Internal Controls Enforcement: Hoisting Yourself on Your Own Petard
William Shakespeare’s Hamlet included this often-used phrase – hoist with his own petard (a small bomb). Shakespeare never knew that his eloquence would apply to today’s SEC enforcement of internal controls.
The FCPA requires companies to make and keep accurate books and records and to devise and maintain an adequate system of internal accounting controls. The FCPA also prohibits individuals and businesses from knowingly falsifying books and records or circumventing or failing to implement a system of internal controls.
Importantly, the accounting provisions are not just limited to bribery-related violations. Rather, the accounting provisions ensure that all public companies account for their assets and liabilities accurately and in reasonable detail. These provisions are the fundamental requirement enforced by DOJ for criminal accounting fraud, and by the SEC for civil accounting fraud.
Sarbanes-Oxley, which was promulgated in response to accounting scandals involving major U.S. companies, strengthened these requirements. Section 302 of Sarbanes-Oxley requires a company’s “principal officers” (CEO and CFO) to certify to the integrity of the company’s financial reports on a quarterly basis. Section 404 of Sarbanes-Oxley strengthened the requirements that a company disclose any deficiencies in its internal controls over financial reporting.
In tandem, the FCPA and Sarbanes-Oxley set out a comprehensive regime requiring companies to implement internal controls, to disclose any deficiencies in such controls, and to prevent any circumvention of such controls.
DOJ and, in particular, the SEC, have been aggressive in enforcing compliance with a company’s internal controls. When you take a step back and look at this regulatory and enforcement regime, there are certainly some interesting issues to address.
On the one hand, a company has an incentive to adopt and implement effective internal controls. When doing so, the company pays little to no attention to enforcement risks – criminal or civil – for failing to adhere to such controls.
Another way of looking at this, at least from my prosecutorial vantage, is that the laws set up a situation in which companies are adopting internal controls that operate and are enforced like criminal and civil statutes. In effect, a company is creating its own set of laws that the government can then use against the company to extract criminal and civil penalties – hence the relevance of Shakespeare’s comment – being hoisted on one’s own petard.
Companies never contemplate this risk when designing and implementing internal controls. It should be a factor – detailed internal controls create greater enforcement risks. Failure to follow a particular control that has little benefit may in fact open up companies and individuals to aggressive internal controls enforcement.
As the business community adjusts to an aggressive enforcement environment, such risks are no longer remote but have to be balanced against potential benefits of internal controls. Companies are under constant scrutiny to design and implement robust and targeted internal controls. To the extent the particular control addresses a risk, the company has to weigh the potential benefit from mitigating an accounting risk, as well as the potential risk of civil, or even criminal, prosecution for circumvention of controls.