Farewell to Lou Brock and Implementing Internal Controls

Thomas Fox - Compliance Evangelist

Today, I want to honor one of my favorite St. Louis Cardinals, Lou Brock, who passed away last week. First of all, a huge shout out to Cardinal uber fan Tim Erblich for sharing The Athletic piece, Lou Brock’s fearlessness and joy made him a Cardinal legend, from which these stats are derived. Brock was first and foremost a gentleman and is known for many achievements. He was the ‘lop’ in the most lop-sided baseball trade of all time, in which the Chicago Cubs sent him to St. Louis for Ernie Broglio. The trade was clearly race-based, as the Cubs had two other Negro stars, Ernie Banks and Billy Williams, and did not want a third.

Brock held the Major League Baseball (MLB) record for single-season stolen bases, swiping 118 bases in 1974. (Rickey Henderson later broke this record.) He had over 3,000 hits. But even with all that greatness, Lou Brock was probably one of the best World Series players of all time. “In the 1967 World Series, he hit .414, stole seven bases and scored eight runs. In the 1968 World Series, he hit .464 with another seven stolen bases and six extra-base hits.” Somewhere in the Field of Dreams, Lou Brock has singled and, with head down, is gunning for second.

In an odd way, it is Brock who informs today’s blog post. Brock was the master of doing the little things right, all the time. He also informs some of the ways in which a compliance professional can work to implement internal controls in a multi-national organization. The first step is to convert your company’s compliance risks into internal control objectives. The internal control objectives are then given to each business unit with instructions to develop controls that meet the objectives. This process allows more of a fine-tuning approach within existing systems than the development by corporate of specific controls which all business units must adopt, and it gives the business unit a sense of buy-in and participation in the process.

One example of how the process might work is the situation where the compliance risk is that a third-party representative may be paid for an invoiced amount before that third-party representative has gone through your company’s full third-party approval process. Here your control objective is that internal controls should be in place to ensure that no vendors are added to the vendor master file until the vendor has been approved. If your company has a sophisticated ERP system, such as SAP, where checks are generated from the vendor master file and signed by the computer, this control objective may be met by adding a field to the vendor master file into which the date the vendor was approved is entered, and by programming the system so that vendor information cannot be pulled into a check unless the designated fields are populated. There would also be manual controls to ensure the data is not entered inappropriately. These internal controls would translate into a form for changes to the vendor master file which is initiated by the person in charge of vendor due diligence and requires a ‘second set of eyes’, that is, sign off by a second person, such as the Controller. Through this mechanism, you have created a primary control through your third-party approval process and validated that process whenever a change is made.

What if your location or business unit involved does not have a sophisticated ERP system? In this situation, the control objective could be satisfied by using a similar form for changes to the vendor master file combined with the requirement that a report of all changes is printed and submitted to the check signers, along with the applicable approved vendor change request.
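The two versions of the control described above (the automated gate on the approval-date field, and the change report submitted to the check signers) as an added, illustrative model; this is not code from any ERP system or from the author, and the vendor names, IDs and people are constructed sample values:

```python
"""Model of a vendor-master approval gate with a 'second set of eyes' and a change report."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Vendor:
    vendor_id: str
    name: str
    approved_on: Optional[date]   # the added field: populated only after due diligence sign-off

class VendorMaster:
    def __init__(self):
        self.vendors = {}
        self.change_log = []        # feeds the printed report for the check signers

    def add_vendor(self, vendor, initiated_by, signed_off_by):
        """Control objective: no vendor enters the master file until approved."""
        if vendor.approved_on is None:
            raise PermissionError("vendor has not completed the third-party approval process")
        if initiated_by == signed_off_by:
            raise PermissionError("second set of eyes required: initiator cannot sign off")
        self.vendors[vendor.vendor_id] = vendor
        self.change_log.append((vendor.vendor_id, initiated_by, signed_off_by, vendor.approved_on))

    def generate_check(self, vendor_id, amount, invoice_date):
        """Automated gate: the check run refuses any vendor whose approval field is empty
        or whose approval postdates the invoice (the 'paid before vetted' risk)."""
        vendor = self.vendors.get(vendor_id)
        if vendor is None or vendor.approved_on is None:
            raise PermissionError("vendor not in master file or approval date not populated")
        if invoice_date < vendor.approved_on:
            raise PermissionError("invoice predates vendor approval; hold for review")
        return {"payee": vendor.name, "amount": amount, "approved_on": vendor.approved_on}

    def change_report(self):
        """Manual-control variant: the list of all master-file changes, printed and handed
        to the check signers together with the approved change request forms."""
        return [f"{vid} initiated_by={init} signed_off_by={signer} approved_on={d}"
                for vid, init, signer, d in self.change_log]

def demo():
    """Constructed sample run: one properly approved agent and one not yet vetted."""
    vm = VendorMaster()
    vm.add_vendor(Vendor("V-100", "Approved Agent Ltd", date(2020, 8, 1)), "due_diligence", "controller")
    check = vm.generate_check("V-100", 5000.0, date(2020, 9, 1))
    try:
        vm.add_vendor(Vendor("V-200", "Unvetted Agent", None), "due_diligence", "controller")
    except PermissionError as blocked:
        return check, str(blocked), vm.change_report()
```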

One of the banes of any compliance practitioner is the push back they inevitably receive when they attempt to institute something new or different. The same is true of internal controls. What happens when the compliance function receives push back and is told the controls are too burdensome and will make operations less efficient? Many business development types will raise the hue and cry that internal controls prevent them from effectively running the business. Finally, there are many groups in any company that may well say that a re-work of internal controls will cost too much money.

Consider benchmarking against other companies’ compliance experiences. This can be expanded into solid presentations about why it is important to assess and mitigate compliance risks, using your corporate peers that have been the subject of Foreign Corrupt Practices Act (FCPA) enforcement actions. These are some of the best sources of information a compliance practitioner can avail himself or herself of: they provide good insight into why those companies never expected to be subject to FCPA enforcement, and into the extreme disruption, cost and anxiety which accompanied the enforcement actions.

The premise is that the cost of controls should not exceed the benefits to be obtained, so it really comes down to internally selling the cost-benefit analysis. If the selling is done after at least a basic risk analysis, then it should be relatively easy to obtain concurrence that certain risks must be mitigated and that the benefits exceed the expected costs. Furthermore, there are occasions where there are no costs associated with improving controls. A good example is when re-alignment of duties using existing staff achieves an improved set of internal controls. Another example is when manual controls can be converted to electronic controls, so that the only costs are programming and re-training.

Another key factor, as with all compliance initiatives, is “tone at the top.” This means that you should meet with and present the case for compliance-focused internal controls to your company’s ELT, the Audit Committee/Compliance Committee of the Board or other appropriate group of senior executives. The presentation should include, with examples, the importance of identifying and mitigating compliance and fraud risks. Some of these might include the following:

  • Illustrating the examples of how the controls can prevent bribery as well as many other types of occupational fraud;
  • Illustrating that the controls needed are all sound business controls, nothing exotic or out of the ordinary;
  • With proper control design, it may be possible to eliminate some existing detective controls in favor of more useful preventive controls or even prescriptive controls;
  • As a result of your business changes and resulting changes in assessed risks, it may be that some procedures now being performed are no longer needed and the resources can be shifted to more necessary controls; and
  • It may be possible to build in more electronic controls, which can replace existing manual controls.

What if your company does an assessment of the internal controls over financial reporting as part of Sarbanes-Oxley (SOX) compliance, and the Chief Financial Officer (CFO), or other appropriate corporate officer, annually certifies that the internal controls are effective? How should such a situation be dealt with, or, conversely, how might a compliance professional respond?

There are two primary reasons why the assessment under SOX is not sufficient for a compliance officer’s purposes. One is the scope of the SOX assessment and the second is the design of the SOX assessment. On scope, the SOX process addresses only the internal controls over financial reporting, that is, the controls in place to prepare the financial statements for presentation to third parties. That process does not address the risks, or the control needs, with respect to the FCPA. Consider internal controls over disbursements, which may be evaluated as effective if there is a three-way match of the approved purchase order, the vendor invoice and the receiving report. Those controls do not address the risk that an agent may submit an invoice before the agent has been vetted and that the invoice will be paid. They also do not address whether the agent’s invoice was reviewed for a proper description of the business purpose and for consistency with the approved contract with the agent.

The second primary reason SOX certification of financial internal controls is not enough by itself is the design criteria. SOX allows a materiality threshold. This means that operations outside the US may be excluded from scope due to materiality. It may also mean that some functions are operating below the financial internal controls level. Compliance professionals need to continually remind others that there is no materiality requirement in FCPA enforcement.

Good compliance internal controls are not some standalone protective measure. They can help to make a company run more efficiently, as the internal controls that prevent FCPA violations are the same ones that prevent fraud in the workplace. The presence of good internal controls saves money by preventing fraud. It is a business best practice to prevent fraud, which includes preventing corruption. One need only consider Ethisphere and its annual survey of the world’s most ethical companies, which exceed the Standard & Poor’s index of average profits and growth by a factor of 4X. A key reason such companies have better than average profitability is that they have better internal controls.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox - Compliance Evangelist | Attorney Advertising
