New COSO framework for internal controls addresses the third-party risk that firms like Smith & Wesson have been targeted for
In cautionary articles about toughening FCPA enforcement by the Department of Justice and the SEC, a lot of attention has been paid to a sharp spike in the size of settlements since 2008. But a recent case resolved with a comparatively minuscule settlement may have implications that should be much more worrisome to public companies.
Last summer, Smith & Wesson settled an FCPA case with the SEC for just $2 million. In agreeing to the settlement, the firearms manufacturer neither admitted nor denied any wrongdoing. In fact, the SEC’s charges focused on a lack of proper internal controls to prevent bribery rather than on any hard evidence of bribes paid to officials in Pakistan, Turkey and Indonesia to secure business contracts.
Some legal experts suspect the Smith & Wesson settlement represents a case of authority creep by the SEC, which traditionally has cited the way a company has accounted for certain payments in its financial filings. In a March 9 post on the FCPA Blog, Thomas Fox warned that this settlement could mark a move toward ‘a strict liability regime’ where the SEC will try to enforce the FCPA in the absence of evidence that misconduct has taken place, solely based on judgment of a company’s compliance program.
‘Under Sarbanes-Oxley (SOX) Section 404, public companies are required to report on the adequacy of their internal controls on financial reporting,’ Fox says in his blog post. ‘I think where we are heading under FCPA enforcement is that if your SOX 404 reporting does not detail appropriate compliance internal controls, you may well be charged with an FCPA violation in a civil proceeding by the SEC.’
Last September, in an article for Bloomberg’s Corporate Accountability Report, Ropes & Gray said ‘the SEC may be seeking to expand its authority with this enforcement action to establish precedent that the mere failure of a public company to have an adequate anti-corruption compliance program could constitute a securities law violation.’
Geoffrey Atkins, a co-author of the Ropes & Gray article, together with Daniel O’Connor and Lauren Modelski, says in an email that although FCPA enforcement actions commonly include charges for internal controls violations, ‘the charges typically focus on a company’s failure to install a system to ensure transactions are described adequately in the company’s records.’ By contrast, ‘the Smith & Wesson settlement suggests the SEC is seeking to establish that the mere failure of a public company to maintain an adequate anti-corruption program (including policy, training and monitoring) could itself constitute a securities law violation. The difference in the charges, as described, is subtle. But it’s a meaningful difference. The potential for authority creep means it is more important than ever for public companies to carefully evaluate their FCPA compliance programs.’
The revised COSO framework for internal controls, which most public companies are in the process of transitioning to, could help them withstand the SEC’s broadening scrutiny, and it should be seen in that light rather than as an administrative burden. ‘COSO 2013 is the lens companies typically use to comply with SOX 404 requirements,’ George Graves, partner in KPMG’s internal audit, risk and compliance services, recently told Corporate Secretary. ‘The new [framework] is more specific. It should narrow the level of diversity of practice you see. That’s not necessarily easy to do. Some companies will have to think about what they do [as far as compliance is concerned] and how they’re able to support that. For some companies, there may be some activities they don’t do today ‒ or can’t prove they do.’
Atkins says that while the new COSO principles are still broad, ‘they provide a more specific benchmark against which the SEC could measure a company’s internal controls. The new framework also introduces concepts, such as the management of third parties, that are critical to FCPA compliance. Essentially, the SEC staff seem to see their authority as stemming from a requirement to maintain a system of internal controls to ensure the proper management of a company’s assets. If the use of assets is described inaccurately to hide bribes, that could tie back in through the new standards.’
Graves agrees that the extensive use of third parties by many companies is one of the top challenges in companies’ internal controls, which COSO addresses. ‘That has to be evaluated and understood in terms of risk,’ he says.
The SEC has indicated it will accept the use of the old COSO framework for a period of time beyond the December 2014 transition date. Graves likens this to an expiration date on food: ‘The [earlier framework] is probably good for a certain period of time but, the longer you wait, the riskier it is in terms of SEC scrutiny.’