Ed. Note: today we have a guest post from Michael Potorti, CPA, of MP Audit.
Executive Management is increasingly turning to its Internal Audit Department to assess the risk that FCPA and UK Bribery Act non-compliance poses to the business and to develop ways to mitigate those risks. In the absence of an Internal Audit function, companies are turning to outside counsel and CPAs to provide a roadmap to compliance.
Counsel can interpret the law, update Management on Government cases and enforcement trends, and identify high-risk areas within an organization. In addition to legal advice, companies need experienced auditors to design the controls that target these risk areas. Auditors are also needed to test the design and operating effectiveness of the controls once implemented, and to monitor those controls periodically to determine whether an effective internal control environment is being sustained.
OK, we now know what we have to accomplish, but how do we get there? Here are eight recommended steps:
1. Perform a Risk Assessment – look at the company as a whole using a risk-based approach – interview Executive Management, local management, etc. to get their views on where the risks lie – we don’t want to flood the organization with controls that add little value
2. Set the “Tone at the Top” – Executive Management must be on board with the effort and issue a company-wide communication stressing the importance of compliance and of full cooperation with counsel and auditors
3. Create a “Gap” Analysis – target the risk areas identified and interview the related employees to determine the current control procedures (if any) – document the deficiencies so that specific controls can be designed to mitigate each risk
4. Share Deficiencies with Management – it is important to establish and confirm the existence of these deficiencies and to develop Action Plans to remediate them – management should stress the importance of remediation to employees
5. Assign Ownership for Deficiency Remediation – local management and the employees closest to each deficiency should be responsible for developing controls (with auditor assistance) and implementing them within a pre-determined timeframe
6. Test Newly Created Controls for Effectiveness – auditors should perform a walkthrough of the activity to confirm that the control is designed and operating properly – adjustments should be made where necessary
7. Develop Standard Operating Procedures (SOPs) – controls should be aggregated and documented in SOPs, which must be reviewed and signed off on by management and should be mandatory reading for the related employees and for new hires
8. Monitor – perform periodic testing of the related controls to determine whether they are still operating effectively – adjust them where necessary to reflect changes in the business environment (e.g. changes to job descriptions or to the structure of the company).
This preventive effort and the controls it puts in place could save the organization from millions in fines, from shareholder lawsuits, and from reputational damage.
Michael Potorti can be reached at firstname.lastname@example.org.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal, or other professional advice or services. This publication is not a substitute for such advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication.