An effective internal controls system, including policies and procedures, to identify, interdict, escalate, report, and keep records about activity that may be prohibited by the regulations and laws administered by authorities.
The purpose of internal controls is to outline clear expectations, define procedures and processes for OFAC compliance, and minimize the risks identified by the organization’s risk assessments. Policies and procedures should be enforced, weaknesses should be identified and remediated, and internal and/or external audits and assessments of the program should be conducted periodically.
Internal Controls
Given the dynamic nature of U.S. economic and trade sanctions, a successful and effective sanction compliance program should be capable of adjusting rapidly to changes published by OFAC.
These include the following:
- Updates to OFAC’s List of Specially Designated Nationals and Blocked Persons (the “SDN List”), the Sectoral Sanctions Identification List (SSI List), and other sanctions lists.
- New, amended, or updated sanctions programs or prohibitions imposed on targeted foreign countries, governments, regions, or persons, through the enactment of new legislation, the issuance of new Executive orders, regulations, or published OFAC guidance or other OFAC actions.
- The issuance of general licenses.
OFAC compliance programs generally include internal controls, including policies and procedures, to identify, interdict, escalate, report, and keep records about activity that is prohibited by the sanctions programs administered by OFAC. The purpose of internal controls is to outline clear expectations, define procedures and processes for compliance, and minimize the risks identified by an entity’s risk assessments.
The organization has designed and implemented written policies and procedures outlining the SCP. These policies and procedures are relevant to the organization, capture the organization’s day-to-day operations and procedures, and are designed to prevent employees from engaging in misconduct.
The organization has implemented internal controls that adequately address the results of its risk assessment and profile. These internal controls should enable the organization to clearly and effectively identify, interdict, escalate, and report to appropriate personnel within the organization transactions and activities that may be prohibited by OFAC. The organization enforces the policies and procedures it implements as part of its OFAC compliance internal controls through internal and/or external audits.
The organization ensures that its OFAC-related recordkeeping policies and procedures adequately account for its requirements according to the sanctions programs administered by OFAC. The organization ensures that its internal controls about sanctions compliance, identify and implement compensating controls until the root cause of the weakness can be determined and remediated.
The organization has communicated the policies and procedures to all relevant staff, including personnel within the compliance program, as well as relevant business segments operating in high-risk areas, and to external parties performing SCP responsibilities on behalf of the organization.
The organization has appointed personnel for integrating the SCP’s policies and procedures into the daily operations of the company or corporation. This process includes consultations with relevant business units and confirms the organization’s employees understand the policies and procedures.
Final Thoughts
Internal control is a process carried out by a company’s board of directors, management, and other personnel to provide reasonable assurance that information is reliable, accurate, and timely. In terms of adhering to applicable laws, regulations, contracts, policies, and procedures.
