The SEC knows that it has broad enforcement authority.  In the FCPA arena, the SEC has civil authority over bribes, but more importantly, enforcement authority over books and records and internal controls.  It is this latter concept – “internal controls” which can be stretched and used against companies and individuals in some pretty bizarre ways.

Relying on the authority of an internal controls investigation, the SEC is free to roam around every part of a company’s operations to determine if the so-called controls are effective.  This can be a license to keep a company under investigation for years.

The term “internal controls” defines all of the internal processes, checks and balances that a company uses to ensure that it meets its goals.  Most important in this area is the ability of internal controls over financial reporting as reflected in Sarbanes-Oxley.

In the FCPA context, internal controls are used to define processes and procedures to protect against the improper use of money for bribery purposes.  The SEC’s reliance on this topic is being used to expand the inquiry to include compliance with laws, regulations and policies.

The FCPA Guidance noted that internal controls “include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g. approvals, authorizations, reconciliations, and segregation of duties) information and communication; and monitoring.”   All of these terms are applied to ensure that companies “devise and maintain a system of internal controls sufficient to provide reasonable assurances that management’s control, authority and responsibility over the firm’s assets.  The bottom line is that “internal controls” covers a lot of territory and are apply to everything that controls risks to an organization.

In the SEC’s view, an “effective” compliance program is a critical part of its internal controls.  The SEC considers effective controls as a key backstop to prevent FCPA violations, as well as other illegal or unethical conduct, such as financial fraud, commercial bribery, export controls violations, and embezzlement or self-dealing by company employees.

All of this sounds good on paper – who can argue against these concepts?  The problem is how do you enforce these requirements?

The SEC is relying on this broad legal coverage to investigate issues beyond bribery and into new and more amorphous concepts.  In the end, companies have little notice as to what exactly is being investigated and why.  The term “internal controls” can be used to investigate just about anything which occurs in the company.

The danger of this practice was demonstrated in the Oracle case, which was settled on August 16, 2012.  Oracle agreed to pay a $2 million penalty for violation of the books and records and internal controls requirements by its subsidiary in India.  Oracle’s subsidiary structured transactions with India’s government relating to a contract that enabled the subsidiary to retain about $2 million in “side” funds, meaning unaccounted funds.  This money was eventually used to pay phony vendors in India.  The transactions were documented with fake invoices.   I concede the facts sound bad, but remember there was no proof of a bribe being paid to any Indian government official.

The Oracle case now gives the SEC self-created rationale for digging even deeper into a company’s operations to verify the accuracy of its books and records.  If carried to its logical extreme, the SEC is fast becoming a forensic auditor examining all of a company’s financial operations and surrounding controls.  It is an investigation without limits.

The SEC needs to re-examine this practice and consider what resources should be used and allocated to investigate companies.

No one can argue against accurate books and records.  Companies struggle every day to maintain accurate books and records, with the assistance and guidance from outside auditors.  There is always room for improvement but the question is whether the government should use this weakness as a license to conduct unending investigations of a company’s “internal controls.”