In the Evaluation of Corporate Compliance Programs under the section entitled, “Continuous Improvement, Periodic Testing and Review” it stated, “Internal Audit – What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?” 

Interestingly, Foreign Corrupt Practices Act (FCPA) compliance in many ways follows some of the paths laid out by corporate safety departments some 20-30 years ago when safety became much more high profile in US corporations. The safety committee and safety audits became mainstays of any best practices in the area of safety for a company. These techniques inform any anti-corruption best practices compliance program, either under the FCPA, UK Bribery Act or any other anti-corruption regime. Indeed, audits are specifically delineated in the 2012 FCPA Guidance to assist in the continuous monitoring of your compliance regime. Such an audit can be thought of as a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. There are three factors which are critical for a compliance audit to have a chance for success: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. 

Auditing can take several different forms in an anti-compliance program. As a matter of course, you should audit the compliance program in your own organization. A forensic audit can collect and analyze accounting and internal-controls evidence in your compliance regime. This information can be used to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of a forensic audit can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Further, an internal audit can review a compliance process to determine if employees are following prescribed processes or internal controls. 

In addition to the collection and analysis of evidence, an auditor's objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company's management is responsible. Obviously one of the functions of such an audit is to determine if further investigation is warranted. 

Once again this situation points out the difference between having a paper compliance program in place and the actual doing of compliance. Even with an appropriate oversight structure in place you must actually do the work going forward. 

Another area ripe for audit in your compliance program is your third parties. While there is no one specific list of transactions or other items which should be audited when it comes to your third parties below are some of the areas you may wish to consider reviewing: 

• Contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
• Determine that actual due diligence took place on the third party.
• Review the compliance training program for any third party; both the substance of the program and attendance records.
• Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
• Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
• Review expense reports for employees in high risk positions or high risk countries.
• Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
• Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks and what has been the result of any so identified?
• Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
• With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing. 

Auditing is a more limited review that targets a specific business component, region or market sector during a timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. In other words, the protocol is simple, everyone understands you need to audit, but try and cut costs or corners and you will pay for it in the long run.

Three Key Takeaways

1. Auditing takes a deep dive into your high-risk compliance areas.
2. Internal audit should test your key FCPA risk areas as a part of their regular auditor rotation.
3. The findings uncovered in an audit must be used in your compliance regime going forward. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.