Top Menu

In The Words of Stanley Sporkin

Stanley Sporkin, as Director of the SEC’s Division of Enforcement in the mid-1970’s, played a key role in addressing the foreign corporate payments issues being investigated by Congress and in shaping what would become the FCPA’s books and records and internal control provisions.  Calling Sporkin the “Father of the FCPA” (as many have) is, in all due respect, a bit of an overstatement as Sporkin’s SEC was not in favor of what would become the FCPA’s anti-bribery provisions and wanted no part in enforcing those provisions.  Nevertheless, Sporkin was a key participant, and has remained a key player, on FCPA issues throughout his storied career.

Sporkin has been talking about FCPA reform for years – long before the U.S. Chamber released its FCPA reform proposals in October 2010.

Thanks to a reader, we can all read some of Sporkin’s early FCPA reform speeches.

In a 2004 speech (here), Sporkin spoke of the SEC stumbling upon the foreign payments issue in connection with its Watergate-related investigations.  The FCPA was not a singular outgrowth of Watergate –  Congress was already actively investigating allegations of overseas bribery and corruption separate and apart from the Watergate scandal – yet Watergate is nevertheless relevant to the FCPA’s origins.  In his speech, Sporkin also talks about the relationship between the FCPA and Sarbanes-Oxley Section 404 (a hot-button issue in 2004 when Sporkin delivered the speech).  As to “Next Steps,” Sporkin stated as follows.  “[W]e need more than Congress passing new statute, and the SEC requiring strict compliance with existing legislation.  We need a comprehensive assault on the problem.  This means we need the assistance of our government and indeed all the countries of the world along with the world business community, to provide a climate which enables our corporations to compete honestly and fairly throughout the world.  There is a way to fix this problem if there is a will to do so.”  Among other things, Sporkin proposed – no doubt in recognition that most FCPA issues arise from use of foreign agents –  the “establishment of a country-by-country list of agents that have been properly vetted and have agreed to be examined and audited by an independent international auditing group.”

In 2006, Sporkin returned to the podium (see here) as the FCPA neared its 30th year.  He stated as follows.  “What I envisioned when the law was enacted was a new corporate regime where bribery of foreign officials would be almost completely extinguished at least as it pertained to major U.S. corporations.  As all of us here have observed, the wild-eyed-do-gooder predictions never occurred.  Instead statistics indicate that bribery of foreign officials has maintained a steady pace over the years.”  [Counterpoint – perhaps bribery of foreign officials, as envisioned by Congress and indeed Sporkin’s SEC, has largely been extinguished, but the issue (in 2006 and still today) is that the goalposts have been moved … and not by Congress].

In his 2006 speech, Sporkin did not advocate the FCPA’s repeal, but he did “think the Department of Justice and the SEC can do something forward-looking which would be win-win for both the government and the private sector.”  He called it the “FCPA Immunization-Inoculation Program.”  Sporkin stated that the “quasi-amnesty program” would consist of the following:  (i) “agreement by participating firms to conduct a full and complete review [conducted jointly by a major accounting firm or specialized forensic accounting firm and a law firm]  of the company’s compliance with the FCPA for the previous 3 years; (ii) the company would agree “to disclose the results of the legal-accounting audit to the SEC, its investors, and the public; (iii) “if any violations turned up in the process of the audit, the participating [company] would agree to take all steps to eliminate the problems and implement the appropriate controls to prevent further violations; (iv) participating companies “would agree to subject themselves to a similar audit on an annual basis for at least 5 years to ensure that compliance was being maintained; (v) participating companies “would be required to create the position of FCPA compliance officer, whose sole responsibility would be to ensure the company’s compliance with the FCPA” and make an annual certification; and (vi) “in exchange … the SEC and DOJ would give qualified assurances that no actions would be brought for violations exposed by the review.”  As envisioned by Sporkin, the “limited amnesty would not apply if violations rose to flagrant or egregious level.”

According to Sporkin, the “immunization-inoculation program would serve the dual purpose of: (1) creating suitable incentives to compliance-minded companies to adopt and maintain high ethical standards in the conduct of their business; and (2) reducing the case load and investigative burden of governmental agencies that enforce the FCPA while reassuring regulators that companies are taking active steps to limit corruption in their foreign contracting and other activities.”  Sporkin conceded that “some adjustments may be necessary” but he believed that his proposal “would provide the right-thinking corporate community with the necessary assurances that it needs to develop a vibrant overseas business without having to defend itself against very costly and time consuming investigations.”

At the November 2010 Senate FCPA hearing, FCPA practitioner Michael Volkov (here) resurrected Sporkin’s proposal – see here for Volkov’s prepared statement.  [By the way, for those of you looking for the complete transcript of that hearing, along with the prepared statements, and post-hearing Q&A’s – see here].

While Sporkin’s FCPA reform proposals are, in certain ways, different from many of the proposed FCPA amendments being discussed at the moment, the point of this post – other than to highlight Sporkin’s reform proposals, is to demonstrate that the screams of some – that FCPA reform is solely a Chamber issue or somehow akin to waving the white flag of surrender to corporate bribery – are off-base.

What various FCPA reform proposals through the years have in common is experienced and knowledgeable individuals (including many former DOJ and SEC enforcement attorneys who helped shape the FCPA and FCPA enforcement) sharing a belief that the current ad hoc, inconsistent, arbitrary, and largely opaque enforcement only climate is in need of reform.

A Focus On The SEC

From an FCPA reform perspective, most of the recent scrutiny has been on the DOJ and its enforcement policies and positions.

Yet, the FCPA is also enforced by the SEC.

As a civil enforcement agency only, the SEC’s stick is less sharp the DOJ’s. Nevertheless, the SEC’s FCPA enforcement positions on issues such as “foreign official” and “obtain or retain business” are seemingly identical to the DOJ’s.

Moreover, certain of the SEC’s enforcement theories as to the FCPA’s books and records and internal control provisions are subject to controversy. As I highlighted in “The Facade of FCPA Enforcement” (here at pgs. 976-984), with increasing frequency, the SEC has charged FCPA books and records and internal control violations based on untested and dubious legal theories, as well as theories seemingly in direct conflict with the FCPA’s statutory provisions.

For instance, the SEC routinely charges parent companies with FCPA books and records and internal control violations based solely on the conduct of indirect subsidiaries or affiliates in the absence of any allegation that the parent company participated in, or had knowledge of, the conduct at issue – even though the FCPA specifically states that issuers that demonstrate good faith efforts to cause indirect subsidiaries and affiliates to devise and maintain effective internal controls “shall be conclusively presumed to have complied with” the FCPA’s applicable requirements.

The SEC’s FCPA enforcement theories and policies are now being questioned. See here for the June 30th letter from Senator Mike Crapo (R-ID) to SEC Chairman Mary Schapiro.

The letter begins with Senator Crapo stating that “Congress and the agencies that enforce the FCPA must work together to ensure that the statute’s goals are being met without perverting the risk and reward calculus U.S. firms face when considering overseas business opportunities that would support domestic job growth.”

In the letter, Senator Crapo says he is “concerned by the recent Congressional testimony about the increased compliance costs for businesses operating in good faith to abide by the FCPA’s strictures and the deterrence of U.S. firms’ entry into, or expansion of, overseas operations.”

Senator Crapo then asks Chairman Schapiro for answers to the following questions.

1. Should the FCPA be amended to provide an affirmative defense, which may be raised where violations resulted from the conduct of individual employees or agents who circumvented compliance measures that were reasonably designed to identify and prevent such violations?

2. Does the Commission believe that regulations or guidance explaning factors it considers when determining whether an entity’s officers or employees are “foreign officials” would be helpful to U.S. firms? Would the Commission support legislation that more clearly defines the term “foreign official” under the FCPA?

3. What are the mechanisms by which the Commission could or does provide guidance on FCPA related matters?

4. Is it the Commission’s policy to hold firms strictly liable for foreign subsidiaries’ actions in violation of the FCPA?

5. Under what circumstances, if any, is it appropriate for both the Commission and the Department to seek the recovery of penalties from the same entity for the same conduct?

Prior to responding to Senator Crapo’s letter, Chairman Schapiro and others at the SEC’s FCPA Unit would be well served by reviewing a 1981 speech by then Chairman of the SEC – Harold Williams – on the FCPA’s books and records and internal control provisions.

To best understand (and place in context) current SEC FCPA enforcement positions and policies, it is useful to understand past SEC FCPA enforcement positions and policies. Statements made by the SEC Chairman in 1981 bear little resemblence to the SEC’s current enforcement of the FCPA’s books and records and internal control provisions.

*****

The year was 1981, the event was the American Institute of Certified Public Accountants, and the speaker was Harold Williams, the Chairman of the SEC. Williams focused his remarks (here) “solely to one major auditing development of recent years: the accounting provisions of the Foreign Corrupt Practices Act of 1977.”

