Combining internal audits with anti-corruption compliance monitoring

 

Detecting illegal payments concealed in accounting records is a top priority both for internal audit and anti-bribery compliance. Corruption risk is a significant and growing concern for global companies. Many countries are passing and enforcing extra-territorial anti-corruption legislation, and tips to the authorities are increasing because of financial incentives. Improper payments are difficult to identify. They could be disguised as agent and third party commissions, fees and expenses. Other schemes may be more complicated such as inflated invoices, deceptive commission arrangements, and the use of a complex web of intermediaries, shell companies and bank accounts.


Specific anti-bribery controls, performed by the 3 Lines of Defense, should be proportionate to the risks created by each type of transaction. Compliance and internal audit should agree on the same risk factors and its assessment to combine their scope in testing and monitoring.


The bribery and illegal payment risks are usually linked to:

• where the service is provided, the payment is requested, and the supplier is domiciled (eg. high perceived corruption or tax haven countries, new market sectors, off-shore jurisdictions)
• who is involved (eg. public officials, small companies, new vendors, due diligence with comments/red flags, subcontractors, associations and JVs, requirements of associated persons)
• what service is provided (eg. consultancy, licenses, customs and shipping services, public procurement, complex or new projects, incentives and pressures to complete a project)
• how the service is contracted and paid (eg. the payment method, pre‐determined flat fee, success fees, commission clauses, reimbursed expenses, deal type)

Risk mapping for corruption should balance “the where”, “the who”, “the what” and “the how”. Many companies often link their bribery risks only to high-corruption countries, and they are missing the general environment for a transaction.



Both compliance and internal audit are aimed in developing effective financial and commercial controls to mitigate bribery risks, as well as, money laundering and occupational fraud in general. Since the control objectives and the bribery risk map are shared, both areas can coordinate their actions to get the same comfort level while being accountable for their specific responsibilities. Internal audit will benefit from sharing its work programs with compliance to be focused on key controls and to avoid any duplication of efforts. As well as, compliance will benefit from receiving the audit reports and monitor the remediation plans to relocate its program to areas of heightened scrutiny.



Compliance and Internal Audit may combine their reviews to detect illicit payments by separating the process into 3 stages: design, control efficiency and monitoring. The following chapters suggest ideas for a collaborative approach.


Testing the control design by Internal Audit

-          Review of segregation of duties in approving new vendors, contracts, service receptions and payments, assuring the appropriate seniority of approvers and their effective counterbalance.

-          Review of  anti‐corruption obligations in contracts with business partners and the appropriate indemnities and warranties clauses.

-          Ensure that the accounting staff is trained to properly book to proper purchasing and payment categories, and to add meaningful and clear descriptions for entries. No auxiliary spreadsheet should support a global journal entry without disclosing itemized information about the service and the supplier.

-          Ensure that the financial controllers are trained about the anti-bribery, travel and expense rules, cash and bank controls, and how to identify red flags.

Substantive testing for control efficiency by Compliance (reassured by Internal Audit)

-          Test the effectiveness of the pre-contract due diligence, the verification of services and the fairness of the paid amount by selecting payments linked to all levels of risk (including any suspiciously unnecessary contracting by non-statistical sampling). Focusing the payment testing only to high-risk transactions or statistical sampling may be ineffective to cover all risks.

-          Audit of third parties (on‐site compliance audits): background checks on executives, owners and assigned employees (party screening); assure the training on extortion and bribery provisions and controls for vendor employees; and confirm the circumstances under the third party was engaged and instructed; check that the service was engaged after the due diligence was finished.

-          Review the existence of enquiries from the approvers to validate the service legitimacy. Approvals should be based on a statement of received services, summarizing the woks and deliveries provided. The review need to cover the disclosed conflicts of interest.

Monitoring by Compliance (quarterly watch-lists to trigger specific reviews by Internal Audit)

-          Automatic queries to list gifts, meals, entertainment, travel expenses, sponsorships, and political and charitable contributions to link them to the approval by sr. executives and limits.

-          Automatic queries to list payments to third parties, including vendors, suppliers, resellers, distributors, agents and consultants (lawyers and accountants).

-          Payments to offshore bank account or in different locations or currencies.

-          Automatic queries to list upfront payments, advances and customer rebates.

-          Out of tendency paid commissions by type of service or versus monthly average.

-          Substantial price increases or decreases.

-          Automatic queries to highlight changes in lease expenses, in particular for equipment.

Get the latest in corporate governance, risk, and compliance on Twitter

How Taxes Are Computed by SAP FI-AP/AR

In this post, I am summarizing the process on how taxes are managed in SAP and its involved reports. SAP is able to manage different taxation systems to comply with local regulations. Generally speaking, taxation systems can be related to input taxes (taxes on purchases) and output taxes (taxes on sales). Consumption taxes included by those systems can be classified as value added tax, taxes on sales or usage, country specific additional taxes, and withholding taxes. In the case of other complex types of taxations, SAP provides an interface to support third party software to determine local tax allocations.


