10 most important internal controls for FCPA compliance
Updated in 2019
Under the FCPA, companies can be punished not only for the wrongful things they do, like paying bribes, but also for certain things they don’t do. In particular, the FCPA’s accounting provisions require companies to have internal controls in place. When companies do not have certain protections, such as appropriate accounting systems and anti-corruption policies, procedures and processes, they risk violating the law.
Specifically, the FCPA’s accounting provisions require issuers (both U.S. and non-U.S. companies that are publicly traded in the United States) to establish and maintain a system of internal controls sufficient to assure that (1) transactions are executed in accordance with management’s authorization, (2) access to assets is permitted only with the proper authorization and (3) the accounting records reflect the existing assets.
Below and in part two, we provide our list of the 10 most important internal controls for FCPA compliance. We arrange them into two categories – the first five are accounting-specific safeguards, and the next five are other types of processes for high-risk business activities.
ACCOUNTING CONTROLS. Accounting controls help ensure that company funds are not used for bribery. At a very basic level, this means that:
- Individuals with approval power for expenses are independent and have properly delegated authority,
- Approvals are based on supporting documentation,
- Transactions are properly and accurately recorded,
- Processes are regularly monitored, audited and tested and
- Finance personnel are trained to spot red flags.
It is important for companies to ensure such controls for the following types of payment processes.
1. Accounts Payable. Controls should be designed to ensure that types and amounts of the items and services invoiced to the company are legitimate and correctly correspond to the values and descriptions in written contracts, as well as the supporting documentation. Payments should be authorized against original invoices, and invoice numbers should be checked against files to prevent duplicate invoicing. Companies can require special approvals for payments to account numbers not on the master file, manual payments and unusual or unfamiliar vendors. The monitoring and testing program should give particular attention to variations in the normal purchasing process, unusual vendors, split payments to avoid authorized payment threshold amounts, duplicate payments and frequent payments to the same vendor.
2. Expense Reimbursement. Written travel and hospitality policies should establish standard expense reimbursement rules. They can require approvals from management, the submission of original backup documentation and the timely entry of expense reports. Companies should keep records of the identities of recipients of funds, the business purposes of the expenses and internal authorizations required and received. Heightened oversight should be applied to expenses made on behalf of non-employees, which can include pre-approvals and special value and frequency limits.
3. Payroll. Payroll responsibilities should be segregated for activities like data entry of employee details, authorizations and payments. Any changes to payroll files, such as salary increases, should include supporting documentation and be approved by someone other than the person inputting the information. Department heads should regularly review and approve payment reports to ensure that salary recipients currently work for the company.
4. Petty Cash. Companies should adopt written policies governing the disbursement of petty cash that dictate appropriate and authorized uses. Policies should ensure that access to petty cash is limited and subject to approvals and that reimbursements are based on supporting documentation and sufficient detail about use. Companies should frequently conduct reconciliations of petty cash disbursements.
5. Claims. Written policies for management of claims, such as returned goods or disputed services, should establish consistent methods for handling these issues. This can include requiring claims to be supported by documentation, recorded properly and approved by someone not involved in the original transaction.
This article was republished with permission from FCPAméricas Blog, for which Matteson Ellis is founder, editor and regular contributor.
The opinions expressed in this post are those of the author in his or her individual capacity and do not necessarily represent the views of anyone else, including the entities with which the author is affiliated, the author’s employers, other contributors, FCPAméricas or its advertisers. The information in the FCPAméricas blog is intended for public discussion and educational purposes only. It is not intended to provide legal advice to its readers and does not create an attorney-client relationship. It does not seek to describe or convey the quality of legal services. FCPAméricas encourages readers to seek qualified legal counsel regarding anti-corruption laws or any other legal issue. FCPAméricas gives permission to link, post, distribute or reference this article for any lawful purpose, provided attribution is made to the author and to FCPAméricas LLC.