April 20, 2017

Day 13 on One Month to Better 3rd Party Management-Internal Controls for Third Parties

11 minutes

Internal controls are a key tool to operationalize your third party risk management program. Initially, a compliance practitioner should perform an analysis of any third party representative to provide insight into the pattern of dealings with such third parties and, therefore, the areas where additional controls should be considered. The basic internal controls, that should be a part of any financial controls system, include some or all of the following:

A control to correlate the approval of payments made to contracts with third party representatives and your company’s internal system for processing invoices.

A control to monitor all situations in which funds can be sent outside the US, in whatever form your company might use, which could include accounts payable computer checks, manual checks, wire transfers, replenishment of petty cash, loans, advances or other forms.

A control for the approval of sales discounts to distributors.

A control for the approval of accounts receivable write-offs.

A control for the granting of credit terms to third parties or customers outside the US.

A control for agreements for re-purchase of inventory sold to third parties or customers.

A control for opening of bank accounts specifically including accounts opened at request of an agent or a customer.

A control for the movement / disposal of inventory.

A control for the movement / disposal of movable fixed assets.

A control for execution and modification of contracts and agreements outside the US.

There should also be internal control needs based on activities with third party representatives. These could include some or all of the following internal controls:

A control for the structure and enforcement of the Delegation of Authority.

A control for the maintenance of the vendor master file.

A control around expense reports received from third parties.

A control for gifts, entertainment and business courtesy expenditures by third party representatives.

A control for charitable donations.

A control for all cash / currency, inventory, fixed asset transactions, and contract execution in countries outside the US where the country manager has final authority.

A control for any other activity for which there is a defined corporate policy relating to FCPA.

While that may appear to be an overly exhaustive list, there were four significant controls the compliance practitioner implement initially. They include: (1) Delegation of Authority (DOA); (2) Maintenance of the vendor master file; (3) Contracts with third parties; and (4) Movement of cash / currency.

A DOA should reflect the impact of corruption risk including both transactions and geographic location so that a higher level of approval for matters involving third parties and for fund transfers and invoice payments to countries outside the US would be required inside an organization. Often, a DOA is prepared without much thought given to FCPA risks. Unfortunately once a DOA is prepared it is not used again until it is time to update for personnel changes. Moreover, it is often not available, not kept current, and/or did not define authority in a way even the approvers could understand it. Therefore it is incumbent that the DOA be integrated into a company’s accounts payable (AP) processing system in a manner that ensures all high-risk vendor invoices receive the proper visibility. To achieve this you should identify the vendors within the vendor master file so payments are flagged for the appropriate approval BEFORE they are paid.

Furthermore if a DOA is properly prepared and enforced, it can be a powerful preventive tool for FCPA compliance. For example, consider a wire transfer of $X between company bank accounts in the US might require approval by the Finance Manager at the initiating

...more

View all episodes

By Thomas Fox

4.7

2020 ratings