Board Matters Quarterly, January 2014
Anti-corruption compliance and big data analytics
In today’s regulatory environment, US companies doing business globally are under greater pressure to improve their anti-bribery and corruption compliance programs to prevent and detect potentially improper payments that expose the company to risk under the Foreign Corrupt Practices Act (FCPA).
Anti-corruption compliance continues to be a top priority for audit committees, boards and senior management at many multinational companies.
It is clear from recent regulatory enforcement actions and settlement agreements that the bar has been raised from the regulators’ perspective. Simply having an anti-corruption compliance program is not sufficient. The keys to compliance are effective governance, controls and monitoring activities, among other components.
Integrating advanced techniques as part of a robust anti-corruption program or investigation enables today’s chief compliance officers, general counsels and chief audit executives to be more proactive in their queries.
Anti-bribery and corruption analytics test of controls incorporate big data concepts that integrate multiple data sources: third-party watch lists; transactional data; text mining; and even social media and email to prioritize and isolate areas of risk or rogue activity.
Integrating these techniques as part of a robust anti-corruption program or investigation enables today’s chief compliance officers, general counsels and chief audit executives to be more proactive in their queries. They can use advanced tools and detection methods to ask more poignant and specific questions of their data in an effort to identify concerns or flush out deeper issues in a more timely way.
Executives can now investigate regions or business units where increased risks are surfacing based on multiple attributes in the data — not just from one source or an isolated test. This focused analysis yields significantly higher-quality results.
At the same time, executives can reduce overall internal audit or compliance field work costs by leveraging these anti-corruption analytics as a component of the company’s risk assessment process to determine which locations to audit, rather than running analytics after the fact.
It will be more common for the audit committee to ask the chief audit executive or chief compliance officer, “What are we doing around FCPA and global corruption?”
New questions, new answers
Internal audit and compliance teams can now utilize big data to identify possible areas of concern by making inquiries such as:
- Show high-risk vendors, with multiple fraud risk indicators in accounts payable
- Match identified vendors to international sanctions databases and adverse media databases
- Show local office employee travel and entertainment expenses
- Search email communications where sensitive words are mentioned
Beyond a simple duplicative payment or currency analysis, overlaying vendor activity across these multiple data sources helps the analyst apply a “risk score” to vast amounts of data in an effort to focus on those that meet multiple risk criteria.
Further, when combined with new innovations in text mining, data visualization and statistical analysis, internal auditors and compliance professionals can better leverage their knowledge of the business and industry to spot irregular patterns or trends.
As anti-corruption compliance continues to gain focus, it will be more common for the audit committee to ask the chief audit executive or chief compliance officer, “What are we doing around FCPA and global corruption?”
An adequate answer might be that the organization has begun a more comprehensive anti-corruption program that is taking into account tangible analytics and reporting metrics to the board that focus on corruption risk areas and targeted tests of transactions that look for potentially improper payments or other illegal acts.
Questions for the audit committee to consider
- Is the company currently conducting business in emerging markets or high-growth economies, particularly China, India, Africa, South America and Eastern European countries? If so, what tactics are being used to oversee anti-corruption compliance in these markets?
- Beyond compliance policies, training and education, what is the internal audit or compliance department doing to test the effectiveness of the controls in place? Does the board receive periodic updates from internal audit or the compliance department on the results of these tests?
- Has management communicated to the board if the monitoring activities conducted are relying on simple rules-based tests derived from traditional internal audit procedures, or do they incorporate multiple data sources, data visualization, text mining and targeted anti-corruption/FCPA-specific tests?