Question

In quantifying the need for Internal Control, we generally look at the risk associated with a particular process or entity. Answer the following questions regarding risk & internal control:

1. What are the two components generally used to assess risk, and what do they mean?

2. Why is an awareness of risk useful for the application of internal control? What would happen if risk were not accounted for in internal control?

3. Give three examples of specific internal controls, and explain a scenario/risk that each would be effective at reducing.

Answer 1

Risk Components are: The event that could occur – the risk, The probability that the event will occur – the likelihood, The impact or consequence of the event if it occurs – the penalty (the price you pay).

Effective internal control reduces the risk of asset loss, and helps ensure that plan information is complete and accurate, financial statements are reliable, and the plan's operations are conducted in accordance with the provisions of applicable laws and regulations. ... Why internal control is important to your plan.

Last week’s announcement by the Securities and Exchange Commission (SEC) of the resolution of its outstanding Foreign Corrupt Practices Act (FCPA) enforcement action with Halliburton Company continues to resonate and provide lessons for the compliance practitioner. [Full disclosure – I am a Halliburton shareholder] I wanted to continue to explore the enforcement action around the issue of internal controls, their effectiveness (or lack thereof) and management over-ride of internal controls.

In a Cease and Desist Order which also covered former employee Jeannot Lorenz, the SEC spelled out a bribery scheme facilitated by both a failure and over-ride of company internal controls. The matter involved Halliburton’s work in Angola with the national oil company Sonangol, which had a local content requirement. The nefarious acts giving rise to the FCPA violation involved a third-party agent for Halliburton’s contracts with the state-owned enterprise.

According the SEC Press Release, this matter initially began in 2008 when officials at Sonangol, Angola’s state oil company, informed Halliburton management it had to partner with more local Angolan-owned businesses to satisfy local content regulations. The company was successful in meeting the requirement for the 2008 contracting period.

However, when a new round of oil company projects came up for bid in 2009, Sonangol indicated, “Halliburton needed to partner with more local Angolan-owned businesses in order to satisfy content requirements.” The prior work Halliburton had on local content was deemed insufficient and “Sonangol remained extremely dissatisfied” with the company’s efforts. Sonangol backed up this dissatisfaction with a potential threat to veto further work by Halliburton for Sonangol. It was under this backdrop that the local business team moved forward with a lengthy effort to retain a local Angolan company (Angolan agent) owned by a former Halliburton employee who was a friend and neighbor of the Sonangol official who would ultimately approve the award of the business to Halliburton.

PREVENTIVE CONTROLS

Preventive controls aim to decrease the chance of errors and fraud before they occur, and often revolve around the concept of separation of duties. From a quality standpoint, preventive controls are essential because they are proactive and focused on quality.

Examples of preventive controls include:

• Separation of duties
• Pre-approval of actions and transactions (such as a Travel Authorization)
• Access controls (such as passwords and Gatorlink authentication)
• Physical control over assets (i.e. locks on doors or a safe for cash/checks)
• Employee screening and training (such as the PRO3 Series to increase employee knowledge)

DETECTIVE CONTROLS

Detective controls are designed to find errors or problems after the transaction has occurred. Detective controls are essential because they provide evidence that preventive controls are operating as intended, as well as offer an after-the-fact chance to detect irregularities.

Examples of detective controls include:

• Monthly reconciliations of departmental transactions
• Review organizational performance (such as a budget-to-actual comparison to look for any unexpected differences)
• Physical inventories (such as a cash or inventory count)