Most people familiar with the Foreign Corrupt Practices Act know of it as an anti-bribery law that imposes stiff penalties for companies that bribe foreign officials. Far fewer focus on the companion provision of the law that requires companies to maintain a system of internal controls that help detect and deter improper payments. Perhaps this oversight happens because, absent a bribe payment or other primary violation, it is unusual for companies to be penalized for failing to implement these internal controls. As a result, many companies don’t identify and consider the effectiveness of operational and financial reporting controls that are relevant to corruption prevention; and in the process fail to benefit from their considerable power in promoting compliance and identifying potential issues early.
Consider the case of Sunny, an accounts payable clerk for the China-based operations of a global healthcare company. She receives an urgent payment request via email from the VP of sales. The payment requested is for consulting services related to government-regulated testing of the company’s equipment. Attached to the email is a contract executed two weeks earlier with the owner of the consulting vendor, an independent laboratory, and an invoice for RMB 74,000 (approximately USD 12,000) for consulting services. The body of the email includes the necessary banking details for paying the laboratory.
For those with a heightened sense of corruption risk, red flags abound in this scenario. But Sunny’s sense of risk is less finely tuned, and like many businesspeople in Asia, she is more concerned with not crossing her superiors. Here are four different types of controls that not only might help Sunny and the company confront this very real situation, but also are critical elements of any functioning compliance program.
Companies that control how they select and onboard vendors can create a valuable buffer between personnel who might be tempted to engage in bribery and those with the authority to commit company assets. Imposing requirements such as fair market value analysis, competitive bidding processes, and robust business rationale analyses can deter employees from engaging unscrupulous or unqualified vendors.
An independent procurement function can also serve as the means by which contracts are controlled and terms and conditions are set. Aside from merely ensuring all vendors have active agreements with the company, contracting elements such as anti-corruption clauses, audit rights, training requirements, and other fraud and corruption related terms and conditions tend to be best controlled when separated from the individuals managing the business relationship.
Although these kinds of procurement controls wouldn’t prevent Sunny from processing a questionable payment, it might prevent the VP of sales from even requesting one in the first place. At a minimum, it adds an additional layer of oversight.
A key component of an effective compliance program is the performance of risk-based due diligence on third party partners — determining which partners to vet and the appropriate level of screening required. Companies regularly screen distributors, dealers and agents because of their involvement in sales activity, but screening of other high-risk vendors — such as consultants, marketing agencies, logistics providers and customs brokers — tends to occur less often.
It is not enough to simply screen and file away the paperwork. Too often, companies commit good resources to a diligence program but do not critically analyze the results and address the red flags. For example, companies may dismiss third-party ties to government officials in countries like China where government officials’ involvement in private business is commonplace, or summarily clear partners when there is little business history.
In Sunny’s case, a robust due diligence process would have ensured that the consulting vendor had no questionable ties to government, and that the entity was a legitimate, established and reputable laboratory — not an entity designed to funnel bribery funds. With an effective due diligence process in place, Sunny can have greater confidence in the purpose and final beneficiary of a company payment.
Vendor systems store pertinent information on vendors, including banking details, addresses and other information describing vendors and services being provided. Accurate and well-controlled vendor systems can offer insights into the type of entities you are actively engaging, where they are located, which are new relationships, and into what jurisdictions you are making payments. Internal audit and compliance teams find them a rich data source for monitoring and assessing the risk of company activities.
For Sunny, effective controls and management of the company’s vendor system may have deterred a payment to this vendor, if it was indeed illegitimate. Regardless, controls should be in place to ensure segregation of duties in vendor set-up, meaning someone other than Sunny should have responsibility for scrutinizing the information provided by the vendor in the context of the company’s existing vendor list. By maintaining an accurate and informative vendor listing, it is easier to identify existing vendors providing similar services, banking information that doesn’t match the entity in the agreement, or a vendor address that matches that of a key customer or employee.
Function-specific corruption training
Too often, compliance training takes the form of high-level online programs designed to reach the widest possible audience as efficiently as possible. Regular compliance training for all employees is certainly a must, but the broad company-wide approach invariably means the training is not detailed enough for some employees. Risk-based, function-specific training, particularly for accounting and finance staff, can equip the gatekeepers of company funds with the knowledge and skills needed to detect and prevent corruption.
If she received more tailored training, Sunny would more likely be savvy enough to recognize some of the warning signs in the urgent request she received. She would know how to look into these warning signs to ascertain whether the request was legitimate, and how to properly report it if it was not.
Critically thinking about internal controls’ relevance to corruption can allow for shoring up of gaps that may allow questionable payments to be made. As with all controls, anti-corruption related controls should be reasonable; the SEC and DOJ suggest companies “take into account the operational realities and risks attendant to the company’s business.” In the best of cases, anti-corruption controls can increase efficiency, allowing business processes to proceed smoothly while lowering corruption risk. Even if they are inconvenient, carefully considered internal controls that strengthen corruption compliance are worth the extra investment.