Internal controls for third parties - a podcast by Thomas Fox

from 2021-01-31T22:10:42.023393


One of the questions GSK faced during the bribery and corruption investigation of its Chinese operations was how an allegedly massive bribery and corruption scheme occurred. Where were the appropriate internal controls? You might think that a company as large as GSK, and one that had gone through the wringer of a prior DOJ investigation resulting in charges for off-label marketing and an attendant Corporate Integrity Agreement (CIA), might have such controls in place.
It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in company policies. It should fall to compliance to finalize and approve a definition of permissible and non-permissible gifts, travel and entertainment, and internal controls will follow from the definition or criteria set by the company. These criteria would include the amount of the spend, localized for areas of increased risk, such as the higher risk recognized in China. Within this context, there are four general internal controls to consider: 1) Is the correct level of person approving the payment/reimbursement? 2) Are there specific controls (and signoffs) showing that the gift had a proper business purpose? 3) Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls? 4) If controls are not followed, is that failure detected?
Obviously, the use of third parties can be a powerful and effective way for a business to achieve its strategic goals. This may be one of the key reasons why third parties are still one of the leading indicia of bribery and corruption. Every compliance program should regularly review its third-party service providers and evaluate internal policies and procedures to ensure compliance.
Three key takeaways:

GSK continues to be an example of the lack of internal controls for third parties in an effective compliance program.

General areas of review for compliance internal controls.

Third parties are still the highest risk of corruption-related issues.
