Combatting Corruption Through Compliance: Part 3: Internal Controls, Training, and Audit

July 06, 2020
By: Scott Nance, Principal, Langley Compliance Consulting LLC*

Detecting and preventing corruption should be an integral part of any organization’s efforts in the battle against financial and economic crime.

Though we often think of corruption involving public officials, corruption also occurs at the commercial level. An effective anti-corruption compliance program should always seek to address both varieties of corruption. As with other areas of financial and economic crime, preventing corruption within an organization requires an effective and robust internal compliance system.

Like OFAC’s “Framework for Compliance Commitments,” the OECD handbook, the Department of Justice’s Guide to the FCPA, and the UN Practitioner’s Guide all identify the following as elements of an effective anti-corruption program:

  1. Commitment by Top Management;
  2. Risk Assessment;
  3. A System of Internal Controls;
  4. Periodic Testing and Audit; and
  5. Training

In this series on combatting corruption, each of the above components will be discussed and analyzed to provide tips on how your organization can best build an effective compliance system and ensure compliance with global anti-corruption laws.

In Part Three, we will explore the final three components: Internal Controls, Testing and Audit, as well as Training.

Internal Controls

The chief purpose of a risk assessment is to enable the organization to formulate and apply mitigating measures. Among others, these take the form of internal controls: requirements regarding how various processes and procedures must be performed. To determine what internal controls are necessary, the organization must map the risks it has identified onto its business processes, so that it can see precisely where and how a given risk might arise. It can then establish controls to prevent, or at least reduce, the risk.

Common Types of Corruption

While corruption risks can take a variety of forms, certain forms of corruption occur again and again. In devising your organization’s corruption compliance system, it may be useful to take these various forms of corruption into consideration.

Common forms of corrupt behavior include:

  • Bribery. Payments to public officials, either directly or through a third party, to use their powers for the benefit of the person paying the bribe. Bribes may take the form of direct cash payments, or they may be disguised as sales at prices that are too high or too low, political or charitable contributions, or sponsorship of an event or an organization.
  • Kickbacks. The secret return to a payor of part of the sum paid, usually in connection with the sale of goods or services.
  • Facilitation payments. Payments, typically but not always relatively small, to persuade a government official to perform their legal duty, such as clearing a shipment through customs.
  • Gifts, entertainment, and travel expenses. All of these expenses may be legitimate, or they may also be used illicitly to convince a government official or business partner to engage in favorable conduct.
  • Conflict of interest. A situation where one party to a transaction has competing interests, usually between their official position and their personal benefit.
  • Revolving doors and patronage. Promising a public official, or one of their relatives or clients, a position in return for the official taking favorable action.
  • Other types of behavior. Includes collusion (bid rigging, cartels, price fixing), illegal information brokering, insider trading, and tax evasion.

The types of corruption risks an organization faces will vary by the business activity involved. Sales, for example, may encounter risks of bribery and excessive gifts and travel expenses. The function responsible for obtaining licenses, which is often a major issue in large energy or mining projects, for example, may also expose the organization to a risk of bribery. Procurement, on the other hand, is more likely to represent a risk of kickbacks.

Common Internal Control Measures

While the precise internal controls necessary to mitigate these risks will vary according to the organization’s business and structure, certain general types of internal controls are common to most anti-corruption compliance systems. Incidentally, the same controls are often part of an anti-money laundering compliance system. These internal controls include:

