Digging Into Your Internal Controls
Corruption risks follow the money. If a company has effective controls over money, then the company has a good chance of mitigating corruption risks.
A key indicator of a company’s internal controls is to ask if the company has suffered any significant fraud in the last five years. If your company has experienced a high fraud rate, the company’s controls may be weak and corruption risks are likely higher than desired.
Bribery requires fraud in securing money. The difficulty is that internal financial controls are designed around the concept of materiality, and bribery often occurs with non-material misconduct. As a consequence, financial controls governing bribery risks have to dig down deeper into potential funding sources.
That is why we have bribery cases that revolve around petty cash funds and gifts, meals, entertainment and travel. In these cases, the transactions themselves are non-material but the unauthorized use of the money can fund a bribery scheme.
Similarly, the manipulation of invoices and third-party interactions can fund bribery schemes. Inflating invoices is a very common scenario and one that is difficult to catch. Also, manipulating marketing funds or other third-party support systems is another common funding technique, especially in the high-tech industry.
In light of these common non-material financial transactions, companies have to approach financial controls around bribery with a new mindset. Materiality is a concept that has to be thrown out the window and a new approach is needed.
One way to focus attention is to ask yourself a simple question – if I were engaged in bribery, how would I get money from petty cash, gifts/meals, or through invoicing? With respect to third parties, if I wanted to pass money to a third-party to engage in bribery, how would I get the third-party money?
The design of controls around these types of risks requires awareness, commitment and resources. Let’s break down the issues.
The approval or authorization process for these expenditures is the first place to start. Someone in the company has to approve the expenditure of these funds – it may be routine, or it may be almost automatic. Finding the person who sits in that role is the first step. After that, it is important to make that person (or persons) aware of the risk and exactly what the company’s concern is with respect to these expenditures. Based on some awareness training, the financial person usually will have ideas about these kinds of expenditures and how they can flag the review of system to isolate risky expenditures for further review.
As you can tell, the process will require coordination between the compliance and financial departments. This is yet another example of why compliance and finance need to work closely together.
As a separate control on top of the financial office’s role in identifying suspect transactions or patterns, companies have to implement some monitoring function over these expenditures. Whether it is monthly or quarterly, an informal audit or data analytics program with specified rules for flagging transactions, or other mechanism, the compliance and/or audit departments have to monitor these categories of expenditures to identify suspect transactions and patterns.
The same principles have to be employed in a company’s process for reviewing, approval and payment of invoices. Again, a person or persons responsible for processing of invoices is the proper person to make aware of corruption risks. Once trained, the invoice processing personnel can identify suspect invoices on the front lines – in coordination with the compliance and audit departments, the personnel can be an important backstop to prevent bribery schemes from growing.