One of the specific requirements laid out in the 2019 Guidance, is around internal controls and more specifically control testing. It stated:
Control Testing – Has the company reviewed and audited its compliance program in the area relating to the misconduct? More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third-parties does the company undertake? How are the results reported and action items tracked?
Fortunately, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Internal Controls Framework considers assessing compliance internal controls. In “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls”, COSO laid out its views on assessing the effectiveness of internal controls. It noted that an effective system of internal controls provides “reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements that can only be met through such a structured protocol. First, each of the five components are present and functioning. Second, that the five components operate in an integrated fashion with each other. One of the most critical components of the COSO Framework is that it sets internal control standards against those which you can audit to assess the strength of your compliance internal controls.
As the COSO 2013 Internal Controls Framework was designed to apply to a wider variety of corporate entities, your audit should be designed to test your compliance internal controls. This means that if you have a multi-country or business unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward.
The Illustrative Guide suggests using a four-pronged approach in your assessment.
- Make an overall assessment of your company’s system of compliance internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.”
- There should be a component evaluation. Here you need to more deeply evaluate any deficiencies that you may turn up and whether or not there are any compensating compliance internal controls.
- See whether each principle of your compliance internal controls is present and functioning. The task here is determine if a deficiency exists and it so what is the severity of the deficiency.
- Finally, you should log all your internal control deficiencies, so they are addressed on a structured basis.
Another way to think through the approach is through a component evaluation which rolls up the results of the component’s principle evaluations and allows a re-evaluation of the severity of any deficiency in your compensating controls. Lastly, an overall Effectiveness Assessment that would look at whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This type of process would then lend itself to an ongoing evaluation so that if business models, laws, regulations or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment.
The Illustrative Guide spends a fair amount of time discussing deficiencies. Initially it defines an internalcontrol deficiency as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” A major deficiency is an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” Having a major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.”
Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. Objective criteria such as written policies in categories as laid out in the 2012 FCPA Guidance, (the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments), must be present, if you do not have such controls it would preclude management from “concluding that the entity has met the requirements for effective internal controls in accordance with the Framework.” Fortunately, such a standard is easily met.
However, if there are no objective criteria, such as those originally laid out in the 2012 FCPA Guidance and brought forward in the 2019 Guidance, to evaluate your company’s compliance internal controls, what steps should you take? The Illustrative Guide says that a business’ senior management, with appropriate Board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.”
The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” Documentation is critical in any best-practices anti-corruption or anti-bribery compliance program. With the Illustrative Guide, COSO has given the compliance practitioner a very useful road map to begin an analysis into your company’s internal compliance controls. When the SEC comes knocking this is precisely the type of evidence, they will be looking for to evaluate if your company has met its obligations under the FCPA’s internal controls provisions.
Three key takeaways:
- An effective system of internal controls provides reasonable assurance of achievement of the company’s objectives, relating to operations, reporting and compliance.
- There are two over-arching requirements for effective internal controls. First, each of the five components are present and function. Second, are the five components operating together in an integrated approach.
- For an anti-corruption compliance program, you can use the Ten Hallmarks of an Effective Compliance Program as your guide to test against.