Corporate Compliance Insights

The FCPA and SOX & Internal Controls – Twin Sons of a Different Mother?

by Thomas Fox
May 17, 2016
in FCPA
FCPA and SOX compliance are closely linked

What is the interplay of two different pieces of legislation enacted almost 25 years apart in response to widely different crises? In the case of the Foreign Corrupt Practices Act (FCPA) and Sarbanes-Oxley Act (SOX), quite a bit. Many have speculated that the passage of SOX was one of the contributing factors to the explosive growth in FCPA enforcement actions after 2004, basically because of the SOX 404 reporting requirement. However, the development of these two laws by regulators may move well beyond where the legislators who enacted them may have intended their initial reach.

The FCPA was passed in 1977 in response to U.S. companies’ blatant use of bribery and corruption to secure business outside the U.S. SOX was passed in response to the financial fraud engaged in by companies such as Enron and WorldCom in the late 1990s and early 2000s. Both laws focused on robust internal controls as a part of the solution going forward. So we have the FCPA to prevent foreign bribery and SOX to prevent accounting fraud as was perpetrated by the likes of Enron and WorldCom.

Joe Howell, Executive Vice President of Workiva, has said that the FCPA and SOX are closely tied to one another. He believes that SOX is built on a pedestal that Congress created in the FCPA. Further, he sees a clear lineage to Dodd-Frank, which he also believes in many ways relies on much of the work done in the other areas of internal controls to require financial institutions to have sufficient controls. He said, “In my personal view, it … is not a stretch to draw a line from the Foreign Corrupt Practices Act of 1977 to the Sarbanes-Oxley Act of 2002 up to Dodd-Frank of 2010.”

Aaron Einhorn, writing in the Denver Journal of International Law & Policy, in an article entitled “The Evolution and Endpoint of Responsibility: The FCPA, SOX, Socialist-Oriented Governments, Gratuitous Promises, and a Novel CSR Code,” notes, “Comparison of the FCPA’s and SOX’s internal controls provisions reveals the trend toward placing greater responsibilities on corporations,” while “the FCPA’s internal controls provisions, initially drafted 30 years ago, simply declare that issuers must design and maintain internal controls, but does not require evaluation or analysis.”

However, “sections 302 and 404 of SOX together require corporate executives to state their responsibility for designing internal controls, to create such controls, to assess and evaluate these controls and to draw conclusions about their effectiveness. While the FCPA places responsibility for internal controls upon the corporation in general, SOX specifically charges executive officers with internal controls duties.” Einhorn ends this section by noting, “internal controls have been transformed from a recitation of general duties lodged upon the corporation as a whole to a statement of specific duties imposed on corporate executives in particular.”

This interplay between the FCPA and SOX around internal controls is such that Professor Stephen Bainbridge, the William D. Warren Distinguished Professor of Law at the UCLA School of Law, in a blog post entitled “Did Wal-Mart lawyers violate their Sarbanes-Oxley section 307 duties? Did Wal-Mart violate SOX 404?”, referring to the company’s Mexico subsidiary operations as reported in the New York Times, remarked, “How could Wal-Mart have provided a positive assessment of their internal controls in light of these problems?” He based this question on a requirement found under SOX §404 that a company must not only acknowledge its responsibility for establishing and maintaining a system of internal controls and procedures for financial reporting and an assessment, but also report on the effectiveness of the company’s internal controls.

Karen Cascini and Alan DelFavero, in an article entitled “An Assessment of the Impact of the Sarbanes-Oxley Act on the Investigation Violations of the Foreign Corrupt Practices Act,” said, Section 404 “requires management to annually disclose its assessment of the firm’s internal control structure and procedures for financial reporting and include the corresponding opinions by the firm’s auditor.” More particularly, “while the FCPA required public companies to institute effective internal controls to stop the bribes and make executives accountable, SOX 404 goes further, but has similar goals.”

Yet, the FCPA has language around internal controls that reads:

(B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that –

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences; [emphasis supplied]

Since the Smith and Wesson (S&W) FCPA enforcement action from 2014, the Securities and Exchange Commission (SEC) has more aggressively pursued companies for violations of internal controls under the FCPA. In its administrative order, the SEC stated: “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” (It should be noted that S&W did not admit or deny any of the allegations made against it; the company simply consented to the entry of the order.) All of this was laid out in the face of no evidence of the payment of bribes by S&W to obtain or retain business. This means it was as close to strict liability as it can be without using those words.

Yet the question remains: what is “reasonable?” It cannot mean “material,” as there is separate language in the FCPA about materiality. So it must be assumed that if Congress intended internal controls to only have a materiality standard, Congress would have so said. However, there is no such definition for “reasonable,” so the standard is open.

This is where I have come to believe that SOX has influenced the SEC interpretation of the FCPA. There is no reasonable or any other standard laid out in SOX. Perhaps the SEC has taken that interpretation and decided the reasonable assurances standard of the FCPA is only met if the internal controls present in a company are robust enough to demonstrate that no bribery and corruption has occurred as an affirmative finding. This may not have been what Congress intended when the FCPA was passed back in 1977, but it appears that is where we are now.

 


Thomas Fox

Thomas Fox has practiced law in Houston for 25 years. He is now assisting companies with FCPA compliance, risk management and international transactions. He was most recently the General Counsel at Drilling Controls, Inc., a worldwide oilfield manufacturing and service company. He was previously Division Counsel with Halliburton Energy Services, Inc. where he supported Halliburton’s software division and its downhole division, which included the logging, directional drilling and drill bit business units. Tom attended undergraduate school at the University of Texas, graduate school at Michigan State University and law school at the University of Michigan. Tom writes and speaks nationally and internationally on a wide variety of topics, ranging from FCPA compliance, indemnities and other forms of risk management for a worldwide energy practice, tax issues faced by multi-national US companies, insurance coverage issues and protection of trade secrets. Thomas Fox can be contacted via email at tfox@tfoxlaw.com or through his website www.tfoxlaw.com. Follow this link to see all of his articles.
