17. Monitoring & Review
Guidance
17.1 Introduction
Managing an anti-bribery programme is a continuous, iterative process. It involves close scrutiny of the design of the programme to ensure that it is meeting its objectives. Effective anti-bribery monitoring will cover all activities within the company and its controlled entities, as well as the activities carried out on its behalf by intermediaries and other third parties. The outcome of such monitoring activities and the reporting thereof to the Board, contribute to the adequacy of a company's overall governance and oversight procedures.
A company operates within a dynamic environment. The business products, service and markets may change; it may make acquisitions or mergers, acquire new employees and business partners. The external environment evolves too with new regulations and laws, societal changes, emerging risks and ever-advancing new technology. Risk assessment and monitoring work together to ensure that the anti-bribery programme remains valid for the key risks facing the company.
Reasons for Monitoring
- Checking controls are working effectively
- Identifying and investigating red flags and mitigating risks
- Acting as a preventive measure
- Detecting bribery
- Driving continuous improvement
- Giving confidence to the senior management and the Board on the effective implementation of the programme
- Providing information for public reporting on the anti-bribery programme
17.2 Assign Responsibilities
Responsibilities for monitoring should be appropriately allocated, for example, it may be appropriate for a manager to direct the overall monitoring programme at both country and business unit level. Responsibility for carrying out monitoring and improvement is commonly assigned to the compliance function which should work with other functions to design and implement the monitoring programme. Compliance should work with the internal audit team, external consultants and independent assurers on testing systems and identifying areas for improvement. Compliance should also draw upon other functions for monitoring including legal, finance, human resources and security. Ultimately, however, the design of the monitoring programme and the allocated resources should be shaped by the company’s risk approach and the results of risk assessments.
The responsibilities and roles of the Board, audit committee and non-executive directors have come under focus following several major corporate scandals and have led to the introduction of new accounting and governance legislation in many countries. The roles of the audit committee and non-executive directors are being evaluated and refocused to provide increased responsibility whilst remaining independent within the governance structure of the company, including risk assessment and reporting.
Responsibility for oversight of monitoring will typically be given to the audit committee but may be assigned to other committees such as ethics, governance or corporate responsibility. The reviewing committee should be made up of non-executive directors that are independent of any influence or conflict of interest. However, the Board provides ultimate oversight.
17.3 Systematic Approach
At first sight, the prospect of monitoring the entirety of a company’s activities which pose a potential anti-bribery risk may seem daunting but it can be manageable through the creation of a clear plan and process for systematic monitoring. It is good practice to:
- Allocate adequate resources, recognising that testing for effectiveness of implementation demands greater resources than evaluating the design of an anti-bribery programme.
- Focus on the highest risk business units, countries or transactions, such as contracting and procurement.
- Spread the demand on resources by a rolling programme across forms of transactional risk, geography and business unit or function.
- Ensure effective and consistent monitoring across the company with methods and results fully documented culminating in reports to senior management.
- Mobilise the contribution of functional departments and business units by self-monitoring and identifying deficiencies and improvements.
- Use technology to carry out automated monitoring, gather and store information, including audit trails, for use in future reviews, and for visualisation of results and generation of reports.
- Automate data analysis and transaction monitoring. This needs to be managed to avoid generating excessive numbers of flagged transactions. For automated data analysis, the company will need to ensure the quality and focus of the data. This means being precise in specifying what is being sought, making sure that the data addresses actual risks. The danger is that large volumes of poor quality and meaningless data will flood the process.
- Check for quality: Ensure the quality of data used is sufficient, carry out spot checks using a statistically valid approach.
- Detect and act: Act systematically and promptly in response to red flags and unusual activity and use 'lessons learned' to drive continuous improvement.
17.4 Monitoring Activities
Keeping in mind the aim of focusing on the highest risks, the questions for the compliance manager to consider are:
- What to look for?
- What should be monitored?
- How should this be done?
- What do we do with the results?
17.4.1 What Should We Look For?
The company should look to test that its systems and controls are working as intended. The compliance manager should carry out necessary checks to ensure that the anti-bribery procedures are being implemented effectively and efficiently across the business; that improvement areas are being accurately identified; and that red flags, unusual activity and violations of the anti-bribery policy are detected.
