Today, I will review how to use the risk assessment you have performed as a tool to provide a structured approach to establishing effective internal controls. After preparing the risk assessment, the next step is to prioritize listing the risks and which locations are common. This begins by mapping existing internal controls to risks and assessing whether the internal controls are sufficient to mitigate the risks.
To help with consistency in this evaluation process, assigning a risk weight to each element in the risk assessment may be useful. For example, a construction company might assign a higher weight to the presence of movable fixed assets. A company that sells exclusively through local distributors might assign a higher weight to the sales function than one that exclusively uses company employees for sales activities. However, it is structured; the assessment should result in the assignment of individual risk scores and a composite risk score for each location. These scores can then prioritize the locations dealing with control risks.
Top Risks Include:
Sales are conducted through third parties.
· A U.S.-based international sales manager who is responsible for growing the business?
· Sales channel uses a U.S.-based sales force that only travels to locations outside the U.S. for temporary visits of generally short duration.
· Gifts, travel, and entertainment.
· High-risk jurisdictions.
· Business ventures.
You can also utilize the COSO 2013 Internal Controls Framework, which created a more formal structure to design or assess the effectiveness of internal control within the five COSO components. A companion document, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, catalogued possible approaches and examples in the context of internal controls over financial reporting and could be useful for companies complying with internal compliance controls under the FCPA. COSO has also published an additional companion document, Illustrative Tools for Assessing Effectiveness of a System of Internal Control, which provides templates that may be used to support an assessment of internal controls and includes various scenarios which illustrate several practical examples of how the templates may be used.
Finally, consider a business unit in a geographic area such as the Far East where there is a significant amount of deference to supervisors in the local culture, such that even if an employee saw inappropriate behavior, it would not be expected that the employee would make any report or comment.
Three key takeaways:
1. Third-party risks are still your highest risks under the FCPA, so use your internal controls appropriately to help prevent this risk from becoming a violation.
2. Use mapping and gap analysis to collate risks to existing controls.
3. Always consider the regional and geographic variances.
