What are internal controls? The best definition I have come across is from Jonathan Marks, partner at BDO, who defined internal controls as:
An internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive and corroborative actions required to achieve the desired process outcomes or the objectives(s). This, along with continuous auditing, continuous monitoring and training reasonably assures:
• The achievement of the process objectives linked to the organization’s objectives;
• Operational effectiveness and efficiency;
• Reliable (complete and accurate) books and records (financial reporting);
• Compliance with laws, regulations and policies; and
• The reduction of risk-fraud, waste and abuse, which, aids in the decline of process and policy variation, leading to more predictive outcomes.
What specifically are internal controls in a compliance program? The starting point is the FCPA itself, which requires issuers to devise and maintain a system of internal controls that can reasonably assure:
1. Transactions are executed in accordance with management’s general or specific authorization;
2. Transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;
3. Access to assets is permitted only in accordance with management’s general or specific authorization; and
4. The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.
The DOJ and SEC, in the 2020 FCPA Resource Guide, 2nd edition, stated:
Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring. … The design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.
This was supplemented in the 2023 ECCP, with a pair of pointed questions: whether a company has made significant investigation into its internal controls and have they been tested, then remediated based upon the testing?
The whole concept of internal controls is that companies need to focus on where the risks—compliance or otherwise—are and then allocate their limited resources to putting controls in place that address those risks. In the compliance world, of course, your two biggest risks are 1) company assets or resources, marketing expenses, petty cash or other sources of funds being used to pay a bribe, and 2) diversion of company assets, such as unauthorized sales discounts or receivables and write offs used to pay a bribe.
There are four significant controls for the compliance practitioner to implement initially. They are:
1. Delegation of authority (DOA);
2. Maintenance of the vendor master file;
3. Contracts with third parties; and
4. Movement of cash/currency.
Your DOA should reflect the impact of compliance risk including both transactions and geographic location so that a higher level of approval for matters involving third parties, for fund transfers and invoice payments to countries outside the US would be required inside your company.
Next is the vendor master file, which can be a powerful preventative control tool largely because payments to fictitious vendors are one of the most common occupational frauds. The vendor master file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. There should be electronic controls in place to block payments to any vendor for which vetting has not been approved. Internal controls are needed over the submission, approval, and input of changes to the vendor master file.
Contracts with third parties can be a very effective internal control that works to prevent nefarious conduct rather than simply as a detect control. For contracts to provide effective internal controls, however, relevant terms of those contracts—including, for instance, the commission rate, reimbursement of business expenses, use of subagents, etc.,—should be made available to those who process and approve vendor invoices.
All situations involving the movement of cash or transfer of monies outside the US—including such methods as computer checks, manual checks, wire transfers, replenishment of petty cash, loans, and advances—should be reviewed from the compliance risk standpoint. This means identifying the ways in which a country manager or a sales manager could cause funds to be transferred to their control and to conceal the true nature of the use of the funds within the accounting system.
To prevent these types of activities, internal controls need to be in place. All wire transfers outside the US should have defined approvals in the DOA. The persons who execute the wire transfers should be required to evidence agreement of the approvals to the DOA, and wire transfer requests going out of the US should always require dual approvals. Lastly, wire transfer requests going outside the US should be required to include a description of proper business purpose.
The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. As an exercise, map your existing internal controls to the Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where gaps may exist. This will help you to determine whether adequate compliance internal controls are present in your company. From there you can move to see if they are working in practice.