In its Framework Volume, COSO states that Control Activities “are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.” The concept of a ‘second set of eyes’ is directly enshrined in this objective. Finally, Control Activities should be performed at all levels in the business process cycle within an organization and this speaks directly to the operationalization of your compliance program.

I. Objective III: Control Activities

The objective of Control Activities consists of three principles. They are:

Principle 10 – “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.”

Principle 11 – “The organization selects and develops general control activities over technology to support the achievement of the objectives.”

Principle 12 – “The organization deploys control activities through policies that establish what is expected and procedures to put policies into action.”

A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives when it noted “The risk assessment driven by the company’s management provides a context for designing the Control Activities necessary to reduce risks to an acceptable level (Principles 10, 11 and 12). Note that Principle 10 deals with the selection and development of control activities that mitigate risk to the achievement of compliance objectives, and Principle 12 deals with the development of control activities through established policies and procedures. Principle 11 addresses the impact of controls over general technology to the extent they impact the achievement of control activities.”

A.        Principle 10 – Selects and Develops Control Activities

Rittenberg noted that there is no “silver bullet” in selecting the right internal controls. Yet when combined with your risk assessment, this Principle would point to an integration of your policies, procedures and overall corporate responsibilities, which should be chosen “sufficiently to reduce the risk of not achieving the objectives to an acceptable level.” You should consider your relevant business processes, evaluate your mix of control activities and then consider at what levels within your organization they are applied. But Rittenberg cautions that you should not “begin an analysis of control activities with a list of controls and check off whether they are present or not present. Rather, controls should be assessed in relationship to the risk being mitigated.”

B.        Principle 11 – Selects and Develops General Controls over Technology

The Framework Volume recognizes the dependency between the use of technology in business processes and compliance control. The use of technology will only be greater and more important going forward. I would certainly expect the SEC to focus on a company’s use of technology in any evaluation of its overall compliance program. Therefore, under this Principle you will need to determine not only the use of technology in your compliance related internal controls but also the use of such technology in your overall company business process. To do so, you will need to consider your technology infrastructure around compliance internal controls and the security management of the same, and then use this information to obtain and implement the most appropriate technology around your compliance internal controls.

C.        Principle 12 – Control Activities established through policies and procedures

This Principle should be the most familiar one to the compliance practitioner as it points to the establishment of policies and procedures to support deployment of your compliance regime. It also sets out the responsibility and accountability for executing policies and procedures, specifies and assures corrective action as required and mandates periodic reassessment. Interestingly it also directs that there be competent personnel in place to do so. Rittenberg noted, “Responsibilities for control activities should be identified through policies and various procedures. Processes should be in place to ensure that all aspects are implemented and working.”

While the objective of Control Activities should be the most familiar to the CCO or compliance practitioner, this objective demonstrates the inter-relatedness of all the five COSO Objectives. It is your Control Environment and then Risk Assessment that should lead you to this point. It is the Control Activities objective that lays the groundwork for a living, breathing compliance program going forward.

II. Discussion

This Objective demonstrates the inter-relatedness of the corporate functions in your organization. From a financial reporting perspective, the Control Activities objective requires that you put in place accounting processes, revenue recognition tools, contract management systems and other accounting tool sets and software to manage your process. This easily translates into the compliance realm as well. It puts you squarely into the technology issue and portends an enormous amount of information provided by the entity.

Howell explained that in the financial realm, “if you’re dealing with the cost to acquire contracts, you may well have all of the contract information in your accounting systems but you have never before had to go get that commission information and some of these other COSO elements.” Such data will be scattered literally across the globe, so you need to have controls over both the accumulation and the attestation that it is the right set of data. This is in many ways more challenging, and it is the difference between pulling a band aid off all at once or pulling it off slowly.

This requires two separate processes, so you need to be able to reconcile those two and to get the auditors and yourselves comfortable with the controls over the accumulation and the reporting of that information. This process will typically require a lot of changes to IT systems and the technologies involved, and it requires that the controls be in place both for the disclosures that you need to make and for the reconciliation of those disclosures.

