Detecting illegal payments concealed in accounting records is a top priority both for internal audit and anti-bribery compliance. Corruption risk is a significant and growing concern for global companies. Many countries are passing and enforcing extra-territorial anti-corruption legislation, and tips to the authorities are increasing because of financial incentives. Improper payments are difficult to identify. They could be disguised as agent and third party commissions, fees and expenses. Other schemes may be more complicated such as inflated invoices, deceptive commission arrangements, and the use of a complex web of intermediaries, shell companies and bank accounts.
Specific anti-bribery controls, performed by the 3 Lines of Defense, should be proportionate to the risks created by each type of transaction. Compliance and internal audit should agree on the same risk factors and their assessment so that they can combine their scope in testing and monitoring.
The bribery and illegal payment risks are usually linked to:
- where the service is provided, the payment is requested, and the supplier is domiciled (e.g. countries with high perceived corruption or tax havens, new market sectors, off-shore jurisdictions)
- who is involved (e.g. public officials, small companies, new vendors, due diligence with comments/red flags, subcontractors, associations and JVs, requirements of associated persons)
- what service is provided (e.g. consultancy, licenses, customs and shipping services, public procurement, complex or new projects, incentives and pressures to complete a project)
- how the service is contracted and paid (e.g. the payment method, pre-determined flat fee, success fees, commission clauses, reimbursed expenses, deal type)
Risk mapping for corruption should balance “the where”, “the who”, “the what” and “the how”. Many companies link their bribery risks only to high-corruption countries and overlook the wider environment of a transaction.
Both compliance and internal audit aim at developing effective financial and commercial controls to mitigate bribery risks, as well as money laundering and occupational fraud in general. Since the control objectives and the bribery risk map are shared, both areas can coordinate their actions to get the same comfort level while remaining accountable for their specific responsibilities. Internal audit will benefit from sharing its work programs with compliance, to stay focused on key controls and to avoid any duplication of effort. Likewise, compliance will benefit from receiving the audit reports and monitoring the remediation plans, so it can refocus its program on areas of heightened scrutiny.
Compliance and Internal Audit may combine their reviews to detect illicit payments by separating the process into 3 stages: design, control efficiency and monitoring. The following sections suggest ideas for a collaborative approach.
Testing the control design by Internal Audit
- Review of segregation of duties in approving new vendors, contracts, service receptions and payments, assuring the appropriate seniority of approvers and their effective counterbalance.
- Review of anti-corruption obligations in contracts with business partners and the appropriate indemnity and warranty clauses.
- Ensure that the accounting staff is trained to book entries to the correct purchasing and payment categories, and to add meaningful and clear descriptions for entries. No auxiliary spreadsheet should support a global journal entry without disclosing itemized information about the service and the supplier.
- Ensure that the financial controllers are trained about the anti-bribery, travel and expense rules, cash and bank controls, and how to identify red flags.
Substantive testing for control efficiency by Compliance (reassured by Internal Audit)
- Test the effectiveness of the pre-contract due diligence, the verification of services and the fairness of the paid amount by selecting payments linked to all levels of risk (including any suspiciously unnecessary contracting, by non-statistical sampling). Focusing the payment testing only on high-risk transactions or on statistical sampling may be ineffective to cover all risks.
- Audit of third parties (on-site compliance audits): background checks on executives, owners and assigned employees (party screening); assure the training on extortion and bribery provisions and controls for vendor employees; confirm the circumstances under which the third party was engaged and instructed; and check that the service was engaged only after the due diligence was finished.
- Review the existence of enquiries from the approvers to validate the service legitimacy. Approvals should be based on a statement of received services, summarizing the works and deliveries provided. The review needs to cover the disclosed conflicts of interest.
Monitoring by Compliance (quarterly watch-lists to trigger specific reviews by Internal Audit)
- Automatic queries to list gifts, meals, entertainment, travel expenses, sponsorships, and political and charitable contributions, to link them to the approval by senior executives and to the applicable limits.
- Automatic queries to list payments to third parties, including vendors, suppliers, resellers, distributors, agents and consultants (lawyers and accountants).
- Payments to offshore bank accounts, or to locations or in currencies that differ from the vendor's.
- Automatic queries to list upfront payments, advances and customer rebates.
- Commissions paid outside the usual trend for the type of service, or versus the monthly average.
- Substantial price increases or decreases.
- Automatic queries to highlight changes in lease expenses, in particular for equipment.
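As an added illustration of the watch-list rules above (not code from the original article), the following Python script runs three of them over a constructed sample ledger: payments routed to a bank outside the vendor's country or in a foreign currency, commissions far above the running average for the same service, and substantial unit-price changes for the same vendor and item. The ledger rows, the rule names and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean
# Constructed sample ledger (not real data): one row per booked payment.
LEDGER = [
    {"id": 1, "vendor": "AgentCo", "vendor_country": "FR", "bank_country": "FR", "currency": "EUR",
     "category": "commission", "item": "sales commission", "unit_price": 1000.0, "amount": 1000.0, "month": "2023-01"},
    {"id": 2, "vendor": "AgentCo", "vendor_country": "FR", "bank_country": "FR", "currency": "EUR",
     "category": "commission", "item": "sales commission", "unit_price": 1100.0, "amount": 1100.0, "month": "2023-02"},
    {"id": 3, "vendor": "AgentCo", "vendor_country": "FR", "bank_country": "KY", "currency": "USD",
     "category": "commission", "item": "sales commission", "unit_price": 4000.0, "amount": 4000.0, "month": "2023-03"},
    {"id": 4, "vendor": "LeaseCo", "vendor_country": "FR", "bank_country": "FR", "currency": "EUR",
     "category": "lease", "item": "forklift lease", "unit_price": 500.0, "amount": 500.0, "month": "2023-02"},
    {"id": 5, "vendor": "LeaseCo", "vendor_country": "FR", "bank_country": "FR", "currency": "EUR",
     "category": "lease", "item": "forklift lease", "unit_price": 800.0, "amount": 800.0, "month": "2023-03"},
]
def by_month(ledger):
    return sorted(ledger, key=lambda e: e["month"])

def flag_location_mismatch(ledger, home_currency="EUR"):
    """Payments sent to a bank outside the vendor's country, or in a foreign currency."""
    return [e["id"] for e in ledger
            if e["bank_country"] != e["vendor_country"] or e["currency"] != home_currency]

def flag_commission_outliers(ledger, factor=2.0):
    """Commissions above `factor` times the average of earlier commissions for the same service."""
    history, flagged = defaultdict(list), []
    for e in by_month(ledger):
        if e["category"] != "commission":
            continue
        prior = history[e["item"]]
        if prior and e["amount"] > factor * mean(prior):
            flagged.append(e["id"])
        prior.append(e["amount"])
    return flagged

def flag_price_changes(ledger, threshold=0.25):
    """Unit-price moves of more than `threshold` versus the previous booking of the same item."""
    last, flagged = {}, []
    for e in by_month(ledger):
        key = (e["vendor"], e["item"])
        if key in last and abs(e["unit_price"] - last[key]) / last[key] > threshold:
            flagged.append(e["id"])
        last[key] = e["unit_price"]
    return flagged

def quarterly_watchlist(ledger):
    """Watch-list handed to Internal Audit: rule name -> ids of entries to review."""
    return {"offshore_or_foreign_currency": flag_location_mismatch(ledger),
            "commission_outliers": flag_commission_outliers(ledger),
            "price_changes": flag_price_changes(ledger)}
```

Entry 3 trips all three rules at once, which is the kind of convergence that should move a payment from the watch-list into a specific review.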