Is Strict Liability Coming to FCPA Enforcement?

I think that a strict liability standard is coming to Foreign Corrupt Practices Act (FCPA) enforcement. A number of factors have caused me to come to this conclusion. While there may well be wide disagreement as to whether such a standard is warranted under the FCPA, I think it is coming and it is something every Chief Compliance Officer (CCO) and compliance practitioner needs to be ready to address if and when the day comes that your company is under the shadow of a FCPA investigation.

I do not think this strict liability standard is coming for criminal enforcement of the FCPA by the Department of Justice (DOJ) because there is still a requirement of intent under the Act. Intent can be inferred by conscious indifference but I still do not think that day of reckoning is near for DOJ enforcement. However I do think that a confluence of events, FCPA enforcement actions by the Securities and Exchange Commission (SEC) and statements by the SEC representatives, all point towards a new enforcement angle to the FCPA. I think that the SEC is moving towards a strict liability standard for internal controls under the FCPA. That means if your compliance internal control regime is investigated, you will have to demonstrate that it meets some minimum standard that satisfies the SEC. If not, there will be a SEC administrative complaint filed against your company, alleging failure to maintain appropriate internal controls as required by the FCPA and your company will bear the burden of proof to demonstrate that you have designed and implemented an effective system of compliance internal controls.

The FCPA says that internal controls requires issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with man­agement’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to per­mit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is com­pared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences. 

As further explained in the FCPA Guidance, “the Act defines “reasonable assurances” as “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.” The Act does not specify a particular set of controls that companies are required to implement. Rather, the internal controls provision gives companies the flexibility to develop and maintain a system of controls that is appropriate to their particular needs and circumstances.””

My evolution of thinking on this issue began last fall with the Smith & Wesson (S&W) FCPA enforcement action. There was nothing in the reported settlement documents that tied the failure of S&W internal controls to the payment (or offer to pay) of a bribe or the obtaining of any benefit. The claims made against S&W were basically along the lines of this language laid out in the Order Instituting Cease-and-Desist Proceedings, “Despite making it a high priority to grow sales in new and high risk markets overseas, the company failed to design and implement a system of internal controls or an appropriate FCPA compliance program reasonably designed to address the increased risks of its new business model.” It should be noted that S&W did not ‘admit or deny’ any of the allegations made against it, the company simply consented to the entry of the Order.

In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Additionally, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization.”

All of this was laid out in the face of no evidence of the payment of bribes by S&W to obtain or retain business. This means it was as close to strict liability as it can be without using those words. Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, was quoted in a SEC Press Release on the matter that ““This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales.” When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.””

The second factor that informs my thinking on this issue is the updated COSO 2013 Framework that became effective in December 2014. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles which include the following: (1) the updated Framework should be conceptual which allows for updating as internal controls (and compliance programs) evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls applies to more than simply accounting controls, it applies to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, compliance is the responsibility for the implementation of effective internal controls resides with everyone in the organization.”

For the compliance practitioner, this final statement is of significant importance because it directly speaks to the need for the compliance practitioner to be involved in the design and implementation of internal controls for compliance and not to simply rely upon a company’s accounting, finance or internal audit function to do so.

The updated Framework also gives a precise model for the SEC to use to inquire from companies about their compliance internal controls. How many companies could not only present evidence of implementation of compliance internal controls along the lines of the updated Framework but also evidence of their effectiveness? Unfortunately the answer is not many.

There is one other factor that informs my evolution of thinking regarding a strict liability standard under the FCPA. Under Sarbanes-Oxley (SOX), Section 404, public companies are required to report on the adequacy of the company’s internal control on financial reporting. The report must affirm the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting. The report must also contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. External auditors must also assess and make such a report. To do so, most companies, and their external auditors were using the prior COSO Framework.

