Uncovering bribes hidden in books and records

More than 40 years after the Foreign Corrupt Practices Act (FCPA) was enacted, the SEC and the U.S. Department of Justice (DOJ) continue to crack down on schemes in which bribes are paid to foreign officials with the intent to advance business interests.

In an effort to conceal illicit payments, individuals involved in illegal activity have gone to great lengths to falsify company books and records in the hopes of keeping them hidden from in-house accountants, internal and external auditors, or legal and compliance personnel. In some instances, a parent company or its officers may have unwittingly played a role in the illegal activity because the appropriate internal controls were not in place to prevent or detect improper payments.

For public companies operating in or with subsidiaries in countries that have been identified as high-risk (including Brazil, Russia, India, and China), understanding specific FCPA risks and the government’s areas of focus can enhance compliance efforts and reduce exposure (see the sidebar “FCPA Accounting Provisions and Sanctions for Violations”).

Although the SEC’s prosecution of FCPA violations involves public companies, the DOJ handles criminal prosecution of both public and private entities.

While larger corporations and, to some extent, medium-size companies may have more mature anti-corruption compliance programs and sufficient resources to address their risks in these geographic locations, companies that do not have the necessary resources and robust anti-corruption compliance programs in place should consider obtaining advice to assess corruption risks and the adequacy of controls to mitigate issues and avoid violations.

To help companies of all sizes understand the books and records that create the most risk for prosecution, we analyzed all the SEC’s FCPA enforcement actions from 2014 to 2018 and identified the financial accounts and expense categories that it flagged as attempts to conceal corrupt payments (see the graphic, “Details of SEC Citations”). Companies and their executives can use this historical analysis to enhance their anti-corruption compliance programs and to design targeted compliance monitoring procedures, including data analytics techniques, to identify potential improper payments or internal control deficiencies.

Details of SEC citations

Fifty-seven companies were charged with FCPA violations from 2014 to 2018. The SEC cited the following expense categories and key terms as problems for almost all of the companies that were charged with violating the SEC’s books and records provision. Several companies were cited for irregularities in multiple expense categories.



The SEC’s enforcement actions indicate clear patterns of the identified improper behavior when it comes to key terms and categories used to “cook the books” and cover up bribery payments.

More specifically, the 57 companies charged by the SEC from 2014 to 2018 (excluding companies that entered into nonprosecution or deferred prosecution agreements) used various account categories to inaccurately record or falsify improper payments, including “consulting,” “other business expenses,” “gifts, travel, and entertainment,” “commissions,” “marketing,” and “discounts.” However, the specific accounts included both general descriptions (such as “research services” or “administrative expenses”) and specific descriptions (such as “influencer fee” or “executive gifts: 5 watches”). Internal controls, therefore, need to be designed to address these recurring categories, as well as other potential categories in which companies may attempt to hide improper payments.

A review of the charging documents for these matters reveals that 84% included allegations of bribery initiated through an intermediary, such as a shell company, consultant, or local partner. Only nine of the 57 companies (16%) did not use an intermediary to facilitate bribery schemes. Many intermediaries were new partners engaged solely for the purpose of routing bribes.

Lack of adequate internal controls is the most common issue for companies that have landed in trouble with the government (see the sidebar “Control Failures: 2 Examples”). In a majority of these matters, the SEC also alleged control violations, with some companies appearing to have no controls at all. Within this context, a variety of control weaknesses were cited, including:

  • Lack of understanding of FCPA compliance;
  • Lack of training of employees on FCPA regulations, including a failure to translate certain anti-corruption training materials into subsidiary employees’ local language;
  • No program to monitor employee compliance with FCPA regulations;
  • Lack of, or inadequate, due diligence regarding third-party agents, and a lack of oversight over foreign agents;
  • Lack of due diligence into internal accounting controls and anti-corruption compliance programs during an acquisition;
  • Lack of management authorization for transactions;
  • Failure to follow up on FCPA red flags; and
  • Absence of independent compliance staff or an internal audit function to intervene and take remedial actions upon detection of questionable behavior.