This Objective requires that you have new ways of capturing that information, gathering that information, and confirming the accuracy and completeness of the controls reporting it. When selecting the control activities, what control activities do you need if you are using disparate accounting systems in different locations across the globe? Moreover, if you are getting into the general controls over technology, what system controls are in place to ascertain that the new information that you’re getting is the information you really need and is what you think you’re getting? The Control Activities regarding policies and procedures are certainly an important consideration going forward.

Three Key Takeaways

  1. Think of a second set of eyes as a primary control activity.
  2. Segregation of duties must always be employed.
  3. Control Activities should be performed at all levels in the business process cycle within an organization and this speaks directly to the operationalization of your compliance program.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at

The Integrated Framework (Framework Volume) recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner none of this will sound new or even insightful; however, the COSO Framework requires a component of management input and oversight that was perhaps not as well understood. The Framework Volume says that “Management specifies objectives within the category relating to operations, reporting and compliance with such clarity to be able to identify and analyze risks to those objectives.” But management’s role continues throughout the process as it must consider both internal and external changes which can affect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in the realm of anti-corruption laws and their enforcement. Management needs to be cognizant of these changes and of changes that its business model may make in the delivery of goods or services which could increase the risk of running afoul of these laws.

Objective-Risk Assessments

The objective of Risk Assessment consists of four principles. They are:

Principle 6 – “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.”

Principle 7 – “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”

Principle 8 – “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”

Principle 9 – “The organization identifies and assesses changes that could significantly impact the system of internal control.”

 Principle 6 – Suitable Objectives 

Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, it is management who is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words your objectives should form the basis on which your risk assessments are approached.

Principle 7 – Identifies and Analyzes Risk 

Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”

Principle 8 – Fraud Risk 

Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third party contracting and payments and even fraudulent over-charging and pocketing of the differences in sales price. This means that fraud should be considered an important part of your risk analysis. It is important that any company follow the flow of money and, if the Fraud Triangle is present, that management be placed around such risk.

Principle 9 – Identifies and Analyzes Significant Change

It really is true that if there is one constant in business, it is that there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives.” Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external, and assess the risks and approaches to mitigate the risk” in a timely manner.


The SEC has made it clear that companies should be expanding their view of risk in implementing the COSO 2013 Framework. Obviously risk assessments are a cornerstone of a best practices compliance program as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation of Corporate Compliance Programs, issued in February 2017. The regulators are telling companies specifically that they should be seeing new risks that they need to address because of the changes brought about by the new standard.

Howell noted that “in the internal control arena, fraud risk in particular is something that has been of keen interest because of the opportunity to mask fraud through the judgments made in recognizing revenue, no matter what the revenue recognition standard.” He went on to add other risks that companies should be considering in their risk assessments: “One risk is a company’s business practices do not relate to the accounting that they are providing right now because the business practices are changing and internally the company is not recognizing that the business practices are changing.”

“Another example is that sales folks are giving concessions to customers that are not being reflected in their understanding of the contract and the accounting for the contract.” Howell went on to add that there might be other activities going on to acquire contracts that aren’t being properly accounted for or even recognized at some level, and that concessions are being given at the back end for returns that aren’t being reported back into the process of how that affects the estimate of cheap revenue going forward.

Finally, risks that a company has misstated or underestimated require a determination of whether revenue should be recognized over a period of time and, if it is a rolling time frame, an estimate of what that period of time is. Howell stated, “For example, the period of time could be longer which means that your revenue would be recognized over a longer period of time. There’s always the risk that revenue could be recognized too early and that cost could be pushed out and spread over too long of a period of time. As we begin to think about these new judgments that are required, you get into this entirely new level of judgment and risk related to the judgment that the companies need to identify and build both preventative controls and detective controls, and have a plan to respond if they discover that the risk has actually happened and they have a failure.”

Three Key Takeaways

  1. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance and almost all other best practices compliance programs.
  2. Look at your risks across your organization and not in a siloed manner.
  3. Risks, their determination and their management change over time, so be cognizant of changes in business practices on the ground.