Now imagine a situation where your external auditors have made their report and your company has made such report public, under its SOX 404 reporting obligation. What if the SEC took that report, reviewed it and made an initial assessment that your compliance internal controls around bribery and corruption were not sufficient, as required under the FCPA? What if the SEC sent you a letter asking for evidence of development and implementation of compliance internal controls, also asking for your audited evidence of effectiveness? What if you respond in due course and you receive another letter from SEC, which opines that your compliance internal controls are insufficient under the FCPA giving your proposed fine. You protest that there is no evidence of bribery or corruption regarding this insufficiency of your compliance internal controls. What if your company is then invited to contest this issue through the SEC Administrative process?

Does that sound far-fetched? Maybe it is but, from where I sit, that is the direction I see the issue of internal controls going in FCPA enforcement. I think a strict liability regime is coming under SEC enforcement of the FCPA. As a CCO or compliance practitioner in a public company, you need to be ready to defend your compliance internal controls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Assessing Internal Controls, Part III

In this blog post I conclude my exploration of how you should assess your compliance internal controls using the Committee of Sponsoring Organization of the Treadway Organization (COSO), publication “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls”, (herein ‘the Illustrative Guide’) as a starting point and basis for discussion. You will recall from my series on compliance internal controls under the COSO 2013 Framework there are five objectives: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information and Communication; and (5) Monitoring Activities. Today I will review issues around compliance internal control assessments on Control Activities and Information and Communication.

One of the things the Illustrated Guide makes clear is the inter-related nature of internal controls. Simply because there may be a deficiency in one specific Principle or even if controls are not present around such a Principle, a company can consider its overall internal controls to effect the principles. For the compliance practitioner I think this is significant because you may have one Principle present and function in the context of another Principle. An example from the Illustrated Guide is the situation where Principle 8, Assessing Fraud Risk is not present yet if other Principles such as Principle 3 Establishing Structure, Authority and Responsibility and Principle 5, Enforcing Accountability adequately address the issue from a control perspective then a deficiency is handled. At the end of the day, unless a major deficiency is noted, it is up to senior management to assess the “severity of an internal control deficiency or combination of deficiencies, in determining whether components and relevant principles are present and functioning, and the components are operating together, and ultimately in determining the effectiveness of the entity’s system of internal control.” So this would also be true from the compliance internal control perspective.

I.     Control Activity

Under the objective of Control Activity there are three principles which you will need to assess. The three principles are:

Principle 10 states that “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.” Your entity must demonstrate that it integrates its compliance function around its risk assessment. You must demonstrate more than simply an ‘out of the box’ compliance solution but that your company has considered specific factors to it, including its relevant business processes, an evaluation of a mix of control activity types and consideration of at what level such compliance controls are applied. Finally there must be evidence that your company has addressed segregation of duties from the compliance perspective.

Principle 11 states that “The organization selects and develops general control activities over technology to support the achievement of the objectives.” Here a company must determine the dependency between the use of technology in business process and technology general controls. Then there must be evidence that it has established relevant technology acquisition, development, and maintenance process control activities over this technology. There must be evidence of the establishment of relevant technology infrastructure control activities and relevant security management process control activities.

Principle 12 states that “The organization deploys control activities through policies that establish what is expected and procedures to put policies into action.” This Principle management to put sufficient compliance policies and procedures in place to support the company’s anti-corruption compliance mandates and requires training of employees on these compliance policies and procedures with testing to determine the adequacy of such compliance training. It also requires evidence that sufficient incentives have been put in place for employees to follow the compliance regime with timely discipline administered for those employees who failed to do so. Finally it requires evidence of period re-assessments of the policies and procedures.

II.    Information and Communication 

This objective has three Principles that require assessment. They are (numbers follow the COSO Framework):

Principle 13 states that “The organization obtains (or generates) and uses relevant, quality information to support the functioning of internal control.” This means that from the compliance perspective you must identify information requirements for your compliance program and then capture that data via internal and external sources. If you cannot do so you must explain why you cannot do so. You must process the information and use it in your compliance function going forward and document that use.

Principle 14 states that “The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.” Under this Principle you must be able to demonstrate that your company communicates compliance internal control information with not only senior management but also appropriate employees and your board of directors. It re-emphasizes the need for separate lines of communications and there is documented consideration to show the reason for selection of the relevant method of communication.