Companies, both public and privately held, should conduct a thorough risk assessment and identify potential corruption risks and fraud schemes based upon the nature of the business and locations. Data analytics tools can also be used to analyze both quantitative and qualitative fraud and corruption risks so that controls can be enhanced.

Quantitative analyses include assessing financial information, such as general ledger detail, disbursements data, and sales information. Qualitative analyses include assessing non-numeric data to identify potential corruption, such as reviewing terminated vendors and results from previous internal audits or investigations to determine if the company conducts business with certain individuals or entities that are prohibited from doing business with the company.

Our analysis of prior enforcement actions can help inform companies about particular risk categories. Using data analytics and performing timely analysis of transactions against risk criteria is essential in implementing an effective FCPA compliance program.

Companies may consider employing various data analytics tools such as SQL, R, Tableau, and Python (including TensorFlow, Keras, and scikit-learn packages) to develop risk-based approaches to monitor transactions and assess potential compliance issues on both a proactive and reactive basis. This involves the determination and aggregation of relevant data sources, identification of key variables, and iterative modeling of variables to assist in the enhancement of existing compliance programs and aid in the use of visual tools and dynamic interfaces to provide clear and compelling insights as part of investigations. Whatever approach companies use, transaction monitoring programs are often fundamental to implementing effective anti-corruption compliance programs.

In addition to analyzing financial and nonfinancial data, companies can take steps to ensure their compliance program is strong and effective. The FCPA manual issued by the DOJ and SEC in November 2012 is a useful reference. An important hallmark of a quality compliance program is when senior leadership creates a culture of compliance that demonstrably trickles down from the boardroom to the supply room, covering all employees as well as third-party partners. The goal is to develop expectations for compliance and ethics, and related policies and procedures that are universally understood and strictly followed across the entire organization, including foreign locations. This can be done, in part, through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.

Regularly updated risk assessments are another crucial step for developing and maintaining an effective compliance program. Factors cited by the SEC/DOJ guidance include the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.

As discussed in the manual, stringent monitoring of third parties and partnerships is vital to curbing fraudulent activity by outside vendors. Such monitoring could include evaluating the third party’s reputation and relationship with foreign officials and assessing the payment structure to ensure it is equitable and will not be siphoned off to fund corrupt activity.

Companies must conduct internal investigations and implement confidential reporting mechanisms that allow employees to anonymously report allegations of corruption, and violators of compliance programs should face serious repercussions for breaching the company’s policies and procedures. In contrast, companies should consider ways to incentivize and reward compliant behavior. For instance, the manual recommends incentives such as promotions and rewards for “improving and developing a company’s compliance program and for ethics and compliance leadership.” (The SEC and DOJ also encourage organizations to pursue compliance by voluntarily reporting violations, as discussed in the sidebar “Self-Reporting: Risks and Potential Benefits.”)

Finally, a compliance program cannot remain effective if it stagnates or becomes outdated. Thus, it is crucial that companies regularly assess the design of controls and monitor their operating effectiveness to uncover deficiencies and make enhancements as needed. Special attention should be paid when engaging in acquisitions, ensuring appropriate due diligence is done.

FCPA accounting provisions and sanctions for violations

The FCPA contains specific provisions that the SEC typically uses to prosecute companies and executives who participate in illegal acts, and it’s important to understand the types of sanctions that can be obtained for violations.

The FCPA has both bribery- and accounting-related provisions. The bribery provisions prohibit a company from bribing a “foreign official” or a politician for the purpose of influencing his or her official actions for the advantage of the company. A “government official” is potentially a very broad group in some countries, including, for example, medical personnel in a national health system. The accounting provisions — Sections 13(b)(2)(A) and 13(b)(2)(B) of the Securities Exchange Act — require “issuers to maintain accurate books and records and have a system of internal controls sufficient to, among other things, provide reasonable assurances that transactions are executed and assets are accessed and accounted for in accordance with management’s authorization.”

