Internal Controls: Cure-all or Snake Oil?

“Internal controls” have been touted for years as the cure-all for corporate ills. Why, then, are we bombarded with daily revelations of abuses crippling corporations around the globe?

Calls for internal control systems can be found in literature dating back almost half a century. In 1958, the American Institute of Certified Public Accountants (AICPA) took the first shot at defining a system to ensure corporate control over transactions, assets, and operations. Among other things, AICPA recommended the development of procedures to safeguard assets from pillaging and misuse and to maintain complete and accurate financial records.

It took almost 20 years for the concept to find legislative acceptance in the Foreign Corrupt Practices Act (FCPA), passed by Congress in another era of corporate scandals– one involving bribery by U.S. businesses, some of which maintained huge off-shore slush funds to grease the palms of foreign officials and U.S. politicians.

Although the FCPA has a broad anti-bribery provision, its standards for record-keeping and “internal accounting controls” sparked the collective corporate-governance imagination. One of the Act's sponsors said these new requirements would protect “bedrock elements of our system of corporate disclosure and accountability.” Commentators referred to these provisions as a “significant expansion” of the SEC's power over corporate controls, heralding a “new era” of federal involvement in the lives of public companies. For the first time, Congress required all issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that — 1) transactions are executed in accordance with management's authorization; 2) transactions are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principals; and 3) access to assets is permitted only in accordance with management's authorization. 15 U.S.C. ' 78m(b)(2)(B).

The statute also contains a criminal provision, which punishes any attempt to “knowingly circumvent or knowingly fail to implement a system of internal accounting controls … ” 15 U.S.C. ' 78m(b)(5).

A Short History

The FCPA became effective in 1977, and within 5 years, the SEC had instituted a dozen or so actions against companies engaged in systematic acts of bribery. The internal-controls provisions, however, gathered dust. The SEC proposed rules to mandate, as a part of a company's annual filing, a report from management evaluating the effectiveness of internal controls. Citing criticism from commentators, the SEC withdrew its proposal in 1980. Then, when the Committee of Sponsoring Organizations of the Treadway Commission (COSO) recommended the adoption of corporate internal control structures, the SEC again proposed requiring yearly reports from management on the state of internal controls. The SEC never acted on the proposal, and it died on the vine.

Meanwhile, the SEC only occasionally used its authority under the FCPA to address internal-control problems, focusing on cases that could fairly be likened to a train wreck. In SEC v. World-Wide Coin Investments, Ltd., for example, the SEC sought a permanent injunction against World-Wide, a rare-coin and precious-metals dealer, for a pervasive deterioration of its internal controls. See 567 F. Supp. 724 (N.D. Ga. 1983). By the time the SEC brought the action, however, the damage was already done. As the judge explained, “Any control system that had existed at World-Wide ceased to exist.” The company had no system to protect its inventory (the vault was literally left open), no records to account for the cost and valuation of its inventory, no supervisor over the accounting department, and had allowed unbonded employees to purchase and sell inventory with no separation of duties. The control environment was so poor that the court found it “impossible to ascertain whether a particular inventory item had been sold at a profit or loss, or whether it had even been sold.” The company failed to use invoices and had no reports of cash flow. Any employee could write a check for any amount. Given these findings, the judge properly characterized World-Wide's problems as an absence of internal controls, not merely a case of deficient ones.

Greater Role for Corporate Governance?

The judge in World-Wide envisaged a great role for the FCPA in corporate governance. With its powerful remedies – permanent injunctions, administrative proceedings to compel compliance, and criminal prosecutions — the judge predicted that the FCPA “will significantly augment the degree of federal involvement in the internal management of public corporations.”

The judge was wrong. Augmented power has not translated into augmented regulation and enforcement. The SEC's recent case against Solucorp Industries again showed the SEC's eleventh-hour focus on a company already suffering, in the words of Judge Conner, from a “pattern of deception [that] was so consistent and pervasive that it cannot logically be attributed to mere negligence.” 274 F. Supp.2d 379, 418 (S.D.N.Y. 2003). The prophylactic intent of the FCPA's internal-control provisions, which were central to the statute's aim of protecting shareholders from despoliation of a company's assets, was never realized — perhaps because of insufficient resources, competing priorities, or lack of expertise. Without enforcement, and without a requirement that management review and report on the effectiveness of internal controls, the FCPA's provisions were merely a placebo.