Principle 15 states that “The organization communicates with external parties regarding matters affecting the functioning of internal control.” This Principle relates to your communications to third parties so you will need to demonstrate internal controls around your compliance communications with parties external to your company. You will also be required to show compliance internal controls inbound to your organization from third parties.

III.   Monitoring Activities

The Monitoring Activities objective consists of two principles that require assessment. They are (numbers follow the COSO Framework):

Principle 16 states that an “organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” This requires you to have employees knowledgeable in your business processes who can review it on an ongoing basis. You must show that there is a compliance internal controls which, in an objective manner evaluates rates of compliance changes, with an understanding of the baseline and projected business changes. All of this must be integrated with business processes with appropriate adjustments in scope and frequency.

Principle 17 – “The organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” Under this Principle you must be able to demonstrate that from the compliance perspective your results were assessed, any deficiencies were communicated to the appropriate parties and finally there was corrective action which was appropriately monitored.

I regularly say that the three most important about FCPA compliance is Document Document Document. I believe the COSO 2013 Framework puts that point into practice, particularly with the auditing requirement. As Ron Kral noted in his article, “Implementing COSO’s 2013 Framework: 10 Questions that Need to be Answered” you must “Verify the adequacy of your documentation and alignment of controls to the 17 principles with the external auditors at key junctions and decision points. Also, consider involving your internal audit function in answering this question. Not only do you want assurance that your documentation of control design is adequately aligned, but also that the controls are operating effectively.”

The auditing process should also work to determine not only if your compliance internal controls are are properly designed, operating effectively but also that the five components are operating together. Kral believes that “This is the essence of any sound internal control evaluation. It’s not merely a matter of satisfying documentation and compliance requirements, but rather a matter of protecting the interests of shareholders.” To which I agree. By going through the auditing exercise, you will have created a framework to operate, assess and update your compliance internal controls to meet the ever-evolving nature of FCPA and other anti-corruption compliance programs.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Assessing Internal Compliance Controls – Part II

In this blog post I continue my exploration of how you should assess your compliance internal controls using the Committee of Sponsoring Organization of the Treadway Organization (COSO), publication “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), as a starting point and basis for discussion. You will recall from my series on compliance internal controls under the COSO 2013 Framework there are five objectives: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information and Communication; and (5) Monitoring Activities. Today I will review issues around compliance internal control assessments on Control Environment and Risk Assessments.

First are some general definitions that you need to consider in your evaluation. A compliance internal control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.” A compliance internal control is functioning if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”

I. Control Environment

Under the objective of Control Environment there are five principles which you will need to assess. The five principles are:

1. The organization demonstrates a commitment to integrity and ethical values. Here you can look to see if there is a training program to help make employees cognizant of the importance of doing business ethically and in compliance with the standard’s of your company’s Code of Conduct. Also is there specific training on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other relevant anti-corruption/anti-bribery legislation which may govern your organization? Next does your company have in place any process to evaluate “individuals against published integrity and ethics policy”? Finally, do you have in place any process to “identify and address deviations in the organization”?
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Under this Principle you must DOCUMENT the active involvement of your company’s Board of Directors. So not only must risk assessments be performed and evaluated by senior management, they must also be evaluated by the Board, separate and apart from senior management. A Board must also document its review of any remediation plans and monitoring activities.
3. Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibility in pursuit of the objectives. This Principle deals primarily with reporting lines and structures so you will need to consider not only the structure of your business but also whether or not both clear and sufficient reporting lines have been established throughout the company. The next analysis is to move down the chain to see if there definitions and assignments for your compliance function. Lastly you need to assess whether there are sufficient parameters around the responsibilities of the compliance function and if there are limitations which should be addressed.
4. The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives. Under this Principle you will need to review the policies and procedures to make sure you have the minimum required under a best practices compliance program and then evaluate and address any shortcomings. This Principle also has a more personnel focus by requiring you to consider whether your organization attracts, develops and retains sufficient compliance personnel and is there an appropriate succession plan in place if someone ‘wins the lottery’ on the way to work.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective. Under this Principle review is required to determine whether the Board established and communicated the mechanisms to hold employees accountable for your compliance internal controls. As suggested in the FCPA Guidance, there should be both a carrot and stick approach, so for the carrot is there some type of Board, senior management or employee compensation based on whether they did their assignments in compliance with your Code of Conduct or are bonuses based strictly on a sales formulation? For the stick, have any employees ever been disciplined under your compliance regimes?

