They have been there all along, hiding in plain sight: the Foreign Corrupt Practices Act requirements for internal controls.
The problem is that most compliance practitioners have not been reading them too carefully. What are internal controls in a FCPA compliance program? Aaron Murphy, a partner at Akin Gump and author of “Foreign Corrupt Practices Act,” has said that, “Internal controls are policies, procedures, monitoring, and training that are designed to ensure that company assets are used properly, with proper approval, and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand—where there are recordkeeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”
The Department of Justice and the Securities and Exchange Commission have also clearly articulated the need for internal controls in an effective anti-corruption compliance program. Their latest joint FCPA guidance states, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (for example, approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.”
Moreover, the agencies emphasize the need to tailor these internal controls to the specific environments that the businesses are operating in and the risks they face. “The design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its workforce; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption,” the guidance states.
Two recent FCPA enforcement actions have driven home the need for companies to have robust internal controls. The first came late last year when the Justice Department obtained a criminal plea from Weatherford International. There were three main areas where WFT failed to institute appropriate internal controls, all prior to 2008. First, WFT failed to institute effective internal accounting controls, including corruption-related due diligence on appropriate third parties and business transactions and limits of authority and documentation requirements. Second, WFT did not have adequate internal accounting controls and processes in place that effectively evaluated business transactions, including acquisitions and joint ventures, for corruption risks and to investigate those risks when detected. Finally, WFT also did not have an effective internal accounting control system for gifts, travel, and entertainment. This led to a company practice where expenses were not typically adequately vetted to ensure that they were reasonable, bona fide, and properly documented.
The second case arose this summer involving gun manufacturer Smith & Wesson. The case did not include a criminal charge filed by the Justice Department, but was instead a civil matter handled administratively by the SEC, through an accounting and auditing enforcement. In its order instituting cease-and-desist proceedings, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.”
With the upcoming implementation of the 2013 COSO update, compliance practitioners need to be aware of what these financial reporting and auditing requirements will be so that they can map their anti-corruption internal controls to this recognized standard.
Additionally, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization,” the SEC stated.
Loose Controls, Anemic Compliance
The significance of both cases is that the failure to institute appropriate internal controls was alone the basis of the enforcement actions. In the case of WFT, this was the first time that the Justice Department had pushed through a criminal FCPA enforcement effort based simply upon violations of the internal controls provisions of the FCPA.
“Effective internal accounting controls are not only good policy, they are required by law for publicly traded companies—and for good reason,” Mythili Raman, acting assistant attorney general of the Justice Department’s Criminal Division, said in a statement announcing the WFT enforcement action, “This case demonstrates how loose controls and an anemic compliance environment can foster foreign bribery and fraud by a company’s subsidiaries around the globe.”
Because the case against S&W, however, was an administrative proceeding only and did not even require a civil complaint to be filed in a federal district court, it raises questions about where regulators draw the line on criminal lack of controls. The administrative order stated that Smith & Wesson “violated the anti-bribery provisions of the federal securities laws when it authorized its agents to provide gift guns and make other improper payments to foreign officials in Pakistan, Indonesia, Turkey, Nepal, and Bangladesh in order to induce foreign officials in those countries to award sales contracts to Smith & Wesson.” However in the same order, it noted that while S&W consented to the entry of the order, it did so “without admitting or denying the findings herein.”
Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, said in a statement that, “This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales. When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.”
Identify the Risks
As most compliance practitioners have a more legal-based background and training, they often wonder just how they can be expected to deal with internal controls. It comes down to identifying transaction-level risks and then asking commonsense questions. The first step is to conduct a risk assessment that involves operations and finance management to document, based upon how the company does business, the transaction-level risks. While it is a company’s financial people who propose the necessary internal controls, I do not believe that any lawyer will have difficulty challenging whether the proposed controls make sense.
Moreover, the Committee of Sponsoring Organizations provides a framework, updated last year, for the compliance practitioner to use as a basis to design and then test the effectiveness of internal controls. This provides a structure to ensure companies address the key elements that should result in an effective system of internal controls. That means using the COSO framework provides a very supportable approach when adversarial third parties challenge whether a company has effective internal controls.
Suppose a company uses the COSO framework for internal controls, which is the accepted standard. Some of the key COSO elements that a compliance practitioner should consider begin with the control environment, a major portion of which is tone-at-the-top. Another area is risk assessment, focused on the transaction level, with specific risks identified that could affect the effectiveness of the compliance program. It would also include internal controls around effective monitoring going forward. There should be sufficient internal controls around control activities to ensure these properly address compliance risks. This will focus on the internal controls in place to prevent a violation of a company’s FCPA policies and procedures. There should also be internal controls around communication and information to help ensure there is sufficient and appropriate training, communication of policies and communication of disciplinary action if policies are not followed.
The WFT and S&W FCPA enforcement actions make clear internal controls are not a forgotten part of the FCPA. With the upcoming implementation of the 2013 COSO update, compliance practitioners need to be aware of what these financial reporting and auditing requirements will be so that they can map their anti-corruption internal controls to this recognized standard. While the internal controls provisions of the FCPA may have been little used for enforcement actions in the past, when the government comes knocking, you will need to show that you have such internal controls in place, as the failure to do so may be a FCPA violation.
No comments yet