Categories
Blog

Internal Controls in Compliance: Part 1-What are Internal Controls?

What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. The starting point is the FCPA itself, which states the following:
Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—
(i) transactions are executed in accordance with management’s general or specific authorization;
(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;
(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and
(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences ….
The DOJ and SEC, in the FCPA Resource Guide, 2nd edition, stated:
Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.
…the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.
Perhaps the best definition I have ever heard came from Jonathan Marks, Partner at Baker Tilly, who defined an internal control as
Internal controls expert Joe Howell, former Executive Vice President (EVP) at Workiva, Inc., has said that internal controls are systematic measures, such as reviews, checks and balances, methods and procedures, instituted by an organization that perform several different functions. These functions include allowing a company to conduct its business in an orderly and efficient manner; to safeguard its assets and resources; to detect and deter errors, fraud, and theft; to assist an organization in ensuring the accuracy and completeness of its accounting data; to enable a business to produce reliable and timely financial and management information; and to help an entity to ensure there is adherence to its policies and plans by its employees, applicable third parties and others. Howell adds that internal controls are entity wide; that is, they are not just limited to the accountants and auditors. Howell also notes that for compliance purposes, controls are those measures specifically designed to provide reasonable assurance that no assets or resources of a company can be used to pay a bribe. This definition includes diversion of company assets, such as by unauthorized sales discounts or receivables write-offs, as well as the distribution of assets.
The COSO, in its 2013 publication entitled “Internal Controls – Integrated Framework”, defined internal controls as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.” More specifically, internal controls are, according to COSO:

  • Geared to the achievement of objectives in one or more categories – operations, reporting, and compliance
  • A process consisting of ongoing tasks and activities – a means to an end, not an end in itself
  • Effected by people – not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control
  • Able to provide reasonable assurance – but not absolute assurance, to an entity’s senior management and board of directors
  • Adaptable to the entity structure – flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process

The Integrated Framework goes on to note, “This definition is intentionally broad. It captures important concepts that are fundamental to how organizations design, implement, and conduct internal control, providing a basis for application across organizations that operate in different entity structures, industries, and geographic regions.”
Why are internal controls important in your compliance program? Two FCPA enforcement actions demonstrate the reason. The first came in late 2013 when the DOJ obtained a criminal plea from Weatherford International. There were three areas where Weatherford failed to institute appropriate internal controls. The first was around third parties and business transactions, limits of authority and documentation requirements. The second was effectively evaluating business transactions, including acquisitions and JVs, for corruption risks and investigating those risks when detected. Finally, gifts, travel and entertainment expenses were not adequately vetted to ensure that they were reasonable, bona fide, and properly documented.
The second case involved the SEC 2017 FCPA enforcement action with Halliburton. In this matter, Halliburton’s internal controls were circumvented and overridden, which led to an FCPA violation without evidence of a bribe being paid. It was a civil FCPA enforcement action. It demonstrated that internal controls must be shown to be effective under the FCPA and that, without such a showing, a violator can pay a large financial penalty.
The whole concept of internal controls is that companies need to focus on where the risks are, whether they be compliance risks or other, and allocate their limited resources to putting controls in place that address those risks. In the compliance world, of course, there are two big risks. The first is the assets or resources of a company, not just cash but inventory, fixed assets, etc., being used to pay a bribe. The second is diversion of company assets, such as unauthorized sales discounts or receivables write-offs, which are used to pay a bribe.
As an exercise, I suggest that you map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where control gaps may exist. This will help you to determine whether adequate compliance internal controls are present. From there you can move to see if they are working in practice or “functioning.” Internal controls will only become more important in FCPA enforcement. In this chapter, you will learn how to get ahead of the curve.

