Most Foreign Corrupt Practices Act (FCPA) practitioners
understand the requirement for a compliance policy under the FCPA. However many
practitioners, particularly lawyers practicing in the compliance field, do not
understand the requirement for proper Internal Controls. Generally speaking,
Internal Controls are policies, procedures and training which are installed to
safeguard that a business' assets are utilized in an appropriate manner; with
proper oversight and approval and that all company transactions are properly
recorded in its books and records.
We have previously discussed the new book by Aaron Murphy
in the FCPA arena entitled, "Foreign Corrupt Practices Act - A Practical
Resource for Managers and Executives". In this work, Mr. Murphy opines
that Internal Controls can be delineated into five concepts, which are as
I. Risk Assessment - A
company should assess the compliance risks associated with its business.
II. Corporate Compliance Policy and Code of Conduct - A company should
have an overall governance document which will inform employees throughout the
company, of the conduct the company expects from an employee. If the company is
global/multi-national, this document should be translated into the relevant
languages as appropriate.
III. Implementing Procedures - A company should have a written set of
procedures in place that instructs employees on the details of how to comply
with the company's compliance policy.
IV. Training - A company should have a training program in place to
confirm that employees understand their obligations under the compliance
policies and procedures.
V. Monitor Compliance - A company must test, assess and audit to
determine if its compliance policies and procedures are a 'living and breathing
program' and not just a paper tiger.
While all of the above may seem covered by the US
Sentencing Guidelines, as the best practices of any robust compliance
program, the lack of Internal Controls can bring serious consequences to any
company found violating the FCPA. The failure to maintain proper Internal Controls
can bring a separate civil charge, brought by the Securities and Exchange
Commission (SEC). Such a charge can lead to a fine, injunction and profit
With the above in mind, we would propose, as a starting
point for the FCPA practitioner, our own five questions to start the assessment
of your company's internal controls. They are:
1. What accounting processes, if any, occur outside your home office and at how
2. What ERP/financial accounting software system is used? Is the same system
used at each location where accounting is performed?
3. Who are the independent auditors and for how many years have they been
performing audits for the Company?
4. Has there ever been an independent assessment of Internal Controls, other
than what is done in connection with the independent audit? (are you asking
readers to contact you to discuss or is that something that the FCPA
practitioner should say to the board?)
5. Has there ever been fraud detected in the Company?
While Internal Controls is often seen as the step-child
in any FCPA compliance discussion, we believe that Internal Controls should be
seen as a bulwark in a best practices compliance program to prevent,
detect and help remedy any situation which may be violative of the FCPA. We
would also note that robust Internal Controls is also considered to be a key
component of any adequate procedures under the UK Bribery Act. We hope
that the five questions we have listed above may be a good starting point for
you to begin to assess your company's Internal Controls.
Visit the FCPA Compliance and Ethics Blog, hosted
by Thomas Fox, for more commentary on FCPA compliance, indemnities and other
forms of risk management for a worldwide energy practice, tax issues faced by
multi-national US companies, insurance coverage issues and protection of trade
This publication contains general information
only and is based on the experiences and research of the author. The author is
not, by means of this publication, rendering business, legal advice, or other
professional advice or services. This publication is not a substitute for such
legal advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified legal
advisor. The author, his affiliates, and related entities shall not be
responsible for any loss sustained by any person or entity that relies on this
publication. The Author gives his permission to link, post, distribute, or
reference this article for any lawful purpose, provided attribution is made to
the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2011
For more information
about LexisNexis products and solutions connect with us through our corporate site.