Indeed, the FCPA's criminal proscription against “knowingly circumvent[ing] or knowingly fail[ing] to implement a system of internal controls” has never been used to keep a check on corporate actions – except in rare cases as a “tack-on” count in an indictment charging pervasive fraud and other criminal conduct. Even then, reported criminal enforcement actions charging this provision can be counted on one hand. In United States v. Lockheed, for example, the government charged the company with failing to make and keep complete records, but as a single count in a broad-ranging indictment accusing the company of defrauding the Department of Defense and bribing an Egyptian official. See 1995 WL 17064259 (N.D. Ga., Jan. 9, 1995). So rare are FCPA prosecutions for internal-control violations that the US Sentencing Guidelines do not contain a sentencing provision for such convictions.

Thus the “new era” of “sweeping” federal involvement in corporate control structures was more like an ice age, with one of the FCPA's most important provisions receiving as much criminal enforcement attention as unauthorized reproduction of “Smokey the Bear” (18 U.S.C. ' 711) and attempting to barter a migratory bird (16 U.S.C. ' 707(b)). A similar fate may well be in store for the much-heralded curative power of ' 404 of Sarbanes-Oxley, 15 U.S.C. ' 7262(a); 17 C.F.R. ' 229.308.

What Went Wrong

The internal-controls elixir could have been powerful had the SEC adopted the broad standards for “internal control” articulated in COSO's 1992 report. After a comprehensive study on control problems within corporations, and after a long due diligence process, the COSO report recommended a system for internal controls that ensured: 1) efficiency and effectiveness of operations; 2) reliability of financial reporting; and 3) compliance with applicable laws and regulations.

Although the SEC continues to encourage companies to adopt COSO-like standards, the Sarbanes-Oxley 404 does not require it. Instead, the statute and the SEC rule implementing it can be satisfied by a watered-down system for “internal controls over financial reporting” — which is essentially the same standard put in force more than 25 years ago in the FCPA. Like the FCPA, Sarbanes-Oxley 404(b) requires a system of internal controls to assure the proper authorization and recording of transactions. It contains one purported innovation: an annual management report and auditor review concerning the effectiveness of the controls — the requirement the SEC proposed, and then withdrew, in 1980.

If the SEC wanted a real cure, it should have mandated the broad COSO framework for internal controls combined with a meaningful corporate amnesty program similar to the one run by DOJ's Antitrust Division. Since that program was revamped in 1993, amnesty applications increased from one per year to one per month, then to three per month by 2003, resulting in the eradication of numerous price-fixing cartels. Companies are motivated to participate because they are offered a clean bill of health – no criminal prosecution of the company, no criminal prosecution of officers, directors and employees and no fines.

DOJ and the SEC should give meaningful incentives for companies to turn on and turn in corrupt actors in exchange for corporate amnesty. If audit committee members and independent directors know that corporate amnesty is available – as opposed to the mere hope that some prosecutor might dole out a measure of leniency – widespread efforts to root out problems would ensue, all to the benefit of shareholders, who are often victimized during the fraud and then victimized again by huge corporate fines and share prices in free-fall

Conclusion

In the current environment of flashy headlines and pictures of CEOs in handcuffs, amnesty seems to be a dirty word, so don't count on this miracle cure. Instead, even the watered-down version in Sarbanes-Oxley 404(b) is slow in coming.

The Public Company Accounting Oversight Board did not issue final standards until March 9, and the SEC has twice extended the compliance dates, most recently on March 1, 2004. For “accelerated filers” (domestic companies with a $75 million float that have been subject to the Exchange Act's reporting requirements for at least 12 calendar months and have filed at least one annual report), the cure starts in the first fiscal year ending on or after Nov. 15, 2004. Time will tell whether it's the strong medicine some companies need or just another sugar pill.

