It is surprising how little attention is paid to the issue of monitoring an anti-corruption compliance program. I guess implementing a compliance program is like finishing a painting – you stand back and marvel at your accomplishment. In reality, compliance is always a continuous process. Once you think you are finished, it is time to start all over again.
Your starting point for all compliance projects is your risk assessment. Even when it comes to monitoring, you start with relative risks – where in the company are you most at risk? What controls are needed to minimize those risks? How and when should your financial and compliance audits be conducted?
Two tools are often used in the monitoring process – questionnaires and compliance audits. Questionnaires can be completed by managers within the company and used to measure the level of risk. Based on such information, relative risks can be assigned inside the company. This same calculation can be used for assigning relative monitoring risks.
Compliance audits are more resource intensive but provide a more accurate picture of the performance of the compliance program. Some companies have employed random audits on business units as a way to maximize internal compliance efforts.
Compliance audits need to be conducted by teams made up of personnel from the compliance team, internal audit and legal. In preparation for any audit, the team needs to gather relevant financial and compliance information relating to an entity that they intend to audit.
The focus of the compliance audit includes a review of: anti-corruption policies and procedures; the accounting system; cash payments; and review of third-party agents.
A review of anti-corruption policies and procedures is important as a basic measure of performance. An audit may reveal areas where businesses are not following policies and procedures. It may also reveal that additions or modifications to the program are needed.
A financial review starts with examining the business accounts – the general ledger account headings may reveal accounts which could mask or contain bribes (e.g. gifts, travel, marketing, entertainment, charitable donations, consultant fees, licenses and permits, commissions). When looking at specific accounts, the team needs to review specific transactions and examine any potentially troubling transactions.
As part of a financial review, cash disbursements need to be reviewed. A summary of each vendor or third-party agent should be prepared and specific examinations should be conducted on those which are identified based on potential corruption risks. Individual transactions and supporting documentation for these transactions have to be reviewed. Additional financial testing should be conducted on bank accounts, petty cash accounts, travel and entertainment, credit cards, gifts, meals and entertainment, regulatory fees, and charitable donations.
The audit team needs to conduct interviews of key personnel as part of the review. The focus of these interviews has to be familiarity with the compliance program and adherence to the applicable procedures. The interviews should be tough and pointed, with a focus on those personnel who may have involvement of knowledge of illegal payments.
The audit also needs to examine records of employee training. The team needs to make sure that employees have completed training. The training materials should be reviewed for accuracy.
Finally, the audit teams needs to prepare a detailed written report which addresses the strengths and weaknesses of the compliance program, instances of non-compliance, and recommendations for improvements to the compliance program.