Categories
Sunday Book Review

October 3, 2021, the Travel in America edition


In today’s edition of Sunday Book Review:

  • Letters from America by J. Hector St. John de Crèvecoeur
  • Roughing It by Mark Twain
  • Old Glory by Jonathan Raban
  • Confederates in the Attic by Tony Horwitz
  • Travels with Charley by John Steinbeck
Categories
Blog

Internal Controls Week: Part 5 – Assessing Internal Controls in International Operations

How should you assess your internal controls regime for international operations? It is incumbent on you to review as much information as you can to understand the financial and operational structure of an entity and how it is integrated with the corporate headquarters, or the U.S. business unit’s financial and operational structure, if the foreign operation is part of a U.S. business unit.
You could begin with the TI-CPI to garner a sense of the reputation of the country in which your business unit is located, as well as the CPI for all other countries in which the location either markets business or has current customers. Another area for inquiry or review is the scope of your foreign operations. This means you will need to consider your sales model, whether employee based or primarily using third party representatives. You will also need to consider if such third-party representatives are coming into a commercial relationship with your company through your supply chain.
Other areas of inquiry should include whether your company’s finance and accounting staff produce financial statements that are integrated into the parent’s financial statements; whether your international business locations utilize a local bank account for local sales receipts as well as funds transfers from the U.S.; whether the account has local check signers; and whether dual signatures are required on the checks. You may also want to consider the extent to which disbursements are made in the local currency and, of course, whether there is a local petty cash fund.
As with many other areas around internal controls, it is important to consider the local DOA and whether it is consistent with your corporate DOA. Some of the considerations regarding the local DOA should extend to which corporate or U.S. business unit approvals are required for transactions initiated locally, such as: 1) approval of vendor invoices; 2) disbursements of funds, including wire transfers; 3) execution of facilities leases; 4) execution of contracts with agents; and 5) approval of pricing and credit terms to customers and distributors. You should also review whether the local DOA provides appropriate SODs at the local business unit level.
You should consider how sales of product are conducted. For example, is an inventory maintained at the local operation for shipment to customers? Are products drop shipped from the U.S. directly to the customers of the local operation, or are they drop shipped to distributors for delivery to the ultimate customer?
Hopefully you are already doing the above, but you should review what is being done to determine if employees or local contractors who are local nationals have gone through your due diligence process so that they have been properly vetted to determine whether they are government officials in any capacity or are relatives of government officials. Along the lines of a more formal FCPA analysis you should review to see if there has been any investigation of alleged fraud, including FCPA violations, at the location and, if so, what were the results of the investigation? Around customers, you should review with whom each international location does business to determine the extent to which its current customers are local government entities as well as the extent to which the location is pursuing sales activities for other local government entities.
If there has not been a sufficient assessment of controls, the compliance professional must then decide how best to determine whether the local controls are sufficient to satisfy the requirement of the FCPA, accurately reflect all transactions and prevent concealment of improper transactions. Some of these considerations would include inadequate SODs, because the separation of responsibility for physical custody of an asset from the related record keeping is a critical control. In practice, this means that persons who can authorize purchase orders should not be capable of processing accounts payable transactions. Further, the employee who prepares the deposit should not post the receipts to the customer accounts.
You should look to see if there is inappropriate access to assets. If there is, internal controls should be created to provide safeguards for physical objects such as inventory and cash, restricted information, critical forms and update applications. This means that an employee who only needs to view computer information should be restricted to “read and file scan” access and should not be granted “write and create” access. Moreover, controls should prevent the unauthorized removal of resale inventory and movable fixed assets from the premises.
It is not necessary to prove that a bribe has been paid to have an enforcement action against a company for violation of the internal controls provisions of the FCPA. That was the situation in the SEC 2018 FCPA enforcement action involving Kinross Gold Corporation. It was this lack of effective internal controls, not the payment of a bribe, which was the basis for the civil enforcement action. This means that you should look to make certain the situation is not one of form over substance, where controls can appear to be well designed but still lack substance, as is often the case with required approvals.
Such a situation could arise in several different scenarios. The first is where an account manager’s signature attests to the accuracy of the payroll voucher information, but if the account manager does not have assurance that the supporting time records are accurate, the approval process lacks substance. Other examples are where a supervisor approves expense reports but routinely does not look at the supporting documentation; a country manager provides a true control as an approver; or where the country manager or the local finance manager has the ability to conceal the true nature of transactions without detection by anyone else.
Another important area involves sales and compensation for a foreign business unit. On the sales side of the equation, you review the three-year historical sales for the location and the budgeted sales for the upcoming year. This can give insight into the relative pressure on employees to grow the business and, accordingly, the possibility of an employee seeing a bribe as a good way to grow the business. The inquiries can lead to questions about compensation such as: What is the sales incentive compensation plan for local sales personnel? For the country manager? Such an inquiry gives insight into the possibility of personal benefit which might result from someone paying a bribe to win a contract which results in a large sales incentive compensation to the employee.
These reviews, questions, inquiries and analyses are designed to locate the pressure points involved in any company’s sales processes. This is because pressure is a key element of occupational fraud, and the risk of fraud, including corruption, increases as the pressure increases. Since corruption is viewed as a subset of fraud, it might be a good time to review the “fraud triangle,” which lays out the breeding ground for fraud in the corruption context:

  • Pressure which has financial implications, whether it be personal financial needs that are unmet or pressure to reach sales goals;
  • Rationalization. A fraud perpetrator always rationalizes that he/she is not a criminal and when committing fraud for personal benefit, the perpetrator intends to repay the money; when committing fraud for company benefit, the perpetrator rationalizes that the company really wants to meet its goals and that the perpetrator’s actions are in furtherance of the company’s goals; and
  • Opportunity. The perpetrator must be in a situation where the internal controls do not prevent the fraud and its necessary concealment.
Categories
Daily Compliance News

October 2, 2021, the Craziness in Ozyland Folding edition


In today’s edition of Daily Compliance News:

  • Ozy announces its closure. (NYT)
  • Key takeaways from week 4 of Holmes trial. (NYT)
  • Biden DOJ selects competence rather than political lackeys. (WSJ)
  • Convicted fraudster John Rigas died. (WaPo)
Categories
The Ethics Movement

Converge21 – Viktoria Reding on Employee Awareness, Engagement, and Training


CONVERGE is in its 6th year of bringing together the world’s leading companies for 2 days of dynamic speakers, thought-provoking breakout sessions, and opportunities to connect with like-minded professionals. This year the conference has gone virtual. You will leave the conference with new resources and best practices allowing you to continue the hard work of driving ethics to the center of your business. In today’s episode I visit with Viktoria Reding, Compliance Manager at Wella. We visit about her presentation at Converge21 on Employee Awareness, Engagement, and Training.
For more information, go to Converge21.

Categories
Compliance Kitchen

Treasury and Humanitarian Issues


In this episode, the Kitchen takes a look at how the Treasury Department facilitates humanitarian assistance in Afghanistan.

Categories
Daily Compliance News

October 1, 2021 the Manning Brothers edition


In today’s edition of Daily Compliance News:

  • Morgan Stanley faces scrutiny over Venezuela. (WSJ)
  • Joel and the robots on MNF. (WSJ)
  • Dan Kahn returns to private practice. (WSJ)
  • Crypto beefs up compliance. (WSJ)
Categories
STAKE: The Leadership Podcast

Questions Leaders Should Be Asking Employees


Wondering what it’s going to take to keep your best employees? It’s a valid concern in a world where researchers are shouting that soon there will be a big shift of people out of their current positions and organizations.
So, as a leader, what can you do about it? Can you stop it?
I believe you can. It starts by you getting to know your people better. When you know YOUR EMPLOYEES — not the employees surveyed by researchers — then your employees will give you answers on how to lead them in a way that will make them stay and go all in.
In today’s episode I’m sharing with you a recent episode of a show I do on LinkedIn with Phil Van Hooser. We discuss this topic and I hope you have lots of helpful takeaways for your own leadership journey!
If you’re looking for tangible action steps and refreshing insights to help ignite the power of your own leadership journey, sign up for my weekly leadership blog HERE.
If your business would benefit from higher-performing leaders, check out more information about the comprehensive leadership development training I do HERE.
If you want to reach out to me directly, email alyson@vanhooser.com.

