What are internal controls? The best definition I have come across is from Jonathan Marks, who defined internal controls as:
Internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes or objectives(s). This, along with continuous auditing, continuous monitoring, and training, reasonably assures:
- The achievement of the process objectives linked to the organization’s objectives;
- Operational effectiveness and efficiency;
- Reliable (complete and accurate) books and records (financial reporting);
- Compliance with laws, regulations, and policies; and
- The reduction of risk fraud, waste, and abuse, which,
- Aids in the decline of process and policy variation, leading to more predictive outcomes.
The DOJ and SEC, in the 2020 FCPA Resource Guide, stated:
Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as a controlled environment that covers the tone set by the organization regarding integrity and ethics, risk assessments, and control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring. … The design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services, how the products or services get to market, the nature of its workforce; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.
This was supplemented in the 2020 Update with a pair of pointed questions: whether a company has made a significant investigation into its internal controls and whether they have been tested, then remediated based upon the testing?
The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help detect fraud, which could lead to bribery and corruption. As an exercise, map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where gaps may exist. This will help you to determine whether adequate compliance internal controls are present in your company. From there, you can move to see if they are working in practice.
Three key takeaways:
- Effective internal controls are required under the FCPA
- Internal controls are a critical part of any best practices compliance program
- There are four significant controls for the compliance practitioner to implement initially. (a) Delegation of authority (DOA); (b) Maintenance of the vendor master file; (c) Contracts with third parties; and (d) Movement of cash/currency.