Williams began has remarks as follows. “When viewed from an abstract perspective, the Act’s accounting provisions seem merely to codify a basic and uncontroversial management principle: no enterprise of any size can operate successfully without maintaining effective controls over its transactions and the disposition of its assets. Perhaps in part because these provisions were considered truisms, the Act was passed without Congressional dissent. However, practical experience with new legislation – even a law thought to be noncontroversial – often will reveal unanticipated problems. Newly enacted standards, for example, may be subject to differing constructions or raise compliance difficulties and ambiguities unforeseen by their draftsmen. And, until these problems are resolved by an agency, the courts or the Congress, those who are subject to these laws are often faced, unfortunately, with some disquieting circumstances. The anxieties created by the Foreign Corrupt Practices Act – among men and women of utmost good faith – have been, in my experience without equal.”

Williams noted that “such uncertainty can have a debilitating effect on the activities of those who seek to comply with the law. My sense is that, as a consequence, many businesses have been very cautious – sometimes overly so – in assuring at least technical compliance with the Act. And, therefore, business resources may have been diverted from more productive uses to overly-burdensome compliance systems which extend beyond the requirements of sound management or the policies embodied in the Act. The public, of course, is not well served by such reactions.”

Unlike many SEC speeches that contain the usual – this is only my personal opinion disclaimer – Williams specifically noted that he “conferred” with his “colleagues before presenting these remarks, and they have authorized me to advise you that these remarks constitute a statement of the Commission’s policy.”

As to the FCPA’s books and records provisions, Williams stated as follows. “This provision is intimately related to the requirement for a system of internal accounting controls, and we believe that records which are not relevant to accomplishing the objectives specified in the statute for the system of internal controls are not within the purview of the recordkeeping provision. […] nor could a company be enjoined for a falsification of which its management, broadly defined, was not aware and reasonably should not have known.”

As to the FCPA’s internal control provisions, Williams stated as follows. “The Act does not mandate any particular kind of internal controls system. The test is whether a system, taken as a whole, reasonably meets the statute’s specified objectives. ‘Reasonableness,’ a familiar legal concept, depends on an evaluation of all the facts and circumstances.”

Under the heading “deference” Williams stated as follows. “Private sector decisions implementing these statutory objectives are business decisions. And, reasonable business decisions should be afforded deference. This means that the issuer need not always select the best or the most effective control measure. However, the one selected must be reasonable under all the circumstances.”

Under the heading “state of mind” Williams stated as follows. “The accounting provisions principal objective is to reaching knowing or reckless conduct.”

As to the “purposes of the Act,” Williams provided a brief review of the “events which led to the [FCPA].” He stated as follows. “Clearly, Congress went further than determining whether the payments which gave the new law its name were ethically and commercially justifiable. It also chose to consider the corporate accounting and control deficiencies which had been breeding grounds for these practices. And, by doing so, it addressed the far more serious issues raised by these disclosures. […] These payments and falsifications were not only previously unknown to public investors and independent auditors, but many were also unknown to the payor’s board and, in numerous examples, even to its senior management. In some of these instances, internal controls existed, but they were shown to be ineffective or easily subverted. Unauthorized payments and related falsifications of corporate records seemed to evidence – indeed, were fostered by – a lack of adequate accounting records and controls. Consequently, in the legislation which ultimately emerged from Congress, prohibiting questionable payments and mandating control and recordkeeping were inexorably interconnected.”

Williams stated as follows. “The primary thrust of the Act’s accounting provisions, in short, was to require those public companies which lacked effective internal controls or tolerated unreliable recordkeeping to comply with the standards of their better managed peers. That is the context in which these provisions should be construed.”

Williams then addressed “four of the most important” interpretative questions concerning the then-young FCPA: “first, the degree of exactitude in recordkeeping mandated by the Act; second, the deference it affords business decisions concerning internal controls; third, whether a particular state of mind is necessary for a violation to exist; and finally, liability for compliance by subsidiaries.”

As to the “degree of exactitude” Williams stated as follows. “I turn first to the question of whether the Act’s text or purpose mandates that business records and controls conform to a standard of absolute exactitude or that a company’s control system meet some absolute ideal. The answer is ‘no.’ Both of the Act’s accounting provisions, it should be noted are modified by the key term ‘reasonable.’ […] In essence, therefore, the Act does provide a de minimus exemption, though not in absolute quantitative terms.”

Williams noted that Congress specifically declined to adopt a materiality test and stated that “internal accounting controls are not only concerned with misconduct that is material to investors, but also with a great deal of misconduct which is not.” He noted that while materiality is “appropriate as a threshold standard to determine the necessity for disclosure to investors, [it] is totally inadequate as a standard for an internal control system.”

