The FCPA’s books and records and internal control provisions require issuers (i.e. publicly-traded companies) to: (i) “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer;” and (ii) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (among other things) transactions are executed in accordance with management’s general or specific authorization, transactions are recorded as necessary to maintain accountability of assets, and access to assets is permitted only in accordance with management’s general or specific authorization.
The SEC enforces these provisions against issuers.
Often times, the SEC enforces these provisions against issuers aggressively (see here and here).
It seems to not matter to SEC enforcement officials whether the improper recording in the company’s books or records occurred at a far flung, fifth-tier subsidiary by a rogue employee or whether the issuer actually had knowledge that a far flung subsidiary was engaged in improper conduct.
The SEC’s position is that if the far-flung subsidiary’s financial results are consolidated with the parent company issuer’s financial results for purpose of financial reporting, then the subsidiary’s violation is the issuer’s violation.
Further, it seems to not matter to SEC enforcement officials whether the violation resulted from a rogue employee acting contrary to clearly articulated and well communicated company policies and procedures prohibiting the improper conduct because, after all, if the company’s internal controls were effective, rogue employees would not exist or, if they do exist, proper controls would be put in place to monitor their behavior before it occurred.
Every so often, it is fun to spend a few moments in “hypothetical land.”
The issue in “hypothetical land” today is - if the SEC was an issuer.
If the SEC was an issuer, it would have some serious FCPA books and records and internal control issues to deal with as a result of the Government Accountability Office’s ("GAO's") recent “Financial Audit – Securities and Exchange Commission’s Financial Statements for Fiscal Years 2009 and 2008” (see here).
As detailed in the audit, the GAO “identified six significant deficiencies that collectively represent a material weakness in SEC’s internal control over financial reporting.” In short, the GAO concluded that “SEC’s internal control over financial reporting was not effective as of September 30, 2009.”
Most notably, the GAO found material weaknesses that have: (i) “resulted in unsupported entries and errors in the general ledger"; (ii) “ineffective financial reporting controls and general ledger system reporting limitations"; and (iii) “ineffective processes and related documentation concerning budgetary transactions.” (p. 5).
Among other specifics, in terms of the general ledger system and the supporting processes the SEC uses to prepare its financial statements, the GAO found that:
“unauthorized personnel can view, manipulate, or destroy data” (p. 64);
SEC controls to compensate for the general ledger limitations “are cumbersome and largely detective nature, increasing the risk that errors or fraud that could result in a misstatement to the financial statements would not be prevented” (p. 65);
in connection with deposit account activity, the SEC's processes are “labor-intensive” and that “it does not have dedicated resources assigned to address this issue” (p. 69); and
"obligations […] were not always recorded timely and were not always supported by documentation evidencing the obligation as having been approved by an authorized individual” (p. 70).
Under the FCPA, not only is it important for issuers to have effective internal controls, but issuers must also monitor those internal controls to make sure that they are effective.
The GAO was critical of the SEC on this score as well.
The report notes:
“We also identified weaknesses in SEC’s monitoring process which indicate a lack of effective oversight of controls. Management’s monitoring of controls should include whether the controls are operating as intended and include an assessing of the design and operation of controls on a timely basis and taking necessary corrective actions. As discussed previously, we found that SEC’s monitoring procedures did not address all identified risks. Further, SEC’s management oversight was not sufficient given the frequency and sensitivity of the control activity, and monitoring procedures were not always completed in accordance with SEC’s stated testing plan.” (p. 71-72).
According to the GAO – “[b]ecause of inherent limitations, [the SEC's] internal control[s] may not prevent or detect and correct misstatements due to error or fraud, losses, or noncompliance.” (p. 8).
Because of the above identified deficiencies, if the SEC was an issuer - would: (i) the SEC's main DC office be strictly liable for branch office deficiencies; (ii) the SEC disgorge all of its "profits" connected (no matter how remotely) to the improper recording or the deficient internal controls; and (iii) would high-level SEC officials be accountable under "control person" theories for the books and records and internal control violations?
As readers of this blog know, all of the above "theories" are straight from recent SEC enforcement actions against issuers.
So next time an FCPA practitioner and his/her corporate client representative are seated across the table from an SEC enforcement official who asks, "how could this payment have not been recorded properly in subsidiary X's books and records, how could the issuer not put in place effective internal controls, how could those controls not be monitored and assessed, etc. etc." the most candid response just might be "I don't know, you tell me - such issues happen at the SEC as well."
One more thing, when enforcing the FCPA's books and records and internal control provisions against issuers, the SEC insists on remedial measures and wants to see evidence of those remedial measures being put into place "yesterday." An issuer comment, such as "this takes time," would likely fall on deaf ears.
Yet, here is what SEC Chairman Mary Schapiro had to say about the GAO report and its findings of various deficiencies: “some deficiencies are likely to be resolved during the first half of FY 2010, while others – which have been the result of long-term and growing constraints affecting our information technology and human resources – will take longer to fully resolve.” (p. 29). This statement was also repeated by Kristine Chadwick, SEC CFO and Associate Executive Director (p. 33).
Alas, time to come back to reality, the SEC is not an issuer, but a couple minutes in "hypothetical land" does provide some useful perspectives as to the SEC's enforcement of the FCPA's books and records and internal control provisions.