Revelations from the Panama Papers investigation paint a picture of public officials and business leaders allegedly moving money to secret offshore companies. The investigation by the International Consortium of Investigative Journalists is based on more than 11 million emails, documents, and client records leaked from Panama-based law firm Mossack Fonseca. Although many of the business operations highlighted in the papers are legal, some of the dealings allegedly include money laundering and other illegal activities, and the lack of transparency involved is often a red flag of potential corruption.
With the spotlight now shining brightly on potential corruption, it’s more important than ever that organizations have comprehensive anti-corruption compliance programs in place. One way internal auditors can help management gauge the effectiveness and completeness of their organization’s program is by using an anti-corruption maturity model. The maturity model depicted in this article is a variation of the capability maturity model integration approach developed at Carnegie Mellon University that has been customized to measure the proficiency of an anti-corruption compliance program. The model measures an organization’s proficiency in complying with laws, such as the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act, by comparing its compliance program against anti-corruption standards.
Moreover, internal auditors can use the anti-corruption maturity model to measure the degree to which the organization has implemented governance controls and identify expectation gaps that may exist between the organization’s perceived efforts and actual efforts. The model can enable auditors to identify areas of strengths and weaknesses, and it can serve as the basis for allocating resources to most effectively reduce corruption risk. In addition, auditors can use the model to measure the degree to which their organization has adopted regulatory guidelines in its anti-corruption efforts.
Designing the Maturity Model
The anti-corruption maturity model measures control strengths on a scale (see “Maturity Model Scale” at right). Each of the scale’s four levels describes a different strategy for combating corruption. The model’s scale should be commensurate with the organization’s complexity, geographic dispersion, and capital resources. For simplicity, this model is designed for a mid-sized company that has multiple product lines and sells in a global market. A large company that has many subsidiaries operating across diverse industries might be better served by a larger scale, perhaps with five or six levels. The size of the scale is not as important as having a scale that is aligned with the organization’s risk profile.
After an appropriate scale is established, internal auditors should establish the criteria on which the compliance program will be measured. Corruption-related controls should be grouped into components based on the risk drivers they are designed to mitigate. A Resource Guide to the U.S. Foreign Corrupt Practices Act, Hallmarks of Effective Compliance Programs, developed by the U.S. Department of Justice and the Securities and Exchange Commission, is an excellent resource for identifying the types of components that make up the foundation on which an effective compliance program should be built. This guidance identifies seven components that form the basis for the anti-corruption maturity model: oversight, resources, risk assessment, policy statements, due diligence, controls and monitoring, and training.
“Anti-corruption Maturity Model Components” (below) describes some controls that are typical of each component. Internal auditors should consider the organization’s size, complexity, and risk profile in identifying which components to include in the model. For example, an organization that plans to grow through acquisition might add a separate component dedicated to the merger and acquisition process, while a company that does not rely heavily on third-party consultants or agents might place due diligence under risk assessment.
After identifying the controls relevant to the organization, the internal auditor should assign them to the respective component of the maturity model. Basic controls that by themselves are not effective in preventing or detecting corruption should be assigned to lower levels. As controls become more sophisticated and effective, they should be assigned to the appropriate higher levels. It is necessary to achieve the activities on the lower levels of the scale to attain those on the higher levels. Depending on the number of controls identified for each component, it may be more practical to summarize the objectives of the controls in the model itself. The individual controls and their objectives will be detailed in the assessment test schedule.
Assessing Compliance Program Controls
Assessing an organizational-level compliance program goes beyond identifying risks and controls, and evaluating their likelihood and impact. The maturity model measures strength based on the degree to which the documented evidence supports that controls were designed effectively and are functioning accordingly. This is accomplished when the internal auditor reviews supporting documentation and draws reasonable conclusions about their effectiveness. Auditors rate each control on the scale (see “Degree of Evidence Rating” below).
To illustrate how the degree of evidence is measured, assume an internal auditor is reviewing a control that requires anti-corruption training to be provided to all employees in a format consistent with the local languages in all business units. The business operates in Germany, Greece, Spain, and the U.S. To facilitate training, management provides PowerPoint slides in English, German, and Spanish, but it was not able to translate the slide decks into Greek. The auditor rates this control “3” and recommends that the organization translate the training slides into Greek and include them in the online training software.
The process continues until all controls have been assessed. If there is not a control for a significant risk, that attribute receives a zero score.
This methodology gives the internal auditor a deliverable that can provide management with a better picture of the strengths and weaknesses of its anti-corruption controls than it would have using a pass/fail method. That method would have failed the training control in the PowerPoint example because not all employees received instruction in their local languages. Using Excel to document and rate controls enables the auditor to easily tally ratings by component into an assessment scorecard.
Tallying the Scorecard
After internal audit has assessed all of the controls in the respective components and established the degree of evidence, it should determine the effectiveness of the individual components and the overall compliance program by tallying the degree of evidence scores by component. The company for which this model was designed identified 107 compliance controls. The maximum score that can be attained for each component is the number of controls that were assessed multiplied by four, the highest degree of evidence rating. The actual score achieved in each component is divided by the maximum attainable score to arrive at the percentage score. This percentage score will be used to establish the level on which each component will be rated in the model. For example, the oversight component contains 17 controls for a maximum score of 68. If the component’s actual score is 47, then its rating is 69 percent.
Evidence of Effectiveness
A capability maturity model can be an effective tool for assessing the strength of an anti-corruption compliance program. The evidence-based methodology provides internal auditors who are assessing these programs unambiguous results based on empirical evidence rather than results based on subjective perception. It also provides management an easy-to-read summary that executives can use to identify improvement opportunities for the anti-corruption program as well as a methodology that can be easily repeated in future years.
See samples below for anti-corruption maturity models:
- Assessment Scorecard.pdf
- Sample Assessment Ratings.pdf
- Anti-corruption Maturity Model Post-assessment.pdf