Williams stated that “procedures designed only to uncover deficiencies in amounts material for financial statement purposes would be useless for internal control purposes” and noted that “systems which tolerated omissions or errors of many thousands or even millions of dollars would not represent, by any accepted standard, adequate records and controls.” Indeed, Williams noted that many of the “questionable payments that alarmed the public and caused Congress to act” […] were in most instance of far lesser magnitude than that which would constitute financial statement materiality.”

“Reasonableness, rather than materiality, is the appropriate test,” Williams stated. He noted as follows. “Reasonableness, as a standard, allows flexibility in responding to particular facts and circumstances. Inherent in this concept is a toleration of deviations from the absolute. One measure of the reasonableness of a system relates to whether the expected benefits from improving it would be significantly greater than the anticipated costs of doing so. Thousands of dollars ordinarily should not be spent conserving hundreds. Further, not every procedure which may be individually cost-justifiable need be implemented; the Act allows a range of reasonable judgments.”

As to the “specific recordkeeping requirement” in the FCPA, Williams stated as follows. “… [T]his provision is not an independent unrestrained mandate to the Commission to establish novel or unprecedented corporate recordkeeping standards; it is, rather, an integral part of Congress’ efforts to assure that the business community records transactions and assets in such a way as to maintain adequate control over them. And this leads to two important conclusions: First, the Act does not establish any absolute standard of exactitude for corporate records. And, second, records which are not related to internal or external audits or to the four internal control objectives set forth in the Act are not within the purview of the Act’s accounting provisions.”

As to “deference” with respect to “issuer liability for recordkeeping violations” Williams stated that the SEC “will look to the adequacy of the internal control system of the issuer, the involvement of top management in the violation, and the corrective actions taken once the violation was uncovered.”

In a sign of just how much FCPA enforcement has changed, Williams then stated as follows. “If a violation was committed by a low level employee, without the knowledge of top management, with an adequate system of internal control, and with appropriate corrective action taken by the issuer, we do not believe that any action against the company would be called for.”

Williams next turned to the “state of mind needed to violate the Act’s accounting provisions.” He reiterated that the “Act’s principal purpose is to reach knowing or reckless misconduct.”

In another sign of just how much FCPA enforcement has changed, William stated as follows. “… [D]epending on the circumstances, intentional circumventions of a company’s system of records and of accounting controls by a low-level employee would not always be considered violations of the Act by the issuer. No system of adequate records and controls – no matter how effectively devised or conscientiously applied – could be expected to prevent all mistaken and improper transactions and disposition of assets. Given human nature, regardless of the adequacy of the system, a bookkeeper may still erroneously post entries, an overzealous agent may make unauthorized payments, or an unscrupulous employee may falsify records for his own purposes. The Act recognizes each of these limitations. Neither its text and legislative history nor its purposes suggest that occasional, inadvertent errors were the kind of problem that Congress sought to remedy in passing the Act. No rational federal interest in punishing insignificant mistakes has been articulated. And, the Act’s accounting provisions do not require a company or its senior officials to be the guarantors of all conduct of company employees.”

In concluding this portion of his speech, Williams stated as follows. “The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company. But, an adequate system of internal controls means that, when such breaches do arise, they will be isolated rather than systemic, and they will be subject to a reasonable likelihood of being uncovered in a timely manner and then remedied promptly. Barring, of course, the participation or complicity of senior company officials in the deed, when discovery and correction expeditiously follow, no failing in the company’s internal accounting system would have existed. To the contrary, routine discovery and correction would evidence its effectiveness.”

As to subsidiaries, Williams stated as follows. “Where the issuer controls more than 50 percent of the voting securities of the subsidiary, compliance is expected. So, too, would it be expected if there is between 20 percent and 50 percent ownership, subject to some demonstration by the issuer that this does not amount to control. If there is less than 20 percent ownership, we will shoulder the burden to affirmatively demonstrate control.”

As to the SEC’s enforcement policy, Williams concluded his remarks as follows. “The genius – and challenge – of [the FCPA’s accounting provisions] , it should be remembered, is their reliance on private sector decisionmaking – rather than specific federal edicts – to address an area of public concern. The Act’s eventual success or failure will, therefore, depend primarily upon business’s response. The Commission’s obligation, in turn, is to provide a regulatory environment in which the private sector can address these issues meaningfully and creatively. In this regard, we must encourage public companies to develop innovative records and control systems, to modify and improve them as circumstances change, and to correct recordkeeping errors when they occur without a chilling fear of penalty or inference that a violation of the Act is involved.”

