At the turn of the century, in 2001 one of the biggest corporate frauds was uncovered in the United States when Enron filed for bankruptcy. As a result, legislation was passed in the US that was called Sarbanes Oxley or SOX in short which placed responsibility on company management and imposed criminal penalties to ensure that the right internal controls were put into place and management also had to certify that the financial statement were free of material misstatement.
Over time many other countries adopted similar frameworks to ensure internal controls were in place to prevent or detect fraud. However this requirement only applies to public companies. The lack of a legal requirement to place internal controls does not absolve management to lay a good controls framework and to ensure the company assets are safeguarded. But there are times when management itself may not subject themselves to implement good corporate governance and focus on internal controls. Without good corporate governance, integrity and business ethics even smaller, privately held companies could be exposed to fraud and potential criminal penalties in some jurisdictions.
For example, in Singapore, bribery is an offence. Under the Prevention of Corruption Act, 1960 (PCA) defines corruption and bribery as an offence punishable under the law. Whether the company is public or private and even individuals can be prosecuted under the act. Therefore organizations need to be mindful about compliance local and international laws for countries where they have operations and ensure that policies and procedures are in place for establishing a good internal control environment.
When leadership sets the right tone at the top and investigates all allegation of impropriety, fraud and illegal conduct, it protects the reputation and brand value of the business as well as sets the right values in place for the organizations continued viability.
It is therefore important to document a policy and procedure manual or an internal controls framework across all areas of the business. The framework should cover both routine and non-routine transactions with appropriate authorizations, delegation of authority, approval limits, system access controls and regular testing of these controls for effectiveness. With the right segregation of duties it is possible to minimize the opportunity for fraud, collusion or misappropriation of assets.
For public companies, regular testing of documented processes is required to assess the efficiency of the stated controls. When any weaknesses are identified, or when processes are changed, systems are updated, or any change occurs that renders the previous documentation invalid, management must ensure that the policies are updated with a view to establish the proper internal controls.
Ezee consultants have extensive experience with implementing Sarbanes Oxley requirements including documentation of controls, fixing gaps and testing for effectiveness of stated controls and can help in designing appropriate internal control environments for their clients.