Although much is still unclear about the implementation date, or the manner in which the UK Bribery Act will be enforced, it is clear that one of the important compliance functions which a company should implement is appropriate internal controls. The previously released Consultative Guidance had the following language regarding internal controls, “Businesses should also consider how their existing internal company procedures can be used for bribery and corruption prevention. For example, financial and auditing controls, disciplinary procedures, performance appraisals, and selection criteria can act as an effective bribery deterrent.”
Internal controls are a key component of any best practices compliance program, whether based upon the Foreign Corrupt Practices Act (FCPA); OECD Good Practices or another local law. Appropriate controls are always needed for the reason that if a compliance program relies simply on the issuance of compliance policies, and on the honesty of a company’s employees, a company may get lucky and avoid a violation but a it will not have an effective compliance program.
Internal controls means more than simply financial and auditing controls. As noted by the UK Bribery Act Consultative Guidance, internal controls should also be applied to other areas of a company’s overall program. Internal controls can provide a check on employee training, certification and testing; issues related to employee performance, such as performance appraisals and disciplinary procedures; and third party due diligence and administrative procedures.
As recently as last week, yet another enforcement action was announced by the Securities and Exchange Commission (SEC) for violation of the books and records component of the FCPA. The SEC agreed to a settlement related to a finding that IBM’s internal controls were inadequate. Improper payments were made to South Korean officials and improper travel and entertainment was paid for Chinese officials. All the payments were by subsidiaries for which IBM was held responsible.
Within the FCPA, the requirements of the books and records provision requires that a company keep detailed books and records which fairly reflect the company’s transactions and disposition of assets. While many companies are familiar with external auditors, who consider materiality to financial statements when determining an audit scope and where the audit focus is the fairness of the presentation of financial statements in all material aspects. They are also experienced with audits for Sarbanes-Oxley (SOX) purposes, which allow exclusion of coverage for immaterial processes and locations and the focus is more directed to the avoidance of material misstatements in the financial statements. However, this materiality issue does not arise under the books and records provisions of the FCPA. Put another way – there is NO materiality consideration – either in the transaction amount or the size of the operations.
Effective controls generally mean that a company’s controls are designed to meet specific objectives. A company’s internal control system should include measures to ensure that controls are consistently and accurately performed. A company should maintain internal accounting controls which provide reasonable assurance that:
- Transactions are properly authorized;
- Transactions are accurately recorded;
- Accountability for assets is maintained; and
- Unauthorized access to assets is prevented.
It is important that a company assesses its internal accounting controls at regular intervals. This means that a company should compare the recordkeeping for assets to an inventory of the actual physical assets. If there are discrepancies, remedial action should be taken. Some examples of this can be physical inventory counts, fixed asset counts and cash reconciliation.
Last week’s SEC enforcement action against IBM drove home yet again the importance of adequate books and records in any FCPA compliance program. Internal controls are a key element in providing sufficient records. An overlooked part of the UK Bribery Act is that all companies subject to its rules and regulations must have an adequate internal controls program, encompassing areas much broader than adequate books and records. These areas should be assessed and remedial action taken to correct any deficiencies as part of a company’s ongoing assessment and compliance program update.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2011