Internal control and assessment

Soulier Avocats assists its clients in the development and implementation of a customized internal control and assessment system that complies with the recommendations of the French Anti-Corruption Agency and allows for the monitoring, evaluation and improvement of anti-corruption measures and procedures implemented.

Article 17, II, 8° of the Sapin 2 Law stipulates that the chairs/presidents, chief executive officers, general managers and managers of companies targeted by said Law must implement:

“a system for internal control and assessment of the implemented measures”.

Intended to ensure that the anti-corruption measures and procedures implemented by the company are appropriate and effective, this internal control and assessment system actually meets four objectives:

  • Monitoring the implementation of anti-corruption measures and procedures and testing their effectiveness;
  • Identifying and understanding any and all deficiencies in the implementation of the measures and procedures;
  • Defining, where necessary, recommendations or other appropriate corrective measures to improve the effectiveness of the anti-corruption program;
  • Detecting, as the case may be, any acts of corruption.

This internal control and assessment system should be structured around three lines of defense:

  • First line of defense. First-line-of-defense actions are preventive and conducted before a decision or a transaction is implemented. Their purpose is to ensure that the tasks that are part of an operational or support process are performed in compliance with the company’s applicable procedures. They may be performed by the operational or support staff or by their supervisor;
  • Second line of defense. Second-line-of-defense actions are detective and conducted on all or part of the decisions or transactions implemented. Their purpose is to ensure that the first-line-of-defense actions are properly executed. They may be conducted randomly or with a pre-defined frequency. They are performed by the compliance officer, the quality department, the risk management department or the management control department;
  • Third line of defense. The purpose of third-line-of-defense actions, also called “internal audits”, is to ensure that the control system complies with the company’s requirements and is implemented effectively and kept up to date.

For each line-of-defense action, the internal control and assessment system must specify the purpose and scope of the action, the person(s) responsible, the control method used (type of action, type of required documentary evidence, etc.), the frequency, the expected formalization, the terms and conditions for disclosing the findings and, as the case may be, the recommended corrective measures as well as the applicable record retention procedures.

Deficiencies must be recorded in a written report approved by the compliance officer.

The effectiveness and adequacy of the measures and procedures implemented by the company under its anti-corruption program must be regularly assessed by third-line-of-defense actions.

As such, for each measure, procedure or device provided for under Article 17 of the Sapin 2 Law, first-line, second-line and third-line-of-defense actions must be defined and implemented. Any measures or procedures put in place, as the case may be, by the company in addition to those provided under the Sapin 2 Law should also be covered by the internal control and assessment system.

The French Anti-Corruption Agency recommends that this internal control and assessment system focus on the following elements[1]:

Risk mapping

First line of defense: First line of defense actions relating to the risk map cannot be performed until the map is drawn up and after each update.

Second line of defense: The Department that is responsible for overseeing the anti-corruption program and that took part in the preparation of the risk map or its updates cannot perform second-line-of-defense actions.

Third line of defense:

  • Review of the scope of the risk map, the methodology used and the deployment of the associated action plans.
  • Analysis of the deficiencies found and incidents that have occurred.
  • Analysis of the governance and proper allocation of resources.
  • Analysis of the systemic nature of risk mapping, including but not limited to:
      - Analysis of the illustrations provided in the code of conduct with regard to the risks identified in the risk map;
      - Analysis of the targets and content of training with regard to the risks identified in the risk map;
      - Analysis of incidents reported by whistleblowers or found by accounting audits, and of their consequences for the update of the risk map;
      - Analysis of the adequacy of third-party due diligence with regard to the risks identified by the map.

Code of conduct

First line of defense: Approval of the actions or situations governed by the policies and procedures included in or annexed to the code of conduct (in particular hospitality and gifts).

Second line of defense:

  • Periodically monitoring the proper implementation of first-line-of-defense actions.
  • Sampling to monitor compliance with the policies and procedures included in or annexed to the code of conduct.
  • Review of the content of the code of conduct with regard to legal requirements, the risk map, and the incorporation of the code of conduct into the internal rules and regulations of the relevant entities.
  • Ensuring that each of the illustrations provided for in the code of conduct remains relevant following each update of the risk map.

Third line of defense:

  • Monitoring the proper implementation and effectiveness of the first-line and second-line-of-defense actions.
  • Analysis of the communication, dissemination and accessibility of the code of conduct and the policies and procedures included therein or annexed thereto.
  • Analysis of the systemic nature of the code of conduct, including but not limited to:
      - Critical analysis of the content of the code of conduct with regard to the risk scenarios identified in the map and to the incorporation of the code of conduct content into the training and awareness program.

Training and awareness program

First line of defense: Monitoring the attendance of the relevant employees and the knowledge acquired during training sessions.

