By Liu Xiangwen, Monique Carrroll, Yang Jianyuan and Zhu Yuanyuan

The ‘why’

Due to the sensitivity of commercial bribery, corporations can be reluctant to instigate internal anti-commercial bribery investigations as a check on the effectiveness of their compliance program. Often an internal investigation will only be commenced when a serious problem emerges in the internal management system, a judicial or governmental investigation is initiated or a complaint is received accusing the corporation of serious compliance issues. However, given the increasing global focus on anti-bribery and corruption compliance, the value of regular internal compliance investigations or ‘audits’ has increased. The objective of a compliance audit is to identify and deal with any problems or risk areas before they are obvious to third parties and escalate to the media’s attention. Where the audit uncovers a serious problem that must be reported to regulators, the company will be in a much better position to pro-actively manage the situation – hopefully with the result of minimizing any penalties imposed on the company.

Over the medium to long term, regular compliance audits will strengthen the compliance and risk awareness of both the company and its employees and therefore contribute to an enterprise culture of compliance. Such a culture would in turn contribute to the long-term and sustainable development of the company.

The ‘how’

An internal compliance audit generally follows two paths. One is to examine whether the company’s commercial models and conduct are in compliance with relevant laws and regulations. The other is to examine whether staff conduct complies with company rules and standards.

As a compliance audit involves legal risk evaluation as well as moral evaluation when conduct falls within ‘grey areas’, it should be carried out with caution to avoid creating unnecessary negativity. In our experience, engaging external compliance professionals and taking into account the following procedure will significantly contribute to the success and smooth running of a compliance audit – whether taken as a routine precaution or to investigate a particular incident or concern.

1. Prepare a comprehensive audit plan

The first step is to prepare a comprehensive audit plan setting out the objectives, steps and process of the audit. The process of drafting the plan will assist with identifying risk areas and prepare for potential problems. Planning the audit will involve identification of the audit scope (eg a particular department’s compliance) and review of relevant documentation eg contracts or financial data to identify likely risk areas, key personnel etc.

An unequivocal and uniform statement as to the objective of the investigation and carrying out the investigation in strict compliance with the objective, is essential for a successful investigation. Once the audit has commenced, changes to this plan should not be made on an ad hoc basis. If it becomes necessary to broaden the audit scope, the entire audit plan should be reviewed and amended before doing so.

2. Adopt an investigation approach to minimize interference with the business

Employees can be reluctant to cooperate with the compliance audit. An inappropriate investigation could create negativity for employees, or the relevant department and interfere with the daily operation and business performance of the company.

Limiting the number of people taking part in the audit will help to ensure that the audit is contained to the plan and undertaken confidentially. A targeted and well managed audit is usually structured as follows: company executives direct the audit, the internal review and legal departments oversee the day to day conduct of the audit and external legal professionals perform the investigation component. External legal advisors will be experienced in identifying compliance issues, be able to conduct the investigation confidentially and can provide confidential advice on the outcome of the investigation (this advice may also be covered by legal professional privilege). If the investigation requires analysis of large amounts of technical or financial data, it may also be advisable to engage an accounting firm experienced at gathering and analysing such data.

Finally, the investigation component should be completed in the shortest time possible. This will help the company restore its normal operations swiftly and limit the opportunity for employees or third parties to interfere with the success of the investigation.

3. Consider involvement of third parties

Management of a company’s suppliers, clients and other third parties is a key component of compliance management. In conducting an internal compliance investigation, understanding the role played by third parties will be important to success of the investigation. However, it will also be important to minimize any negative effects on these business relationships caused by the investigation.

The nature of the external parties and their relationships with the company could vary greatly and thus should be treated accordingly. In particular, if a relevant third party is a government organization, it is not advised to include the staff of the government organization in the investigation directly.