“Internal controls” have been touted for years as the cure-all for corporate ills. Why, then, are we bombarded with daily revelations of abuses crippling corporations around the globe?

Calls for internal control systems can be found in literature dating back almost half a century. In 1958, the American Institute of Certified Public Accountants (AICPA) took the first shot at defining a system to ensure corporate control over transactions, assets, and operations. Among other things, AICPA recommended the development of procedures to safeguard assets from pillaging and misuse and to maintain complete and accurate financial records.

It took almost 20 years for the concept to find legislative acceptance in the Foreign Corrupt Practices Act (FCPA), passed by Congress in another era of corporate scandals– one involving bribery by U.S. businesses, some of which maintained huge off-shore slush funds to grease the palms of foreign officials and U.S. politicians.

Although the FCPA has a broad anti-bribery provision, its standards for record-keeping and “internal accounting controls” sparked the collective corporate-governance imagination. One of the Act's sponsors said these new requirements would protect “bedrock elements of our system of corporate disclosure and accountability.” Commentators referred to these provisions as a “significant expansion” of the SEC's power over corporate controls, heralding a “new era” of federal involvement in the lives of public companies. For the first time, Congress required all issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that — 1) transactions are executed in accordance with management's authorization; 2) transactions are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principals; and 3) access to assets is permitted only in accordance with management's authorization. 15 U.S.C. ' 78m(b)(2)(B).

The statute also contains a criminal provision, which punishes any attempt to “knowingly circumvent or knowingly fail to implement a system of internal accounting controls … ” 15 U.S.C. ' 78m(b)(5).

A Short History

The FCPA became effective in 1977, and within 5 years, the SEC had instituted a dozen or so actions against companies engaged in systematic acts of bribery. The internal-controls provisions, however, gathered dust. The SEC proposed rules to mandate, as a part of a company's annual filing, a report from management evaluating the effectiveness of internal controls. Citing criticism from commentators, the SEC withdrew its proposal in 1980. Then, when the Committee of Sponsoring Organizations of the Treadway Commission (COSO) recommended the adoption of corporate internal control structures, the SEC again proposed requiring yearly reports from management on the state of internal controls. The SEC never acted on the proposal, and it died on the vine.

Meanwhile, the SEC only occasionally used its authority under the FCPA to address internal-control problems, focusing on cases that could fairly be likened to a train wreck. In SEC v. World-Wide Coin Investments, Ltd., for example, the SEC sought a permanent injunction against World-Wide, a rare-coin and precious-metals dealer, for a pervasive deterioration of its internal controls. See 567 F. Supp. 724 (N.D. Ga. 1983). By the time the SEC brought the action, however, the damage was already done. As the judge explained, “Any control system that had existed at World-Wide ceased to exist.” The company had no system to protect its inventory (the vault was literally left open), no records to account for the cost and valuation of its inventory, no supervisor over the accounting department, and had allowed unbonded employees to purchase and sell inventory with no separation of duties. The control environment was so poor that the court found it “impossible to ascertain whether a particular inventory item had been sold at a profit or loss, or whether it had even been sold.” The company failed to use invoices and had no reports of cash flow. Any employee could write a check for any amount. Given these findings, the judge properly characterized World-Wide's problems as an absence of internal controls, not merely a case of deficient ones.

Greater Role for Corporate Governance?

The judge in World-Wide envisaged a great role for the FCPA in corporate governance. With its powerful remedies – permanent injunctions, administrative proceedings to compel compliance, and criminal prosecutions — the judge predicted that the FCPA “will significantly augment the degree of federal involvement in the internal management of public corporations.”

The judge was wrong. Augmented power has not translated into augmented regulation and enforcement. The SEC's recent case against Solucorp Industries again showed the SEC's eleventh-hour focus on a company already suffering, in the words of Judge Conner, from a “pattern of deception [that] was so consistent and pervasive that it cannot logically be attributed to mere negligence.” 274 F. Supp.2d 379, 418 (S.D.N.Y. 2003). The prophylactic intent of the FCPA's internal-control provisions, which were central to the statute's aim of protecting shareholders from despoliation of a company's assets, was never realized — perhaps because of insufficient resources, competing priorities, or lack of expertise. Without enforcement, and without a requirement that management review and report on the effectiveness of internal controls, the FCPA's provisions were merely a placebo.

