Audit Procedures for FCPA Testing


Article by Prof. Hernan Huwyler, MBA, CPA, CAIO
AI GRC Director | AI Risk Manager | Quantitative Risk Lead
Speaker, Corporate Trainer and Executive Advisor
Top 10 Responsible AI and Risk Management by Thinkers360

FCPA Audit Procedures: A Practical Framework For Testing Anti-Bribery Controls

The Role Of Periodic Testing In FCPA Compliance

An effective Foreign Corrupt Practices Act compliance program requires more than policies and training. It requires periodic testing of the controls designed to prevent, detect, and respond to corrupt payments. Testing reveals whether the controls that management has designed are actually functioning in practice, identifies areas of vulnerability that may not be visible through routine monitoring, and provides the evidentiary foundation for demonstrating program effectiveness to regulators in the event of an inquiry.

The DOJ and SEC Resource Guide to the U.S. Foreign Corrupt Practices Act, originally published in 2012 and updated in 2020, identifies testing as a hallmark of an effective compliance program. The DOJ Evaluation of Corporate Compliance Programs, most recently updated in 2023, specifically asks whether the organization conducts periodic reviews and testing of its compliance controls, and whether the results of that testing inform updates to the program. The DOJ guidance makes clear that prosecutors will evaluate not only whether testing occurs but whether the organization acts on the results, updating policies, controls, and risk assessments to address identified weaknesses.

The FCPA contains two distinct sets of provisions that create compliance obligations. The anti-bribery provisions prohibit the payment of anything of value to foreign government officials for the purpose of obtaining or retaining business. The books and records and internal accounting controls provisions under Sections 13(b)(2)(A) and 13(b)(2)(B) of the Securities Exchange Act require issuers to maintain books and records that accurately and fairly reflect transactions and to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed and recorded in accordance with management's authorization. These accounting provisions apply regardless of whether a bribe has occurred and are frequently the basis for enforcement actions even in the absence of a proven corrupt payment. An effective FCPA audit program must test controls that address both sets of provisions.

The following framework organizes common FCPA audit procedures by control domain, providing a structured approach for internal audit, compliance, and external advisors conducting periodic reviews.

Entity-Level And Program-Level Controls

The foundation of any FCPA audit begins with an evaluation of the organization's entity-level anti-corruption controls, meaning the policies, governance structures, and oversight mechanisms that establish the compliance framework within which all transaction-level controls operate.

Anti-Corruption Policies And Procedures. The audit should verify that the organization maintains clearly articulated FCPA and anti-corruption policies and procedures that are applicable to all company personnel, directors, officers, and third-party intermediaries including agents, consultants, distributors, and joint venture partners. The policies should address not only the FCPA but also the UK Bribery Act 2010, France's Sapin II, and other applicable extraterritorial anti-corruption laws under which the organization may have obligations. Policies that address only the FCPA without acknowledging other applicable regimes create compliance gaps that the audit should identify.

Policy Communication And Accessibility. The audit should confirm that anti-corruption policies have been communicated to all levels of employees, including personnel in overseas operations, and that translations are available in the local languages of every jurisdiction where the organization operates. Communication should not be limited to initial distribution. The audit should evaluate whether periodic reinforcement occurs and whether employees are required to acknowledge receipt and understanding of the policies.

Training Programs. The audit should assess whether mandatory anti-corruption training is provided to all personnel with FCPA-relevant responsibilities, including sales and business development teams, legal staff, internal audit, accounting and finance personnel, and management at all levels. Training should also extend to agents, sub-agents, distributors, and business partners who act on behalf of the organization. The audit should evaluate whether training content is tailored to the specific risks of each audience, whether it is refreshed periodically to reflect changes in the regulatory environment and enforcement trends, and whether completion is tracked and enforced.

Whistleblower And Reporting Mechanisms. The audit should verify the existence and effectiveness of a compliance hotline or other reporting mechanism that allows employees and third parties to report suspected violations confidentially and, where permitted by local law, anonymously. The evaluation should extend beyond the existence of the channel to assess whether the mechanism is accessible, trusted, and actively used. Low reporting volumes may indicate either a strong ethical culture or a channel that employees do not trust or know about. The audit should examine how reports are triaged, investigated, and resolved, and whether the organization tracks reporting trends and response times as compliance metrics.

Compliance Governance And Oversight. The audit should confirm that responsibility for FCPA compliance has been assigned to one or more senior executives with adequate authority, resources, and access to the board or audit committee. The DOJ Evaluation of Corporate Compliance Programs specifically examines whether the compliance function has sufficient autonomy, stature, and resources to be effective and whether the compliance officer has direct access to the board.

Disciplinary Framework. The audit should evaluate whether the organization maintains and enforces appropriate disciplinary procedures for anti-corruption violations. The disciplinary framework should be applied consistently across all levels of the organization, including senior management. The DOJ guidance specifically examines whether disciplinary measures have been applied and whether senior employees have been held to the same standards as junior staff.

Facilitation Payments. The FCPA contains a narrow statutory exception for facilitating or expediting payments made to foreign officials to secure the performance of routine governmental actions such as processing permits, visas, or customs clearances. However, this exception is narrowly construed, does not exist under the UK Bribery Act or most other international anti-corruption laws, and has been the subject of increasing regulatory scrutiny. Many multinational organizations have eliminated the facilitation payment exception from their policies entirely. The audit should evaluate the organization's policy on facilitation payments, determine whether any such payments are being made, and if so, assess whether they fall within the narrow statutory exception. If the organization maintains a general ledger account or cost center for facilitation payments, the audit should examine all transactions recorded to that account, evaluate whether the payments genuinely qualify for the exception, and assess whether the accounting treatment accurately reflects the nature of the transactions. The existence of a dedicated facilitation payment account should itself be evaluated as a potential control weakness, because it may normalize a category of payment that carries significant legal and reputational risk.

Legal And Commercial Risk Identification

The audit program should include procedures designed to identify legal and commercial arrangements that create elevated FCPA risk, often through transactions and relationships that are not flagged by routine financial controls.

International Business Arrangements. Working with legal advisors and business managers, the audit team should identify international business agreements where corruption risk may be elevated. This includes contracts that were not competitively bid or awarded through non-transparent processes, ongoing governmental disputes or tax controversies that may create incentives for improper payments to resolve them, commercial litigation in foreign courts where the organization may be vulnerable to extortion or solicitation, and any arrangement where the commercial rationale for the terms or the selection of the counterparty is not clearly documented.

Government Touchpoints. The audit should map the organization's interactions with foreign government officials across all business functions, including sales, permitting, customs, tax, regulatory compliance, and litigation. Each touchpoint represents a potential corruption exposure, and the audit should evaluate whether adequate controls exist at each point of interaction.

Commercial Cycle Testing

The commercial cycle presents significant FCPA exposure because it encompasses the transactions through which corrupt payments are most commonly disguised.

Transactions With Government-Related Counterparties. The audit should identify and examine transactions with customers, suppliers, and distributors that are government-owned or government-controlled entities, or that involve individuals who are foreign government officials as defined under the FCPA. This definition extends beyond traditional government employees to include employees of state-owned enterprises, public international organizations, and political parties, as well as candidates for political office. The audit should also scrutinize one-off or unusual payments within otherwise recurring commercial relationships, as irregular transactions may indicate concealed improper payments.

Pricing Anomalies And Invoice Adjustments. The audit should review discounts, rebates, refunds, promotional incentive programs, and other invoice adjustments for evidence of payments that lack a legitimate commercial justification. Unusual pricing patterns, particularly when applied to government-related customers or in high-corruption-risk jurisdictions, may indicate that value is being transferred as a disguised bribe.

Agent And Distributor Audits. The organization should conduct periodic compliance audits of its key agents and distributors, particularly those operating in high-risk jurisdictions or those whose compensation structure includes success-based fees, commissions, or other variable arrangements. These audits should evaluate the agent's compliance with the organization's anti-corruption policies, verify the legitimacy and delivery of services for which the agent has been compensated, and assess whether the agent has sub-contracted or delegated responsibilities to additional intermediaries without the organization's knowledge or approval.

Commission And Finder's Fee Analysis. The audit should analyze all commission, finder's fee, and referral fee payments to determine whether the amounts are reasonable and proportionate to the services provided, whether the payment terms are consistent with industry norms, and whether the recipients have been subject to appropriate due diligence. Commissions that exceed industry benchmarks, that are paid to entities in jurisdictions unrelated to the underlying transaction, or that are structured as success fees tied to the award of a government contract warrant heightened scrutiny.

Government Contract Review. The audit should examine all contracts with government entities or government-controlled counterparties, evaluating the procurement process, the pricing terms, the performance of contractual obligations, and the involvement of any intermediaries in securing the contract.

Contract Compliance Review. The audit should review standard provisions in commercial agreements, distribution contracts, and renewals to confirm that they contain the anti-corruption representations, warranties, audit rights, and termination clauses required by the organization's policies and the FCPA compliance program.

Credit Terms And Pricing Review. The audit should evaluate whether favorable or abnormal credit terms, extended payment periods, or below-market pricing have been extended to any counterparties without documented commercial justification. These arrangements may represent the transfer of value to a corrupt counterparty or their associates.

Customs, Duties, And Logistics. The audit should identify unusual duties, taxes, or charges, including excessive processing, shipping, or logistics fees. These cost categories are frequently used to disguise improper payments, particularly in jurisdictions where customs clearance involves direct interaction with government officials.

Services And Professional Fees Testing

Professional service engagements provide one of the most common mechanisms for disguising corrupt payments, because the intangible nature of services makes it difficult to verify delivery and value.

Consultant And Intermediary Scrutiny. The audit should examine payments to consultants, sales representatives, agents, attorneys, lobbyists, marketing firms, and other professional service providers. For each engagement, the audit should verify that the intermediary is fulfilling a legitimate and documented business need, that a written rationale for the engagement exists and was approved before the services commenced, and that the intermediary's qualifications, resources, and track record are consistent with the services billed. Engagements where the services are described in vague or unspecified terms, where deliverables cannot be identified or confirmed, or where the intermediary was recommended by a foreign government official are significant red flags.

Third-Party Due Diligence Verification. The audit should verify that pre-engagement due diligence was completed for all third-party intermediaries before the relationship was established. Due diligence should include verification of beneficial ownership, sanctions and watchlist screening, review of the intermediary's reputation and business history, and assessment of whether the intermediary has any relationships with government officials that could create a conflict of interest. The DOJ and SEC Resource Guide identifies due diligence on third-party partners as one of the most critical components of an effective FCPA compliance program.

Commission And Bonus Reasonableness. The audit should confirm that commissions, bonuses, and success fees paid to intermediaries fall within expected and reasonable ranges for the type of service, the jurisdiction, and the industry. Compensation that significantly exceeds market norms warrants investigation into whether the excess is being passed through to government officials.

FCPA-Sensitive Account Auditing. The audit should specifically examine transactions recorded to accounts that are commonly associated with FCPA risk, including gifts, hospitality, entertainment, travel, rebates, refunds, commissions, charitable and political donations, professional fees, event sponsorships, credit card charges and advances, and logistics and shipping expenses. These account categories should be tested through both targeted sampling based on risk indicators and data analytics that identify outliers, unusual patterns, and transactions that match known corruption typologies.

Keyword And Text Mining. Where the organization's ERP and financial systems permit, the audit should deploy automated queries to search transaction descriptions, invoice text, and supporting documentation for keywords associated with corruption risk. These searches should be conducted in multiple languages relevant to the organization's operating jurisdictions and should include terms associated with improper payments such as commission, fee, discount, charitable, bonus, expedite, facilitation, and similar terms in the applicable local languages. The search terms should be periodically updated to reflect emerging corruption typologies and the specific terminology observed in recent enforcement actions.

Treasury And Cash Management Testing

Treasury operations require specific FCPA audit attention because they involve the movement of funds and the potential for payments to be routed through structures designed to obscure their ultimate destination.

Unusual Payment Identification. The audit should flag unusual payments or financial arrangements for investigation, including payments to consultants or service providers routed through offshore entities or holding companies, payments directed to jurisdictions where the organization does not conduct business, payments to newly established entities with no operating history, and payments involving multiple intermediary accounts before reaching the stated beneficiary.

Cash And Bank Transaction Review. The audit should review cash payments and bank transactions, with particular attention to transactions involving rounded values, payments structured to fall below approval or reporting thresholds, and payments that lack adequate supporting documentation. In SAP and other ERP environments, automated exception reports can be configured to identify these patterns systematically.
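The keyword search described under Keyword And Text Mining and the exception-report tests described here (rounded values, amounts just below approval thresholds, split payments to the same payee) can run as one screening pass over exported ledger lines. The following Python is an added example, not code from the article or its author; the approval threshold, the near-threshold band, the Spanish and French keyword equivalents, and the ledger lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date
import re
import unicodedata

# Assumed parameters and keyword lists, constructed for this example (not from the article).
APPROVAL_THRESHOLD = 10_000.0   # single-approver limit
NEAR_BAND = 0.10                # flag amounts within 10% below the limit
ROUND_UNIT = 1_000              # "rounded" means whole thousands
SPLIT_WINDOW_DAYS = 30          # window for aggregating split payments
RISK_KEYWORDS = {"commission", "fee", "discount", "charitable", "bonus", "expedite",
                 "facilitation", "comision", "honorarios", "agilizar", "frais"}
SENSITIVE_ACCOUNTS = {"gifts", "hospitality", "commissions", "professional_fees", "donations"}


def screen_entry(entry):
    """Flags for one ledger line: accent-stripped multilingual keywords, value shape, account."""
    reasons = []
    text = unicodedata.normalize("NFKD", entry["description"]).encode("ascii", "ignore")
    if hits := sorted(set(re.findall(r"[a-z]+", text.decode().lower())) & RISK_KEYWORDS):
        reasons.append("keyword:" + ",".join(hits))
    amount = entry["amount"]
    if amount >= ROUND_UNIT and amount % ROUND_UNIT == 0:
        reasons.append("rounded_value")
    if APPROVAL_THRESHOLD * (1 - NEAR_BAND) <= amount < APPROVAL_THRESHOLD:
        reasons.append("just_below_threshold")
    if entry["account"] in SENSITIVE_ACCOUNTS:
        reasons.append("sensitive_account")
    return reasons


def split_payment_vendors(entries):
    """Vendors whose sub-threshold payments inside the window add up past the limit."""
    by_vendor = defaultdict(list)
    for e in (x for x in entries if x["amount"] < APPROVAL_THRESHOLD):
        by_vendor[e["vendor"]].append(e)
    flagged = set()
    for vendor, items in by_vendor.items():
        items.sort(key=lambda e: e["date"])
        for i, first in enumerate(items):
            window = [e for e in items[i:]
                      if (e["date"] - first["date"]).days <= SPLIT_WINDOW_DAYS]
            if len(window) > 1 and sum(e["amount"] for e in window) >= APPROVAL_THRESHOLD:
                flagged.add(vendor)
    return flagged


def exception_report(entries):
    """Map entry id -> reasons for every entry that raised at least one flag."""
    splitters = split_payment_vendors(entries)
    report = {}
    for e in entries:
        reasons = screen_entry(e)
        if e["vendor"] in splitters and e["amount"] < APPROVAL_THRESHOLD:
            reasons.append("split_payment")
        if reasons:
            report[e["id"]] = reasons
    return report


FIELDS = ("id", "vendor", "date", "amount", "account", "description")
SAMPLE_LEDGER = [dict(zip(FIELDS, row)) for row in [   # constructed sample lines, not real data
    ("1001", "Consultora Andina", date(2024, 3, 2), 9_600.0, "professional_fees",
     "Comisión por agilizar trámite aduanero"),
    ("1002", "Consultora Andina", date(2024, 3, 19), 9_400.0, "professional_fees",
     "Servicios de asesoría"),
    ("1003", "Office Supplies Ltd", date(2024, 3, 5), 412.37, "office_expenses", "Toner and paper"),
    ("1004", "Global Events SA", date(2024, 3, 11), 20_000.0, "hospitality",
     "Event sponsorship, ministry delegation"),
]]
```

Each flagged line carries every reason it triggered, so the reviewer can pull the supporting documentation for the strongest combinations first (here, the two payments to the same consultant that individually sit under the approval limit but jointly exceed it).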

Charitable And Political Contributions. The audit should monitor all charitable donations and political contributions to determine whether they were properly authorized, whether the recipient organization has been subject to due diligence, and whether there is any connection between the contribution and a pending or anticipated government decision affecting the organization. Charitable contributions have been used in FCPA enforcement cases as a mechanism for channeling value to government officials through entities they control or are affiliated with.

Expense Report Review. The audit should examine employee expense reports, with targeted review of high-risk expense categories including meals, entertainment, travel, and gifts involving foreign government officials. The audit should verify that expense reports are submitted through the accounts payable process with appropriate approvals and supporting documentation, that expenses involving government officials comply with the organization's gifts, hospitality, and entertainment policy, and that no expenses have been reimbursed outside the normal expense reporting process through direct invoice payment or other alternative channels.

Risk Mapping And Corruption Risk Assessment

The audit program should be informed by a corruption risk assessment that evaluates the organization's exposure across multiple dimensions.

Country Risk. The organization should assess FCPA risk by jurisdiction, incorporating objective indicators such as the Transparency International Corruption Perceptions Index, the World Bank Worldwide Governance Indicators, and country-specific enforcement history. However, as discussed in the earlier post on detecting illegal payments, country risk is only one dimension of a comprehensive corruption risk assessment and should not be used as the sole determinant of audit scope.

Industry And Product Risk. Certain industries carry elevated corruption risk due to the nature of their interaction with government authorities and the structure of their commercial relationships. These include oil and gas, energy, infrastructure and construction, defense and aerospace, telecommunications, medical devices and pharmaceuticals, and any industry operating in heavily regulated markets where government approvals, permits, or procurement decisions are required. The audit scope should reflect the specific risk profile of the organization's industry and product portfolio.

Third-Party And Channel Risk. The organization should assess the corruption risk associated with its sales channels and intermediary relationships, with particular attention to joint ventures and collaborative arrangements with government-related entities, sales channels that require the use of third-party agents or distributors to interact with government officials, transactions where intermediaries are involved in both pre-sale and post-sale activities, and relationships with intermediaries who were recommended or required by government counterparties.

Transaction And Regulatory Interaction Risk. Transactions that involve direct interaction with foreign regulators, including permitting, licensing, inspection, customs clearance, and tax administration, present inherent FCPA risk that the audit program should address through targeted testing procedures.

Mergers, Acquisitions, And Structural Changes

The DOJ and SEC have consistently emphasized that pre-acquisition FCPA due diligence and post-acquisition integration of the target's compliance program are critical components of an effective anti-corruption compliance framework. The audit program should include procedures to evaluate whether FCPA due diligence was conducted before the organization completed any acquisition, investment, or joint venture involving international operations, and whether the target's compliance program has been integrated into the acquiring organization's standards within a reasonable period following the transaction.

Several significant FCPA enforcement actions have involved conduct at acquired companies that was not identified during due diligence or not remediated during post-acquisition integration. The audit should assess whether the organization's M&A due diligence process includes anti-corruption risk assessment, third-party review, and books and records evaluation as standard components.

From Testing To Program Improvement

FCPA audit procedures are not an end in themselves. They are the mechanism through which the organization validates the effectiveness of its anti-corruption controls and generates the information needed to improve the compliance program continuously. Every finding from the audit program should be evaluated for its implications for the organization's corruption risk assessment, its policies and procedures, its training content, its third-party due diligence requirements, and its monitoring and detection capabilities.

The DOJ Evaluation of Corporate Compliance Programs explicitly examines whether the organization has a process for incorporating lessons learned from its testing, investigations, and enforcement developments into its compliance program. An audit program that identifies weaknesses but does not drive remediation and program evolution provides limited value and may actually increase the organization's regulatory exposure by creating documented evidence of known deficiencies that were not addressed.

The organizations that derive the greatest value from FCPA testing are those that treat it not as a periodic compliance obligation but as a continuous source of intelligence about the effectiveness of their anti-corruption controls and the adequacy of their risk assessment. This orientation transforms the audit function from a retrospective assurance exercise into a forward-looking component of the organization's anti-corruption governance.
