My colleague Henry Mixon of Mixon Consulting has an interesting observation regarding internal controls under the UK Bribery Act. Unlike the Foreign Corrupt Practices Act (FCPA), the Bribery Act does not have a books and records component written into the law. However, even without this books and records component, robust internal controls may be more important under for the reason that they must be present and functioning if a company is to assert an “Adequate Procedures” defense available under the Act.
Buried within “Principle Five of the Guidance” is the requirement that (a) a company has appropriate financial controls to prevent and detect violation of anti-bribery policies; and (b) that these financial controls be communicated to both employees and relevant third parties. With this total lack of ‘guidance’ for companies subject to the Bribery Act to fall back upon, we believe companies can look to internal controls developed for the FCPA for some guidance. However, the internal controls put in place for the Bribery Act will need to address the specifics of that the Bribery Act. Clearly the two major differences will be lack of distinction between public officials and the jurisdictional nature of the Bribery Act will require a company’s internal controls to be global in scope.
I. The Four Cornerstones
We have previously set out the four cornerstones of any internal controls regime, and just to refresh they are as follows:
- Transactions are properly authorized;
- Transactions are accurately recorded;
- Accountability for assets is maintained; and
- Unauthorized access to assets is prevented.
As we have also made clear, in prior posts, three key components are: Documentation, Documentation and Documentation. There must be written policies and procedures which are clear, assessable and enforced, however policies alone are not sufficient. There must be evidence of standards for the performance of internal controls; there should also be ongoing monitoring and auditing to ensure that they continue to function effectively.
Internal control infrastructure should be evaluated and enhanced if needed. This would include the tracking of gifts, entertainment, hospitality and promotional considerations. A similar requirement is found for travel. Any payments to high risk parties or in high risk countries should not only be evaluated with internal controls but elevated for approval to an appropriate level of management for visibility, a delegation of authority issue. All of these considerations need to include an expanded emphasis under the Bribery Act, due to the lack of distinction of public officials and private actors, so all transactions need to have this level of review.
III. Beyond the FCPA
Other additional considerations or expanded considerations which a FCPA only based internal controls system may need under the Bribery Act are a mechanism to deal with a company’s interaction with a US governmental official. As the Bribery Act makes illegal the acceptance of a bribe, controls will be needed to cover and document this aspect. Lastly, there should be overall documentation of the company’s compliance program to provide proof of ‘Adequate Procedures’ so that a defense is available under the Bribery Act.
IV. Some Suggestions
A suggested approach to evaluate your company’s internal controls under the Bribery Act would include an initial bribery-related risk assessment to include:
- Location-specific risks;
- Transaction-specific risks;
- Process-specific risks;
- Inherent risks of your industry; and
- Inherent risks due to the way your company does business.
Thereafter, the following should be considered:
- Gap analysis, including deficiencies in documentation of the performance of controls;
- A controls remediation plan, proportionate to identified risks, gap analysis, and the nature of your business operations;
- An internal controls training plan, including training for Delegation of Authority approvers, persons involved in business development, accounts payable clerks, and others;
- An internal controls monitoring plan;
- Address proof of “adequate procedures”;
- Expand the scope of third party risk assessment (not just foreign public officials and those who interact with them);
- Address risk of requesting/receiving a bribe; and
- Consider anti-bribery controls in the US.
As recently reported in the Wall Street Journal, an astonishing 73% of more than 1,000 business professionals polled by Deloitte Financial Advisory Services LLP said they were not familiar with the provisions of the Bribery Act. With an upcoming implementation date of July 1, 2011, we can only hope that these companies will wake up and smell the [Bribery Act] coffee, or tea, for our English followers.
Henry Mixon is the Principle of Mixon Consulting and can be reached via email at firstname.lastname@example.org.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2011