The Compliance Handbook

The Compliance Handbook – Karen Woody on Internal Controls


Internal Controls
Internal controls are an organization’s processes, rules, and practices for maintaining the integrity of its corporate governance, fostering transparency and preventing fraud. Internal controls can improve operating performance by making financial statements more accurate and reliable, support compliance with laws and regulations, and discourage employees from embezzling assets or committing fraud.
In another uber-treat episode of The Compliance Handbook, I’ve invited Karen Woody to talk about internal controls’ role in compliance.
Key takeaways discussed in the chapter:

  • Understand why internal controls are compared to smoke alarms that go off when wrongdoing is happening.
  • Dive deeper into the four keys of internal controls for compliance, and learn how to use each key in your goal of having an ethical company.
  • See that internal controls can change, evolve, and grow as the bad guys get more sophisticated, and find out how your organization can implement a dynamic policy.
  • Wade through the COSO 2013 Internal Controls Framework and see whether the same policies will work for your organization.
  • Understand how the SEC views internal controls and why there are non-bribery SEC internal control enforcement actions.
  • Make sense of some lessons from failures of internal controls.

The “Nuts and Bolts” for Creating a Comprehensive Compliance Plan
The first chapter of this unique work lays out a succinct yet thorough 31-day approach to operationalizing a company’s compliance regimen. Beginning with a section on what 2020 brought to the compliance landscape, the chapter methodically outlines best practices for everything from establishing policies, procedures, and internal controls, to assessing risk, training, handling investigations, and more. Each day ends with three key takeaways you can implement at little or no cost.
Order your copy or copies of The Compliance Handbook: A Guide to Operationalizing Your Compliance Program and save 25%.
http://www.lexisnexis.com/fox25

31 Days to More Effective Compliance Programs

Day 8 | Internal Controls and Compliance


What are internal controls? The best definition I have come across is from Jonathan Marks who defined internal controls as:
An internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive and corroborative actions required to achieve the desired process outcomes or objective(s). This, along with continuous auditing, continuous monitoring and training, reasonably assures:

  • The achievement of the process objectives linked to the organization’s objectives;
  • Operational effectiveness and efficiency;
  • Reliable (complete and accurate) books and records (financial reporting);
  • Compliance with laws, regulations and policies; and
  • The reduction of risk (fraud, waste and abuse), which aids in the decline of process and policy variation, leading to more predictive outcomes.
The DOJ and SEC, in the 2020 FCPA Resource Guide, stated:
Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring. … The design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.
This was supplemented in the 2020 Update with a pair of pointed questions: whether a company has made a significant investigation into its internal controls, and whether those controls have been tested and then remediated based upon the testing.
The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. As an exercise, map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where gaps may exist. This will help you to determine whether adequate compliance internal controls are present in your company. From there you can move to see if they are working in practice.
Three key takeaways:

  1. Effective internal controls are required under the FCPA
  2. Internal controls are a critical part of any best practices compliance program
  3. There are four significant controls for the compliance practitioner to implement initially. (a) Delegation of authority (DOA); (b) Maintenance of the vendor master file; (c) Contracts with third parties; and (d) Movement of cash/currency

Assessing compliance internal controls under COSO


Next, consider what COSO says about assessing compliance internal controls. In its Illustrative Guide, COSO laid out its views on “how to assess the effectiveness of its internal controls.” It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements that can only be met through such a structured approach. First, each of the five components is present and functioning. Second, the five components are “operating together in an integrated approach.” One of the most critical features of the COSO 2013 Internal Controls Framework is that it sets internal control standards against which you can audit to assess the strength of your compliance internal controls.
Under a compliance regime, you may be faced with known or relevant criteria for classifying any deficiency. For example, the 2020 FCPA Resource Guide states that written policies should, at a minimum, cover “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Applying the test formulated in the Illustrative Guide, a finding that the written policies lack these categories would preclude management from “concluding that the entity has met the requirements for effective internal controls in accordance with the Framework.”
Three key takeaways:

  1. A new revenue recognition standard has become effective. What have you done from the compliance perspective?
  2. This new revenue recognition standard is much more judgment based and when a standard is more judgment based, there can be more room for manipulation.
  3. Compliance internal controls now can also be used to gather the information which will be presented to auditors under the new rev rec standard.

Internal controls for gifts, travel and entertainment


It is reasonable to expect that internal controls over gifts, travel and entertainment be designed to ensure that they satisfy the criteria defined in company policies. These criteria are narrow, including a dollar limit that must not be exceeded for a gift to be permissible, coupled with some subjective criteria such as the legality of the gift for the recipient and whether the practice is customary in the country where the gift is delivered. The question I focus on is how to enforce the policies so that employees are not free to disregard them at will. The key analysis is whether there are controls in place to enforce the policies and whether those controls are documented. There are four issues to evaluate:

  1. Is the correct level of person approving the payment/reimbursement for the gift?
  2. Are there specific controls, including signoffs, to demonstrate that the gift had a proper business purpose?
  3. Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls?
  4. If controls are not followed, is that failure detected by other internal controls or the compliance protocols?

Internal controls around gifts can be used in a variety of ways in your best practices compliance program. They can certainly be used to detect an issue and perhaps even prevent an issue from becoming a full-blown FCPA violation. However, by using some of the techniques suggested, you can move your compliance program to a proscriptive phase where you not only stop an issue from becoming a violation but, through identification, move towards remediation as a part of your ongoing compliance efforts. The bottom line is that good internal controls make for good business processes; if you can move your compliance program’s internal controls forward, you can help make them a part of your financial controls and thereby have a better run company.
Three key takeaways:

  1. Gifts, travel and entertainment compliance internal controls are low hanging fruit, pick them.
  2. Compliance internal controls can be both detect and prevent controls.
  3. Good compliance internal controls are good for business.

Internal controls in international locations


Next, I want to consider some of the issues around internal controls outside the U.S. and why your company’s internal controls might require changes for different countries across the globe. This also provides an opportunity to further operationalize your compliance program through internal controls more narrowly tailored to mirror your business practices. Every CCO should consider entity-wide internal controls for a company. Under the FCPA accounting provisions, issuers can be held liable for the conduct of their foreign subsidiaries, even though the improper conduct occurred outside of the U.S. The scope of liability is based on the issuer’s incorporation of the subsidiary’s financial statements in its own records and SEC filings. So, as with the use of third-party distributors to sell product, FCPA enforcement looks past the structure of the transaction and makes enforcement decisions based upon the substance.
A CCO should expect (or at least hope) that internal controls at locations outside the U.S. are as effective as internal controls within U.S. business units and at the U.S. corporate office; unfortunately, that might not always be the case. It is often the case that corporate level internal controls are stronger than those in foreign business units. There may well be several reasons for this. First, the CFO may be paying closer attention to the corporate level internal controls, with the idea that the corporate level internal controls are the final “filter” to detect issues. This follows partly from the focus in most companies on the controls over financial reporting, which do not include all controls needed for compliance. A second reason is that many companies were built through acquisitions, resulting in many business units (both in and outside the U.S.) having completely different accounting, ERP and internal control systems than the corporate office. There is often a tendency to leave acquired companies in the state in which they were acquired, rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the profitability of the acquired company and nobody wants to be accused of negatively impacting profitability.
Three key takeaways:

  1. Modifying your internal controls can work to more fully operationalize your compliance program.
  2. Check the effectiveness of your internal controls for your international locations.
  3. Revisit your internal controls when a country or region experiences large growth or other disruption.

The four key internal controls for compliance

 
There are four significant controls that I would suggest the compliance practitioner implement initially. They are: 1) DOA; 2) maintenance of the vendor master file; 3) contracts with third parties; and 4) movement of cash/currency.
Your DOA should reflect the impact of compliance risk, including both the transaction type and the geographic location, so that a higher level of approval is required inside your company for matters involving third parties and for fund transfers and invoice payments to countries outside the U.S. The vendor master file can be one of the most powerful preventative control tools, largely because payments to fictitious vendors are one of the most common occupational frauds. Near and dear to my heart as a lawyer are contracts with third parties. These can be a very effective internal control that works to prevent nefarious conduct rather than serving simply as a detect control. The Hewlett-Packard (HP) FCPA enforcement action was an excellent example of the lack of internal control over the disbursement of funds and movement of currency: the country manager was delivering bags of cash to a Polish government official to obtain or retain business. All situations where funds can be sent outside the U.S., including accounts payable computer checks, manual checks, wire transfers, replenishment of petty cash, and loans or advances, should be reviewed from the compliance risk standpoint. This means you need to identify the ways in which a country manager or a sales manager could cause funds to be transferred to their control and conceal the true nature of the use of the funds within the accounting system.
To prevent these types of activities, internal controls need to be in place. This means all wire transfers outside the U.S. should have defined approvals in the DOA, the persons who execute the wire transfers should be required to evidence that the approvals obtained conform to the DOA, and wire transfer requests going out of the U.S. should always require dual approvals. Lastly, wire transfer requests going outside the U.S. should be required to include a description of the proper business purpose.
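As an added illustration (not code from the original post or from any tool it mentions), here is a small policy checker that applies the wire-transfer controls just described and the gift approval checks from the gifts, travel and entertainment post above: approval at the DOA level, dual approval and a documented business purpose for wires outside the U.S., a gift ceiling, and segregation of duties between requester and approver. The DOA table, approval levels, gift limit and sample requests are all constructed assumptions.

```python
"""Added example: checks payment and gift requests against a constructed DOA."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed approval ladder; higher number means more senior.
LEVELS = {"manager": 1, "director": 2, "vp": 3, "cfo": 4}

# Constructed DOA: minimum approver level by (transaction kind, destination).
# Outside-U.S. transactions require a more senior approver, as the post suggests.
DOA = {
    ("wire", "domestic"): "director",
    ("wire", "international"): "vp",
    ("gift", "domestic"): "manager",
    ("gift", "international"): "director",
}
GIFT_LIMIT_USD = 100.0   # constructed policy ceiling for a single gift


@dataclass
class Request:
    kind: str                         # "wire" or "gift"
    amount_usd: float
    destination: str                  # "domestic" or "international"
    requester: str
    approvals: List[Tuple[str, str]]  # (approver name, DOA level) sign-offs
    business_purpose: str = ""
    third_party: bool = False         # payment to an agent or distributor


def check_request(req: Request) -> List[str]:
    """Return the control exceptions for a request; an empty list means it passes."""
    findings = []
    required = LEVELS[DOA[(req.kind, req.destination)]]
    if req.third_party:
        # Third-party involvement raises the required approval level by one step.
        required = min(required + 1, LEVELS["cfo"])
    distinct = {name for name, _ in req.approvals}
    # Segregation of duties: a requester's own sign-off does not count.
    if req.requester in distinct:
        findings.append("requester approved own request")
        distinct.discard(req.requester)
    levels = [LEVELS[lvl] for name, lvl in req.approvals if name != req.requester]
    if not levels or max(levels) < required:
        findings.append("no approver at required DOA level")
    if req.kind == "wire" and req.destination == "international":
        if len(distinct) < 2:
            findings.append("international wire lacks dual approval")
        if not req.business_purpose.strip():
            findings.append("international wire lacks business purpose")
    if req.kind == "gift":
        if req.amount_usd > GIFT_LIMIT_USD:
            findings.append("gift exceeds policy limit")
        if not req.business_purpose.strip():
            findings.append("gift lacks documented business purpose")
    return findings


# Constructed sample requests: one clean wire, one wire with several control gaps,
# and one gift over the limit.
SAMPLES = {
    "clean_wire": Request("wire", 25000, "international", "jsmith",
                          [("mlee", "vp"), ("rkhan", "cfo")],
                          "Q3 distributor commission per contract 17", True),
    "bad_wire": Request("wire", 25000, "international", "jsmith",
                        [("jsmith", "vp"), ("mlee", "director")], "", True),
    "big_gift": Request("gift", 250, "international", "apatel",
                        [("mlee", "director")], "Holiday gift to customer"),
}


def run_samples():
    return {name: check_request(r) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "PASS" if not findings else findings)
```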
The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption.
Three key takeaways:

  1. Remember the top four internal controls for an effective compliance program.
  2. Effective internal controls should not only protect but also prevent internal program violations.
  3. Effective internal compliance controls are good financial controls.

Discipline and rigor in your internal controls


New York Times columnist David Brooks’ thoughts on building and maintaining order inform the discussion on rigor in your internal controls. In internal controls, I believe it is incumbent to consider not only the most obvious risk areas but also the full universe of potential transactions within the operations of a company. There is a clear need for rigor in your internal controls protocols, and adherence to that rigor can increase operationalization of the internal controls a company should consider, including those over gifts, travel and entertainment expenses.
Brooks said, “Building and maintaining order…requires toughness of mind and rigid discipline to properly serve your own work.” By having the rigor to institute and enforce the types of internal controls Howell has identified, you can go a long way towards detecting and, more importantly, preventing an FCPA violation from occurring.
Three key takeaways:

  1. You must maintain rigor around your internal controls.
  2. Controls against fraud can also help to prevent corruption.
  3. Building and maintaining good internal controls requires rigor.

What are internal controls?


What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but also the foundation of any effective anti-corruption compliance program. Internal controls expert Joe Howell, former Executive Vice President (EVP) at Workiva, Inc., has said that internal controls are systematic measures, such as reviews, checks and balances, methods and procedures, instituted by an organization, that perform several different functions. These functions include allowing a company to conduct its business in an orderly and efficient manner; safeguarding its assets and resources; detecting and deterring errors, fraud, and theft; assisting an organization in ensuring the accuracy and completeness of its accounting data; enabling a business to produce reliable and timely financial and management information; and helping an entity ensure that its employees, applicable third parties and others adhere to its policies and plans. Howell adds that internal controls are entity wide; that is, they are not limited to the accountants and auditors. Howell also notes that for compliance purposes, controls are those measures specifically designed to provide reasonable assurance that the assets or resources of a company cannot be used to pay a bribe. This definition includes diversion of company assets, such as by unauthorized sales discounts or receivables write-offs, as well as the distribution of assets.
Three key takeaways:

  1. Effective internal controls are required under the FCPA.
  2. Internal controls are a critical part of any best practices compliance program.
  3. There are multiple FCPA enforcement actions that demonstrate the enforcement spotlight on internal controls.

The Board’s Role with Internal Controls


The basic framework for internal controls is derived from the COSO Model developed by the Committee of Sponsoring Organizations of the Treadway Commission in 1992 (COSO). This model has become the standard for an internal control framework and provides a structure to ensure companies address the key elements that should result in an effective system of internal controls. Using the COSO Model, as modified in 2013, provides a very supportable approach when regulators challenge whether a company has effective internal controls. The COSO Model defines internal controls in a pyramid, from bottom to top, as follows: (a) Control environment, (b) Risk assessment, (c) Control activities, (d) Information and communication, and (e) Monitoring.
Internal controls for a Board or Board Compliance Committee should be broken down into five concepts:

  1. Risk Assessment – A Board should assess the compliance risks associated with its business.
  2. Corporate Compliance Policy and Code of Conduct – A Board should have an overall governance document which will inform the company, its employees, stakeholders and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
  3. Implementing Procedures – A Board should determine if the company has a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy.
  4. Training – There are two levels of Board training. The first should be that the Board has a general understanding of what the FCPA is and it should also understand its role in an effective compliance program.
  5. Monitor Compliance – A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.

Three key takeaways:

  1. Has your company implemented COSO 2013?
  2. What was the Board’s involvement?
  3. What is your documentation?

One Month to More Effective Internal Controls – Board of Directors’ oversight as an internal control

Is a Board of Directors a compliance internal control? The clear answer is yes. In the 2020 FCPA Resource Guide, Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board in a best practices compliance program. One states, “Within a business organization, compliance begins with the Board of Directors and senior executives setting the proper tone for the rest of the company.” The second is found under the Hallmark entitled “Oversight, Autonomy and Resources,” which says the CCO should have “direct access to an organization’s governing authority, such as the Board of Directors and committees of the Board of Directors (e.g., the audit committee).”

Further, under the U.S. Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: Do the directors exercise independent review of a company’s compliance program, and are directors provided information sufficient to enable the exercise of independent judgment? The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program.
Three key takeaways:

  1. Board oversight over the compliance function is a separate internal control so document it and use it.
  2. The Board must perform oversight over your company’s internal controls.
  3. Does your Board use the five principles for involvement in compliance internal controls?

For more information on how to build out a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.