II. Risk Assessment

This objective has four Principles that require assessment. They are (numbers follow the COSO Framework):

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives which include Operations Objectives, External Financial Reporting Objectives, External Non-Financial Reporting Objectives, Internal Reporting Objectives and Compliance Objectives. Here I think the key is the documentation of several different topics and issues relating to your company and how it operations. This means you will need to assess such diverse concepts as what are your senior management’s choices for business and compliance? You will need to consider and assess tolerances for risk as demonstrated by such issues as operations and financial performance goals. Finally, it can be used as a basis for committing of compliance resources going forward.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. This Principle requires you to take a look at not only your compliance organization but also your business structure including entity, subsidiary, division, operating unit, and functional levels. You should assess the involvement of your compliance function at each point identified and the appropriate levels of management therein. Finally, from the compliance perspective, you should attempt to estimate not only the significance of compliance risks identified in the risk assessment but also determine how to respond to such identified compliance risks.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives. Bribery and corruption can be categorized as forms of fraud. Rather than being fraud against the company to obtain personal benefits it can be fraud in the form of bribery and corruption of foreign government officials. For the compliance internal control assessment around this Principle I would urge you to ‘follow the money’ in your organization and consider the mechanisms by which employees can generate the funds sufficient to pay bribes. Many of these are simply fraud schemes so you should consider this within the compliance context and assess incentive and pressures on employees to make their numbers or be fired. You should also assess your employees’ attitudes and rationalizations regarding same.
9. The organization identifies and assesses changes that could significantly impact the system of internal control. This Principle speaks to the need of your organization to maintain personnel competent to use the risk assessment going forward. But it also requires you to assesses changes in the external environment, assess changes in the business model or other significant business changes and, finally, to consider any changes in compliance leadership and how that would impact this Principle.

I often say that good compliance is simply good business. These COSO objectives are not only important from the compliance perspective but they also speak to the issue of overall process in your organization. The more you can burn these activities into the DNA of your company, the better run your organization will be going forward. Auditing against the COSO standards will provide your management with greater information on the health of your organization and satisfy your legal requirements under the FCPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

COSO and Internal Controls – Part V

This post concludes my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adhering to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Framework. Today I want to look at the fifth component, Monitoring Activities. In its Executive Summary of the 2013 Framework, COSO said, “Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and fre­quency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of direc­tors as appropriate.”

However, as with the other components of the COSO Cube, Monitoring Activities are part of an inter-related whole and cannot be taken in singularly. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said this objective “applies to all five components of internal control, and the nature of monitoring should fit the organization, its dependence on IT, and the effectiveness of monitoring providing relevant feedback on the other components, including the effectiveness of control activities.” I heartily agree with the author when he says that he believes monitoring will take on increased importance. For the Chief Compliance Officer (CCO) or compliance practitioner, Monitoring Activities has been growing in importance over the past few years and will continue to do so in the future. In their Five Principles of an Effective Compliance Program, developed by Paul McNulty and Stephen Martin at the law firm of Baker and McKenzie, they listed oversight as Principle 5, including ongoing monitoring and this is reinforced in the 2013 COSO Framework.

In an article in Corporate Compliance Insights, entitled “Implementing COSO’s 2013 Framework: 10 Questions that Need to be Answered”, Ron Kral explained that it is important to “ensure that adequate controls are ‘present’ in support of all relevant principles and the components before launching into efforts to prove that the controls are “functioning.” Remember that all relevant principles must be present and functioning in order for a company to safely conclude that their ICFR is effective. Aligning the design of controls to the 17 principles in order to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.” The same is equally, if not more so, true for your company’s compliance function.

