Wal-Mart’s annual meeting next month promises to be a contentious one because of questions over how the retail giant handled bribery allegations at a Mexico subsidiary. Shareholders are concerned about the board members’ independence in light of the alleged cover-up of bribery that occurred in 2005 and 2006.

In the meantime, the controversy surrounding Wal-Mart could have a ripple effect on other companies’ governance practices by prompting boards to become increasingly concerned over hits to the reputations of the companies they oversee. That translates into possibly tougher questioning of CFOs. “It’s audit-committee meeting season for most public companies, and I’d be surprised if there is an audit committee out there not questioning companies on their processes and compliance around the Foreign Corrupt Practices Act,” says Dennis Whalen, executive director of KPMG’s Audit Committee Institute. (Like other governance experts CFO spoke with for this story, he refused to comment on the Wal-Mart case specifically.)

Even before the Wal-Mart issue came to light, directors have become increasingly concerned over compliance with the FCPA, a 34-year-old law that prohibits U.S. companies from bribing government officials to win business. The reasons for their worry are that the enforcement of the act has risen in recent years and more companies are becoming global in scale.

In a report released this week, accounting firm EisnerAmper found that two-thirds of the 193 directors studied view reputational risk — which includes FCPA-compliance risk — as their primary concern. Based on a survey done between October 2011 and February 2012, companies that have not been charged by regulators, such as Avon Products, have seen high-level executives resign amid disclosures of FCPA-related internal investigations.

In Wal-Mart’s case, the directors — even those who were not seated at the time of the alleged wrongdoing — are in the crosshairs of the reputational hit the company has taken since an April New York Times article reported that executives pushed internal claims of corruption at Wal-Mart de Mexico under the rug.

Since then, shareholders have filed a derivative lawsuit and have made a plea that investors vote against five directors who are up for reelection. The directors include Michael Duke, the company’s chief executive officer; S. Robson Walton, chairman of the board; and Arne Sorenson, Marriott International’s CEO, who joined the board in 2008 when he was the hotel chain’s finance chief. “We are reviewing the lawsuit closely and are thoroughly investigating the issues that have been raised,” a Wal-Mart spokesperson says.

Among the reasons New York City Pension Funds gives for this proxy fight is that Sorensen is not independent. The basis is that Marriott has a business partnership with Wal-Mart, and that other directors who were on the board at the time of the alleged bribery should have done more to ensure Wal-Mart had adequate internal controls related to its legal and regulatory compliance.

Heightened Awareness
If there has been wrongdoing at a far-flung location, should directors share the blame? And how can directors in general have assurance they are made aware of major risks facing companies? In some ways, the Dodd-Frank Act has helped answer those questions by requiring management and boards to consider who is ultimately responsible for overseeing risk management and putting the answer in writing on proxy statements.

“In the last two years, boards have become much more aware of their responsibilities in assessing risk at the board level,” says Ed Terino, a former finance chief who sits on Baltic Trading’s and SeaChange International’s audit committees. “There’s been a lot of debate on the boards I’ve been a part of [about] where that responsibility lies: whether it lies with the audit committee or the full board.”

Board members, however, are not always aware of potential problem areas. Directors “don’t know what’s going on at a company because they rely on what’s told to them by the CEO and CFO,” says Frederick Lipman, a partner at Blank Rome and president of the Association of Audit Committee Members. “They have no idea what the real risks are because most of what is known is at the lower level of management and never filters up to the board.”

Lipman is a proponent of robust internal whistle-blower programs that ensure confidentiality, offer rewards to legitimate informants, and have a direct connection to the heads of audit committees. The following are more ways CFOs who sit on boards can get a better feel for a company’s FCPA risks and suggestions to make to the committees that oversee their company.

Ask the right questions. Directors need to step back and question the incentives at work and the reporting that overseas divisions and operations make. They should, for instance, ask: “What are the objectives set for these foreign locations, and are the goals being put on them doable given their environment?” says William Hernandez, a retired CFO of PPG Industries who sits on the audit committees of Eastman Kodak and Albemarle, a specialty chemical company. Such probing could get at whether the company is putting too much pressure on employees to give into such temptations as the need to promise a kickback to speed up a permit approval. Michael Breit, a partner at EisnerAmper, suggests that boards should take a careful look at companies’ segment reporting and pay careful attention when a region has significant shifts in sales volume.

Test internal hotlines. Only 5% of employees will use a company tipline, according to a recent report by the Ethics Resource Center. At the same time, the majority of workers are more likely to report a problem to their supervisor. Hotlines are preferred by boards, since a manager may not share or pursue a tip. Hernandez recommends periodic testing of internal hotlines, including using different languages, so that audit committees — which should have access to raw data coming out of these tips — can see if the messages are being translated properly and in a timely manner.

Encourage diversity in experience. While the Sarbanes-Oxley Act requires all audit committees to have a financial expert, it’s also best practice to have a range of backgrounds on boards, notes Hernandez. That can supply a variety of perspectives. Plus, “the whole advantage of having a diverse and good-sized audit committee is that it’s not one person judging whether the controller is doing a good job,” he says. “[Directors] spend a lot of time outside meetings talking to each other . . . about the caliber [of people] and the responses they get.”

Branch out. Board members should try sitting in on committee meetings in which they aren’t directly involved to learn more about other areas of the company. Audit-committee members could learn about questionable incentives that may lead to risky behavior by attending compensation-committee meetings, for example. They should also consider bringing lower-level employees to board meetings to enable the board to hear new voices. “Almost every company now works hard to make sure boards know not only the management they see in every board meeting, but [also get] to see as many people down the organization as they can,” Hernandez says.

Train and train again. Annual ethics training has become more common at companies, and having employees sign a document that they understand the company’s ethics policies can make them accountable if a problem arises. Indeed, the recent lawsuit filed by the California State Teachers’ Retirement System notes the CFO and other senior financial officers are bound by the Wal-Mart’s ethics code, which requires them to report any violations to the audit committee and internal auditors.

Make employees truly accountable. International salespeople and general managers should sign representation letters that attest they will not accept bribes, Terino recommends.