Everyone gets tired of the phrase “Follow the Money.” The origin of the statement is supposedly from Deep Throat to Woodward and Bernstein during the Watergate investigation. (As an aside, recent Watergate books have called into question how much information Deep Throat (Mark Feld from the FBI) really had and how much he really gave to Woodward and Bernstein but that is another story . . . ). Following the money did eventually break the Watergate case, with the help of Judge Sirica and the Senate Watergate Committee investigation.
When it comes to bribery, here is a profound statement – a company cannot bribe unless the briber has access to money. So in the end, if you can control every penny spent, you can protect your company from paying bribes to foreign officials.
While it does sound too obvious, there is a point to be made. Compliance, legal and auditing staff need to focus on internal control and how employees obtain authority and access to money. Anti-corruption compliance programs ignore or downplay the importance of internal controls and the fundamental question of authority and access to money. Internal controls need to be designed around fundamental principles:
1. Does the person requesting the money have a legitimate reason to request the money?
2. Is the person’s request for money for an authorized expenditure?
3. Has the person submitted, or is there, adequate documentation in support of the person’s request for money?
4. Are there adequate controls in place to verify the answer to questions 1 through 3?
5. Is the person requesting the money required to supply documentation that the expenses was authorized, was paid, and was paid for the specified purpose?
These are the five basic questions to “follow the money.” It is surprising how many companies cannot answer these five questions in the affirmative.
Financial controls also need to be built into the due diligence process for review of potential third parties. Companies have to use financial controls and integrate payment systems for third parties into the company’s basic financial controls. Written contract provisions, monitoring programs for third parties and financial controls can operate together to minimize any risk identified with third parties.
Many companies do not have a central database of approved contracts (or one that is kept up to date). Even when companies have a central database of approved contracts, they often do not have a mechanism in place to coordinate or link the requested payment to an approved contract. This leads to a dangerous situation where payments can be made for unauthorized or unknown purposes, just on the say so of a specific individual. That is a recipe for disaster and a possibility for bribery or other unauthorized uses of company assets.
Some companies convince themselves that their controls are adequate when the CFO carries a huge amount of responsibility in their heads and on their shoulders. While it is great to have an active and knowledgeable CFO, no one person can carry such responsibilities. Financial controls should be in place to relieve the CFO from such a burden. In the end, adequate financial controls can elevate corporate performance and responsibility.