Second line of defense:

  • Periodic monitoring of the proper implementation of first-line-of-defense actions.
  • Ensuring that training content is appropriate for target audiences and their potential risk exposure, as identified in the risk map.
  • Review of the attendance of the relevant employees and potential sanctions for failure to attend training sessions.

Third line of defense:

  • Monitoring the proper implementation and effectiveness of the first-line and second-line-of-defense actions.
  • Analysis of the governance and proper allocation of resources.
  • Analysis of the systemic nature of the training and awareness program, including but not limited to:
      - Analysis of the targeting and content of training for managers and the staff with the greatest exposure to the risks identified in the risk map;
      - Ensuring that references to the code of conduct and internal whistleblowing system are clear.

Third-party due diligence

First line of defense: Monitoring the implementation of third-party due diligence procedures.

Example – It is necessary to check, before entering into a business relationship with a new supplier, the following elements:

  • The proper delivery of all the documents required under the procedure (list of beneficial owners, answers to a questionnaire, etc.);
  • The proper conduct of the necessary research (open sources, databases, etc.);
  • The consistency of the assessment with the documentary evidence analyzed;
  • The proper formalization of the decisions to enter, or not to enter, into a business relationship with the new supplier.

Second line of defense:

  • Periodic monitoring of the proper implementation of first-line-of-defense actions, on the basis of a representative sampling;
  • Checking the proper implementation of due diligence measures and the effective monitoring thereof;
  • Checking the proper implementation of third-party due diligence assessment updates;
  • Monitoring the appropriateness of the due diligence measures implemented.

Third line of defense:

  • Monitoring the proper implementation and effectiveness of the first-line and second-line-of-defense actions.
  • Analysis of the systemic nature of the third-party due diligence process, including but not limited to:
      - Monitoring the adequacy of third-party due diligence with regard to the risks identified in the risk map.
      - Ensuring that accounting control systems are updated with regard to the risks identified in third-party due diligence assessments.

Internal whistleblowing system

First line of defense: Monitoring the proper deployment and the proper use of the whistleblowing procedure.

Examples:

  • Monitoring the accessibility to the whistleblowing channels and broad-based communication about the whistleblowing system;
  • Monitoring the analysis of the admissibility of the whistleblower reports and the identification of the roles and responsibilities within the team in charge of the investigation;
  • Monitoring the procedures for closing investigations and for notifying the close of an investigation;
  • Monitoring sanctions and action plans;
  • Ensuring that confidentiality and anonymity are always maintained;
  • Monitoring the follow-up of protection measures.

Second line of defense: Periodic monitoring of the proper implementation of first-line-of-defense actions, on the basis of a representative sampling.

Third line of defense:

  • Monitoring the proper implementation and effectiveness of the first-line and second-line-of-defense actions.
  • Qualitative and quantitative analysis of the whistleblower reports received over the reference period (channels used, issues raised, etc.).
  • Monitoring the adequacy of the responses given to the reports received.
  • Analysis of the systemic nature of the whistleblowing system, including but not limited to:
      - Checking what consideration is given to whistleblower reports when updating the risk map, third-party due diligence procedures and accounting controls.
      - Checking that employees are trained/informed about the whistleblowing system and that the persons responsible for processing whistleblower reports receive special training for this purpose.

Accounting controls

First line of defense:

  • Automated monitoring of some transactions.
  • Monitoring approval authority.
  • “Four eyes rule”: Review by an employee other than the one recording the transaction.
  • Monitoring the proper application of anti-corruption accounting controls before the completion of the relevant transaction.

Second line of defense: Periodic monitoring of the proper implementation of first-line-of-defense actions after transactions are completed, on the basis of a representative sampling.

Third line of defense:

  • Monitoring the proper implementation and effectiveness of the first-line and second-line-of-defense actions.
  • Analysis of the proper implementation of accounting controls and the proper allocation of resources.
  • Analysis of the appropriateness of the accounting controls with regard to the risks identified in the risk map.
  • Analysis of the systemic nature of the accounting control system, including but not limited to:
      - Critical analysis of existing accounting control measures with regard to updates of the risk map.

Disciplinary system

First line of defense: Compliance of the disciplinary system cannot be monitored until sanctions are imposed.

Second line of defense:

  • Monitoring sanctions imposed for each incident.
  • Ensuring that the sanction is appropriate for the incident.

Third line of defense:

  • Monitoring the proper implementation and effectiveness of the second-line-of-defense actions.
  • Analysis of the systemic nature of the disciplinary system, including but not limited to:
      - Analysis of the sanctions imposed, the need to enhance senior management’s communication or the need for further training about a specific measure provided for under the anti-corruption program.

[1] The data are derived from the latest recommendations of the French Anti-Corruption Agency.