How Internal Controls Can Detect & Prevent Bribery
As recently reported in The Wall Street Journal, the SEC and the Justice Department have stepped up their efforts to enforce the Foreign Corrupt Practices Act (FCPA) in recent years.
As previously discussed in this blog post, fraud typically falls under one of three umbrellas: corruption, asset misappropriation, and financial statement fraud.
According to the Report to the Nations on Occupational Fraud and Abuse from the Association of Certified Fraud Examiners, corruption is the second most common of the three. It lasts undetected for a median duration of 18 months and covers conflicts of interest, legal gratuities, bribery, and economic extortion.
Recent investigations have uncovered bribery in large, prominent U.S.-based organizations. For these companies, bribery has both a direct and indirect financial cost and is regularly reported in their earnings calls. Enforcement actions have forced these companies to take a closer look at their compliance programs and go back to the basics.
To avoid bribery, every FCPA compliance program should center around three questions:
- What did you do to prevent it?
- What did you do to detect it?
- What did you do, in past instances, once you found out about it?
In a recent webinar, Tom Fox, attorney and FCPA expert at Advanced Compliance Solutions LLC, and Joe Howell, Co-Founder and Executive Vice President of Workiva, discussed how to detect and prevent bribery through internal controls.
During their conversation, there was a consensus that in order to prevent bribery, companies need to focus on the design of internal controls and practices of prevention. When thoughtfully designing controls, companies need to define their culture, educate and remind employees, and most importantly, document everything.
Typically, companies that have robust internal controls are better run companies, but many are falling short with controls that do not have the proper documentation to prove anything.
"Whatever you do, document," said Fox who also pointed out that CCOs and their general counsel need to understand that compliance internal controls and SOX internal controls are focused on meeting FCPA requirements. The key to getting everyone to understand that this is a business solution to a legal issue is removing the siloed nature of these groups and sharing information seamlessly across them.
When examining common areas of focus for fraud and bribery, Fox and Howell recommend companies develop and document the following parts of their culture in order to prevent it:
The need to document applies especially to policies. Companies should make sure to document and communicate policies to the entire employee population in an easily understood language and platform.
- Practices and procedures
Each policy should have a corresponding practice and documentation procedure. This could be as simple as an employee reimbursement form. The practice of using forms acts as a control and helps to remind employees of the moral implications.
Most individuals understand regulatory obligations for documentation, but companies and their employees are falling short. If policies and practices are well-documented and in accordance with regulatory requirements, a company's internal audit program is in much better shape for monitoring and is less likely to come under enforcement action.
Employees have a moral obligation to speak up when something doesn't seem right and they need to feel comfortable doing so. Companies should celebrate the employees who allow them to bring a business solution to a legal issue.
Implementing and maintaining the above components of culture alone will not eliminate bribery all together. Companies also need to lessen the siloed nature of their SOX, compliance, and internal audit functions. It is clear that when these groups are siloed, there is no way to have a single source of truth. This is a structural defect that doesn't provide companies the data they need to make decisions.
"We need to think through the siloed nature of compliance, SOX reporting, and internal audit," said Fox. "We need to find a way to bridge this gap with a tool that allows each of these disciplines to communicate with the others and have line of sight."
In order to bridge this gap, organizations should leverage technology that was created to help companies organize and maintain concurrent evidence, as well as remind employees of their moral obligations. Get a sneak peek of one solution here.
Three Lines of Defense: Enabling High-Performing Organizations
To be successful, different lines must work together and share information.