
Tools of The Trade

Written by Erin R. Schrantz, Partner, Jenner & Block LLP

At ethics and compliance conferences, compliance professionals often debate techniques to answer one fundamental and persistent compliance question: How do I know my compliance program is doing what it’s supposed to do? The discussion often circles around tried-and-tested strategies that compliance professionals have employed over the years with varying degrees of success:

  • Peer review: Have a compliance professional in your industry review your company’s compliance program to identify areas of improvement.

  • Benchmarking: Review what your competitors are doing with their compliance programs and assess how your program measures up.

  • Employee feedback: Whether accomplished through surveys or focus groups, solicit feedback from employees on their views of the efficacy of the company’s compliance program.

Each of those tools plays an important part in measuring, testing and improving an organization’s compliance program. Yet, in the anti-corruption arena, these tools may not go far enough to detect high-risk conduct before it balloons into criminal exposure under the Foreign Corrupt Practices Act, the U.K. Bribery Act, and the myriad of local anti-corruption laws that multinational corporations must contend with every day. They may also fall short in testing whether the company has bred and nurtured a culture of compliance.

Peer reviews and benchmarking focus on the compliance infrastructure. They look at whether an organization has the requisite components of an effective compliance framework, such as appropriate policies and procedures, a robust training program and a mechanism to monitor compliance. Yet, neither peer review nor benchmarking is very effective at detecting whether specific conduct is afoot that may put a company at risk of violating anti-corruption laws.

Focus groups and employee surveys can be targeted to identify specific instances of non-compliance, but they suffer from a different weakness. By design, these tools elicit self-selected information – employees will only share with you what they choose to share with you. Not surprisingly, wrongdoers rarely confess their wrongdoing in a survey response. And employees who suspect others of wrongdoing often do not voice their concerns—or, they voice them too late.

Perhaps the most effective tool to probe the efficacy of a company’s anti-corruption compliance measures is a risk-based audit. Think of a preemptive, small-scale review targeted to uncover high-risk behavior before an issue surfaces on the company’s hotline, or worse, becomes the subject of a whistleblower complaint. Many organizations use their internal audit function to monitor compliance with company policies and procedures, but internal audit teams are often trained to spot financial control weaknesses, not corruption risk. Or, the internal auditors simply lack the resources to attack the corruption risk areas in a systematic and regular fashion.

A properly designed anti-corruption compliance audit can be a very effective tool to measure a company’s culture of compliance and help ferret out specific risky behavior before a company trips over anti-corruption laws. Carrying out periodic anti-corruption audits can be expensive. Yet, the benefits of a strong, well-tested compliance program make the investment worthwhile by minimizing the risk of costly fines, penalties and reputational damage. Periodic anti-corruption audits can also help companies make continuous improvements to their compliance programs – an important compliance “hallmark” that the Department of Justice and the Securities and Exchange Commission called out in their November 2012 FCPA Guidance.

Designing The Anti-Corruption Compliance Audit

Compliance professionals can follow some straightforward steps to carry out an effective anti-corruption audit. A careful risk assessment – described in Step One below – should inform the degree to which a company implements the subsequent audit steps. The higher your corruption risk level, the harder your audit should push on the potential soft spots.

Step One: Identify corruption high-risk areas within the organization.

Know which aspects of the company’s business pose the greatest corruption risk. Consider these questions:

  • Does the company have operations in countries with low corruption perception index scores from Transparency International?
  • What are the company’s touch points with government organizations in those countries? For example, government relations, customs and tax departments typically have routine interaction with government officials, or use brokers and consultants who interact with officials on the company’s behalf. Any company department that has regular business pending before government agencies, or interacts frequently with government officials, may pose an enhanced corruption risk.

Based on the answers to these questions, develop a list of the company’s business units that pose the highest corruption risk. Perhaps start with the customs group in Brazil, the government relations office in Beijing or the logistics department in Uzbekistan. The particular business unit to be audited first is not critical. The point is that the audit team has developed a risk-based list of business units to test as part of a periodic, anti-corruption audit schedule.

Step Two: Identify employees in high-risk areas who may be in harm’s way.

Identify the specific employees in high-risk business units who have the most face time with government officials. To put it simply, they are the most likely in harm’s way when it comes to corruption risk. The type of interaction may vary from business unit to business unit. In the government relations unit, for example, the most senior director may have the most direct interaction with officials. In the tax department, the lower-level tax employee who manages the tax consultant relationship may be most exposed to risk. Here are some steps to find the right people to include in the audit:

  • Review the org charts and job descriptions for employees in the high-risk business units.
  • Consult with local management and local legal and compliance leads as needed to help identify the right people.
  • Pick the top one or two employees from the high-risk business unit who have the most direct, substantial interaction with government officials, either directly or through their work with third parties.

Step Three: Solicit documents and information from high-risk employees.

