Saying that you have policies and training in place to prevent corruption is one thing, but do you have controls built into your processes? A control could be thought of as hitting the pause button and taking a moment to prevent an action from becoming a huge problem.
Some controls are straightforward, such as the basic financial controls used to help identify and prevent bribery; It’s easy to see the value of restricting cash and putting monetary caps on certain types of activities. But bribery isn’t the only type of corruption: Gifts and hospitality, nepotism, cronyism and conflicts of interest are other forms. These other faces of corruption are often disguised in much more sophisticated ways than the typical ‘cash-stuffed suitcases’ and require therefore more innovative processes in place to be captured and controlled. Yet, too many companies fail to realize the importance of preventing them with non-financial controls. Needless to emphasize: When establishing a business’ internal controls, non-financial controls are just as important as the financial ones.
Understanding non-financial controls
Financial controls can be thought of as the management systems and processes your company uses to manage financial transactions properly and to record them accurately, completely and in a timely manner.
Non-financial controls are any other tools that help your organization stop and examine non-financial business transactions. These controls ensure that your procurement, operational, commercial and other non-financial aspects are being properly managed.
Let’s say for example that an employee working in procurement awards a small contract to a company in which he or she holds a 20 percent stake. This obviously constitutes a conflict of interest, as the employee has a personal interest in awarding the contract to this particular company. But, how can your company make sure that such breaches are not committed? One way of creating these stops or caps in the process is to require the signature of at least two persons on all contracts and documents pertaining to a contract. Other cases might require other types of non-financial controls such as using approved sub-contractors, suppliers and consultants that have undergone a pre-qualification process that assesses their likelihood of participating in bribery.
Procurement Controls
Procurement activities offer a particularly interesting context for thinking about non-financial controls. The ISO 37001 does a great job of breaking down these controls, as seen in the following examples:
- Awarding contracts, where possible and reasonable, only after a fair and, where appropriate, transparent competitive tender process between at least three competitors has taken place.
If your company has a rule that you can’t award a contract unless you’ve gone through a competitive process, that could be considered a control. The purpose of the control is to make sure someone isn’t self-dealing or giving contracts to a relative or a company in which they own a share or would gain a personal benefit. Having such a rule and control minimizes the risk of someone awarding a contract for a reason that isn’t great for your business. - Requiring at least two persons to evaluate the tenders and approve the award of a contract.
Such a control implies that your company has a better chance of identifying red flags and reporting them. It minimizes the risk of conflicts of interest or other misconduct, such as the award of the contract based non-competitive criteria.
Additional non-financial controls for procurement could include:
- Implementing separation of duties: ensuring that the personnel responsible for awarding a contract are different from those requesting the award and are not involved with the department or function managing the contract or approve work done under the contract.
- Ensuring that high bribery risk transactions are placed under a high level of scrutiny with a higher level of management oversight.
- Restricting access to tenders and other price-sensitive information.
- Assisting and empowering personnel to make the right choices by providing appropriate tools and templates (e.g. practical guidance, do’s and don’ts, approval ladders, checklists, forms, IT-workflows).
Recordkeeping requirements
Your business activities may be 100-percent above board, thanks to a combination of financial and non-financial controls, but that’s not enough. You also need the books and records (B&R) to back up those claims in the event that a certain deal looks bad from the government’s perspective.
Under the FCPA, companies with any US affiliation or presence are expected to keep scrupulous records. While businesses operating or registered in the UK are required to maintain adequate records under the Companies Act and the UK tax laws. Basically, your company must be able to provide enough detail about a given activity to demonstrate that it was handled appropriately. You can’t just throw up your hands and say, “We didn’t do anything wrong, but we can’t demonstrate it because our records aren’t in order.”
The takeaway
You may be able to say that you have controls in places, such as policies and training, but these won’t work unless you have actual stops -- moments built into business processes -- with specific steps designed to make sure there isn’t corruption. Non-financial controls are essential for providing a check on your organization’s business activities.
