Detecting Anti-bribery Violations and Risks Through an Auditing Program

CHEAT SHEET

  • Breaking down barriers. For compliance program owners, there is a strong case to be made for collaboration with the internal audit team. Break down barriers to leverage the internal audit team’s forensic skills and encourage both parties to play a leadership role in managing compliance risks.
  • Red-flag locations. For multinational corporations with operations in high-risk countries or industries, selecting a specific location to audit can be a challenge. Assess and then quantify your anti-bribery/anticorruption risks, which may include audit results, hotline complaints, and investigations, and then map out the locations you will audit over the next 12 to 18 months.
  • Privilege. Due to the sensitive nature of audit findings and proposed action plans, in-house counsel should ensure that audit team members are conducting their work under the protection of attorney-client privilege.
  • Following up. If you propose that a business take action in response to a risk that you identified in an audit, you need to ensure that you have the processes in place to follow up and confirm that such steps are taken. Your audit team will likely have processes in place for you to leverage.

As in-house counsel for a company with operations spanning the globe, you’ve invested your blood, sweat, and tears (not to mention your company’s hard-earned money) devising a stellar anti-bribery/anticorruption (ABAC) compliance program which consists of training, third-party due diligence, and periodic risk assessments. However, your company is aggressively entering countries where corruption is deeply ingrained. Unsurprisingly, you sometimes wake up in a cold sweat wondering if your company is truly “walking the walk” in relation to your ABAC compliance program.

After you’ve calmed your nerves with your second cup of Chamomile tea, you start to think about how you can detect ABAC violations or risks in your business to ensure that your company has more than just a “paper” compliance program. But what can you do? Evidence of ABAC risks is often buried deep in your company’s books and records, which are housed in various enterprise resource planning systems. You majored in political science, not accounting or computer science!

What if you could form a partnership with your internal audit department that would enable you to detect ABAC violations and risks? It may be a challenge, but the end result will help your company proactively and systematically detect violations of ABAC laws and related company policies. You will also be able to make appropriate adjustments and continuously improve your program.

This article addresses the need for a robust ABAC auditing program, outlines the elements of an effective ABAC audit program, and provides guidance on how in-house legal departments and internal audit departments can collaborate to effectively detect ABAC violations and continuously improve your ABAC compliance program.

The need for an effective ABAC auditing program

Although most ABAC compliance programs have a strong focus on preventing ABAC violations (for good reason), companies cannot turn a blind eye to the importance of detection. An effective ABAC audit program will help you detect violation of laws as well as your company’s policies and procedures.

The importance of monitoring and detecting ABAC risks has been reinforced by a number of regulatory authorities:

Section 8B2.1(b)(5)(A) of the US Sentencing Guidelines provides that an “organization shall take reasonable steps ... to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct.”

The 2010 UK Ministry of Justice Guidance on the UK Bribery Act provides that “commercial organizations [should] consider how to monitor and evaluate the effectiveness of their bribery prevention procedures and adapt them where necessary.”

The 2012 Resource Guide to the US Foreign Corrupt Practices Act provides that “an organization should take time to review and test its controls, and it should think critically about its potential weaknesses and risk areas.”

The DOJ’s 2017 Evaluation of Corporate Compliance Programs asks companies facing findings of misconduct if they have “reviewed and audited [their] compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data and interview of employees and third parties?”

While the case in support of ABAC auditing and continuous improvement is clear, the design and execution of an ABAC detection program can be a challenge for in-house counsel. Before embarking on the design of a detection program, in-house counsel should work with the internal audit team to ensure that the program meets professional audit standards, and can be executed with available resources.

Breaking down barriers between legal and internal audit

As noted earlier, the detection of ABAC violations poses a challenge for in-house lawyers because many ABAC risk indicators (or red flags) lie buried in a company’s books and records. In-house lawyers rarely have the skills necessary to locate, extract, and test high-risk transactions.

The Three Lines of Defense Model of auditing could also serve as an obstacle to collaboration between internal audit and the legal department. In this model, the business serves as the first line of defense against control risks. The compliance program owner serves as the second line of defense. Internal audit serves as the independent third line of defense. This model works well in the context of many compliance risks, but bribery is unique in that businesses (the first line of defense) and legal departments (often the compliance program owner and thus the second line of defense) lack the skills necessary to effectively play their respective roles. As a result, the barriers between the program owners and internal audit may need to be broken down to enable compliance program owners to leverage internal audit’s forensic skills.

There is a strong case to be made for collaboration with your internal audit team. They are likely aware of the enormous ABAC penalties imposed by global regulators and the attention that ABAC matters receive from your company’s audit committee. As a result, a collaborative partnership between your respective teams presents an opportunity for each to play a leadership role in managing one of your company’s most significant compliance risks.

Elements of an effective ABAC auditing program

This section will focus on the five key elements of an effective ABAC auditing program:

  1. Identifying high-risk businesses and locations;
  2. Developing auditing tools;
  3. Planning and conducting audits;
  4. Documenting and communicating the audit results; and,
  5. Following up on the audit action plan.

1. Identifying high-risk businesses and locations

For multinational corporations with operations in high-risk countries and industries, the selection of a specific business or location to audit can be a challenge. Is a business in Country A higher risk than a business in Country B? Is your gizmo business riskier than your widget business? If the US Department of Justice (DOJ) were to investigate your business and ask about your ABAC audit program, could you explain why you audited your gizmo business in Country A rather than your widget business in Country B?

