Freeh Group International Solutions

Anti-Bribery and Corruption Compliance: The Role of Transactional Testing in a Proactive Review

Elliott Leary, Jennifer Hammond, and Steven Szaroleta
April 23, 2014

Introduction

Evaluating Anti-Bribery and Corruption (A-B&C) internal controls through the testing of accounting transactions highlights the difference between an adequate anti-corruption program and one that is exceptional. Transactional testing can expose gaps and identify weaknesses in the existing control environment. The process ensures that there is an early-warning system in place and demonstrates that an organization is committed to the highest levels of A-B&C compliance.

The United States Department of Justice (DOJ) and United States Securities and Exchange Commission (SEC) brought a total of 27 Foreign Corrupt Practices Act (FCPA) enforcement actions in 2013 against both corporations and individuals. This is an increase from the 23 enforcement actions brought by the DOJ and SEC in 2012.[1] This trend supports the fact that the United States continues to place a high priority on the enforcement of the U.S. FCPA statute.

As a result of this trend, there has been exhaustive guidance from law firms, accounting firms, consultants, and government entities on how organizations can create an effective compliance program. According to the DOJ and the SEC, the hallmarks of an effective FCPA compliance program include, among other things, commitment from senior management, a clearly articulated policy against corruption, a code of conduct, compliance policies and procedures, ongoing training and advice, as well as continuous improvement in the form of periodic testing and review.[2] When performed proactively, periodic transactional testing and review meets the highest level of expectations by the regulators in every jurisdiction. Specifically, transactional testing that targets corruption is an organization’s best defense against a violation of the FCPA.

According to the DOJ, the FCPA “requires companies whose securities are listed in the United States to meet its accounting provisions. See 15 U.S.C. § 78m. These accounting provisions, which were designed to operate in tandem with the anti-bribery provisions of the FCPA, require corporations covered by the provisions to (a) make and keep books and records that accurately and fairly reflect the transactions of the corporation and (b) devise and maintain an adequate system of internal accounting controls.”[3] Generally, a program designed to comply with the FCPA, and that also bans commercial bribery and facilitating payments, would satisfy the requirements under the U.K. Bribery Act of 2010 (the U.K. Bribery Act) as well as those of other jurisdictions actively working to fight bribery and corruption.

Transactional Testing Defined

When conducting transactional testing of internal controls, the goal is to identify those controls related to A-B&C compliance and to develop a process to test the effectiveness of each control. This will identify gaps where controls are needed and ineffectiveness in the existing controls. The point is not to identify potential violations in the historical data. Conducting a historical review for potential violations would likely require a different and much more extensive set of procedures.

Transactional testing involves the selection and examination of relevant, specific transactions and the associated supporting documentation for those transactions. Ultimately, the testing examines the underlying purpose and relevant available support for the transactions in an effort to ensure that the financial books and records are governed by effective controls.

The Process of Transactional Testing

Performing a Transactional Risk Assessment
In order to select an appropriate sample for effective testing, a transactional-focused risk assessment across the organization is performed. This is a supplement to the organization-wide A-B&C risk assessment undertaken as part of an effective A-B&C compliance program. This transactional risk assessment will help to identify the internal controls, accounts and transactions that are the most relevant to the A-B&C testing. It is typically best for an organization with anti-corruption compliance risks to hire an independent expert (a “reviewer”) who has the skills and experience in conducting transactional risk assessments and testing related to A-B&C compliance. Most organizations will not have this expertise in-house, so working with an outside professional will ensure that the process is effective and efficient.

The purpose of the transactional risk assessment is to identify areas that carry the highest risk for a potential violation of an anti-corruption regulation. The reviewer, in performing a transactional risk assessment, will work hand-in-glove with the organization to understand the business to identify the appropriate corruption risks. For example, the reviewer should set out to identify things such as: in which countries the business has operations; whether or not the business uses third parties and to what extent; the level of due diligence that is performed on third parties including customers, suppliers and contractors; and whether the business has any interactions with foreign government officials, among other factors. At the completion of the transactional risk assessment, the reviewer should possess enough of an understanding of the business operations and internal controls in place to be able to identify the highest-risk areas and accounts for transactional testing.

Identifying Controls for Testing
A thorough understanding of the relevant internal controls in place at an organization is essential to performing effective transactional testing. These controls will be identified through a review of the existing policies and procedures as well as by interviewing organization personnel. The reviewer should obtain from the business all policies and procedures relevant to A-B&C. These policies and procedures will contain some of the details required for the reviewer to make appropriate requests for supporting data related to the transactions. In addition, as part of the assessment, the reviewer can begin to identify weaknesses or gaps in the current internal control structure that could benefit from enhancement.

