Auditing Bribery and Conflicts of Interest

The FCPA operates through two distinct mechanisms. The anti-bribery provisions target the act of paying or offering anything of value to a foreign official to obtain or retain business or a business advantage. Liability attaches to US issuers (companies listed on US exchanges), US domestic concerns (any US citizen, national, or entity), and, in some circumstances, foreign nationals and entities acting within the United States. The accounting provisions apply only to issuers and require accurate book-keeping and a system of internal controls, regardless of whether any bribery occurred. Companies have been penalised under the accounting provisions for record-keeping failures even when no improper payment was proven.

The UK Bribery Act 2010 is structured differently. Section 1 creates an offence of paying bribes; Section 2 creates an offence of receiving bribes; Section 6 specifically addresses bribing a foreign public official; and Section 7 creates the corporate offence of failure to prevent bribery. Section 7 has no intent requirement: a company is guilty if a person associated with it pays a bribe to obtain or retain business for the company, unless the company proves adequate procedures were in place. The UK Ministry of Justice guidance on adequate procedures identifies six principles: proportionate procedures, top-level commitment, risk assessment, due diligence, communication and training, and monitoring and review.

The OECD Anti-Bribery Convention requires signatory states to criminalise the bribery of foreign public officials and to apply effective, proportionate, and dissuasive sanctions. The Convention has been implemented through domestic legislation in 44 countries, including Germany (Section 334 StGB), France (Sapin II law of 2016), Brazil (Clean Company Act of 2013), and Australia (Criminal Code Act). Forensic auditors working across jurisdictions must identify which statute applies to the entity under review: a subsidiary of a US issuer is subject to the FCPA's accounting provisions; a UK company with operations in Germany may face both UK Bribery Act and German criminal liability.

Bribery schemes leave patterns in financial records because the corrupt payment must flow somewhere. The payment may be disguised as a commission to an agent, an entertainment expense, a consulting fee, a gift, or a donation. The auditor's task is to identify transactions where the stated purpose is inconsistent with the amount, the timing, the counterparty, or the business context.

• Payments to agents shortly before or after a contract award: commissions that spike at contract-award dates, particularly in jurisdictions known for public-sector corruption, are a primary indicator.
• Vague service descriptions: invoices that describe services as 'consulting', 'business development', or 'market access' without specifying deliverables warrant scrutiny, particularly when the fee is a percentage of contract value.
• Payments to entities in high-risk or secrecy jurisdictions: intermediary payments routed through shell companies in jurisdictions with strong bank secrecy laws, without a legitimate business reason, are a structural red flag.
• Entertainment and hospitality expenses lacking business purpose documentation: expenses for travel, hotels, meals, or gifts where the guest list includes government officials or their families, and where no business purpose is documented, trigger both FCPA and UK Bribery Act concerns.
• Contracts awarded without competitive tender: sole-source awards that are recurring, that involve the same official at the counterparty, or that lack an adequate written justification are procurement-level red flags.
• Round-number or split payments below approval thresholds: payments structured to remain just under an approval or reporting threshold suggest deliberate circumvention of controls.

Red flags are indicators, not proof. A commission paid to an agent before a contract award may be entirely proper if the agent's role is documented, the fee is proportionate to the service, and the agent has no connection to the awarding official. The auditor's job is to test whether a satisfactory explanation exists, not to presume guilt from a statistical pattern.

Most large bribery enforcement actions involve a third-party intermediary: an agent, distributor, joint-venture partner, or consultant who makes the improper payment on the company's behalf. Both the FCPA and the UK Bribery Act impose liability on the principal for payments made through third parties, subject to knowledge or wilful blindness (FCPA) or strict liability with an adequate-procedures defence (UK Bribery Act). The response to this risk is a structured due-diligence programme applied before engaging a third party and on a periodic basis throughout the relationship.

A standard third-party due-diligence process includes five elements. First, identification and ownership verification: confirm the legal name, registration number, jurisdiction of incorporation, and ultimate beneficial ownership of the third party. Shell companies with opaque ownership structures are a risk indicator. Second, PEP and sanctions screening: check the third party and its principals against PEP lists, government sanctions lists (OFAC, HM Treasury, EU consolidated list), and debarment registers. Third, reputation and media review: search for adverse media, legal proceedings, regulatory actions, and industry reputation. Fourth, commercial justification: confirm that the services the third party is to provide are real, that the fee is proportionate, and that the third party has the capacity and expertise to deliver. Fifth, contractual protections: ensure the agreement includes anti-bribery representations and warranties, audit rights, and a right of termination on bribery-related grounds.