Identifying the right kinds of documents and asking employees for them is a basic audit tool and can be used effectively in a corruption audit. Here’s one way to approach it:

  • Pick discrete categories of documents that are most relevant to the audit. For example, if a high-risk business unit had a major transaction pending approval before the Ministry of Finance in 2012, consider requesting all communications with Ministry of Finance officials for that year.
  • Develop a short list of questions to elicit the names of third parties who interface with government officials on behalf of the business unit. For example, ask for a list of all customs clearing agents the business unit has used for the past two years.
  • Send an email to the high-risk employees (i) letting them know the compliance department is conducting a routine audit and (ii) asking them to provide the relevant information and documents by a certain date.
  • Consider setting up an electronic mailbox to which the high-risk employees can submit the requested documents and information.

Step Four: Pull emails from the high-risk employees.

Emails are enormously useful in a corruption audit, whether they show that employees are adhering to the rules or, regrettably, that there is a need for improvement. The scope of email review when testing compliance systems can be far more targeted than in full-fledged litigation or an investigation, the contexts in which most litigators encounter document review. Consider these strategies to keep the email collection focused:

  • Leverage the information learned from the documents and data collected in Step Three. Use that information to craft narrow search terms and date ranges around particular transactions, government officials’ names or other key data. Do not forget to include local variations on corruption terms in your searches.
  • Work closely with the company’s in-house IT team or an outside IT consultant. Emails can be pulled discreetly if they are stored on a central server.
  • Do not forget local data privacy laws! In some jurisdictions, local laws restrict the ability to collect and review employee emails absent documented suspicion of wrongdoing.
  • Keep search syntax fluid. Revisit and revise search terms and date ranges as the audit team learns new information from the email review.

Step Five: Identify and analyze relevant accounting data.

As in a financial audit, accounting records may be critical to an anti-corruption audit. Bribes and improper payments can sit on a company’s books in the guise of “consulting fees,” “miscellaneous expenses” or other vaguely described and ill-supported expenses. Based on the information learned in Steps Three and Four, determine which accounting records will aid the audit process. For example, your audit team may want to peek at the following kinds of records:

  • Expense reports for high-risk employees who interface with government officials.
  • Invoices and contracts for third-party vendors who interact with officials on behalf of the audited business unit.
  • Accounts payable entries for identified high-risk vendors.

Importantly, be careful not to “silo” the accounting review and email review. The output from the audit will only be as good as the information sharing that occurs during the audit. As the audit team learns information from the emails – such as the name of a suspicious vendor – the information must migrate to the individuals reviewing the accounting records. This two-way street of information ensures the whole audit team has the benefit of each team member’s knowledge in real time.

Step Six: Consider witness interviews.

If the audit surfaces concerning behavior that poses a risk of violating anti-corruption laws, consider interviewing the relevant employees and personnel. At this stage of the audit, you will want to assess whether such interviews should be handled by the audit team, compliance staff, in-house counsel or outside counsel.

Step Seven: Analyze and document the audit findings.

As in a financial audit, document the findings of the anti-corruption audit, specify next steps and remedial measures and hold the business unit to them. The audit report may describe:

  • Instances of non-compliance with company policies or procedures.
  • The necessity for a full-blown internal investigation.
  • The necessity of improved training for particular employees or business units.
  • Recommended changes to company policies or procedures.
  • Recommended remedial measures with respect to particular employees or third-party vendors.

Internal audit teams are well trained to make sure specific financial improvements and controls get implemented. Leverage that expertise to ensure that the specific anti-corruption remedial measures are implemented per the audit findings.

Who Should Conduct the Audit?

There is no one-size-fits-all answer to the question of who should wield this anti-corruption audit tool. One option is to train a handful of internal auditors on corruption risk and leverage them as an internal resource. If the company lacks the internal resources for that approach, consider using outside counsel in tandem with the company’s internal accounting staff. Outside counsel may be more expensive, but the cost of a preemptive anti-corruption audit may save the company a much heftier price tag down the road. Outside counsel may also bring the benefit of experience performing similar audits for other companies, and with that experience, an independent assessment of how the company’s compliance program compares to others. Another important consideration is the attorney-client privilege: Using outside counsel to perform the audit may bring with it the protections of the attorney-client privilege, depending on the jurisdiction.

In an era of increasing FCPA and anti-corruption enforcement activity, every compliance effort counts. Tone at the top, strong policies and procedures, and excellent training are the bedrocks of any effective compliance program. Yet, a focused and risk-based audit protocol emerges as a critical tool to test the waters, as it can assess whether your employees are following the rules or engaging in risky behavior that may subject the company to exposure down the road.


Erin R. Schrantz is a litigator with experience in a broad range of complex commercial matters and white collar investigations. Clients seek her counsel on tort claims, breach of contract disputes, and statutory claims in state and federal courts. She conducts internal investigations and provides compliance counseling for large corporate clients who are faced with potential allegations of wrongdoing, including on the Foreign Corrupt Practices Act.
