Institute of Internal Auditors - Audit and Internal Controls Survey - March 2010


Upload: the-russia-monitor

Post on 10-Apr-2015


Page 1: Institute of Internal Auditors - Audit and Internal Controls Survey - March 2010

1 GAIN – The IIA’s Premier Benchmarking Program Copyright © 2010 The Institute of Internal Auditors

The U.S. Foreign Corrupt Practices Act: Current internal audit and compliance practices

Type: Executive Summary Report

Date: 3/22/2010

Number of Responses Analyzed: 129

Total number of invitations: 1802 (7.2% response rate)

1: Does your organization perform business transactions outside the United States? (Respondents could only choose a single response)

Response Chart Frequency Count

Yes 63.6% 82

No 36.4% 47

Valid Responses 129

Total Responses 129

2: How does your organization approach compliance with the FCPA? (Respondents could only choose a single response)

Response Chart Frequency Count

We have a robust, formal program including policies, procedures, monitoring, and training 46.3% 38

We have an informal program including some of the elements noted above, but no plans to move to a formal program 18.3% 15

We have an informal program and are planning on, or in the process of, implementing a more formal program 24.4% 20

We do not have a companywide program for FCPA compliance; please explain why not (below): 11.0% 9

Valid Responses 82

Total Responses 82

2-1: Why does your organization not have a companywide program for FCPA compliance?

Response

We are a Canadian company.

Does not apply as we are a German company.

FCPA is covered in our Code of Conduct and discussed occasionally. We are planning a more formal approach.

We have minimal international presence; provide services not financial transactions.

No foreign locations; transactions with entities outside the U.S. are highly structured when they do occur.

Our activity is only outside the U.S.; non-U.S. company.

Senior management has never seen it as a priority.

Very limited exposure.

We never thought about it.

Responses 9

3: Please state what you believe to be the top three organizational practices to ensure compliance with the FCPA as stated in your organization’s policies and procedures:

Response Count

Employee, vendor, and stakeholder awareness activities and training (e.g., annual training on FCPA compliance, mandatory training, communication of policy, direct communication from the legal department, code of conduct training) 57

Implementation of internal processes and controls to ensure compliance in addition to the organization’s code of conduct or ethics (e.g., the department, officer, employee, or agent acting on behalf of the company are responsible for maintaining accurate, detailed records of foreign transactions for three years; segregation of duties; properly recording facilitation payments in books and records; procedures’ documentation, implementation of an FCPA policy; implementation of a conflict of interest policy; legal policy, approval processes and cash controls; due diligence processes, discouraging and/or requiring legal oversight for higher risk disbursements to government officials and related parties; contractual safeguards, due diligence on any government interaction activity; ensuring authority for foreign expenditures resides with the business unit leader after a review by the legal department; increased oversight and approvals required before entering into business relationships with foreign government officials and related parties; legal division's continuous interaction with business development function) 40

Compliance audits and monitoring (e.g., testing of controls; scrutiny of gifts and payments; reviews of books and records to ensure no issues appear to have occurred; quarterly certifications attesting to compliance; periodic/ongoing reviews of established protocols; independent monitoring on internal controls; follow-up monitoring and internal audit verification; including FCPA audit steps in every foreign audit; audit reviews of vendor master records and disbursements at foreign offices; performing audits on antitrust and corruption activities and insider trading, monitoring of disbursements by foreign subsidiaries, monitoring via surveys) 37

Implementation of and annual certification of compliance with business conduct policies (e.g., third-party certification of compliance employee and third-party compliance certification with the organization’s code of conduct or ethics policies and procedures) 33

Implementing formal guidelines pertaining to the use of third-party (e.g., written agreements with business partners; third-party certification of compliance; proper due diligence when hiring agents and other third parties; using sales intermediaries such as distributors, having formal agent and distributor guidelines, implementing contractual safeguards and payment and documentation requirements when contracting with third parties who have interactions with foreign government officials; ensuring FCPA compliance is part of all contractual agreements, such as drafting FCPA compliance wording in select contracts with suppliers and/or independent contractors; no facilitation or grease payments without approval by the compliance function) 12

Tone at the Top and management involvement/support (e.g., oversight, executive-level emphasis on compliance) 11

Implementing a confidential reporting mechanism for compliance breaches 6

Stating and enforcing clear penalties under the organization’s code of conduct for not complying with the FCPA policy 4

Audits of accounts payable activities 2

Performing a risk assessment that detects areas of compliance concerns (e.g., risk definition) 2

Performing a background check on key players 1

Use of IT controls (e.g., use of an automated system to run data through) 1

Dealing exclusively with publicly traded foreign companies 1

Ensuring a fair market value for fees and services 1

Implementing an FCPA oversight body (e.g., FCPA steering committee) 1

Translation of policies into all languages the company operates in 1

Organization incentives 1

Not applicable 1

4: Over the past three years, has the level of attention that the organization pays to FCPA: (Respondents could only choose a single response)

Response Chart Frequency Count

Increased, see 4-1 for reason(s): 70.7% 58

Decreased, see 4-2 for reason(s): 2.4% 2

Stayed the same 26.8% 22

Valid Responses 82

Total Responses 82

4-1: For what reasons has the level of attention that the organization pays to FCPA increased?

Response Count

The organization’s international/global growth, existing international operations, or plans to expand in a foreign or high-risk market has led to an increased focus in FCPA compliance (e.g., Asian acquisition, business activities are expanding in new countries; more operations in companies with a high corruption index) 20

Increased regulatory attention and enforcement (e.g., increased Department of Justice/SEC attention has led to heightened FCPA focus) 12

Previous incidents have led to a heightened focus on FCPA compliance (e.g., recent and fairly recent federal research contractor requirements, FCPA violation identified in Latin America operation, a previous agreement may have overlooked the related risks) 6

Increased media coverage (e.g., increased news coverage for offenders) 4

Overall increased attention to policies and training on FCPA 4

Compliance with the FCPA is mandatory due to the organization’s operations 3

Due to a heightened awareness of the requirements by management, the board, or audit committee 2

FCPA is now a compliance concern as the organization is publicly traded 2

The economic slowdown has led to heightened focus on FCPA compliance. 2

To mitigate risks identified in the risk assessment 1

Put an automated system into place 1

We started with zero attention 1

4-2: For what reasons has the level of attention that the organization pays to FCPA decreased?

Response

Lack of time and prioritization by management

Not applicable

Responses 2

5: Board-level responsibility for FCPA is executed: (Choose all that apply) (Respondents were allowed to choose multiple responses)

Response Chart Frequency Count

By the full board 26.8% 22

By the audit committee 59.8% 49

By another board-level committee 7.3% 6

Through receiving regular reports on the state of the FCPA program and results 20.7% 17

Through receiving reports of any alleged FCPA violations 26.8% 22

Through internal audit reports on FCPA 26.8% 22

Through receiving reports only of identified FCPA violations 18.3% 15

Other, explained below: 9.8% 8

Valid Responses 82

Total Responses 82

5-1: How else is board-level responsibility for FCPA executed?

Response

Audits and law reports on subject

Code of Conduct

Not at all

Not reported (2 responses)

Not yet that formalized

Presentation to the audit committee of controls and monitoring

Reporting of known issues

Responses 10

6: What role does the internal audit activity have in investigating alleged violations of the FCPA? (Respondents could only choose a single response)

Response Chart Frequency Count

Internal auditing is primarily responsible for conducting or managing FCPA investigations 24.4% 20

Another area of the company is primarily responsible for investigations; internal auditing participates with that area in investigations or providing support as needed or requested 45.1% 37

Another area of the company is primarily responsible for investigations; internal auditing does not actively participate in the investigations 2.4% 2

Third parties are hired by internal auditing to conduct the investigations 2.4% 2

Third parties are hired by the area responsible for FCPA to conduct investigations 6.1% 5

Other, specify below: 19.5% 16

Valid Responses 82

Total Responses 82

6-1: If not listed above, what role does the internal audit activity have in investigating alleged violations of the FCPA?

Response

Audit or outside audit (language reasons)/law or outside counsel

Audit's involvement is determined by documented protocol for all investigations

CAE leads FCPA steering committee for the audit committee

Combination of internal auditing and third parties hired by internal auditing

Communicating policy

Compliance to Canadian criminal code infraction, not FCPA

Internal auditing audits FCPA compliance; the fraud investigations group performs any investigations.

Issues are investigated by the legal function.

No instances to investigate (6 responses)

Planning on formalizing activities among internal auditing, in-house general counsel, and president on all international operations.

Third parties hired by audit committee to conduct FCPA investigations.

Would be decided on a case by case basis

Responses 17

7: Compared to 2008 and 2009, have FCPA internal audit efforts increased, decreased, or stayed the same in your organization for 2010? (Respondents could only choose a single response)

Response Chart Frequency Count

Increased 45.1% 37

Decreased 2.4% 2

Stayed the same 46.3% 38

Don’t know 6.1% 5

Valid Responses 82

Total Responses 82

7a: Please indicate the percentage by which FCPA internal audit efforts have increased since 2008:

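Period | Measure | 1% to 10% | 11% to 25% | 26% to 50% | 51% to 75% | 76% to 100% | More than 100% | Total
From 2008 to 2009 | Count | 14 | 3 | 1 | 3 | 4 | 1 | 26
From 2008 to 2009 | % by Row | 53.8% | 11.5% | 3.8% | 11.5% | 15.4% | 3.8% | 100.0%
From 2009 to 2010 | Count | 13 | 12 | 0 | 5 | 1 | 3 | 34
From 2009 to 2010 | % by Row | 38.2% | 35.3% | 0.0% | 14.7% | 2.9% | 8.8% | 100.0%
Total | Count | 27 | 15 | 1 | 8 | 5 | 4 | 60
Total | % by Row | 45.0% | 25.0% | 1.7% | 13.3% | 8.3% | 6.7% | 100.0%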

7b: Please indicate the percentage by which FCPA internal audit efforts have decreased since 2008:

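Period | Measure | 1% to 10% | 11% to 25% | 26% to 50% | 51% to 75% | 76% to 100% | Total
From 2008 to 2009 | Count | 1 | 1 | 0 | 0 | 0 | 2
From 2008 to 2009 | % by Row | 50.0% | 50.0% | 0.0% | 0.0% | 0.0% | 100.0%
From 2009 to 2010 | Count | 1 | 1 | 0 | 0 | 0 | 2
From 2009 to 2010 | % by Row | 50.0% | 50.0% | 0.0% | 0.0% | 0.0% | 100.0%
Total | Count | 2 | 2 | 0 | 0 | 0 | 4
Total | % by Row | 50.0% | 50.0% | 0.0% | 0.0% | 0.0% | 100.0%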

8: As part of its planning process, does the internal audit activity complete a risk assessment that identifies risks pertaining to FCPA compliance? (Respondents could only choose a single response)

Response Chart Frequency Count

Yes, please explain how FCPA compliance risks are identified (see 8-1): 74.4% 61

No, explained below in 8-2: 25.6% 21

Valid Responses 82

Total Responses 82

8-1: Please explain how FCPA compliance risks are identified:

Response Count

By performing a risk assessment that includes FCPA risks (e.g., during the annual audit plan risk assessment or by assessing risks for each relevant process, assessing risk of fraud) 15

Corruption perception index from Transparency International (e.g., company locations are rated based on the corruption perception index) 11

Based on the business unit, process, or activity (e.g., based on the business unit to be audited or business activities associated with agents, reviewing travel activity) 10

Based on geographical location (e.g., of the organization or the activity or process being audited, high-risk country) 10

Based on discussions with senior or executive management (e.g., country risk is evaluated through discussions with management, risk interviews with leaders of finance team and business unit leaders directing global activities) 9

Based on previous experience (e.g., past FCPA issues, previous allegations, prior knowledge of FCPA issues) 6

Based on questionnaire/checklist responses (e.g., agent questionnaire responses) 4

Compliance testing and monitoring (e.g., entity-level internal control testing, compliance reviews of business conduct policy, monitoring of contracts and payments, compliance with policies) 3

Based on the audit type (e.g., FCPA compliance risks are discussed with internal audit stakeholders during the audit’s planning phase; have FCPA scope incorporated into an audit in the event there is an area with exposure to FCPA risk) 2

Data mining and interview 2

Financial statement analysis (e.g., reviewing finance general ledgers) 2

Pre-audit planning activities (e.g., research) 2

Working with legal, compliance, and/or international business units 2

List of potential transactions that could result in FCPA issues 1

Country transparency rating 1

CSA approach 1

Discussions with buyers 1

Overall discussions/interviews on FCPA topics 1

By using an external risk list 1

Based on the level of interaction with government officials 1

Process mapping 1

8-2: Please explain why the internal audit activity does not complete a risk assessment that identifies risks pertaining to FCPA compliance as part of its planning process.

Response

Not specifically (2 responses)

1-man shop; no time

Does not apply to German company

Done outside of normal planning process with legal department

Hard to evaluate; inferences are indirect.

Never considered it.

Ongoing program vs. annual risk assessment

Only communicate policy

Probably will, don't know yet.

Risk is considered minimal.

The risk is perceived to be inherent in certain locations of operation. No other specific risk indicator has been identified.

There is a risk assessment, but no specific consideration of FCPA during that process. There will be for 2011.

Responses 13

9: Does your internal audit activity perform audits surrounding FCPA compliance? (Respondents could only choose a single response)

Response Chart Frequency Count

Yes 61.0% 50

No, explained below: 39.0% 32

Valid Responses 82

Total Responses 82

9-1: Please explain why your internal audit activity does not perform audits surrounding FCPA compliance:

Response

No audits are focused solely on FCPA. Specific audits, however, may contain scope including FCPA if that is a significant risk for the area being audited or for international review. (9 responses)

Has not made it to the high-risk category (3 responses)

Planned for 2011 (3 responses)

1-man shop; no time

Does not apply to German company

Never thought about it

Not formal

Only communicate policy

Only reviews, awareness training, and investigations of potential incidents

Our company's program is not robust, therefore there is little to audit.

Very small component of business, leverage compliance office reviews

We don’t

Responses 24

9a: Please select the response that best describes your internal audit activity’s FCPA compliance efforts: (Choose all that apply) (Respondents were allowed to choose multiple responses)

Response Chart Frequency Count

FCPA audits are incorporated into other internal audits of operating units or processes 70.0% 35

Operating units or processes are subject to regular, separate audits for FCPA compliance 32.0% 16

Operating units or processes are audited for FCPA compliance if there is some indication of FCPA compliance problems 28.0% 14

An enterprise wide audit of the FCPA program is executed 26.0% 13

A continuous monitoring program is conducted to assess FCPA compliance 14.0% 7

Other, explained below: 4.0% 2

Valid Responses 50

Total Responses 50

9a: If not listed above, how does your internal audit activity comply with the FCPA?

Response

N/A

Quarterly questionnaires

Responses 2

10: Please select from the following list the steps necessary to achieve the success of FCPA internal audit programs: (Choose all that apply) (Respondents were allowed to choose multiple responses)

Response Chart Frequency Count

There is joint coordination between the internal audit activity and legal department on matters pertaining to FCPA compliance and testing 76.8% 63

We use dedicated and properly trained internal auditors to focus on FCPA compliance and audits; please specify the number of internal auditors dedicated to FCPA compliance: (none of the 5 respondents specified how many) 6.1% 5

We perform regular, stand-alone FCPA assessments that are solely focused on foreign transactions 22.0% 18

We perform FCPA-specific risk assessments for proactive location and scope selection 31.7% 26

We use third-party expertise to supplement resources, knowledge, and tools 29.3% 24

We use data analytic tools to identify high risk transactions 29.3% 24

We execute the documented approach and methodology under the company’s overarching FCPA policy 30.5% 25

Other, specified below: 15.9% 13

Valid Responses 82

Total Responses 82

10-1: Please select from the following list the steps necessary to achieve the success of FCPA internal audit programs:

Response

We do not have FCPA audit programs (4 responses)

Agree with all but will not happen until such work is performed

Audit preparation is 6-8 weeks; onsite execution is 3 weeks

FCPA may be scoped into individual audits on a case-by-case basis depending on assessment of the FCPA risk in the area being audited.

FCPA testing is performed as part of the operational and financial audits.

Policies, training, etc. are monitored for compliance, including of FCPA.

We build FCPA audit procedures into process audits, for example expense report audits.

We closely review the A/P ledger and look into finder's fee and other transactions that could disguise a bribe.

Responses 11

11: Please select which of the following elements are part of the internal audit activity’s FCPA compliance responsibilities: (Choose all that apply) (Respondents were allowed to choose multiple responses)

Response Chart Frequency Count

Conducting broad FCPA risk assessments that identify potential high-risk areas based on analysis 47.6% 39

Assessing management’s FCPA knowledge and compliance activities 43.9% 36

Testing policies and procedures for awareness and effectiveness 74.4% 61

Accumulating electronic data and conducting interviews 37.8% 31

Applying automated controls and proactive data anomaly detection tools 13.4% 11

Selecting samples of high-risk transactions for further analysis 54.9% 45

Testing transactions to determine whether FCPA controls are working as intended 52.4% 43

Reporting findings to compliance officers, audit committees, and legal counsel 68.3% 56

Driving policy and procedural change using identified risks and gaps 37.8% 31

Training foreign employees 23.2% 19

Obtaining or reviewing annual employee compliance declarations 39.0% 32

Testing employees for FCPA policies and requirements 25.6% 21

Sharing with employees lessons learned from prior FCPA matters 23.2% 19

Other, explained below: 4.9% 4

Valid Responses 82

Total Responses 82

11-1: What other elements are part of the internal audit activity’s FCPA compliance responsibilities?

Response

Internal auditing works closely with the compliance director for anti-corruption matters in all aspects of the compliance program for anti-corruption.

No FCPA audit programs are in place.

Reviewing at international locations the knowledge and training of individuals.

Will be decided when the time comes.

Responses 4

12: Which risk factors are considered during the risk assessment process? (Choose all that apply) (Respondents were allowed to choose multiple responses)

Response Chart Frequency Count

The history of FCPA violations in the industry and company 54.9% 45

The company’s geographic location and its corruption rating from Transparency International 67.1% 55

The country’s anti-corruption enforcement level and ongoing investigations or schemes 36.6% 30

Business unit susceptibility to FCPA violations related to the use of third parties 64.6% 53

Employee, vendor, and agent knowledge and awareness of FCPA rules from efforts such as training, surveys, and certification 51.2% 42

Findings from previous transactions tests, audits, surveys, and hotlines 56.1% 46

Previous internal control deficiencies and vulnerabilities 59.8% 49

Recent business unit changes in management or business composition 47.6% 39

Compensation standards for employees and executives 14.6% 12

International business unit revenues 25.6% 21

The dollar amount and percentage of government business activities 37.8% 31

The number and dollar amount of accounts payable transactions 18.3% 15

Payments to third parties including sales agents and commercial agents 54.9% 45

Payments for professional services 42.7% 35

Discretionary, noninventory spending 20.7% 17

Growth rates 12.2% 10

Budget to actual variances 18.3% 15

The nature of time and expense reporting 19.5% 16

Other, specified below: 7.3% 6

Valid Responses 82

Total Responses 82

12-1: What other risk factors are considered during the risk assessment process?

Response

We do not perform FCPA risk assessments (4 responses)

Commissions paid

Contributions, marketing expense, and accounts payable

Responses 6

13: Which testing procedures are used to confirm whether controls and processes over illegal payments are working as intended? (Choose all that apply) (Respondents were allowed to choose multiple responses)

Response Chart Frequency Count

Selected general ledger accounts 52.4% 43

Accounts payable data for high-risk transactions 63.4% 52

Accounts receivable data for US $0 invoices or credits to customers 24.4% 20

Anti-bribery provisions in agreements with agents 50.0% 41

Activities and payments related to sales to government customers 45.1% 37

Purchases from partially or wholly government-owned entities 32.9% 27

Payments to government entities for goods, services, and other regulatory matters such as fines, penalties, licenses, and permits 59.8% 49

Employee expense reports 72.0% 59

Bank statement reconciliations and details 36.6% 30

Petty cash activities 43.9% 36

Other, specified below: 7.3% 6

Valid Responses 82

Total Responses 82

13-1: What other testing procedures are used to confirm whether controls and processes over illegal payments are working as intended?

Response

Have never done an audit for FCPA violations or have an audit FCPA program (3 responses)

To be determined when applicable.

Quarterly questionnaires

Logs of gifts given on behalf of the company to government officials

Valid Responses 6

DEMOGRAPHICS

14: What is the size of your internal audit activity (calculated in total full-time equivalents)? (Respondents could only choose a single response)

Response Chart Frequency Count

1–2 14.0% 18

3–6 39.5% 51

7–15 30.2% 39

16–20 4.7% 6

21–30 3.9% 5

More than 30 7.8% 10

Valid Responses 129

Total Responses 129

15: Select the annual revenue range that best fits your organization: (Respondents could only choose a single response)

Response Chart Frequency Count

Less than USD 10 million 2.3% 3

USD 10 million to less than USD 50 million 1.6% 2

USD 50 million to less than USD 100 million 1.6% 2

USD 100 million to less than USD 500 million 20.2% 26

USD 500 million to less than USD 1 billion 24.8% 32

USD 1 billion to less than USD 10 billion 41.1% 53

USD 10 billion or more 8.5% 11

Valid Responses 129

Total Responses 129

16: What best describes your title or is equivalent to your current position or role within your organization? (Respondents could only choose a single response)

Response Chart Frequency Count

Chief audit executive (CAE) 75.8% 97

Internal audit director or direct report to CAE 11.7% 15

Manager or supervisor 8.6% 11

Internal audit professional with 3 or more years of internal audit experience 2.3% 3

Internal audit professional with less than 3 years of internal audit experience 0.0% 0

Other, specified below: 1.6% 2

Not Answered 1

Valid Responses 128

Total Responses 129

16-1: If not listed above, what best describes your title or is equivalent to your current position or role within your organization?

Response

director erm

Responses 1

17: Which category best describes your organization's primary industry? (Respondents could only choose a single response)

Response Chart Frequency Count

Aerospace and defense 0.8% 1

Agriculture / forestry / fisheries 0.0% 0

Communication / telecommunication services 1.6% 2

Construction / engineering / architecture 1.6% 2

Consulting services 0.0% 0

Consumer packaged goods 0.8% 1

Distribution 0.0% 0

Educational services 5.6% 7

Energy / oil and gas 2.4% 3

Financial services / banking / real estate 10.4% 13

Gaming / lotteries 0.0% 0

Health services 6.4% 8

Hospitality / entertainment / restaurant 3.2% 4

Insurance carriers / agents 9.6% 12

Local government 1.6% 2

National / federal government 0.0% 0

Manufacturing 26.4% 33

Mining 0.8% 1

Nonprofit sector 1.6% 2

Pharmaceuticals 4.0% 5

Public accounting / accounting services 0.8% 1

State / provincial government 3.2% 4

Technology 4.8% 6

Transportation 1.6% 2

Utilities 4.0% 5

Wholesale / retail 5.6% 7

Other 3.2% 4

Not Answered 4

Valid Responses 125

Total Responses 129

18: Is your organization listed in the: (Respondents could only choose a single response)

Response Chart Frequency Count

Fortune 100 3.7% 4

Fortune 250 3.7% 4

Fortune 500 8.3% 9

Fortune 1000 22.2% 24

Global 2000 2.8% 3

Other 59.3% 64

Not Answered 21

Valid Responses 108

Total Responses 129

19: In approximately how many countries does your organization do business outside of your own? (Respondents could only choose a single response)

Response Chart Frequency Count

1–10 47.0% 47

11–20 23.0% 23

21–30 9.0% 9

More than 30 21.0% 21

Not Answered 29

Valid Responses 100

Total Responses 129