To understand the FCPA‘s internal controls provisions, and the related concepts, the SEC’s recent resolution with Eli Lilly and Company provides useful insights. Through offshore entities, improper discounts, falsified records, and charitable donations, improper payments were made by the Russian, Chinese, Brazilian, and Polish subsidiaries of Eli Lilly. In addition to violations of the anti-bribery provisions, numberous violations of the record-keeping provisions were alleged. Yet most significant in terms of providing guidance were the alleged internal controls violations.
In announcing its resolution with Eli Lilly, the SEC made specific reference to the need for companies to avoid a “check the box mentality” in conducting due diligence. The absence of specialized audit procedures to address bribery risks in emerging markets was one of the underlying bases for the internal controls violation.
For a violation of the internal controls provisions, unlike the record-keeping or anti-bribery provisions, no clear formula or bright-line standard exists. Because of their esoteric nature, they are seldom the basis for criminal violations. Yet, since no proof of intent is required for a civil violation, internal controls have frequently been the basis of SEC enforcement in many contexts not limited to the bribery of foreign officials.
Consistent with concepts associated with internal controls, such as those spelled out in the COSO framework, an ongoing need exists for entities to adjust their procedures to circumstances that may pose a basis for increased risk. It is that failure to adjust to the heightened degree of risk of bribery and the attendant greater likelihood of false records that constituted one of the bases for the internal controls violation and the public admonition against a “check the box” approach.
In particular, in its complaint, the SEC focused on the failure of Eli Lilly’s audit department to adjust to the circumstances. “[T]he auditors relied upon the standard accounting controls which primarily assured the soundness of the paperwork. There was little done to assess whether, despite the existence of facially acceptable paperwork, the surrounding circumstances or terms of a transaction suggested the possibility of an FCPA violation or bribery.” In short, this is precisely what prompted its admonition against a “check the box” approach.
These seemingly nebulous concepts associated with internal controls can be confusing and, at times, never ending. So often the key is to keep in mind the type of controls that one places on his or her activities in one’s daily lives. If one goes to a cold climate, one takes extra clothes. When one goes to a more crime-ridden area, one takes precautionary measures. The same basic thought process applies in devising adequate internal controls. One needs to step back a take a look at the larger picture.