Introduction

Accounting, auditing and financial controls may seem somewhat marginal to the main task of fighting bribery and other forms of corruption. This is not the case, for three reasons:

  • All acts of bribery trigger movements of cash or other assets, so physical and accounting controls over such transactions are key to their detection and, preferably, prevention.
  • Proof of bribery is often extremely problematical, and a record of the transaction in the accounting and financial records is often the only hard evidence that can be produced in court.
  • Inaccurate recording of transactions in accounting systems may itself be a violation of laws and regulations of some countries and can lead to improper treatment for tax purposes, potentially causing civil or criminal exposures for companies and personnel involved.

Rules prescribing the accurate and complete recording of all transactions, and the internal and external checks in place to help achieve this, therefore, go to the core of the fight against bribery and other forms of corruption.

[Page79:]

The need for integrity in corporate accounting systems has been highlighted by recent investigations into allegations of large scale bribery involving a number of companies from major exporting companies. More than 2000 companies were also implicated in the UN Oil-for-Food Programme bribery scandal. Since 2002, in the wake of the Enron and WorldCom accounting frauds, reforms have been enacted in a number of countries affecting stock exchange listing requirements, corporate governance, and oversight of the accounting profession and the conduct of other professionals. These include the Sarbanes-Oxley Act in the United States and J-SOX.

Change is also being driven from within corporations. Senior executives and those charged with governance are increasingly treating bribery and corruption as common business risks in an era of globalization, which need to be managed to protect the reputation and value of their companies. They are deploying techniques such as Enterprise Risk Management (ERM), Governance, Risk and Compliance (GRC) or Fraud Risk Management (FRM) to bring more sophisticated processes to this issue. They are founding their anti-bribery and anti-corruption approaches on a careful analysis of their company’s specific risks, based on the nature of their business, location of operations and the reputation of their business partners on ethical issues. And increasingly they are basing their policies and the related implementation efforts on the standards provided by ICC Rules of Conduct or on the TI Business Principles for Countering Bribery or the Partnering Against Corruption Initiative (PACI) Principles of the World Economic Forum, themselves derived from the TI Principles.

Greater clarity in corporate structures and in the related recording of transactions in the books can enhance a company’s credibility in capital markets, strengthen its reputation and better protect against corrupt managers enriching themselves at the expense of employees and shareholders. This is the wider dimension of the matters covered in this chapter.

RELEVANT PROVISIONS OF ICC RULES, THE OECD CONVENTION AND THE UN CONVENTION AGAINST CORRUPTION (UNCAC)

Both ICC Rules and the OECD Convention prohibit the establishment or use of off- the-books accounts to conceal the source and use of funds that are used to pay illegal bribes. They also prohibit the use of false documents and invoices; the making of inadequate, ambiguous, or deceptive bookkeeping entries; and any other accounting procedure, technique or device that would hide or otherwise disguise illegal bribery payments made by or on behalf of a company.

[Page80:]

ICC Rules

Article 4 of ICC Rules, Financial Recording and Auditing, states:

  1. All financial transactions must be properly and fairly recorded in appropriate books of account available for inspection by boards of directors, if applicable, or a corresponding body, as well as auditors.

  1. There must be no ‘off-the-books’ or secret accounts, nor may any documents be issued which do not properly and fairly record the transactions to which they relate.

  1. Enterprises should take all necessary measures to establish independent systems of auditing in order to bring to light any transactions which contravene the present Rules of Conduct. Appropriate corrective action must then be taken.

Off-balance-sheet entities

by Rick Wayman, www.investopedia.com (excerpted)

“The term ‘off-balance-sheet’ can refer to many things. Typically, it refers to separate legal entities (separate companies of which the parent holds less than 100% ownership) or contingent liabilities such as letters of credit or loans to separate legal entities that are guaranteed by the parent …

Bad things happen when economic reality differs significantly from the assumptions that were used to justify the off-balance-sheet entity … Enron exemplifies how ego can be the basis for the misuse of off-balance- sheet items. Here, off-balance-sheet vehicles appear to have been used to pump up financial results rather than for legitimate business purposes. What started as a plan to legitimately use off-balance-sheet vehicles morphed into ways to manufacture earnings as trades went bad.”

