December 12, 2013
This is part two in a series on combating bribery and corruption. Read part one here.
In part one, the focus was on common roadblocks that can hinder an organization’s goal of having an effective and demonstrable anti-bribery and anti-corruption program. This article addresses common approaches to overcome these challenges. They’re outlined below as the three pillars to support the implementation of a solid anti-bribery and anti-corruption program.
It’s important to keep in mind that even those companies that have stellar reputations and the best intentions to conduct business in the most ethical and efficient way possible may employ a bad apple or two. The overarching objective shouldn’t be to eradicate bad behavior, as this is nearly impossible. Instead, an organization being investigated for an FCPA violation can have its case dismissed without penalties if it can demonstrate that it had an effective system of internal controls in place, as in the Morgan Stanley case.
The first step in ensuring that a company is on the right track to developing an effective program is a thorough assessment that includes internal control and policy reviews to determine the likelihood of bribery and corruption risks within the markets where the company is currently operating. This first pillar of the program is crucial, as it provides a visual depiction of where the red flags might arise in terms of risk and indicates where continuous monitoring systems must be implemented.
An example: an organization was undergoing an assessment of a distribution partner, during which it came to light that they were reporting revenue in “event planning.” Given that event planning wasn’t part of the company’s core competencies, it raised some questions—and those questions resulted in the discovery that the partner was putting on extravagant events to woo potential government clients.
When it comes to actually building a self-assessment program, starting from scratch isn’t necessary. Audit and compliance roundtables are an effective source, websites such as AuditNet are another and vendors, including ACL, have assessment program templates in their audit management software, built from best practices gathered from organizations that had to perform their own self-assessments.
The final question often asked when having a discussion about this type of program is, “who should be in charge of the assessment process?” Many organizations respond by relying on external consulting assistance, which may not be optimal. The people who know the business best are those that would be able to most easily identify where the questionable lines of business exist. In other words, the company’s internal auditors and compliance officers are best equipped to lead this initiative.
Once the high-risk markets have been singled out, it’s time to implement strong detective controls that will quickly bring potential instances of bribery and/or corruption to the forefront.
Rather than spending resources and exhaustive efforts on building preventative application system controls that hinder business agility, an organization can implement detective controls, enabling the business to continue to operate without delays.
Because there are typically several different application systems that must be merged and accessed, it’s best to implement a common data model that will allow each department to report across the organization, as opposed to in silos. The use of anti-bribery and anti-corruption analytics is an effective and efficient method of ensuring that systems are consistent across the business. Areas in which this technology is appropriate include vendor management, purchase-to-payment (P2P), general ledger (GL), payroll, travel and expenses (T&E), etc. Any of these business processes can be used in providing payments to third parties, foreign officials or any other entities that shouldn’t be on the receiving end. In addition, as mentioned in part one of this series, these analytics are often distinctly separate from cost management or financial reporting controls.
In order to derive value from the data generated from any analytics system, it’s essential to document follow-up and remediation. This is the “demonstrable” part of a demonstrable and effective system of internal controls. It’s critical that a continuous monitoring system include the ability to track the remediation status of the exceptions, how timely they were investigated and what the end result of the investigation was. In other words, was there corrective action, such as additional employee training?
Let’s briefly look at some example target areas for continuous monitoring for anti-bribery and anti-corruption. It’s clear that a keyword search in critical data fields across all external facing transactions would be important. Words such as “consultant,” facilitation,” “charity” or “donation” should be collected, updated and translated into the appropriate language sets for comparing against transactions. Also, consider that keyword analysis can be combined with other criteria. For instance, let’s say that an account is established for charities and an invoice is discovered (based on keyword searching) that is a charity donation, but it doesn’t ultimately hit that charity account. That is a huge red flag!
A keyword search is a key component to any anti-bribery monitoring program, but there are dozens of high-value tests that should accompany it, from looking for high-dollar transactions to new vendors to phantom employees and merchants and excessive write-offs and discounts. For more detailed information on analytics for anti-bribery and anti-corruption compliance, here is a list of the top 10 anti-bribery tests.
The final pillar involves placing the results of an organization’s assessment and monitoring activities in the right hands. It is during this stage that senior management must review assessment deliverables and continuous monitoring activities to ensure that they’re being tended to. It’s imperative that executives review the effectiveness of internal controls to consider whether or not there needs to be further assessment or adjustments to policies and procedures.
Finally, executives are going to want interactive reports that will enable them to drill down from the high-level, global view to transactional detail very quickly so that if they identify potential areas of risk, they can review specific transactions in that area of the business or regional market and see whether those transactions are legitimate.
In closing, building a demonstrably effective anti-bribery program is challenging. Going from drafting a policy to self-assessment against that policy to ultimately structuring a continuous monitoring and executive visibility dashboard is a major undertaking.
Hopefully, the approach illustrated above will help guide a successful and sustainable implementation, rather than one that fails to gain momentum or collects dust on a shared drive somewhere in the office.
(Source: Corporate Compliance Insights)