Position paper: Internal audit and corrupt practices

(including fraud and bribery)

Main message

Internal audit has an important role to play in ensuring that management has effective systems in place to detect and prevent corrupt practices within an organisation. This is part of its normal role of supporting the Board's and Audit Committee's oversight of risk management,

But it is not the job of internal audit directly to detect or prevent corrupt practices. This is for executive management. Internal audit's role includes promoting anti-fraud and anti-bribery best practice, testing and monitoring systems and advising on change where it is needed.

What do we want?

Boards and senior management should not regard internal audit as an operational part of an organisation's defence against corrupt practice, nor should it be seen as the obvious investigator of incidents after the event. 

Internal Audit should only be given extra responsibilities for fraud and corruption

• if it is given a clear and limited mandate that does not prejudice its prime role as the independent third line of defence
• if it has the specific expertise needed in a particular case
• if it has the resource capacity
• if the board / audit committee approves.

Additional points

Every organisation faces risks arising from corrupt practices, such as bribery and fraud.

Corruption can lead to financial losses, false information, poor decision-making and reputational damage.

Organisations in the UK also have potential legal liability for certain corrupt practices of their staff, most notably under the 2010 Bribery Act, and could face criminal charges. This is not yet the case in Ireland.

Organisations need a strong programme of internal controls to combat corruption that includes top level commitment, raising awareness, measures to prevent, detect and manage the damage arising from corrupt practices, and a risk assessment process to identify the risks of corruption within the organization. Internal audit's primary role is to offer assurance at board level that such controls are in place and are functioning effectively

Some organisations may not have sufficient capacity in the executive to deal with fraud. Where, exceptionally, management requests internal audit to undertake fraud investigation, the head of internal audit should determine that he/she has the required mandate and expertise, and that resources are not being diverted from higher priority internal audit work. He/She should also ensure that the audit committee endorse undertaking such work.

Background

The UK Fraud Act 2006 states that a person is guilty of fraud if he/she:

• dishonestly makes a false representation, and intends, by making the representation to make a gain for himself or another, or to cause loss to another or to expose another to a risk of loss.
• dishonestly fails to disclose to another person information which he is under a legal duty to disclose, and intends, by failing to disclose the information to make a gain for himself or another, or to cause loss to another or to expose another to a risk of loss.
• occupies a position in which he is expected to safeguard, or not to act against, the financial interests of another person, dishonestly abuses that position, and intends, by means of the abuse of that position-to make a gain for himself or another, or to cause loss to another or to expose another to a risk of loss.

The UK Bribery Act 2010 covers three areas of personal corruption 

• The offence of bribing another person, where a person offers, promises or gives a financial or other advantage to another individual to perform improperly a relevant function or activity, or to reward a person for the improper performance of such a function or activity
• The offence of being bribed, where a person receives or accepts a financial or other advantage to perform a function or activity improperly. It does not matter whether the recipient of the bribe receives it directly or through a third party, or whether it is for the recipient's ultimate benefit or not.
• Bribery of a Foreign Public Official, where a person directly or through a third party offers, promises or gives any financial or other advantage to a Foreign Public Official in an attempt to influence them as a public servant and to obtain or retain business, or any other related advantage in the conduct of business. 

and introduces a new corporate offence of failure to prevent bribery. 

• A commercial organisation will be liable to prosecution if a person associated with it bribes another person intending to obtain or retain business or an advantage in the conduct of business for that organisation.
  The commercial organisation will have a full defence if it can show that despite a particular case of bribery it nevertheless had adequate procedures in place to prevent persons associated with it from bribing. In accordance with established case law, the standard of proof which the commercial organisation would need to discharge in order to prove the defence, in the event it was prosecuted, is the balance of probabilities

The Irish Legal Position

"Bribery and corruption" is an offence at common law, defined in Murdoch's Dictionary of Irish Law as "corruptly to solicit, promise, give, receive or agree to receive a bribe (i.e. a reward)  in order that any public official should either:

a) act contrary to a duty he has to do something in which the public has an interest, or

b) show favour in the discharge of his duty and function." 

Irish law on bribery and corruption is contained in a series of statutes dating from 1889, with a collective citation of the Prevention of Corruption Acts 1889 to 2010. The law is not clear in places and is difficult to navigate. Some wrongful acts can be prosecuted under several separate provisions and other unethical acts are not regulated at all. 

• The Irish Prevention of Corruption Act is made up of the following: 
• Public Bodies Corrupt Practices Act 1889 (outlaws the bribery of public officials)
• Prevention of Corruption Act 1906 (outlaws bribery and corrupt payments generally).
• Prevention of Corruption Act 1916 (presumes certain payments made to be corrupt).
• Ethics in Public Office Act 1995, s 38 (extends law to special advisers of Ministers).
• Prevention of Corruption (Amendment) Act 2001 (revamped the 1906 Act)
• Proceeds of Crime (Amendment) Act 2005, Part V
• Prevention of Corruption (Amendment) Act 2010 (revamped the 1906 Act)

The Prevention of Corruption (Amendment) Act, 2010, strengthened the legislation on corruption, in particular in relation to corruption occurring outside the State, and gave fuller effect to the OECD Anti-bribery Convention.

