Next week, I have the privilege of moderating a panel about “Running the Modern Audit Function” at Compliance Week’s 2012 Annual Conference [1]. The panelists are an impressive group – senior executives from Starbucks Coffee, Intel, and Hasbro. What would one ask when given such an opportunity?
As an FCPA attorney, I would ask this – how do you do it all? I describe what I mean below. I also ask for your own comments and ideas about this or other questions to consider for the session.
My question is rooted in the fact that the importance of FCPA compliance only continues to grow and, with every development, we seem to expect more and more from internal audit departments. They are asked to develop and perform periodic compliance audits to ensure that programs are effective. This requires a unique knowledge of FCPA requirements, a knowledge that can be distinct from that of Sarbanes-Oxley (SOX) requirements. For example, even non-“material” issues must be addressed in the FCPA context. Thus, internal auditors are required to do things like review backup documentation to understand why certain payments exist no matter the size, make sure that documentation is consistent with relevant invoices and contracts, verify that the services paid for actually took place, and make sure transactions are recorded properly so that books and records accurately reflect the company’s expenses.
In addition, we sometimes ask internal auditors to conduct internal reviews when allegations of wrongdoing arise, including whistleblower tips. Depending on the scenario, they might be best positioned as first-responders. Anyone who has conducted an internal investigation knows that this can be significant and time-consuming work.
We also sometimes put the internal audit department in an oversight role over the Chief Compliance Officer. Having to oversee the work of such an important officer can be daunting.
But doesn’t internal audit already have enough to do? Its responsibilities are extensive, even before FCPA work is included. The obvious ones are handling SOX and financial reporting obligations. But internal audit departments must also ensure that fiduciary safeguards are in place and review how departments handle their money, which can involve everything from payroll to reimbursing expenses to vendors to treasury management. They must conduct operational audits which can involve a whole host of activities, everything from whether certain units are getting rid of their old inventory fast enough to whether the company is achieving its efficiency objectives. They must help manage enterprise-wide risks, like risks of fraud, theft, and other losses, and help ensure related safeguards are in place to secure assets.
Responsibilities do not stop there. Internal audit must make recommendations, must make sure the recommendations are being communicated to the right people, and then must make sure that recommendations are being implemented appropriately.
Gosh. If Internal Audit’s mandate is so broad, then how do FCPA responsibilities fit into the picture? How does something as important as anti-corruption compliance get prioritized when so many other important matters are battling for Internal Audit’s attention? Are the priorities expressed by the Board or Audit Committee sometimes different from those expressed by management? Do these differ from Internal Audit’s own priorities given that it often sits closest to the issues on the ground? Where does the FCPA rank on the scales?
Maybe some Internal Audit departments choose to prioritize these issues based on risk. But don’t these different business areas implicate many different types of risk – legal, reputational, environmental, economic, etc? Are there not limits to Internal Audit’s own ability to evaluate effectively these different risk areas? After all, the FCPA ultimately creates risks that are legal in nature. Should not the legal team get involved to make sure they are handled correctly? Without the participation of legal, how are internal auditors equipped to convey the weight of their findings to the right people that need to know it? If other departments do participate, what intra-organizational communication challenges arise as a result?
This should certainly be an interesting session among many at Compliance Week’s annual conference. What would you want to know?
The FCPAméricas blog is not intended to provide legal advice to its readers. The blog entries and posts include only the thoughts, ideas, and impressions of its authors and contributors, and should be considered general information only about the Americas, anti-corruption laws including the U.S. Foreign Corrupt Practices Act, issues related to anti-corruption compliance, and any other matters addressed. Nothing in this publication should be interpreted to constitute legal advice or services of any kind. Furthermore, information found on this blog should not be used as the basis for decisions or actions that may affect your business; instead, companies and businesspeople should seek legal counsel from qualified lawyers regarding anti-corruption laws or any other legal issue. The Editor and the contributors to this blog shall not be responsible for any losses incurred by a reader or a company as a result of information provided in this publication. For more information, please contact Info@MattesonEllisLaw.com [2].
The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.
© 2012 Matteson Ellis Law, PLLC