The speaker was a national partner in a big accounting firm. What he said was simple and profound: “When it comes to internal controls, ask yourself how long it would take to detect an improper payment. Would it take a year, a quarter, or a month? That’s how you test your company.”
The room full of controllers, internal auditors, accountants, and lawyers was quiet.
The speaker continued: “Companies routinely go the extra mile vetting suppliers, agents, and joint venture partners. But when that’s done and the decision is made to work with the third party, what then? Will the controls in place uncover improper payments the intermediary might make to government officials? Who’s checking third-party invoices to confirm the services rendered are worth the amount of the invoice?”
Someone in the audience asked how deep into the invoices the review needs to go. What are best practices for internal controls?
“There’s no easy answer,” the speaker said. “But again, ask yourself how long it would take to discover improper payments by your suppliers. The longer the time, the weaker your argument that the company didn’t act ‘knowingly’ in paying bribes indirectly through the third party.”
* * *
The internal control provisions at 15 U.S.C. Section 78m(b)(2)(B) require issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that–
(i) transactions are executed in accordance with management’s general or specific authorization;
(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;
(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and
(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.