
ANTI-CORRUPTION

In late April, an investigative report in The New York Times alleged systematic bribery totaling more than US $24 million "played a persistent and significant role" in the rapid growth of the Mexico subsidiary of Wal-Mart Stores Inc. The article is replete with allegations of accounting fraud, inadequate internal controls, inappropriate internal investigations, cover-ups, and even rewritten internal audit reports. Wal-Mart immediately expressed its deep concern about the allegations, announced it had launched an aggressive investigation of the matter, and said it was taking steps in Mexico and elsewhere to strengthen compliance with the U.S. Foreign Corrupt Practices Act of 1977 (FCPA).

An effective FCPA compliance program can help the organization avoid severe financial penalties and prevent reputational harm.

Mexican authorities, the U.S. Securities and Exchange Commission (SEC), the U.S. Department of Justice (DOJ), and even the U.S. Congress also quickly began looking into the matter. And although these investigations still are proceeding, the Reuters news service reported in July that other retailers have since reported to the U.S. government suspicions of their own potential violations, which in turn have prompted the Justice Department and the SEC to consider a wholesale compliance sweep of the industry. Corruption, however, is much more than a one company or

Albert G. Holzinger

OCTOBER 2012

INTERNAL AUDITOR

COUNTERING CORRUPTION

industry issue. In fact, it appears to be a significant risk globally.

The Association of Certified Fraud Examiners' (ACFE's) 2012 Report to the Nations on Fraud and Occupational Abuse says more than one-third of the 1,388 occupational frauds investigated by the organization's members during 2010-2011 were corruption schemes. Moreover, the risk of corruption fraud may be even greater than the ACFE data suggests. For example, nearly half of the 400 chief financial officers (CFOs) who participated in the 2011 global survey that underpins the recent Ernst & Young LLP report Growing Beyond: A Place for Integrity admit they could justify corrupt practices to help their organization survive during an economic downturn.

In view of this risk, strong anti-corruption programs are important to all organizations. And they are vital to U.S.-listed companies with business dealings abroad, which are subject to the FCPA. The number of FCPA enforcement actions against multinational companies resolved by the SEC grew from three in 2004 to 31 in 2010. Actions initiated by the SEC and the DOJ against company officials, including a few chief audit executives (CAEs), grew correspondingly. Moreover, the consequences of FCPA violations can be severe. The largest monetary settlement by the SEC and the DOJ with U.S.-based companies (Houston-based Halliburton Co. and KBR Inc. in 2009) is a combined US $579 million; the longest federal prison sentence, assessed last year to Joel Esquenazi, former president of Terra Communications Corp., is 15 years.

Even those alarming numbers, however, do not paint a complete picture of the undesirable consequences of running afoul of the DOJ and the SEC. "FCPA scrutiny alone can be a crippling financial and resource drain on an organization," observes Mike Koehler, assistant professor at the Southern Illinois University School of Law and author of the website FCPAProfessor.com. "The ultimate financial penalty amounts often are far lower than the pre-enforcement-action costs of investigating and understanding the issue and conducting a worldwide review of compliance operations."

Internal auditors can add substantial value to their organization's effort to develop, implement, monitor, and enforce policies and procedures designed to ensure employees and business partners do not offer cash bribes or other unlawful inducements to public officials to win or retain business. Yet internal audit "has been one of the most overlooked corruption-fighting resources most organizations have," Koehler says. "Many unlawful practices probably could have been nipped in the bud if internal auditors had been trained and encouraged to recognize them."

MITIGATING COMPLIANCE RISKS
The DOJ "has been trying hard in a proactive way to help organizations develop better FCPA compliance programs," observes Larry Harrington, CAE of Waltham, Mass.-based defense and aerospace systems provider Raytheon Co. He urges internal auditors to review the agency's settlement agreements regularly with violators, which he says "can help them understand what went wrong in each case the agency investigated, where controls broke down, and what remediation requirements were imposed on the offending company." The remedial actions proscribed by these agreements, Koehler notes, are based largely on the Good Practice Guidance on Internal Controls, Ethics, and Compliance issued in February 2010 by the Paris-based Organisation for Economic Co-operation and Development (see "Leading FCPA Compliance Practices" on page 49).

Although successful compliance programs generally have a dozen or more elements that vary based on the organization type, industry, operating model, and geographic presence, common to all are support from the board and senior management, a corruption risk assessment, policies and procedures backed by periodic training, and ongoing monitoring and performance reporting.

Support From the Top
"I like to go back to fundamentals when I advise organizations on FCPA compliance," says Jonathan Marks, fraud, ethics, and anti-corruption services leader for Crowe Horwath LLP. "The culture is the bedrock on which the governance of the organization rests. If you have a culture that is gelatinous, the organization's FCPA compliance framework will wobble and create opportunities for bad things to happen and slip through the cracks."

