As the pendulum of internal controls swings to a more conservative approach, many middle-market companies and larger, privately held organizations are starting ask, “What about my foreign affiliates?” To be sure, many organizations that have taken a holistic approach to risk management should have identified critical business and financial risks at foreign operations, but many have ignored smaller (less financially impactful) entities. While this may be a cost-effective approach to internal controls, it’s often these small operations that can have a significant control failure (or lack of control to begin with) that results in a material audit adjustment, FCPA violation, or other operational failure.
High-performing, well-controlled organizations establish baseline control objectives throughout the global organization — both from an entity level down to the operations (including sales offices) and from a financial and operational perspective. Smaller foreign operations shouldn’t be required to house a control suite similar to that of its parent organization. These organizations should have certain controls and expectations to meet on a monthly, quarterly, and annual basis that ensure the integrity of financial information is maintained, operational objectives are met, and compliance requirements are upheld.
Whether entering a new foreign market or executing a control health-assessment, organizations are encouraged to understand the current state of internal controls, communicate openly with their foreign entities, and develop a defined work plan to establish a system of internal controls with recurring (not necessarily annual) assessments of the operating effectiveness of those internal controls.