Auditing for Conflicts of Interest
Does your company’s C&E audit plan sufficiently address COIs? Most companies presumably have some COI-related auditing, but far fewer deal with this important C&E area in a systematic way.
As with other C&E-related areas, COI-directed audits tend to fall largely into a “substance” bucket and a “process” one.
The former includes (but is by no means limited to) certain measures that are necessary for all companies – such as examining T&E records of corporate officers and other key individuals. It should also include auditing based on industry-related COI laws and regulations (e.g., in health care/life science, government contracting or financial services), as well as cross-industry areas of legal risk (such as FCPA).
Of course, for companies with a risk of organizational conflicts there is a host of audit measures one might take. Perhaps less obviously, where companies face significant risks of causing third-party COIs, that too should be audited.
The latter type of audit measures (for process) would look at COI-related:
– Risk assessment processes. Are they well designed? Are they being followed? Is the information from the process being fully used to inform other aspects of the C&E program?
– Policies and communications. Are the standards clear? Is there a training and communications plan around COIs? What is employee understanding of applicable standards?
– Procedures around disclosure, review and management. As with other audit areas, this part of the effort would look at both design and operation — and also focus on the sufficiency of documentation.
– Accountabilities. This includes both administrative accountability and discipline for violations (including the culpable failure by managers to prevent and detect violations by others).
Finally, political and charitable contributions should, for some companies, be reviewed, not only for COIs but also for the related issues of moral hazard or bias.