Two Big Mistakes, One Huge Lesson on Internal Control Documentation
Please welcome Matt Kelly, Editor and CEO of Radical Compliance, to the Workiva blog.
If internal control and audit professionals were looking for fresh reminders on the importance of documentation, invoice fraud, and vendor oversight, federal regulators served up a couple of examples of just that.
What happened? Here's the short version:
First, the company paid consultants and sales agents a total of $14 million to secure necessary approvals for a building project. However, they didn't collect evidence to show what the consultants were actually doing. Executives greenlighted the payments, and approvals were granted—but that is all we know. (Corrupt payments or embezzlement are well within the scope of possibility, the SEC notes.)
Second, the company failed to get proper contract signatures from outside sales agents, resulting in an underhanded subcontract seemingly designed to funnel money back to a senior executive of the company.
In short, the company spent millions on consultants over five years without any documentation of who those consultants really were or what services they were providing, which landed it in hot water with the SEC.
For companies of all sizes, there is a lesson to be learned here, and it is one about documentation.
The devil is in the internal control documentation
It is critical to remember that the SEC did not accuse the company of bribery. That is a crime, and only the Justice Department can prosecute a crime.
The offense here was that the company's policies and internal controls over financial reporting were so poor, the company could not provide assurance that it didn’t pay bribes. That alone can leave companies exposed to liability under the civil side of the FCPA, which the SEC enforces.
And the biggest risk of all is poor controls specifically over vendors—in this company's case, consultants. That's not to say other kinds of vendors, including ones that manage your online data, are not worthy of scrutiny.
What saves companies from this enforcement risk is documentation: proof that intermediaries working for the company served a legitimate purpose, billed the company a reasonable amount, and delivered the services they were contracted to perform.
That need for documentation isn’t just common sense. The Justice Department and SEC published extensive guidance in 2012 about compliance with the FCPA, and included this about vendors:
Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the services to be performed. Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country.
Regulators in the U.K. have also published guidance on how to comply with their anti-bribery statutes, and it includes similar language about transparency into contracts and payments to vendors.
So, what internal control documentation lessons can be gleaned from this?
What we can learn
Two principles of the COSO internal control framework come to mind here:
- Principle 10: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- Principle 12: The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Audit and compliance executives need to design those control activities so that they capture the documentation needed when working with an intermediary. However, to do this correctly, audit and compliance executives must work together closely.
The compliance officer understands what the risk is, while the auditor is the expert in designing a control commensurate to the risk. Without delegation and understanding between the two parties, the design will not get off the ground.
It is worth noting that the company in question reorganized in 2014: new board, new executive team. They then discovered the earlier shoddy accounting, disclosed the issue to the SEC, and cooperated fully to investigate and remediate the weaknesses. Those efforts led the SEC to hit them with a penalty of $500,000, rather than something worse.
Which reminds me of COSO Principle 1: “The organization demonstrates a commitment to integrity and ethical values.” Funny how that one keeps cropping up.