Do internal controls have a fatal flaw?

The name sounds objective and exact — even scientific. The internal controls provisions. But in real life, how do internal controls measure up? Do they work?

To review — the FCPA requires issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that all transactions are properly executed and recorded and all assets are accounted for.

That doesn’t sound so hard. For example, we expect retail banks to know where their depositors’ money is, down to the penny. It’s either in the bank or it’s not. Internal controls make sure of that. Most of us apply the same zero-tolerance controls to our own checkbooks.

But here’s the tricky part. Money is special. It doesn’t spoil like food or die like animals. It doesn’t shrink like unwashed denim or evaporate like gasoline. It doesn’t break like dishes and coffee cups. Money in a bank doesn’t create wastage, like when gloves are cut from a leather sheet and scraps are left over.

In other words, internal controls that work well for a retail bank won’t work the same way for a company that produces, handles, or moves anything else.

Look at a winemaker. It grows grapes, processes them, bottles the wine, and ships it to distributors. Along the way grapes can spoil, wine can evaporate, bottles can break. Do the winemaker’s internal controls recognize and deal with those contingencies? Can the internal controls tell the difference between legitimate spoilage, leakage, and breakage and illicit pilfering or worse?

The FCPA’s internal controls provisions don’t require perfection. What they require is a system of internal accounting controls sufficient to provide reasonable assurances that the company’s transactions are authorized and the assets are all accounted for. That wiggle room is some comfort for anyone struggling to create internal controls or relying on them for compliance.

And yet nearly every FCPA anti-bribery enforcement action against an issuer also involves internal controls violations. Does that mean there’s no way to design internal controls capable of stopping bribery? Does it mean devious employees can always manipulate the spoilage, leakage, and breakage built into a company’s work flow?

The problem is even worse for personal service providers. Investment banks, for example, sell their partners’ knowledge, experience, and expertise. I-bankers are valuable because of who and what they know. They spend their time explaining that value to clients and demonstrating it through introductions, valuations, deal structuring, and the like.

What sort of internal controls could ever be sufficient to provide reasonable assurances that an i-banker won’t cheat? That he or she won’t spend time cooking up a deal tainted with kickbacks and bribery?

If FCPA corporate enforcement actions were regularly litigated, a meaningful way to measure internal controls would eventually emerge. But this is the FCPA. We don’t have judicial opinions as a guide. So we’re left with a requirement in the FCPA for internal controls that might be impossible for some companies to meet.


Richard L. Cassin is editor at large of the FCPA Blog.




  1. Very interesting article! Having internal controls I guess is better than not having anything, it will prevent many bad things from happening, I think it all comes down to principles and education at home. I am a former Import Specialist with the Mexican Customs Service and saw many, many times how the Mexican government implemented different strategies such as cameras in the inspection areas, system controls, training, etc., and there is always someone who figures a way around the internal controls in order to get away with their corrupt ways.

  2. From the sociological perspective, it is worth pointing out that your analysis mirrors the difference between system (internal controls) and environment (human consciousness). According to the theory, the system and its environment always remain separate. From the standpoint of communication this is a feature and not a bug – it is easy to see how difficult communication could become if states of consciousness were included in its operations. From the standpoint of the system that would very much like to control its environment, this separation of psychic and system states causes some difficulty, exactly as you describe.

  3. I believe the flaw in internal control lies in the breadth the author describes, while what works for a bank will not necessarily work for a manufacturing company. The important thing is to take the right foundations of internal control and try to make it harder for cases of corruption to arise; it is also important to establish a control with the context of the company and the country in question in mind, since culture and level of education tend to have a great influence. As other comments say, it is better to have some kind of control than to let the lion loose, and to seek to be preventive rather than prosecutorial.

  4. Thanks for yet another thought-provoking article, Dick. The conundrum of which you speak is exactly why we are such big sticklers for robust risk assessments. If your winemakers or i-Bankers know their business risks (as we think they likely do), they should be able to design controls to mitigate the most significant of them – but they must not stop there, they must also keep an eye on how those risks change over time, as they surely will. Twenty years ago who had ever heard of spear-phishing or cryptocurrency-based pyramid schemes?

  5. Excellent, thought-provoking article. I don’t agree with the argument that if FCPA enforcement actions were regularly litigated a meaningful way to measure internal controls would eventually emerge, for the following reasons:
    1) The FCPA law criminalizes the payment of bribes. Any charge that connects the inducement to action proves the corrupt activity. The entire subset of these cases would not shed light onto the internal control system.
    2) The books and records provision is an SEC requirement (13b), essentially to require entities to have a sufficient system of records to prevent “slush funds” for foreign bribery. As you illustrate in your blog, every sector would have different business requirements. The business models would dictate the rigor of controls required depending on a multitude of factors such as where they operate, what they do and industry standards. Internal controls at financial institutions would look different than an energy company. Would a court opinion on an energy company be relevant to an art dealer?
    3) In 2018, the DOJ announced the conclusion of 18 enforcement actions; four of which (22%) were declinations. DOJ would be unlikely to affirm the sufficiency of any entity’s internal controls but will review the facts, including the compliance environment and internal controls to make a judgement on the propriety for prosecution. Were there instances of bribes paid, in spite of good compliance and internal controls and the DOJ passed on prosecution of the entities? Does the current justice system provide credit for a good internal control system?
    The intent of not creating a “bribery slush fund” prevails. Every entity cries “inconsistent with our ethics and values” and “rogue actors” when faced with FCPA allegations but that cry does not survive a company who paid hundreds of millions in bribes; that is not emblematic of solid corporate ethics, or a good system to account for the entity’s “millions.”
    4) The fourteen cases that made it to court (albeit pled or deferred) hardly provide a robust body of cases to have the courts help us define "good" internal controls.
    In summary, I’m reminded of the adage “Bad cases make bad case law.” I’m not sure it’s really for the courts to define a good system of internal controls. That is up to us, the practitioners, recognizing the nuances in each industry and business; evangelizing good corporate conduct and compliance; and developing systems to protect the integrity and reputation of those entities we serve. I think you provide a great forum to do just that.
