Financial Controls

This section provides guidance in relation to the requirement that an organisation should implement financial controls which minimise the risk of corruption by, on behalf of, or against the organisation (Measure 15 of the Anti-Corruption Programme for Organisations).

Financial controls are the management systems and processes implemented by the organisation to help it ensure that its finances are being properly managed.  These financial controls are primarily intended to ensure that the financial resources of the organisation are properly used, protected and recorded, and are only paid out to legitimately appointed personnel or business associates for legitimate work properly done.  Most organisations will already have in place financial controls which comply with independently established accounting standards, and will be independently audited.  Organisations which are listed on stock markets will also have to comply with the stock market’s financial control requirements.   The purpose of these controls is therefore much wider than corruption prevention.  However, these controls can also have an anti-corruption effect, and, in designing and implementing these controls, the organisation should consider and take account of their effectiveness in reducing corruption risk.

From a corruption prevention perspective, the organisation should undertake a risk assessment of the corruption risks which face the organisation (see Organisation Corruption Risk Assessment), and then assess the extent to which its existing financial controls help reduce these corruption risks.  The organisation should consider whether enhanced financial controls would help reduce or further reduce the assessed risks, and if, so, enhance the controls as far as is reasonable and proportionate.

Financial controls which may have a beneficial anti-corruption impact are listed below.  The following list does not attempt to include all possible controls.  The type and extent of control will depend on the organisation and the corruption risks it faces. There is sometimes an overlap between these recommended financial controls and other controls recommended on other GIACC web-pages (e.g. Commercial Controls, Procurement Controls, Decision-Making Process).  It does not matter under what management control category the organisation deals with these issues, as long as they are dealt with adequately in a reasonable and proportionate manner.

(1) Approval should be given by a person(s) of appropriate seniority

The authorisation of expenditure and payment in relation to transactions which carry a more than low corruption risk should require the approval of a manager(s) of appropriate seniority (See Decision-Making Process).

(2) Approval should be given by a sufficient number of persons

The authorisation of expenditure and payment in relation to transactions which carry a more than low corruption should require the approval of more than one appropriate manager. In the case of high corruption risk transactions, the approval of the Board could be required. The organisation may determine that small low risk transactions do not need a second approval. (See Decision-Making Process). Such approvals should be given only after appropriate checks and enquiries have been made. For example, if a manager wishes to pay a bribe on behalf of the organisation, or to obtain reimbursement for a bribe that the manager has paid out of the manager’s own funds, then the manager will need to obtain funds from the organisation. The risk of this occurring is reduced if a second manager is obliged to countersign the request, and is obliged to make reasonable enquiries as to what the payment is for, and to undertake reasonable checks on the supporting documentation. While it is possible that the manager may lie about the transaction and falsify the documentation, it makes it more difficult than if the manager could approve the payment without a second signatory.

(3) Where appropriate, there should be a separation of duties between approvers

In relation to more than low corruption risk transactions, persons from the same department or function should not be able to both initiate and approve a payment. Therefore, in addition to requiring two signatures as per paragraph 2 above, the organisation could ensure that the second signature is from a different department or function. This reduces the risk of a conspiracy between the two managers (e.g. the risk that a bonus based on department or function success could corruptly influence two managers from the same department or function).

(4) Ensure that the payee’s appointment and work, services or supplies carried out have been approved by the organisation’s relevant approval mechanisms

In addition to having appropriate approval mechanisms in place for the appointment of a business associate (see Procurement Controls), the organisation should have processes in place to verify that the work has actually been carried out effectively by the business associate (see Commercial Controls). From a financial control perspective, no payment should be made to a business associate unless the finance department has evidence that both the appointment and work carried out have been properly approved under the organisation’s procurement and commercial controls.

(5) Require the appropriate supporting documentation to be annexed to payment approvals

The person(s) approving the relevant payment should easily be able to inspect the appropriate appointment and approval documentation so that they can verify, on the face of the documents, that the payment is appropriate. Therefore, the documentation should be attached to the payment request, or be easily accessible (e.g. in an on-line filing system).

(6) Restrict the use of cash and implement effective cash control measures

If cash is readily accessible (i.e. in a site cash box, or through the use of corporate debit cards), then this makes it easier for a manager to pay a bribe out of cash without having to go through the approval processes referred to above in advance of making the payment. The organisation will be unable to stop the payment if it is discovered when it has already been made. It may also be difficult to identify the recipient or prove that the cash was received (which is much easier when using bank transfers). The use of cash by the organisation should preferably, therefore, be eliminated, or at least be restricted to very small payments and be strictly controlled.

(7) Be cautious of payments to off-shore jurisdictions

Avoid payments to off-shore jurisdictions, unless there are good legitimate reasons for this payment location.

(8) Verify payee location

Ensure that payments are made to a payee in the same location in which the payee resides and/or carries on business, unless there are good legitimate reasons for payment to another jurisdiction.

(9) Ensure that payment categorisations and descriptions in the accounts are accurate and clear

Bribes can be concealed in the accounts by falsely describing them as commissions, fees or expenses. The organisation’s accounting system should, therefore, be carefully categorised and controlled so that all payments are accurately described and recorded. In the event that the organisation discovers that a bribe or facilitation payment has been paid, it should be separately categorised in the accounts while the organisation takes appropriate action to investigate and deal with the issue, so that no accounting offence is committed. Note that in many jurisdictions, falsely describing an entry in the accounts can constitute a criminal offence.

