There are four significant controls that I would suggest the compliance practitioner implement initially. They are: (1) Delegation of Authority (DOA); (2) Maintenance of the vendor master file; (3) Contracts with third parties; and (4) Movement of cash / currency.
Your DOA should reflect the impact of compliance risk including both transactions and geographic location so that a higher level of approval for matters involving third parties, for fund transfers and invoice payments to countries outside the US would be required inside your company. While it is quite often true that a DOA is prepared without much thought given to compliance risks, once a DOA is prepared it is not used again until it is time to update for personnel changes. Moreover, it is often not available, not kept current, and/or does not define authority in a way even the approvers could understand it. Therefore, it is incumbent that the DOA be integrated into a company’s accounts payable (AP) processing system in a manner that ensures all high-risk vendor invoices receive the proper visibility. To achieve this, you should identify the vendors within the vendor master file so payments are flagged for the appropriate approval BEFORE they are paid.
Furthermore, if a DOA is properly prepared and enforced, it can be a powerful preventive tool for compliance. Consider the following example: A wire transfer between company bank accounts in the US might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of the same amount to the company’s bank account in Nigeria, could require approval by the Finance Manager, a knowledgeable person in the compliance function, and one officer. In this situation, the DOA should specify who must give the final approval for engaging third parties. Finally, a DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US.
The vendor master file, can be one of the most powerful PREVENTIVE control tools largely because payments to fictitious vendors are one of the most common occupational frauds. The vendor master file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. There should be electronic controls in place to block payments to any vendor for which vetting has not been approved. Next manual controls are needed over the submission, approval, and input of changes to the vendor master file. These controls include verification that all vendors have been approved before their information (and the vendor approval date) is input into the vendor master. Finally, manual controls are also needed when “one time” vendors are requested, when a vendor name and/or vendor payment information changes are submitted.
Near and dear to my heart as a lawyer, contracts with third parties can be a very effective internal control which works to prevent nefarious conduct rather than simply as a detect control. I would caution that for contracts to provide effective internal controls, relevant terms of those contracts, including for instance the commission rate, reimbursement of business expenses, use of subagents, etc.,) should be made available to those who process and approve vendor invoices. If there are nonconforming service descriptions, commission rates, are present in a contract, the terms must be approved not only by the original approver but also by the person so delegated in the DOA. Unfortunately, contracts are not typically integrated into the internal control system. They are left off to the side on their own, usually gathering dust in the legal department file room.
The Hewlett-Packard FCPA enforcement action was an excellent example of the lack of internal control over the disbursements of funds and movement of currency because you had the country manager delivering bags of cash to a Polish government official to obtain or retain business. All situations where funds can be sent outside the US, including such methods AP computer checks, manual checks, wire transfers, replenishment of petty cash, loans, advances; should all be reviewed from the compliance risk standpoint. This means you need to identify the ways in which a country manager or a sales manager, could cause funds to be transferred to their control and to conceal the true nature of the use of the funds within the accounting system.
To prevent these types of activities internal controls, need to be in place. This means all wire transfers outside the US should have defined approvals in the DOA, and the persons who execute the wire transfers should be required to evidence agreement of the approvals to the DOA and wire transfer requests going out of the US should always require dual approvals. Lastly, wire transfer requests going outside the US should be required to include a description of proper business purpose.
The bottom line is that internal controls are just good financial controls. The internal controls that detailed for third party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption.
Three Key Takeaways
- Remember the top four internal controls for an effective compliance program.
- Effective internal controls should do more than protect but also prevent internal program violations.
- Effective internal compliance controls are good financial controls.
There are four key internal controls which every compliance professional needs to incorporate into their program.Click to tweet
For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.