The Monitoring Activities objective consists of two principles. They are:

(1) Principle 16 – “The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.”

(2) Principle 17 – “The organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”

Principle 16 – Ongoing evaluation

Rittenberg stresses that this Principle requires that “Monitoring should include ongoing or ‘continuous monitoring’ whenever such monitoring is reliable, timely and cost-effective.” This clearly incorporates McNulty and Martin’s dictate that Principle No. 5 consists of not only auditing but ongoing monitoring as well. The reason is simple; they are complementary tools to test the effectiveness of your compliance regime. The same is true of internal controls. But this Principle clearly expects your organization to engage in both types of oversight, monitoring and auditing.

For the CCO or compliance practitioner, there are several different areas and concepts you will need to consider going forward. A current risk assessment or other evaluation of business changes should be considered based upon some type of baseline understanding of your underlying compliance risk. Whatever you select it will need to be integrated with your ongoing business processes, adjusted as appropriate through ongoing risk assessments and objectively evaluated. 

Principle 17 – Communication of internal control deficiencies

This final Principle speaks to deficiencies and their correction. Rittenberg notes it requires a determination of what might constitute a deficiency in your internal control, who in your company is responsible for “taking corrective action and whether there is evidence that the corrective action was taken”. If that does not sound like McNulty Maxim No. 3 What did you do when you found out about it? I do not know what does.

Therefore, under this Principle the CCO will need to take timely and determined action to correct any deficiencies which might appear in your compliance regime. It will require you to assess results, communicate the deficiencies up the chain to the board or Audit Committee, correct and then monitor the corrective action going forward. Adapting Kral, I would urge that every key internal compliance control in support of the 17 Principles should “conclude upon by management in terms of their adequacy of design and operating efficiency.”

Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running properly. Both ongoing monitoring and auditing are tools the CCO and compliance practitioner should use in support of this objective. Near the end of his section on this objective, Rittenberg states, “Monitoring is a key component of the internal control framework because effective monitoring (a) recognizes the dynamics of change within an organization, and (b) provides the basis for corrective action on a timely basis.” I would add that it allows you to evaluate the effectiveness of that corrective action as well.

This concludes my exploration of COSO and internal compliance controls. While I have cited directly to the language of the COSO 2013 Framework, I hope that you now have a sense of how these concepts directly relate to your company’s compliance program. With the Securities and Exchange Commission’s (SEC) invigorated interest in internal controls, I believe that through adherence to these five objectives and 17 Principles will allow you to not only withstand such government scrutiny but also have a better run organization.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

COSO and Internal Controls – Part IV

This post continues my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adhering to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Framework. Today I want to look at the fourth component, Information and Communication. In its Executive Summary of the 2013 Framework, COSO said, “Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the orga­nization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant exter­nal information, and it provides information to external parties in response to require­ments and expectations.”

However, as with the other components of the COSO Cube, Information and Communication are not to be taken in a vacuum. Indeed, one of the more interesting aspects of this objective is that it runs not only vertically but also horizontally. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said that this objective “is not a one-way street: information needs to be generated at operational levels and communicated across and up the organization to enhance decision-making.” Moreover, he believes this means that while it may be the responsibility of more senior managers to have the requirement to develop, create and implement policies and procedures; they have to be communicated downward in the organization and there should be feedback back up the organization regarding this process. Finally, as Rittenberg continues, “information and communication must be fully integrated with the other components of the Framework, most especially those of monitoring and risk assessment.”

The objective of Information and Communication consists of three principles. They are:

(1) Principle 13 – “The organization obtains (or generates) and uses relevant, quality information to support the functioning of internal control.”

(2) Principle 14 – “The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”

(3) Principle 15 – “The organization communicates with external parties regarding matters affecting the functioning of internal control.”