The OECD Convention and 1997 Revised Recommendations adopt some of the language of ICC Rules, but are narrower in the sense that they direct sanctions against accounting frauds used to hide bribes to foreign public officials rather than reflecting the broader provisions of ICC Rules, which prohibit these practices for any reason. To more effectively combat the payment of bribes to government officials, the Convention recommends, not only that countries impose sanctions on the commission of illegal acts of bribery (Articles 1 and 3), but also that they impose similar, additional sanctions for the failure of a company to truthfully account for or adequately disclose illegal bribery payments after they have been made.

[Page81:]

Article 8 of the Convention, Accounting, and states:

“In order to combat bribery of foreign public officials effectively, each Party shall take such measures as may be necessary, within the framework of its laws and regulations, regarding the maintenance of books and records, financial statement disclosures, and accounting and auditing standards, to prohibit the establishment of off-the-books accounts, the making of off-the-books or inadequately identified transactions, the recording of non-existent expenditures, the entry of liabilities with incorrect identification of their object, as well as the use of false documents, by companies subject to those laws and regulations, for the purpose of bribing foreign public officials or of hiding such bribery.”

Under Article 8(2) of the OECD Convention, countries are called upon to establish “effective, proportionate and dissuasive civil, administrative or criminal penalties for such omissions and falsifications in respect of the books, records, accounts and financial statements” of companies subject to the country’s laws and regulations governing the maintenance of books and records, financial statement disclosures and accounting and auditing standards. The OECD does not require internal controls to be legislated, but there is a strong recommendation that companies should follow the practice in this area recommended by professional bodies or required under the listing rules of many stock exchanges.

The UN Convention Against Corruption (UNCAC) which came into effect in 2005 lists in Article 12 an almost identical set of provisions regarding the integrity of the books and records of a company as noted above for the OECD Convention. Article 12 additionally calls for the business world to develop appropriate internal controls and audit procedures and to establish codes of conduct.

Corporate responsibilities and practices

The “accounting provisions” of ICC Rules and of the laws and regulations of the countries implementing the OECD Convention reflect sound standards of corporate governance in respect of the duties of accountability to a company’s owners, government agencies and other stakeholders. They require the focused attention of a company’s executives, the members of its audit committees and board of directors (or bodies serving similar functions), as well as its internal and external auditors.

Responsibilities of management and those charged with governance

Management should implement and periodically update written anti-bribery and anti-corruption policies that reflect a commitment to honesty in business transactions and accounting and are therefore consonant with the Convention and the respective anti-bribery laws and regulations of the home and host countries.

[Page82:]

Management should also design, implement and periodically update the managerial and accounting processes and internal controls necessary to implement their anti- bribery and other anti-corruption policies.

Those charged with governance such as boards of directors, audit committees or other governing bodies should exercise oversight over management’s actions in the fight against bribery and corruption, to help ensure that management discharges its responsibilities effectively.

Accounting, auditing and financial controls

Violations of laws, regulations, rules, standards and policies are generally a result of deficiencies in corporate governance. Unless these deficiencies are identified and corrected, compliance breakdowns will occur. What is needed is top-level accountability (“tone at the top”); the adoption and use of a code of conduct and compliance programme, as described in Chapter Five (“The Responsibilities of Enterprises”) in this manual; a clear definition of roles and responsibilities; management’s reporting on effectiveness of internal controls, hiring, training, performance evaluation, compensation and incentive programmes that encourage and support compliance; and monitoring, including monitoring bodies independent of management, such as audit committees. Without all of these, the sustained effectiveness of a company’s anti-bribery and anti-corruption programme is endangered.

Companies can use published internal control frameworks to develop internal control systems to protect against non-compliance with applicable laws and regulations. Such frameworks include, “The Combined Code: Committee on Corporate Governance” (1998, UK); “CoCo: Guidance on Control and Governance” (1995, Canada); and “COSO: Internal Control-Integrated Framework” (1992, US). The internal control system should be customized to the specific individual enterprise and should allow exercise of reasonable judgement in its application.

