Anti-corruption compliance is no longer just a legal department concern. Since the strengthening of regulatory frameworks globally—from the US Foreign Corrupt Practices Act (FCPA) to France’s Sapin II law and similar EU directives—companies operating internationally must implement systematic operational measures for corruption prevention and detection.
The risk has become tangible. The US Department of Justice and SEC collected over $1.28 billion in FCPA penalties in 2024 alone. In France, the Anti-Corruption Agency (AFA) has conducted 165 compliance audits since 2017, including 10 initial audits in 2024 alone. The question is no longer “should we comply?” but “how can we automate controls within existing systems?”
The ERP, given its central role in procurement, accounting, and vendor management processes, represents the natural lever for industrializing compliance. This article details legal obligations, five automatable controls within an ERP system, and available market solutions.
FCPA and EU Anti-Corruption Laws in 2026: Concrete Legal Requirements
The US Foreign Corrupt Practices Act (FCPA): Extraterritorial Reach
The FCPA applies far beyond US companies. Any entity listed on US exchanges, conducting transactions in USD, or maintaining a US subsidiary falls under US jurisdiction. The penalties are massive: Airbus paid €3.6 billion in 2020 in a global settlement with French, British, and American authorities—the largest anti-corruption settlement in history.
For European companies operating internationally, FCPA exposure is often underestimated. A single USD payment, or a contract involving intermediaries in countries rated high-risk by Transparency International’s Corruption Perception Index (whose global average dropped to 42/100 in 2025), is enough to put the company on the DOJ’s radar.
France’s Sapin II Law: A European Reference Framework
France’s Sapin II law (December 9, 2016) requires companies with over 500 employees or €100M annual revenue to implement eight structured anti-corruption measures:
- Code of conduct integrated into company regulations, defining prohibited behaviors with sector-specific concrete cases.
- Internal whistleblowing system allowing confidential reporting of corruption facts, reinforced by the Waserman law (March 21, 2022) transposing EU directive 2019/1937.
- Risk mapping of corruption exposure, regularly updated, prioritizing risks by business process and geographical zone.
- Third-party evaluation (due diligence on suppliers, clients, commercial agents) with screening proportional to risk level.
- Internal and external accounting controls to detect anomalies potentially masking corruption.
- Training for executives and personnel most exposed to risks.
- Disciplinary regime enabling sanctions for code of conduct violations.
- Internal monitoring and evaluation of the system—the “control of controls.”
Similar frameworks exist across the EU, with the directive 2019/1937 on whistleblower protection establishing minimum standards across member states.
Escalating Enforcement Actions
Regulatory enforcement has intensified. Beyond the record FCPA penalties, European authorities are stepping up enforcement. The French AFA reported an 83% increase in internal reports, reaching 802 in 2024. For internationally operating companies, compliance failures now carry existential financial risks.
5 Automatable Anti-Corruption Controls in ERP Systems
The ERP doesn’t replace a compliance program—it operationalizes it. Here are five controls every modern ERP can and should automate.
1. Third-Party Screening (KYC / Vendor Due Diligence)
The ERP’s vendor master data serves as the natural starting point for due diligence. The objective: verify every supplier, customer, or intermediary before any transaction.
What the ERP automates:
- Automatic verification against international sanctions lists (EU, OFAC, UK HM Treasury) upon creation or modification of vendor records.
- Integrated risk scoring in vendor master data: composite score based on country location, industry sector, and transaction volume.
- Automatic blocking of purchase orders to non-evaluated or flagged vendors.
Key consideration: regulators expect a “risk-based” evaluation; uniform screening of all vendors is neither required nor realistic. Focus enhanced verification on high-risk parties (commercial agents, intermediaries in sensitive countries, providers of intellectual services).
2. Procurement Controls and Segregation of Duties (SoD)
Segregation of duties represents the number one control audited by regulators. The principle: no individual should be able to initiate, approve, and pay for an expense.
What the ERP automates:
- Configurable SoD matrix with role incompatibilities (requestor ≠ approver ≠ accountant ≠ treasurer).
- Threshold-based approval workflows: below €5,000, N+1 validation; above, dual validation by management + compliance.
- Purchase splitting detection: the ERP identifies multiple orders to the same vendor over short periods, just below approval thresholds—a classic circumvention signal.
Concrete example: An employee creates three purchase orders of €4,800 to the same vendor in one week to avoid the €5,000 threshold. The ERP triggers an automatic alert and blocks the third order pending enhanced validation.
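The splitting check and the SoD matrix from this section as an added Python illustration (not code from the article or from any ERP vendor): the €5,000 threshold and the three-orders-in-a-week scenario come from the text, while the 80% “near threshold” band, the seven-day window, the role names and the sample orders are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from itertools import combinations

APPROVAL_THRESHOLD = 5_000.00  # single-approver limit used in the article
NEAR_THRESHOLD_RATIO = 0.80    # assumed: "just below" = within 20% of the limit
SPLIT_WINDOW_DAYS = 7          # assumed look-back window ("one week")
SPLIT_BLOCK_COUNT = 3          # the third near-threshold order to one vendor is blocked
# Roles that must be held by different people (requestor != approver != accountant != treasurer).
SOD_ROLES = ("requestor", "approver", "accountant", "treasurer")

def sod_violations(po):
    """Return the role pairs on this purchase order that the same user holds."""
    return [(a, b) for a, b in combinations(SOD_ROLES, 2)
            if po.get(a) and po.get(a) == po.get(b)]

def is_near_threshold(amount):
    return NEAR_THRESHOLD_RATIO * APPROVAL_THRESHOLD <= amount < APPROVAL_THRESHOLD

def check_splitting(orders):
    """Map each PO id to 'ok' or 'blocked'. Orders are walked in date order; a vendor's
    near-threshold orders inside the window are counted and the SPLIT_BLOCK_COUNT-th is blocked."""
    decisions = {}
    recent = defaultdict(list)  # vendor -> dates of near-threshold POs still inside the window
    for po in sorted(orders, key=lambda p: p["date"]):
        if not is_near_threshold(po["amount"]):
            decisions[po["id"]] = "ok"
            continue
        window_start = po["date"] - timedelta(days=SPLIT_WINDOW_DAYS)
        recent[po["vendor"]] = [d for d in recent[po["vendor"]] if d >= window_start] + [po["date"]]
        decisions[po["id"]] = "blocked" if len(recent[po["vendor"]]) >= SPLIT_BLOCK_COUNT else "ok"
    return decisions

def _po(pid, vendor, amount, d, requestor, approver):
    return {"id": pid, "vendor": vendor, "amount": amount, "date": d, "requestor": requestor,
            "approver": approver, "accountant": "u.leroy", "treasurer": "u.bernard"}

# Constructed sample: three EUR 4,800 orders to vendor V-0042 in one week (the third one also
# approved by its own requestor), plus two benign orders.
SAMPLE_ORDERS = [
    _po("PO-1001", "V-0042", 4800.0, date(2025, 3, 3), "u.martin", "u.dupont"),
    _po("PO-1002", "V-0042", 4800.0, date(2025, 3, 5), "u.martin", "u.dupont"),
    _po("PO-1003", "V-0042", 4800.0, date(2025, 3, 7), "u.martin", "u.martin"),
    _po("PO-1004", "V-0099", 4900.0, date(2025, 3, 6), "u.petit", "u.dupont"),
    _po("PO-1005", "V-0042", 1200.0, date(2025, 3, 4), "u.martin", "u.dupont"),
]

if __name__ == "__main__":
    print(check_splitting(SAMPLE_ORDERS))
    print({po["id"]: sod_violations(po) for po in SAMPLE_ORDERS})
```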
3. Audit Trail and Transaction Traceability
The audit trail forms the backbone of any anti-corruption program. Regulators require complete traceability: who did what, when, and in what context.
What the ERP automates:
- Immutable logging of all modifications to sensitive data (vendor records, orders, invoices, payments) with timestamps, user IDs, and before/after values.
- Structured exports for regulatory audits: auditors demand extractions over specific periods and scopes, and the ERP must produce them in a few clicks.
- Integration with electronic invoicing audit requirements: the same traceability mechanisms serve multiple regulatory obligations.
This convergence between anti-corruption compliance, e-invoicing, and data protection (GDPR data access logs) justifies investment in robust audit trails: one system covers multiple obligations.
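An added example, not from the article or any ERP product: a hash-chained audit log in Python that records who changed what, when, with before/after values, and whose verify() detects later alteration, reordering or deletion of any entry. Chaining makes tampering detectable; actual immutability still depends on the storage (append-only or WORM) and on copying the chain head somewhere ERP administrators cannot rewrite. The field names and the sample entries are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain head before the first entry

def _entry_hash(prev_hash, body):
    """SHA-256 over the previous hash and the canonical JSON of the entry body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"), default=str).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

class AuditTrail:
    """Append-only, hash-chained log of changes to sensitive records (who, when, which record and
    field, before/after value). Each hash covers the previous one, so any later edit breaks verify()."""

    def __init__(self):
        self.entries = []

    def record(self, user, table, record_id, field, before, after, at=None):
        body = {"seq": len(self.entries), "ts": (at or datetime.now(timezone.utc)).isoformat(),
                "user": user, "table": table, "record_id": record_id, "field": field,
                "before": before, "after": after,
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        self.entries.append({**body, "hash": _entry_hash(body["prev"], body)})
        return self.entries[-1]["hash"]

    def verify(self):
        """(True, None) if the chain is intact, else (False, seq of the first broken entry)."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _entry_hash(prev, body) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        return True, None

def build_sample_trail():
    """Constructed sample: two changes to vendor V-0042 and one invoice amount change."""
    t = AuditTrail()
    t0 = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
    t.record("u.martin", "vendor", "V-0042", "iban", "FR76 0000 0000 0000", "DE89 0000 0000 0000", at=t0)
    t.record("u.dupont", "vendor", "V-0042", "status", "pending_review", "approved", at=t0.replace(hour=10))
    t.record("u.leroy", "invoice", "INV-2025-0117", "amount", 4800.0, 4950.0, at=t0.replace(day=4))
    return t

def tamper_demo():
    """Rewrite a past 'before' value in place (making the IBAN change look like a no-op)."""
    t = build_sample_trail()
    t.entries[0]["before"] = "DE89 0000 0000 0000"
    return t.verify()
```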
4. Anomalous Transaction Alerts
The ERP is the only system that sees the entirety of the company’s financial flows, which makes it the natural candidate for anomaly detection.
Configurable business rules:
- Gifts and entertainment exceeding defined thresholds (e.g., €150 per recipient per year).
- Representation expenses abnormally high compared to department averages.
- Payments to high-risk countries (Transparency International score below 40).
- Expense reports with repetitive round amounts (statistical falsification signal).
Compliance dashboards: A dashboard with red/orange/green indicators allows the Compliance Officer to manage the system without reviewing every transaction. Red indicators trigger investigation; orange feeds second-level controls.
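An added example (not the article’s or any vendor’s code) that serves both the composite vendor risk score from control 1 and the alert rules above: Python functions mapping vendors, gifts, payments and expense lines to the red/orange/green indicators a compliance dashboard would display. The €150 gift limit and the CPI-below-40 rule come from the text; the scoring weights, indicator cut-offs, the “round amount” definition, the sensitive-sector list and the CPI values are assumptions.

```python
from collections import defaultdict

GIFT_LIMIT_PER_YEAR = 150.0   # per recipient per year, from the article
HIGH_RISK_CPI = 40            # Transparency International CPI below this = high-risk country
ROUND_SHARE_RED = 0.5         # assumed: half or more round-amount lines in a report is red
SENSITIVE_SECTORS = {"commercial_agent", "intermediary", "consulting"}  # assumed list
CPI = {"FR": 67, "DE": 75, "XX": 30}  # constructed scores for illustration, not real index values

def vendor_risk_score(vendor):
    """Composite 0-100 score from country, sector and annual volume; weights are assumptions."""
    country = 100 - CPI.get(vendor["country"], 30)          # unknown country treated as risky
    sector = 100 if vendor["sector"] in SENSITIVE_SECTORS else 20
    volume = min(100, vendor["annual_volume_eur"] / 10_000)  # 1 point per EUR 10k, capped
    return int(round(0.5 * country + 0.3 * sector + 0.2 * volume))

def vendor_indicator(vendor):
    """Red vendors need enhanced due diligence before any PO; orange ones go to second-level review."""
    s = vendor_risk_score(vendor)
    return "red" if s >= 60 else "orange" if s >= 35 else "green"

def gift_indicators(gifts):
    """Aggregate gifts per (recipient, year): red above the limit, orange within 20% of it."""
    totals = defaultdict(float)
    for g in gifts:
        totals[(g["recipient"], g["year"])] += g["amount"]
    return {k: "red" if v > GIFT_LIMIT_PER_YEAR else "orange" if v > 0.8 * GIFT_LIMIT_PER_YEAR else "green"
            for k, v in totals.items()}

def payment_indicator(payment):
    """Red for payments to countries scoring below HIGH_RISK_CPI, orange when the country is unknown."""
    cpi = CPI.get(payment["country"])
    if cpi is None:
        return "orange"
    return "red" if cpi < HIGH_RISK_CPI else "green"

def expense_report_indicator(amounts):
    """Share of round amounts (multiples of EUR 10, an assumed definition) across a report's lines."""
    if not amounts:
        return "green"
    share = sum(1 for a in amounts if a > 0 and a % 10 == 0) / len(amounts)
    return "red" if share >= ROUND_SHARE_RED else "orange" if share >= 0.3 else "green"

if __name__ == "__main__":  # constructed inputs
    print(vendor_indicator({"country": "XX", "sector": "commercial_agent", "annual_volume_eur": 250_000}))
    print(gift_indicators([{"recipient": "Dr. A", "year": 2025, "amount": 90.0},
                           {"recipient": "Dr. A", "year": 2025, "amount": 80.0}]))
    print(expense_report_indicator([50.0, 100.0, 20.0, 13.47]))
```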
5. Internal Whistleblowing System
Since the transposition of EU directive 2019/1937 by national laws, companies with over 50 employees must maintain an internal confidential reporting channel.
Two ERP approaches:
- Integrated module: Some ERPs (SAP, Oracle) offer reporting modules with investigation workflow management, anonymization, and dedicated audit trails.
- Third-party platform integration: For ERPs without native modules, integration with specialized platforms (EQS Integrity Line, Whispli, local solutions) centralizes alerts while guaranteeing required confidentiality.
Key requirement: The system must be accessible to employees, external collaborators, and business partners. Whistleblower protection against retaliation is a legal obligation—the reporting channel cannot be a simple internal HR form.
Which ERPs Natively Support Anti-Corruption Compliance?
Not all ERPs are equal when it comes to compliance. Here’s a market overview.
SAP GRC (Governance, Risk, Compliance) remains the historical leader. The Access Control module manages SoD granularly, Process Control automates accounting controls, and the Business Integrity Screening module verifies third parties against sanctions lists. The downside: deployment complexity and cost reserve it for large enterprises already in the SAP ecosystem.
Oracle Risk Management Cloud, integrated with Oracle Fusion, offers a cloud-native approach with risk management, automated controls, and transaction analysis. Integration with the Procurement module facilitates vendor screening.
Microsoft Dynamics 365 provides multi-level approval workflows and SoD via security roles, complemented by partner solutions (Fastpath, for example) for advanced SoD analysis and third-party screening.
Sage Intacct, positioned in the mid-market, offers multi-level approval controls and comprehensive audit trails. Advanced GRC capabilities require additional modules or third-party integrations.
NetSuite includes configurable approval workflows and role-based access controls, with compliance modules available through SuiteApp marketplace partners.
Smaller ERP solutions (Odoo, local providers) typically lack native anti-corruption modules. Compliance requires specific development or third-party integrations. For growing companies approaching the regulatory thresholds, this is a point to watch on the roadmap.
Integrating Anti-Corruption Compliance into Existing ERP Systems
The good news: changing ERP systems isn’t necessary for compliance. A layered approach allows adding controls to existing systems.
Prioritize the Three Most Audited Pillars
Regulatory audits focus on three priority domains:
- Segregation of duties (SoD) — most frequently audited. If your ERP allows configuring role conflict matrices, start there.
- Third-party screening — vendor evaluation represents the second systematic control point. A connector to a sanctions database (Dow Jones, World-Check, OpenSanctions) can be deployed in weeks.
- Audit trail — verify your ERP logs are immutable and exportable. If not, activate audit trail functionality available in most modern ERPs.
Indicative Budget
For an existing mid-market ERP, deploying a GRC module or compliance control layer typically costs €30,000-€80,000, including:
- SoD matrix configuration and approval workflow setup.
- Third-party screening service integration.
- Audit trail activation and configuration.
- Compliance team training.
This budget should be contextualized against non-compliance costs. French compliance agreements run into millions of euros, while FCPA penalties reach far higher amounts—recall Airbus’s €3.6 billion.
Recommended Project Approach
- Existing system audit (2-4 weeks): map controls already in place in the ERP, identify gaps with regulatory requirements.
- Quick wins (4-6 weeks): activate SoD, configure purchase splitting alerts, verify log immutability.
- Structural phase (2-4 months): deploy automated third-party screening, implement compliance dashboards, connect internal whistleblowing system.
- Continuous improvement: update risk mapping annually, test controls via internal audits, train new collaborators.
Looking Forward
Anti-corruption compliance doesn’t operate in isolation. It integrates within a broader regulatory ecosystem where the ERP plays a central role. For a fuller picture:
- Our guide on the NIS2 directive and ERP details the cybersecurity obligations that apply to the same companies subject to anti-corruption laws.
- The article on DORA and operational resilience in the financial sector covers a complementary regulatory framework for companies with financial activities.
- Our analysis of Procure-to-Pay in ERP goes deeper into procurement workflows, the primary terrain for anti-corruption controls.