Categories
From the Editor's Desk

September in Compliance Week


Welcome to From the Editor’s Desk, a podcast where co-hosts Tom Fox and Dave Lefort, Editor in Chief at Compliance Week, unpack some of the top stories which have appeared in Compliance Week over the past month, look at top compliance stories, talk some sports and generally try to solve the world’s problems.
In this month’s episode, we look back at top stories in CW from September, including the Securities and Exchange Commission letter regarding ESG reporting and the CW survey ‘Inside the Mind of the CCO’. We look at the upcoming CW report on the survey, a long-form investigative series by Aly McDevitt on ransomware attacks and a new CW self-directed learning module on Cybersecurity for the compliance professional. We conclude with a look at some of the highlights from the first few weeks of the 2021 NFL season, the MLB playoff races and the tension of a one-game playoff.
Take the CW survey ‘Inside the Mind of the CCO’ by clicking here.
Check out the CW learning module on Cybersecurity for the Compliance Professional here.

Categories
This Week in FCPA

Episode 271 – the Monsterfest Month Returns


Jay and Tom are back to unpack some of the stories that caught their collective eye on the Monsterfest Month Returns edition.

Stories

1. WPP FCPA enforcement action. Tom with 5-part series on the FCPA Compliance and Ethics Blog. Matt Kelly in Radical Compliance. Tom and Matt on Compliance into the Weeds. Mike Volkov has a 3-part series in Corruption Crime and Compliance.
2. Human rights litigation on the EU. Salomé Lemasson in the FCPA Blog.
3. BOD structure as key to compliance oversight. David Katz and Laura McIntosh in Harvard Law School Forum on Corporate Governance.
4. Bringing clarity to the chaotic world of the CCO. Chris Audet in CCI.
5. Another week, another Wells Fargo fraud related penalty. Jaclyn Jaeger in Compliance Week (sub req’d)
6. Dan Kahn returns to private practice. Dylan Tokar in the WSJ Risk and Compliance Journal.
7. Do ABC academics fail? Matthew Stephenson in GAB.
8. Conquering the last mile of delivery of your Code of Conduct. Harper Wells in CCI.
9. What is Ozy and what does it mean for compliance. Ben Smith in the NYT.
10. Who owns ESG? Matt Kelly explores on Radical Compliance.

Podcasts and Events

11. CCI surveying stress in compliance. Henry Kronk in CCI. Take the survey here.
12. Compliance Week is going ‘Inside the Mind of the CCO’. Participate in the survey here.
13. Ethisphere’s World Most Ethical Company awards for 2022 are open for submission. For more information on the Application Process, click here.
14. Check out the latest addition to the Compliance Podcast Network, A Yank at Oxford. It details the journey of Foley & Lardner partner David Simon as he heads back to university to matriculate for an MBA at Oxford. Episode 1.
15. Are you exasperated? Then check out F*ing Argentina. In this podcast series, co-hosts Tom Fox and Gregg Greenberg, author of F* Argentina, explore the current American psyche of being overworked, over leveraged, overtired and overwhelmed. Find out about modern America’s exasperation with well…exasperation. In Episode 1, the dreaded Parent Meeting night at your child’s elementary school. In Episode 2, why F*ing Argentina? In Episode 3, one of the most beloved characters in musical theater, Officer Krupke is exasperated.
16. Tom and Compliance Week EIC Dave Lefort look back at September in CW and forward to October (and talk some sports) in this month’s edition of From the Editor’s Desk.
17. K2 Integrity’s Edoardo Fiora will present at “ESG Getting Hitched to Business (and IP) Strategy—From Resilience Framework to Recovery Path,” on October 14th. Registration and Information here.
18. Join Jay, Tom and the top E&C professionals at Converge21, a virtual conference on October 12 & 13. Registration and information here. Why should you attend? Check out some of the panelists discussing their presentations on the Converge21 podcasts. Michael Randrup, Wendy Badger, Lloydette Bai-Marrow, Tom and Philip Winterburn.
19. How does a Compliance Bible become a best-seller? Check out Tom’s appearance on the C-Suite Network’s Best Seller TV to find out. Purchase The Compliance Handbook, 2nd edition here.

Tom Fox is the Voice of Compliance and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.