Companies may also find helpful the guidance paper, “Managing the Business Risk of Fraud: A Practical Guide”, published in 2008, which provides guidance concerning internal control processes for dealing with various types of fraud, including bribery and corruption.1

We shall now discuss the different elements of effective accounting, auditing and financial controls relating to anti-bribery and anti-corruption.

[Page83:]

Risk assessment

To prevent and detect bribery and other forms of corruption, companies should first perform a risk assessment. This identifies what could go wrong, the related likelihood of such an occurrence and the magnitude of the resulting consequences. For example, to evaluate the risks of bribery and corruption in the procurement process, one might analyse the means and methods that might be employed by the engineering department to create specifications that favour specific vendors, how purchasing may unfairly award contracts and how accounting may record bribes. The risk assessment process provides a foundation for designing appropriate internal controls to accomplish the company’s policy objectives to prevent and detect bribery and corruption.

This risk assessment can be performed on a stand-alone basis. However, it is increasingly common for companies to integrate it with a broader assessment of risks the company faces, such as those performed for Enterprise Risk Management (ERM) purposes. Greater detail may be required to address bribery and corruption risks than for some other areas, but integration has several advantages:

  • It can avoid inconsistencies between separate risk assessments and their documentation that could otherwise arise and create legal and regulatory exposures;
  • It can help to ensure the risk assessment is updated regularly, when other risks are re-assessed;
  • It can help to ensure the risk assessment receives appropriate attention from senior management, the board of directors, the audit committee or others charged with governance, when they discuss the key risks identified in an overall risk assessment.

Anti-corruption policy

Accounting and auditing controls are linked to the company’s overall anti- corruption policy. Chapter 5 stresses the importance of developing a clear, concise written statement of the policy. It also reviews how the company should treat gifts and entertainment. The basic question of how to employ and treat agents is discussed in Chapter 4 “The Role of Intermediaries”. Chapter 10 “Political Contributions” gives concrete advice on how contributions to political parties should comply with applicable laws. All of these issues are closely linked to the need to maintain proper accounting and control procedures.

Internal controls over financial reporting

The company’s accounting policy should require that it maintain a system of internal controls and record-keeping so that its books and records accurately reflect its transactions and disposition of assets. The internal control system should be[Page84:]supported by the establishment of a code of corporate conduct and enforced by a compliance programme as outlined in Chapter 5 of this manual. An audit committee composed of independent outside directors should oversee the structure of internal controls, the internal audit function, and the employment of independent auditors.

Accounting policies

The company’s accounting policy should have explicit prohibitions against “off- the-books”, false, or “masking” entries. Off-the-books accounts are typically funded by methods such as cash (versus credit) sales, sales of scrap, kickbacks, payments received on fictitious invoices or sales recorded on a second set of books. Records and documentation for payments/reimbursements should be maintained in accordance with records retention and archiving policy that is consistent with tax and other applicable laws and regulations, e.g., laws against money laundering (see Chapter Nine). All transactions should be fully identified, adequately described and accurately and properly classified in the accounts. In addition, the accounting requirements should provide for an adequate audit trail for the external and internal auditors.

Precise accountability for enforcing these policies and procedures should be established at various levels of the organization (departments, divisions, locations, subsidiaries, corporate, etc.) and should be consistently applied.

Policies for approving expenses

To determine that expenses are legitimate and that they do not get out of hand, company policies on approving expenses should require that:

  • There be independent approval at a higher level than the one at which the expense was incurred;
  • There be limits for gifts, entertainment and business courtesies to and from clients, vendors and government officials (local and foreign);
  • “High risk” expenses/payments, e.g., in ambiguous situations and exceptions, have prior senior-management approval;
  • Above a specified nominal amount, no expenses be approved without complete back-up documentation, e.g., invoices, receipts, and contracts;
  • The department processing the payment/reimbursement, such as the accounting or accounts payable department, verify that proper approval and documentation exists;
  • There be adequate segregation of duties between the authorization, approval and payment/reimbursement processes;
  • There is an account provision in the company’s general ledger to segregate “facilitation payments” and “business courtesy” payments.

