloane, particularly since “one of the things regulators look for are any reports that were issued by the internal audit group on the problem area.”