IACC-Logo, back to IACC-Home

Programme Call for Papers Organisers Sponsors

Lima Declaration

Privacy Policy


The Papers

Role of Internal Auditors in the Anti-Corruption

John Flaherty

The Challenge
Bribery, and other illicit payments are contrary to the public good. They thwart the competitive process and circumvent laws, regulations, and procedures put in place for the public good. They divert funds from owners, shareholders, and are usually paid as fees, commissions, or are paid without record. The cost to the public totals millions of dollars annually. The US Government is aware of almost 100 cases in which foreign bribes undercut the ability of US firms to win contracts valued at $45 billion in the 12 months before May 1995.

"Corruption occurs when someone has monopoly power over a good or a service, has the discretion to decide whether or not you receive it and how much you receive, and lacks accountability." (Robert Klitgaard, Controlling Corruption, 1988). The level of corruption in international business transactions continues to be a critical problem. Companies need both the motivation and the governance practices to discontinue these payments. An effective internal audit function is a major weapon in a company's battle against corruption.

Measuring corruption trends is a daunting task but I believe we all can agree that the current level of corruption around the world is totally unacceptable. We are here in Lima because of our concern about corruption and our interest in reducing it. The focus for reduction is shifting from the recipients to the companies paying the bribes. This is the area of corruption where auditors can have the best opportunity of prevention, detection, and prosecution.

One Effective Change - Legislation
Companies will stop paying bribes when the risk to the management or the company itself is greater than the perceived benefit to be gained from the bribe. In many cases, the payment will be a business decision not a moral one. U.S. companies' motivation to pay bribes changed dramatically with the passage of the Foreign Corrupt Practices Act (FCPA) in 1977. The strong criminal sanctions of the FCPA usually prevailed over the perceived benefit from the bribe. A recent study of 18 countries by Professor Johann Lambsdorff and sponsored by Transparency International concludes that U.S. companies are least likely to pay bribes while companies from Belgium, France, and Italy are most likely to pay bribes. The U.S. does not hold the high moral ground here. The obvious conclusion is that strong laws like the FCPA vigorously enforced, will significantly reduce payment of bribes.

The 29 members of The Organisation for Economic Co-operation and Development (OECD) are committed to developing a treaty that would make it illegal for companies from member countries to bribe foreign officials and end the tax deductibility for foreign bribes. The proposed laws would have to be adopted by each member country with laws that criminalize bribery abroad. If and when this happens, and if enforcement is vigorous, then OECD countries will have the same motivation as U.S. companies.

Other international anti-corruption initiatives include:

  • Inter-American Convention against Corruption was signed in 1996, but not yet ratified. It provides for ciminalization of bribery and various domestic reforms.
  • World Trade Organisation agreed in December 1996 to study proposals to increase transparency in government procurement.
  • World Bank tightened guidelines for public procurement contracts. They included provisions for sanctions on borrower countries and companies which engage in corrupt practices.
  • International Chamber of Commerce approved in 1996 a strengthened Code of conduct on illicit payments.

Response of the Organisation to Unacceptable Risk - Motivating Change
Motivation is the first key step but it must be followed by strengthened corporate governance and a change in corporate culture. The FCPA law recognised this by requiring US companies to maintain an adequate system of internal accounting control. A key theme underlying the law was that sound internal control should provide in effective deterrent to illegal payments. Internal auditors play a vital role in monitoring the internal control process.

Ongoing Prevention, Detection, and Remediation
Corporate governance is a vital component of a company's ethical compass. In the U.S. the board of directors establishes the organisation's governance process through written policy statements which define the roles to the board, senior management, internal audit, and others. The role of the board is to oversee senior management's activities and, with the assistance of the internal and external auditors, to secure assurance concerning the state of the organisation's system of internal control. Senior management is responsible for overseeing the establishment, administration, and evaluation of internal controls.

COSO Framework
Internal control is defined as a process - effected by an entity's board of directors, management, and other personnel - designed to provide reasonable assurance regarding the achievement of the following objectives:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
So the board is generally responsible for internal control and specifically responsible for ensuring compliance with laws. How does it do this? It relies on senior management to install an "effective control process" but it also clearly states its own expectations in this area. Effective board members are objective, capable, and inquisitive. Management may be in a position to override controls or stifle communication from subordinates. A strong, active board will be sure it has open lines of communication with the people in the organisation especially the internal and external auditors.

