Much has been made in the last few months of the SEC’s seemingly aggressive stance in the BHP Billiton case. Many FCPA practitioners have taken the view that the SEC likely over-reached and set a wobbly precedent in extracting a $25 million civil settlement from BHP for its alleged internal control failure relating to the identification of hospitality payments to government officials that could potentially have been subject to some quid pro quo arrangement.
Most notable in this case is the fact that the SEC did not charge BHP with either a books and records violation or an anti-bribery violation, but an internal controls violation alone. This appears to be a standout case for the SEC, even when compared to the 2012 Oracle case. In Oracle, the SEC had at least the existence of an off-the-books slush fund which on its surface appeared to have been set up for nefarious purposes. In most if not all SEC enforcement actions in the last 5 years, it would appear that internal controls violations were coupled with a books and records violation: in other words shady accounting. With BHP, the SEC had a company that identified a specific corruption risk, established a control to mitigate that risk but failed to execute it adequately. No off-the-books slush fund, no fake invoices, no fictitious vendors, no circuitous payments to government officials….. In other words: no shady accounting.
Accounting Controls vs. Compliance Controls
The BHP case is important for another reason. It helps to illustrate a thorn in the side of most organizations when it comes to establishing and documenting a comprehensive control structure: the distinction between accounting controls and compliance controls. I won’t argue here whether a literal interpretation of the law should restrict our regulators and law enforcement to violations of accounting controls or whether it extends to other operational controls – e.g. compliance controls – as well. What I will argue is that the distinction between accounting controls and compliance controls is not purely semantic but one with practical implementation, enforcement and reporting differences within most organizations.
When one of thinks of accounting controls in the context of corruption risk, one thinks of controls over accounts payable, petty cash, vendor set-up, disbursements and the like. In essence, these are controls that address whether cash out the door is going to its intended recipient and whether it is properly accounted for in the company’s books and records. These types of controls over financial reporting have received persistent scrutiny under SOX 404 and are typically “owned” by a company’s finance function (e.g. accounting manager, controller, CFO). Conversely, compliance controls are ones that do not necessarily impact a company’s financial reporting process but are meant to ensure compliance with laws and regulations. In the case of the FCPA, such controls might include mandatory FCPA training for employees, audit rights in third party contracts, and due diligence surrounding third party representatives. These controls are not usually “owned” by the finance function but are typically fall to the legal department or CCO. This division of labor makes sense for most organizations but it has the often-times negative effect of creating control “silos” where neither finance nor legal has a complete picture of FCPA risk mitigation. The primary mechanism for countering this silo effect is (1) implementing an enterprise wide risk management process (2) mapping those risks to the detailed internal controls (both accounting and compliance) designed to mitigate and (3) disseminating this information to upper management across the entire organization.
The Risk Management Process and Linking Controls to Identified Risks
A company’s Enterprise Risk Management Process should be used to identify perceived risks to the organization and put in place a risk mitigation plan. In most company’s though, the mitigation plan is often kept at a very high level and rarely includes a deep dive into the detailed accounting and compliance controls currently in place or that must be implemented to adequately mitigate risk. In the case of FCPA risk, we often see companies undertaking corruption risk assessments and addressing internal controls at a very high level, but similarly, we rarely see such risk assessments taking a deep dive into the specific controls in place to manage corruption risk.
In the case of BHP, employees actively identified a new corruption risk and sought to mitigate it. Where it looks to have failed was by not integrating the newly identified risk into its overall risk management process and ensuring that the newly established control was adequate to mitigate the risk. Had BHP included the identified risk into its overall risk management process, it likely would have benefited from:
- visibility of the perceived risk by various parts of the organization including Finance, Legal, Operations and members of the Risk Committee of the Board, if one existed;
- A clear determination of who within the organization was responsible for mitigating the risk;
- A chance for internal audit or another group within the organization to evaluate whether the established controls were sufficient and operating effectively.
Linking detailed internal controls to identified risks is a laborious task, in particular in decentralized organizations with varying types of internal controls in different geographic locations and/or business segments. The BHP case and newly established COSO guidelines would suggest however that organizations should seriously consider performing this task. FCPA scholars will wait to see whether the SEC’s position on BHP is part of an emerging pattern of internal controls enforcement or a one off anomaly. Regardless, public issuers should take heed and look to shoring up their risk management and internal control processes before the regulators come knocking.
Jean-Michel Ferat, CPA, CFF is a Managing Director in the Washington D.C office of the Claro Group and has over eighteen years of experience in the specialized fields of forensic accounting and fraud detection. He has applied his skills in a variety of cases involving financial statement fraud, high-level corruption, terrorist financing, collusive bidding rings, money laundering, embezzlement, asset misappropriation. HE has undertaken dozens of corruption investigations around the globe including a lead role in the United Nations Oil-for-Food Programme investigation. He can be reached at email@example.com.