Accounting controls Sapin 2
Is automation of controls sufficient?
As more and more companies embark on the automation of their Sapin 2 accounting controls, some of them are waiting for tools put in place more than they can bring. This delay can lead to project failure and waste valuable time and budget.
Indeed, unlike the messages conveyed by some publishers, the mere fact of having an accounting control tool does not necessarily make it possible to comply with the obligations imposed on companies subject to the Sapin 2 law.
Although it involves risks if the project is not well framed, the implementation of an IT tool to identify risky transactions, document controls and have an audit trail is however the right solution.
The recent publication by the French Anti-Corruption Agency (AFA) of the draft guide dedicated to accounting controls provided for in the Sapin 2 law is the right time for companies that have chosen to automate their controls to question the adequacy of existing solutions with their specific needs and contexts.
What is an anti-corruption audit within the meaning of the Sapin 2 law?
An anti-corruption accounting control is a control operated at the level of a company’s financial services to ensure that accounting transactions do not mask a fact of corruption. It goes beyond traditional financial control by ensuring that the anti-corruption compliance procedures that must be done by operational or support departments have been followed.
Let’s take the example of the fees of business introducers or lobbyists: this nature of expenditure being a possible vector of corruption, the accounting control must make it possible to verify that the expenditure is not related, for example, obtaining a contract or administrative authorization.
Accounting teams must therefore ensure that the types of transactions at risk resulting from the mapping exercise have been subject to operational compliance controls. These controls may, for example, concern the verification of the existence of due diligence of integrity, a formal contract established according to the model defined by the company or a deliverable materializing the reality of the service.
In practice, how to do and where to start?
Corruption risk mapping is the cornerstone of the anti-corruption framework. It should serve as a guide for defining specific anti-corruption accounting controls, before even thinking about their automation. The statutory third-party valuation procedures are also a key element for the definition and execution of relevant and comprehensive anti-corruption accounting controls.
To carry out this exercise, it is essential not simply to «map» the existing controls with the mapping but to establish specific anti-corruption accounting controls to address the corruption risks resulting from the mapping. In addition and to the extent possible, financial transactions with third parties classified by the company as high risk should be monitored.
Anti-corruption accounting controls in the face of IT complexity
While the approach described above may seem obvious, it is nonetheless complex.
A first difficulty of the exercise lies in the need to articulate computer controls, general accounting controls, internal control and anti-corruption accounting controls.
There is also the issue of traceability and documentation of controls, to which the AFA pays particular attention during its audits. This topic is even more complex for companies with multiple accounting information systems.
Thus, the implementation of an IT tool to identify risky transactions, document controls and have an audit trail is the right solution. However, there are risks.
Three tips to avoid pitfalls in setting up an automation tool
Controlling, documenting and tracing are the key words of the AFA in terms of anti-corruption accounting controls.
However, implementing a tool that does not exactly meet its needs and risks is a pitfall that many companies have experienced.
The sizing of requirements in terms of the scope of controls, the ability of the tool to adapt to specific risks and to evolve the controls according to the test campaigns and the context of the company are key parameters to anticipate for the choice of its solution.
A few simple recommendations can help avoid investments that may prove unsuccessful:
- Determine its appetite to entrust to a third party its data, by nature sensitive since corresponding to risky operations, and to store them on an environment that may not be fully controlled: cyber risks, GDPR risks, risks related to the different jurisdictions in which the company operates, etc.
- Assess the ability of the tool to capture and report transactions that are really at risk in order to avoid being buried under the transactions to be analyzed: the regulator would not understand that transactions identified as “at risk” are not subject to verification.
- Ensure the possibility of developing specific controls within the selected tool, beyond the «off-the-shelf» control libraries, according to the particular context of the company concerned.
In addition to these three points, the best tools on the market make it possible to document directly in the tool the checks carried out, to upload the controlled parts and to set up automated validation circuits onmeasurement, depending on the types of controls but also entities, systems, etc.
The tool must also allow perfect traceability of controls and quickly give, through a dashboard or a specific report, the results of a test campaign.
All these elements are fundamental in the reflection to be conducted to set up a tool to automate the realization of accounting controls in accordance with the Sapin 2 law, relevant and proportionate with regard to the activity and context specific to the company concerned.
Sapin 2: what support in the implementation?
Some companies opt for support from their teams to define, deploy and automate their Sapin 2 accounting controls. This support can be both business and digital. It can range from defining the control strategy to investigating complex cases, developing specific controls and training teams.