Under the Prong entitled “Policies and Procedures” subtexted Operational Integration, the Evaluation states:
Payment Systems – How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?
While of the basic Watergate maxims has always been appropriate in any FCPA investigation, Follow The Money, the Evaluation takes payment systems and their internal controls several steps further past the detect and even investigatory precepts. There is not a set of “compliance internal controls” but rather internal controls permeating throughout an organization which creates their effectiveness. Today, we examine what are effective compliance internal controls and how the payroll function can assist in fulfilling the mandate requirements to operationalize your compliance program.
What are internal controls?
What are internal controls in a FCPA compliance program? The starting point is the law itself, and as stated in the FCPA requires the following:
Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:
devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—
(i) transactions are executed in accordance with management’s general or specific authorization;
(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;
(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and
(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences ….
The Department of Justice and SEC, in their 2012 FCPA Guidance, state, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”
The FCPA Guidance specifies that internal controls are a “critical component” of a best practices anti-corruption compliance program. This is because the design of an organization’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption. A company’s compliance program should be tailored to these differences. After a company analyzes its own risk, through a risk assessment, it should design its most robust internal controls around its highest risk.
Global Payroll Internal Controls
Max van der Klis-Busink, in his Global Payroll Management Institute’s three-part series, entitled “Take Charge With a Global Payroll Control Framework”, laid out how to design, implement and then improve internal controls around global payroll. His article details how one can operationalize your payroll controls to answer the questions posed in the Evaluation.
There are several specific internal payroll controls which will facilitate a company operationalizing your compliance program, as required under the Evaluation. These controls help keep an eye on the money trail as the money to pay a bribe is usually hidden in some company expenditure. The four general areas of payroll control should include: (1) Segregation of duties; (2) Accountability, authorization, and approval; (3) Security of assets; and (4) review and reconciliation.
To meet these four general goals, consider using a selection of the following controls for payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid:
- Audit. Have either internal or external auditors conducted an annual audit of the payroll accuracy.
- Change authorizations. Only allow a change to an employee’s marital status, withholding allowances, or deductions if the employee has submitted a written and signed request for the company to do so. Any change request should be reviewed and approved by a manager more senior.
- Change tracking log. If you are processing payroll in-house with a computerized payroll module, have a secure change tracking which will provide an audit trail.
- Expense trend lines. This is your data and it is within your company somewhere. Look for changes in payroll-related expenses in the financial statements and then investigate if warranted.
- Issue payment report to supervisors. Request supervisors review payroll summaries for correct payment amounts and unfamiliar names.
- Restrict access to records. Prevent unauthorized access to payroll records.
- Segregation of duties. You should never allow one person prepare the payroll, authorize it and create payments.
The role of global payroll in FCPA compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes in violation of the FCPA must come from somewhere. Unfortunately, one of those places is out of payroll. All Chief Compliance Officers need to sit down with his or her head of payroll, have them explain the role of payroll, then you should to review the internal controls in place to see how they facilitate the goals of compliance. From that review you can then determine how to use payroll to help to operationalize your compliance program.
Three Key Takeaways
- The Evaluation focuses your preventive prong on payroll, supplementing the prior focus on detection controls.
- You still need internal controls around payroll to ‘follow the money’.
- Do not forget upgrading and updating payroll controls.
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.