Smith & Wesson’s Recent Disclosures

In January, Amaro Goncalves was one of the individuals indicted in the Africa Sting case.

Goncalves is described in the indictment as “the Vice President of Sales for Company A, a United States company headquartered in Springfield, Massachusetts. Company A was a world-wide leader in the design and manufacture of firearms, firearm safety/security products, rifles, firearms systems, and accessories. The shares of Company A were publicly traded on the NASDAQ stock exchange.”

Company A is Smith & Wesson, a fact quickly acknowledged by the company in this press release.

I noted in January:

“At present, this case only involves individuals.

However, as indicated by Assistant Attorney General Breuer in yesterday’s DOJ release (here) the investigation is “ongoing” and you can bet that many of the companies which employ these individuals are “lawyering up” as past FCPA enforcement actions demonstrate that corporate enforcement actions or investigations often, but not always, precede or follow individual enforcement actions.”

Indeed, the companies indirectly implicated in the Africa Sting by their employees alleged conduct did “lawyer up.”

Because Smith & Wesson is a public company, the public is provided a better glimpse of how the Africa Sting case is affecting this company compared to the many other companies indirectly implicated – many of which are small, private businesses.

On June 30th, Smith & Wesson reported its Fourth Quarter and Full Year 2010 Financial Results Ended April 30, 2010 (see here). The company release contains this paragraph:

“Operating expenses of $89.1 million, or 21.9% of sales, for fiscal 2010 decreased versus operating expenses of $170.5 million, or 50.9% of sales, for fiscal 2009. Excluding the impact of the impairment charge recorded in the second quarter of fiscal 2009 and $9.7 million of operating expense at USR not contained in prior year results, operating expenses increased $7.1 million for the current fiscal year. This increase included $3.2 million in legal and consulting fees related to allegations against one of our employees under the Foreign Corrupt Practices Act (FCPA).”

If nothing more, Amaro Goncalves is probably not on the short-list for employee of the month because of his alleged conduct.

Yesterday, Smith & Wesson filed its annual report (see here). The report contained the following:

Foreign Corrupt Practices Act (FCPA)

On January 19, 2010, the U.S. Department of Justice (“DOJ”) unsealed indictments of 22 individuals from the law enforcement and military equipment industries, one of whom was our Vice President−Sales, International & U.S. Law Enforcement. We were not charged in the indictment. We also were served with a Grand Jury subpoena for the production of documents. We have always taken, and continue to take seriously, our obligation as an industry leader to foster a responsible and ethical culture, which includes adherence to laws and industry regulations in the United States and abroad. Although we are cooperating fully with the DOJ in this matter and have undertaken a comprehensive review of company policies and procedures, the DOJ may determine that we have violated FCPA laws. We cannot predict when this investigation will be completed or its outcome. There could be additional indictments of our company, our officers, or our employees. If the DOJ determines that we violated FCPA laws, or if our employee is convicted of FCPA violations, we may face sanctions, including significant civil and criminal penalties. In addition, we could be prevented from bidding on domestic military and government contracts, and could risk debarment by the U.S. Department of State. We also face increased legal expenses and could see an increase in the cost of doing international business. We could also see private civil litigation arising as a result of the outcome of the investigation. In addition, responding to the investigation may divert the time and attention of our management from normal business operations. Regardless of the outcome of the investigation, the publicity surrounding the investigation and the potential risks associated with the investigation could negatively impact the perception of our company by investors, customers, and others.

SEC Investigation

Subsequent to the end of fiscal 2010, we received a letter from the staff of the SEC giving notice that the SEC is conducting a non−public, fact−finding inquiry to determine whether there have been any violations of the federal securities laws. It appears this civil inquiry was triggered in part by the DOJ investigation into potential FCPA violations. We have always taken, and continue to take seriously, our obligation as an industry leader to foster a responsible and ethical culture, which includes adherence to laws and industry regulations in the United States and abroad. Although we are cooperating fully with the SEC in this matter, the SEC may determine that we have violated federal securities laws. We cannot predict when this inquiry will be completed or its outcome. If the SEC determines that we have violated federal securities laws, we may face injunctive relief, disgorgement of ill−gotten gains, and sanctions, including fines and penalties, or may be forced to take corrective actions that could increase our costs or otherwise adversely affect our business, results of operations, and liquidity. We also face increased legal expenses and could see an increase in the cost of doing business. We could also see private civil litigation arising as a result of the outcome of this inquiry. In addition, responding to the inquiry may divert the time and attention of our management from normal business operations. Regardless of the outcome of the inquiry, the publicity surrounding the inquiry and the potential risks associated with the inquiry could negatively impact the perception of our company by investors, customers, and others.”

