The SEC took a seemingly aggressive stance in the BHP Billiton case, penalizing the Australian company $25 million for FCPA offenses because it sponsored foreign officials to attend the 2008 Summer Olympics in Beijing.
But did the SEC overreach by alleging internal control failures with hospitality payments to government officials that potentially were subject to some quid pro quo arrangement?
While the SEC did charge BHP with a books and records violation, this violation did not relate to any accounting misrepresentations or falsified accounting records.
This case appears to be an outlier for the SEC. In all other SEC enforcement actions, internal controls violations were coupled with a books and records violation relating to some type of shady account. But with BHP, the SEC found that the company identified a specific corruption risk, established a control to mitigate the risk, but failed to execute and document it adequately.
There was no slush fund, and no fake invoices, fictitious vendors, or circuitous payments to government officials. In other words, there was no shady accounting.
What can we learn here?
BHP employees actively identified a new corruption risk and sought to mitigate it. Where the company apparently went wrong was by not integrating the newly identified risk into its overall risk management process, and not ensuring that the newly established control was adequate to mitigate the risk.
Had BHP included the identified risk in its overall risk management process, it likely would have benefited from:
- Visibility of the perceived risk by various parts of the organization including finance, legal, operations and members of the risk committee of the board, if one existed
- A clear determination of who within the organization was responsible for mitigating the risk, and
- A chance for internal audit or another group within the organization to evaluate whether the established controls were sufficient and operating effectively.
Linking detailed internal controls to identified risks is a laborious task. And it’s harder in decentralized and far-flung organizations. But it’s a powerful compliance tool.
Compliance professionals and commentators will eventually know whether the BHP case was part of an emerging pattern of internal controls enforcement or a one-off anomaly. That’s later. For now, issuers should consider shoring up their risk management and internal control processes before the regulators come knocking.
Jean-Michel Ferat is a managing director in the Washington, D.C. office of the Claro Group. He has over eighteen years of experience in the specialized fields of forensic accounting and fraud detection. He has undertaken dozens of corruption investigations around the globe, including a lead role in the United Nations Oil-for-Food Program investigation.