Internal Controls and their Relationship with FCPA and SOX: Two Separate Entities or Close Kin?
The Foreign Corrupt Practices Act (FCPA), passed in 1977, was a response to U.S. companies' use of bribery and corruption to secure business outside the U.S. Fast forward to 2002, the Sarbanes-Oxley Act (SOX) was enacted in response to financial fraud committed by companies such as Enron and WorldCom. Both laws, despite their distinct origins, have developed a close connection, particularly in their emphasis on robust internal controls and corporate accountability.
The FCPA, initially focused on public companies instituting effective internal controls to prevent bribes and hold executives accountable, has evolved to a degree. The Securities and Exchange Commission (SEC) may have interpreted the FCPA's "reasonable assurances" standard as requiring internal controls that demonstrate no bribery and corruption have occurred as an affirmative finding. This interpretation could necessitate internal controls to be robust enough to demonstrate that no bribery and corruption has occurred.
On the other hand, SOX §404 requires a company not only to acknowledge its responsibility for establishing and maintaining a system of internal controls and procedures for financial reporting and an assessment, but also to report on the effectiveness of the company's internal controls. Sections 302 and 404 of SOX require corporate executives to state their responsibility for designing internal controls, to create such controls, to assess and evaluate these controls, and to draw conclusions about their effectiveness.
The SEC's order against Smith & Wesson in 2014 highlighted this evolution. The order stated that Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations, despite no evidence of the payment of bribes by the company to obtain or retain business. The SEC's order against Smith & Wesson did not require the company to admit or deny any of the allegations made against it, only to consent to the entry of the order.
The close connection between the FCPA and SOX regarding internal controls has evolved beyond the original legislative intent. Both laws now emphasize stringent internal control requirements and corporate accountability, extending their scope and enforcement in ways that exceed lawmakers' initial expectations.
Professor Stephen Bainbridge has questioned how a company like Wal-Mart could provide a positive assessment of their internal controls in light of problems reported in their Mexico subsidiary operations. This raises questions about the effectiveness of these stringent internal control requirements and whether they are truly preventing corruption and fraud.
The SEC's interpretation of the FCPA may not have been what Congress intended when the act was passed in 1977. However, it is clear that the focus on internal controls has become a cornerstone of both the FCPA and SOX, shaping corporate behaviour and financial reporting practices in significant ways.
