At a minimum, as part of (emphasis added) your overall fraud risk management program, the following key processes/functions should be analyzed along with the embedded (key) internal controls, if they exist, to determine who has authority and access to cash, funds, or anything of value, and whether those controls are properly designed to prevent and detect misbehavior.
- Quote-to-Cash (sales cycle)
- Procure-to-Pay (supply chain – third parties)
- Treasury function (cash/funds)
The analysis should be done in collaboration with internal audit, finance/accounting, compliance, legal, and the key stakeholders. Doing this in isolation could prove to be problematic in the future. If you feel there might be conscious or unconscious bias, engage outside independent professionals to lead or assist.
Often when doing this exercise, there are opportunities to install additional controls that close gaps and help mitigate fraud risk. Remember, controls should be designed to do something (an action of some type), and that something helps in achieving your objective, which in this case is to prevent bribery.
When a bribe is paid, the toothpaste is already out of the tube; it’s somewhat impossible to get back in.
That being said, controls that prevent something must be tightly tuned; therefore, in higher-risk areas, I suggest you strongly consider employing the “four eyes review/approval principle”, which requires a second review by supervisors from different reporting lines for substantive decisions, transactions, changes/overrides, etc.
The second set of eyes must not only be someone from different reporting lines, but someone who can be skeptical, is competent, understands the “red flags”, and if necessary can elevate any issues they might have.
The “four eyes review/approval principle” is used to facilitate delegation of authority and increase transparency, with the goals being adherence to the company’s policies, compliance with laws and regulations, and the deterrence and detection of misbehavior or fraud.
Note: The “four eyes approval principle” was recently mentioned by the DOJ in the Petrobras FCPA matter, so obviously the regulators think it’s a sound concept and I hope you do too!
Have a nice weekend!
Jonathan T. Marks, CPA, CFE
“Books and records don’t commit fraud or pay bribes, people do”