  • General and specific policies. An organization may have a general policy that it will not engage in any type of corruption, or that it will abide by all applicable laws. Specific organization-wide policies can supplement this, such as policies regarding political or charitable contributions or facilitation payments.
  • Screening and due diligence. Screening involves matching the names of potential business partners against a list, such as OFAC’s Specially Designated Nationals List. In addition to screening against a list, an organization might also want to:
    • identify public officials and politically exposed persons (PEPs);
    • identify whether a company is state-owned, as such business partners represent a special risk of corruption;
    • check whether a party has been subject to adverse media coverage;
    • screen the names of customers’ business partners, and also undertake additional due diligence regarding each partner to assess, for example, their reputation and whether they are connected to public officials; and
    • screen outgoing and incoming payments, to identify either totals or per-unit prices that appear unrealistic.
  • Review and approval. While the extent to which different business functions can make decisions will vary according to a number of factors, it may be wise to subject certain types of transactions to a special review and approval process. This could include all contracts with state-owned entities over a certain value, as well as payments to third parties for “consulting services” that could serve as a vehicle for distributing bribes.
  • Post-transaction review. The periodic review of transactions after they occur may also uncover instances of corruption where pre-approval was not possible. This may be relevant, for example, to travel expenses, to ensure that they satisfy corporate policies and limits. Post-transaction review is also another opportunity to confirm that prices were within acceptable limits, as well as to determine whether the goods or services involved were appropriate for the buyer. Of course, regular financial review and audit can play a key role in this process.
  • Reporting and document retention. Policies should require reporting of any attempts by business partners to solicit bribes or kickbacks. The reporting procedure should include a way for members of the organization to report potential corruption with a guarantee of absolute anonymity. Reporting should also require periodic reports on the overall operation and performance of the anti-corruption system, including key performance indicators, to upper management. The procedures should also set forth strict rules regarding document retention, including storage of e-mails and records of telephone conversations.

All internal controls should be fully documented. Within the written policies and procedures, it is helpful to link the measure to specific types of risks identified in the risk assessment. The internal controls should also include a discussion of residual risks, i.e., risks that are being accepted without the imposition of internal controls, with an explanation of why the level of residual risk is deemed acceptable.

Structure and Organization

As well as the controls themselves, an organization will need a structure to formulate, implement, and operate those controls. This need not be an internal organization devoted solely to anti-corruption. In fact, it is likely that most or all of these controls will be operated within existing business units or functions. However, it is a good idea to have one person who is formally responsible for the organization’s anti-corruption efforts as a whole. It is also advisable to have a “competence center” for corruption within the organization, someone with expertise who can answer questions and give guidance. Finally, of course, the organization must commit adequate resources to the anti-corruption system to enable it to perform its functions effectively.

Testing and Audit

A key component of an effective anti-corruption compliance system is review and audit. The organization should test the operation of the system on an ongoing basis. This review should be performed by a function other than the one responsible for the specific procedure; the compliance or internal audit functions are commonly tasked with this. Review should occur both on a scheduled basis and in response to individual incidents.

In addition to more-or-less ongoing review, the system should be subject to periodic formal audit. Audit in this sense refers to a review of the operation of the entire system. Audits may be performed by the internal audit function, or by an outside body. Typically audits occur every year or two. The results of the audit should set forth the auditors’ conclusions, including an identification of specific defects. The system of internal controls should in turn include a procedure for assessing the results of reviews and audits and making changes to existing policies and procedures to reflect those results. The procedures for review and audit should be set forth in detail as part of the overall system of internal controls.


Training

Even the best system of internal controls is inadequate without proper training. The level and types of training regarding corruption will necessarily depend on such factors as the organization’s size and sophistication, as well as the relevant risk factors.

Training will generally fall into two overall categories:

  1. Training about what corruption is and how to avoid it, and
  2. Training on the organization’s specific policies and procedures.

If the risks of corruption are significant, an organization should consider providing training on-line to all employees about what corruption is, and what the organization is doing to prevent it. Persons with specific anti-corruption responsibilities should receive specialized training that shows them what the relevant procedures are and how they operate.

Training may vary by function within the organization. Sales, for example, could receive different training from procurement or legal, with a focus on the types of corruption sales personnel are most likely to encounter. Training may also vary by location, with training focusing on the individual laws and relevant corruption risks within a given country. As noted in the first article, senior management should receive training directed specifically towards them.

As with all types of training, the organization should retain copies of training materials, as well as records of when training was offered and who took it. Depending on the risk profile, it may be necessary to renew training periodically.

Lastly, the organization should regularly update its training materials to reflect its own experiences, as well as any changes to the applicable laws and other significant developments.

* Scott Nance is the Principal of Langley Compliance Consulting LLC, based in Washington, D.C., and the former Global Head of Sanctions Compliance for ING in Amsterdam. Scott is a member of the ACSS Editorial Task Force and the ACSS Certification Task Force.
