Most Foreign Corrupt Practices Act (FCPA) practitioners understand the requirement for a compliance policy under the FCPA. However many practitioners, particularly lawyers practicing in the compliance field, do not understand the requirement for proper Internal Controls. Generally speaking, Internal Controls are policies, procedures and training which are installed to safeguard that a business’ assets are utilized in an appropriate manner; with proper oversight and approval and that all company transactions are properly recorded in its books and records.
We have previously discussed the new book by Aaron Murphy in the FCPA arena entitled, “Foreign Corrupt Practices Act – A Practical Resource for Managers and Executives”. In this work, Mr. Murphy opines that Internal Controls can be delineated into five concepts, which are as follows:
I. Risk Assessment – A company should assess the compliance risks associated with its business.
II. Corporate Compliance Policy and Code of Conduct – A company should have an overall governance document which will inform employees throughout the company, of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
III. Implementing Procedures – A company should have a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy.
IV. Training – A company should have a training program in place to confirm that employees understand their obligations under the compliance policies and procedures.
V. Monitor Compliance – A company must test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.
While all of the above may seem covered by the US Sentencing Guidelines, as the best practices of any robust compliance program, the lack of Internal Controls can bring serious consequences to any company found violating the FCPA. The failure to maintain proper Internal Controls can bring a separate civil charge, brought by the Securities and Exchange Commission (SEC). Such a charge can lead to a fine, injunction and profit disgorgement.
With the above in mind, we would propose, as a starting point for the FCPA practitioner, our own five questions to start the assessment of your company’s internal controls. They are:
1. What accounting processes, if any, occur outside your home office and at how many locations?
2. What ERP/financial accounting software system is used? Is the same system used at each location where accounting is performed?
3. Who are the independent auditors and for how many years have they been performing audits for the Company?
4. Has there ever been an independent assessment of Internal Controls, other than what is done in connection with the independent audit? (are you asking readers to contact you to discuss or is that something that the FCPA practitioner should say to the board?)
5. Has there ever been fraud detected in the Company?
While Internal Controls is often seen as the step-child in any FCPA compliance discussion, we believe that Internal Controls should be seen as a bulwark in a best practices compliance program to prevent, detect and help remedy any situation which may be violative of the FCPA. We would also note that robust Internal Controls is also considered to be a key component of any adequate procedures under the UK Bribery Act. We hope that the five questions we have listed above may be a good starting point for you to begin to assess your company’s Internal Controls.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2011