What is the interplay of two different pieces of legislation enacted almost 25 years apart in response to widely different crises? In the case of the Foreign Corrupt Practices Act (FCPA) and Sarbanes-Oxley Act (SOX), quite a bit. Many have speculated that the passage of SOX was one of the contributing factors to the explosive growth in FCPA enforcement actions after 2004, basically because of the SOX 404 reporting requirement. However, regulators’ development of these two laws may move well beyond the reach that the legislators who enacted them initially intended.
The FCPA was passed in 1977 in response to U.S. companies’ blatant use of bribery and corruption to secure business outside the U.S. SOX was passed in response to the financial fraud engaged in by companies such as Enron and WorldCom in the late 1990s and early 2000s. Both laws focused on robust internal controls as a part of the solution going forward. So we have the FCPA to prevent foreign bribery and SOX to prevent accounting fraud as was perpetrated by the likes of Enron and WorldCom.
Joe Howell, Executive Vice President of Workiva, has said that the FCPA and SOX are closely tied to one another. He believes that SOX is built on a pedestal that Congress created in the FCPA. Further, he sees a clear line to Dodd-Frank, which he also believes in many ways relies on much of the work done in the other areas of internal controls, requiring financial institutions to have sufficient controls. He said, “In my personal view, it … is not a stretch to draw a line from the Foreign Corrupt Practices Act of 1977 to the Sarbanes-Oxley Act of 2002 up to Dodd-Frank of 2010.”
Aaron Einhorn, writing in the Denver Journal of International Law & Policy, in an article entitled “The Evolution and Endpoint of Responsibility: The FCPA, SOX, Socialist-Oriented Governments, Gratuitous Promises, and a Novel CSR Code,” notes, “Comparison of the FCPA’s and SOX’s internal controls provisions reveals the trend toward placing greater responsibilities on corporations,” while “the FCPA’s internal controls provisions, initially drafted 30 years ago, simply declare that issuers must design and maintain internal controls, but does not require evaluation or analysis.”
However, “sections 302 and 404 of SOX together require corporate executives to state their responsibility for designing internal controls, to create such controls, to assess and evaluate these controls and to draw conclusions about their effectiveness. While the FCPA places responsibility for internal controls upon the corporation in general, SOX specifically charges executive officers with internal controls duties.” Einhorn ends this section by noting, “internal controls have been transformed from a recitation of general duties lodged upon the corporation as a whole to a statement of specific duties imposed on corporate executives in particular.”
This interplay between the FCPA and SOX around internal controls is such that Professor Stephen Bainbridge, the William D. Warren Distinguished Professor of Law at the UCLA School of Law, in a blog post entitled “Did Wal-Mart lawyers violate their Sarbanes-Oxley section 307 duties? Did Wal-Mart violate SOX 404?”, referring to the company’s Mexico subsidiary operations as reported in the New York Times, remarked, “How could Wal-Mart have provided a positive assessment of their internal controls in light of these problems?” He based this question on a requirement found under SOX §404 that a company must not only acknowledge its responsibility for establishing and maintaining a system of internal controls and procedures for financial reporting and an assessment, but also report on the effectiveness of the company’s internal controls.
Karen Cascini and Alan DelFavero, in an article entitled “An Assessment of the Impact of the Sarbanes-Oxley Act on the Investigation Violations of the Foreign Corrupt Practices Act,” said, Section 404 “requires management to annually disclose its assessment of the firm’s internal control structure and procedures for financial reporting and include the corresponding opinions by the firm’s auditor.” More particularly, “while the FCPA required public companies to institute effective internal controls to stop the bribes and make executives accountable, SOX 404 goes further, but has similar goals.”
Yet, the FCPA has language around internal controls that reads:
(B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that –
(i) transactions are executed in accordance with management’s general or specific authorization;
(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;
(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and
(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences; [emphasis supplied]
Since the Smith and Wesson (S&W) FCPA enforcement action from 2014, the Securities and Exchange Commission (SEC) has more aggressively pursued companies for violations of internal controls under the FCPA. In its administrative order, the SEC stated: “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” (It should be noted that S&W did not admit or deny any of the allegations made against it; the company simply consented to the entry of the order.) All of this was laid out in the face of no evidence of the payment of bribes by S&W to obtain or retain business. This means it was as close to strict liability as it can be without using those words.
Yet the question remains: what is “reasonable”? It cannot mean “material,” as there is separate language in the FCPA about materiality. So it must be assumed that if Congress intended internal controls to only have a materiality standard, Congress would have said so. However, there is no such definition for “reasonable,” so the standard is open.
This is where I have come to believe that SOX has influenced the SEC interpretation of the FCPA. There is no reasonable or any other standard laid out in SOX. Perhaps the SEC has taken that interpretation and decided the reasonable assurances standard of the FCPA is only met if the internal controls present in a company are robust enough to demonstrate that no bribery and corruption has occurred as an affirmative finding. This may not have been what Congress intended when the FCPA was passed back in 1977, but it appears that is where we are now.