The control environment (corporate culture) set by management and the board regarding corruption must be absolute and clear. Management must convey the message that integrity and ethical values cannot be compromised and employees must receive and understand the message. Management must continually demonstrate, through words and actions, a commitment to high ethical standards. This culture issue is seen is the cornerstone of a well managed and well controlled company in the 1992 Internal Control - Integrated Framework published by the Committee of Sponsoring Organisations (COSO) in the U.S. This is a private sector initiative of five professional financial, auditing, and accounting organisations with a mission to prevent fraudulent financial reporting.

This group has identified five interrelated components for the internal control process. Each off these components is also critical in an critical in an entity's effort to prevent corruption payments. They are:

  1. Control environment - The proper corporate culture (discussed below)
  2. Risk assessment - Identification of business areas transactions at risk for corruption
  3. Control activities - Policies and procedures that help ensure management directives are carried out
  4. Information and communication - Free and open communication throughout organisation
  5. Monitoring - assess the quality of the internal control system over time
Although each of these five components bears directly on preventing corruption, the control environment is the foundation for anti-corruption and all other control objectives COSO recommends the following actions establish the proper control environment:
  • Codes of Conduct and other policies regarding acceptable business practices
  • Establishment of the proper "Tone at the Top" and communication throughout the organisation
  • Appropriateness of remedial action taken in response to violations
  • Management's attitude toward override of controls
  • Avoid pressure to meet unrealistic performance targets
A 1995 survey showed that 70% of top 500 U. S. companies have their own codes and most chief executives think that these help maintain standards. However, the risk of falling standards were growing because of the greater use of contract staff, the career structure has disappeared, and the disproportionate gap between executive and shop-floor remuneration.

The Internal Auditor's Role
Internal auditing is defined as "an independent appraisal function established within an organisation to examine and evaluate its activities as a service to the organisation." The internal auditing process involves identifying the internal auditing universe, assessing business risk, designing and gaining approval of the audit plan and performing individual internal audits. Consequently, the entity's internal auditors should have a key role in the overall internal control process. This role includes the prevention and detection of corrupt actions.

The profession of internal auditing is governed by The Institute of Internal Auditors. This is a world-wide organisation of 60.000 members based in Florida in the USA. It promulgates standards of code of ethics, training and certification program. Professional rule related to the prevention of corruption include:

  • Independence - The auditor must be independent of the activity being audited and of adequate organisational status to be influential
  • Communication - The auditor must freely report the results of his work to management and the board when appropriate
  • Scope of Work - Requires auditors to determine compliance with laws and regulations
  • Code of Ethics - Calls for higher standards of honesty, objectivity and diligence.

In my experience, both the board and management should rely heavily on the internal auditor to prevent corrupt payments. Very often the head of internal audit acts as the conscience of the organisation. When a questionable payment or contract is being considered by an entity, the approval of the internal auditor will be sought beforehand . The internal audit department also often administers the entity's Code of Conduct and will review all exception items reported by employees. Including questionable payments. Of course the internal auditors are also monitoring the internal control system to ensure the appropriate policies and safeguards are in place and being followed.

While the focus of this paper has been on the entity paying, the bribe the receiving party should also be subject to internal audit scrutiny . Understandably, it usually is easier for the receiving entity to conceal the payment but the same level of controls and scrutiny should apply.

In summary, internal auditors should be a key element in an entity's program to prevent corrupt payments. The auditor, must operate within the proper internal control framework created by the board and management in order to be effective. The most important element of that framework is the control environment or corporate culture:

  • Creating an ethical environment that makes bribery unthinkable--An ethical business environment supports global trade preserves the organisation's image, improves employee morale, and reduces fraud
  • Determining the adequate of records that surfaces payments that are illegal
  • Training managers to be vigilant
  • Reviewing and evaluating the system of internal controls by internal and external auditors
  • Disseminating prompt remedies when a deviation occurs.

return to table of contents