FCPA Compliance and Ethics Blog

January 29, 2015

Welcome to COSO and the World of Internal Controls – Part I

I have intentionally avoided a Top Five or Top Ten prediction list for Foreign Corrupt Practices Act (FCPA) enforcement going forward from 2014 into 2015. However, there is one area of FCPA enforcement that I think underwent a sea change in 2014 and has significant implications for the Chief Compliance Officer (CCO) and compliance practitioner in 2015 and far beyond. That change will be in the enforcement by the Securities and Exchange Commission (SEC) of the internal controls provisions of the FCPA. Last fall we saw three SEC enforcement actions where there was no corresponding Department of Justice (DOJ) enforcement action, yet there was an SEC enforcement action around either the lack or failure of internal controls. Those enforcement actions were Smith & Wesson, Layne Christensen and Bio-Rad.

Coupled with this newfound robust enforcement strategy by the SEC is the implementation of the COSO 2013 Framework, which became effective in December 2014. COSO stands for Committee of Sponsoring Organizations of the Treadway Commission, which originally adopted, in 1992, a framework as a basis to design and then test the effectiveness of internal controls. It was deemed necessary to update this more than 20-year-old COSO Framework, as modified in 2013, so that it provides a very supportable approach when adversarial third parties challenge whether a company has effective internal controls. While the COSO Framework is designed for financial controls, I believe that the SEC will use the 2013 Framework to review a company’s internal controls around compliance. This means that you need to understand what is required under the 2013 Framework and be able to show adherence to it or justify an exception if you receive a letter from the SEC asking for evidence of your company’s compliance with the internal controls provisions of the FCPA.

Because I believe this single area of FCPA enforcement is so important and will increase so much, I am going to dedicate several posts to an exploration of internal controls, focusing on the COSO 2013 Framework. In Part I, I begin with a review of internal controls under the FCPA.

What are internal controls?

What are internal controls in an FCPA compliance program? The starting point is the law itself. The FCPA requires the following:

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences ….

The DOJ and SEC, in their jointly released FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”

Aaron Murphy, a partner at Foley and Lardner in San Francisco and the author of the most excellent resource entitled “Foreign Corrupt Practices Act”, has said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Well-known internal controls expert Henry Mixon has said that internal controls are systematic measures such as reviews, checks and balances, methods and procedures instituted by an organization that perform several different functions. These functions include allowing a company to conduct its business in an orderly and efficient manner; to safeguard its assets and resources; to detect and deter errors, fraud, and theft; to assist an organization in ensuring the accuracy and completeness of its accounting data; to enable a business to produce reliable and timely financial and management information; and to help an entity to ensure there is adherence to its policies and plans by its employees, applicable third parties and others. Mixon adds that internal controls are entity wide; that is, they are not just limited to the accountants and auditors. Mixon also notes that for compliance purposes, controls are those measures designed specifically to provide reasonable assurance that any assets or resources of a company cannot be used to pay a bribe. This definition includes diversion of company assets, such as by unauthorized sales discounts or receivables write-offs, as well as the distribution of assets.

The FCPA Guidance goes further to specify that internal controls are a “critical component” of a best practices anti-corruption compliance program. This is because the design of an entity’s “internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption. A company’s compliance program should be tailored to these differences.” After a company analyzes its own risk, through a risk assessment, it should design its most robust internal controls around its highest risk.

COSO and Internal Controls

Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles, which include the following: (1) the updated Framework should be conceptual, which allows for updating as internal controls (and compliance programs) evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls apply to more than simply accounting controls; they apply to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.” For the compliance practitioner, this final statement is of significant importance because it directly speaks to the need for the compliance practitioner to be involved in the design and implementation of internal controls for compliance and not to simply rely upon a company’s accounting, finance or internal audit function to do so.

So why will all of the above be a sea change for FCPA enforcement since, after all, the requirement for internal controls has been around since 1977? The Smith & Wesson case shows the reason. In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Additionally, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization.” All of this was laid out in the face of no evidence of the payment of bribes by Smith & Wesson to obtain or retain business. This means it was as close to strict liability as it can be without using those words. Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, was quoted in an SEC Press Release on the matter as saying, “This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales. When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.”

In Part II we will begin our exploration of the COSO 2013 Framework and what it requires in the way of internal controls for your FCPA compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

November 5, 2014

A Royal Fan Responds: Russ Berland on the SEC Financial Report for FY 2014

Russ Berland

Ed. Note: Today we have a guest post from KC Royals fan and Stinson Leonard Street partner Russ Berland.

As a Kansas City Royals fan, I would like to use this opportunity to congratulate the Royals on a great season and say to them, “Ya done good.”  Despite losing an extremely close seventh World Series game to a very able and talented San Francisco Giants team, which included a pitcher whose name and face will one day be memorialized in Cooperstown, this year has been a banner, or should I say, a pennant year for the boys in blue.

