In our last post we discussed developing procedures and controls to prevent foreign bribery (that is, bribery of foreign officials in connection with international business transactions), including the importance of targeting your procedures and controls to the unique risks your company faces when it does business abroad. In spite of best efforts to prevent wrongful conduct, though, mistakes do happen. Some employees may also try to get around preventive controls for their own reasons. Finding out when these controls are circumvented allows a company to take prompt remedial steps.
As with preventing foreign bribery, the best procedures and controls to detect foreign bribery and other forms of corruption target the type, severity and likelihood of the risks your company faces. In general, there are three primary avenues for receiving information about potential wrongdoing at a company: (1) accountants and auditors, (2) local managers, and (3) other personnel. The procedures and controls for detecting non-compliance may overlap to some extent; for example, all company personnel may be required to report suspicious conduct to their manager or to a compliance officer. But there are also differences, based on the types of information each group has access to.
- Accounting and auditing. Accountants and auditors (both internal and independent) understand your company’s business and regularly review your books and records. As such, they can be an invaluable resource for information about whether or not certain accounting entries are consistent with the financial procedures and controls that underpin your anti-corruption program. A good accountant or auditor generally has a “questioning attitude,” coupled with strong professional and ethical standards applicable to his/her work.
  Consider the following procedures and controls that may help management detect potentially wrongful conduct through accountants and auditors:
  - An internal audit plan that involves thorough reviews of accounting entries in higher corruption risk geographies or situations, with treatment of this topic included in the final report – for review by the Audit Committee of the Board and the Chief Compliance Officer, among others
  - An investigation protocol that includes mandatory notice to the General Counsel or Chief Compliance Officer, as the case may be, if there is discovery of an apparent attempt to intentionally avoid an anti-corruption procedure or control, or discovery of a material process weakness
- Local managers. Local managers are often role models for the personnel they supervise. They are also usually in the best position to understand what is happening on the ground in their business unit. Consider the following procedures and controls (separate and apart from periodic anti-corruption program certification) that can help them communicate with headquarters about the issues they face:
  - A working agreement between each local manager and his or her immediate supervisor(s) that includes an obligation for the manager to communicate with the supervisor(s) about any situation the local manager observes or hears about that may bring the company’s integrity and reputation into question
  - A plan for regular training of all managers on how to handle local corruption risks and fulfill their anti-corruption policy obligations
  - Involvement by the local managers in local business groups that offer forums for sharing leading practices on commonly faced issues, such as corruption
- Other personnel. All company personnel should be alert to potentially suspicious conduct in the course of their duties. The following procedures and controls may help:
  - A regular plan for training of all personnel regarding the specific corruption risks they may face in their individual business units and geographies, as well as their obligation to report suspicious conduct
  - Regular certification of adherence to the anti-corruption compliance program
  - A compliance program communications plan that includes tactical advice regarding what might be considered suspicious conduct and what to do if one observes such conduct
  - Procedures for handling communications containing concerns or complaints, so that no individual who raises issues is subject to reprisal or retaliation
  - A whistleblower hotline that allows any person (employees or others) to confidentially report suspected wrongful conduct
A popular misconception is that “no news is good news” – that not receiving reports of wrongdoing means nothing inappropriate is happening. It is quite possible, however, that “no reports” simply means that no one is reporting suspicious or wrongful conduct.
Do not fear receiving these reports, but rather accept and embrace this process. The types of reports your company receives say a lot about your employees’ feelings about the company and their concerns (concerns you can then work to address). Your response says a lot about the company’s culture and its real attitude towards compliance.
In our next post we will discuss response issues and procedures in more detail.