[Page85:]

Channels for communication

As described in Chapter 7, companies should provide channels for communications by, and protection for, persons unwilling to violate professional standards or ethics under instructions or pressure from hierarchical superiors. For SEC-registered companies, this is now a legal requirement in relation to the manipulation of financial information.

Training

Management should provide anti-bribery and anti-corruption training to employees and agents upon hiring and refresher courses periodically thereafter. The training should explain the application of the company’s policies to specific situations the employees and agents may encounter. It should note that the policy applies on a worldwide basis, at least to company-controlled entities.

Detection and monitoring

Effective detection and monitoring controls can serve as a strong deterrent for bribery and corruption as well as helping to detect such activities promptly if they occur, reducing their adverse impact on the company. Key aspects of such controls include:

  • Bribery and corruption-focused due diligence prior to making acquisitions and entering into significant arrangements with business partners;
  • Continuous monitoring of transactions in business areas of heightened bribery or corruption risk to identify those meriting additional scrutiny;
  • Data mining in areas where continuous monitoring is not feasible;
  • Focused internal auditing to detect bribery and corruption.

Evaluating internal controls

Management should periodically evaluate the design and operating effectiveness of their internal controls to prevent and detect bribery and corruption, assessing their adequacy in light of the results of the company’s most recent risk assessment. When evaluating internal controls, it is important that an entity adopt a horizontal process view in addition to a vertical functional/organizational view. Since processes link functions to achieve an objective – such as procurement linking engineering, finance, accounting, and purchasing – control gaps can be overlooked when controls are viewed only from a functional (e.g., financial) perspective. Where actual bribe payments are detected, an analysis of internal controls should be part of the internal review process to identify and remedy any weaknesses disclosed.

[Page86:]

Reporting on internal controls and on anti-corruption policies

Companies should follow the OECD’s Recommendation that senior management of the organization make a statement in their annual report to shareholders about their internal control mechanisms, including those that contribute to preventing bribery. Management reporting on the effectiveness of the internal control system helps keep management and others in the company focused on the importance of such control procedures. In addition, such reporting keeps those to whom the company is accountable informed about its internal control activities.

Pressure to state publicly a company’s anti-corruption policies and to report on issues around their implementation and monitoring are currently growing, driven by increased interest in this area of risk by capital market analysts (e.g., the criteria established by FTSE4Good) and by the reporting requirements of such voluntary commitments as the UN Global Compact and the PACI of the World Economic Forum.

Responsibilities of internal auditors

The internal auditors have responsibilities with respect to fighting bribery. Under the professional standards of The Institute of Internal Auditors (IIA), internal auditors must be alert to indicators of fraud, including the payment and acceptance of bribes. Internal auditors also assist in the deterrence of illegal payments through their reviews of controls and investigation of transactions. The existence of an internal audit function fosters a control consciousness. When internal auditors become aware of illegal bribery or fraud, professional standards dictate that they must inform management and/or the competent authorities and follow up on the implementation of appropriate remedial controls. Internal auditors also report to the board and senior management on significant risk exposures and control issues. Internal audit standards require the auditor to encourage the development and adoption of adequate internal controls by evaluating the effectiveness and efficiency of controls and promoting continuous improvements.

Under a proposed new Institute of Internal Auditors’ standard scheduled to be approved in summer 2008, internal auditors would be required to evaluate both the potential for fraud to occur and how the company manages fraud risk. A proposed revision of an existing standard would require internal auditors to consider the probability of fraud when developing the objectives for each audit performed. If these proposed standards are approved as expected, the IIA co-sponsored guidance paper referred to earlier, Managing the Business Risk of Fraud: a Practical Guide, may quickly be widely used by internal auditors in their evaluations.

[Page87:]

Managing the Business Risk of Fraud

Published by the Institute of Internal Auditors (IIA), July 2008 (excerpted)

“Only through diligent and ongoing effort can an organization protect itself against significant acts of fraud.”

Key principles for proactively establishing an environment to effectively manage an organization’s fraud risk include:

Principle 1 As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.

Principle 2 Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.

Principle 3 Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.

Principle 4 Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.

Principle 5 A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.”

