Yesterday the Securities and Exchange Commission (SEC) resolved a Foreign Corrupt Practices Act (FCPA) enforcement action involving Kinross Gold Corporation (Kinross). It was a civil matter and there was no evidence of bribery presented in the SEC Order but rather a violation of the FCPA’s accounting provisions; both in terms of the books and records and internal controls provisions. Although Kinross is headquartered in Canada, it was subject to SEC jurisdiction, pursuant to Section 12(b) of the Securities Exchange Act of 1934 and through its listing on the New York Stock Exchange. For its violations of the FCPA, Kinross agreed to pay a civil fine of $950,000.

The enforcement action presents some excellent lessons for every Chief Compliance Officer (CCO), compliance practitioner and compliance program on what constitutes effective internal controls, the role of internal audit in a best practices compliance program, the requirements of both pre-acquisition due diligence and post-integration in mergers and acquisitions (M&A) and what happens when senior management is not committed to doing business in compliance under the FCPA.

M&A Lessons

The trouble for Kinross started when it acquired two mines from Red Back Mining Inc. (Red Back) in 2010,  the Tasiast mine in Mauritania and the Chirano mine in Ghana. The Order noted, “In the few months prior to the purchase of the mines from Red Back, Kinross conducted due diligence on Red Back. As part of the process, Red Back acknowledged that it lacked an anti-corruption compliance program and associated internal accounting controls.” Unfortunately for Kinross, it did not integrate these business operations into its compliance program. Kinross did not move to “timely address the adequacy of the internal accounting controls” at the new business units nor did it make the necessary improvements to the inadequate internal controls.

Internal Controls Lessons

Fortunately, Kinross did have an internal audit group that accurately assessed the inadequate internal controls. In 2011, Kinross’ internal audit function determined that “the internal accounting controls surrounding vendor selection and disbursement for goods and services at Tasiast and Chirano were not adequate to meaningfully assess transactions for accuracy or compliance with the FCPA.” The disbursement systems could not identify such suspect payments “as excessive rebates and discounts, advance payments, government commissions and unjustified business expenses.” Further, there was a “lack of contract administration procedures prevented it from adequately reviewing the contracting and tendering processes.”

Internal audit went back to these mines in 2012 and found not only were the 2011 deficiencies not remediated but discovered several other internal controls failures including no delegation of authority under which disbursements were approved, no formal process for contract tendering and approval, sporadic use of the internal controls which were present and function and failure to maintain adequate documentation “for disbursements, including invoices, purchase orders, and/or good receipts. Internal audit found minimal evidence of a functioning bidding or tendering process.”

These findings laid out the types of internal controls the SEC expects in a FCPA compliance program. There must be some assurances that persons making disbursements have the authority to do so and there is documentation of said authority. There must also be a review and approval process for spending limits based on a fully functioning Delegation of Authority (DOA). Additionally, if you have the basic internal controls around spending and disbursements, you must actually use them.

Internal Audit Lessons

The company’s internal audit group was able to determine the internal controls deficiencies both in their initial audit and subsequent follow up audits. There was a determination that there were “known control weaknesses, payments were made for a period of years without reasonable assurances that the payments were for their stated purpose or with management’s approval.” The problem for internal audit was that there was no management will to actually remedy the failures to move towards a present and functioning effective set of internal controls. Moreover, even after management required their implementation, Kinross failed to maintain them. The bottom line is that if management does not take care to remedy controls deficiencies there is not much internal audit can do but report on the failures.

Senior Management Lessons

Finally, in 2013, management did require that some internal controls be instituted to remedy the deficiencies noted by internal audit. The problem for Kinross was that senior management turned around and failed to follow those same controls when it suited them to do so. The first instance arose in 2014 when the company was going to let a three-year, $50 million logistical contract to the low bidder with the best ability to fulfill the technical requirements. The business unit learned the Mauritanian government preferred another bidder who was not only a higher bidder but a “prominent and influential Mauritanian businessman with ties to the official.” Senior management over-rode the internal control requirements on the commercial aspects of the contract and the technical capabilities of the service provider to award the contract to the entity preferred by the government official.

A second senior management override occurred when another person “well-connected with high-level government officials” approached Kinross about representing the company. His proposed fee was far above the normal wage scale, so he was given a Consulting Agreement for which he as paid $750,000 in less than 12 months. He was hired with insufficient due diligence performed by the company’s third-party agent program.

At some point Kinross management finally did wake up and understand they were in FCPA hot water. There is nothing in the Order or SEC Press Release as to how the matter was brought to their attention. Eventually Kinross did understand they had to abide by the accounting provisions of the FCPA and remediate itself. The remediation efforts included:

• implementing a new ERP system to enable finance personnel to more effectively track and manage expenditures,
• replacing personnel at the Tasiast and Chirano mines and terminating suspect third-party consultants;
• increasing compliance personnel, updating relevant policies and procedures, and conducting compliance training;
• improving internal controls;
• bringing in a third-party consultant to assist it in evaluating its current controls for additional enhancements; and
• taken steps to improve training of its senior decision-makers, especially in the government-relations department, to recognize the corruption risks in hiring a consultant to work as a liaison.

In its Press Release, Tracy L. Price, Deputy Chief of the SEC Enforcement Division’s FCPA Unit, said, “Companies should take particular care to remediate known accounting controls issues when making acquisitions to mitigate the risk that company funds will be misused for unauthorized purposes.” This enforcement action provides a very good example that internal controls must be present and functioning.

[View source.]