(10) Implement periodic management review of significant financial transactions

The organisation should implement a management review process for significant financial transactions. For example, on a monthly basis, the project manager and responsible finance manager could examine significant transactions by way of sample. The finance manager could question the project manager on these transactions (e.g. How was the contractor or supplier selected? What was its scope of work? Has the milestone on which the payment became due actually been satisfactorily achieved?).

(11) Implement periodic financial audit

The organisation should implement appropriate financial auditing of its processes and expenditure. This audit could be by either or both an internal or external audit process. In many jurisdictions, external audits are compulsory.

Examples of the successful operation of financial controls in preventing corruption

The following are three examples of how the operation of a combination of some of the above financial controls and the organisation’s procurement and commercial controls may successfully prevent a potential corrupt act:

Example 1: 

The organisation’s sales director wishes to secure a contract for the organisation, and agrees to pay a secret and illegal fee of $100,000 to a government official in return for the official approving the contract. The sales director requests the organisation’s accounts department to pay $100,000 to a bank account nominated by the official. The organisation’s financial controls prevent a payment of this size being made by the organisation’s accounts department unless:

  1. following a proper procurement process, a contract has been placed with the payee by the organisation’s procurement department, which has been approved by two of the organisation’s managers with authority to approve contracts of $100,000; and
  2. two managers from the organisation’s operations department have signed an appropriate document that work has been done by the payee to a value of at least $100,000 and that payment is due; and
  3. an invoice has been submitted by the payee, showing the same name of payee and amount as on the contract and work approval; and
  4. a copy of the contract and work approval is attached to the invoice, or is available to be viewed on the organisation’s on-line management system; and
  5. two authorised signatories (one from accounts department and one director) have signed the payment approval, having reviewed the invoice, contract and work approval, and verified that the documents are correct and that the relevant signatories have approved those documents.

The procurement department should not place a contract without a legitimate commercial need for legitimate work or services, and without a competitive process (see Procurement Controls and Commercial Controls). In this case, there were no legitimate work or services, and there would have been no competitive procurement process. The operations department should not approve work done unless legitimate commercial work or services have actually been provided. In this case, they would not have been. Therefore, unless there is agreement with knowledge of the circumstances by all of the managers involved above, or unless some of them are negligent in their review, it is very unlikely that the sales director will succeed in getting the payment made to the official due to the strength of the organisation’s controls.

Example 2: 

A site manager of the organisation is required to pay a facilitation payment of $100 to a customs official in order to get the organisation’s equipment released by customs. He pays from his personal cash, and tries to claim reimbursement from the organisation. The organisation prohibits facilitation payments, and requires all cash reimbursement claims to be backed up by a receipt and valid reasons. The manager can provide neither and, provided that the accounts personnel are alert, they will not reimburse a payment of this nature. Therefore, to get reimbursed the manager would need to fabricate a receipt and reason, which is possible, but is less likely as he should be aware that he would be committing fraud on the organisation.

Example 3

The organisation’s contracts manager is having difficulty obtaining agreement from a client for a variation. He takes all the client’s site managers to an expensive restaurant and night club, at a cost of $250 per person, believing that this entertainment would help improve personal relations with the client’s managers, and so help with negotiation of the variation. He pays on his company credit card. This entertainment is contrary to the organisation’s gifts and hospitality policy, which prohibits all of (1) hospitality at a cost of over $50 per person, (ii) hospitality which could improperly influence a contractual outcome; and (iii) entertainment at a night club. The organisation’s accounts department identifies the expenditure on the company credit card bill in its review at the end of the month. They query it with the manager. An investigation is implemented. The manager is found to have breached the organisation’s policy and is disciplined. The client has not issued the variation in question, so no outcome resulted from the entertainment. An e-mail is sent to all staff warning against this type of occurrence. In this case, although the financial controls did not prevent the occurrence, they allowed it to be discovered, and for the organisation to react appropriately. [Note also in this case that the organisation would probably need to take legal advice to ascertain whether the entertainment could have breached applicable law, and, if so, what actions the organisation would need to take in addition to the above. For example, notify the client, and/or notify the authorities].

Implementation checklist for Measure 15

  1. The organisation should identify from its Organisation Corruption Risk Assessment the categories of corruption risk which could be minimised by good financial controls.
  2. The organisation should assess whether its existing financial controls are effective in reducing these corruption risks to an acceptable level.
  3. In cases where the organisation assesses that its existing financial controls do not adequately reduce the corruption risk to an acceptable level, the organisation should consider whether enhanced financial controls would reduce the risk appropriately.  If yes, and if reasonable and proportionate, the organisation should implement these enhanced financial controls.
  4. In undertaking the above assessment, the organisation should measure its financial controls against the suggested controls in paragraphs 1 to 11 above.  It should also take account of the effect of other applicable controls (e.g. Procurement Controls and Commercial Controls), as it may be the cumulative effect of these controls which reduces the corruption risk to an acceptable level.
  5. The organisation should ensure that an appropriate manager is responsible for implementing and managing its financial controls.
  6. The organisation should document and implement the financial controls.
  7. The organisation should monitor and periodically audit that the financial controls are being correctly followed.

Updated on 10th April 2020