Internal Control Lessons Learned from Global Anti-Corruption Enforcement in 2024

Introduction

2024 saw another strong year of Foreign Corruption Practices Act (FCPA) enforcement actions from the United States Department of Justice (DOJ) and the Securities and Exchange Commission (SEC). There were 15 resolutions with corporates with net settlement amounts (after various credits and/or deductions) more than doubling in value compared to 2023 (2024: USD 1.3B; 2023: USD 520.4M). 

There are several excellent FCPA enforcement trend reports issued by leading international law firms exploring the legal and compliance takeaways from 2024 enforcement actions. In this article, we take a closer look at the books and records and internal control themes emerging within the 2024 cases based on information published by the DOJ and SEC on FCPA cases.¹ Four themes emerge: 

1. Third-Party Due Diligence
2. Use of Shell Companies
3. Gifts & Entertainment
4. Vendor Payment Controls

Below, we explore these themes from an internal controls and forensic auditing perspective, drawing from our own extensive experience conducting cross-border compliance reviews and investigations to highlight commonplace controls failures and weaknesses that, in the right environment, can allow bribery and corruption continue undetected. 

Third-Party Due Diligence

Third parties are a stalwart of FCPA enforcement, with over 90% of all cases having some connection to the use of third-party actors. Despite the high level of enforcement, this remains unchanged, with over 80% of cases in the last five years still featuring third parties.

In our experience, the use of third parties (and attendant inherent risks) is unlikely to abate. Tuning compliance procedures/internal controls to address third-party risk is a common challenge as many of the procedures (risk assessment, due diligence, commission assessments, business cases, etc.) are based on human judgment. 

While 2024 did see fewer third-party-related actions (5 of 15), the challenges related to due diligence appear to persist. Details shared in the DOJ/SEC actions for all five of those cases imply circumvention or some weakness within the offending corporation’s due diligence procedures. 

In our experience, we frequently see the following due diligence gaps/weaknesses which either render the process ineffective or easy to circumvent:

• Insufficiently risk-based processes or superficial due diligence that does not properly identify or conclude on key risk areas including (but not limited to): the identity of the ultimate controlling entity of the third party, undisclosed relationships between employees and third parties and/or government officials, red flags indicative of the third party being a shell company, or previous criminal or civil penalties for illegal or unethical conduct. 
• Being ill-equipped for “Urgent” or “Extraordinary” circumstances, allowing for undetected circumvention by employees of an otherwise robust due diligence policy. For example, we have seen multiple cases in which operational teams have commenced business relationships with third parties before due diligence is completed (particularly in relation to urgent, high-value opportunities or engagements). In other instances, the results of the due diligence process may not have been carefully considered, reviewed and in some way addressed or mitigated before the business relationship is approved.
• Lack of validation of business assertions used in the due diligence process, i.e., the reasonableness of remuneration structures; track record of the third party, or the actual business need for a third party to be involved in the transaction at all. Without sufficient independent review of the “business case” for using particular third parties, companies leave themselves exposed to the risk of falsified/inaccurate information used to “pass” the due diligence process.

Use of Shell Companies

Shell companies are entities without significant business operations, often used to obscure ownership and financial transactions. While they can have legitimate business purposes, such as holding assets or facilitating mergers, they are frequently misused in corruption schemes. Shell companies featured in three of the five FCPA actions which were connected to third parties. 

The opaque structures of shell companies make it challenging to identify ultimate beneficial owners and the lack of transparency and regulation in certain jurisdictions exacerbates the risk. While the risk of shell companies should be picked up in due diligence procedures, there are additional opportunities to challenge a high-risk payment to a shell company before it is transacted. We commonly see the following weaknesses in vendor onboarding and vendor payment controls which prevent companies from catching these payments before it is too late: 

• Onboarding vendors without seeking proof of business operations, tax identification records, and bank account verification. 
• Onboarding vendors with residential or P.O. box addresses or addresses that do not exist.
• Permitting vendor set-up to third parties in offshore jurisdictions without legitimate justification or in scenarios where the entities’ payment jurisdiction is not relevant to the third party, or the business being undertaken. 
• Weak segregation of duties whereby those charged with processing invoices do not challenge weak or missing evidence of service delivery.