Financial reporting and disclosure

Despite management’s best efforts at designing policies, procedures, and controls to prevent illegal payments, such controls are not infallible. If such incidents arise, determinations must be made concerning: (1) the fact of the bribe or other illegal payment; (2) any direct effects that the illegal payment has on financial statement amounts; and/or (3) any resulting actual or contingent liabilities or losses (e.g., penalties assessed or assessable against the company, revocation of a government contract) arising from the illegal payment.

The company must then determine whether or not the laws (including legislation implementing the OECD Convention), governmental regulations, or generally accepted accounting principles of the applicable countries (or the company’s own policies) mandate disclosure of such activities and/or any consequent actual or contingent losses or liabilities. The safest and the most appropriate course are to provide for full disclosure.

[Page88:]

Disclosure is generally required when:

  • The illegal payments themselves have a material and direct effect on the determination or classification of financial statement amounts;
  • The fines and penalties paid or imposed on illegal activities are material;
  • The allegation or determination of illegal payments gives rise to a material contingent liability for fines, penalties and/or legal expenses;
  • The illegal activity exposes the company to the risk of other material contingent liabilities and losses – such as the loss of government contracts or significant business relationships and their associated revenues, losses and liabilities resulting from the enforced discontinuance of operations in another country, or the threat of expropriation of the company’s assets located in that country.

In determining whether an actual or contingent amount is “material”, both the magnitude (individually and in the aggregate) and the nature of the item (e.g., amounts resulting from illegal activities, may have a lower materiality threshold than other amounts) must generally be considered. Materiality may also be influenced, or even dictated, by other considerations such as legal and regulatory requirements of the home country, the requirements established by legislation implementing the OECD Convention and particularly adverse publicity and the effect on corporate reputation and the price of its shares.

If the national accounting standards followed by a company do not meet or exceed International Accounting Standards (IAS), the company should consider the disclosure requirements of the IAS as well. The accounting standards followed should include a requirement to address disclosure in the financial statements of the full range of material contingent liabilities, as described above.

False accounting: a slippery slope

From “Tackling International Corruption” by John Brademas and Fritz Heimann in the September/October 1998 issue of Foreign Affairs.

“A company that decides to bribe must engage in a pattern of deception involving off-the-books transactions and secret bank accounts. The normal control system, including auditors, lawyers, and boards of directors, must be kept in the dark. The absence of accountability will lead to additional abuses. Middlemen and even company employees will pocket money ostensibly intended for government officials. As abuses expand, exposure becomes ever more likely.”

From “Tackling International Corruption” by John Brademas and Fritz Heimann in the September/October 1998 issue of Foreign Affairs.

[Page89:]

Responsibilities of external auditors

Companies should require their auditors to follow auditing standards of high quality, which meet or exceed IAS requirements including ethics standards, particularly in those pertaining to auditor independence. For example, ISA (International Standards on Auditing) 240, 250, 260 and 400 require auditors, among other things, to consider laws and regulations in an audit of financial statements, communicate their findings on a timely basis to management and others charged with governance and understand the accounting and internal control systems.

From the perspective of the external auditor, illegal bribes generally fall into three categories:

1. Inadequately disclosed illegal bribery payments and/or fines and penalties paid or imposed on account of illegal activities that have a material and direct effect on the determination or classification of financial statement amounts (i.e., amounts described in the first bullet point in the preceding section)

For example, if material and non-deductible illegal bribe payments have been improperly recorded on a company’s books as ordinary business expenses, those amounts would not only be mislabelled on the financial statements (i.e., their true identity as an illegal bribe would be concealed), but they would also have a direct effect on the amount of the company’s tax accrual, and hence its net after-tax income (which would be overstated).

The responsibility of a company’s external auditor for detection of misstatements resulting from these types of illegal bribe payments, fines or penalties is generally the same as its responsibility for detecting fraud. Upon detection of such amounts, the auditor generally has the additional responsibility of determining whether these illegal activities might also give rise to material indirect effects that may require additional disclosures.

2. Illegal activities, whether or not properly recorded, which have no direct material effect on the financial statements (or which have material direct effects that have been properly accounted for and disclosed), but which have material indirect effects that have not been adequately identified and disclosed.

