It is a new month and a new topic for 31 Days to a More Effective Compliance Program. In September, I will consider internal controls. I am pleased to welcome back Affiliated Monitors, Inc. (AMI) as this month’s sponsor of the podcast series. For compliance officers with a legal background, internal controls are perhaps the least understood component of a best practices compliance regime. However, have no fear as by the end of September you will have a full grounding in internal controls.

Over this series, I will discuss internal controls from a variety of angles: from the key internal controls for compliance, to mapping your internal controls, to the COSO 2013 Internal Control Framework, to some of the top failures around internal controls in Foreign Corrupt Practices Act (FCPA) compliance programs. So, join me every weekday at noon in the month of September to learn more about internal controls and how to implement them into your compliance program.

What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. The starting point is the FCPA itself, which states the following:

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences ….

The Department of Justice (DOJ) and Securities and Exchange Commission (SEC), in the FCPA Resource Guide, 2nd edition, stated:

Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.

…the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.

Perhaps the best definition I have ever heard came from Jonathan Marks, Partner at Baker Tilly US, LLP, who defined an internal control as an action or a process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive and corroborative actions required to achieve the desired process outcomes or objectives. This, along with continuous auditing, continuous monitoring and training reasonably assure:

  • The achievement of the process objectives linked to the organization’s objectives;
  • Operational effectiveness and efficiency;
  • Reliable (complete and accurate) books and records (financial reporting);
  • Compliance with laws, regulations and policies;
  • The reduction of fraud, waste and abuse; which
  • Aids in the decline of process and policy variations leading to more predictive outcomes.

 Cited with approval of Jonathan Marks

COSO, in its 2013 publication entitled “Internal Controls – Integrated Framework”, defined internal controls as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.” More specifically, internal controls are, according to COSO:

  • Geared to the achievement of objectives in one or more categories – operations, reporting, and compliance
  • A process consisting of ongoing tasks and activities – a means to an end, not an end in itself
  • Effected by people – not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control
  • Able to provide reasonable assurance – but not absolute assurance, to an entity’s senior management and board of directors
  • Adaptable to the entity structure – flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process

The Integrated Framework goes on to note, “This definition is intentionally broad. It captures important concepts that are fundamental to how organizations design, implement, and conduct internal control, providing a basis for application across organizations that operate in different entity structures, industries, and geographic regions.”

The whole concept of internal controls is that companies need to focus on where the risks are, whether they be compliance risks or other, and allocate their limited resources to putting controls in place that address those risks. In the compliance world, of course, your two big risks involve the assets or resources of a company. The first is company assets, not just cash but inventory, fixed assets, etc., being used to pay a bribe. The second is diversion of company assets, such as unauthorized sales discounts or receivables and write-offs, which are used to pay a bribe.

As an exercise, I suggest that you map your existing internal controls to the Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where control gaps may exist. This will help you to determine whether adequate compliance internal controls are present. From there you can move to see if they are working in practice or “functioning.” Internal controls will only become more important in FCPA enforcement. In this chapter, you will learn how to get ahead of the curve.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2020