The updated Framework retained the core definition of internal controls; those being control environment, risk assessment, control activities, information and communication, and monitoring activities. However, it built up Objectives. The 17 principles represent fundamental concepts associated with the five components of internal control. Together, the Objectives and Principles constitute the criteria that will guide companies in assessing whether the components of internal controls are present, functioning and operating together within their organization.

I.         Objective-Control Environment

The first of the five objectives is Control Environment and it sets the tone for the implementation and operation of all other components of internal control. It begins with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees. The five principles of the Control Environment objective are as follows:

Principle 1 – The organization demonstrates a commitment to integrity and ethical values.

Principle 2 – The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Principle 3 – Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibilities in pursuit of the objectives.

Principle 4 – The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives.

Principle 5 – The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective.

A.        Principle 1 – Commitment to integrity and ethical values

What are the characteristics of this Principle? First, and foremost, is that an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance. It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or another baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they would be addressed by the company in a timely manner. From the auditing perspective, this requires an auditor to be able to assess if a company has met its requirements for ethics and compliance and whether that commitment can be effectively measured and assessed.

B.        Principle 2 – Board independence and oversight

This Principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management so that it operates independently in the compliance arena. Next there should be compliance expertise at the Board level which allows it actively to manage its function. Finally, and perhaps most importantly, a Board must actively provide oversight on all compliance control activities, risk assessments, compliance control activities, information, compliance communications and compliance monitoring activities. Here, internal auditors must interact with a Board’s Compliance Committee (or other relevant committee such as the Audit Committee) to determine independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function.

C.        Principle 3 – Structures, reporting lines, authority and responsibility

This may not seem as obvious but it is critical that a compliance reporting line go up through and to the Board. Under this Principle, you will need to consider all the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally, this Principle requires establishment of the appropriate authority within the compliance function. Here your auditors must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.

D.        Principle 4 – Attracting, developing and retaining competent individuals

This Principle gets into the nuts and bolts of doing compliance. It requires that a company establish compliance policies and procedures. Next there must be an evaluation of the effectiveness of those compliance policies and procedures and that any demonstrated shortcomings be addressed. This Principle next turns to the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. An auditor must be able to demonstrate, through its compliance policies and, equally importantly, its actions, that it has a commitment to attracting, developing and retaining competent persons in the compliance function and more generally employees who accept the company’s general principle of doing business ethically and in compliance.

E.        Principle 5 – Individuals held accountable

This is the ‘stick’ Principle. A company must show that it enforces compliance accountability through its compliance structures, authorities and responsibilities. A company must establish appropriate compliance performance metrics, incentives to do business ethically and in compliance and, finally, clearly reward such persons through the promotion process in an organization. Such reward is through an evaluation of appropriate compliance measures and incentives. Interestingly a company must consider pressures that it sends through off-messaging. Finally, each employee must be evaluated in his or her compliance performance; coupled with both rewards and discipline for employee actions around compliance. This Principle requires evidence that can demonstrate to an auditor there are processes in place to hold employees accountable to their compliance objectives. Conversely, if an employee does not fulfill the compliance objectives there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.

II.        Discussion

Both the Board of Directors’ independence and Compliance Committee (or other applicable committee) oversight are essential to this Objective because the Compliance Committee needs to be actively engaged to be comfortable that the company has implemented the internal controls under Sarbanes-Oxley (SOX) 404(a), as required under Principles 1 & 2. The external auditors must then be comfortable this requirement is met. Finally, there must be evidence the company has appropriate disclosure controls in place because that is central to the Objective itself. This is all tested against Board independence and Compliance Committee oversight over those activities that management has undertaken and their engagement and conversations with their external auditor.

Howell related that under Principle 3, “structures in reporting lines, authority and responsibility are essential to the recognition of revenue. An entity’s internal controls or financial reporting details there are processes, there are policies, there is documentation, the authority and documentation of the judgments are being made, the review of those in responsibility for making those ultimate judgments about the recognition of revenue and the recognition or timing of the revenue and the expenses, that those need to be in place.”

