
ACL EBOOK

BRIBERY
AND
CORRUPTION
THE ESSENTIAL GUIDE TO MANAGING THE RISKS
CONTENTS
Failing to Manage Bribery and Corruption Risks Can Be Very Expensive…
A Global Risk
So Why is Bribery Still Commonplace and Such a Risk?
What Can Be Done to Address the Risks Associated with Bribery and Corruption?
Whose Job is it Anyway? Start by Defining Roles and Responsibilities
A Fork in the Process Roadmap: Choose a Standalone or an Integrated Process
Build an Anti-Bribery & Anti-Corruption Program: 5 Step Process
  Identify and Assess Risks
  Identify Mitigation Procedures to Reduce the Risks and Their Impact
  Monitor
  Manage Exceptions
  Reporting and Ongoing Assessment
Anti-Bribery & Anti-Corruption Compliance Process Flow
How Does Your Organization Rank?
Anti-Bribery and Anti-Corruption Technology Buying Checklist

Bribery & Corruption: The essential guide to managing the risks - 3


FAILING TO MANAGE BRIBERY AND CORRUPTION RISKS CAN BE VERY EXPENSIVE…



For many corporations, the risks related to bribery and other forms of corrupt
payments rank among the most serious risks that must be managed. The direct
impact of financial penalties is not the only problem for businesses, as the damage to
brand and reputation from negative publicity can have an even greater and more
long-term impact.
Some organizations, such as multinationals and those in specific industries, including defense, major construction and resources, are particularly at risk, but it typically extends to any organization competing for contracts across the globe. Virtually no business is completely free of the risks associated with some form of corrupt payments.

Many people in the world of audit, compliance, legal, and risk management will be well aware of high profile instances in which organizations had to pay many hundreds of millions of dollars in fines and penalties to U.S. and other national authorities for failing to comply with anti-bribery and corruption regulations.

This e-book outlines the key aspects of an effective process framework for managing the risks of bribery and corrupt payments.

“Many of you are familiar with our pending litigation against various executives of Magyar Telekom, Siemens, and Noble. Litigation is ongoing against individuals in all three matters, and these cases have sent an unambiguous message that we will vigorously pursue cases to hold individuals accountable for FCPA violations – including executives at the highest rungs of the corporate ladder. In fact, this April, we obtained the second highest penalty ever assessed against an individual in an FCPA case, when one of the Siemens executives agreed to pay $275,000.”
Andrew Ceresney
Co-Director of the Division of Enforcement,
U.S. Securities and Exchange Commission

“Bribery is a specific offence which concerns the practice of offering something, usually money, to gain an illicit advantage and corruption is an abuse of a position of trust in order to gain an undue advantage.”
Government of Ireland definition

“By its nature corruption can be difficult to detect as it usually involves two or more people entering into a secret agreement. The agreement can be to pay a financial inducement to a public official for securing favor of some description in return. In overseas corruption this can manifest itself in a company paying a bribe for the benefit of an overseas public official in order to win a contract. This can be done through a third party — commonly known as an agent or advisor — who then passes the bribe on to the public official or directly by the company to the public official.

Ingenious methods of making the payments are used by those involved, including moving the money through a number of offshore companies (which, on the face of it, have nothing to do with the intended recipient) registered in various jurisdictions.”
UK Serious Fraud Office



“The Foreign Corrupt Practices Act (FCPA), enacted in 1977, generally
prohibits the payment of bribes to foreign officials to assist in obtaining or retaining business.
The FCPA can apply to prohibited conduct anywhere in the world and extends to publicly traded companies and their officers, directors, employees,
stockholders, and agents. Agents can include third party agents, consultants, distributors, joint-venture partners, and others.

The FCPA also requires issuers to maintain accurate books and records and have a system of internal controls sufficient to, among other things, provide
reasonable assurances that transactions are executed and assets are accessed and accounted for in accordance with management’s authorization.

The sanctions for FCPA violations can be significant. The SEC may bring civil enforcement actions against issuers and their officers, directors, employees,
stockholders, and agents for violations of the anti-bribery or accounting provisions of the FCPA. Companies and individuals that have committed
violations of the FCPA may have to disgorge their ill-gotten gains plus pay prejudgment interest and substantial civil penalties.
Companies may also be subject to oversight by an independent consultant.”
The U.S. Securities and Exchange Commission



A GLOBAL RISK

The U.S. Foreign Corrupt Practices Act (FCPA) and the U.K. Bribery Act are just two
examples of government legislation that aim to address the problem by levying
massive fines and other penalties against organizations and individuals involved in
bribery. The specifics of regulations vary by region and applicable laws.

The FCPA, for example, is only applicable to public companies whose shares are traded in U.S. exchanges and only relates to corrupt payments to government officials. The U.K. Bribery Act is more wide-ranging and also applies to corrupt payments to non-government officials. Other national legislation, such as the Chinese Article 164, the Brazilian Clean Company Act and the Canadian Corruption of Foreign Public Officials Act, among many others, all seek to do essentially the same thing and impose very severe penalties on corporations that resort to bribery.

Despite increasing global legislation and enforcement, the extent of bribery and corrupt payments does not appear to be in decline. PwC’s 2014 Global Economic Crime Survey reported that most organizations have actually seen an increase in the problem. Bribery and corruption, along with other forms of fraud and economic crime, continue to be a major concern for companies of all sizes across all regions and in virtually every sector.

More than 40 countries have adopted the OECD Anti-Bribery Convention, which establishes “legally binding standards to criminalize bribery of foreign public officials in international business transactions.”
SO WHY IS BRIBERY STILL COMMONPLACE AND SUCH A RISK?

Dealing with the problem of bribery and corrupt payments is not always easy. Formal
policies in most large companies clearly forbid such practices, but this does not mean
they will not occur. Behavioral education and compliance training is simply not
enough to mitigate the risk.

Payment and receipt of bribes, as well as other forms of facilitation and consulting fees, gifts, entertainment, travel and other benefits, are a well-established part of business and government culture in many parts of the world. Until relatively recently, these practices were widely accepted by large, global companies as simply a part of the cost of doing business. The reality for many business managers is that it can be extremely difficult to remain competitive and win new business in foreign markets without resorting to some form of activity that may be illegal or, at best, in a “grey area.”

As a result, in spite of the implementation of increasingly stringent corporate policies, the temptation is to do whatever is necessary to close a deal and then find a way to avoid getting caught. This often means that large payments manage to make their way into the bank accounts of influential individuals in governments or corporations in order to win a contract, but are carefully disguised in a way that makes them difficult to detect through normal control mechanisms.



WHAT CAN BE DONE TO ADDRESS THE RISKS ASSOCIATED WITH BRIBERY AND CORRUPTION?

“We encourage companies to maintain robust compliance programs, to voluntarily disclose and eradicate misconduct when it is detected, and to cooperate in the government’s investigation. But we will not wait for companies to act responsibly. With cooperation or without it, the department will identify criminal activity at corporations and investigate the conduct ourselves, using all of our resources, employing every law enforcement tool, and considering all possible actions, including charges against both corporations and individuals.”
Assistant Attorney General Caldwell,
Department of Justice



As with many different forms of risks faced by corporations and other large organizations, there are ways to manage the risks
associated with bribery and corruption so that the extent of risk is reduced to a level that is acceptable to the organization.
Effective enterprise risk management (ERM) involves a process that, in principle, can be applied to any type of risk.

Some organizations develop a comprehensive framework for ERM, where strategic risks are assessed and holistic programs put in place to monitor and mitigate risks organization-wide, while others have far more rudimentary approaches. Most research indicates that those businesses with capable risk management processes outperform those with ad hoc, disparate or informal systems.

Let’s look at the key aspects of an effective process framework for managing the risks of bribery and corrupt payments. While the specific risks and best response will always vary to some extent from one organization to another, as well as from one part of an organization to another, there are key factors and steps that should be considered in any risk management process for bribery and corruption. These are all part of what we refer to in this publication as the “ABAC Program” (Anti-Bribery and Anti-Corruption).

The U.S. Department of Justice has indicated that if a company has performed proactive automated monitoring of payments, then it will take this into account when instances of bribery still occur and will consider reducing penalties accordingly.



WHOSE JOB IS IT ANYWAY?
START BY DEFINING ROLES AND RESPONSIBILITIES
Ideally, the organizational structure for dealing with the risks of bribery and corruption should reflect that of risk management
responsibilities overall. This means there are several stakeholders and levels of responsibility:

THE BOARD, RISK AND AUDIT COMMITTEES


Various executives have overall responsibility for ensuring that risks are effectively managed within the organization, with the CEO holding the ultimate job:

Chief Compliance Officer
The CCO role owns overall responsibility for protecting the organization from compliance risk and enforcement actions and often directly leads the creation and management of an ABAC program.

General Counsel
General Counsel usually plays an active role in regulatory compliance and establishment of levels of risk appetite around specific activities.

Chief Risk Officer
Many organizations now have a formal role of Chief Risk Officer that focuses on facilitation and coordination of overall enterprise risk management (ERM) processes, ensuring that appropriate procedures are implemented by those with more direct responsibilities for avoiding potentially corrupt payments. The CRO is usually responsible for identifying and prioritizing material risks and discussing them with senior management and the Board.

Chief Financial Officer
The CFO bears responsibility for financial controls, while line and regional executives are directly responsible for the appropriateness of payments that take place within their area of budgetary and business control.

Internal Audit
As with most areas of risk, internal audit needs to consider the risks and controls related to ABAC as they develop and execute their audit plan. Internal audit’s procedures provide assurance that ABAC processes and controls are effective and working as intended. It is of course the job of business management to actually implement and maintain the ABAC processes and controls.

TIP >> As there are various stakeholders in the ABAC Program process, the important thing is that all are aware of their respective roles and how they fit within the process. In order
to achieve this there needs to be an effective central system that can be accessed in order to clearly communicate and share information on the process and its current status.
A FORK IN THE PROCESS ROADMAP:
CHOOSE A STANDALONE OR AN INTEGRATED PROCESS

Although it is preferable that the processes for managing the risks of bribery and corruption are integrated into an overall enterprise risk management “ERM” process, this is not always feasible within some organizations.

The benefits of integration are that a full range of risks can be assessed and compared with a consistent approach and within one system. This allows specific bribery risks to be evaluated within the overall business context of organizational objectives. Appropriate resources can then be allocated for management and mitigation of a range of different risks, based on the organization’s tolerance for different types of risk.

If an integrated ERM approach is not practical, the specific processes for managing an ABAC program remain essentially the same, except without the element of comparison of the relative impact of different risks.

As noted, if a formalized ERM process exists within an organization, then the anti-bribery and anti-corruption (ABAC) risk assessment process should ideally be carried out within the corporate ERM framework. However, in some organizations the overall risk management process is fragmented and the reality is that risks of bribery and corruption are considered in relative isolation.

Whichever approach is taken within an organization, the process of defining the risks should involve individuals with sufficient knowledge of regulations and the ways that the business actually works.



BUILD AN ANTI-BRIBERY & ANTI-CORRUPTION PROGRAM: 5 STEP PROCESS

1 IDENTIFY AND ASSESS RISKS

The first thing to do is fully understand the nature of the risks of bribery and corrupt payments across the organization. The specific risks can vary considerably according to factors such as:

■■ Applicable legislation
■■ Types of business carried out
■■ Geographical locations in which business takes place
■■ Types of customers

The purpose of any enterprise risk management (ERM) process is to identify and assess those risks that may negatively impact the organization’s ability to achieve its corporate objectives, and then determine what can be done to mitigate those risks and reduce them to a level that is acceptable. This “acceptable level” is based on the risk appetite that is usually defined by the board and risk committees.

It is often desirable to have a variety of individuals involved in the assessment and ranking process, including those who have different perspectives based on their background and understanding of the way the organization works (e.g., auditors, legal and compliance specialists, business managers, accountants, controllers).

The usual desired outcome is to have a “heat-map” type report that ranks the risks by likelihood and extent of impact, as well as an estimate of the costs of managing the risks to an acceptable level. It often makes sense to identify the “residual risk” — the extent of risk that remains after taking account of risk mitigation efforts such as internal controls.



Risk Heat Map

ABAC TECHNOLOGY REQUIREMENTS:
oo Ability to record, assess, and rank a range of risks in a structured and consistent way that provides sufficient detailed information for comparison and reference purposes.

The use of a heat map enables the different types of specific ABAC risks to be put into context against each other, as well as other risks across the organization.

The end result of this heat map ABAC risk evaluation and assessment can vary considerably. So, for example, a business unit of a U.S. publicly traded company that bids competitively for major government contracts in a region where corruption is commonplace is likely to rank the likelihood and size of risk as high. On the other hand, a privately held corporation that sells primarily into the retail market may rank the risk as relatively very low.

<< TIP
The use of spreadsheet technology for risk identification and assessment can itself be risky, due to the
inherent problems of maintaining control over the integrity of information recorded, avoiding errors and
accidental changes and being able to share information in an efficient way.

2 IDENTIFY MITIGATION PROCEDURES TO REDUCE THE RISKS AND THEIR IMPACT

Risks are a normal part of business. Some, such as investing in new products and markets, are very desirable for any healthy, growing, innovative company. Other types of risks, such as those related to bribery and corrupt payments, are clearly not generally desirable. The issue is to weigh the negative aspects of risks against the cost of managing the risks. In some cases it may make good business sense to accept that a risk will sometimes turn into a negative event as the cost of managing and reducing the risk is simply too high.

Once the nature of the types of bribery and corruption risk is properly understood, an important part of the risk management process is to identify the ways in which the risks can be monitored, reduced, or eliminated through mitigation efforts.

In the case of ABAC, mitigation efforts could include examples such as:
■■ Corporate policies that are documented and expressly prohibit the payment of bribes or other forms of corrupt payments.
■■ Compliance training programs for those most likely to be exposed to bribery and corrupt activities, designed to increase awareness and educate on what constitutes illegal or “grey area” activities.
■■ Specific controls, such as approval, authorization, and review processes, for payments that take place through systems for vendor payables, purchasing cards, travel & entertainment expenses.
■■ Systematic monitoring of payments to look for suspect outliers, unusual patterns and other indicators of potential cases of bribery and corruption.

For each type of mitigation procedure, whether policy, specific control, or program, it is important to consider at a detailed level all the things that could go wrong and make the process or program ineffective.



ABAC TECHNOLOGY REQUIREMENTS:
oo Ability to clearly identify the relevant mitigation procedures and controls for specific bribery and corruption risks.
oo Ability to assess the effectiveness of each mitigation procedure or control.


3 MONITOR

The ABAC risks have been defined, assessed, and ranked and decisions made about the risk mitigation processes that need to be in place. What’s left to do…?

Quite a lot.

None of these efforts are worth much if the process, policy, or control, however carefully planned, is not actually working as intended.

One of the most critical phases of the ABAC Program is to monitor the process to determine:
(a) whether or not the controls and procedures are working as intended, and
(b) whether there are indicators of new risks for which no specific controls were developed.

Monitoring of policies and controls can take place across the range of business process areas that are subject to bribery and corruption risks, including purchase-to-payment, vendor transactions, expense reporting, and general ledger. Human behavior can be monitored as well through human analytics, such as asking employees whether they have completed ABAC compliance training, or whether they followed the protocol when providing any benefit, such as entertainment, within a foreign jurisdiction. Based on employee responses to these surveys, triggers can be set up to automatically assess the responses and flag, notify or escalate as required.

What is Human Analytics?
In its simplest of forms, surveys or questionnaires are forms of human analytics. But the possibilities of solving significant problems and adding strategic value are endless with human analytics.

The single most effective method of monitoring is to examine every payment transaction and every benefit provided by the organization in order to determine if there are signs that non-compliant activities occurred, in spite of the policies and controls that are meant to be in place. This form of detailed testing of transactions and controls, based on data analysis, is used widely by internal auditors in many of their assurance activities.

This approach is even more effective when used by those directly responsible for maintaining effective payment control systems, including the financial, business, and operational managers of an organization, as well as those in specific compliance functions.

Entire populations of payment transactions, across disparate business systems, are examined in detail to look for indicators of problems such as some of the following:
■■ Payments made to individuals on the “Politically Exposed Persons (PEP)” database of foreign government officials
■■ Expenses in high risk regions described using suspect keywords such as “facilitation”, “consulting”, “donation”, “training”
■■ Payments made in high risk regions to one time or new vendors that do not fit the typical vendor profile
■■ High value transaction amounts that have not been subject to required approvals
■■ Payments made through and to unusual offshore bank accounts

ABAC TECHNOLOGY REQUIREMENTS:
oo Links between individual controls and the tests used to examine transactions and other data.
oo Ability to perform a wide range of data analysis tests on an automatic basis and link the results back to the description of the control.
oo Visual analysis of testing results.
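
The transaction tests listed above can be written as small rule functions that run over every payment record and return the tests each payment fails. This is an added example, not ACL's code or product logic: the record fields, PEP names, region labels, country codes and approval threshold are constructed assumptions, and the "new vendor" and "unusual offshore account" tests are simplified.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Everything below is constructed for illustration. A real program would load
# these from a PEP screening list, a country-risk index and the approval policy.
PEP_NAMES = {"example official one", "example official two"}
HIGH_RISK_REGIONS = {"Region A", "Region B"}
SUSPECT_KEYWORDS = ("facilitation", "consulting", "donation", "training")
OFFSHORE_COUNTRIES = {"XA", "XB"}      # placeholder country codes
APPROVAL_THRESHOLD = 10_000.00         # assumed approval limit

# Whole-word, case-insensitive match so "Restraining" does not hit "training".
KEYWORD_RE = re.compile(r"\b(?:" + "|".join(SUSPECT_KEYWORDS) + r")\b", re.IGNORECASE)


@dataclass(frozen=True)
class Payment:
    payment_id: str
    payee: str
    region: str
    description: str
    amount: float
    approved_by: Optional[str]      # None or blank means no approval recorded
    vendor_prior_payments: int      # payments made to this vendor before this one
    vendor_country: str
    bank_country: str


def normalize_name(name: str) -> str:
    """Collapse whitespace and case so list matching survives sloppy data entry."""
    return " ".join(name.split()).casefold()


def pep_match(p: Payment) -> bool:
    return normalize_name(p.payee) in PEP_NAMES


def suspect_keyword(p: Payment) -> bool:
    return p.region in HIGH_RISK_REGIONS and KEYWORD_RE.search(p.description) is not None


def new_vendor_high_risk(p: Payment) -> bool:
    # Simplified: "new" means no earlier payments; vendor-profile fit is not modelled.
    return p.region in HIGH_RISK_REGIONS and p.vendor_prior_payments == 0


def unapproved_high_value(p: Payment) -> bool:
    return p.amount >= APPROVAL_THRESHOLD and not (p.approved_by or "").strip()


def offshore_account(p: Payment) -> bool:
    # Simplified: "unusual" means an offshore bank outside the vendor's own country.
    return p.bank_country in OFFSHORE_COUNTRIES and p.bank_country != p.vendor_country


RULES = [
    ("PEP_MATCH", pep_match),
    ("SUSPECT_KEYWORD", suspect_keyword),
    ("NEW_VENDOR_HIGH_RISK", new_vendor_high_risk),
    ("UNAPPROVED_HIGH_VALUE", unapproved_high_value),
    ("OFFSHORE_ACCOUNT", offshore_account),
]


def evaluate(p: Payment) -> List[str]:
    """Return the ids of every test this payment fails, in RULES order."""
    return [rule_id for rule_id, rule in RULES if rule(p)]


def monitor(payments: List[Payment]) -> Dict[str, List[str]]:
    """Test the whole population and keep only the exceptions."""
    exceptions: Dict[str, List[str]] = {}
    for p in payments:
        flags = evaluate(p)
        if flags:
            exceptions[p.payment_id] = flags
    return exceptions


# Constructed sample records.
SAMPLE_PAYMENTS = [
    Payment("P1", "Acme Supplies Ltd", "Region C", "Office furniture",
            2_500.00, "jlee", 14, "US", "US"),
    Payment("P2", "  Example  OFFICIAL one ", "Region A", "Consulting fee for permit",
            48_000.00, None, 0, "XC", "XA"),
    Payment("P3", "Northwind Logistics", "Region B", "Restraining straps",
            900.00, "mk", 6, "DE", "DE"),
    Payment("P4", "Globex Events", "Region C", "Donation to charity gala",
            15_000.00, "  ", 3, "US", "US"),
]

if __name__ == "__main__":
    for payment_id, flags in monitor(SAMPLE_PAYMENTS).items():
        print(payment_id, ", ".join(flags))
```

Each rule id can be stored against the control it tests, so an exception links back to the control description.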


4 MANAGE EXCEPTIONS

The transaction monitoring process can produce a high or low number of exceptions, depending on the thresholds and parameters used in the data analysis tests. In order to determine whether the ABAC Program is working effectively, it is important to have a strong process for dealing with exceptions.

Not all exceptions necessarily mean that a bribe has been paid. Depending on the exact nature of the test and the way the monitoring system is implemented, an exception should mean that there is a reasonable probability that there is a problem that needs investigation and follow up. The result of the follow up may be an understanding that the exception was a “false positive” — in which case the test can be modified to reduce the chances of future false positives. The result could also be a conclusion that a control, such as an approval process where the controller needs to review all high dollar transactions to one time vendors, is not working as intended — in which case the situation must be addressed. Of course, the exception could turn out to be an actual corrupt payment — in which case, depending on the circumstances, a series of critical notifications and actions may need to be performed.

Typically, the exception management process involves specific workflow that will vary considerably from one organization to another and will also vary depending on the nature of the exception that is identified. For example, certain high risk exceptions may always be routed directly to a senior manager. In the event that there is no satisfactory resolution within a given timeframe, a notification would be sent to the CFO and CRO.



ABAC TECHNOLOGY REQUIREMENTS:
oo Flexible workflow capabilities that can accommodate a range of alternate actions depending on the nature of exceptions generated.
oo Comprehensive visual reporting on the status of exception management activities, in summary and at a detailed level.
oo Ability to collaborate with any stakeholder of the organization – including vendors, partners, contractors, clients and employees and request confirmation or evidence for the validity of a transaction or payment.
oo “Human analytic” capabilities, meaning the ability to assess and combine responses that individuals provide when following up on exceptions.


5 REPORTING AND ONGOING ASSESSMENT

Reporting is one of the most important and valuable steps in the ABAC Program process.
This is where risk managers, compliance officers, auditors, C-suite executives, and other
stakeholders can really get visibility into how effectively the ABAC program is working.

Ideally, the reporting system should be able to go from a top level overview of overall risk trends, all the way down to the
detail of specific red flags of potential violations, including the resolution of each issue that was identified. It is a critical
part of the ongoing risk assessment process.
One of the great benefits of using data analysis in the ABAC Program process is that the monitoring and assessment
process can be accurately quantified.
This could mean, just as an example, that a report or visual dashboard shows –

SAMPLE VISUALIZATION TO COMMUNICATE TO EXECUTIVES:

that a total equivalent of US$3.542B of payments across 15 business units and 10 regions were analyzed and tested for 12 key indicators of potential corrupt payments. Of these payments, 384, totaling US$45.7M, were flagged as exceptions. 75% of these were satisfactorily resolved but 10 transactions, totaling US$11 million, in two regions, are in the process of investigation and appear to be very high-risk items.

ABAC TECHNOLOGY REQUIREMENTS:
oo The ability to quickly and easily get an overview of the status of the entire ABAC process and move down to whatever detailed level is appropriate.
oo Provide an executive storyboard that shows all material issues identified in the organization, across all risk mitigation programs, as it relates specifically to ABAC.
oo Multiple levels of access control and security in order to ensure that sensitive data is only available to those who should be involved in a particular part of the process.
oo Visual reporting capabilities that, where needed, are fully integrated into an overall risk management dashboard.
oo Reporting that can be accessed from a range of technologies, including smart phones, tablets and laptops.

Effective reporting means that you can see both the “forest” and, where necessary, all of the “trees.”

By reviewing the results of the analysis and monitoring process over time, it is easy to see whether and where there is an increasing or an improving risk problem.
ANTI-BRIBERY & ANTI-CORRUPTION COMPLIANCE PROCESS FLOW

[Figure: compliance process flow diagram. Stages shown: Identify & Assess Risks; Identify & Assess Controls; Design & Configure Tests; Run Tests & Monitor; Manage Exceptions; Respond & Resolve; Report. Data elements shown: Risk & Controls Database; Tests; Payment/Benefits Transactions.]



HOW DOES YOUR ORGANIZATION RANK?
IS YOUR ORGANIZATION AT RISK
OF HAVING TO PLEAD GUILTY?
Take the Anti-Bribery
Self-Assessment Quiz

The business media regularly reports news showing the increasing magnitude of threats posed from failing to comply with anti-bribery and anti-corruption legislation.

We know that some organizations are well down the path of implementing effective programs to manage these risks, while others still have a very long way to go. Where does your organization fit in this spectrum?

We hope that this eBook has provided you with some helpful information on how to best manage the risks associated with bribery and corrupt payments, using technology including data-centric compliance management as a key driver.

We are here to help.

WE’RE HERE TO HELP
ACL has drawn upon its two decades of experience working with thousands of customers worldwide to develop detailed methodologies and best practices for managing anti-bribery and anti-corruption compliance.

For a free assessment of how your organization can best integrate technology into your compliance program, call 1-888-669-4225 or email info@acl.com


ANTI-BRIBERY AND ANTI-CORRUPTION TECHNOLOGY BUYING CHECKLIST


Make sure your ABAC compliance software platform has the following capabilities:

1. IDENTIFY AND ASSESS RISKS
oo Ability to record, assess, and rank a range of risks in a structured and consistent way that provides sufficient detailed information for comparison and reference purposes

2. IDENTIFY MITIGATION PROCEDURES TO REDUCE THE RISKS AND THEIR IMPACT
oo Ability to clearly identify the relevant mitigation procedures and controls for specific bribery and corruption risks
oo Ability to assess the effectiveness of each mitigation procedure or control

3. MONITOR
oo Links between individual controls and the tests used to examine transactions and other data
oo Ability to perform a wide range of data analysis tests on an automatic basis and link the results back to the description of the control
oo Visual analysis of testing results

4. MANAGE EXCEPTIONS
oo Flexible workflow capabilities that can accommodate a range of alternate actions depending on the nature of exceptions generated
oo Comprehensive visual reporting on the status of exception management activities, in summary and at a detailed level
oo Ability to collaborate with any stakeholder of the organization – including vendors, partners, contractors, clients and employees and request confirmation or evidence for the validity of a transaction or payment
oo “Human analytic” capabilities, meaning the ability to assess and combine responses that individuals provide when following up on exceptions

5. GENERAL CAPABILITIES
oo Designed for rapid configuration and implementation
oo Software runs on a range of mobile devices
oo Seamless integration across functional capabilities, including data analysis
oo Modern, simple design and best practices user interface

6. REPORTING AND ONGOING ASSESSMENT
oo The ability to quickly and easily get an overview of the status of the entire ABAC process and move down to whatever detailed level is appropriate
oo Provide an executive storyboard that shows all material issues identified in the organization, across all risk mitigation programs, as it relates specifically to ABAC
oo Multiple levels of access control and security in order to ensure that sensitive data is only available to those who should be involved in a particular part of the process
oo Visual reporting capabilities that, where needed, are fully integrated into an overall risk management dashboard
oo Reporting that can be accessed from a range of technologies, including smart phones, tablets and laptops
ABOUT THE AUTHOR: JOHN VERVER

John Verver, CPA, CISA, CMC is an acknowledged thought leader, writer and speaker on the application of technology, particularly, data analysis, in audit, fraud detection, risk management and compliance. He is recognized internationally as a leading innovator in continuous controls monitoring and continuous auditing and as a contributor to professional publications. He is currently a strategic advisor to ACL, where he has also held vice president responsibilities for product strategy, as well as ACL’s professional services organization. Previously, John was a principal with Deloitte in Canada

ABOUT ACL

ACL delivers technology solutions that are transforming audit, compliance, and risk management. Through a combination of software and expert content, ACL enables powerful internal controls that identify and mitigate risk, protect profits, and accelerate performance.

Driven by a desire to expand the horizons of audit and risk management so they can deliver greater strategic business value, we develop and advocate technology that strengthens results, simplifies adoption, and improves usability. ACL’s integrated family of products—including our cloud-based governance, risk management, and compliance (GRC) solution and flagship data analytics products—combine all vital components of audit and risk, and are used seamlessly at all levels of the organization, from the C-suite to front line audit and risk professionals and the business managers they interface with. Enhanced reporting and dashboards provide transparency and business context that allows organizations to focus on what matters.

And, thanks to 25 years of experience and our consultative approach, we ensure fast, effective implementation, so customers realize concrete business results fast at low risk. Our actively engaged community of more than 14,000 customers around the globe—including 89% of the Fortune 500—tells our story best. Here are just a few.

Visit us online at www.acl.com

© 2015 ACL Services Ltd.


ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners.
