The effectiveness of a compliance program is enhanced by implementing adequate internal controls. The FCPA’s accounting and record-keeping provisions and the UK’s Financial Conduct Authority (“FCA”) require entities subject to their jurisdiction to implement adequate internal controls. More recently, the decree implementing Brazil’s Clean Company Act mandates the adequacy of an entity’s internal controls.
In many respects, concepts associated with internal controls are similar and, indeed, overlap with those relating to compliance programs. For this reason, regardless of whether an entity is subject to the internal control provisions of the FCPA, the FCA’s jurisdiction, Brazil’s Clean Company Act or other similar regulatory regimes, concepts associated with internal controls should be incorporated into a compliance program.
Given their esoteric nature, understanding internal controls and their application to deterring and limiting corruption and bribery risks can be challenging. But in various fora, a growing body of guidance is beginning to emerge, particularly from the SEC and FCA.1 The emerging guidance demonstrates that enforcement officials in the United States and the United Kingdom follow the same basic principles in determining whether an entity has adequate internal controls. They provide insight as to mechanisms that have been recognized as necessary and useful in limiting and detecting corruption and bribery risks.
What constitutes adequate internal controls is not precisely defined. In general, the criteria are “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”2 An effective system of internal accounting controls includes a range of review and approval guidelines designed to detect and deter questionable conduct. It also includes mechanisms to ensure that critical information is timely shared with appropriate units and people within an entity.
Indeed, the planning, implementation, and monitoring of a compliance program should be closely linked to if not intertwined with an entity’s system of internal accounting controls. While not specifically directed to bribery and corruption risks, the effective implementation and active monitoring of internal controls are essential to limiting and timely addressing bribery and corruption risks. Entities not subject to the jurisdiction of the FCPA’s accounting and record-keeping provisions, the FCA, and similar regulatory regimes need to consider and implement concepts associated with adequate internal controls in the context of anti-bribery compliance.
1A pattern also emerges when one analyzes the applicable rules, regulations, and guidance issued by the Justice Department, the SEC, and the FCA as well as the settlements or plea agreements reached with these regulatory agencies.
215 U.S.C. § 78m(b)(7) (2017).