railway3


Reviewing and Improving the Programme

This section provides guidance in relation to the requirement that an organisation should review and improve the anti-corruption programme in order to ensure that the programme is adequate to manage effectively the corruption risks faced by the organisation, and is being effectively implemented (Measure 17 of the Anti-Corruption Programme for Organisations).

The organisation should determine the most appropriate manner to carry out this review and improvement, but the most effective method is probably likely to be a combination of:

  • On-going compliance manager review and improvement
  • Periodic internal audit and
  • Annual board review.

These are examined below.

(1) Compliance manager review and improvement

(1.1) On-going review

  • The compliance manager should monitor and assess on an on-going basis whether the anti-corruption programme is:
    • adequate to manage effectively the corruption risks faced by the organisation; and
    • being effectively implemented.
  • In doing so, the compliance manager should take account of
    • the compliance manager’s own observations; and
    • any weaknesses, deficiencies or recommendations for improvement in the programme which have been identified by others, for example internal audit (see section 2 below), personnel reports, or the board review (see section 3 below).
  • The two key areas of weakness or deficiency are likely to be:
    • in the actual procedures (e.g. if they do not effectively deal with an assessed risk); and
    • in implementation (where the procedures would deal effectively with an assessed risk, but a relevant manager(s) is not implementing the procedures properly).
  • This on-going review is similar to the on-going review by any manager of her/his functional responsibility.  For example, a finance director should constantly monitor the financial issues facing the organisation, and question and check that the organisation’s procedures are adequate to deal with the organisation’s financial risks and requirements (e.g. controls over payments to business associates and personnel; controls over capital expenditure; ensuring that transactions are properly recorded in the accounts; ensuring that the annual financial audit is carried out properly and on time).  Compliance responsibilities are similar, in that the compliance manager needs to constantly monitor the corruption risks facing the organisation, and constantly question whether the procedures of the organisation are effective to deal with these risks and are being properly implemented.
  • The compliance manager needs to determine how best to carry out this on-going review.  It is relatively easy for the compliance manager to monitor and assess on an on-going basis the adequacy and implementation of  measures which are under the compliance manager’s direct control (e.g. if the compliance manager under the organisation’s structure is responsible for preparing risk assessments, providing training and maintaining the gifts register).  It is more difficult for the compliance manager to monitor and assess the adequacy and implementation of measures which are under the control of other functions. For example if the procurement department manages the corruption risks in relation to procurement, the compliance manager needs to take reasonable steps to ensure that the procurement department is properly implementing adequate controls.  For example, the compliance manager may discuss the relevant procurement risks and procedures periodically in management meetings with the procurement manager, and may receive copies of key assessments of high risk suppliers.  It is not the intention that the compliance manager should duplicate the procurement manager’s responsibilities – merely that the compliance manager needs to take reasonable steps, on an on-going basis, to ensure that the procurement department is effectively implementing these controls and that the controls are adequate to manage effectively the corruption risks facing the procurement department.  The compliance manager should review, on a similar basis, the anti-corruption measures which are under the control of other departments.
  • The compliance manager’s on-going review will be assisted by the internal audit (see section 2 below).  In particular, the compliance and internal audit functions (if they are different functions) should liaise so as to ensure that their actions are complementary and are not unnecessarily duplicatory.

(1.2) Reporting to the board

  • The compliance manager should provide a written report to the board on the adequacy and implementation of the anti-corruption programme:
    • as soon as possible in the event of any material breach or weakness being  identified; and
    • at agreed periods (at least annually).
  • The periodic report by the compliance manager to the board could include the following elements (in summary format):
    • Routine actions taken during the reporting period as part of the programme.  For example:
      • Training provided
      • Risk assessments and due diligence undertaken
    • Any reports received from personnel or third parties of suspected or actual corruption.
    • Any investigations of suspected or actual corruption undertaken and outcomes.
    • An overview of whether the anti-corruption programme seems to be operating effectively. 
    • Any weaknesses identified in the anti-corruption programme or its implementation.
    • Any improvements to the programme or its implementation which are recommended or which have been put in place during the year (with assessed timings when these actions are not yet complete).

(1.3) Implementing improvements

  • Based on the above review and reports, the compliance manager should oversee the implementation as soon as possible of necessary or desirable improvements to the programme designed to rectify any identified deficiencies or weaknesses.
  • Depending on the structure of the organisation, and on the level of authority delegated by the board to the compliance manager, the compliance manager may or may not need approval of proposed improvements by another manager or by the board.
  • The compliance manager should ensure that improvements to specific aspects do not reduce in any way the overall effectiveness of the anti-corruption programme.

