FCPAméricas Blog
Answers from Internal Audit on FCPA Compliance
6.06.2012
FCPAméricas recently asked the question: how does Internal Audit do it all at a time when FCPA practitioners keep asking it for more? Top executives at Compliance Week’s 2012 Annual Conference offered some helpful answers.
Communication. In the audit world, relationships are key. Internal Audit teams that prioritize communication with other parts of the business more effectively manage their many responsibilities, including FCPA work. For example, one major technology company established a formal structure designed to facilitate communication whereby leaders from Internal Audit, Compliance, Legal, and business groups meet quarterly and collaborate on issues. When Compliance knows that an FCPA compliance audit will soon be necessary, it will proactively bring it to Internal Audit’s attention early on. If Internal Audit has previously reviewed a business sector or third party currently under review by Legal, it will share that information up front so that Legal’s work can be more targeted.
Similarly, at a major manufacturing company, the senior internal auditor shapes the audit plan to meet FCPA needs by scheduling regular meetings with the Chair of the Audit Committee and educating that person on the FCPA. In this way, the goals of Internal Audit are better aligned with the goals of the Audit Committee.
Refined Risk-Based Approach. To elevate FCPA matters, some Internal Audit departments take a risk-based approach to prioritizing their work. This involves recognizing subtle challenges at play. One auditor said, “risk means different things to different people.” To elevate FCPA risks, he must first understand them, so he goes to great lengths to work with Legal. Before finalizing the audit plan, he also reviews the Enterprise Risk Management plan to ensure that the two plans are generally aligned. When communicating the audit plan to the Audit Committee, he is careful not to completely exclude any one company function, even though its associated risks might be minimal. This is because, even in a risk-based approach, no Board member wants to completely ignore any one area.
Quick Hits. Some expressed the view that, before tackling FCPA matters in some companies, especially those for which an internal audit department is new, Internal Audit must first build credibility. One way to do this is by making “quick hits.” By focusing first on basics like petty cash and travel and entertainment expenses, and showing that it can increase efficiencies and generate savings, Internal Audit gradually builds support within the organization. Eventually it will gain the clout necessary to address higher value areas, like hotline tips.
None of this is to say that the Internal Audit Department’s job is an easy one. Building consensus between business units is not a simple task. Achieving independence and credibility is a slow process. Add to this the fact that practically every auditor at the conference said that he or she must work within the tightest of budgets and with the smallest of staffs. This appears to be the case, even when Internal Audit is able to show that the resources it is saving for the company exceed its own budget.
But the good thing is that FCPA compliance is on internal auditors’ minds. As it should be.
The FCPAméricas blog is not intended to provide legal advice to its readers. The blog entries and posts include only the thoughts, ideas, and impressions of its authors and contributors, and should be considered general information only about the Americas, anti-corruption laws including the U.S. Foreign Corrupt Practices Act, issues related to anti-corruption compliance, and any other matters addressed. Nothing in this publication should be interpreted to constitute legal advice or services of any kind. Furthermore, information found on this blog should not be used as the basis for decisions or actions that may affect your business; instead, companies and businesspeople should seek legal counsel from qualified lawyers regarding anti-corruption laws or any other legal issue. The Editor and the contributors to this blog shall not be responsible for any losses incurred by a reader or a company as a result of information provided in this publication. For more information, please contact Info@MattesonEllisLaw.com.
The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.
© 2012 Matteson Ellis Law, PLLC
Post authored by Matteson Ellis, FCPAméricas Founder & Editor
Comments
July 2nd, 2012 at 8:41 pm
[…] work with internal audit to design periodic compliance reviews of a program’s effectiveness (see this previous post for a discussion of internal audit’s role in […]