New York Times columnist David Brooks’ thoughts on building and maintaining order inform the discussion on rigor in your internal controls. In internal controls, I believe it is incumbent to consider not only the most obvious risk areas for your internal controls but also the universe of potential transactions within the operations of a company. There is a clear need for rigor in your internal controls protocols and adherence to that rigor can increase operationalization around the internal controls a company should consider including gifts, travel and entertainment expenses.
One area that companies need to be mindful of is corporate checks and wire transfers, in response to falsified supporting documentation, such as check requests, purchase orders, or vendor invoices. The Delegation of Authority (DOA) is a critical internal control. For example, a wire transfer of $X between company bank accounts in the US might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of $X to the company’s bank account in Nigeria, could require approval by the Finance Manager, a knowledgeable person in the compliance function, and one officer. The key is that the DOA should specify who must give the final approval for such an expense.
Petty cash disbursements in locations outside the US have unique control issues. Some petty cash funds outside the US have small balances but substantial throughput of transactions. Your DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US, including those who travel from the US to work outside the US
Another area for concern is travel, the reason for this being that a company’s corporate travel department and independent travel agencies can buy tickets, hotel rooms, etc., for non-employees. Internal controls might be needed to ensure policies are enforced when travel for non-employees can be purchased through a corporate travel department or through independent travel agencies. As was demonstrated with the GlaxoSmithKline plc (GSK) bribery and corruption criminal conviction in China, a company must not discount the risk related to abuse of power internally and collusion with independent travel agencies. You should implement procedures to ensure compliance with your company policies regarding payment of travel and related expenses for third parties, for not only visits to manufacturing or job sites but also any compliance restrictions that might be in place.
An area for fraud, corruption and corporate abuse has long been P-Cards. If your company uses P-Cards, assume this to be a very high-risk area, not just for bribery and corruption but also for fraud risk generally. Banks have made a great selling job to corporations for the use of P-Cards to help to facilitate “cash management” but, more often than not, they can simply be a streamlined way to allow embezzlement and misbehavior to go undetected. Here a control objective should be put in place along the lines of a written policy and procedure defining the acceptable and unacceptable use of company P-Cards, required forms, required approvals, documentation and review requirements.
If the pre-approval process and strong controls over expense reports prevent misbehavior, employees who wish to misbehave will seek other ways to do it where controls are not so strong. This means you should use your risk assessment process to help prioritize where controls are most needed. If your company prohibits gifts and any travel other than for the submitting employee from being included in the expense report, you should consider requiring instead a check request form be used, which would be subject to stringent controls. In such cases a checklist should be completed and attached to the request which includes questions and disclosures designed to flush out exactly what was provided in the way of a business class airline, pocket money, event tickets, side trips, leisure activities, spouses or other relatives who might be traveling and why the travel had business purpose. Such an internal control would allow for a more streamlined processing of expense reports and still elevates the items to the appropriate level of review and requires appropriate documentation.
One question I am often asked is why does a company need internal controls in place regarding gifts because in many companies internal audits of these expense reports are common? It is important to keep in mind that, with respect to gifts, travel and entertainment, internal audits most often constitute, at best, a detect control, which only gives comfort for some historical period and is not necessarily representative of the controls in place to prevent future violations. So, it will be a false sense of security if a compliance officer relies on the internal audit of expense reports to be the control needed over violation of gift policies.
Brooks said, “Building and maintaining order…requires toughness of mind and rigid discipline to properly serve your own work.” By having the rigor to institute and enforce the types of internal controls identified, you can go a long way towards detecting and, more importantly, preventing a Foreign Corrupt Practices Act (FCPA) violation from occurring.