Soon after the U.S. Department of Justice unsealed the indictments of 14 officials from FIFA, soccer’s international governing body, on charges of wire fraud, racketeering and money laundering, it became clear that the scandal is likely to be one of the highest-profile corruption cases in sports history. Not only does it involve charges that at least $150 million in corrupt payments were made to FIFA officials, but it is centered on a sport that is followed avidly by more than two billion fans around the world. Preparation and hosting of FIFA World Cup tournaments typically lead to billions of dollars of infrastructure expenditures and can have a dramatic impact on local economies.For those in risk management, audit or compliance, however, the FIFA scandal is not particularly surprising. The risks of a failure to comply with legislation, such as the Foreign Corrupt Practices Act or the U.K. Bribery Act, have been well recognized, with large fines and penalties regularly imposed by regulatory authorities. While acts of corporate bribery, fraud and corruption are nothing new, FIFA has sustained massive damage to its credibility and reputation worldwide. What can other organizations do to ensure they are minimizing the risk of suffering similar damage?
Determining the Effectiveness of Internal Controls
In the opening pages of FIFA’s 2013 financial report, under a photo of beleaguered FIFA President Sepp Blatter, it prominently states: “We have reached very high levels of accountability, transparency and financial control.” Given the current charges, this statement seems ironic, but assuming that FIFA actually has a good system of internal controls for all of its operational and financial systems, how did this scandal come to be? Something was obviously amiss in FIFA’s governance, risk management and compliance policies.
One of the greatest challenges for risk managers and auditors can be dealing with ethical failures and criminal behavior among senior management. The FIFA scandal is a reminder that companies can have the best mechanisms for addressing nearly all of their operational and financial risks and still manage to overlook high-level internal corruption.
Getting Serious About Corruption
Another issue risk managers should be aware of is the shifting perception of bribery and corruption in the business world. A few decades ago, bribes and corrupt payments were the norm in many industries and countries. The United States took the lead in changing the status quo by enforcing the Foreign Corrupt Practices Act and imposing large fines on high-profile companies. The recent FIFA arrests are further evidence of its willingness to stamp out corrupt practices.
The United States is not the only nation to get serious about corruption. In China, for example, where bribery and corruption among senior government officials were rampant for decades, the general secretary of the Communist Party began a far-reaching campaign against corruption over the past two years, ultimately leading to dire penalties for many high-ranking officials.
Globally, there appears to be growing recognition that corruption causes real net damage to society. Rather than being viewed as the grease that oils the wheels of commerce, there is more widespread understanding that only individuals in privileged positions benefit from bribery. For example, when a country bribes its way into a contract to host a global sporting event when it is clearly not the best choice to do so, or a developer known for using inferior materials wins a contract to build key infrastructure for a developing country, the only people who win in the long term are those making or receiving the pay-offs.
In a corporate context, this is where the “tone at the top” can have a huge impact. If the culture is one in which the CEO, CFO and their colleagues make it clear that bribery is not a tolerated business practice and that ethics matter, then the risks of bribery occurring are almost always reduced.
Of course, there will continue to be corporations willing to accept the risks that come with bribery. It may not be ethical, but from a business perspective, the repercussions of failing to comply with anti-bribery regulations may seem like a reasonable bet to make for executives with large appetites for risk. While only a limited number of individuals are likely willing to make this bet, some results-driven corporate leaders will no doubt be tempted, particularly where it involves the potential for personal gain. The challenge for risk managers in these organizations is to understand where these risks are highest, and then to make sure the risks are properly assessed and decisions are made accordingly.
The Role of an Auditor
The FIFA scandal does raise a particular issue for auditors. The fact that FIFA’s external auditor issued a clean opinion on the organization’s financial statements continues to raise questions. Should the external auditor have been expected to detect corporate officials accepting $150 million in bribes over a period of many years? Should they have been able to detect a suspect $10 million payment by FIFA in relation to South Africa’s hosting of the World Cup?
These issues are similar to many others relating to the role of the external auditor in detecting various forms of fraud beyond those that materially impact the integrity of financial statements. In practice, the receipt of bribes by executives is a lot harder to detect than payments, even though the latter usually requires the extensive use of monitoring technology to identify at all.
And what about internal auditors and compliance specialists—should they also be expected to detect corrupt payments and receipt of bribes? The answer is presumably no different than when asking about any activity that interferes with an organization achieving its objectives. The challenge is to effectively assess the risks and then determine if they are well managed. The risks stemming from bribery and corruption, as well as how they rank compared to other risks, can vary greatly from one organization to another, and this should also be reflected in the risk assessment process.