In other words, the same legal violation ought to be sanctioned in the same way. When the same legal violation is sanctioned in materially different ways, trust and confidence in law enforcement is diminished.
However, there sure does seem to be a lack of consistency between how the SEC resolves Foreign Corrupt Practices Act books and records and internal controls violations.
As most readers no doubt know, the FCPA has always been a law much broader than its name suggests. The anti-bribery provisions are just one prong of the FCPA.
Indeed, most FCPA enforcement actions do not involve allegations of foreign bribery, but rather violations of the FCPA’s generic books and records and internal controls provisions. These provisions generally require that issuers shall: (i) maintain books and records which, in reasonable detail, accurately and fairly reflect issuer transactions and disposition of assets (the books and records provisions); and (ii) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are properly authorized, recorded, and accounted for (the internal controls provisions).
For lack of a better term, let’s call such actions “non-FCPA FCPA enforcement actions.” Such actions are not dissected in the FCPA space and do not appear on the DOJ or SEC’s FCPA websites (here and here). Yet such actions are deserving of analysis because they highlight a troubling aspect of FCPA enforcement: that being how the same alleged legal violations are sanctioned in materially different ways.
With the SEC now fully open for business again, earlier this week it released four similar administrative actions. In each of the actions, the issuer had material weaknesses in internal controls over financial reporting that persisted between 7 to 10 years.
To resolve the matters, the issuers agreed to pay civil penalties of $35,000, $100,000, $100,000 and $200,000.
Compare these paltry civil penalties for material internal controls provisions over a long period of time with – for instance – the BHP Billiton enforcement action (see prior posts here, here and here) in which the SEC assessed a $25 million civil penalty for – better sit down for this one – the company’s “failure to devise and maintain sufficient internal controls over a global hospitality program that the company hosted in connection with its sponsorship of the 2008 Beijing Summer Olympic Games.”
The four administrative actions released this week are highlighted below.
The SEC found as follows regarding the Texas-based technology company.
“Respondent disclosed material weaknesses in each of its Forms 10-K over a period of seven years, from fiscal year 2011 through fiscal year 2017. Respondent’s disclosed material weaknesses, which often repeated year after year, related primarily to its financial close and reporting process and controls over its accounting information technology systems.
Respondent’s material weaknesses resulted from, among other things, deficiencies in the design and operation of controls related to its financial close and reporting process, including, during certain periods of time,weaknesses around the review and performance of reconciliations during the close process; and failures to maintain sufficient qualified personnel or adequate accounting information technology systems resulting in a manual close with insufficient documentation of the procedures employed.
Respondent retained a SOX consultant in 2012 but retained a new SOX Consultant in February 2015 to assist with its remediation and testing efforts. After the close of fiscal year 2015, that consultant provided Respondent with a detailed plan of remediation. Respondent began implementing the plan in fiscal year 2016. During fiscal year 2016 and part of fiscal year 2017, the Respondent made some progress towards remediating its material weaknesses. The Commission staff contacted the Respondent in May 2016. In April 2017, the Respondent rehired its SOX consultant to review and test ICFR for fiscal years 2017 and 2018.
Respondent continued to disclose the existence of material weaknesses and to engage in limited remediation but it did not fully remediate its material weaknesses until the end of fiscal year 2018 when it disclosed in its Form 10-K for the year ended March 31, 2018 that there were no material weaknesses and that its ICFR was effective.”
Based on the above, the SEC found that the company violated the internal controls provisions and without admitting or denying the SEC’s findings agreed to pay a $100,000 civil penalty.
The SEC found as follows regarding the Mexico-based steel company:
“Respondent disclosed material weaknesses in each of its Forms 10-K over a period of ten years, from 2008 through 2017. In two of those years (2015 and 2016), management disclosed it failed to complete the required management evaluation of ICFR.
Respondent’s persistent and extensive material weaknesses indicate that management did not appropriately address, and in some periods adequately assess, its admitted ICFR material weaknesses and associated risks. For example, in each year from 2010 through 2017 (eight years), Simec disclosed that it lacked an “appropriate consolidation system to allow management to properly supervise the preparation of consolidated financial information…” In certain years this disclosure was coupled with an acknowledgment that a) Simec had a “very vulnerable procedure to determine costs due to manual calculations,” and b) “[financial information of subsidiaries was presented at a level of detail that was insufficient to allow for a clear and precise understanding of operations.” In each year from 2009 through 2017 (nine years), Simec disclosed that it did not have adequate accounting resources and/or adequate segregation of duties – corporate, or subsidiary-based, or both. In at least one year, Simec conceded that this “prejudiced the financial statement close process.” In each year from 2011 through 2015 (five years), Simec acknowledged “inadequate supervision and controls…resulting in material accounting errors.” From 2014 through 2016, Simec also disclosed it lacked “specific procedures for the approval of transactions with related parties.”
In addition, SIM’s CEO and CFO failed to complete their annual ICFR evaluation in two annual reporting periods. Specifically, in both 2015 and 2016, SIM disclosed that its “management did not assess the effectiveness” of its internal controls over financial reporting because its “internal audit department did not carry out the functions necessary to analyze [its] internal control during [the relevant year]; however…management considers that the deficiencies found in [the prior year] still persist.”
