Ethics and compliance officers talk constantly about the importance of corporate culture, ethical values, and a strong tone at the top; and we should. You can’t have an effective corporate compliance program without them. Still, despite all the uplifting and urgent talk about ethics, we’d be remiss if we didn’t also stress the other indispensable element of effective compliance: financial controls.
Unsexy as they may seem, financial controls have been on my mind lately because we’ve seen a wave of FCPA enforcement actions and scandals over illicit payments. Time and again, companies suffer compliance failures because money somehow got out the door when it should have stayed put.
Poor financial controls can allow an employee to work with a third party on an improper transaction – and that is very much within the compliance officer’s purview.
This requires some skillful juggling from compliance officers. On one side, we must nurture a strong ethical culture so people aren’t tempted to send bribes or other illicit payments out the door. On the other, we must enforce strong financial controls so that the door stays closed, even when someone tries to sneak an improper payment through it.
Compliance officers from a legal background might feel a bit uneasy delving into financial controls – isn’t that something the audit team does for SOX compliance? On the contrary, financial controls are hugely relevant to compliance officers when considering their third-party oversight responsibilities. Poor financial controls can allow an employee to work with a third party on an improper transaction – and that is very much within the compliance officer’s purview.
Make Sure Your Compliance Efforts Meet Justice Department Expectations
The Guidelines for Evaluating Compliance Programs (February 2017) mention accounting controls and payment systems, and their connection to third-party risk, several times. The questions center on three points:
- Documentation: Why was a certain third party hired, and why did your company pay the amount it did?
- Processes: What specific method did someone use to make an improper payment, and could other controls or processes have prevented it?
- Approvals: Did managers who allowed the payment understand their anti-bribery duties and have a means to speak up?
The trickiest part for compliance officers will be the right mix of “hard controls” embedded in accounting procedures, versus “human controls” rooted in the approvals that managers must give (or withhold, or even report to the audit committee).
Micro Learning: Ethical Leadership for Managers
The simple answer, of course, is to say “it depends on the risk.” Are several solid accounting controls, coded directly into your accounts payable system, better than one well-trained ethical supervisor who knows a bogus payment when he or she sees it?
The answer, of course, is an organization should have both – but those controls don’t have to, or even should, reside with the compliance function. Financial controls are organization-wide concerns and should rely on the expertise and efficiencies of surrounding departments.
Share Financial Control Responsibility Appropriately Across Departments
Payment processes can range from petty cash to discounts, employee reimbursements, purchase orders, and so forth. How often do you meet with the accounts payable team and talk about them, to explore what types of illicit payments might fit through each one? How do you identify the best control to reduce the risk of potential abuse?
For example, one recent scandal featured a company paying millions of dollars to improper sales agents, funded via a company account under the sole discretion of one executive. Another had companies paying large sums to a newly formed shell company with a single employee.
Compliance officers understand the legal risk in those situations: accounting fraud, criminal bribery violations, kickbacks, and more. Your audit team might understand the fraud risk of certain accounting controls, and recommend steps to reduce it.
Then come the conversations with accounting and finance teams about how to fit their payment processes with other business functions. It can be a complex conversation: you, the ethics and compliance function; prodding the accounting or finance functions; to strengthen processes used by other operating functions (sales or procurement, for example).
Controls Fit Together to Prevent Improper Payments
Spoiler alert: accounting controls can be a hassle. Demands for documentation, counter-signatures, background checks, matches of purchase order to invoice – nobody likes them, but they’re a necessary part of modern finance.
As a compliance officer, you do have to ensure that broader policies, compliance training, and values support the proper execution of those accounting controls, and vice-versa.
The design and implementation of many accounting controls may be outside your purview. That’s probably a good thing, unless you yearn to be an accountant. As a compliance officer, you do have to ensure that broader policies, compliance training, and values support the proper execution of those accounting controls, and vice-versa.
For example, a policy of three-way matching (purchase order, invoice, receipt) can be overridden by corrupt management; so how often are managers trained in the importance of ethics, and told about whistleblower channels to report suspicious payments? Requiring documentation of travel and entertainment expenses is wise, but if you don’t match those expenses to high-risk third parties, that’s a fraud control flying solo when it should be paired with an anti-bribery program to reduce FCPA risk.
All the pieces need to fit together in a productive way. That’s as true for obscure accounting controls as it is for a sweeping tone at the top: you can’t have a strong ethics and compliance function without them.