Smith & Wesson’s disclosure is hardly surprising. Anytime a company’s employee is criminally indicted for an FCPA violation, it is reasonable to assume that the DOJ will wonder “who knew what and when” and will seek to discover whether the employee’s alleged conduct is isolated or evidence of broader, more systemic conduct. When that employee is the “Vice President−Sales, International & U.S. Law Enforcement” it is virtually guaranteed that the DOJ will ask such questions.

It is unlikely that Smith & Wesson is the only company implicated in the Africa Sting case under investigation. However, as stated above, because Smith & Wesson is a public company, the public is provided a better glimpse of how the Africa Sting case is affecting this company compared to the many other companies implicated – many of which are small, private businesses. These companies are “domestic concerns” and thus subject to the FCPA, it’s just that FCPA inquiries of non-public companies generate less attention that FCPA inquiries of public companies.

Nor is it surprising that Smith & Wesson disclosed the existence of an SEC investigation.

I noted in January:

“Given that one of the individuals indicted is employed by a public-company issuer, the SEC may also be interested in that company from, at the very least, an FCPA books and records and internal control perspective.”

Even if Smith & Wesson is never charged with violating the FCPA’s antibribery provisions, it is likely that the company could face some exposure under the FCPA’s books and records and internal control provisions.

The SEC’s analysis would likely be as follows.

Goncalves, if the alleged conduct is true, no doubt, while a Smith & Wesson employee, made entries on the company’s books and records that did not accurately or fairly represent the transactions at issue. That, in and of itself, would be an FCPA books and records violation. Further, the SEC will take the position that if Smith & Wesson had effective internal controls, Goncalves could not have engaged in the conduct he is alleged to have engaged in. If he did, this in and of itself, is evidence that Smith & Wesson lacked effective internal controls.

A bit simplistic, yes. But this is perhaps how the Smith & Wesson inquiry will play out.

A final point.

Smith & Wesson is a supplier to numerous government customers and military installations. Under guidelines issued by the Office of Management and Budget, a person or firm found in violation of the FCPA may be barred from doing business with the Federal government. Add this issue to the list of issues to follow as the Smith & Wesson FCPA inquiry escalates. However, this sanction (to my knowledge) has never been used against an FCPA violator.

If the SEC Was An Issuer …

The FCPA’s books and records and internal control provisions require issuers (i.e. publicly-traded companies) to: (i) “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer;” and (ii) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (among other things) transactions are executed in accordance with management’s general or specific authorization, transactions are recorded as necessary to maintain accountability of assets, and access to assets is permitted only in accordance with management’s general or specific authorization.

The SEC enforces these provisions against issuers.

Often times, the SEC enforces these provisions against issuers aggressively (see here and here).

It seems to not matter to SEC enforcement officials whether the improper recording in the company’s books or records occurred at a far flung, fifth-tier subsidiary by a rogue employee or whether the issuer actually had knowledge that a far flung subsidiary was engaged in improper conduct.

The SEC’s position is that if the far-flung subsidiary’s financial results are consolidated with the parent company issuer’s financial results for purpose of financial reporting, then the subsidiary’s violation is the issuer’s violation.

Further, it seems to not matter to SEC enforcement officials whether the violation resulted from a rogue employee acting contrary to clearly articulated and well communicated company policies and procedures prohibiting the improper conduct because, after all, if the company’s internal controls were effective, rogue employees would not exist or, if they do exist, proper controls would be put in place to monitor their behavior before it occurred.

Every so often, it is fun to spend a few moments in “hypothetical land.”

The issue in “hypothetical land” today is – if the SEC was an issuer.

If the SEC was an issuer, it would have some serious FCPA books and records and internal control issues to deal with as a result of the Government Accountability Office’s (“GAO’s”) recent “Financial Audit – Securities and Exchange Commission’s Financial Statements for Fiscal Years 2009 and 2008” (see here).

As detailed in the audit, the GAO “identified six significant deficiencies that collectively represent a material weakness in SEC’s internal control over financial reporting.” In short, the GAO concluded that “SEC’s internal control over financial reporting was not effective as of September 30, 2009.”

Most notably, the GAO found material weaknesses that have: (i) “resulted in unsupported entries and errors in the general ledger”; (ii) “ineffective financial reporting controls and general ledger system reporting limitations”; and (iii) “ineffective processes and related documentation concerning budgetary transactions.” (p. 5).