Although Respondent hired a SOX consultant in August 2016, there was limited progress in devising a control structure and remediating material weaknesses prior to the staff’s outreach in February 2017. Respondent completed the design and testing of its internal controls during the period ending March 2018 though there continues to be material weaknesses that it is still in the process of remediating.”
Based on the above, the SEC found that the company violated the internal controls provisions and without admitting or denying the SEC’s findings agreed to pay a $200,000 civil penalty.
FCPA Institute - Denver (May 4-5)
A unique two-day learning experience ideal for a diverse group of professionals seeking to elevate their FCPA knowledge and practical skills through active learning. Learn more, spend less. CLE credit is available.
The SEC found as follows regarding the Illinois-based dairy company:
“Respondent disclosed material weaknesses in each of its Forms 10-K for a period of nine years, from 2007 through 2015, and significant deficiencies in the aggregate that constituted a material weakness in 2016. Respondent’s disclosed material weaknesses often repeated year after year, and involved certain high-risk areas for the company’s financial statement presentation. For three consecutive years from 2007 to 2009, Respondent disclosed that it lacked a “requirement to post monthly activity to [its] general ledger,” contributing to a material weakness in each period. In six of the ten years, Respondent disclosed material weaknesses related to financial reporting controls. 3. Prior to 2016, Respondent’s material weaknesses resulted from, among other things, incomplete, inadequate and undocumented financial reporting processes; the lack of sufficient, competent and independent financial statement review; and the failure to consistently demonstrate effective preparation, support and review of journal entries and account reconciliations. In four years between 2010 and 2016, Respondent disclosed a material weakness or significant deficiencies related to its accounting for and controls related to income tax or deferred income tax.
Many of Respondent’s material weaknesses were recurring, and involved either financial reporting, accounting, or entity controls. For the most part, the material weaknesses were identified by Respondent’s management team in the course of its annual ICFR assessment and evaluation; however, the management team failed to complete its ICFR assessment and evaluation in 2013 and 2014.
Respondent initiated remediation efforts beginning in 2013, but did not begin to include detailed disclosure in its filings regarding its material weaknesses remediation plans until the quarter ended June 30, 2014. In its annual report for the period ending December 31, 2013, Respondent disclosed the engagement of an outside SOX consultant to assist in developing a remediation plan for its material weaknesses. Respondent also engaged a SOX consultant to assist with its 2015 ICFR assessment and continues to work with that consultant currently. Nonetheless, Respondent continued to disclose the existence of material weaknesses through September 30, 2017, and did not fully remediate its material weaknesses and conclude that ICFR was effective until its fiscal year ended December 31, 2017.
Respondent’s failure to address its material weaknesses has been compounded by three announced restatements since fiscal 2012, including two restatements announced during fiscal 2016. The company disclosed that its restatement announced in November 2016 was consequential to its remediation efforts. Each of the three restatements involve Respondent’s failures to appropriately account for and assign costs related to manufacturing, cost of goods sold, or inventory, although none of the restatements had a material effect on Respondent’s financial results. Respondent disclosed in four of the ten years various material weaknesses related to inventory and assignment of cost of goods sold.”
Based on the above, the SEC found that the company violated the books and records and internal controls provisions and without admitting or denying the SEC’s findings agreed to pay a $100,000 civil penalty.
The SEC found as follows regarding the Washington-based biotechnology company:
“Respondent disclosed material weaknesses in each of its Forms 10-K over a period of nine years, from 2008 through 2016. Respondent’s disclosed material weaknesses often repeated year after year, relating primarily to segregation of duties and the review, recording and financial reporting of transactions. 3. Respondent included in its public filings the same disclosure of material weaknesses for nine years straight. From 2008 through 2016, CytoDyn’s boilerplate disclosure indicated the company had “[s]everal material weaknesses… because of inadequate segregation of duties over authorization, review and recording of transactions, as well as the financial reporting of such transactions.” The general and sweeping description provided no information as to the specific material weaknesses observed.
From 2012 through 2015, Respondent reported no material changes in its internal controls, but did take certain steps to improve controls. These remediation steps included doubling its accounting staff by hiring a CPA; instituting certain controls around wire transfers, cash disbursements, financial statement reconciliations, and quarterly financial statements; and outsourcing certain of its information technology needs. After being contacted by Commission staff, Respondent retained, for the first time, a SOX consultant. Respondent has remediated its material weaknesses and determined that ICFR was effective as of May 31, 2017.”
Based on the above, the SEC found that the company violated the internal controls provisions and without admitting or denying the SEC’s findings agreed to pay a $35,000 civil penalty.
As these four recent examples once again demonstrate, the SEC has some explaining to do and owes the legal and compliance community an explanation for why FCPA books and records and internal controls violations are not sanctioned in similar ways.
Strategies For Minimizing Risk Under The FCPA
A compliance guide with issue-spotting scenarios, skills exercises and model answers. "This book is a prime example of why corporate compliance professionals and practitioners alike continue to listen to Professor Koehler."