For example, material contingent liabilities and losses may arise when an illegal bribe has been illegally offered or promised but was never actually paid. In such cases, unless the activity has been detected by the authorities and subjected to fines and penalties, these bribes would not usually have any direct effect on financial statement amounts.

The external auditor’s responsibility to detect hidden or disguised illegal payments that do not have a material direct effect on the financial statements, or those that have been offered or promised but not paid is, in general, significantly less that it is for detecting illegal payments that have a material direct effect. An external audit will[Page89:]generally not detect the former payments or activities unless the auditors are informed of them by the company’s management, legal counsel or employees, or unless the auditors find evidence of an investigation or an enforcement proceeding in documents reviewed in the normal course of conducting an audit (e.g., directors’ meeting minutes).

Although the indirect financial statement effects of such payments or activities could be material, audits conducted in accordance with the auditing standards of most countries generally do not provide assurance that such payments will be detected or that any resulting contingent liabilities will be identified and disclosed.

However, when auditors are informed by the company, or when, in the course of conducting the audit, they otherwise become aware that the company has engaged in illegal activities, the auditors must identify any contingent liabilities or losses that may result from these illegal activities, then assess the likelihood that such contingencies will ultimately mature into liabilities and losses that could have a material direct effect on the company’s financial statements or on the future conduct of its operations.

3. Illegal activities that do not have a material direct or indirect effect on the determination or classification of financial statement amounts

Except where otherwise provided by a country’s anti-bribery laws or other anti- corruption regulations, a company’s external auditor generally does not have responsibility to detect hidden or disguised illegal activities that do not have either a material direct or a material indirect effect on the financial statements. An external audit will generally not detect these payments or activities unless the auditors are otherwise informed of such payments by the company’s management, legal counsel or employees, or unless they find evidence of an investigation or an enforcement proceeding in documents that are reviewed in the normal course of conducting an audit.

Whether cases of bribery or fraud fall under 1, 2 or 3 above, it is reasonable to expect that in evaluating risks affecting their audit and in assessing the effectiveness of the internal control and compliance systems, auditors will have indicated to management weaknesses which might allow illegal activities to pass undetected. Such warnings can assist in the prevention of bribery and fraud.

Where the auditor becomes aware that an illegal activity, whether or not material in amount, has been paid, offered or promised, the following procedures should be considered:

  • Management involvement: If the audit team discovers that illegal payments were disguised or hidden in the company’s records, it should conduct an investigation to determine whether one or more members of senior management (as opposed to low-level employees or agents) were involved in the payment or in its cover-up. Involvement of senior management has much broader [Page91:]
  • Corrections and adjustments: When the effect of illegal payments on one or more of the company’s account balances (and/or other quantified disclosure data) becomes known, the audit team should propose the appropriate adjustments, and the client should make the entries required to correct its accounting books and records. If the direct effects of all such corrections and adjustments on amounts set forth in the financial statements are material, the auditors should propose, and the client should make, the necessary revisions to them. Note also that disclosure is generally required when a material misstatement is discovered in previously issued financial statements.
  • Other financial statement disclosures: The auditors and the company, usually with the assistance of legal counsel, should identify and attempt to quantify any loss or liability contingencies that might reasonably be expected to result from the company’s illegal payments, offers or promises. The auditors and the company must then evaluate the adequacy of disclosure in the financial statements of the identified loss contingencies and other potential effects of the illegal payments on the company’s prospective operations. Whether the illegal payments or the existence of material loss contingencies must be disclosed in the financial statements will be determined by reference to any applicable laws or governmental regulations of the country involved, or by reference to that country’s generally accepted accounting principles.

In this regard, it should be noted that payment of an illegal activity in violation of management policy may be indicative of a significant deficiency or material weakness in the company’s internal control systems, which itself may constitute a violation of the country’s anti-bribery or other anti-corruption laws and give rise to penalties or sanctions. For example, in the United States under amendments to securities law enacted as part of the Foreign Corrupt Practices Act of 1977, severe penalties may result from a company’s failure to “devise and maintain a [sufficiently reliable] system of internal control … ”. The US Federal Sentencing Guidelines for Organizations provide for a significant reduction in punishments and fines for organizations found guilty of crimes should they have an effective programme to detect and prevent violations of laws and regulations.