17.4.2 What Should Be Monitored?
Anti-bribery is an area where detailed project management, technology tools and documentation will assist the company to makes sure it covers the most vulnerable functions adequately. In particular, companies should ensure that it monitors vulnerable functions which will include the following:
- Procurement and contracting
- Sales and marketing, especially to public officials
- Mergers and acquisitions
- Third parties.
- Projects
- Logistics
- Recruitment and Board appointments
- Public or corporate affairs, especially in relation to political engagement
- Sponsorship management
- Community affairs: Charitable donations
- Finance, including accounts payable and assets management
- Facilities management
- Functions engaged in obtaining critical regulatory approvals
In addition, transactions should be regularly and systematically monitored, for example:
- Financial systems and records: Checks should include general ledger account review and samples of transactional records making sure that they are correctly accounted for in the books and supported by adequate documentation.
- Cash disbursements: Checks that the controls for cash payments are being implemented and recorded correctly.
- Payments to high-risk third parties: Checks that the fees or payments to/from third parties are appropriate for the services, that the payments match contracts and are paid through appropriate channels, rather than off-shore accounts.
- Transaction testing: Checks should cover:
- The nature and purpose of transactions
- That adequate supporting documentation exists, including authorisation from management
- Transactions are in accordance with controls, correctly described and recorded
- There is sign-off of acceptance of services or goods in line with the contract
- There are payment approvals and proper recording of the transaction in the company's books and records
17.4.3 How Should This Be Done?
Companies can ensure effective monitoring is taking place by undertaking the following activities:
- Conducting interviews with management, employees, third parties. For an example of good practice, see here.
- Obtaining feedback from training and exit interviews, manager appraisals, employee suggestions, reports on use of whistleblowing channels and hotlines.
- Conducting transactional analysis, which may lead to forensic investigations.
- Conducting internal operational audits: for example, checking whether new employees receive appropriate induction; that training programmes reach all employees; if policies exist and whether they are being followed in practice. Audits should also cover how incidents of bribery are dealt with, and whether appropriate sanctions are applied.
- Ensuring that all stages of high risk processes are checked
- Carrying out spot checks.
- Engaging external companies to provide independent review and assurance of the anti-bribery systems and controls in place.
17.5 Self-Assessment & Benchmarking
Apart from regular monitoring, audits and external reviews, the company can carry out periodic self-assessment and benchmark its programme against best practice in its respective industry. Benchmarking is a method that companies can use to assess the extent to which the company’s approach to anti-corruption meets all the recommended industry best-practice standards.
- Benchmarking allows a company to assess how its anti-bribery programme is positioned against best practice as well as promote inter-company discussion on how to improve. TI-UK has developed a Corporate Anti-Corruption Benchmark to help companies assess their programme.
- Self-assessment can be an informal process where the compliance function takes a fresh look at the anti-bribery programme or it can use a survey tool.
- Collective action and industry groups working on anti-bribery practice can be used for benchmarking. For example, AIM-PROGRESS, a forum of leading Fast Moving Consumer Goods (FMCG) manufacturers and common suppliers working on business integrity.
- Consultants and professional advisers can provide tools and templates for continuous improvement and benchmarking initiatives.
- Codes and guidance publications can be used to check the programme against best practice frameworks such as Transparency International’s Business Principles for Countering Bribery and the Anti-Bribery Certification Standard ISO 37001.
Self-Assessment and benchmarking can help to assess whether:
- The company fosters an environment in which staff are consistently supported to act with integrity and not to engage in corruption.
- The company has comprehensive lists of all third parties on which the business relies.
- The training the company offers is tailored to positions at higher risk of corruption.
- All anti-bribery and corruption training materials are subject to annual reviews and updates if necessary.
- The results of the risk assessment are reported to internal stakeholders, validated and then discussed with the business.
17.6 Independent Voluntary Assurance & Certification
Assurance and certification can form part of the monitoring process. Independent anti-bribery assurance is not currently standard practice but it may well become so in the future. Anti-bribery certification is an established practice and was taken to a new level with the publication in October 2016 of the ISO standard 37001.
When considering assurance or certification, a company may choose to pilot assurance or certification to make sure that any improvement areas or inadequacies are dealt with before going public. Audits can test the design of the anti-bribery programme and may extend to the actual performance of the programme. If a company is operating in many locations and countries, it may decide to narrow the scope of work or phase it over more than one year in order to contain the cost.
