Transparency International-USA Toolkit
G. Program Audit:

Corporate governance principles are premised on the need for corporate accountability and compliance with laws and regulations that reflect society’s values generally, and the concerns of key stakeholders in particular. In addition, shareholders require reasonable assurance that their assets will be protected against fraud, self-dealing and other corporate malfeasance. To ensure that these objectives are met, anti-corruption laws, such as the FCPA, require that companies implement systems of internal control.

Private sector standards have been formalized in a widely accepted form by the Committee of Sponsoring Organizations (“COSO”) of the Treadway Commission (http://www.coso.org/). COSO defines financial control as a process, effected by an entity’s board of directors, management or other personnel, designed to provide reasonable assurance regarding: 1) the efficiency of operations; 2) the reliability of financial reporting; and 3) compliance with applicable laws and regulations.

To achieve these objectives, effective internal control consists of establishing five interrelated components:

Control Environment – This is what sets the tone of an organization and provides discipline and structure. It includes the integrity and competence of the entity's people; management's philosophy and operating style; and the way management and the board assign authority and responsibility.

Risk Assessment – This entails the identification and analysis of risks to determine how they should be effectively managed. Once risks have been identified, sourced and measured, steps must be taken to avoid, transfer, or otherwise reduce the risks to acceptable levels. As an example, to evaluate the risk of bribery and corruption in the procurement process, one might analyze how engineering may create specifications that favor specific vendors, how purchasing may unfairly award contracts, and how accounting may record kickbacks.

Control Activities – These are the policies and procedures that help ensure that management's directives are carried out. They include such practices as authorization, reconciliation and segregation of duties. Such activities would permeate the entire organization, at all levels and in all functions. Of course, they must be customized to reflect the entity’s specific control environment, objectives, and tolerance for risks.

Information and Communication Systems – These are systems that produce operational, financial and compliance-related reports, and also notify personnel of their role in the internal control system. These systems must provide a means for moving important information to the very top of the organization and for receiving inputs from external parties. As an example, consider information about corrupt practices coming from a whistleblower. The whistleblower could be a marketing clerk within the organization who views incriminating documents or overhears a telephone conversation. The whistleblower could also be an outside vendor who witnesses corrupt practices or is solicited to participate in a fraudulent scheme. Whatever the source, it is important that internal and external information is identified, captured, and communicated in a form and time frame that enables people to carry out their responsibility and protect the company.

Monitoring – This is the process that assesses the quality of the system's performance over time. When deficiencies are discovered, they must be reported and appropriate remedial actions, including internal investigation, must be undertaken.

All five components should be present and functioning effectively to conclude that internal control over operations is effective. For further detail see Audit Guidelines and Compliance Review Questionnaire.