Interviews
Once the reviewer has an understanding of the policies and procedures and has identified the related internal controls, the next step is for the reviewer to talk to the personnel who work in the system on a daily basis. This is an excellent way for an external reviewer to gain knowledge about the inner workings of the organization’s business and identify potential risks. The employees should range in level from executive to operational, in order to fully understand the processes from all perspectives. Further, the employees should have responsibilities that either directly or indirectly pertain to A-B&C risks. By speaking to a wide spectrum of employees in various roles, the reviewer is able to make better recommendations to the organization at the end of the internal control review and testing process. The reviewer may speak with people from the compliance or the legal department who are responsible for creating and implementing the A-B&C program, the accounting department personnel who work with the books and records and live with the controls on a daily basis, and others, including the internal audit department members who are responsible for reviewing the results of the organization’s activity.

Data Acquisition
One of the most important elements in the review process is the acquisition and filtering of the relevant data set. The sophistication and experience of the information technology (IT) department will determine the ease with which data can be acquired for testing. Even when working with a very savvy IT group, the requests for this type of data may be well outside of the normal inquiry they receive. There may be multiple hurdles to overcome, and it may be appropriate to have an outside forensic technology expert assist in the process.

Depending on the size of the entity and the relative number of transactions identified, the data could be acquired in multiple ways. If a smaller number of transactions is being considered, then a spreadsheet program may be sufficient to meet the objectives of the reviewer. However, if the number of transactions exceeds the limitations of conventional spreadsheet programs, then a tailored database, designed by a forensic technology expert, may be the better option. Once appropriately acquired, the reviewer must next consider filtering the data for high-risk transactions from an A-B&C perspective.

Filtering Data for High-Risk Transactions
In order to be effective and efficient, specific categories of accounts should be identified based on the review of all relevant A-B&C documents provided and the results of the transactional risk assessment and interviews. This will assist with the filtering of data for high-risk transactions. Generally, categories of accounts could include, but are not limited to, government relationships, commissions, sponsorships, donations, gifts and hospitality, facilitating payments, and other areas that appear A-B&C-relevant based on the work performed to date. Once the accounts are selected, then a relevant sample needs to be selected for testing. If the IT department is not able to perform the required filtering, it will become the responsibility of the reviewer to filter the data for high-risk transactions.

Distinguishing between Transactional Data Types
The reviewer will want to request from the organization all relevant transactions that relate to the identified A-B&C account categories. Transactions will generally fall into one of the following data types: invoice data or expense data. Depending on the organization and line of business, the data types could vary and include customer refunds, charitable contributions and any other unusual types of transactions that may be relevant. The reviewer will ensure all relevant transactional data for testing has been requested and received by performing completeness testing on the sample. This can take various forms, including tying the sample out to the general ledger or trial balances to ensure all the relevant transactions have been provided.

The specific risks to be tested will vary based on the structure of the entity and the types of transactions being conducted. For example, in a recent engagement, our risk assessment and interviews confirmed that the transactions of the highest risk occurred in two particular jurisdictions. We concentrated much of our effort in testing the controls relevant to those jurisdictions and the transaction types occurring there. This included employee expense reimbursements, third-party service providers, and any transactions involving cash – areas that are inherently risky. We reviewed supporting documents for a much larger sample of these transactions than we did in low-risk jurisdictions. In some cases, our recommendations pertained to just these high-risk areas; in other cases, the recommendations were relevant across the entire organization.

Findings and Recommendations
The ultimate goal of the internal controls review and transactional testing is to identify those areas with gaps or weaknesses that can be improved. The reviewer should present a report with findings and recommendations to the organization to correct these areas. Another benefit of this process is that the organization also will have an evaluation of the areas that have strong and effective A-B&C controls.

Conclusion

Proactive transactional testing is a very effective way to identify potential weaknesses of an organization’s established A-B&C compliance program and to strengthen the related internal controls. When undertaken on a periodic basis as part of an organization’s ongoing compliance efforts, this process also provides evidence to anyone who should inquire that the entity is doing everything possible to monitor, enhance and strengthen its A-B&C compliance program. While many elements of an effective A-B&C compliance program are necessary, proactive transactional testing in an A-B&C compliance review is one of an organization’s best defenses against an anti-corruption violation.


[1] 2013 FCPA Year in Review; Steptoe & Johnson LLP; February 28, 2014.
[2] A Resource Guide to the U.S. Foreign Corrupt Practices Act; United States Department of Justice and United States Securities and Exchange Commission; November 14, 2012.
[3] http://www.justice.gov/criminal/fraud/fcpa/.