Discipline and Rigor in Your Internal Controls

This article was republished with permission from Tom Fox’s FCPA Compliance and Ethics Blog.

In a recent New York Times (NYT) Op-Ed by David Brooks, entitled “The Good Order,” he discussed how routine can lead to creativity. He cited the example of three well-known authors and their habits. “Maya Angelou would get up every morning at 5:30 and have coffee at 6. At 6:30, she would go off to a hotel room she kept — a small modest room with nothing but a bed, desk, Bible, dictionary, deck of cards and bottle of sherry. She would arrive at the room at 7 a.m. and write until 12:30 p.m. or 2 o’clock.” Another example was John Cheever, who “would get up, put on his only suit, ride the elevator in his apartment building down to a storage room in the basement. Then he’d take off his suit and sit in his boxers and write until noon. Then he’d put the suit back on and ride upstairs to lunch.” Finally, there was the example of Anthony Trollope, who “would arrive at his writing table at 5:30 each morning. His servant would bring him the same cup of coffee at the same time. He would write 250 words every 15 minutes for two and a half hours every day. If he finished a novel without writing his daily 2,500 words, he would immediately start a new novel to complete his word allotment.” Brooks’ thesis for his piece seemed to be summed up by a quote from Henry Miller (of all people): “I know that to sustain these true moments of insight, one has to be highly disciplined, lead a disciplined life.” Sort of gives a whole new meaning to the word “discipline.”

However, moving back to somewhat salacious concepts, I thought about those words in the context of internal controls around a Foreign Corrupt Practices Act (FCPA) compliance program. Brooks’ thoughts on building and maintaining order inform today’s post. In the area of internal controls, I believe it is incumbent to consider not only the most obvious risk areas for your internal controls, but also the universe of potential transactions within the operations of a particular company. Once again relying on my friend and internal controls expert, Henry Mixon I queried him about some of the other types of internal controls a company should consider around gifts, travel, business courtesies and entertainment.

One area that companies need to be mindful of is corporate checks and wire transfers in response to falsified supporting documentation, such as check requests, purchase orders or vendor invoices. Mixon believes that the delegation of authority (DOA) is a critical internal control. So, for example a wire transfer of $X between company bank accounts in the U.S. might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of $X to the company’s bank account in Nigeria could require approval by the Finance Manager, a knowledgeable person in the compliance function and one officer. The key is that the DOA should specify who must give the final approval for such an expense.

I asked Mixon about the situation where checks are drawn on local bank accounts in locations outside the U.S., on “off books” bank accounts, commonly known as slush funds. Petty cash disbursements in locations outside the U.S. – the unique control issues regarding locations outside the U.S. will be discussed in a future podcast. Some petty cash funds outside the U.S. have small balances but substantial throughput of transactions. In this instance, Mixon said that the DOA should address replenishment of petty cash funds in countries outside the U.S., as well as approval of expense reports for employees who work outside the U.S., including those who travel from the U.S. to work outside the U.S.

Another area for concern is travel, the reason being that a company’s corporate travel department and independent travel agencies can buy tickets, hotel rooms, etc., for non-employees. Mixon noted that internal controls might be needed to ensure policies are enforced when travel for non-employees can be purchased through a corporate travel department or through independent travel agencies. As was demonstrated with GlaxoSmithKline PLC (GSK) in China, a company must not discount the risk related to abuse of power internally and collusion with independent travel agencies. Mixon advises that you should implement procedures to ensure compliance with your company policies regarding payment of travel and related expenses for third parties, for not only visits to manufacturing or job sites, but also any compliance restrictions that might be in place.

An area for fraud, corruption and corporate abuse has long been procurement cards or “p-cards.” Mixon cautions that if your company uses procurement cards, assume this to be a very high-risk area, not just for FCPA but also for fraud risk generally. Banks have made a great selling job to corporations for the use of p-cards to help to facilitate “cash management” but, more often than not, they can simply be a streamlined way to allow embezzlement and misbehavior to go undetected. Here, a control objective should be put in place along the lines of written policies and procedures defining the acceptable and unacceptable use of company procurement cards, required forms, required approvals, documentation and review requirements.

An interesting analogy that Mixon used is that misbehavior, like water, seeks its own level. Mixon explained that this meant if the pre-approval process and strong controls over expense reports prevent misbehavior, employees who wish to misbehave will seek other ways to do it where controls are not so strong. This means you should use your risk assessment process to help prioritize where controls are most needed. If your company prohibits gifts and any travel other than for the submitting employee from being included in the expense report, you should consider requiring instead a check request form be used, which, Mixon noted, would be subject to stringent controls. He added that in such cases, a checklist should be completed and attached to the check request which includes questions and disclosures designed to flush out exactly what was provided in the way of a business class airline, pocket money, event tickets, side trips, leisure activities, spouses or other relatives who might be traveling and why the travel had business purpose. Such an internal control would allow for a more streamlined processing of expense reports, still elevating the gifts/travel items to the appropriate level of review and requiring appropriate documentation.

I inquired as to why a compliance officer relies on the audit controls that are in place regarding gifts because in many companies, internal audits of expense reports are common. Mixon noted that it is important to keep in mind that, with respect to gifts, internal audits most often constitute, at best, a detect control, which only gives comfort for some historical period and is not necessarily representative of the controls in place to prevent future violations. So it will be a false sense of security if a compliance officer relies on the internal audit of expense reports to be the control needed over violation of gift policies.

I thought about one line in Brooks’ piece, which seemed to echo Mixon’s thoughts on internal controls.  Brooks wrote, “Building and maintaining order…requires toughness of mind and rigid discipline to properly serve your own work.” By having the rigor to institute and enforce the types of internal controls Mixon has identified, you can go a long way toward detecting and, more importantly, preventing a FCPA violation from occurring.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business advice, legal advice or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.