The name sounds objective and exact — even scientific. The internal controls provisions. But in real life, how do internal controls measure up? Do they work?
To review — the FCPA requires issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that all transactions are properly executed and recorded and all assets are accounted for.
That doesn’t sound so hard. For example, we expect retail banks to know where their depositors’ money is, down to the penny. It’s either in the bank or it’s not. Internal controls make sure of that. Most of us apply the same zero-tolerance controls to our own checkbooks.
But here’s the tricky part. Money is special. It doesn’t spoil like food or die like animals. It doesn’t shrink like unwashed denim or evaporate like gasoline. It doesn’t break like dishes and coffee cups. Money in a bank doesn’t create wastage, like when gloves are cut from a leather sheet and scraps are left over.
In other words, internal controls that work well for a retail bank won’t work the same way for a company that produces, handles, or moves anything else.
Look at a winemaker. It grows grapes, processes them, bottles the wine, and ships it to distributors. Along the way grapes can spoil, wine can evaporate, bottles can break. Do the winemaker’s internal controls recognize and deal with those contingencies? Can the internal controls tell the difference between legitimate spoilage, leakage, and breakage and illicit pilfering or worse?
The FCPA’s internal controls provisions don’t require perfection. What they require is a system of internal accounting controls sufficient to provide reasonable assurances that the company’s transactions are authorized and the assets are all accounted for. That wiggle room is some comfort for anyone struggling to create internal controls or relying on them for compliance.
And yet nearly every FCPA anti-bribery enforcement action against an issuer also involves internal controls violations. Does that mean there’s no way to design internal controls capable of stopping bribery? Does it mean devious employees can always manipulate the spoilage, leakage, and breakage built into a company’s work flow?
The problem is even worse for personal service providers. Investment banks, for example, sell their partners’ knowledge, experience, and expertise. I-bankers are valuable because of who and what they know. They spend their time explaining that value to clients and demonstrating it through introductions, valuations, deal structuring, and the like.
What sort of internal controls could ever be sufficient to provide reasonable assurances that an i-banker won’t cheat? That he or she won’t spend time cooking up a deal tainted with kickbacks and bribery?
If FCPA corporate enforcement actions were regularly litigated, a meaningful way to measure internal controls would eventually emerge. But this is the FCPA. We don’t have judicial opinions as a guide. So we’re left with a requirement in the FCPA for internal controls that might be impossible for some companies to meet.
Richard L. Cassin, pictured above, is editor at large of the FCPA Blog.