Indeed, the FCPA's criminal proscription against “knowingly circumvent[ing] or knowingly fail[ing] to implement a system of internal controls” has never been used to keep a check on corporate actions – except in rare cases as a “tack-on” count in an indictment charging pervasive fraud and other criminal conduct. Even then, reported criminal enforcement actions charging this provision can be counted on one hand. In United States v. Lockheed, for example, the government charged the company with failing to make and keep complete records, but as a single count in a broad-ranging indictment accusing the company of defrauding the Department of Defense and bribing an Egyptian official. See 1995 WL 17064259 (N.D. Ga., Jan. 9, 1995). So rare are FCPA prosecutions for internal-control violations that the US Sentencing Guidelines do not contain a sentencing provision for such convictions.

Thus the “new era” of “sweeping” federal involvement in corporate control structures was more like an ice age, with one of the FCPA's most important provisions receiving as much criminal enforcement attention as unauthorized reproduction of “Smokey the Bear” (18 U.S.C. ' 711) and attempting to barter a migratory bird (16 U.S.C. ' 707(b)). A similar fate may well be in store for the much-heralded curative power of ' 404 of Sarbanes-Oxley, 15 U.S.C. ' 7262(a); 17 C.F.R. ' 229.308.

What Went Wrong

The internal-controls elixir could have been powerful had the SEC adopted the broad standards for “internal control” articulated in COSO's 1992 report. After a comprehensive study on control problems within corporations, and after a long due diligence process, the COSO report recommended a system for internal controls that ensured: 1) efficiency and effectiveness of operations; 2) reliability of financial reporting; and 3) compliance with applicable laws and regulations.

Although the SEC continues to encourage companies to adopt COSO-like standards, the Sarbanes-Oxley 404 does not require it. Instead, the statute and the SEC rule implementing it can be satisfied by a watered-down system for “internal controls over financial reporting” — which is essentially the same standard put in force more than 25 years ago in the FCPA. Like the FCPA, Sarbanes-Oxley 404(b) requires a system of internal controls to assure the proper authorization and recording of transactions. It contains one purported innovation: an annual management report and auditor review concerning the effectiveness of the controls — the requirement the SEC proposed, and then withdrew, in 1980.

If the SEC wanted a real cure, it should have mandated the broad COSO framework for internal controls combined with a meaningful corporate amnesty program similar to the one run by DOJ's Antitrust Division. Since that program was revamped in 1993, amnesty applications increased from one per year to one per month, then to three per month by 2003, resulting in the eradication of numerous price-fixing cartels. Companies are motivated to participate because they are offered a clean bill of health – no criminal prosecution of the company, no criminal prosecution of officers, directors and employees and no fines.

DOJ and the SEC should give meaningful incentives for companies to turn on and turn in corrupt actors in exchange for corporate amnesty. If audit committee members and independent directors know that corporate amnesty is available – as opposed to the mere hope that some prosecutor might dole out a measure of leniency – widespread efforts to root out problems would ensue, all to the benefit of shareholders, who are often victimized during the fraud and then victimized again by huge corporate fines and share prices in free-fall

Conclusion

In the current environment of flashy headlines and pictures of CEOs in handcuffs, amnesty seems to be a dirty word, so don't count on this miracle cure. Instead, even the watered-down version in Sarbanes-Oxley 404(b) is slow in coming.

The Public Company Accounting Oversight Board did not issue final standards until March 9, and the SEC has twice extended the compliance dates, most recently on March 1, 2004. For “accelerated filers” (domestic companies with a $75 million float that have been subject to the Exchange Act's reporting requirements for at least 12 calendar months and have filed at least one annual report), the cure starts in the first fiscal year ending on or after Nov. 15, 2004. Time will tell whether it's the strong medicine some companies need or just another sugar pill.