Under Principle 4, a business must attract, develop and then retain competent talent. Of course, this is good business as well. But it is more than simply some appropriate levels of staffing, as Howell stated, “One of the big reasons that companies have said they do not have money to invest again the deep dive study and process improvement necessary to implement it [the 2013 Framework], is that it comes down to both to commitment level from the top and the tone at the top that this is important and these financial disclosures are critical to the ability of the investors to rely on the company’s disclosures.” You must not only “put in place the right team, give the team the right tools, but also ensure the team has the ability to access the right level of technical accounting talent and business process and controls talent to make the judgments.”

All of this, of course, ties into Principle 5, which mandates individuals being held responsible. This requires someone to document that they have made a judgment based upon the evidence that they have been able to accumulate, that the company has analyzed that evidence and has gone through the process of comparing this to the COSO 2013 Framework and to the spirit of the standard. Howell said, “those individuals are being held responsible for having done that properly. I think when you tie all that back together, when you get to the control environment, that the COSO principle number one is it can be completely tied back to what is being required.”

Three Key Takeaways

  1. What controls do you have in place to measure conduct at the top?
  2. Reporting lines must be clear and functioning.
  3. You must provide the right personnel with the right resources.


This week we turn our attention to COSO, with an introduction to the organization and its framework for internal controls. I will go through the internal controls and how they relate to compliance. Finally, I will end with a discussion of evaluation of internal controls through the COSO Framework. Once again, I am joined in this exploration by internal controls and accounting expert Joe Howell, EVP at Workiva, Inc.

What is COSO? That acronym stands for Committee of Sponsoring Organizations of the Treadway Commission, whose Framework was originally adopted in 1992 as a basis to design and then test the effectiveness of internal controls. It was deemed necessary to update this more than 20-year old COSO Framework to provide a more supportable approach when adversarial third parties (such as the SEC) challenge whether a company has effective internal controls. While the COSO Framework is designed for financial controls, I believe that the SEC will use the 2013 Framework to review a company’s compliance internal controls. This means that you need to understand what is required under the 2013 Framework and be able to show adherence to it or justify an exception if you receive a letter from the SEC asking for evidence of your company’s compliance with the internal controls provisions of the FCPA.

COSO has produced three volumes detailing the 2013 Framework. The first lays out the Framework and is entitled “Internal Control – Integrated Framework”, herein ‘the Framework volume’. The second is an Illustrative Guide, entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls”, herein ‘the Illustrative Guide’, which discusses how best to assess your internal control regime and provides forms and work sheets to use in this exercise. The third volume is the Executive Summary of the first volume, herein ‘Executive Summary’. All three works form an excellent starting point for exploration of the COSO Framework and how you might use it for your best practices anti-corruption compliance program.

In the 2013 update the basic framework was retained with substantial support from user companies, and 3 specific objectives were added: (I) Operations Objectives – effectiveness and efficiency of operations, including safeguarding assets against loss; (II) Reporting Objectives – internal and external financial reporting; and (III) Compliance Objectives – adherence to laws and regulations to which the entity is subject. According to the guidance in the 2013 update, the system of internal controls can be considered effective only if it provides reasonable assurance the organization, among other things, complies with applicable laws, rules, regulations and external standards. With the addition of those specific objectives, the COSO framework now specifically includes the need for controls to address compliance with laws and regulations.

The COSO Framework defines internal controls, from bottom to top, with the following Objectives: (a) Control Environment, (b) Risk Assessment, (c) Control Activities, (d) Information and Communication, and (e) Monitoring. From these five Objectives come 17 Principles which we will be exploring throughout this series.

Larry Rittenberg, in his book “COSO Internal Control-Integrated Framework”, said that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles which include the following: (1) the updated Framework should be conceptual, which allows for updating as internal controls [and compliance programs] evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls apply to more than simply accounting controls; they apply to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.” For the compliance practitioner, this final statement is significant because it directly speaks to the need for the compliance practitioner to operationalize internal controls for compliance and not to simply rely upon a company’s accounting, finance or internal audit function to do so.