A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives and that the 17 Principles are readily adaptable to compliance. I think they are more than simply adaptable as they provide a clear road map for the Chief Compliance Officer (CCO) or compliance practitioner on how to set up the right compliance controls. Finally, I believe that the Securities and Exchange Commission (SEC) will measure your company’s internal controls against each of these 17 Principles and if you cannot map your internal controls to them and provide audit evidence, you may well in FCPA hot water.

Principle 13 – Use of relevant and quality information

Rittenberg notes this Principle requires that “Relevant, timely and quality information needs to be assessed by management and others to help identify” several areas with in a company. For the CCO or compliance practitioner this means that you need to identify relevant data, which can include both internal and external data. The hard part is to move that data to actionable information. Rittenberg also suggests that you need to consider the characteristics of the information and “whether or not such information is being used correctly and timely.”

 Principle 14 – Communication up and down the organization about internal controls

This is the Principle that brings the up and down and indeed horizontal action required for Information and Communication. Rittenberg notes it relates to how information is communicated internally but he adds “it is equally important that such information be communicated to those with responsibilities over operation and compliance objectives, as well as reporting objectives.” Finally, he cautions that entities should assess whether there are any “gaps in the communication process”.

Therefore, under this Principle you will need to determine several different things from the compliance perspective. Does the Board communicate in a downward mechanism that gets its relevant instructions to the CCO or compliance function? Does the CCO or compliance function communicate upwards with the Board? Note that this Principle clearly reinforces an access component for the compliance function. But it also specifies the horizontal communication that I referred to above to ascertain that policies and procedures are effectively spread throughout an organization.

Principle 15 – Communication with external parties regarding internal controls

This Principle requires that a company communicate with relevant external parties. Rittenberg provides an excellent CCO or compliance practitioner example when he cites to the need for companies to communicate with third parties about relevant Codes of Conduct or similar documents, which might apply to them. He also pointed to the example of information about a hotline that could be provided to a third party to report any FCPA related issues. But more than a company sharing its relevant compliance information with contracted third parties, whether they be on the sales side or in the supply chain, this Principle recognizes “that outside parties can provide information to management on the effectiveness of internal controls…and regulatory communication.”

Obviously there must be communications lines up and down from the Board but also within an organization for dissemination of the appropriate compliance related information. For this Principle, the CCO or compliance practitioner should also evaluate the communication lines to third parties. This communication can flow both ways, as noted, with compliance obligations to third parties but also information in the form of compliance issues back from third parties.

Information and Communication requires a wide range of information to go up and down the corporate chain. The article “3 Challenging Principles in COSO’s Framework: A Closer Look at Principles 2, 4 and 13” relates that “People who understand the objectives, risks and controls of the information flows necessary for accounting transactions and the preparation of financial statements are critical both on the side of management and the external auditor.” This may require reliance on those with technical skills far greater than management can bring to bear. Additionally, “organizations may want to consider creating an inventory of information requirements (both from internal and external sources), maintaining written data flow processes, implementing robust controls over spreadsheets, maintaining sound data repositories and instituting a data governance program.  A data governance program will go a long way toward establishing and communicating the necessary pillars for [Information and Communication], including roles and responsibilities.” Fortunately for the CCO or compliance professional there is “no single recipe” for success with the Information and Communication objective. You can bring a wide range of talents, skills and imagination to bear on the objective.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

COSO and Internal Controls, Part II

This post continues my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adherence to the COSO 2013 Framework. Today I will begin a discussion of the updated COSO Framework. Brian Christensen, in an article in Corporate Compliance Insights, entitled “The Updated COSO Framework: Time for a Fresh Look at Internal Control”, said that the updated Framework retained the core definition of internal controls; those being control environment, risk assessment, control activities, information and communication, and monitoring activities. Further, these five operational concepts are still visually represented in the well-known three-dimensional “COSO Cube”. In addition, the criteria used to assess the effectiveness of an internal control system remain largely unchanged. The effectiveness of internal control is assessed relative to the five components of internal controls and the underlying principles supporting the components. However, it is the emphasis on the principles, which is new to the 2013 Framework.

