Internal Controls Enforcement (Part I of IV)
I was recently inspired by Tom Fox’s excellent writings on the COSO 2013 framework, and his examination of internal controls issues – see here, here, and here. Today, I begin my own series on internal controls but from a slightly different perspective.
The Justice Department and the SEC are evolving FCPA enforcement strategies and theories. The SEC’s evolution is not so significant but its realization of its enforcement power and authority is becoming more aggressive. The Justice Department’s approach to FCPA enforcement is undergoing comparable changes.
As I begin this series, I have to acknowledge the influence of one of my mentor’s, Judge Stanley Sporkin, the (grand)father of the FCPA and the SEC Enforcement Director, who played such a critical role in the creation of the FCPA. If you have heard Judge Sporkin speak on this topic, you will know exactly what I am talking about.
Judge Sporkin was the original actor in pushing for the FCPA. He was watching the Watergate hearings and listening to how public companies were using cash slush funds to pay bribes all around the world to foreign governments. He asked himself a very simple question – How did public companies account for these funds? How were they recorded on the company books?
Judge Sporkin eventually pushed the FCPA idea but focused on one of two existing enforcement provisions – a requirement that companies keep accurate books and records. He was not in favor of an anti-bribery provision because he thought violations would be difficult to prove. Nonetheless, Senator Proxmire of Wisconsin with whom he was consulting decided to include both provisions, and the two-pronged FCPA – anti-bribery and accounting provisions – was born. The rest is history.
The accounting provisions of the FCPA apply only to public companies. They consist of two important provisions.
First, the books and records provision requires public companies to maintain books, records and accounts that, in reasonable detail, accurately and fairly reflect an issuer’s transactions and dispositions of assets.
Second, under the internal controls provision, public companies must maintain internal controls to ensure transparency in the financial condition of the company, the relevant risks to the company and the transactions conducted by the company.
The accounting provisions were originally enacted as part of the FCPA but they apply not only to FCPA violations but are generally aimed at ensuring that pubic companies account for all their assets and liabilities and in reasonable detail. The SEC relies on these same provisions when charging companies with accounting fraud or failure to disclose cases.
At the heart of Judge Sporkin’s thinking was the idea that public companies would avoid falsely recording bribery payments in their books and records. Judge Sporkin understood that a books and records requirement would prevent companies from maintaining off-the-books slush funds and payments of bribes.
Judge Sporkin was well ahead of his time — he knew that bribes were being mischaracterized under the guise of legitimate payments and that a requirement of accuracy would help to ensure that companies implemented appropriate controls to prevent such inaccurate reporting. Just as a bribe can be for a small amount, so can an inaccurate recording of an expense – there is no materiality requirement.
Internal controls are designed and implemented by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. Internal controls consist of five important components:
- The tone set by the organization regarding integrity and ethics;
- Risk assessments;
- Control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties);
- Information and communication; and
- Monitoring
The law does not specify a particular set of controls that companies are required to implement. Rather, companies have flexibility to implement controls that are appropriate to their particular circumstances.
An effective compliance program is a critical component of a company’s internal controls. This is a critical concept to understand. In the absence of an effective compliance program, a company does not have adequate internal controls. This applies directly to anti-corruption compliance programs.
A company has to account for its operational realities and risks surrounding its business, including: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption. A company’s anti-corruption compliance program should be tailored to these differences.