Internal controls are a critical but still poorly understood component of any anti-corruption programme. According to the 2016 Thailand Economic Crime Survey by PwC, 80% of companies in Thailand say they have a formal anti-corruption programme in place and 68% rely on internal audit to ensure the effectiveness of their anti-corruption controls.
But how do such anti-corruption controls differ from other "internal controls", such as controls over financial reporting? And how can a company design robust anti-corruption controls that really work?
Last week, I addressed the Institute of Internal Auditors Thailand about recent corruption cases in the headlines and the forensic audit approach to identifying corruption schemes. Beyond the techniques, let's focus on how to practically design effective internal controls first. A good starting point is to build your controls around known business processes.
1. PROCURE-TO-PAY
Vendor selection and disbursement controls: Value lost due to corrupt vendors can be staggering. For this reason, conducting integrity due diligence -- whether during the new vendor selection process or when renewing an arrangement with an existing vendor -- is a critical component of any anti-corruption controls.
At its most basic, this involves identifying the vendor's bona fides: that it is a known and functioning entity with existing customers and correctly registered with local authorities.
Typical steps may include searching business registration records and performing adverse media searches to validate the existence of the vendor and assess its reputation, track record and relationship with customers, government and even its own employees.
Integrity due diligence can also confirm the ultimate beneficiary owner, and whether there are risks attached to working with that owner.
Thorough vendor qualification and bidding processes reduce the risk that a third party not suited to providing goods or services could become a vendor. A robust process will also screen out vendors that may be part of an overbilling scheme to create a slush fund to make inappropriate payments, such as bribes and kickbacks.
Vendor contracting and payments: The vendor contracting process offers companies an opportunity to further strengthen their anti-corruption controls. The process should include a framework of expectations covering what a vendor will do (e.g. maintain accurate books and records) and what it will not do (pay bribes) on behalf of its customer. A right-to-audit clause provides an opportunity to verify such expectations.
A control mechanism that requires a suitable contract to be on file prior to adding a vendor to the payments module will ensure expectations match reality.
Processes are also needed to verify that the expected goods or services are actually delivered. Consider a control where the buyer or procurement committee reviews and acknowledges receipt of goods or services prior to releasing funds to the vendor.
2. SALES-TO-CASH
Customer identification, vetting and setup: This process offers companies an opportunity to reduce conflict-of-interest risks. It can help identify and screen out entities related to employees and that have been set up for the purpose of reselling services to make a profit on the margin.
Confirming the identity of customers and determining if your goods or services will be on-sold to end customers, and conducting reputation due diligence around both, is a common step to ensure that sales relationships don't expose your company to risk.
Consider implementing a control that prevents making sales to new customers until customer identification and vetting procedures are completed.
Special pricing scrutiny: Special pricing models (discounts, rebates, gifts, etc) can be used by employees to generate excess cash that can be siphoned into a slush fund for inappropriate payments such as kickbacks and bribes. A heavier level of scrutiny over special pricing models and enhanced documentation requirements will help mitigate corruption risk.
When lower prices are offered to a distributor -- and the expectation is that the distributor will, in turn, offer lower pricing to its customer -- consider requiring the distributor to provide a copy of the invoice as a condition for upholding the company's agreement to share in the discount. Not doing so may create a large margin, possibly used for illicit purpose.
3. REIMBURSEMENTS
Ghost employees: Businesses, particularly those with centralised payroll functions and outsourced HR involving full-time, part-time and contract employees, are at risk from "ghost" employees -- people recorded on the payroll but do not work for the business.
If a ghost employee is a relative or friend of an employee -- or if the excess funds generated could make their way into paying bribes -- corruption risk abounds. Periodic review of the payroll, monthly reconciliations of personnel records to payroll, and having payroll personnel deliver pay stubs in person on a surprise basis can enable companies to better identify ghost employees.
Expense reimbursements: Recently, we've seen increasing numbers of cases of phony expense reimbursements aimed at getting cash out of a company to fund inappropriate payments. Specific expense controls, such as elevated approval requirements for larger reimbursements, and other risk-based validation of supporting documents may be a great investment of resources.
Anti-corruption internal controls are widely used in companies in Thailand, but we have observed that they remain poorly understood and implemented and, as a result, threats may multiply.
By taking the proper steps to understand and implement the controls at your disposal, and dedicating your resources appropriately, you can protect and defend your organisation against corruption and ensure the ongoing health of your company.
This article was prepared by Vorapong Sutanont, a forensic services partner of PwC Consulting Thailand, and James Gargas, an advisory services director of PwC US. We welcome your comments at leadingtheway@th.pwc.com