SAP follows a logic to calculate taxes consisting of an access sequence and a condition type. The access sequence arranges condition tables to be used according to the field contents (eg. first calculate the VAT, then the withholding VAT). The condition table is the model to calculate the tax amount (eg. percentage on the total sale value or fixed amounts). Both tables create a tax procedure for each country. An account key links the tax procedure to the posting in the GL accounts. SAP has a number of predefined account keys.


The tax code (FTXP, tables T007a / s) is the main link to calculate, verify and post taxes for each country. Each tax code is assigned to country specific tax procedure to enter a G/L from a document (eg. Invoice or sales order). SAP includes predefined tax code templates for each country (including the relationship between the tax types (Sales Tax) with tax rates. SAP needs the posting keys, rules to determine the account (tax code or account key) and operative tax accounts to automatically assign taxes.


In addition, SAP can process single level taxes (eg. VAT in Europe, South Africa and Australia) and multi level taxes by jurisdictions (eg. state or city specific, US, Brazil, India). In order to adjust the access sequences to the multi level taxes, jurisdiction codes are created to determine the local tax rate. In conjunction with a tax code, a jurisdiction code determines the amount of tax (and is breakdown among jurisdictions). Jurisdiction codes are made up of multiple levels: state (first 2 digits), county (next 3 digits) and city (last 3 digits).


Tax categorization in SAP involves several modules. In SAP SD, it specifies if a customer is liable of sales taxes for each country in the pricing process. In SAP MM, it specifies the applied tax at a material, plant and account category level in the sales process. In SAP Fi, the G/L master record specifies whether or not a posting without tax is allowed. The tax category determines which type of tax should be applied (e.g. input tax only). Customers and vendors are defined as either taxable or tax-exempt.


Standard tax reports in SAP are country specific and pre-defined to meet the standards set up by those countries. There are several useful reports to control how revenue taxes are set:

J1I2 Display Sales Tax Register by entering company code, posting date (fiscal year), ledger and condition type
Report RFUMSV00 Advance Return for Tax on Sales/Purchases
FTXA Display a Tax Code, SAPMF82T Report to Generate FTXP
FMBGUL S Sales Tax List, RFFMBGA Report to Generate FMBGUL
FMBG3 Display Input Tax Adjustments
FO8D Display Input Tax Distributions
GJVA Advance Tax Report

Offshoring Finance Activities in Buenos Aires (Shared Services Centers)

Organizations follow the strategy to integrate, consolidate, and standardize processes as part of success of continuous improvement initiatives. The creation of Shared Services Centers (SSC) plays a key role in this strategy. These entities are responsible for the flawless execution of operational tasks mostly related to accounting, payroll/HR, IT, auditing and supply chain functions. Their functions are migrated from corporate headquarters and subsidiaries, and then, standardized for better implementation (eg. process streamline, elimination of duplicative or non-value added activities, staffing rationale). SSCs are location sensitive in terms of labor costs/market and operational security. In the last years, Buenos Aires was chosen as a major business hub for SSCs. Buenos Aires is a preferred platform because of the sizable qualified staff, availability English/Spanish bilinguals, good communication infrastructure, time-zone between Europe and US, top international living standard, Western European culture, workforce flexibility and cost competitiveness.

I will describe the current SSC projects related to accounting functions in Buenos Aires (Argentina).

Exxon: The ExxonMobil Business Support Center Argentina (Catalinas) was established in Buenos Aires in 2004 to provide centralized services to affiliates in Controlling (Accounting/Processes), Procurement, and Human Resources. Controllers supports the Upstream, Downstream, Chemicals and Corporate functions in Financial accounting & reporting, Fixed Assets and Intercompany accounting, Inventory and Exchange accounting, and AP/AR. It employs 580 professionals.

Chevron Texaco: The Chevron Buenos Aires Shared Services Center serves the LATAM, UK and US region for accounting posting and reconciliation. It typically hires junior and senior accounting analysts, some of them with some experience in SOX and US GAAPs since 2007.

Google: With more than 100 professionals, Google Shared Services (Puerto Madero) supports adwords clients from LATAM, Italy and Spain. Finance is focused on billing, and customer care. Google was chosen as one of the best company to work for by Fortune.

McDonalds. The McDonalds Centro de Servicios Compartidos (Martinez) supports AR, AP, accounting, reporting, planning, administration and controls from the LATAM region from 2007.

IBM: The IBM Service Delivery Centers (Martinez) employs 300 professionals since 2000 (headcount increase is recent). They are currently migrating more activities.

SAP: The SAP Latin America Shared Services Center (Puerto Madero) supports areas related to billing, contact admin, procurement, AR/AP and internal customer care since 2007. The German software developer employs 40 professionals in this center. It supports North American operations (Can&US).

Cargill Shared Services Center delivers services for regional HR and payroll functions.

Other players are DHL Buenos Aires Shared Service Center related to imports/exports, MySpace, Phillip Morris, Huawei, Accenture for consulting and backoffice services, Quilmes (Inbev) for backoffice services, Centro de Servicios Compartidos de SC Johnson (Global Shared Services Center), TMF Argentina and Axial Analytics outsourcing finance services. The Big Four audit firms are implementing global audits and outsourcing to Argentina.