Of course, that culture is established largely by the board of directors and top management. The tone at the top is key to organizational culture and helps lay the groundwork for ethical behavior organizationwide. Moreover, Harrington says it is important to be able to demonstrate to the DOJ and SEC if necessary that senior management has "ongoing comprehensive involvement" in FCPA compliance activities, backed by adequate funding and other resources. "While everyone owns compliance, there should be a designated member of senior management who is responsible for overseeing the anti-corruption compliance program and making sure it is evolving and working the way it is designed to work," Harrington says.

TO COMMENT on this article, EMAIL the author at albert.holzinger@theiia.org
Risk Assessment
Bill Pollard, a leader of the FCPA consulting practice of Deloitte Financial Advisory Services LLP, says organizations cannot put effective compliance policies and procedures in place until they conduct a formal corruption risk assessment. Although this assessment must be thoughtful and comprehensive, it does not have to be an expensive and protracted exercise. "We counsel taking a practical approach to risk assessment," Pollard says. "Not every company is going to have a large, multimillion-dollar legal or compliance department, but certainly most can effectively put some methodology around identifying where the risks are and concentrating resources around developing a program for mitigating them."

Pollard reminds organizations that are hesitant to devote resources to identifying and mitigating corruption risks they probably already are doing much of the requisite work. "Companies for hundreds of years have put in place processes, controls, and monitoring activities to look for the risks of unauthorized payments fraud, for example," he says. Pollard also points to the U.S. Sarbanes-Oxley Act of 2002 requirement for U.S.-listed companies to perform a fraud risk assessment. "There is no reason why they can't enhance that risk assessment by asking questions about corruption," he says.

Policies and Procedures
The nature and specificity of policies and procedures needed to mitigate identified risks will vary from organization to organization, but Pollard says that to be effective, they all need to be as straightforward as they are comprehensive. "Anti-corruption guidance must be written in simple, direct, easy-to-understand language, not legalese," he says. "It needs to explain the dos and don'ts of interacting with
LEADING FCPA COMPLIANCE PRACTICES

On July 17, 2012, the Nordam Group Inc. agreed to pay a US $2 million penalty for violating the U.S. Foreign Corrupt Practices Act of 1977 (FCPA). Terms of this nonprosecution agreement with the U.S. Department of Justice (DOJ) reflect the agency's current thoughts about the best practices an FCPA compliance program should address. These practices, derived from the Good Practice Guidance on Internal Controls, Ethics, and Compliance issued in February 2010 by the Paris-based Organisation for Economic Co-operation and Development, are:
1. A clearly written code of conduct that prohibits violations of the FCPA and other global anti-corruption laws.
2. Strong, explicit, and visible senior management support of the conduct code.
3. Policies and procedures "designed to reduce the prospect of violations of anti-corruption laws and the organization's compliance code."
4. A risk assessment that takes into account factors such as where the organization operates and its use of third-party business partners.
5. Annual or more frequent review and update of the organization's compliance program and corruption risks.
6. Autonomous senior management oversight of the organization's anti-corruption program.
7. Financial and accounting procedures, including a system of internal control, "reasonably designed to ensure the maintenance of fair and accurate books, records, and accounts."
8. Effective methods for communicating about the organization's anti-corruption program.
9. Ongoing compliance advice and guidance organizationwide and to third parties.
10. Disciplinary procedures that ensure, when misconduct is discovered, "reasonable steps" are taken to remedy the violation and prevent reoccurrences.
11. Due diligence of agents and other business partners.
12. Third-party contract terms and conditions that are "reasonably calculated to prevent violations of anti-corruption laws."
13. Merger and acquisition policies and procedures for conducting risk-based due diligence on potential new business entities before reaching an agreement or reporting to the DOJ any corruption uncovered during this process.
14. Ongoing assessments and testing of the anti-corruption code of conduct, policies, and procedures.


government officials, what constitutes an improper payment, and what to do if one is requested."

Pollard also notes that policies and procedures must be written in the local language of the areas in which the company operates, and they need to be sensitive to the local culture. Moreover, he says, those policies and procedures will be mere words on pieces of paper unless they are frequently communicated via Web-based and live training customized by role such as sales or accounting.

Ongoing Monitoring
Even strong, well-written, and widely communicated policies and procedures will be ineffective in mitigating corruption risk unless compliance is carefully and systematically monitored, Marks notes. He says management, staff, compliance personnel, and internal auditors alike should constantly be on the lookout for violation red flags, which he defines as observable events that can be linked to a concealment strategy and cause someone to stop, assess the situation, and respond appropriately. Internal audit needs to identify the organization's corruption red flags as part of its risk assessment process and design audit procedures with the level of precision necessary to detect them wherever they arise in the organization, Marks says.