  • Effects on auditors’ report: If the auditor concludes that the company’s financial statements are materially affected by illegal payments, the company should revise its financial statements and make any necessary disclosures. If it refuses to do so, the auditor should issue a qualified or adverse opinion, disclosing all of the substantive reasons for doing so. Conversely, if the external auditor is prevented by the client from obtaining sufficient evidence to evaluate whether material illegal payments have been made or how such payments may affect the financial statements, the auditor should ordinarily:
  • Disclaim an opinion because of a scope limitation;
  • Report its findings to the audit committee, board of directors or similar body;[Page92:]
  • Determine whether other actions, such as resignation, may be required to comply with his professional responsibilities or with the country’s laws and regulations.

Communication with the company’s audit committee, board of directors or similar bodies may also be required or advisable when:

  1. The auditor has uncovered evidence indicative of senior management’s involvement in illegal bribery and/or its cover-up;
  2. Management refuses to properly investigate unresolved issues regarding the possible illegal payments and/or the propriety or legality of the accounting procedures used to record such amounts;
  3. Scope limitations are imposed by circumstances beyond the company’s control;
  4. The company refuses to make the revisions to the financial statements and financial statement disclosures which the auditor concludes are required in order to properly account for illegal payments;
  5. The auditors have found illegal payments that have material direct and/or indirect effects on the financial statements and related disclosures. The assessment of the implications that such payments have for the company’s internal control system should also be communicated.

Management and the board of directors typically have the primary responsibility for determining the extent to which illegal payments and/or the failure to properly account for them must be reported to government regulatory agencies or other outside parties. However, when the company fails to adequately meet this obligation, the independent auditor may, in some countries, have a legal or a professional responsibility to report the improprieties to third parties.

Summary of the ICC Recommendations on accounting, auditing and financial controls

The provisions on auditing and accurate record-keeping are among the most important sections of ICC Rules and the OECD Convention. These provisions deal, not only with putting proper financial controls in place, but also with what to do if incidents of bribery nevertheless arise. The results of bribery and other illegal activities can remain masked and pose a threat to a company for an extended period if proper supervision of financial transactions is not implemented. A failure to

[Page94:]

Therefore companies should:

  • Have an accounting policy with explicit prohibitions against off the books or false entries;
  • Establish accountability for enforcing these prohibitions at various levels of the organization;
  • Require that expenses be approved at a higher level than the one at which the expenses were incurred;
  • Adhere to international, national and local laws and regulations regarding disclosure of illegal bribes or other illegal payments;
  • Develop and maintain adequate internal controls, including a code of conduct and compliance programme;
  • Adopt and maintain an internal audit programme;
  • Report on internal controls in their annual report;
  • Consider reporting on the company’s anti-bribery and other anti-corruption policies and their effectiveness in the annual report.

External auditors should:

  • Determine whether illegal practices, such as the paying of bribes, have a material effect on companies’ financial statements;
  • Investigate whether senior management were involved in any hidden illégal payments;
  • When illegal payments are discovered, propose appropriate adjustments to correct a company’s accounts and financial records;
  • Evaluate the adequacy of disclosure in the company’s financial statements;
  • Give a qualified or adverse opinion of the company’s practices if the company fails to respond to suggestions to revise its financial statements or to provide disclosure;
  • In certain countries, report the company’s violations to third parties, such as government regulatory agencies or other outside parties.

Jermyn Brooks was previously a Global Managing Partner of PricewaterhouseCoopers and is currently Director of Private Sector Programmes for Transparency International.

Frank Piantidosi is the Chairman and CEO of Deloitte Financial Advisory Services LLP. The authors have revised and updated the chapter by Mritunjay Singh and David W. LaRue, as updated for the 2003 edition by Jermyn Brooks and Tom Milan.

.

1
Institute of Internal Auditors / American Institute of Certified Public Accountant / Association of Certified Fraud Examiners, Managing the Business Risk of Fraud : a Practical Guide, 2008.