As they made clear with several FCPA enforcement actions in 2020, the SEC has continued to emphasize the accounting provisions of the FCPA, specifically the internal controls provisions. Charles Cain, the Chief, FCPA Unit; Division of Enforcement of the SEC, reiterated that the SEC is committed to protecting investors in U.S. public companies and those which list other securities in the U.S., through enforcement of the accounting provisions, including internal controls provisions of the FCPA. The reason is straightforward; a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur.

What can you do around the FCPA’s requirements for internal controls and continued SEC enforcement emphasis? I would suggest that you begin with an exercise where you map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the 2020 FCPA Resource Guide. While most compliance practitioners are familiar with the Hallmarks, you may not be as familiar with standards for internal controls. I would suggest that you begin with the COSO 2013 Internal Controls Framework as your starting point.

As a CCO or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may be a part of your anti-corruption efforts going forward. Compliance is a straightforward exercise; this does not mean that it is easy, you do have to work at it so that you will simply not have a paper, “check the box”, program. But using the excuse that you have limited resources is simply an excuse and a rather poor one at that. While the clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place, by engaging in this mapping exercise you can then figure out what you have and, more importantly, what internal compliance controls that you do not have and need to institute.

Three key takeaways:

  1. Learn the internal controls your company currently has in place.
  2. Map your compliance internal controls to the COSO 2013 Internal Controls Framework.
  3. Use your gap analysis as a basis for remediation.