(2) Internal audit

(2.1) Periodic audit

  • The organisation should implement a periodic internal audit to check projects, contracts and systems, on an appropriate sample basis, for any indication of corruption or breach of the anti-corruption programme.  This is a form of internal verification that the organisation’s procedures are working effectively.
  • This requirement for internal audit does not mean that an organisation must have its own separate full-time internal audit function. It requires the organisation to appoint a suitable function or person with responsibility to undertake this audit. This responsibility could be part time, and could be combined with other functions.  The person undertaking the internal audit will normally be a manager of the organisation, but an appropriate third party could be appointed to undertake the task.
  • The purpose of the internal compliance audits is to check projects, contracts and systems, on an appropriate sample basis, for:
    • corruption, or suspicion of corruption;
    • non-compliance with the anti-corruption policy or anti-corruption programme;
    • failure of other organisations over which the organisation has control, or of relevant business associates, to implement appropriate anti-corruption measures; and
    • weaknesses in or scope for improvement to the anti-corruption programme.
  • To ensure the objectivity and impartiality of the audit, the organisation should as far as reasonable ensure that the audit is undertaken by:
    • an independent function or person within the organisation established or appointed for this process; or
    • the compliance manager (unless it is the compliance manager’s own actions which are being audited); or
    • an appropriate person from a department or function other than the one being audited; or
    • an appropriate third party; or
    • a group comprising any the above.
  • The process should ensure that no auditor is auditing her/his own work.
  • The audit programme should be planned periodically (probably annually) taking into consideration the risk and importance of the processes and areas to be audited, and the results of previous audits. For example, a high-risk project, or one which has suffered previous concerns, would normally be selected for audit in priority to a low-risk project.
  • The audits could be on an appropriate sample basis each year, with the intention that all projects, contracts, procedures, controls and systems are audited at least once every [three] years.
  • By way of example, an internal audit on a project may take the following steps:
    • Identify all sub-contractors appointed on the project, and their scope of work, contract value and location. 
    • Select from this list a sample of [five] sub-contractors which could in principle pose a corruption risk (e.g. due to their scope of work, contract value and location). 
    • In respect of these sample sub-contractors, take reasonable steps to verify:
      • whether the organisation’s due diligence procedures were properly followed prior to appointing these sub-contractors, and whether any red flags were appropriately dealt with;
      • whether the sub-contractors were properly appointed in accordance with the organisation’s procurement and approval procedures;
      • whether there are any possible inappropriate links between these sub-contractors and the organisation’s personnel or clients or relevant public officials;
      • whether the contracts with these sub-contractors contain anti-corruption commitments;
      • whether the contract value of these sub-contracts appears to constitute reasonable value for legitimate services;
      • whether the sub-contractors appear to have properly complied with their contractual obligations.
  • The audit of these sub-contracts is not meant to be a full forensic audit studying every document and process, but rather an overview audit, sampling specific issues.  It is designed to identify as far as reasonable any breach of the organisation’s anti-corruption procedures, or any possible corruption.  It also acts as a deterrent to any potentially corrupt personnel (as they will be aware that their project or department could be selected for audit).
  • The audit need not be a specific anti-corruption audit.  The audit can combine a number of checks of different processes.  For example, it could check at the same time compliance with financial, procurement, project management and anti-corruption procedures.
  • On completion of an audit, the auditor should prepare a written audit report, summarising the areas audited, any significant matters identified, any non-conformances or issues observed, and any recommended improvements or actions.
  • Where the compliance manager does not undertake the audits, copies of the audit reports, as soon as they are completed, should be provided to the compliance manager.

(2.2) Reporting to the board

  • The written audit reports, as soon as they are completed, should be provided to the board by the audit function.
  • The intention of the audit reports to the board should be:
    • to provide reasonable assurance to the board that the anti-corruption policy and anti-corruption programme have been implemented and are operating effectively; and
    • to notify the board of any concerns identified.

(3) Board review

  • As part of the board’s overall responsibility to ensure the continuing effectiveness of the anti-corruption programme, the board should review the scope and implementation of the anti-corruption programme:
    • at least annually,
    • when major changes to the organisation’s activities or structure take place; and
    • when material weaknesses or deficiencies in the programme are reported to it.
  • The board review should be based on:
    • the compliance manager’s review and reports (section 1 above);
    • internal audit reports (section 2 above);
    • personnel reports; and
    • breaches / incidents and control weaknesses that have been identified.
  • The board should ensure that any weaknesses identified in the anti-corruption programme are rectified and any necessary improvements are implemented as soon as possible.

Implementation checklist for Measure 17

  1. The organisation should determine what process should be put in place to review and improve the anti-corruption programme.  For example (as per above guidance):
    • on-going compliance manager review and improvement
    • periodic internal audit, and
    • annual board review.
  2. The organisation should determine the details and timings of such reviews.  For example:
    • what aspects should be reviewed by the compliance manager, in what detail, and how frequently;
    • what aspects should be reviewed by the internal audit, in what detail, and how frequently; and
    • the content and timing of the annual board review.
  3. The organisation should implement the review process.
  4. The compliance manager should carry out the ongoing review and improvement of the programme, and make written reports to the board, as required by the review and improvement process.
  5. The internal audit process should be implemented.  This could comprise the following steps:
    • The organisation should identify from its Organisation Anti-Corruption Risk Assessment its areas of corruption risk, and from this it should plan the audit for the year.  This will normally be a sample of projects, contracts and processes.  Focus should be on the higher risk areas.
    • The organisation should appoint a suitable person(s) to undertake the audit.
    • The auditor should undertake the audit. 
    • The auditor should report to the compliance manager or board any lack of co-operation with the audit by any personnel, so that co-operation can be required.
    • The auditor should prepare a written report on the audit, and send the report to the board with a copy to the compliance manager.
    • The board should ensure that any issues identified and actions recommended are dealt with appropriately.
    • A repeat audit may be necessary on any area shown by the audit to have a material weakness in order to ensure that the weakness has been satisfactorily rectified.
    • The process should be repeated at least annually, selecting a different sample of projects, contracts and processes.
  6. The board should:
    • review the compliance manager’s report, internal audit report and other relevant matters at the times required by the programme, and
    • ensure that appropriate actions are taken to:
      • deal with and rectify any breaches, weaknesses or deficiencies identified, and
      • implement appropriate improvements to the programme.

Updated on 10th April 2020

© GIACC