Although an expectation of irreproachable ethics and honesty ideally sets the bar for corporate accountability around the globe, bribery and corrupt practices come to light all too often in the business world. It’s not as though organizations don’t know better. Corruption is nothing new and laws and regulations have been on the books for decades.
However, as more organizations have expanded their global footprint, the risks have also increased. A strong tone at the top is essential to ensure strong internal control and effective governance if an organization seeks to limit exposure that could threaten the best interests of its stakeholders, as well as its very sustainability.
Notable organizations are undergoing investigations to determine whether previous or current employees were involved in corrupt practices such as conflicts of interest, self-dealing, or illegal activities. Even when such organizations fully cooperate with federal authorities, conduct internal investigations, and self-report, the financial loss of corruption can ultimately be in the millions, if not billions, and the reputational impact can be even more devastating.
In 2010, the G20 issued a nine-point anti-corruption action plan designed to challenge G20 countries to lead by example, adopt and enforce laws, prevent corrupt officials from accessing the global financial system and from travelling abroad, and protect whistleblowers. However, Transparency International reports that the results of a recent survey indicate that more than half of the citizens in G20 countries believe corruption has increased in their countries over the past three years. This is in spite of additional anti-bribery legislation in China, Russia, and the U.K. and pending legislation in India and Indonesia.
Vulnerability and Liability
An organization’s governance entity sometimes finds itself under investigation when the organization fails to comply with requirements such as those mandated by anti-bribery and corruption laws. For example, according to the U.S. Federal Sentencing Guidelines, the board of directors must exercise reasonable oversight with respect to the implementation and effectiveness of the organization’s compliance and ethics program. And it is essential that the board obtain the information required to make an independent judgment.
Without adequate and accurate information about policies, practices, and risks, the board cannot possibly fulfill its critical governance role.
Often, directors become defendants in shareholder actions. In the case of FCPA, companies are prohibited from indemnifying directors for any fines. To protect themselves, board members must be prepared. According to the global law firm of Jones Day, the best way to begin is by asking the right questions. On its website, the firm suggests 10 FCPA-compliance issues on which the board of directors should be well informed. For the purpose of this publication, we are addressing several of these issues from a broad perspective — regardless of the geographic location, specific law, or regulation — along with the internal auditors’ role in each.
Questions Directors Should Ask
■■ Do we set and communicate the right tone at the top?
Those at the top are undeniably responsible for setting the tone for organizational behavior. By not only “talking the talk,” but also “walking the walk,” the most ethical and effective boards and executive management demonstrate unwavering integrity as a model for employees at all levels of their organizations. They are diligent in communicating key messages regarding corporate ethics and behavioral expectations, and ensure there is no doubt in anyone’s mind that questionable practices by managers, employees, and contract personnel are strictly prohibited. They also make it known that, should such behavior be discovered, swift and severe actions will take place.
Answer: As a part of their assessment of “soft controls,” internal auditors can assess the tone at the top and to what extent it is communicated. Should they find that the messages are confusing or conflicting, they can make recommendations to management for more effectively communicating the code of conduct and expectations of ethical behavior.
■■ Do we effectively assess our compliance risks?
Assessing these risks is an essential part of an organization’s enterprise risk management process. Examining the possibilities for compliance-related exposure and vulnerability must be built into the risk assessment process.
Answer: Internal auditors can assess opportunities for corruption at all levels, all locations, and under all circumstances and report their findings, along with their assessment of the accompanying controls, to those at the top. This also enables the auditors to consider corruption risks when developing their risk assessments, specifically around whether the organization is in compliance with federal and international laws.
■■ Do we have effective standards, policies, and processes to address our compliance risks?
Standards set the bar for effective internal controls. Policies, procedures, and processes should support and contribute to the effectiveness of the standards, reinforce core ethical values, and uphold the prescribed code of conduct.
Answer: Internal auditors can evaluate the standards and determine whether accompanying policies and procedures are being followed, assess the risk management practices to mitigate compliance exposure, and assess the effectiveness of the organization’s internal control to manage compliance risk.
■■ How do we monitor and audit to detect inappropriate conduct?
It is essential that internal control keeps pace with change, and monitoring — both by supervisory personnel and internal audit — is critical in any dynamic environment.
Answer: An important role for internal audit is to assess whether the internal controls are strong enough to mitigate the organization’s risks. The function can determine whether controls are adequately designed and are operating effectively. If a determination is made that existing controls are inadequate, internal audit may offer recommendations for how management can strengthen the design and/or operating effectiveness of the control environment.
■■ How do we review the effectiveness of our compliance program?
Organizations should take reasonable steps to evaluate whether their compliance and ethics programs are effective. Processes such as control self-assessment (CSA) often are implemented to review compliance program effectiveness. Other measures include tracking activities that determine whether the internal auditors’ recommendations have been implemented, providing statistics on employee complaints and disciplinary actions, and gauging the level of training that has been provided. Once this information has been gathered, in-depth assessment should take place to determine whether enough is being done to ensure compliance.
Answer: Internal auditors are well equipped to play a key role throughout this assessment process. Often, they are directly involved in some aspect of assessing risk management, conducting CSA workshops, reviewing employee hotline information, collecting data on recommendation implementation, and assessing whether there are gaps in employee training that present additional risks to an effective and ethical corporate culture.
Detection and Prevention
Although there are no guarantees for insulating today’s high-tech global business environment from bribery and corruption, knowing that the internal auditors are always listening, watching, monitoring, and assessing can significantly increase an organization’s confidence that it is doing the right thing and being viewed in a positive light.
Internal auditors should be key players in any detection and prevention initiative. They contribute to the organization’s safety net and — in regard to laws and regulations — are invaluable in helping ensure compliance and internal control effectiveness.
This article originally appeared in The Institute of Internal Auditors’ Tone at the Top August 2012 newsletter. With more than 170,000 members in 165 countries, The Institute of Internal Auditors is internationally recognized as the global voice and standard-setting body for the internal audit profession.
Tone at the Top provides executive management, boards of directors, and audit committees with concise, leading-edge information on issues such as ethics, internal control, governance, and the changing role of internal auditing.
This article originally appeared on corporatecomplianceinsights