Among other specifics, in terms of the general ledger system and the supporting processes the SEC uses to prepare its financial statements, the GAO found that:

“unauthorized personnel can view, manipulate, or destroy data” (p. 64);

SEC controls to compensate for the general ledger limitations “are cumbersome and largely detective nature, increasing the risk that errors or fraud that could result in a misstatement to the financial statements would not be prevented” (p. 65);

in connection with deposit account activity, the SEC’s processes are “labor-intensive” and that “it does not have dedicated resources assigned to address this issue” (p. 69); and

“obligations […] were not always recorded timely and were not always supported by documentation evidencing the obligation as having been approved by an authorized individual” (p. 70).

Under the FCPA, not only is it important for issuers to have effective internal controls, but issuers must also monitor those internal controls to make sure that they are effective.

The GAO was critical of the SEC on this score as well.

The report notes:

“We also identified weaknesses in SEC’s monitoring process which indicate a lack of effective oversight of controls. Management’s monitoring of controls should include whether the controls are operating as intended and include an assessing of the design and operation of controls on a timely basis and taking necessary corrective actions. As discussed previously, we found that SEC’s monitoring procedures did not address all identified risks. Further, SEC’s management oversight was not sufficient given the frequency and sensitivity of the control activity, and monitoring procedures were not always completed in accordance with SEC’s stated testing plan.” (p. 71-72).

According to the GAO – “[b]ecause of inherent limitations, [the SEC’s] internal control[s] may not prevent or detect and correct misstatements due to error or fraud, losses, or noncompliance.” (p. 8).

Because of the above identified deficiencies, if the SEC was an issuer – would: (i) the SEC’s main DC office be strictly liable for branch office deficiencies; (ii) the SEC disgorge all of its “profits” connected (no matter how remotely) to the improper recording or the deficient internal controls; and (iii) would high-level SEC officials be accountable under “control person” theories for the books and records and internal control violations?

As readers of this blog know, all of the above “theories” are straight from recent SEC enforcement actions against issuers.

So next time an FCPA practitioner and his/her corporate client representative are seated across the table from an SEC enforcement official who asks, “how could this payment have not been recorded properly in subsidiary X’s books and records, how could the issuer not put in place effective internal controls, how could those controls not be monitored and assessed, etc. etc.” the most candid response just might be “I don’t know, you tell me – such issues happen at the SEC as well.”

One more thing, when enforcing the FCPA’s books and records and internal control provisions against issuers, the SEC insists on remedial measures and wants to see evidence of those remedial measures being put into place “yesterday.” An issuer comment, such as “this takes time,” would likely fall on deaf ears.

Yet, here is what SEC Chairman Mary Schapiro had to say about the GAO report and its findings of various deficiencies: “some deficiencies are likely to be resolved during the first half of FY 2010, while others – which have been the result of long-term and growing constraints affecting our information technology and human resources – will take longer to fully resolve.” (p. 29). This statement was also repeated by Kristine Chadwick, SEC CFO and Associate Executive Director (p. 33).

Alas, time to come back to reality, the SEC is not an issuer, but a couple minutes in “hypothetical land” does provide some useful perspectives as to the SEC’s enforcement of the FCPA’s books and records and internal control provisions.

Books and Records and Internal Controls Compliance … The Importance of FCPA Goggles

A reader recently commented that most companies know “what to do” when it comes to FCPA anti-bribery compliance training, but that when it comes to FCPA books and records and internal controls compliance training most people “scratch their heads.”

Below, I offer some thoughts on books and records and internal controls compliance training, but by no means does this cover the entire landscape.

I think the reader is correct in that most companies do in fact focus compliance efforts (if they have pro-active compliance efforts – see here) on the FCPA’s anti-bribery provisions. The FCPA’s other prong – the books and records and internal control provisions are usually mentioned (if at all) in passing.

An explanation for why likely has to do with the statute itself.

The anti-bribery provisions have specific elements tied to things we can all generally understand such as – things of value, foreign official, and obtain or retain business – and companies can easily tailor compliance training to those elements, or it is probably more accurate to say, DOJ and SEC’s interpretations of those elements.

In contrast, the FCPA’s book and records and internal control provisions are rather generic and have key terms such as “reasonable detail,” “accurately and fairly,” “sufficient,” “reasonable assurances, and “general or specific authorization.”

Tailoring compliance training to such general concepts can be difficult. Moreover, the books and records, and internal control provisions apply to issuers in ALL instances, not just those instances in which the company is doing business or seeking business abroad. Thus, it may be more difficult to frame books and records and internal control issues to training, because the provisions apply to everything an issuer does.