Whether using general financial audit assurance, specific anti-bribery assurance or carrying out certification, the external assurors or assessors should have a good knowledge of international and local anti-bribery laws. Ideally, the appointed assurors or assessors would train their audit staff in forensic accounting techniques so that suspicions can be raised where documents may have been falsified or where prices are out of line with market rates. Where the company operates in high-risk industries or countries where corruption is prevalent, consideration of bribery issues should enter into the auditors’ assessment of risk and influence the scope of audit testing. Where suspected cases of bribery are discovered during an audit, top management and/or the audit committee should be notified and the appropriate law enforcement agency informed as necessary.
17.7 Internal and External Audits
Internal and external audits are a useful method in reviewing the efficacy of corporate anti-corruption measures. Focusing specifically on internal audits, allows internal auditors to probe into significant areas of concern highlighted in previous audits. For example, if senior management commitment is an area of concern, an audit can look at whether there was a tailored reminder from senior management about the importance of ethics and integrity. A conclusion around senior management’s commitment to anti-corruption measures can then be derived from investigating this area of concern. External audits may then be used to support internal audits by providing an independent assessment of the anti-bribery and corruption procedures in place within a company.
Companies are increasingly seeking the help of behavioural scientists to aid in these audits. These scientists are tasked with uncovering the link between how the company manages its approach to anti-corruption and the behavioural changes of employees. In taking this approach, companies are able to move away from a standard benchmark towards a critical assessment of the effectiveness of measures as well as a root cause analysis that considers human psychology and goes beyond the scope of the usual auditor’s remit.
17.8 Assurance
Assurance is defined by AccountAbility as: ‘The methods and processes employed by an assurance practitioner to evaluate an organisation's public disclosures about its performance as well as underlying systems, data and processes against suitable criteria and standards in order to increase the results of the assurance process in an assurance statement credibility of public disclosure. Assurance includes the communication of the results of the assurance process in an assurance statement.’
Anti-bribery assurance at present remains largely restricted to that exercised in examining the company’s compliance with laws and requirements to maintain accurate books and records. Few companies verify their anti-bribery programme. This is in part due to the accounting profession not having developed an accounting approach yet for verification of anti-bribery programmes.
External assurance can be used in support of internal audits by establishing whether anti-bribery and corruption risks are within the organisation’s risk appetite. External assurance can provide an independent assessment of the effectiveness of the anti-corruption approach taken on by a company. It also incorporates a level of expertise, ensuring that the review is rigorous and thorough. The success of external assurance rests on employee interviews which test the effectiveness of the anti-corruption programme.
Investors are also increasingly recognizing the importance of external assurance. Investors such as Norges Bank Investment Management are requiring companies to “disclose whether they undertake regular, independent external assurance of their anti-corruption programme and whether the findings of such assurance are communicated to the board.”
Related general assurance standards are the AA1000 Assurance Standard (AA1000AS) and the International Standard on Assurance Engagements (ISAE3000). These cover the quality and effectiveness of policies and procedures and provide for reporting on data relating to the performance of the procedures. The assured company can also comment on the materiality of reported information, its completeness and the company’s responsiveness to stakeholders.
TI published an Assurance Framework in 2012. There are three issues which have prevented widespread take up of the Framework.
- Difficulty in determining the materiality of bribery: Anti-bribery assurance is not the same as a financial statement or operational auditing though aspects may cover some of the same ground. Most importantly, there is no materiality limit for bribery. A small bribe can have significant consequences. Monitoring and testing looks at areas beyond books and records systems and supporting documentation – it examines the design of procedures and their implementation.
- Credibility gap: There is the danger that stakeholders may judge an assurance opinion as indicating that the assured company is free or will be free of bribery – there is a concern here for auditors about liability risks.
- Cost: The cost of an anti-bribery assurance engagement can be potentially quite high. An assurance of design of a programme could be contained within a manageable level but the cost of testing implementation of a programme could be substantial.
17.9 Certification
Certification is a seal of approval, from a third party body, that a company operates according to a recognised management system. Certification can be used to support a company’s credibility and capability, for example, when bidding for contracts or to give stakeholders reasonable confidence in the company’s systems. Certification is concerned with the quality of design of a process; it is not a monitoring tool but it can contribute to monitoring insofar as the process of obtaining certification from an external assessor can provide confidence in the design of a process if not in the effectiveness of its implementation.
