Here is another obvious point – internal controls are intended to ensure compliance with relevant policies and procedures.  Internal controls are not just for show, or not just limited to financial reporting.   A compliance program is a subset of a company’s internal controls.

So, all this is well and good.  But it appears that a number of companies have been getting into trouble because they are ignoring or circumventing the company’s controls.  It is one thing to fail to craft appropriate controls to address an organization’s risks; it is quite another to ignore or circumvent known rules.

Gatekeepers play an important role in the application and enforcement of an organization’s internal controls.  Legal staff, compliance officers, internal auditors and financial staff all play important roles in overseeing corporate operations.

A number of enforcement actions for FCPA and OFAC violations have underscored the failure of an organization to respect or even conform to directions from gatekeepers.  If you look at the relevant facts for FCPA and OFAC  enforcement matters, there is often a common theme – legal staff, compliance officers and internal audit staff uncover or ignore potential problems or stand in opposition to a course of action and either give in to business opposition or their concerns are ignored. 

An organization has to craft internal controls and then enforce them.  A basic requirement for review and approval of a course of action – e.g. a proposed acquisition, or a risky contract with a third-party – is the review and approval of the legal and compliance leadership.  If compliance identifies red flags, those concerns cannot be ignored or over-ridden unless specific facts are developed that resolve the specific concerns.

If such a control requirement for legal and compliance review and approval is on the books, the company has to follow the control and document the approval.  If legal and compliance will not sign off on a proposed transaction, the transaction cannot move forward.

Gatekeepers have to stick to their guns.  When they raise concerns, they have to commit to their position and cannot waive or ignore those concerns.  In some cases, gatekeepers themselves back down or revise their opinion.  In those cases, companies are handing federal prosecutors powerful evidence – gatekeepers raise a legal or compliance concern, the business objects and the gatekeeper backs down.  If the internal control on the books is ignored or inappropriately applied, federal prosecutors have a significant violation in their pocket with the obvious requisite intent provable against the company.

Gatekeepers cannot ignore red flags by hoping they go away all by themselves.  If an internal audit report identifies problems with certain company expenses or other financial activities, the internal audit department cannot sit on these deficiencies.  In a number of cases, internal audit findings are not promptly addressed by management and/or the board’s audit committee. 

A gatekeeper has to follow up on a red flag or problematic activity, set a schedule for addressing, and if necessary, investigate and resolve the concerns.  Delay and obfuscation will create a perception of failure to adhere to internal controls and organizational commitments to compliance.

A gatekeeper has to carry out his/her functions promptly and with professional commitment.  Companies that suffer enforcement actions often can cite gatekeeper failures to act or situations when gatekeeper’s concerns are ignored.  If a company adheres to its internal controls, empowers its gatekeepers and supports gatekeepers when they raise concerns, the organization can avoid the difficult circumstances of legal and code violations and potential enforcement actions.