Similarly, Koehler says, "Internal auditors need to conduct their work wearing a pair of FCPA goggles." They need to have a working knowledge of the statute and be able to spot violation risks and red flags in their early stages, he says. Internal auditors who spot red flags such as unusual employee spending patterns must "ask intellectually curious questions," Koehler adds. For example, instead of simply asking to see the backup for suspicious expense reports, he says, auditors need to ask, "Why does this employee always have the largest travel and entertainment or miscellaneous expenses in his or her function?" If the answer still is suspicious, Koehler says internal audit should launch an investigation.
INTERNAL AUDIT'S LARGER ROLE
Still, internal audit's capability for adding value to the organization's corruption risk identification and mitigation program is far greater than merely looking for red flags of violations during audits. Internal audit also can act in a consulting capacity as management undertakes its corruption and bribery risk assessment, designs or modifies its compliance program, and develops and administers its related training. "FCPA consulting is about getting involved, getting engaged, and being knowledgeable enough that you can help your company clearly understand what is required and what might need to be changed," Harrington asserts.

CAEs and their teams also need to be staunch anti-corruption advocates on an ongoing basis, he says, adding that internal audit should help management understand the importance of compliance programs to the well-being of the organization. "While supporting effective anti-bribery compliance programs can sometimes be expensive, not having an effective program in place can result in far costlier damage to the brand and the bottom line," Harrington says.

"Over the past few years the majority of the audit activities we've seen in companies focused broadly on providing assurance that elements of the compliance program are in place and, in fact, operating effectively," Pollard says. "Now we see internal audit moving into more robust testing for potential corrupt activity, looking at areas that are higher risk like gifts and travel and entertainment and charitable contributions, among others."

VISIT http://bit.ly/Ka0zSa to view an IIA webinar panel discussion of FCPA lessons learned for CAEs (available to IIA members).

Because so many of the FCPA actions initiated by the SEC and the DOJ allege violations of the statute's internal control and books and records provisions, internal audit's scope of work in this regard needs to extend beyond assessing the appropriateness and accuracy of accounting transactions, Harrington notes. For example, the organization could be prosecuted if the human resources function were found to have hired a person who is a close relative of a contracting officer or other public official. "So when you think about following the money, you need to think about it in a broad sense," he says, in partnership with the compliance function and the legal department.

Pollard says internal audit also should closely examine agreements between the organization and its overseas business partners such as agents, sales representatives, distributors, and suppliers. "If you read the enforcement actions and look at where the government has been coming out and identifying improper payments, the No. 1 area is third-party intermediaries," he says. Pollard also counsels management and internal audit alike to conduct public records and media searches to uncover events that would "give a company some pause" about its third-party relationships. And he advises asking third parties for nonpublic information such as the ownership structure of the business, names of the individuals who will be doing business on the organization's behalf, code of conduct, policies and procedures related to bribery and corruption, and training programs the third party follows or has in place.

"The key is putting in place a methodology they can defend," Pollard says. "You are not going to find all the risks in every third party, but if you can create a defensible process so the organization can make a thoughtful, informed decision about whether the third party represents an acceptable risk, that's sufficient" in the eyes of the DOJ and SEC.

WHEN A VIOLATION OCCURS
"Regardless of how good your organization is, regardless of whether it has implemented all the best FCPA compliance practices, it still has a residual risk an incident will happen," warns Doug Anderson, global finance director and former CAE of Dow Chemical Co. in Midland, Mich. "And every time there is suspicion of a bribery incident, it is always a surprise, so you need to prepare for the unexpected."

Neglecting corruption-related duties could place auditors in jeopardy.
Anderson maintains internal audit is positioned to be a key driver of bribery investigations, but he says it is important to prepare to assume this role if needed by knowing in advance of a suspected incident who in internal audit will lead, execute, and oversee the investigation. He adds that CAEs also need to determine in advance what processes staff will follow and how investigation results will be documented and reported. "If you don't know this today, if you cannot tell your audit committee chair how an investigation would be done and what the process would be," he says, "you have some work to do to prepare for that eventuality."

Internal audit's plan for responding to a suspected violation should include how and when to escalate the issue to those who need to know about it, Anderson says. These parties likely will include the audit committee chair, general counsel, the chief financial officer, and the CEO. Timely investigation and escalation are essential to achieving good outcomes.

"An effective response to a potential FCPA violation can help save the company in a number of ways," Anderson says. "The quality of the organization's compliance program and violation remediation efforts can have a substantial impact on how it is treated by the federal government, if it comes to that." In addition, Anderson says dealing with a potential problem quickly and decisively can forestall some of the negative impact on the organization's image, brand, and trading partners.

Conversely, internal auditors who do not discharge their corruption-related duties may find themselves in jeopardy. "The internal audit function has been elevated in stature in recent years; now we report to the CEO and we report to the board, and they have an expectation internal audit is going to be actively involved in helping the organization develop and maintain an effective FCPA compliance program," Harrington says. "If there's an issue and internal audit has not done this job effectively or internal auditors are found to be part of the problem, they can be judged personally liable and be at grave professional risk."

ALBERT G. HOLZINGER is a freelance writer based in Savannah, Ga.


Copyright of Internal Auditor is the property of Internal Auditor and its content may not be copied or emailed to
multiple sites or posted to a listserv without the copyright holder's express written permission. However, users
may print, download, or email articles for individual use.
