Ed. Note: I recently asked my colleague Henry Mixon, CPA, if he could explain the differences between internal controls required under financial regulations such as Sarbanes-Oxley and internal controls required under anti-corruption laws such as the Foreign Corrupt Practices Act. The following is his explanation.
Relying on Sarbanes-Oxley (SOX) and independent audits presents significant risk of internal controls not being effective to comply with anti-bribery laws. Company management often believes that, because they have independent auditors and because they are SOX compliant, they don’t need any additional focus regarding compliance with anti-bribery laws. While independent audits and procedures required for SOX are useful, there are several reasons why focused attention needs to be paid to certain internal control objectives in order to have an effective anti-bribery compliance program.
1. The overriding concept is that effective internal controls do not automatically follow when Policy Statements are issued. Training employees regarding new policy requirements and obtaining their certification of understanding does not ensure compliance. A specific focus is needed to ensure there are control procedures in place to ensure compliance with the policies.
2. SOX controls are, by definition, focused on financial reporting. They do not address many transaction level controls needed to prevent violations of Anti-Bribery laws. Based on my experience assisting clients remediate internal controls to satisfy an independent monitor and the Department of Justice (DOJ), I have compiled a list of controls which should be considered on a risk basis to determine effective controls needed to prevent violations. Shown below are only a few of the control objectives which are needed in an effective Compliance Program which, for materiality or other reasons, are typically not in SOX (or independent audit) scope:
a. Controls to prevent payment of bribes using cash (petty cash funds and otherwise) and using manual checks to meet “emergency needs” processed outside the normal invoice approval system. A Corporate review of such transactions after the fact is not a sufficient control. (In each Independent Monitor situation, there was a substantial focus on risks associated with petty cash funds and manual checks.)
b. Because bribes can be given by methods other than cash, controls over contractual relationships with third parties should be scrutinized. This includes contracts with agents, contracts to lease facilities / equipment, etc. For example, unauthorized use of Company assets / facilities, with or without compensation, can be a means to pay a bribe. Therefore, controls are needed over movement of inventory (such as shipments of inventory to non-customer locations and use of mobile fixed assets). For example: (1) controls are needed to ensure shipments of goods after they have been accepted and paid for result in appropriate compensation to the Company; (2) controls are needed to ensure Company vehicles are not “loaned” to unauthorized persons without adequate compensation to the Company.
c. Controls are needed over gifts, entertainment, hospitality, political contributions, and charitable contributions. For materiality reasons (see below), these controls are typically not included in SOX scope.
d. Enforcement of an effective Delegation of Authority (including the accounting controls for processing / approving vendor invoices, signing checks) is typically not addressed in SOX scope but is a critical control from a Compliance perspective. For example, when dual signatures are required, what is the control to ensure they are obtained? (Banks will pay checks with only one signature, even if two are required.) As another example, controls should be in place to ensure document approvers actually review support for transactions they are approving, and these controls must be evidenced for the Compliance Program to be considered effective.
e. Use of offline processing and maintenance of key information related to vendors and disbursements (such as Excel spreadsheets which can impact payments to vendors or which track entertainment provided to third parties) presents risk. Therefore, controls over the creation and maintenance of spreadsheets which “feed” the financial accounting process require evaluation.
f. Employment of “contract” employees, as well as permanent employees in foreign locations, requires controls in the payroll processing to ensure the employees’ status as a current / former Government Official, or as a relative of a Government Official, is identified in pre-hire diligence and that effective oversight is established regarding the hours actually worked, the type of work performed, and the compensation paid.
g. The controls regarding creation / approval / unauthorized modification of Purchase Orders should be carefully evaluated, not just the focus on the three-way match.
h. Controls should be in place regarding maintenance of the vendor master file to ensure no vendors are paid unless there has been appropriate due diligence performed. Controls should be in place to prevent situations where the vendor has invoiced the company and wants to be paid, but the vendor’s name is not in the vendor master file as an approved vendor. Having controls over changes to the vendor master is more effective than only having a policy that all vendors must be subject to diligence and pre-approval.
i. Having controls to ensure compliance with reimbursement to employees for travel and other business expenses is critical. Requiring a manager to initial an expense report does little to prevent unauthorized activities, unless there is evidence the approver actually looked at the substance of the requested reimbursement.
3. SOX and Generally Accepted Auditing Standards allow a scope definition which eliminates business locations / business units which are considered to be immaterial, as well as eliminating types of transactions / accounts not considered material for financial reporting purposes. Therefore relying on a SOX-acceptable universe of control assessment based on materiality increases the risk of violations occurring. Many of the instances of prosecution by the DOJ and by the SEC involved business locations considered immaterial for financial reporting (SOX) purposes. The DOJ and the SEC have been very specific that individually immaterial violations over time constitute a violation and that even improper recording of immaterial transactions determined to be bribes violates, respectively, the anti-bribery and Books and Records provisions of the FCPA.
Using a standard other than the traditional financial statement concept of materiality does not necessarily mean controls need to be more extensive. Rather, the controls which are needed for an effective Compliance Program take into account the risk of violation (such as inherent corruption index and the inherent risk of certain types of transactions and business relationships) rather than the number of transactions or cumulative financial totals of transactions. For example, controls in countries with a Corruption Perception Index (CPI) of 3 or less should be robust, regardless of volume of transactions. Doing business with agents and foreign business partners generally presents higher risk than with other third parties. Transactions which may be immaterial for financial reporting purposes (petty cash disbursements, gifts, charitable contributions, etc.) may present significantly higher Compliance risk than their individual financial amounts might indicate.
4. SOX allows a significant portion of controls to be “detect” controls. Anti-bribery laws require a specific focus on “preventive” controls. If improper payments are identified by “detect” controls which review disbursements and asset disposals after the fact, the identification of suspicious transactions only leads to a decision whether to self-report and how extensive (expensive) an internal investigation is needed to determine the company-wide magnitude of the issue. Little has been done to prevent the improper activity. (Accordingly, relying on a SOX approach will not meet the burden of proof necessary to satisfy the “prevent” requirements of the UK Bribery Act.)
5. The SOX approach does not take into account the high evidence standard which comes into play when there is a suspected Compliance violation. Certain types of controls should have more robust documentation from a Compliance perspective than from a “traditional” perspective. The “evidence standard” issue is very significant when third party investigations are at hand. For example, an initial on a document means someone initialed the document. It does not define what the person did before initialing the document or the representations which are being made when the person initials a document. Often such evidence is simply a matter of defining control procedures and of modifying approval blocks on forms.
If you are going to be in Houston on December 7, myself, Mike Volkov and the Bribery Act guys, Richard Kovalevsky QC and Barry Vitou will be making their only US appearance this year. Mike and I will review some of the more significant enforcement matters of 2011 and discuss lessons which may be drawn from them. Richard and Barry will discuss the Bribery Act. Best of all, the event is free and CLE will be provided. Event details and registration are found at http://events.r20.constantcontact.com/register/event?llr=myqi4pcab&oeidk=a07e55t5re06e78f1e3. I hope you can make it!
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication.