One of the new areas articulated in the Evaluation of Corporate Compliance Programs (Evaluation) was around payments and payroll. For the both the compliance professional and the corporate payroll function, there is a significant role for a corporate payroll function in the operationalization of a corporate compliance program.
It is found in Prong 4, “Operational Integration”, which is the section that includes who is responsible for integrating your policies and procedures throughout your organization, what internal controls are in place and specific inquiries into the role of the company payment system in any Foreign Corrupt Practices Act (FCPA) violation and how oversight is dedicated in your organization. The questions posed are, “Payment Systems – How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?” This is immediately followed by an equally important set of questions, “Approval/Certification Process – How have those with approval authority or certification responsibilities in the processes relevant to the misconduct known what to look for, and when and how to escalate concerns? What steps have been taken to remedy any failures identified in this process?” Finally, the questions around payment systems are proceeded by the following, “Controls – What controls failed or were absent that would have detected or prevented the misconduct? Are they there now?”
Taken together, these three groups of questions may not seem particularly new, innovative or even something different from what payroll currently does for an organization. However, the Evaluation, with its emphasis on the operationalization of a corporate compliance program, clearly demonstrates the role of payroll in compliance. The Evaluation requires that payroll not only form a part of any best practices compliance program but when it comes to the specific subject matter expertise (SME), payroll is on the front lines of any attempts to prevent, detect and then remediate anti-corruption compliance violations.
The FCPA prohibits “anything of value” to be provided to foreign government officials or employees of state-owned enterprises to obtain or retain business. This “anything of value” is almost always money and that money must come from somewhere inside the company. While the Watergate intonation to ‘follow the money’ certainly continues to be valid in any FCPA issue, the Evaluation speaks in much more depth around payroll’s responsibility in a corporate compliance program. There must be demonstrable controls in place which not only detect fraudulent payments but work to prevent any such payments as well.
Yet when the three inquiries are read together, they paint a broader picture than one of simply tasking payroll with the responsibility to prevent fraudulent leakage of money which could be used to fund bribes. The questions around the approval/certification process should be a standard part of any payroll system. This has the effect of operationalizing the responsibility up and down the management chain from the individual employee, up through their manager(s) and eventually to the highest level of management involved in the process. This level of operationalization is designed to not only put a set of brakes in place but also work to put a second set of eyes on the entire payroll process.
Finally, the questions proceeding the payment systems questions speak to the remediation prong of any best practices compliance program. If there was a payroll control failure which led to or even allowed a FCPA compliance violation, what was done to fix the control issue? Here payroll should work to perform a root cause analysis of what led to the control failure and then enhance or upgrade the control to provide a solution going forward. Of course, there should be a fully documented audit trail for this work to provide to the government should they ever come knocking or even to your own corporate auditors.
This means that not only can payroll be one of the compliance function’s strongest corporate allies, the role of payroll, by its nature, works to operationalize compliance. This is because to implement the appropriate internal controls around compliance, payroll must know the specific requirements of the FCPA, know what kinds of issues are likely to come up that might create a risk of bribery and corruption, all leading to an understanding of the appropriate compliance internal controls to implement around payroll and payments.
This is most particularly true around offshore payments, which are generally defined as payments made to a location other than the home domicile of the party or the location where the services where delivered. If a Tunisian agent who performs services in Dubai asks for payment in a location other than Dubai or Tunisia, that would qualify as an offshore payment. If you train people who are in payroll on this issue, they may well pick up the phone, and notify compliance when they see a request for payment in a geographic location separate and apart from one of the two standard payment venues. Those are the types of communications, when properly documented, that demonstrate your compliance program is operationalized into the fabric of the organization.
Another way to view it is if there is a payroll control for such a scenario which notes the exception and requires the clearance of a red flag through additional investigation, elevation for approval and documentation of the entire process. This is a financial control which acts as a compliance control as well. It strengthens the company’s internal controls to both prevent and detect key compliance risks going forward.
Max van der Klis-Busink, in his Global Payroll Management Institute’s three-part series, entitled “Take Charge With a Global Payroll Control Framework”, laid out how to design, implement and then improve internal controls around global payroll. His article details how one can operationalize payroll controls to answer the questions posed in the Evaluation.
There are several specific internal payroll controls which will facilitate a company operationalizing its compliance program, as required under the Evaluation. These controls help keep an eye on the money trail as the money to pay a bribe is usually hidden in some company expenditure. The four general areas of payroll control should include: (1) Segregation of duties; (2) Accountability, authorization, and approval; (3) Security of assets; and (4) review and reconciliation.
To meet these four general goals, consider using a selection of the following controls for payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid:
- Audit. Have either internal or external auditors conducted an annual audit of the payroll accuracy.
- Change authorizations. Only allow a change to an employee’s marital status, withholding allowances, or deductions if the employee has submitted a written and signed request for the company to do so. Any change request should be reviewed and approved by a senior manager.
- Change tracking log. If you are processing payroll in-house with a computerized payroll module, have secure change tracking which will provide an audit trail.
- Expense trend lines. This is your data and it is within your company somewhere. Look for changes in payroll-related expenses in the financial statements and then investigate if warranted.
- Issue payment report to supervisors. Request supervisors review payroll summaries for correct payment amounts and unfamiliar names.
- Restrict access to records. Prevent unauthorized access to payroll records.
- Segregation of duties. You should never allow one person to prepare the payroll, authorize it and create payments.
The role of global payroll in FCPA compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes in violation of the FCPA must come from somewhere. Unfortunately, one of those places is out of payroll. All Chief Compliance Officers (CCO) need to sit down with his or her head of payroll, have them explain the role of payroll, then review the internal controls in place to see how they facilitate the goals of compliance. From that review, you can then determine how to use payroll to help to operationalize your compliance program.
The Department of Justice (DOJ) has now provided its clearest statement on how it expects a company to actually do compliance going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from FCPA violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process, which should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well suited corporate discipline to provide this first level of oversight and controls.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2018