Time to Review and Revise Your Internal Controls (Part I of II)
Laws control the lesser man — right conduct controls the greater one – Mark Twain
A company’s internal controls define the backbone of its operations, encompassing financial, operational and compliance functions.
The FCPA defines requirements for publicly-traded companies to implement internal controls, including compliance controls. Under the internal controls requirements, issuers must devise and maintain a system of internal accounting controls sufficient to assure management’s control, authority, and responsibility over the firm’s assets. Internal controls include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.
While the core purpose of a company’s internal controls is to ensure that a company’s financial statements conform to generally accepted accounting principles, a company’s internal controls extend into compliance and operational functions. Given this broad purpose, companies have to answer these two importance questions:
Who is responsible for organizing and maintaining your company’s internal controls?
How does your company ensure that its internal controls adequately address financial, operational and compliance functions?
I will wager that anyone who answers this question will identify silos of responsibility – compliance designs its own controls, operations design its own controls and finance maintains a set of financial accounting and reporting controls. No one is responsible for coordinating these three categories of controls, or for ensuring adequate input from internal stakeholders. Moreover, most companies do not have a structure to coordinate the company’s internal controls and ensure consistency in the drafting, application and implementation of the internal controls across the organization.
As we have watched the Justice Department and the SEC push on the edges of enforcement of internal controls, companies have to respond to this serious risk.
Section 13b(5) of the Securities and Exchange Act provides:
No person shall circumvent or knowingly fail to implement a system of internal accounting controls or knowingly, falsify any book, record or account.
Criminal penalties for violation of internal controls differs depending on whether the violator is a company or an individual.
An individual who willfully and knowingly violates the internal controls provision is subject to 20 years imprisonment and a $5 million fine.
A publicly-traded company that knowingly violates the internal controls provision is subject to a $25 million fine.
The SEC knows it has a powerful enforcement weapon, and when necessary, they use it. In 2012, the SEC settled a case with Oracle for $2 million for violating internal controls by structuring transactions involving sales to the Indian government resulting in Oracle distributors holding $2.2 million. The funds were not reported in Oracle’s consolidated reports. The SEC found that the transactions created a risk that the money could be used for bribery.
In 2009, the SEC prosecuted Thomas Wurtzel who authorized multiple payments to an agent relating to a military aircraft depot project for the Egyptian air force. Wurtzel knew the agent had not gone through due diligence and there was no documentation of the services the agent provided. The SEC cited not evidence of any bribery payments paid to a foreign official. Wurtzel agreed to pay $35,000.
Last year, Halliburton paid $29.2 million to the SEC for failure to follow its internal controls with respect to a high-risk transaction. A senior officer paid $75k for circumventing specific controls related to the review of the high-risk transaction. The SEC cited no evidence of bribery.
The Justice Department’s FCPA prosecutors are fully aware that they have the ability to charge individuals and companies for criminal violations of the internal controls provision without any evidence of bribery, fraud or other crimes. To date, DOJ and the SEC have prosecuted civil and criminal internal controls violations while relating these violations to other law-breaking conduct. DOJ is ready and willing to bring a criminal case for circumvention in these unique circumstances – when there is no evidence of a related crime, including bribery, fraud or other criminal activity.