Against this backdrop, what works best I think is to view FCPA compliance as not just a task that company lawyers and selected key positions from an anti-bribery perspective (i.e. sales, marketing, business development) need to be concerned with, but rather a task that internal audit and finance should also be concerned with and actively involved in as well.

This means that internal audit and finance personnel must be specifically trained to approach their specific job functions not only in a traditional way, but also with “FCPA goggles” on.

It is clear from recent FCPA enforcement actions that the SEC expects much more from non-legal personnel when it comes to FCPA compliance, including the ability to spot FCPA issues and display a high degree of (I’ll call it) intellectual curiosity as to certain issues.

For instance, in the 2007 York matter, the SEC alleged in its civil complaint (see here at para 51) that (i) “York International’s management had the ability to review or cause internal audit to review [the problematic contracts] and, had this been done, it would have been immediately apparant that the consultancy agreements were a sham; and (ii) it was “clear that local finance personnel did not provide an independent internal control function, but rather acquiesced in questionable practices and documentation without critical review.”

Again, because the FCPA’s books and records and internal control provisions are rather generic, I think a “best practice” (not only for issuers, but for any company) is to specifically train internal audit and finance personnel to view their job with “FCPA goggles” on.

This means that internal audit and finance personnel should:

(1) Understand the broad interpretations given to the anything of value, foreign official, and obtain or retain business elements of anti-bribery violation so that they clearly understand that conduct other than a “suitcase full of cash to a government official to get a government contract” is problematic. For instance,
excessive travel and marketing expenses, payment of scholarships, etc. can be things of value. Internal audit and finance personnel also need to understand that employees of state-owned or state-controlled companies are considered “foreign officials” by DOJ/SEC (even if that interpretation has not been tested or challenged). This means that things a company does to “wine and dine” its purely private customers can become problematic when state-owned or state-controlled customers receive the same treatment. In terms of state-owned or state-controlled customers, it is also a good idea for a company to maintain a roster of such entities so that heightened review will be triggered when any corporate personnel deals with such customers or prospective customers. Internal audit and finance personnel also need to understand that payments which result in a company securing a foreign license, permit, or certification can satisfy the “obtain or retain business” element of an anti-bribery violation on the theory that such payments help the company, in the general sense, obtain or retain business.

(2) Pay particular attention to employee reimbursement requests and think about FCPA issues in connection with these requests. For instance, if a specific sales and marketing employee is the designated “wine and dine” person, is there any heightened scrutiny of that individuals reimbursement requests?

(3) Be aware of the FCPA’s third-party payment provisions and be able to spot (and follow-up on) the following issues relevant to engaging and supervising a foreign agent or representative: payments made to personal (rather than company) bank accounts; payments to off-shore bank accounts; payments which could be made in one lump sum but are split up to avoid detection; and payments made to an account in a country different than where the service provider is located. When utilizing third parties, commission payments are obviously a big FCPA risk. Thus, internal audit and finance personnel need to ask what steps the company has taken to assure itself that the commission payments are reasonable. Moreover, such personnel should specifically look for evidence that the third party actually provided legitimate value-added services before payment was made by the company.

(4) Figure out who within the company, the relevant business unit, etc. has the authority to authorize large payments and make sure those authorizations are scrutinized. Because of title, prestige and in some countries – gender – certain individuals are subjected to less oversight and scrutiny when it comes to authorizing payments. If any such trends or patterns emerge within a company as to this issue, internal audit and finance personnel must be diligent in understanding why.

(5)Pay particular attention to the following accounts (all of which, per recent FCPA enforcement actions, were used to conceal improper payments) – “additional assessments,” “extra costs,” “extraordinary expenses,” “urgent processing,” “urgent dispatch,” “customs processing,” “importation advances,” . These accounts, and all other accounts described in a vague or ambiguous manner, should be subject to heightened scrutiny by internal audit and finance personnel.

Back to the original issue raised by the reader as to how best to offer FCPA books and records, and internal controls compliance training. Again, because the books and records and internal control provisions are so generic, I think the “best practice” is to couple such training with anti-bribery training and to make sure that internal audit and finance personnel have the FCPA tools necessary to properly execute their jobs.

Internal audit and finance personnel clearly have an FCPA compliance role to play, and the SEC is clearly expecting them to play that role. However, internal audit and finance personnel can only raise FCPA issues if they first know what FCPA issues to look for. Providing internal audit and finance personnel with a good pair of “FCPA goggles” is a good way to achieve books and records, and internal controls compliance.

Powered by WordPress. Designed by WooThemes