A key provision in the Act is the protection afforded to persons, including employees, who make reports, in good faith, of offences under the Corruption Acts, 1889 to 2010 ("whistleblower protection"), and those reports can also be made on a confidential basis.

The Act also provides that reports of suspected corruption offences abroad can be made to diplomatic or consular officers, and foreign police forces, as appropriate.

The Minister for Justice, Equality and Defence received Government approval for the General Scheme of a Criminal Justice (Corruption) Bill, which will update, strengthen and reform the law criminalising corruption. The General Scheme was published in July 2012 to allow the Joint Oireachtas (Parliamentary) Committee on Justice, Defence and Equality to consider the content of this measure and to allow all interested parties to have an input, prior to the publication of the Bill.

The consultation, which closed in September 2012, will be considered in the overall context of developing new, effective legislation to tackle corruption and meet Ireland's international obligations.

In Ireland there is no precise definition of fraud. Many of the offences referred to as fraud are covered by the Criminal Justice (Theft and Fraud Offences) Act 2001. Fraud is a crime which may involve a false pretence, false accounting, forgery, embezzlement or fraudulent conversion.

Under this Act "A person is guilty of forgery if he or she makes a false instrument with the intention that it shall be used to induce another person to accept it as genuine and, by reason of so accepting it, to do some act, or to make some omission, to the prejudice of that person or any other person."

In addition, the Electronic Commerce Act 2000 provides for a number of offences of electronic fraud, for example the fraudulent use of electronic signatures, signature creation devices and electronic certificates.

In Ireland, at present, there is no such automatic imputation to a company of the acts of an employee, officer or agent. It turns on the extent that it could be argued on the facts that liability is imputed under the identification doctrine or attribution doctrine.

IIA Global Standards Practice Advisory 

1210.A2 - Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. 

2120.A2 - The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. 

1220.A1 - Internal auditors must exercise due professional care by considering the:

2060 - The chief audit executive (CAE) must report periodically to senior management and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.

IIA's advice

Every organisation should: 

• Set the tone from the top by having a policy that makes it clear that fraud and other corrupt practices will not be tolerated, that the organisation is committed to preventing and detecting breaches, and that offenders will be prosecuted;
• Have a risk management strategy, which includes risk mitigation measures, aimed at detecting corrupt practices and deterring would-be offenders;
• Have a response plan setting out exactly what steps to take if a fraud or other corrupt practices are reported or detected;
• Have a continuous programme of corruption awareness and regular updates and training for new and existing staff.
• The highest level of management should formally adopt the policy, strategy and plan.

The primary responsibility for prevention, detection and investigation rests with management, which also has the responsibility to manage the risk. Many organisations now have a dedicated in-house "security" function with responsibility to manage investigations. This function may be assisted by internal audit.

The executive board is responsible for:

• Corporate policy on the non-tolerance of corruption, dealing with its occurrence and laying down responsibilities and measures to mitigate risk;
• Notifying appropriate regulatory authorities of relevant transgressions;
• Ratifying policy, mitigation strategy and response plan;
• Corporate ethos, setting the right ethics and policies;
• Risk and threat assessment;
• Adequate and effective internal control;
• Adequate and effective internal audit.
   

Line management in responsible for managing, controlling, reporting and taking action on the risk of corrupt practice including:

• Having processes in place to deter and detect corruption;
• Applying adequate controls to prevent transgressions;
• Leading investigations;
• Overseeing investigations conducted by specialists on their behalf;
• Dealing effectively with issues raised by staff (including taking appropriate action to deal with reported or suspected illegal activity);
• Involving the police where necessary.    
                                    

Staff are responsible for:

• Operating procedures to safeguard the organisation's assets;
• Alerting management when they believe that the possibility of corruption exists;
• Reporting immediately to management when they suspect that an illegal act has been committed.
   

Internal audit

It is not a primary role of internal audit to detect corrupt acts, but it is a role most people expect internal audit to undertake. There is, therefore, an expectations gap that needs to be managed.

Internal audit has no legal responsibility for corruption but is required to give independent assurance on the effectiveness of the processes put in place by management to manage the risks.

Any additional activities carried out by internal audit should be in the context of and not prejudicial to this primary role. The roles that internal audit should undertake include the following: 

• Investigating the causes of illegal acts;
• Reviewing prevention controls and detection processes put in place by management;
• Making recommendations to improve those processes;
• Advising the audit committee on what, if any, legal advice should be sought if a criminal investigation is to proceed;
• Bringing in any specialist knowledge and skills to assist in investigations, or leading investigations where appropriate and requested by management;
• Liaising with the investigation team;
• Responding to whistleblowers;
• Considering the risk associated with corruption in every audit;
• Having sufficient knowledge to identify the indicators of fraud and other corrupt practices;
• Facilitating corporate learning.
   

Audit Committee 

The audit committee should review arrangements by which staff of the company may, in confidence, raise concerns about possible improprieties in matters of financial reporting, financial control or any other matters.

The audit committee's objective should be to ensure that arrangements are in place for the proportionate and independent investigation of such matters and for appropriate follow-up action, and that any matters relevant to its own responsibilities are brought to its attention. (Smith Guidance on Audit Committees)