Prosecutions for violations of Foreign Corrupt Practices Act (FCPA) internal controls provisions have continued to increase in 2016. Consider this announcement by the Securities and Exchange Commission, (SEC), which brings the charges:
“The Securities and Exchange Commission today announced that a Massachusetts-based technology company and its Chinese subsidiaries agreed to pay more than $28 million to settle parallel civil and criminal actions involving violations of the Foreign Corrupt Practices Act (FCPA).”
Enforcement actions have driven home the point that a company must have an effective set of internal controls throughout all corporate disciplines and functions. These are simply not a set of “compliance internal controls” but internal controls permeating throughout an organization, which creates their effectiveness. Read on to learn about effective compliance internal controls and how the global payroll function can assist in fulfilling those requirements.
Internal Controls
To understand internal controls in an FCPA compliance program, the starting point is the law itself. As stated in the FCPA, it requires the following:
Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that:
(i) transactions are executed in accordance with management’s general or specific authorization
(ii) transactions are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and to maintain accountability for assets
(iii) access to assets is permitted only in accordance with management’s general or specific authorization
(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals, and appropriate action is taken with respect to any differences
The Department of Justice (DOJ) and SEC, in their jointly released 2012 FCPA Guidance, stated that “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements.”
They include various components, such as a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.”
Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services; how the products or services get to market; the nature of its workforce; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”
Aaron Murphy, an Assistant Solicitor General in the Utah Attorney General’s Office and the author of Foreign Corrupt Practices Act, A Practical Resource for Managers and Executives, said, “Internal controls are policies, procedures, monitoring, and training that are designed to ensure that company assets are used properly, with proper approval, and that transactions are properly recorded in the books and records.
“While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand—where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”
Well-known internal controls expert Henry Mixon has said internal controls are systematic measures such as reviews, checks and balances, methods, and procedures instituted by an organization that performs several different functions.
These functions include:
- to allow a company to conduct its business in an orderly and efficient manner
- to safeguard its assets and resources
- to detect and deter errors, fraud, and theft
- to assist an organization in ensuring the accuracy and completeness of its accounting data in order to enable a business to produce reliable and timely financial and management information
- to help an entity to ensure there is adherence to its policies and plans by its employees, applicable third parties, and others.
Mixon adds that internal controls are entity-wide; that is, they are not just limited to the accountants and auditors. Mixon notes that for compliance purposes, controls are those measures specifically designed to provide reasonable assurance that any assets or resources of a company cannot be used to pay a bribe. This definition includes diversion of company assets, such as by unauthorized sales discounts or receivables write-offs, as well as the distribution of assets.
A Critical Component
The FCPA guidance goes further. It specifies internal controls are a “critical component” of a best practices anti-corruption compliance program. This is because the design of an entity’s “internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption. A company’s compliance program should be tailored to these differences.”
After a company analyzes its own risk through a risk assessment, it should design its most robust internal controls around its highest risk.
Global Payroll Internal Controls
Max van der Klis-Busink, in his Global Payroll magazine three-part series “Take Charge With a Global Payroll Control Framework,” laid out how to design, implement, and improve internal controls. His article was based on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Framework.
Several specific internal global payroll controls will facilitate a company doing business in compliance with the FCPA. These controls help keep an eye on the money trail or, as is often said, to “follow the money,” as the money to pay a bribe is usually hidden in some company expenditure.
The four general areas of payroll control are:
- Segregation of duties
- Accountability, authorization, and approval
- Security of assets
- Review and reconciliation
A Checklist of Controls for Payroll Systems
To meet these four general goals, consider using a selection of the following controls for payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid:
- Audit—Have either internal or external auditors conduct an annual audit of the payroll accuracy
- Change authorizations—Only allow a change to an employee’s marital status, withholding allowances, or deductions if the employee has submitted a written and signed request for the company to do so
- Change tracking log—Establish secure change tracking if you are processing payroll in-house with a computerized payroll module
- Expense trend lines—Look for changes in payroll-related expenses in the financial statements and then investigate if warranted
- Issue payment report to supervisors—Request that supervisors review payroll summaries for correct payment amounts and unfamiliar names
- Restrict access to records—Prevent unauthorized access to payroll records
- Segregation of duties—Never allow one person to prepare the payroll, authorize it, and create payments
The role of global payroll in FCPA compliance is not often considered, yet the monies to fund bribes in violation of the FCPA must come from somewhere.
Unfortunately, one of those places is out of global payroll. All Chief Compliance Officers need to sit down with their head of global payroll to review the internal controls in place to see how they facilitate the goals of compliance.
Even better would be for the head of global payroll to sit down with the compliance function to explain the role of global payroll and how that role will facilitate a best practices compliance program.