The SEC likewise would like to take a moment to be congratulated on their banner year in their annual enforcement preview of their Agency Financial Report.  So here goes … The SEC wants us to know that they are using creative means to find misconduct on their own and go after it, to hold people and corporations accountable,  and to pay and protect whistleblowers.  On October 16, the SEC put out its official preview of its upcoming Agency Financial Report for FY 2014.  The SEC’s fiscal year ends September 30, so this spans every enforcement action the SEC has taken since October 1, 2013.  The report has four major themes:

  1. The SEC is enforcing the law against people, not just companies. It takes people to commit misconduct on behalf of companies so those same people should be held accountable. And if the SEC is counting on you to watch over companies and transactions you better take it seriously. The SEC does and they will hold you accountable. The preview made this point in showcasing its major enforcement actions against Fifth Third Bancorp and its former CFO, Diamond Foods Inc. and its former CEO and CFO, World Capital Market and its founder, and many, many others. The most poignant example was the enforcement action against the Chairman of the Audit Committee of AgFeed Industries, Inc. The SEC alleges that Ivan Gothner, the chairman of AgFeed’s audit committee, received information that AgFeed’s Chinese operations were conducting accounting fraud and instead of taking a fellow director’s advice to “hire professional investigators guided by outside legal counsel,” he directed internal resources to assess the situation. When that resulted in late and inadequate information, the SEC charged him “with violating or aiding and abetting violations of the anti-fraud, reporting, books and records, and internal controls provisions of the federal securities laws” and “with making false statements to AgFeed’s outside auditors.” Andrew Ceresney, Director of the SEC’s Division of Enforcement, called this “a cautionary tale of what happens when an audit committee chair fails to perform his gatekeeper function in the face of massive red flags.”
  2. Corporations must admit their actions. Last year, the SEC Chairman, Mary Jo White, announced that more companies must admit their wrongdoing in settlements. The SEC’s Admissions Policy states that the companies may be required to admit their wrongdoing when there is “(1) misconduct that harmed large numbers of investors, or placed investors or the market at risk of potentially serious harm, (2) egregious intentional misconduct, or (3) when the defendant engaged in unlawful obstruction of the commission’s investigative processes.” Now, the Preview adds two more categories to those required to make admissions: “[4] where an admission can send a particularly important message to the markets, or [5] where the wrongdoer poses a particular future threat to investors or the markets.” For example, in the settlement with ConvergEx for misrepresenting its commissions to brokerage customers, ConvergEx was required to admit the facts stated by the SEC and admit that it had violated Securities Laws. In one interesting twist, Wells Fargo Advisors LLC was forced to admit its wrongdoing when one of its brokers traded on non-public information about the sale of Burger King to a private equity firm. The “wrongdoing” that Wells Fargo Advisors admitted encompassed inadequate policies, inadequate coordination among internal groups tasked with policing insider trading and the compliance officer who should have spotted the insider trading missing it. This is an interesting view of what constitutes “egregious intentional misconduct.” The message seems to be that in order to settle a matter with the SEC without admitting or denying facts or legal conclusions, the defendant will need to prove they do not fit in one of the five listed categories. It’s possible that the SEC forced Wells Fargo Advisors to admit its wrongdoing because it delayed production of relevant documents or because one of the documents that they turned over had been altered by the compliance officer herself. Or perhaps they are sending “a particularly important message” to compliance officers that they need to be vigilant in doing their jobs.
  3. Whistleblowing Pays.  In FY2014, the SEC paid $35 million to 9 whistleblowers.  One of them received $30 million by him or herself.   Because the SEC rules protect the identity of whistleblowers, we don’t know who got paid.  But the SEC whistleblowing process has multiple stages, which include bringing original information or an original analysis of existing information to the SEC, having the SEC pursue that information leading to a prosecution, and successfully prosecuting or settling that matter with a recovery of over $1 million.  This takes  a long time from beginning to end.  Dodd Frank was passed in 2010.  The first REAL money ($14 million) was paid last year.  And now someone is getting $30 million.  The pipeline took a while to fill, but it is reaching a full state and we can probably expect to see a lot more whistleblower payments in the next few years.
  4. If you don’t come to us, we’ll find you. The SEC is using more and more data analytics on financial and trading activity to find wrongdoers. According to the SEC, “innovative use of data and analytical tools contributed to a very strong year for enforcement marked by cases that spanned the securities industry.” Right now, they are telling us that they are using those techniques to look at filing deficiencies, hedge fund returns, and insider trading. But we can anticipate they are looking at more than just those categories and we should expect to see more and more use of these techniques over broader areas in the coming years. And, the SEC is telling us that they are also currently implementing and developing “next generation tools” to review market and other data for suspicious activity.

So, this Preview of the FY2014 Agency Financial Report suggests that the SEC should not be seen as sitting back and waiting for cases to come to them.  And when companies and people violate Securities Laws, the SEC will work hard to make sure that they each take accountability, either personally through fines and penalties or corporately, through admissions.   Like the Royals, the SEC would like us to know that they have had a banner year.

Berland can be reached at russ.berland@stinsonleonard.com. He was lead investigative counsel for Layne Christensen in its recently concluded FCPA enforcement action by the SEC. In my podcast, the FCPA Compliance and Ethics Report, Episode 104, I interview Berland on how the company was able to receive a declination from the DOJ. The Episode will post Thursday, Nov. 7.