Christensen believes that “COSO has chosen to formalize more explicitly the principles embedded in the 1992 version of the framework that facilitate development of effective internal control and assessment of its effectiveness. While the 1992 version implicitly reflected the core principles of internal control, the 2013 version explicitly states them in the form of 17 principles, each of which is mapped to one of the five components. The 17 principles represent fundamental concepts associated with the five components of internal control. There isn’t any new ground broken by these principles as they reflect widely known tenets of sound internal control that have been around for a long time.” The principles remain broadly stated as they are intended to apply to for-profit companies, not-for-profit entities, government bodies and other organizations. Moreover, “supporting each principle are points of focus, representing characteristics associated with the principles and providing guidance for their application. Together, the components and principles constitute the criteria and the points of focus provide the guidance that will assist management in assess­ing whether the components of internal control are present, functioning and operating together within the organization.”

 

The first of the five objectives is ‘control environment’. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said the control environment “sets the tome for the implantation and operation of all other components of internal control. It starts with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees.” The five principles of the control environment object are as follows:

1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes with board oversight, structures, reporting lines and appropriate authorizes and responsibility in pursuit of the objectives.
4. The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective.

Commitment to integrity and ethical values

What are the characteristics of this principle? First, and foremost, is that an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance. It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or other baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they would be addressed by the company in a timely manner. From the auditing perspective, I think that this principle requires an auditor to be able to assess if a company has the met its requirements to ethics and compliance and whether that commitment can be effectively measured and assessed.

 Board independence and oversight

 

This principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management so that it operates independently in the compliance arena. Next there should be compliance expertise at the Board level which allows it actively manage its function. Finally, and perhaps most importantly, a Board must actively provide oversight on all compliance control activities, risk assessments, compliance control activities, information, compliance communications and compliance monitoring activities. Here, internal auditors must interact with a Board’s Compliance Committee (or other relevant committee such as the Audit Committee) to determine independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function.

 

Structures, reporting lines, authority and responsibility

 

This may not seem as obvious but it is critical that a compliance reporting line go up through and to the Board. Under this principle, you will need to consider all of the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally this principle requires establishment of the appropriate authority within the compliance function. Here your auditors must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.

 

Attracting, developing and retaining competent individuals

 

This principle gets into the nuts and bolts of doing compliance. It requires that a company establish compliance policies and procedures. Next there must be an evaluation of the effectiveness of those compliance policies and procedures and that any demonstrated shortcomings be addressed. This principle next turns the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. An auditor must be able to demonstrate, through its compliance policies and equally importantly its actions, that it has a commitment to attracting, developing and retaining competent persons in the compliance function and more generally employees who accept the company’s general principle of doing business ethically and in compliance.

 

Individuals held accountable

 

This is the ‘stick’ principle. A company must show that it enforces compliance accountability through its compliance structures, authorizes and responsibilities. A company must establish appropriate compliance performance metrics, incentives to do business ethically and in compliance and finally clearly reward such persons through the promotion process in an organization. Such reward is through an evaluation of appropriate compliance measures and incentives. Interestingly a company must consider pressures that it sends through off-messaging. Finally, each employee must be evaluated in his or her compliance performance; coupled with both rewards and discipline for employee actions around compliance. This principle requires evidence that can demonstrate to an auditor there are processes in place to hold employees accountable to their compliance objectives. Conversely, if an employee does not fulfill the compliance objectives there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.

 

I will take a short break from my explorations of COSO and Internal Controls next week, but do not worry the subject will return the week of February 9. Next week I will have a series of guest posts from Joe Oringel, Principle at Visual RiskIQ on data analytics.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Welcome to COSO and the World of Internal Controls – Part I

I have intentionally avoided a Top Five or Top Ten prediction list for Foreign Corrupt Practices Act (FCPA) enforcement going forward from 2014 into 2015. However there is one area of FCPA enforcement, which I think underwent a sea change in 2014 and has significant implications for the Chief Compliance Officer (CCO) and compliance practitioner in 2015 and far beyond. That change will be in the enforcement by the Securities and Exchange Commission (SEC) of the internal controls provisions of the FCPA. Last fall we saw three SEC enforcement actions, where there was no corresponding Department of Justice (DOJ) enforcement action yet there was a SEC enforcement action around either the lack or failure of internal controls. Those enforcement actions were Smith & Wesson, Layne Christensen and Bio-Rad.