The FCPA can apply to conduct anywhere in the world, and it extends to companies, their officers, directors, and employees, as well as agents. Agents can include various types of third parties, including consultants, distributors, and joint-venture partners. It is important to note that intent is not required as a condition of violating these accounting provisions, and the SEC has initiated enforcement actions involving illegal conduct at a foreign subsidiary of a U.S. multinational company when senior company officials in the United States were unaware of the improper payments. Consequently, it is crucial for legal, compliance, and accounting executives to collectively implement internal controls that are properly designed and operating effectively worldwide and can provide reasonable assurance that illegal conduct will be detected and prevented.

If FCPA violations are found, the sanctions generally involve civil and sometimes criminal enforcement actions against issuers and individuals, often including large disgorgement payments and penalties. Sanctions can also include the imposition of a monitor to oversee remedial efforts.

Control failures: 2 examples

Inadequate controls — or in some cases, a complete lack of controls — often are cited by the SEC in prosecutions of FCPA violations. Here are two examples of FCPA prosecutions and the control failures described by the SEC that it said contributed to the transgressions:

Kinross Gold

Canada-based Kinross Gold Corp. settled an action in 2018 for what the SEC said was a repeated failure to implement adequate accounting controls at two African subsidiaries. According to the SEC, the company acquired the subsidiaries understanding that they lacked anti-corruption compliance programs and internal accounting controls, but it took Kinross Gold almost three years to implement adequate controls.Even after implementing the controls, Kinross Gold failed to maintain them, the SEC reported. The company failed to follow its bidding and tendering procedures when it awarded a lucrative logistics contract to a company preferred by Mauritanian government officials, according to the SEC. The company did not admit or deny the findings but paid a $950,000 penalty.

BHP Billiton

Global resources company BHP Billiton was charged in 2015 with paying for foreign officials to attend the 2008 Olympic Games in Beijing while they were in a position to help the company with its business or regulatory endeavors.

According to the SEC, the company failed to provide employees with training on how to complete hospitality application forms or evaluate bribery risks presented by the invitation to the Olympics. In addition, the company did not clearly communicate to employees submitting hospitality application forms that no one outside the business unit submitting the application would review the invitations to the Olympics, the SEC reported. The company paid a $25 million penalty but did not admit or deny the SEC’s findings.

— By Ken Tysiac

Self-reporting: Risks and potential benefits

In recent years, the DOJ and SEC have been encouraging organizations, both private and public, that fall under the FCPA to self-report corruption violations in exchange for reduced fines and penalties, which can range from a nonprosecution agreement (NPA) to a deferred prosecution agreement (DPA) to a felony plea.

The top benefits for self-reporting are obvious — it could result in a declination or otherwise limit the company’s civil and criminal exposure and reduce monetary penalties. While this might sound like an easy decision, there are downside risks associated with self-reporting that companies, in conjunction with their legal counsel, should consider before moving forward with voluntary disclosure.

For instance, the initiation of a government investigation may require disclosure in SEC filings, making the issue public and potentially damaging the organization’s reputation and brand. Self-reporting and cooperation do not guarantee that the company will not have to spend substantial funds responding to a government investigation or that the matter will be dropped.

Finally, if an enforcement action is brought, it may be difficult to measure how much self-reporting and cooperation credit a company actually received. Ultimately, the decision to self-disclose potential corrupt behavior is a business decision for each public and private company operating under the FCPA umbrella to make. Thus, it is recommended that organizations seek the advice of outside and/or in-house counsel before deciding whether to take the self-reporting path.

Membership in the Forensic and Valuation Services (FVS) Section provides access to numerous specialized resources in the forensic and valuation services discipline areas, including practice guides, and exclusive member discounts for products and events. Visit the FVS Center at aicpa.org/FVS. Members with a specialization in financial forensics may be interested in applying for the Certified in Financial Forensics (CFF) credential. Information about the CFF credential is available at aicpa.org/CFF.