One approach to this challenge is to assess and then quantify your ABAC risks in different businesses and locations. You should start by pulling data from prior ABAC risk assessments, audit results, investigations, hotline complaints, and third-party data on country or industry risks (e.g., Transparency International’s Corruption Perceptions Index). This information can then be mapped to each business and/or location and quantitatively scored (e.g., a weighted average). Factors to consider in the quantitative analysis include internal bribery risk areas such as gifts and entertainment, third-party intermediaries, transactions with state-owned entities, charitable contributions, cash payments, and import/export activities.

Based upon the scores in the heat map, you should select the businesses or locations you will audit over the next 12 to 18 months. The risk score should drive your decision, but don’t ignore factors that may not be considered in your heat map such as geographic or business diversity (i.e., don’t conduct all of your audits in one high-risk country or industry) or the size of the business (i.e., gross investment or revenue).

Risk area selection

After you’ve selected a business or location to audit, review the heat map to identify the relevant bribery risk areas for such business or location. For example, the gizmo business in Country A in Figure 1 operates in a high-risk country and industry, provides gifts and entertainment to government officials, provides charitable contributions at the suggestion of government officials, uses third parties to interact with government officials, and has been the subject of a prior ABAC investigation. Depending upon your resources, you could choose to audit for all of the risks or perhaps a few that you consider to be the most significant.

Figure 1: Heat map example

2. Developing ABAC auditing tools

Once you’ve prioritized your bribery risks, you need to develop tools to conduct your audit. The tools should consist of document requests, interview questions, and a sampling and data analytics protocol.

Document requests

Internal audit can play a key role in crafting document requests for specific risk areas based upon their extensive experience in auditing a variety of financial and operations risks. However, in-house counsel should educate internal audit on the type of transactions that can trigger ABAC risks such as third-party intermediaries, gifts and entertainment, cash payments, and charitable donations.

Interview questions

The interview questions can be similar to those used in your risk assessments, but they should go a step further by inquiring about specific business processes around a particular risk which can then be tested:

  • What is the process for offering a gift to a government official?
  • Who is involved in the process?
  • Where can the underlying approval or process records be found?

The interview questions should align with the document requests and should be modified to address findings gleaned from the document review.

Sampling and data analytics protocol

Finally, internal audit teams should take the lead in developing a sampling and data analytics protocol to ensure that the audit can be conducted efficiently and that it will be defensible if challenged by a regulator. Data analytics are qualitative and quantitative techniques used to extract, categorize, and analyze data. You also need to be able to test a representative sample of transactions because you cannot test every transaction. Your available audit resources will drive, in large part, your sampling and data analytics protocol.

Questions that should be addressed in developing this protocol include:

  • What kind of transactions will you review?
  • How many transactions will you review?
  • Whose transactions will you review?

3. Planning and conducting audits

Audit team

The team conducting the audit can consist of personnel from various functions including internal audit, finance, and your in-house legal department. Many companies also rely on external auditors or law firms to help them design or conduct audits. It’s preferable that one or more members of the audit team are exclusively dedicated to the ABAC audit to ensure that the work is appropriately prioritized. Make sure the team has the skill set necessary to perform the audit and that they are independent from the business being audited. If the legal team is not a member of the ABAC audit team, it should stay in close contact with the audit team throughout the audit to ensure that risk indicators are identified and appropriately addressed.

Privilege

Due to the sensitive nature of audit findings and proposed action plans, in-house counsel should ensure that internal audit and other audit team members are conducting their work under the protection of attorney-client privilege. In addition, care must be taken to ensure that documents are handled carefully to protect the privilege. Attention must also be paid to local privilege or confidentiality rules.

Types of audits

Traditionally, internal audit groups have relied on site visits to perform audits because they allow the auditors to have face-to-face discussions with key personnel and thus gain a deeper insight into business processes. However, off-site or remote audits are becoming increasingly popular due to technological advances that enable data to be extracted and reviewed from anywhere in the world.

In either case, the auditor should test the supporting documentation furnished by the business and document the results. If such tests reveal ABAC violations or risks, the auditor should take additional steps to investigate, such as additional interviews or document requests. As noted above, auditors should involve the legal department in these decisions.

Figure 2: Examples of document requests

4. Documenting and communicating the results

The audit team should prepare a report of their findings and submit it to in-house counsel for review. In-house counsel should then prepare a final audit report for distribution to the business which includes findings and a proposed action plan to address any violations or risks identified in the audit. Action items could include new or enhanced policies, systematic training, or additional due diligence.

5. Following up on the audit action plan

Never underestimate the importance of following up on your audit action plan. Proposing action in response to audit findings and failing to confirm that action was taken could put your company at great risk — perhaps even more risk than if you had never conducted the audit in the first place. If you propose that a business take action in response to a risk that you identified, you need to ensure that you have the processes in place to follow up and confirm that such steps are taken. Your internal audit team will likely have processes in place for you to leverage.

Figure 3: Sample action plan for gizmo business in country A

Conclusion

While most companies spend the majority of their ABAC compliance resources on preventing violations of law or corporate policy, in-house counsel should not ignore the need to effectively detect these same violations. Without a strong detection program, your company’s sizable investment in compliance could end up being classified as a “paper” compliance program. The best way to develop and execute an effective ABAC audit program is to forge a strong partnership with internal audit that combines the legal department’s subject-matter expertise and internal audit’s forensic expertise. These two functions can work together to identify high-risk businesses or locations, develop audit tools, plan and conduct the audits, communicate the results, and follow up on action plans. The end result will enable you to effectively detect ABAC risks and continuously improve your ABAC control program. In addition, you should be able to sleep better at night and reduce your Chamomile tea expenditures.