Gifts & Entertainment

In 2024, two organizations were subject to U.S. enforcement actions with reference to gifts and hospitality. Gifts and hospitality are ubiquitous in the world of business, and it is one of the areas in which organizations are typically most confident in their controls. Nevertheless, employees and/or third parties find ways to take advantage of the perceived “grey areas” between acceptable business and societal norms and acts of bribery, and in our experience, the following are common control weaknesses that enable or fail to detect inappropriate activity:

• Failure or inability to assess the totality of hospitality afforded to particular entities or individuals; we often see frequent gifts and entertainment that are within policy thresholds or just under approval limits which, when taken in aggregate, are egregious sums.
• Inappropriate expenditure is concealed through non-descript or vague expense reports, potentially without enough information to gauge the business justification for such expenses; this is a prominent issue in environments in which gifts & entertainment controls rely on self-disclosure. 
• Insufficient supporting documentation/details including beneficiary names and organizations or lack of detailed receipts.
• The mingling of business and entertainment without sufficient oversight; for example, conducting site visits or demonstrations with entertainment that does not go through the appropriate approval process. 
• Business expansions that fail to integrate or adapt controls or to consider cultural context.

Vendor Payment Controls

In 2024, nine organizations were subject to U.S. enforcement resolutions featuring alleged payment control deficiencies, including: 

• Poor/little evidence of service delivery
• Vague or inaccurate service descriptions
• Requests for upfront payment
• Payments to offshore jurisdictions

As part of our corruption investigations and forensic audits, we frequently come across payment controls that are either not designed to address corruption risks or not operating effectively, allowing for the transfer of value out of the business. Elaborating on the themes identified in the FCPA enforcement actions, specific examples of the weak payment controls we have observed include:

• Insufficiently risk-based payment approval matrices, with no escalation or distinction in process for high-risk transactions (e.g., consulting and agent fees, upfront/urgent payments, payments in cash, and payments to offshore jurisdictions). 
• Weak link(s) in the “three-way-check” system which seeks to validate that contracted services, invoiced services, and proof of service delivery are all aligned before issuing payment; we frequently see instances in which vague language / insufficient details are attendant in one of those three areas in relation to problematic payments.
• Those responsible for processing vendor payments lack authority, risk awareness, and business insight to adequately verify/challenge red flags related to inadequate business purpose, changes to business terms, or urgent payments.
• Lack of segregation of duties between payment request, approval, final payment, and posting to the accounts. This is particularly acute when team compositions change due to resignations or layoffs, approvals in expense systems may lag or be automatically transferred to remaining employees. Similarly, there is a risk that employees may be colluding as part of a scheme to evade controls, with payment approval requests being routed to specific managers when conducting improper activities. 

Looking Ahead to 2025

In conclusion, the lessons learned from the global anti-corruption enforcement landscape in 2024 underscore the critical need for robust internal controls. As companies navigate the complexities of evolving regulatory environments and potential geopolitical shifts resulting from 2024’s landmark year of elections and regime change across the globe, a proactive approach to strengthening internal controls, particularly around third-party due diligence, use of shell companies, gifts and entertainment, and payment processes, will be vital. 

For more information about Ankura’s Investigation and Forensic Accounting practice and how we help assess control frameworks or investigate red-flag activities, please contact: Lorynn Demetriades, Jonathan Brown, Bernie Woolfley, or Jean-Michel Ferat.

^{1 We recognize that other enforcement agencies around the globe, including the UK's Serious Fraud Office (SFO), France's Parquet National Financier (PNF), Switzerland’s Office of the Attorney General (AOG) and Germany's various state prosecutors have, over the course of 2024, demonstrated growing appetite for pursuing corporate corruption, either independently or in cooperation with the DOJ. However, the U.S. remains the most dominant in terms of enforcement and their actions include well-documented filings and settlements as to the underlying conduct.} 
 

Sign up to receive all the latest insights from Ankura. Subscribe now

^{© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.}