What are internal controls? The best definition I have come across is from Jonathan Marks, partner at BDO, who defined internal controls as:
An internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes or objectives. This, along with continuous auditing, continuous monitoring, and training, reasonably assures:
• The achievement of the process objectives linked to the organization’s objectives;
• Operational effectiveness and efficiency;
• Reliable (complete and accurate) books and records (financial reporting);
• Compliance with laws, regulations and policies; and
• The reduction of risk fraud, waste, and abuse, which aids in the decline of process and policy variation, leading to more predictive outcomes.
The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. As an exercise, map your existing internal controls to the Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where gaps may exist. This will help you determine whether adequate internal compliance controls are present in your company. From there, you can move on to see if they are working in practice.
Three key takeaways:
1. Effective internal controls are required under the FCPA.
2. Internal controls are a critical part of any best practices compliance program.
3. There are four significant controls for the compliance practitioner to implement initially: (a) Delegation of authority (DOA); (b) Maintenance of the vendor master file; (c) Contracts with third parties; and (d) Movement of cash or currency.