Strong risk assessments coupled with internal and external reviews can help companies strengthen their policies and avoid missteps

Written by Shruti Shah and Claudia Dumas

Imagine you are the Chief Compliance Officer at a multinational pharmaceutical company. You receive an informal inquiry letter from the US Securities and Exchange Commission asking about your company’s sales practices in China. You know that your company does business in China with state-owned hospitals and that doctors at the state-owned hospitals regularly prescribe your company’s drugs. But your company has a code of conduct that prohibits improper payments and the code also extends to your third parties. Your company’s employees in China are trained annually on the code of conduct. Should you be concerned?

Further review indicates that your company has spent a substantial amount of money on travel agents in China. You call the company’s internal audit director who informs you that China is not a location that is material in terms of the company’s sales volume and the internal audit team has accordingly not performed an audit in China in the past several years.

Now you have a sinking recollection that you have heard about other companies in your industry being in the news for allegations of massive corruption involving travel agencies used to funnel bribes to doctors and public health officials. How could this have been prevented? Did you miss any red flags?

What can companies do to mitigate the impact of a possible industry sweep or a Foreign Corrupt Practices Act (FCPA) investigation? Maintaining an effective and risk-based anti-corruption compliance program before an FCPA probe is the ideal strategy. Most companies have adopted anti-corruption compliance programs but many need to invest resources in ensuring that their programs are effective.

It is, of course, impossible to visit every location, interview every employee, and test every transaction. So what can companies do to evaluate their anti-corruption programs for effectiveness? One approach would be to start with a strong corruption risk assessment. A risk assessment is crucial to allocate finite compliance resources in an effective and efficient manner, including identifying business units and geographies with the highest corruption risks so that those units and locations are prioritized.

Reviews are most valuable, and also cost-effective, when keyed to a company’s unique circumstances and risk profile. In this example, a consideration of risks presented by the company’s geographic location, industry sector, nature of the company’s transactions, and extent of its interactions with government officials would have revealed China as a high-risk location.

The next step after a risk assessment is to conduct regular internal reviews, including site visits at high-risk locations. One cannot test for compliance from the corporate center. A reviewer needs to visit locations, interview employees, test transactions, assess internal controls, and analyze interactions with third parties and other business partners.

Interviewing employees, including those who manage government relationships, may help a reviewer understand the major points of interaction with the government, including: whether the company’s employees entertain personnel of the government and state-owned enterprises; whether gifts and other benefits are provided to government personnel; whether employees understand the company policies on entertainment, gifts, and travel expenses; and also, whether or not there is an atmosphere that encourages the prompt reporting of suspected wrongdoing.

Testing a sample of transactions may be the only way to find out if the controls put in place are actually effective, if a company is adequately documenting expenses, and if there is appropriate and reliable third-party supporting documentation for the selected transactions. Testing of transactions may also help a reviewer understand the substance and business purpose of the transaction over its form.

In the example above, testing may reveal whether due diligence was performed on travel agents, if travel agency expenses are reasonable given fair market value, if fake invoices have been used, and whether expense claims by employees have irregularities.

Companies often find that the reality in the field is very different from the program envisioned at headquarters. One may find that hotlines are not available in the local language, that the training has not been understood in the field, or that the policies and procedures developed at headquarters are not implemented at locations. On-site internal reviews are an element of good business practice and can help prevent misconduct and uncover new risks.

In addition to improving the efficacy of the program, reviews can help a company demonstrate its compliance efforts if it finds itself in front of a prosecutor. A company may have to show that its anti-corruption compliance program exists, what the program consists of, and evidence of enhancements to it based on continually evolving information. A properly documented review undertaken in a systematic manner will help a company demonstrate the credibility of its program.

Companies should supplement internal reviews with independent external reviews on a regularly planned basis. External reviews can help a company take a fresh look at an existing program to learn about weak spots and areas for improvement, benchmark its program against other companies, or undertake a more comprehensive risk assessment. These external reviews need not cover the entire corporate entity, but can be tailored to a specific geographic region, business line, or a third-party supplier.

Generally, using an independent external reviewer forces a company to look at itself more critically than it might otherwise have done. Although external reviews are not a guarantee against improper conduct, they generally provide recommendations for improvement and strengthen a company’s efforts in creating a sustainable program.

In short, a strong risk assessment and internal reviews coupled with regular external reviews can help companies ensure that their programs are effective in preventing and detecting corruption. These and other recommendations are highlighted in Transparency International-USA’s (TI-USA) recently published report, Verification of Corporate Anti-Corruption Compliance Programs. Based on original research on the most commonly used methods of compliance verification, consultations with companies, anti-corruption practitioners, and investor groups regarding their compliance verification approaches and experience, as well as input from an expert advisory committee of US and international experts, the report is available at

Companies are still struggling with demonstrating that their compliance programs are effective. The numerous FCPA cases in recent years highlight that struggle. In 2013 alone, companies paid $731.1 million to resolve FCPA cases.[1] Two of the 12 corporate actions in 2013 also made their way into the top 10 FCPA cases.[2] TI-USA hopes that its report and implementable guidance will address this gap and result in strengthened corporate anti-corruption compliance programs and improved credibility regarding their effectiveness.

[1] “2013 FCPA Enforcement Index,” The FCPA Blog, 2014, available at

[2] id.