The FIFA Scandal: Five Lessons for Internal Audit

The global soccer community was rocked this past week when the U.S. Department of Justice (DOJ) announced charges and arrests for “rampant, systemic, and deep-rooted” corruption by high-ranking members of FIFA, the sport’s global governing body. Using the U.S. Foreign Corrupt Practices Act (FCPA) as its legal hammer, the DOJ outlined in its 47-count indictment a disturbing history of alleged bribes and racketeering by top FIFA officials dating back as far as two decades. It is evident that more troubles lie ahead for the global soccer body, as Swiss officials have announced that they are also investigating potential improprieties.

The relevance of the events of the past week are obvious to our profession, but it goes well beyond an acknowledgement of internal audit’s role in providing assurance on anti-bribery and anti-corruption programs and its role in detecting and deterring fraud and corruption.

Indeed, this unfolding spectacle touches on no less than five significant aspects of the internal audit function, and we can draw a number of lessons from this sad affair.

1.     Internal audit must raise a yellow card when corporate culture creates susceptibility to corruption. It did not take long for fallout from the indictments to reach the top of the FIFA hierarchy with almost immediate calls for the ouster of FIFA President Sepp Blatter. Blatter was reaffirmed as the organization’s president in a Friday vote, and he has said he knew nothing of the alleged corruption.

But allegations of corruption within FIFA were not unheard of before the DOJ indictments, and I have to wonder if they were ever brought to Blatter’s attention. The bottom line is that no organization can afford to practice “willful ignorance” about serious challenges for long without paying a high price.

The lesson for internal audit: A frank and honest analysis of corporate culture must be part of internal audit’s purview, and it must raise its voice when erosion of the culture becomes an organizational risk.

2.     Internal audit must act quickly to address reputational risk. A number of media accounts of the evolving scandal have described long-held concerns about corruption at FIFA. I have no insight into the efforts of FIFA’s internal audit function, but the potential for significant reputational harm should have been identified and brought to management and the board of directors by those charged with providing assurance to management and governance officials.

The lesson for internal audit: The internal audit function cannot afford to allow risks to organizational reputation to go unchallenged.

A secondary lesson is one that FIFA’s sponsors are learning. Reputational risk is not just about your organization. The behavior of the organizations you partner with can impact your reputation, as well.

3.     Internal audit must play a significant role in crisis planning and execution. Internal audit’s role in crises cannot be one of simply grading after the fact how a crisis plan was carried out. Internal audit can and must provide insight into the development of such plans and be consulted even as a crisis is unfolding. Having good communications protocols in place can help an organization mitigate reputational and other potential risks in a crisis. But proper execution of the plan also plays a vital role in its success.

Lesson for internal audit: Internal audit must assess all risks — including the risks of not addressing adversity swiftly and effectively.

4.     Internal audit must stay current with anti-corruption legislation. While the FIFA crackdown was facilitated by the strength of the FCPA, internal audit functions must be cognizant of growing anti-corruption efforts worldwide. This is especially important for businesses that operate globally. The June issue of Internal Auditor magazine offers an excellent article, “Beyond the FCPA”, on the topic.

According to the article, Canada and Brazil each passed anti-bribery legislation in 2013 that aligns more closely to the FCPA and the United Kingdom’s 2010 Bribery Act is even broader in scope. The latter not only penalized the bribe payer, but the bribe receiver, as well.

Lesson for internal audit: Changing legal landscapes in the countries where we do business can develop into risks if the organization does not keep abreast of those changes.

5.     Internal audit must be courageous. It is not hard to imagine that anyone within FIFA charged with assurance on the effectiveness of compliance and controls must have been under great pressure. The issue of courage for heads of audit has been a recurring theme in a number of my blogs.

Lesson for internal audit: Those aspiring to be heads of audit must have the courage to do what needs to be done or say what needs to be said no matter the consequences.

A final thought about the FIFA issue. A quote from FBI Director James Comey widely reported by media struck a chord with me. Comey said, “If you touch our shores with your corrupt enterprise, whether that is through meetings or through using our world-class financial system, you will be held accountable for that corruption.”

FIFA officials deserve the presumption of innocence until proven guilty in a court of law, but Comey’s message is loud and clear. No corruption is acceptable, and nothing is off limits. This may be the most important lesson from the FIFA scandal, and one internal audit must embrace.

As always, I welcome your thoughts.