January is named for the two-headed Roman god, Janus, who looks to the future and the past. I thought this visual concept was an appropriate introduction for the subject of COSO, internal controls, and Foreign Corrupt Practices Act enforcement going forward.
I recently wrote about the importance of effective internal controls under FCPA enforcement. That’s the rear-facing view for Janus as he relates to compliance officers. But Janus looks forward as well, and I suspect that one thing we will see in FCPA enforcement going into 2015 and beyond is the Securities and Exchange Commission using the COSO framework to evaluate corporate internal controls that come into question during an anti-bribery probe.
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, whose 1987 report calling for stronger corporate oversight led to the original framework for internal control over financial reporting back in 1992. The “COSO model” became the standard for assessing internal control as required by the Sarbanes-Oxley Act, and it provided a structure for companies to address the key elements that should result in an effective system of internal control.
Still, 1992 is now a long way in the past, and COSO introduced an updated framework in 2013. It goes into effect for companies’ first annual reports filed on or after Dec. 15—which means, for the roughly 80 percent of U.S. companies that work on a Dec. 31 fiscal year-end, the new COSO framework goes into effect right now.
The COSO framework provides a supportable approach when adversarial third parties—like, say, an SEC staff attorney investigating possible books and records violations under the FCPA—challenge whether your company has effective internal control. COSO defines the fundamental elements of effective internal control as follows: (a) control environment, (b) risk assessment, (c) control activities, (d) information and communication, and (e) monitoring. Visually, those five elements are represented as one dimension of the famous “COSO cube.”
The COSO 2013 framework (also informally known as “COSO 2.0”) articulated 17 principles to further explain and provide structure to each of the five key points. The control environment, for example, has five principles within it: (1) the organization demonstrates a commitment to integrity and ethical values; (2) the board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control; (3) management establishes—with board oversight—structures, reporting lines, and appropriate authorities and responsibilities in pursuit of objectives; (4) the organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives; (5) the organization holds individuals accountable for their internal control responsibilities in pursuit of these objectives.
As you can see from this initial list, all these principles can easily be mapped to the appropriate section of the U.S. Sentencing Guidelines, the U.K. Bribery Act’s six principles of adequate procedures for a compliance program, the OECD Good Practice Guidance on internal controls, and other similar pieces of guidance.
The recent FCPA enforcement actions involving Smith & Wesson, Layne Christensen and Bio-Rad all focused on the lack of, or failure of, internal control. Further, these were all SEC enforcement actions where the Justice Department either took a pass on bringing an enforcement action, issued a declination, or granted a non-prosecution agreement. All of these SEC enforcement actions were resolved through SEC administrative proceedings, where the companies involved neither admitted nor denied the allegations made against them. (Indeed, one commentator asked whether the SEC had even tried to meet the business nexus requirement under the FCPA itself in bringing these actions.)
Why do I believe COSO will be so important going forward? The original definition of an internal control remains unchanged in the 2013 framework. It states: “Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.” So the framework itself lays out the logic for its use in an anti-corruption compliance program based on the FCPA or the Bribery Act. It requires that objectives be articulated and measurable, and that risk and its assessment relate to those business objectives.
This means that as business objectives flow down through a company, the risk analysis should follow and relate back to those business objectives. Certainly this requires independent judgment, not only by the company employees designing and implementing such internal controls, but also by any internal auditors who might be assessing the company’s internal controls using the framework.
The framework can also offer a regulator or reviewing organization a checklist through which there can be an easier, yet more focused, review of a company’s internal controls. The first principle, for example, requires a company to demonstrate a commitment to ethical values. In COSO’s “points of focus” there are four actions that a company might take to demonstrate its commitment to ethical values. These include:
Setting the appropriate tone at the top;
Establishing a Code of Conduct;
Communications from management that it expects adherence to the standards as set out in the Code of Conduct; and
Timely addressing and remedying any deficiencies going forward.
An auditor might look at these four points, and if one is absent or ignored, that could lead to a determination that the control was not functioning.
For any company looking to institute appropriate FCPA internal controls, the COSO framework would be an excellent starting point. The 17 principles with their attendant points of focus lay out what a company needs to have in place. The COSO commentary also discusses how auditing standards should be matched up to evaluate internal controls. All this leads back to my mantra about the three most important things in FCPA compliance: document, document, and document. By using COSO to create a system and then measuring against it through auditing, a company can document the steps it has taken.
This is where the Roman god Janus enters the picture, because the SEC will see the same thing. Those regulators now have a roadmap for determining whether a company has a set of internal controls appropriate for FCPA compliance. The SEC may be able to do something as simple as requiring a company to present credible evidence for each one of the 17 COSO principles. Without proper documentation, and without having that documentation audited by an established auditing firm, a company may not have the evidence to prove that it meets its requirements under the FCPA.
Combine that type of analysis with the apparent absence of any requirement to plead a business nexus in the SEC enforcement actions against Smith & Wesson, Layne Christensen, and Bio-Rad, add the resolution of these cases through SEC administrative proceedings rather than a civil action filed in federal district court subject to judicial oversight, and I think this may be a harbinger of a brave new world in 2015 and beyond.