I have intentionally avoided a Top Five or Top Ten prediction list for Foreign Corrupt Practices Act (FCPA) enforcement going forward from 2014 into 2015. However there is one area of FCPA enforcement, which I think underwent a sea change in 2014 and has significant implications for the Chief Compliance Officer (CCO) and compliance practitioner in 2015 and far beyond. That change will be in the enforcement by the Securities and Exchange Commission (SEC) of the internal controls provisions of the FCPA. Last fall we saw three SEC enforcement actions, where there was no corresponding Department of Justice (DOJ) enforcement action yet there was a SEC enforcement action around either the lack or failure of internal controls. Those enforcement actions were Smith & Wesson, Layne Christensen and Bio-Rad.

Coupled with this new found robust enforcement strategy by the SEC, is the implementation of the COSO 2013 Framework, which became effective in December 2014. COSO stands for Committee of Sponsoring Organizations of the Treadway Commission, which originally adopted, in 1992, a framework for basis to design and then test the effectiveness of internal controls. It was deemed necessary to update this more than 20-year old COSO Framework, as modified in 2013, so that it provides a very supportable approach when adversarial third parties challenge whether a company has effective internal controls. While the COSO Framework is designed for financial controls, I believe that the SEC will use the 2013 Framework to review a company’s internal controls around compliance. This means that you need to understand what is required under the 2013 Framework and be able to show adherence to it or justify an exception if you receive a letter from the SEC asking for evidence of your company’s compliance with the internal controls provisions of the FCPA.

Because I believe this single area of FCPA enforcement is so important and will increase so much, I am going to dedicate several posts to an exploration of internal controls, focusing on the COSO 2013 Framework. In Part I, I begin with a review of internal controls under the FCPA.

What are internal controls?

What are internal controls in a FCPA compliance program? The starting point is the law itself. The FCPA itself requires the following:

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any

differences ….

The DOJ and SEC, in their jointly released FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”

Aaron Murphy, a partner at Foley and Lardner in San Francisco and the author the most excellent resource entitled “Foreign Corrupt Practices Act”, has said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Well-know internal controls expert Henry Mixon has said that internal controls are systematic measures such as reviews, checks and balances, methods and procedures instituted by an organization that performs several different functions. These functions include allowing a company to conduct its business in an orderly and efficient manner; to safeguard its assets and resources, to detect and deter errors, fraud, and theft; to assist an organization ensuring the accuracy and completeness of its accounting data; to enable a business to produce reliable and timely financial and management information; and to help an entity to ensure there is adherence to its policies and plans by its employees, applicable third parties and others. Mixon adds that internal controls are entity wide; that is, they are not just limited to the accountants and auditors. Mixon also notes that for compliance purposes, controls are those measures specifically to provide reasonable assurance any assets or resources of a company cannot be used to pay a bribe. This definition includes diversion of company assets, such as by unauthorized sales discounts or receivables write-offs as well as the distribution of assets.

The FCPA Guidance goes further to specify that internal controls are a “critical component” of a best practices anti-corruption compliance program. This is because the design of an entity’s “internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption. A company’s compliance program should be tailored to these differences.” After a company analyzes its own risk, through a risk assessment, it should design its most robust internal controls around its highest risk.

COSO and Internal Controls

Larry Rittenberg, in his book COSO Internal Control-Integrated Framework said that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles which including the following: (1) the updated Framework should be conceptual which allows for updating as internal controls (and compliance programs) evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls applies to more than simply accounting controls, it applies to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.” For the compliance practitioner, this final statement is of significant importance because it directly speaks to the need for the compliance practitioner to be involved in the design and implementation of internal controls for compliance and not to simply rely upon a company’s accounting, finance or internal audit function to do so.

So why will all of the above be a sea change for FCPA enforcement since after all, the requirement for internal controls has been around since 1977. The Smith & Wesson case shows the reason. In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Additionally, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization.” All of this was laid out in the face of no evidence of the payment of bribes by Smith & Wesson to obtain or retain business. This means it was as close to strict liability as it can be without using those words. Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, was quoted in a SEC Press Release on the matter that “This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales.” When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.”

In Part II we will begin our exploration of the COSO 2013 Framework and what it requires in the way of internal controls for your FCPA compliance program.