
How Internal Controls Can Detect & Prevent Bribery

How to detect and prevent bribery using internal controls
Mike Rost
SVP, Investor Relations & Corporate Development
Published: February 18, 2016
Last Updated: March 16, 2023

As recently reported in The Wall Street Journal, the SEC and the Justice Department have stepped up their efforts to enforce the Foreign Corrupt Practices Act (FCPA) in recent years.

As previously discussed in this blog post, fraud typically falls under one of three umbrellas: corruption, asset misappropriation, and financial statement fraud.

According to the Report to the Nations on Occupational Fraud and Abuse from the Association of Certified Fraud Examiners, corruption is the second most common of the three. It goes undetected for a median duration of 18 months and covers conflicts of interest, illegal gratuities, bribery, and economic extortion.

Recent investigations have uncovered bribery in large, prominent U.S.-based organizations. For these companies, bribery has both a direct and indirect financial cost and is regularly reported in their earnings calls. Enforcement actions have forced these companies to take a closer look at their compliance programs and go back to the basics.

To avoid bribery, every FCPA compliance program should center around three questions:

  1. What did you do to prevent it?
  2. What did you do to detect it?
  3. What did you do, in past instances, once you found out about it?

In a recent webinar, Tom Fox, attorney and FCPA expert at Advanced Compliance Solutions LLC, and Joe Howell, Co-Founder and Executive Vice President of Workiva, discussed how to detect and prevent bribery through internal controls.

During their conversation, there was a consensus that in order to prevent bribery, companies need to focus on the design of internal controls and practices of prevention. When thoughtfully designing controls, companies need to define their culture, educate and remind employees, and most importantly, document everything.

Typically, companies that have robust internal controls are better-run companies, but many are falling short with controls that do not have the proper documentation to prove anything.

"Whatever you do, document," said Fox, who also pointed out that CCOs and their general counsel need to understand that compliance internal controls and SOX internal controls are focused on meeting FCPA requirements. The key to getting everyone to understand that this is a business solution to a legal issue is removing the siloed nature of these groups and sharing information seamlessly across them.

When examining common areas of focus for fraud and bribery, Fox and Howell recommend companies develop and document the following parts of their culture in order to prevent them:

  • Policies
    The need to document applies especially to policies. Companies should make sure to document and communicate policies to the entire employee population in an easily understood language and platform.

  • Practices and procedures
    Each policy should have a corresponding practice and documentation procedure. This could be as simple as an employee reimbursement form. The practice of using forms acts as a control and helps to remind employees of the moral implications.

  • Enforcement
    Most individuals understand regulatory obligations for documentation, but companies and their employees are falling short. If policies and practices are well-documented and in accordance with regulatory requirements, a company's internal audit program is in much better shape for monitoring and is less likely to come under enforcement action.

  • Whistleblowing
    Employees have a moral obligation to speak up when something doesn't seem right, and they need to feel comfortable doing so. Companies should celebrate the employees who allow them to bring a business solution to a legal issue.

Implementing and maintaining the above components of culture alone will not eliminate bribery altogether. Companies also need to lessen the siloed nature of their SOX, compliance, and internal audit functions. When these groups are siloed, there is no way to have a single source of truth. This is a structural defect that doesn't provide companies the data they need to make decisions.

"We need to think through the siloed nature of compliance, SOX reporting, and internal audit," said Fox. "We need to find a way to bridge this gap with a tool that allows each of these disciplines to communicate with the others and have line of sight."

In order to bridge this gap, organizations should leverage technology that was created to help companies organize and maintain concurrent evidence, as well as remind employees of their moral obligations.

About the Author
Mike Rost

SVP, Investor Relations & Corporate Development


As senior vice president of corporate development and investor relations, Mike Rost is a key contributor to the organization's growth with a focus on corporate development initiatives, emerging business areas, and developing relationships with investors and key stakeholders. Since joining Workiva in 2015, he has served in various leadership roles helping to drive the organization's growth, including the scaling of Workiva’s marketing and partner & alliance functions.

With more than 25 years of experience assisting organizations to optimize business processes, Mike has an extensive background in finance, accounting, enterprise performance management and Governance, Risk and Compliance (GRC) technology. Prior to Workiva, Mike served as vice president of marketing at Metricstream and vice president of strategic marketing at Thomson Reuters. Prior to that, he spent more than a decade in product management and marketing positions for SaaS companies and held finance positions at Pillsbury and Rollerblade, Inc.

Mike has been active in industry associations, including the Open Compliance and Ethics Group (OCEG) and the Institute of Internal Auditors (IIA). He was also a founding member of XBRL International (eXtensible Business Reporting Language), the global not-for-profit consortium for open international standards for digital business reporting. He has also been a frequent speaker at industry conferences on subjects such as finance transformation, data and reporting, and risk and compliance technology. He received his Bachelor of Science in Economics and his MBA from the University of Minnesota.