The primary point to keep in mind is that even if an organization adopts the Framework, there will be very few people within that organization who will have the unique knowledge that a compliance officer has that would impact all the elements of the Framework. The compliance officer’s role is to provide the input to the Chief Financial Officer (CFO) and others involved in the implementation, to be sure that there is a proper focus on the risks that really are part of the compliance world. This primarily comes through the risk assessment component, the control activities, and then the monitoring. Companies typically do risk assessment from an operational standpoint and address business risks going forward and then develop the controls that deal with those business risks, which could be project financial results, doing business in certain countries, strategic decisions and similar issues. All of this puts the compliance function in the unique position to be the fulcrum on many issues which will come up with a COSO based analysis or implementation.

The updated Framework retained the core definition of internal controls; those being control environment, risk assessment, control activities, information and communication, and monitoring activities. Further, these five operational concepts are still visually represented in the well-known three-dimensional “COSO Cube”. In addition, the criteria used to assess the effectiveness of an internal control system remain largely unchanged. The effectiveness of internal control is assessed relative to the five components of internal controls and the underlying principles supporting the components. However, it is the emphasis on the principles, which is new to the 2013 Framework.

Joe Howell noted that the COSO Framework can be seen as both a prevent and detect control.  He also related that your internal controls need to be sustainable over the long haul. He stated, “You cannot just build one off things that allow you to do one period and not have a process in place that is going to help you through all of the periods that you need to cover. The controls cannot just be a one and done. Many companies are going to find that their initial approach to all of this is one and done.” As we explore the COSO Framework, the compliance practitioner should understand how the entire Framework interacts and intersects with the compliance function in a manner which is sustainable throughout the organization.

Three Key Takeaways

  1. You must use the COSO Framework or a similar source for your internal controls structure.
  2. The 2013 Framework identifies the following areas: (a) Control Environment, (b) Risk Assessment, (c) Control Activities, (d) Information and Communication, and (e) Monitoring.
  3. Your internal controls must be sustainable.




Last year, one of the most interesting non-Foreign Corrupt Practices Act (FCPA) enforcement actions was announced by the Securities and Exchange Commission (SEC). It involved a clear quid pro quo benefit paid out by United Airlines to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United Airlines operations at the company’s huge east coast hub at Newark, NJ.

The reason that it is so interesting from an enforcement perspective is that it is not foreign corruption but domestic corruption, and therefore not subject to the FCPA. However, the actions of United’s former Chief Executive Officer (CEO), Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials. That sounds suspiciously like a books and records violation of the FCPA. The $2.4 million civil penalty levied on United was in addition to the Non-Prosecution Agreement (NPA) settlement with the Department of Justice (DOJ), which resulted in a penalty of $2.25 million. Chairman Samson also pled guilty in July to putting pressure on United to reinstitute a flight service near his weekend residence.

The scandal also led to the resignation of Smisek and two high-level executives from United. In a Press Release at the time of the resignation, the company stated, “The departures announced today are in connection with the company’s previously disclosed internal investigation related to the federal investigation associated with the Port Authority of New York and New Jersey. The investigations are ongoing and the company continues to cooperate with the government.”

Adding another twist to this fascinating case is that it all came out of the Bridgegate scandal in New Jersey, although it was not related to the original claim that the New Jersey Governor’s office ordered the closing of certain traffic lanes around Fort Lee, NJ to punish the mayor for not supporting the Governor. The entire affair involved a flight from Newark to Columbia, South Carolina. The flight was reported to be a money-losing route, yet it was reinstated by United either at the request of the Chairman of the Port Authority of New York and New Jersey, Samson, or to obtain a benefit from Samson.

It turned out Samson had a weekend home at Aiken, which is near Columbia, SC, and was not happy there was no direct flight service from Newark. So he got a direct flight. The flight was a money loser and was derisively named “the chairman’s flight.” The SEC Cease and Desist Order (Order) said that United lost some $945,000 on the flight.