Coupled with this new found robust enforcement strategy by the SEC, is the implementation of the COSO 2013 Framework, which became effective in December 2014. COSO stands for Committee of Sponsoring Organizations of the Treadway Commission, which originally adopted, in 1992, a framework for basis to design and then test the effectiveness of internal controls. It was deemed necessary to update this more than 20-year old COSO Framework, as modified in 2013, so that it provides a very supportable approach when adversarial third parties challenge whether a company has effective internal controls. While the COSO Framework is designed for financial controls, I believe that the SEC will use the 2013 Framework to review a company’s internal controls around compliance. This means that you need to understand what is required under the 2013 Framework and be able to show adherence to it or justify an exception if you receive a letter from the SEC asking for evidence of your company’s compliance with the internal controls provisions of the FCPA.

Because I believe this single area of FCPA enforcement is so important and will increase so much, I am going to dedicate several posts to an exploration of internal controls, focusing on the COSO 2013 Framework. In Part I, I begin with a review of internal controls under the FCPA.

What are internal controls?

What are internal controls in a FCPA compliance program? The starting point is the law itself. The FCPA itself requires the following:

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any

differences ….

The DOJ and SEC, in their jointly released FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”

Aaron Murphy, a partner at Foley and Lardner in San Francisco and the author the most excellent resource entitled “Foreign Corrupt Practices Act”, has said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Well-know internal controls expert Henry Mixon has said that internal controls are systematic measures such as reviews, checks and balances, methods and procedures instituted by an organization that performs several different functions. These functions include allowing a company to conduct its business in an orderly and efficient manner; to safeguard its assets and resources, to detect and deter errors, fraud, and theft; to assist an organization ensuring the accuracy and completeness of its accounting data; to enable a business to produce reliable and timely financial and management information; and to help an entity to ensure there is adherence to its policies and plans by its employees, applicable third parties and others. Mixon adds that internal controls are entity wide; that is, they are not just limited to the accountants and auditors. Mixon also notes that for compliance purposes, controls are those measures specifically to provide reasonable assurance any assets or resources of a company cannot be used to pay a bribe. This definition includes diversion of company assets, such as by unauthorized sales discounts or receivables write-offs as well as the distribution of assets.

The FCPA Guidance goes further to specify that internal controls are a “critical component” of a best practices anti-corruption compliance program. This is because the design of an entity’s “internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption. A company’s compliance program should be tailored to these differences.” After a company analyzes its own risk, through a risk assessment, it should design its most robust internal controls around its highest risk.

COSO and Internal Controls

Larry Rittenberg, in his book COSO Internal Control-Integrated Framework said that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles which including the following: (1) the updated Framework should be conceptual which allows for updating as internal controls (and compliance programs) evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls applies to more than simply accounting controls, it applies to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.” For the compliance practitioner, this final statement is of significant importance because it directly speaks to the need for the compliance practitioner to be involved in the design and implementation of internal controls for compliance and not to simply rely upon a company’s accounting, finance or internal audit function to do so.

So why will all of the above be a sea change for FCPA enforcement since after all, the requirement for internal controls has been around since 1977. The Smith & Wesson case shows the reason. In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Additionally, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization.” All of this was laid out in the face of no evidence of the payment of bribes by Smith & Wesson to obtain or retain business. This means it was as close to strict liability as it can be without using those words. Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, was quoted in a SEC Press Release on the matter that “This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales.” When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.”

In Part II we will begin our exploration of the COSO 2013 Framework and what it requires in the way of internal controls for your FCPA compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015