Unlike assurance, anti-bribery certification has made progress. The BSI Specification for an anti-bribery management system 10500 published in 2010 was replaced in October 2016 by ISO 37001. Click here to see the pros and cons of ISO370001.
17.10 Review by Senior Management and the Board
Senior management, through receiving regular reports, will be able to form a judgement as to whether the anti-bribery programme is being applied appropriately, to identify any deficiencies or risks that may not be dealt with adequately and to decide on actions to strengthen and improve the programme. Senior management should also identify any successes in implementing the programme and recognise employee and third party performance accordingly. This forms part of the organisation’s culture and tone from the top. Senior management should make regular reports to the audit committee on the monitoring of the programme. A procedure for regular reporting to the Board and audit committee will compel management to focus their attention on their responsibilities.
The culmination of the monitoring process, including both internal and any external assurance, should be contained in reports to a Board committee, such as the audit committee. The credibility and effectiveness of the company's oversight and monitoring of the anti-bribery programme will depend on a truly independent view provided by a Board committee, comprised of non-executive directors. This will protect the interests of shareholders and other stakeholders. To objectively assess the implementation of the programme, the Board committee will need to be informed about relevant anti-bribery legislation, what constitutes accepted best anti-bribery practice, understand the bribery risks identified for the business by management and how those risks are mitigated and the controls monitored.
The reports to the Board committee should include the results of both internal and external audits. The audit committee’s oversight, in addition to assisting management to fulfil its responsibilities, can also act as a deterrent to any Board members or senior management engaging in bribery. The committee should report to the Board in a summary form and recommend any necessary actions. Senior management and Board reviews will assist the Board in exercising its governance responsibilities and to meet any legal requirements to report publicly on relevant risks to the company.
Reporting to management should be regular, for example, once a quarter, and at least once a year to the audit committee. Reporting should be comprehensive, covering the company’s operations and should follow a consistent pattern to allow comparison between reports. The Board should then make its assessment and agree appropriate actions including any external report of its findings and assessment.
The reviews of the anti-bribery programme, by the Board, including the results of any external independent review, if disclosed publicly, will emphasise the importance that the company attaches to the programme and informing stakeholders of the programme’s design and performance. Such reports may also form part of any regulatory requirement for the Board to report on risks as part of an operating and financial review.
In order to gauge the impact on company culture as a result of senior management commitment to anti-corruption, employee surveys and other culture assessments can prove very useful. Questions such as:
- Do you agree or disagree that leaders believe it is more important to win with integrity rather than just win?
- Do you agree or disagree that leaders promote a culture of integrity and doing the right thing?
Triangulating this survey with other data metrics such as the number of policy endorsements made by senior management and consistency in anti-corruption messages from senior management.
17.11 Measuring Effectiveness: Activity vs Impact
Measuring the effectiveness of a company’s approach to anti-corruption enables companies to face these challenges by identifying which activities are having the most impact in reducing the risk of corruption and which are not - and then change the approach to make it more effective.
Measurable anti-corruption metrics by which we can assess the standards of practice within companies broadly fall into two categories: activity metrics and impact metrics. Activity metrics record the raw activity of firms, typically representing efforts undertaken as part of the company’s anti-corruption programme, but may also include corruption incidents and other events. Impact metrics evidence the extent to which the company is achieving the intended impact of the anti-corruption activity. For example, data that helps measure changes in behaviour or understanding which is attributable to a company’s training would constitute an impact metric.
The business case for measuring effectiveness can be summarised by the following points:
- Limits the effects of bribery and corruption
- Prevents resources from being lost to bribery and corruption
- Adheres to expectations from regulators and law enforcement
- Meets commitments to ethical business
Not only will this process of measuring, developing and enhancing effectiveness help companies to avoid wasting resources and incurring potential significant legal, commercial and repetitional liabilities, but an effective anti-corruption programme will reduce the harmful effects of corruption, which wastes taxpayer’s money and disproportionately affects the disempowered and disadvantaged.