In a forensic audit context, the auditor reviewing an existing third-party relationship will examine historical due-diligence files to assess what was done at the time of engagement and whether the programme was adequate. Where records are incomplete or the due-diligence process was cursory, this becomes evidence of control failure that may itself constitute a violation of the FCPA's accounting provisions or the UK Bribery Act's adequate-procedures standard.

A conflict of interest does not require a payment. An employee who approves invoices from a supplier in which they hold shares has a conflict of interest even if the invoices are priced at market rate and the work is done properly. The conflict is the undisclosed private interest that could compromise objective decision-making. Most organisations manage conflict-of-interest risk through a combination of disclosure requirements (employees must declare interests that could conflict with their duties) and structural controls (conflicted individuals are excluded from relevant decisions).

The forensic auditor tests conflict-of-interest controls by: reviewing the completeness and currency of the organisation's conflict-of-interest register, cross-referencing disclosed interests against vendor master files and counterparty lists to identify undisclosed relationships, examining approval records for transactions involving counterparties related to decision-makers, and interviewing department heads and procurement officers about their awareness of the disclosure requirement. In public sector settings, declarations of interest are often statutory and may be publicly accessible, allowing the auditor to compare filed declarations against procurement records.

Related-party transaction review is a closely connected procedure. Accounting standards (IFRS IAS 24, US GAAP ASC 850) require disclosure of transactions with related parties, meaning entities or individuals with the ability to influence management or that are influenced by the reporting entity. The forensic auditor examines whether the organisation's related-party identification process is rigorous, whether disclosed transactions are on arm's-length terms, and whether undisclosed relationships exist. Common undisclosed relationships include: a director's spouse owning a supplier, a procurement officer holding a financial interest in a distributor, or a senior executive receiving consulting fees from a company that also pays their employer.

A bribery and conflict-of-interest audit is structured as a fraud examination: it begins with a predication event, proceeds through planning and risk assessment, and moves into evidence gathering that combines document review, data analytics, and interviews. The predication and engagement planning phase establishes the scope of the inquiry, the jurisdictions involved, and the specific schemes under investigation.

• Document review: procurement files, contract award records, payment vouchers, expense reports, agent agreements, due-diligence files, and email correspondence. Email review, using keyword searches around payment amounts, agent names, and official names, frequently surfaces explicit communications about improper payments.
• Transaction analysis: extract and analyse all payments to agents, consultants, and other intermediaries over the audit period. Flag payments with suspicious timing (preceding contract awards), suspicious amounts (percentages of contract values), or unusual approval patterns (bypassed controls).
• Vendor master review: identify vendors with incomplete registration information, shared addresses with employees, recent registration dates relative to contract awards, or names that match politically exposed persons or their associates.
• Interviews: structured interviews with procurement officers, finance staff, and relevant business personnel to understand the commercial context for flagged transactions. Interviews of witnesses should precede interviews of subjects.
• Asset tracing: where funds are suspected of being diverted as bribes, trace payment flows through bank records, cross-border wire transfer records, and corporate registry filings to identify ultimate recipients.

Evidence gathered in a bribery audit may be used in civil proceedings, regulatory enforcement actions, or criminal prosecutions. The chain of custody for documents must be maintained from collection through review and reporting. Digital evidence, including emails, accounting system exports, and electronic approvals, should be collected using forensically sound methods to preserve metadata and ensure admissibility. Standards for digital evidence collection vary by jurisdiction: the UK relies on the ACPO (now National Cyber Security Centre) guidelines; Indian proceedings apply the Bharatiya Sakshya Adhiniyam 2023, which addresses electronic evidence and admissibility requirements.

A finding of bribery or conflict-of-interest fraud almost always reflects a control failure as well as a human failure. The forensic auditor therefore evaluates not only the scheme itself but the controls that should have prevented or detected it. Under the FCPA's accounting provisions, a control failure at an issuer can independently trigger enforcement action; under the UK Bribery Act's adequate-procedures standard, the strength of the compliance programme determines whether the corporate offence is established.

Control assessment in this context covers: whether an anti-bribery policy exists and has been communicated to relevant personnel, whether the gifts and hospitality register is maintained and reviewed, whether the third-party due-diligence programme is proportionate to the risk, whether approval thresholds for entertainment and agent commissions are calibrated to the business's risk profile, whether the conflict-of-interest disclosure process is operating, and whether the internal audit or compliance function independently tests these controls. The six principles set out in the UK Ministry of Justice guidance on adequate procedures provide a useful framework for structuring this assessment.

Where a compliance programme is found to be inadequate, the forensic auditor's report should distinguish between design gaps (the control was never implemented) and operating gaps (the control was designed but not followed). This distinction matters for remediation: a design gap requires policy development and system changes, while an operating gap may indicate cultural or supervisory failures that require a different response. Both types of gap are relevant to regulators assessing whether to pursue enforcement and what credit to give for compliance efforts.