The Cutting Edge of Anti-Corruption Compliance: Proactive Audits
The FCPA world is fast becoming the leader in new compliance strategies. The Justice Department and the SEC have embraced the requirement for conducting “proactive audits.”
Recent settlements have included new compliance program requirements for a company to conduct proactive audits of high-risk areas. It is a new and growing area for anti-corruption compliance.
The concept of a “proactive” audit, however, is nothing new. The strategy has been employed for years in other contexts but now has gained traction in the anti-corruption area.
The importance of proactive audits is even more significant in the anti-corruption context. As everyone knows, financial audits are not designed to identify illegal bribes because they hinge on “materiality.” Numerous bribery schemes have been carried out underneath the “materiality” radar screen because they do not involve significant amounts of money. On the other hand, “forensic audits” are designed to identify illegal bribes, and often incorporate transaction testing and other techniques.
A proactive audit is akin to transaction testing but with a big difference – it is focused on a high-risk operation.
The first step in the proactive audit is to identify those “high-risk” operations. It is easy to rely on the annual Corruption Perceptions Index to identify those high-risk operations, but a broader focus is needed.
For each “high-risk” country of operation, it is important to consider:
- how much business is conducted in the country;
- the nature and extent of government interactions;
- the business and compliance history of the company’s operations in the area;
- local business regulation and enforcement in the country; and
- the compliance and ethics reputation and performance of key personnel in each country.
A risk-ranking matrix based on all of these factors should be developed to prioritize those operations for audits.
While it may be desirable to audit almost every office, the available resources (time and money) will dictate how many offices can be audited. It is unlikely that a company will be able to audit every “high-risk” operation.
The high-risk audit program has to be dynamic. It has to adjust as new risks and factors are identified. New information has to be incorporated into the analysis. As audits are completed, new information will be learned and factors may be re-assessed.
Proactive audits require a team approach – lawyers, auditors and compliance personnel need to be included in each audit team. Each audit requires careful coordination among these personnel. A detailed protocol needs to be adopted and followed in each audit.
The process needs to be supervised from the top down in the company. The Compliance Committee needs to sign off on the program, and the compliance office needs to manage and design the process with the assistance of the legal and auditing offices.
Thank you for this article. I have one question. Once the red flags have been detected through these audits, is there regulatory guidance or emerging best practice on the documentation of remediation actions taken by the issue owners? I would imagine that in the unfortunate event of an enforcement action, proper documentation of the remediation efforts would be very beneficial. Any ideas? Thanks.