[author: Troy McAlister]
Ed. Note-today we have a guest post from Troy McAlister, who brings 20 years of experience at both public and private companies, in public accounting and in a variety of industries. Troy has experience in establishing and managing multiple corporate compliance and internal control programs including working directly with and resolving a DOJ appointed monitor. Troy lives in the greater Houston area, has his MS and BBA from Texas A&M University and a CCEP certification.
Internal controls as an integral component of a compliance program have been a hot topic of late with recent updates to the FCPA Resource Guide. 2nd edition, the 2020 Updates to the DOJ Evaluation of Compliance Programs and of course Tom Fox’s podcast on 31 days to a More Effective Compliance Program. Many discussions have focused, and rightly so, on primary controls such as delegation of authority, transfers of cash, vendor master files and disbursement controls for international operations and FCPA risk. These are particularly common controls in the world of public companies, Sarbanes-Oxley and even private companies who focus on internal controls over financial reporting. However, don’t let the presence of these controls lull you into a false sense of confidence.
Internal controls over financial reporting will typically use a level of materiality that is higher than what an anti-corruption compliance program can accept. Compliance programs need internal controls that are tailored for fit. The higher the risk, the more stringent the control. Compliance programs also need to ensure their controls are comprehensive as perpetrators will look to exploit areas of lesser control. To address this, you need to develop a deeper understanding of your international operations and explore non-traditional ways of getting assets and value out of your organization. Allocate ample time to visit, or in today’s world of COVID-19, hold numerous calls with a wide range of personnel at your international location. Talk through the processes from start to finish with leadership, managers and front-line employees. Conduct a detailed analysis of the location’s general ledger accounts and activities with financially savvy individuals. The more comprehensive your understanding, the better you will be able to assess not only the presence of controls, but how adequately they are designed to mitigate risk.
The following are a few examples of risk areas that require additional scrutiny to ensure your internal controls are designed and operating effectively:
Organization Charts and Delegation of Authority: Just because you have something that says “Delegation of Authority” it doesn’t mean it’s an effectively designed control. Compare the delegation of authority to organization charts. If one, or a few individuals exercise considerable, if not exclusive, authority at the location, they may be able to perpetrate and cover up inappropriate activities. Incorporating matrix structures can help improve checks and balances and strengthen the control. Conversely, look at delegated authority levels to personnel such as sales representatives to ensure they haven’t been allocated too much autonomy and authority.
Bank and Petty Cash Accounts: Drill into general ledger account details and interview personnel to ensure you know all sources of cash payments such as use of a central company-wide disbursement account, local bank accounts, manual checks or petty cash. Ask who has authority to open and close accounts locally, even if think you already know the answer to that question. Compare your notes with corporate finance/treasury to ensure consistency in understanding and adherence to policy. Manual checks and petty cash accounts often fall underneath financial reporting materiality levels. Both should have robust request documentation, approval and reconciliation processes or should be eliminated completely. Also, look at establishing data analytic reports that show volume (both dollar and number of transactions) that flow through these accounts.
Credit Cards and Reimbursements: Ask personnel about use of credit cards and reimbursements to determine if they are using a company-wide credit card program, p-cards, personal credit cards or some combination of these. Ensure strong oversight of these programs with emphasis on minimizing use as much as possible. Look to use expense reporting systems. If that is not an option, establish standard manual forms. Evaluate approval structures to ensure no one individual is approving an excessive number of credit cards transactions, otherwise, it is unlikely that their review is an effective control. Establish data analytics on the number of credit cards, the volume of transactions and the categories of spend.
Cash Advances: If the location engages in cash advances, establish standardized request forms, required pre-approvals, robust tracking and matching of expenses guidelines. Scrutinize how well outstanding balances are reconciled and monitored and what escalation and investigation procedures are.
Asset Disposals and Write-Offs: Write-off or disposal of assets is potentially an easy way to get assets or items of value out of the company and into someone else’s hands. This is particularly true for assets such as computers, monitors and phones that may be below capitalization thresholds. Evaluate who has authority to approve write-offs or disposals and whether there is any central oversight. Consider establishing controls on who assets are sold, scrapped or otherwise disposed to such as pre-approved lists. Establish master inventory lists and periodic asset verification procedures and escalation/approval protocols for missing items. Scrutinize periodic reconciliation processes to ensure proper attention is given to such activities and unreconciled items.
System Transparency: Having an international location on the same system and platform as your corporate function serves as a deterrent for inappropriate activity due to access and transparency. If an international location is on a separate system, look into oversight processes including periodic financial reviews and reports. Work with accounting or other personnel to include certain high-risk activities as part of the recurring review process or establish new processes which compliance is involved.
Understanding and context are pre-requisites in identifying and designing your compliance internal controls. This requires patience and diligence and a mix of legal, compliance, controls and accounting skillsets on your team. When done right, you will be further down the path to your goal of having effective controls in your compliance program.
- Internal controls over financial reporting are good, but they alone are not sufficient for an effective compliance program.
- A detailed understanding is necessary of operations in order to establish and identify appropriate internal controls.
- Only after careful scrutiny of control design and procedures can you ensure those internal controls are meeting their risk objectives.