By Thomas R. Fox, an attorney in Houston, Texas, Principal of Advanced Compliance Solutions, and the author of the FCPA Compliance and Ethics Blog.

A number of recent developments indicate that at least one federal agency with enforcement responsibility for the Foreign Corrupt Practices Act (FCPA) is moving towards strict liability application of the law.  While wide disagreement may exist as to whether such a standard is warranted under the FCPA, the implications of such enforcement are sufficiently significant that corporations’ Chief Compliance Officers and private compliance practitioners should be preparing to address it.

FCPA enforcement responsibility is shared between the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC).  DOJ is unlikely to pursue strict liability application of the FCPA because the law requires that prosecutors prove specific intent.  A confluence of events, enforcement actions, and senior officials’ FCPA-related statements, however, reflects that SEC is laying the groundwork for a no-intent standard for violations of civil internal control rules.  Under such a theory, companies whose internal compliance control regimes are investigated will have to demonstrate that they meet some minimum standard that satisfies the SEC.  If the SEC is not satisfied, it will file an administrative complaint alleging failure to maintain appropriate internal controls as required by the FCPA. In response to that complaint, companies will have the burden to prove that they have designed and implemented an effective system of internal compliance controls.

FCPA Internal Controls Rules. The FCPA’s internal controls rules require that companies devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that:

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.1

As the FCPA Guidance further explains, “the Act defines ‘reasonable assurances’ as ‘such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.’ The Act does not specify a particular set of controls that companies are required to implement. Rather, the internal controls provision gives companies the flexibility to develop and maintain a system of controls that is appropriate to their particular needs and circumstances.”2

Smith & Wesson Order.  SEC’s July 28, 2014 Cease-and-Desist Order filed against Smith & Wesson (S&W)3 provides one indication of the Commission’s movement toward strict liability FCPA enforcement.  Nothing in the reported settlement documents tied the alleged failure of S&W internal controls to the payment of (or offer to pay) a bribe or the obtaining of any benefit. The Order detailed SEC’s claims as follows: “Despite making it a high priority to grow sales in new and high risk markets overseas, the company failed to design and implement a system of internal controls or an appropriate FCPA compliance program reasonably designed to address the increased risks of its new business model.”4 S&W notably did not “admit or deny” any of the allegations made against it; the company simply consented to the entry of the Order.

SEC further stated in its Order, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.”5 Additionally, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization.”6

SEC reached these conclusions, however, without providing any evidence of bribes paid by S&W for the purpose of obtaining or retaining business—a strict liability standard without SEC labeling it as such.  The chief of SEC’s Enforcement Division’s FCPA Unit, Kara Brockmeyer, added an exclamation point to the Commission’s message in bringing this case, stating in SEC’s accompanying Press Release that “‘This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales. When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.’”7

Influential Internal Audit Framework.  The latest update of a private-sector organization’s audit framework document provides a second indicator that a strict liability standard for FCPA internal controls is emerging.  The Committee of Sponsoring Organizations of the Treadway Commission (COSO), formed by five U.S. accounting and auditing industry associations in 1987, issued an update to its influential Internal Control—Integrated Framework8 in May 2013.  The Framework, which had not been updated since 1992, formally took effect in December 2014.

In a June 2013 book9, COSO Chairman Emeritus Larry Rittenberg wrote that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.”10 Moreover, the updated 2013 Framework was based upon four general principles which include the following:

(1) the updated Framework should be conceptual, which allows for updating as internal controls (and compliance programs) evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls apply to more than simply accounting controls; they apply to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, the responsibility for the implementation of effective internal controls resides with everyone in the organization.11

The fourth point is especially important to corporate compliance executives and private compliance practitioners because it speaks directly to the need for those specialists to be involved in the design and implementation of internal controls for compliance, and not simply rely upon a company’s accounting, finance, or internal audit function to do so.

The updated COSO Framework also offers SEC a precise model it can follow when inquiring about companies’ internal compliance controls.  How many companies could present not only evidence of implementation of compliance internal controls along the lines of the updated Framework, but also evidence of their effectiveness?  Unfortunately, the answer is not many.

Sarbanes-Oxley Act § 404.  Section 404 of the Sarbanes-Oxley Act (SOX)12 requires public companies to report to SEC on the adequacy of the company’s internal control on financial reporting.  The report must affirm management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting.  It must also contain an assessment, as of the end of the company’s most recent fiscal year, of the effectiveness of its internal control structure and procedures for financial reporting.  External auditors must also assess and make such a report.  When preparing reports under SOX § 404, most companies, and their external auditors, have traditionally utilized the COSO Framework.

One can imagine the following situation arising from such SOX § 404 compliance:  A company’s external auditors issue their compliance report, and the company in turn makes that report public.  SEC reviews the report and concludes that the company’s internal compliance controls regarding bribery and corruption are insufficient under the FCPA.  The Commission then requests evidence of the company’s development and implementation of internal controls, and also asks for its audited evidence of effectiveness.  The company responds in due course.  It then receives another letter from SEC, which pronounces that the company has not proven to the Commission’s satisfaction that the internal controls are effective.  The letter includes a proposed FCPA Administrative Order with a substantial suggested monetary fine.  The company protests in response that SEC’s proposed Order contains no allegations of bribery or corruption regarding the Commission’s claimed flaws in the internal compliance controls.  Ignoring the protest, SEC indicates its intent to proceed with its charges, “inviting” the company to contest the proposed Order in the SEC administrative process.

