Although much is still unclear about the implementation
date, or the manner in which the UK Bribery Act will be enforced, it is clear
that one of the important compliance functions which a company should implement
is appropriate internal controls. The previously released Consultative Guidance
had the following language regarding internal controls, "Businesses should also
consider how their existing internal company procedures can be used for
bribery and corruption prevention. For example, financial and auditing
controls, disciplinary procedures, performance appraisals, and selection
criteria can act as an effective bribery deterrent."
Internal controls are a key component of any best
practices compliance program, whether based upon the Foreign Corrupt Practices
Act (FCPA); OECD Good Practices or another local law. Appropriate controls are
always needed for the reason that if a compliance program relies simply on the
issuance of compliance policies, and on the honesty of a company's employees, a
company may get lucky and avoid a violation but a it will not have an effective
compliance program.
Internal controls means more than simply financial and
auditing controls. As noted by the UK Bribery Act Consultative Guidance,
internal controls should also be applied to other areas of a company's overall
program. Internal controls can provide a check on employee training,
certification and testing; issues related to employee performance, such as
performance appraisals and disciplinary procedures; and third party due
diligence and administrative procedures.
As recently as last week, yet another enforcement action
was announced by the Securities and Exchange Commission (SEC) for violation of
the books and records component of the FCPA. The SEC agreed to a settlement related
to a finding that IBM's internal controls were inadequate. Improper payments
were made to South Korean officials and improper travel and entertainment was
paid for Chinese officials. All the payments were by subsidiaries for which IBM
was held responsible.
Within the FCPA, the requirements of the books and
records provision requires that a company keep detailed books and records which
fairly reflect the company's transactions and disposition of assets. While many
companies are familiar with external auditors, who consider materiality to
financial statements when determining an audit scope and where the audit focus
is the fairness of the presentation of financial statements in all material
aspects. They are also experienced with audits for Sarbanes-Oxley (SOX)
purposes, which allow exclusion of coverage for immaterial processes and
locations and the focus is more directed to the avoidance of material
misstatements in the financial statements. However, this materiality issue does
not arise under the books and records provisions of the FCPA. Put another way -
there is NO materiality consideration - either in the transaction amount or the
size of the operations.
Effective controls generally mean that a company's
controls are designed to meet specific objectives. A company's internal control
system should include measures to ensure that controls are consistently and
accurately performed. A company should maintain internal accounting controls
which provide reasonable assurance that:
- Transactions
are properly authorized;
- Transactions
are accurately recorded;
- Accountability
for assets is maintained; and
- Unauthorized
access to assets is prevented.
It is important that a company assesses its internal
accounting controls at regular intervals. This means that a company should
compare the recordkeeping for assets to an inventory of the actual physical
assets. If there are discrepancies, remedial action should be taken. Some
examples of this can be physical inventory counts, fixed asset counts and cash
reconciliation.
Last week's SEC enforcement action against IBM drove home
yet again the importance of adequate books and records in any FCPA compliance
program. Internal controls are a key element in providing sufficient records.
An overlooked part of the UK Bribery Act is that all companies subject to its
rules and regulations must have an adequate internal controls program,
encompassing areas much broader than adequate books and records. These areas
should be assessed and remedial action taken to correct any deficiencies as
part of a company's ongoing assessment and compliance program update.
Visit the FCPA Compliance and Ethics Blog,
hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and
other forms of risk management for a worldwide energy practice, tax issues
faced by multi-national US companies, insurance coverage issues and protection
of trade secrets.
This publication contains general information
only and is based on the experiences and research of the author. The author is
not, by means of this publication, rendering business, legal advice, or other
professional advice or services. This publication is not a substitute for such
legal advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified legal
advisor. The author, his affiliates, and related entities shall not be
responsible for any loss sustained by any person or entity that relies on this
publication. The Author gives his permission to link, post, distribute, or
reference this article for any lawful purpose, provided attribution is made to
the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2011
For more information about LexisNexis
products and solutions connect with us through our corporate site.