The Role of Internal Audit in Your Anti-Corruption Program

14 Jun

Several others have tackled this subject.  Some of their points I agree with, and those points inform this post.  Some I disagree with, and I’ll address those as I go along.

To my mind, the truly correct answer to the question of the proper role of your Internal Audit function in your anti-corruption compliance program lies with the deeper question of what are the capabilities of your IA function?  In my experience, IA is good at some things, but not good at others.  And the most dangerous person is the one who doesn’t know his own limitations.  Also in my experience, IA not only is really bad at certain things, but they don’t know that they’re bad.

The other piece to the puzzle—and one to always, always keep in mind—is the audience that IA plays to.  IA’s reports go to at least the CEO, General Counsel, CFO, senior business leaders, and let’s not forget, the Audit Committee of the Board of Directors.  That’s a huge bullhorn they’ve got.  Which is fine when they’re playing to their strengths.  But when they’re out of their wheelhouse, reading their reports is an exercise in controlling your cringing.

What, in my opinion, are the strengths of IA?  There are two, in my experience.  First is testing compliance with policy through sampling.  Second is conducting financial-records investigations.  IA is, inherently, a check-the-box function.  I’m not saying it’s not necessary, or that check-the-box isn’t sufficient to what they do.  It is and it is.  When IA is doing their job, they go into a market, pull, say, 20 transactions, and ask for proof that those transactions comply with the policy that is the subject of the audit.

So, let’s posit that there’s a policy that requires that business units find out 10 things about a third party before hiring them, and that the contract with that third party contain 4 FCPA-specific contract terms.  IA will go in, scope the audit at a certain number of third parties, and examine that number to see if the 10 things are there, and if the 4 contract terms are there.  Then they report out on the results.

If that’s where IA stopped, I’d be a huge fan.  But they don’t, and, admittedly, I’m not.  In my experience, IA goes beyond the role I described.  They tend to get into discussions—either in the report itself or in the “action items” that come out of the report—of whether the policy itself is sufficient.

No, no, no, no, no, no, and no.

They might, might, be able to opine on whether asking the business to collect 10 things and include 4 provisions is realistic.  If a significant number of third party files fail to comply with the policy, that might be a reasonable conclusion for IA to draw.  But what I see too often is IA telling the business that they’re asking for the wrong 10 things, or that the 4 provisions are the wrong ones to include.  In other words, criticizing the policy itself, not just determining whether the business is following the policy as written.

In my opinion, IA has no business telling their audience that policies are bad.  Here’s where my first point comes in, however.  If IA has experts with greater knowledge than I do about anti-corruption compliance, then opine away.  Tell me I’ve set up the wrong program.  Most likely, however, I’ve trained the IA people on anti-corruption, and they don’t know more.

This isn’t just anti-corruption, by the way.  I’ve seen IA talk about the sufficiency of anti-money laundering controls, sanctions controls, and privacy controls.

I don’t mind getting into a dialogue about what controls are right, and what controls aren’t worth the effort, but it’s not up to IA to tell me that I need 15 items of due diligence and 7 contract provisions.  It’s even worse when they start suggesting which ones to include.  It wouldn’t be so bad if I controlled the content of the final report.  But I don’t.  Neither do you.  That’s in the bailiwick of the General Auditor.  And now we come back to the audience that IA plays to.  Because as soon as the report is issued, you either have to have a damn good justification for ignoring IA plus be willing to spend some political capital you desperately need for other things, or you end up going along to get along.  Which means that your SME isn’t setting the priorities any more.  How many of you think that’s a good plan?

Similarly, it isn’t IA’s job to tell me that I need a technology control in place versus a manual one.  IA isn’t the arbiter of best practices.  I find myself often thinking to myself—and sometimes saying out loud—that IA should mind their own damn business until they hire some experts.

I always want feedback on whether my processes are working in the field.  That’s a crucial function, and one which IA does very, very well.  I also don’t mind people challenging my decisions (I mind it even less if it’s before the decision is made.)  If I can’t justify exactly why I’m doing something, it frankly needs to be rethought anyway.  But ultimately, if it’s anti-corruption, and I’m the anti-corruption compliance expert, then it should be my decision, and I should set the priorities.  There shouldn’t be a function with direct access to the Board and senior leadership muddying up the message.

If IA stays within their boundaries, they play a crucial part in testing the effective implementation of your program.  If they don’t, they do more harm than good.

Do you have similar experiences?



2 Responses to “The Role of Internal Audit in Your Anti-Corruption Program”

  1. Stephen Clayton June 14, 2011 at 2:07 pm #

    I have found IA to be an essential ally in the in-house anti-corruption effort. The key is to bring them into the process, let them explain to you what they do and how they do it, explain to them what you do and what you need and discuss how you think they could do it, and train them so they know why they are looking for the data you need. As you point out, they can be essential for testing aspects of the company’s anti-corruption program. The relationship should be an alliance, not adversarial.

    My advice is to go out of your way to make IA part of the anti-corruption compliance team. IA is out in the field and is well placed to observe Red Flags and report back to you. Train them, especially on the types of schemes you have seen and the red flags in your industry. Talk with them frequently so they understand what you are doing and why and so you understand the range of issues they handle. After you have trained them in depth, discuss matters they handled in the past 5 years that now strike them as presenting FCPA red flags – if you dare.

    In their job IA is going to be looking at many other areas such as revenue recognition, tax payments, export controls, which frequently feature manipulated books and records and can be Red Flags of FCPA issues. Work with the IA team so they understand the connections and so they notify you every time they find evidence of falsified corporate records. Get their input and have the discussions on how much is enough in advance, so you do not have the potential problems you discuss in this post.

    • Howard@OpenAir June 14, 2011 at 6:45 pm #

      I spoke on a webinar today about how to break through roadblocks between Legal and IT. One of my main points was to try to see things through their worldview.

      I know I should take my own advice, and that you’re right, I should try to make a friend out of IA. They do have their uses: I was the first one to admit that.

      And I completely agree that IA needs to be trained. But a little training is a lot dangerous. They’re going to assume a level of expertise that they just don’t have. Or maybe we should do it differently. Maybe IA programs should hire subject-matter experts. It makes sense, and it would help with the mission. But until they do, I’d be afraid my training would come back to haunt me.

      They are, as I said, also good at financial investigations. That’s in their strike zone.

      You’re right, you’re right, I know you’re right. I just have a hard time with it.