Transparency UK’s 2021 Make it Count report recommends that businesses move away from over-reliance on activity metrics as they lack sufficient information on the impact of the anti-corruption approach. Companies need to ensure that not only are they looking at the correct types of metrics, but also that their analysis and interpretation of data is not encumbered or skewed by practicalities, methodology, or cognitive biases. Disclosure of how companies are measuring the effectiveness of their approach to anti-bribery and corruption, and what they have found to be effective, is now a vital element for driving improvement and evolving the private sector.
Resources
17.12 Some Red Flags for Automated Monitoring of Transactions
- High risk transactions: Using weightings, search for key risks words such as consultancy fee, gifts, facilitation, cash, per diem, miscellaneous and non-standard terms such as customer maintenance fees, customer cooperation fees, services rendered.
- Gifts, hospitality and expenses: Identify frequent transactions, excessive aggregated amounts involving a third party or any transactions involving a PEP.
- High risk countries: Transactions with third parties in high risk countries.
- High risk third parties: These will have been identified in the risk assessments and due diligence processes.
- Repeated transactions just below the counter signature threshold: For example, an employee breaks down an order into segments to avoid being required to have a counter signature in an attempt to place larger orders improperly.
- Repeated amounts of rounded value: Identify employees with more than a defined number of even amount cash expense transactions above a specific amount threshold in a specified time period.
- The dog that didn’t bark: Absence of any records that would be expected e.g. hospitality, small bribes.
- Overpaid purchase orders: Purchase orders where the total payment amount was greater than the total purchase order amount.
- Contract variations: Orders or contracts by employee where variations or rush orders are frequent.
- Invoice receipt greater than goods receipt: Invoices where the receipt amount is greater than the goods receipt amount.
17.13 The pros and cons of ISO 37001
Pros:
- Establishes a global standard and language for anti-bribery good practice.
- Can be an advocacy tool for good practice and advancing corporate anti-bribery practice.
- Can be a positive indicator for use in whitelisting, pre-qualification and due diligence.
- Has potential to advance anti-bribery standards in supply chains, especially where anti-bribery legislation or enforcement is weak.
- Provides a baseline for evolution and development of anti-bribery corporate practice.
- Provides a common basis for benchmarking against peers.
- Annual surveillance audits and renewal audits at three year intervals ensure continuous good practice.
Cons:
- For large companies with good practice anti-bribery programmes, the certification process would add little value to their programme.
- Certification can be demanding and costly.
- Certification is only as good as the accredited assessors and most assessors will not be anti-bribery experts, running the risk that the accreditation becomes a box-ticking exercise. Specific competency requirements have been issued for ABS auditors (ISO/IEC 17021-9, in addition to the general requirements of IS= 17021-1) but it is not sure that this will be sufficient to ensure consistent auditing.
- Certification may be less effective for testing implementation – it requires detailed guidance on procedures and expertise of assessors and can be costly,
- ISO 37001 is a copyright publication available only for a fee – this may restrict the diffusion of the standard among SMEs and in emerging markets.
- The standard does not provide comprehensive guidance.
- Meeting ISO 37001 requirements may not provide for meeting specific legal requirements of countries where a company operates e.g. section 6 of the UK Bribery Act which covers benefits given in certain circumstances to foreign public officials.
17.14 Good practice example: Novo Nordisk
Since 1997, Novo Nordisk has used experienced employees called facilitators, to visit Novo Nordisk units around the world, helping employees and managers translate the company’s printed values into practical action. A facilitator’s job is to evaluate how well a given unit lives up to the Novo Nordisk values statements – and to make sure that any problems in this area are solved. Today, Novo Nordisk has 12 full-time and 12 part-time facilitators who conduct 60-65 facilitations a year worldwide. At its heart, a facilitation is a series of confidential, one-on-one interviews with employees and managers in a particular unit. Interviewees do not need to prepare for this interview - all they need to do is provide honest answers about the successes and challenges of their workplace. Names of individual employees never appear in a facilitation report. If a facilitator sees a general trend or issue that needs to be addressed, he or she will mention it in a facilitation report. More importantly, the facilitator will agree with the unit manager on ways to fix the problem and follow up to make sure action is taken within an agreed deadline.
Facilitation interviews are supplemented by a variety of written documentation as well as statements from external stakeholders. Most departments, areas or affiliates will be facilitated every 3-5 years, but strategically important units or areas that are expanding will generally be facilitated more often. A copy of each facilitation report goes to the manager of the unit that has been facilitated; he or she will then share the contents with the other employees in the unit.