This article was republished with permission from Michael Volkov’s blog, Corruption, Crime & Compliance.
Compliance officers need to dig into and understand a company’s internal controls. Many compliance officers tend to leave that issue to internal auditors. That is a big mistake.
Compliance officers have to be multidisciplinary experts, well versed in areas ranging from legal to financial and business strategies. Frankly, in the corporate governance world, compliance officers serve as internal psychologists, cheerleaders, strategists and overall hand-holders.
Compliance officers have to attend to internal controls and work closely with the internal auditor, comptroller and the chief financial officer. Every company faces internal fraud and theft risks. To the extent that such risks exist, misappropriation of funds means increased corruption risks.
I always remind everyone: bribery requires unauthorized access to money. Whether it is through third parties or internal theft, bribery requires violators to secure access to money.
Internal financial controls have to be effective. Fraud risk means that employees can easily gain access to money and steal it for their own direct benefit or to secure another benefit that may include bribery of a foreign official (usually when the potential illegal benefit is greater than the cost of keeping the stolen money).
When it comes to stealing money, criminals can be very creative in securing access to money and then covering their tracks. Usually they are caught, fired and sometimes referred for criminal prosecution. Sometimes the criminals get away with it and are never caught.
It is impossible to implement “perfect” financial controls. However, the objective of every set of controls is to reduce the risk as much as possible. Some important elements of financial controls include:
- Global financial authorizations – A company has to establish specific financial authorization limits for specific manager and employee levels. For example, a country manager in a specific area should have a ceiling set for the expenditures that he or she is allowed to authorize. For amounts greater than that level, the officer or employee would have to secure written authorization from a senior-level officer or employee.
- Segregation of duties and conflicts – A company has to identify those functions where conflicts may exist that could enable a single employee (or even a small number of employees) to gain unauthorized access to money. For example, if a single employee is allowed to review an invoice, approve the invoice and then submit the invoice for payment, the failure to segregate the duties in the payment system will increase the risk of theft and unauthorized use of money.
A company should prioritize its efforts to reduce segregation of duty conflicts by focusing on high-risk countries (not just for bribery, but kickbacks, theft and other improper use of funds).
- Security and access to financial systems – One significant recipe for disaster in the financial arena is failing to preserve security measures for access to the company’s financial security system. A group of employees who have access to the financial system should not share passwords and other security measures among themselves. Often these employees will share such information in case one of them is out of the office, but alternative security measures should be used. No group of employees should have access to each other’s financial accounts.
- Robust internal auditing systems – A company’s internal audit program is a critical backbone of any financial controls system. Too often, these internal audits are structured around activities that could raise “material” risks. That is too narrow a perspective. It is important to identify other risk areas, such as gifts, travel and entertainment that involve potential legal risks but lower “material” risks, meaning that, in isolation, these expenditures rarely, if ever, have a “material” impact on a company’s operations.