Monitoring Anti-Corruption and Bribery Compliance Program

Anti-corruption monitoring is one of the most important elements of your compliance program. At a minimum, the U.S. Department of Justice requires that companies have a system in place to monitor their compliance program for effectiveness, as well as to perform regular audits to find any red flags. A compliance program is put into place to prevent corruption. When it does not, however, the company must have policies to detect corruption and fix any violations that it finds.

Monitoring a compliance program allows a company to determine the effectiveness of its program. It also allows the company to determine what additional or new efforts need to be made to further reduce risk.

Audits are done to check for any red flags in the company's operation, as well as to audit for compliance. An audit can also uncover new risks, so it acts as an assessment process as well as an audit. When a company conducts an audit, the audit should be an independent, stand-alone process. It should not be part of other procedures. In other words, it should not be combined with other auditing processes.

Building a Monitoring Program

A risk assessment is the best approach to building a monitoring program. The risk assessment will guide you as to what your monitoring program should include. It also allows a company to rank its departments and locations by their relative risks.

Once the risks are discovered and prioritized, the company can then decide how to conduct monitoring. Monitoring means reviewing the risks the company faces, then making sure there are controls, policies, and procedures in place to mitigate the risks. The company will have to decide how to allocate resources so that it can make sure risks are being mitigated. It may decide to do in-depth reviews of high-level risks and only high-level reviews of more minor risks. Even low risks should be monitored, since low risks can evolve into higher risks over time.

The risk assessment can be performed by having each department or location complete a questionnaire. The questionnaire is designed to gather information about the following things:

1. Significant government customers.

2. Requirements that are related to anti-corruption training.

3. The sales volume from government customers.

4. The anti-corruption policies and procedures that exist.

A company should assign roles and responsibilities for the monitoring program based on the resources available, the size of the company, and risks where the company does business. According to the Federal Sentencing Guidelines, the monitoring program needs high-level oversight. It should only be conducted by ethical employees. Some companies appoint an anti-corruption compliance officer to oversee monitoring.

The Compliance Audit 

The purpose of a compliance audit is to make sure the compliance program is effective, as well as to discover any bribery or corruption risks that exist. Any red flags that are uncovered during an audit should be dealt with using the company's compliance program.

The people who perform the audit should have the skills and expertise necessary so that the audit is effective. Skills needed for people who perform the audit include:

Knowledge of the FCPA, U.K. Bribery Act, and any other needed anti-corruption laws and regulations, such as those in countries where the company does business.

1. Analytical skills.

2. Experience conducting interviews.

3. Experience selecting high-risk transactions for testing.

4. Experience that will allow them to spot red flags.

5. Experience using data analytics tools.

6. Experience with FCPA, anti-corruption, or fraud investigations. However, an audit is not an investigation.

7. Knowledge of accounting principles (GAAP).

8. Knowledge of control systems.

If a company uses its own staff to conduct the audit, people involved are usually from the audit, compliance, and legal departments. However, it is not uncommon for companies to hire external forensic accountants to perform the audits.

Planning the Audit

Before an audit is performed, it is helpful to plan for the audit. You will want to define the purpose of the audit, the results of the last audit, the size and scope of the company, and the staff who will be involved in the audit. Create a planning document that includes organized steps to take.

In addition, before the audit is started, those tasked with performing the audit should have and confirm an organizational chart for the company that includes the responsibilities for all personnel and officers.

The audit team will need to identify and talk to managers and others in key roles to make sure they are familiar with all policies and procedures, as well as confirm that those policies and procedures are available to everyone. If a company has employees who speak different languages, then the policies and procedures should be available in those languages.

Management should also be aware of the corruption risks in their market or region, including any violations and responses to past violations. They should also be aware of their department or location's interaction with foreign government officials. The audit team should also talk to employees to get a feel for the message they are getting from the compliance and ethics policies and procedures, as well as how comfortable and familiar they are with them.

Reviewing Prior Incidents

Before the audit begins, the audit team should become familiar with past risk assessments and audits that were performed. Any suspected or known anti-corruption issues should be noted.

Review of the Training Program

A part of any audit must be to review the training program and make sure that all training is up-to-date. The audit team should review the training program to make sure a current version is being used and that training is available for those who speak a foreign language. It should also be checked to make sure that all employees are participating in training. If they are not, the reason why they are not needs to be discovered. If an employee is non-compliant with regular training, the consequences to the employee also need to be given.

One of the most important parts of an audit is third-party due diligence. The audit team will look at the money going out to these third parties, including invoice requirements, documentation requirements, etc. They should also look at who the third parties are, then verify that they have gone through the due diligence process. Contracts can also be reviewed to ensure they have the required provisions.

Customers and Vendors

The audit team should also review the sales and contracting process with customers, suppliers, and contracts. They should screen the list of customers, suppliers, and vendors against international watch lists, such as OFAC. Special attention should be paid to interactions with state-owned enterprises, as well as suppliers and contractors from a government agency.  

Accounting Policies and Payments

The audit team should review a sampling of contracts, as well as review payments made. They should make sure that the amount and manner of payments are in compliance with policies and procedures. In addition, they should make sure all payments were authorized. If they find unusual payments, the transactions relating to the contract should be reviewed and traced to bank accounts.

The payment red flags usually seen in connection with bribery, theft, or fraud are:

1. Multiple receipts or authorizations in the same handwriting, but dated on multiple days. This usually points to the documentation all being written on the same day.

2. Suspicious documentation.

3. Payment traced to a bank account that does not match.

4. A payment completed by an employee who was not authorized.

5. Large payments for services or products that should not require large payments.

6. Payments without an invoice or contract.

7. No documentation.

8. Unusual items being purchased or unusual descriptions for items.

Cash Disbursements

The audit team should also test cash disbursements to vendors by getting a summary disbursement schedule by vendor that includes the total amount spent by vendor for the year that is being reviewed. The vendor names and dollar volume by vendor should be reviewed. The audit team should ensure that disbursements are compliant with the accounting controls and policies, and that there are no unusual expenses.

Petty Cash and Facilitation Payments

Petty cash should be reviewed by the audit team for any unusual expenses or patterns. What's more, the audit team should take a hard look at any facilitation payments made to ensure that they are compliant with policies and procedures, and there are not any red flags. 

Charitable Gifts

The documentation for any charitable gifts should be examined to make sure due diligence policies were followed. If necessary, the audit team should interview employees about any charitable giving to make sure that due diligence policies were followed.

Relatives of Foreign Officials

Another part of the audit process is examining the employee list of the company, then finding out from HR if any employee is connected with a foreign official. If an employee is related or connected to a foreign official, the audit team should check to make sure that proper hiring procedures were followed and the employee was qualified to do the job for which they were hired.

Reporting by Employees

The audit team should also review and assess the employee reporting system. The employee reporting system is how employees report claims or suspicion of corruption. Part of the audit team's job will be to make sure that whistle-blower policies are followed and to examine how any reports were handled. The audit team should ensure that reports were escalated properly according to policy.

Further Testing

Other areas that should be tested by the audit team include:

  • Meals, entertainment and gifts involving government officials.
  • Employee expenses.
  • Employee credit cards.
  • Payroll records.
  • Credit notes processes.
  • Licenses, permits, fines, and settlements - or government oversight.
  • International logistics providers and dealings with customs.


The results of an audit should be included in a report. Although there are not any standards for such a report, the following things should be included: the scope of the audit, the time frame for testing, and interviews. The report should also go into detail in reporting non-compliance issues, as well as suggestions for improvement. Non-compliance issues listed in the report should describe the type of non-compliance. If there are policy violations or inadequate policies or procedures, those should be detailed as well. The report can also contain recommendations for improving accounting and financial controls.

Using Data Analytics in Monitoring

Financial systems are becoming more automated. That makes the use of data analytics for monitoring an efficient and effective option for companies. Data analytics can be used to monitor the effectiveness of a compliance program, but it can also be used for transaction testing during an audit. It can also be used to monitor certain accounts or payments.

There are several analytical tools a company can use to identify and measure risk. Vendor analytics is a data analysis tool that can be used to find risk traits that are associated with higher risk vendors. It can help identify high risk locations, offshore banking, associations with government officials, vendors with similar addresses, etc.

Listed below are some effective data analysis tools that companies use:

1. Suspicious Key Word Matching. This data analysis tool looks for payment transactions that have suspicious words in certain fields, such as gifts, facilitation, and cash.

2. Repeat Even Dollar Transactions. This looks for employees who have a particular number of even-dollar cash expenses that are above a specified amount in a specified period of time.

3. PEP/OFAC Sanctioned Providers Name Matching. This tool identifies expense transactions where the vendor name closely matches a name found on the OFAC list, or another supplied list.

4. Transactions with High Risk Countries. Payments made to vendors or people in high risk countries are identified.

5. Overpaid Purchase Orders. Purchase orders are identified where the total payment was larger than the amount on the purchase order.

6. Flip-Flop Bank Accounts. This tool identifies vendors that have had multiple bank account changes over a specified period of time.

It's important to use the right data analytics tools to find and assess risk. The data will speak for itself and reveal any anomalies. However, it's just as important to have a trained staff that can interpret and recognize anomalies in the data.
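
Four of the tests listed above (1, 2, 5 and 6), sketched in Python as an added example that is not part of the original article. The record layout, field names, thresholds and sample data are all constructed assumptions; amounts are held in integer cents so the even-dollar and overpayment checks are exact.

```python
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records (assumed layout): amounts in cents, "cash" marks cash expenses.
PAYMENTS = [
    {"id": "P1", "emp": "alice", "po": "PO-1", "cents": 70000, "day": date(2023, 3, 1), "memo": "Customs facilitation fee", "cash": False},
    {"id": "P2", "emp": "alice", "po": "PO-1", "cents": 45050, "day": date(2023, 3, 9), "memo": "Freight balance", "cash": False},
    {"id": "P3", "emp": "bob", "po": None, "cents": 50000, "day": date(2023, 3, 2), "memo": "Client dinner", "cash": True},
    {"id": "P4", "emp": "bob", "po": None, "cents": 30000, "day": date(2023, 3, 15), "memo": "Gifts for delegation", "cash": True},
    {"id": "P5", "emp": "bob", "po": None, "cents": 40000, "day": date(2023, 3, 20), "memo": "Taxi and meals", "cash": True},
    {"id": "P6", "emp": "carol", "po": "PO-2", "cents": 499999, "day": date(2023, 3, 5), "memo": "Consulting", "cash": False},
]
PO_CENTS = {"PO-1": 100000, "PO-2": 500000}  # approved purchase order amounts
BANK_CHANGES = [("Acme Freight", date(2023, 1, 5)), ("Acme Freight", date(2023, 2, 11)),
                ("Acme Freight", date(2023, 3, 3)), ("Delta Supply", date(2023, 2, 1))]

def keyword_hits(payments, words=("gift", "facilitation", "cash")):
    """Test 1: ids of payments whose memo contains a word starting with a listed term."""
    pat = re.compile(r"\b(" + "|".join(map(re.escape, words)) + ")", re.I)
    return [p["id"] for p in payments if pat.search(p["memo"])]

def repeat_even_dollar(payments, start, end, min_cents=25000, min_count=3):
    """Test 2: employees with min_count or more even-dollar cash expenses above min_cents in [start, end]."""
    n = Counter(p["emp"] for p in payments if p["cash"] and start <= p["day"] <= end
                and p["cents"] > min_cents and p["cents"] % 100 == 0)
    return sorted(e for e, c in n.items() if c >= min_count)

def overpaid_pos(payments, po_cents):
    """Test 5: map of PO number to overpayment (cents) where total paid exceeds the PO amount."""
    paid = defaultdict(int)
    for p in payments:
        if p["po"]:
            paid[p["po"]] += p["cents"]
    # A PO missing from po_cents is treated as approved for 0, so any payment flags it.
    return {po: total - po_cents.get(po, 0) for po, total in paid.items()
            if total > po_cents.get(po, 0)}

def flip_flop_vendors(changes, start, end, min_changes=3):
    """Test 6: vendors with min_changes or more bank account changes in [start, end]."""
    n = Counter(v for v, day in changes if start <= day <= end)
    return sorted(v for v, c in n.items() if c >= min_changes)

if __name__ == "__main__":
    q1 = (date(2023, 1, 1), date(2023, 3, 31))
    print("keyword hits:", keyword_hits(PAYMENTS))
    print("repeat even-dollar:", repeat_even_dollar(PAYMENTS, *q1))
    print("overpaid POs:", overpaid_pos(PAYMENTS, PO_CENTS))
    print("flip-flop vendors:", flip_flop_vendors(BANK_CHANGES, *q1))
```

Each function returns candidates for review rather than findings: a hit still has to be traced to contracts, invoices and bank records by the audit team.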