However, at the time United was in the midst of trying to renegotiate its lease at Newark airport with the Port Authority. The flight from Newark to Columbia was cancelled after Samson resigned his post as Chairman.

According to the Order, “In the summer and fall of 2011, representatives of United and the Port Authority’s Aviation Department (which manages Newark Liberty) negotiated a proposed agreement that the Port Authority would lease approximately three acres of land at Newark Liberty to United for the construction and operation of a wide-body aircraft maintenance hangar (the “Hangar”). The Hangar would facilitate United’s ability to perform maintenance on its incoming fleet of wide-body aircraft at Newark Liberty, rather than having to perform such maintenance at a suitable United facility at another airport. Based on preliminary assessments and using information available at the time, United estimated that the Hangar would result in efficient routings that would drive $47.5 million in value to the United network on an annual basis post-construction.”

During this time period, Samson was communicating to a third party his desire that United reinstate the Chairman’s Flight. This culminated in a dinner meeting between Smisek, his senior team and Samson. Samson once again pressured for a reinstitution of the route, “Samson stated that Continental Airlines used to have a non-stop route between Newark Liberty and Columbia, South Carolina and asked the CEO to consider re-establishing that non-stop route.”

United’s “Network Planning Group analyzed the projected financial performance of the South Carolina Route… United’s standard process for initiating new routes generally included: the preparation and consideration of financial forecasts and other market data of how the route could be expected to perform, review and approval by several levels of United’s Network Planning Group, including approval by the Chief Revenue Officer (“CRO”) or his staff, and thereafter presentation of the route and its details to a group of senior United executives at a regularly scheduled marketing meeting.”

This review determined that the Chairman’s Flight would likely be a money loser and, indeed, when it was previously operated by Continental Airlines, prior to its merger with United, the route “was continually one of the hub’s poorest performing markets”. (Recall the Order reflected the flight did lose United $945K.) However, after United declined to reinstitute the Chairman’s Flight, Samson pulled the proposal from consideration by the full Board, effectively scuttling the arrangement. Shortly after this development, “the CEO (Smisek) approved the establishment of the [Chairman’s] route.” On the same day, United’s contract for the new hangars was approved by the Port Authority.

At the time, United’s Code of Conduct prohibited “United employees from directly or indirectly making bribes, kickbacks or other improper payments to government officials, civil servants or anyone else to influence their acts or decisions” and stated that “[n]o gift may be offered or accepted if it will create a feeling of obligation, compromise judgment or appear to improperly influence the recipient.” Only the United Board of Directors could grant a waiver to the Code and none was sought or obtained by Smisek. The Order concluded, “The [Chairman’s] Route was initiated in violation of United’s Policies.”

Mike Volkov has often worried that companies that create internal controls and then do not follow those internal controls will be prosecuted for such action (or perhaps inaction). This is the situation which led to the SEC enforcement action against United. The company had a Code of Conduct; it was not followed but was violated by the CEO, and this caused the company to violate Section 13 of the Securities Exchange Act of 1934. It would be easy enough to see this resolution in the FCPA context, but this was all domestic conduct and jurisdiction. This may be the first time the violation of a Code of Conduct resulted in an enforcement action by the SEC around domestic bribery and corruption.

Yet the company was also sanctioned for not having internal controls in place to prevent such actions as those taken by Smisek, with the SEC also finding this was a violation of Section 13. This was in the face of detailing the protocol for United instituting or reinstituting a route. The Order stated, “In particular, United had insufficient internal accounting controls in place to prevent approval of the South Carolina Route in derogation of United’s Policies.”

All the underlying facts, enforcement theories and remediation point towards the use of a failure of internal controls when domestic bribery and corruption occur. This might well be a new enforcement theory to use inside the United States for domestic bribery allegations. Imagine if United’s profit estimates of $47.5 million had been used as the basis of a profit disgorgement order.

Three Key Takeaways

  1. It is very unusual for the FCPA to form the basis of a domestic bribery violation.
  2. A Code of Conduct can be an internal control.
  3. Even a CEO must follow internal controls.
