Compliance professionals, we need to talk about accounting controls again. They’re back in the news these days as an important part of FCPA compliance.
In fairness, accounting controls have never stopped being an important part of FCPA compliance. Lately, however, the corporate compliance community has seen a string of news reminding us of how true that is.
For example, the Securities and Exchange Commission recently sanctioned several U.S. pharmaceutical firms for poor accounting controls that allowed executives to hide corrupt payments they had been making for years. We’ve also seen more attention paid to accounting issues in the newly revised FCPA Resource Guide.
So what should compliance professionals keep in mind about accounting controls? What do effective internal controls for FCPA compliance achieve? Let’s consider a few issues.
Look at the Revised FCPA Resource Guide
First, the newly revised FCPA Resource Guide makes clear that our shorthand term “internal controls” actually means internal accounting controls. The relevant section of the Resource Guide is even titled “Internal Accounting Controls Provision.” Messages don’t get any clearer than that.
What are internal accounting controls supposed to do, exactly? They should provide “reasonable assurance” - the standard spelled out in the statute - of four things:
- Transactions are executed according to management’s general or specific authorization;
- Transactions are recorded as necessary (a) to permit preparation of financial statements in conformity with generally accepted accounting principles, and (b) to maintain accountability for assets;
- Access to assets is permitted only in accordance with management’s general or specific authorization;
- The recorded accountability for assets is compared with existing assets at reasonable intervals, and appropriate action is taken for any differences.
In other words, internal accounting controls should provide reasonable assurance that the company’s financial transactions are executed according to management’s intentions, and that the transactions truly are what they purport to be.
When we study SEC enforcement of the Foreign Corrupt Practices Act, that’s what we see go wrong: phony contracts, doctored evidence, accounting policies manipulated beyond all bounds of proper accounting rules. Employees execute financial transactions against management wishes (that is, they’re paying bribes) and then they submit bogus documentation to hide the truth.
That has important implications for corporate compliance programs. Because if internal accounting controls are supposed to confirm the amount and the nature of a financial transaction, that rests upon your ability to collect evidence — which, in turn, depends on employees providing said evidence.
Who is Responsible for the Accounting Controls in FCPA Compliance?
Now we get to the tricky part: Who is responsible for establishing and maintaining effective internal accounting controls for FCPA compliance?
Compliance officers might be tempted to say, “This is accounting stuff, so it’s the accounting team’s responsibility!”
But, really, collecting sufficient and appropriate evidence of financial transactions is a question of driving employee behavior. The company needs a policy about it, and training for employees to do it, and an ability to assess how well everyone is following those rules.
Policy, training, risk assessment… Doesn’t that sound more like a compliance officer’s responsibility? There is a large intersection between internal accounting controls and compliance.
Consider the Particular Challenges of FCPA Internal Controls
Organizations need for effective internal controls is a set of policies, procedures, and training that guide human behavior in a way that supports documentation standards, data analytics and proper accounting. It’s a tricky needle to thread.
For example, the best control against bribery is a strong corporate culture that frowns on bribery in the first place. It’s about exhortations from senior managers that cheating isn’t how the company does business, and compensation schemes that don’t pit one employee against another, and sales training with clear anti-bribery messages all the way through.
But those kinds of ethics and culture questions are far removed from the accounting function.
The answers need to be translated into policies and procedures that work on a practical basis for your company. Which is very suitable for the compliance officer’s job description.
Meanwhile, accounting teams also need training specific to recognizing potential bribery schemes. They need technology that collects supporting documentation in one place so they can see the evidence for a transaction — or the lack thereof. They need the expertise to audit transactions from time to time, to uncover schemes such as secret spreadsheets recording the “real” transactions, which inevitably stink to high heaven of deliberate misconduct.
You can see the challenge here.
Strong compliance programs begin with an ethics and compliance foundation, which drives employees to follow an exacting set of internal accounting controls — controls that rely on technology, expertise, and analytics to reduce books-and-records violations.
In practice that requires a lot of collaboration between compliance and accounting teams, to assure that each side’s efforts support the other’s:
- Compliance officers could talk with accounting teams and say: “Here is the FCPA violation we want to avoid. How could our accounting policies allow that to happen? What could we change to seal up fraudulent transactions?”
- Accounting teams need to consider: What’s the level of evidence we would want to see to feel confident that a transaction is legitimate? How could that evidence be gathered and secured? What technology would allow us to do that reliably?
- And back to compliance teams: What policies, procedures, or training would drive employees to follow those internal controls? (For example, no payments issued until all documentation is complete and verified.)
Those are the lines of conversation that can lead to a better grip on internal accounting controls. And as the SEC is happy to demonstrate, the issue is not going away any time soon.