When crises of corporate conduct reveal widespread shortcomings in public company disclosure, lawmakers and regulators turn to questions of internal controls.

Dissatisfied with the output of corporate reporting, they tinker with its inputs and the processes that connect the one to the other. With the new certification and attestation requirements of the Sarbanes-Oxley Act, this tinkering will likely create a significant growth area in SEC enforcement activity.

The History

Before 1977, no requirement existed that public companies have any internal controls whatsoever.

At that time the scandal du jour was the discovery that U.S. businesses were not above enhancing their competitiveness in overseas markets by paying the occasional bribe to foreign officials. Congress responded with the Foreign Corrupt Practices Act, which established civil and criminal penalties for such conduct.

More to the present point, it went after a common impediment to detecting improper payments, the understandable reluctance of companies to make line-item disclosure for "bribes," "kickbacks," or "slush funds," instead concealing such activities behind innocuous SG&A accounts.

The FCPA required that public companies maintain books and records that accurately describe their transactions, and implement internal controls to assure the integrity of their bookkeeping. These provisions are found in Section 13(b) of the Securities Exchange Act of 1934 and related rules.

FCPA Enforcement Fallout

Enforcing the anti-bribery provisions of the FCPA goes in and out of fashion, perhaps due to an underlying ambivalence as to whether our government should be more concerned about corporate misconduct harmful to Americans than about conduct that merely serves to enrich foreign bureaucrats.

On the other hand, the "books and records" and "internal controls" provisions of the FCPA — usually divorced from issues of commercial bribery — figure in almost every SEC accounting case.

Rarely, however, do these causes of action go to the core of the alleged misconduct. They appear as an afterthought to allegations of financial fraud or false reporting, adding ballast to the bottom end of the charging document. The few pure books and records or internal controls cases are typically settled matters in which the SEC staff fell short of proving fraud but declined to go away empty-handed.

Violations of these provisions can be established without proof of a material misstatement of the issuer's financial statements.

Imperfect Logic

Notably, in hundreds of SEC cases alleging violations of the internal controls provisions, almost no analysis is provided as to what distinguishes good from bad internal controls.

Most cases rest on a dubious syllogism: good internal controls make for good financial statements; Company X had bad financial statements; ergo, Company X had bad internal controls.

Next case.

This logic is imperfect; in fact, good controls are no guarantee of accurate financial statements. More importantly, this approach has provided little guidance to companies seeking to establish controls appropriate to their operations.

Indeed, the term "internal controls" has eluded specific definition, largely because there is no one-size-fits-all model that applies irrespective of company structure and business sector. The Exchange Act refers to mechanisms that deliver the "degree of assurance as would satisfy prudent officials in the conduct of their own affairs." How the private affairs of the CEO of a multi-national mega-corporation are relevant to that corporation's accounting controls is left to the imagination.

No Guidebook, Little Guidance

An influential attempt at putting meat on the bones of the term "internal controls" arrived in 1992 with a report from the Committee of Sponsoring Organizations of the Treadway Commission, known as the "COSO Report."

It describes internal controls as a process involving such components as risk assessment, the accurate compilation and reporting of performance data to management, and a capacity to monitor and evaluate the process over time. Although offering a helpful framework for analysis that has been accepted by the auditing profession, the COSO Report does not purport to provide an instruction booklet for creating adequate internal controls.

In addition, because few companies are so deficient in their control structure that they don't make some attempt to perform each of the functions cited by the COSO Report, it has not provided the SEC with clear enforcement candidates. Thus, the SEC's approach to enforcing these provisions has remained, until now, backward-looking and result-oriented, testing the adequacy of financial reporting controls based solely on their failure to prevent accounting errors.

Rather than specifically target potential violations of the internal controls provisions for investigation, the SEC has treated these charges as a "gimme" in cases in which other, more serious violations are pursued.

Felling The Ivory Tower

The Sarbanes-Oxley Act and the SEC's implementing rules endorse the COSO framework, while offering little additional guidance as to what good internal controls should look like. At the same time, these measures have raised dramatically the stakes in those cases in which hindsight implicates a control failure.

Now, under Sections 302 and 404 of the Act (the latter provision not yet in effect), the CEO and CFO of every public company must certify in their companies' periodic filings that they hold personal responsibility for the company's internal control structure and have actively confirmed its reliability.

There appear to be two reasons for this requirement. First, it reflects the theme running through Sarbanes-Oxley that the more people who are held responsible for corporate control and governance functions, the more likely it is that someone will catch whatever problems appear. And all the better for this "more eyes" approach if the people on the hook are those at the top, who have the power to oversee what everyone else is doing.

Second, these provisions respond to the vexing phenomenon of the ivory tower CEO and CFO. In many accounting investigations, the SEC has been confronted with corporate officials who claim to be almost wholly ignorant of the nuts and bolts of their company's operations, including its internal accounting functions.

While skeptical of these claims, the staff is often unable to disprove them.

With the new certification provisions, however, it will no longer be enough for top management to say: "I thought the hired help was taking care of that." At the very least, the CEO and CFO must demonstrate that they have retained direct oversight responsibilities over the technicians to whom they have delegated responsibility for internal control functions. Gross failures will be hard to pass off as someone else's responsibility and the SEC will have an additional avenue to pursue top management of companies guilty of inaccurate filings.

Failing Grades

Indeed, based on anecdotal evidence, it appears that the SEC staff now addresses the internal reporting process of companies under investigation in a more comprehensive fashion than was the case prior to Sarbanes-Oxley. Eventually, this will result in the fleshing out of this previously undeveloped area of the law, at the expense of those corporate officers named in enforcement actions.

Further, Sarbanes-Oxley Sections 103(a)(2)(A) and 404(b) require that each reporting company's auditors "attest" to management's assessment of the company's internal controls as part of the annual audit engagement. In its proposed implementing rule on this provision, the PCAOB takes a highly prescriptive approach, making clear that auditors must do far more than a mere tire-kicking exercise to properly attest to the efficacy of the company's controls.

Auditors who fail in this responsibility can assume that they will be subject to disciplinary sanctions from the PCAOB and possibly the SEC.

Later this year, when the Section 404(b) requirements begin to take effect, it is likely we will see a significant number of auditors reporting failings in issuer internal controls. This too will contribute to the development of a new frontier in SEC enforcement: investigations into financial controls that are not merely tag-alongs to other matters. It follows that reporting companies would be wise to get their control systems in order before their auditors take out their white gloves or the SEC comes knocking.

The CEOs and CFOs who must assess and certify the efficacy of their companies' internal controls face a dilemma. Few have the expertise (or the time) to design or test complex data storage, retrieval and analysis systems. Yet it is apparent that they will be held responsible for having personally conducted — rather than merely delegated to qualified subordinates — a significant level of due diligence to back up their signatures.

In addition, this obligation is ongoing and even the best practices will be held insufficient if not regularly applied.

The Bare Minimum

The following should be seen as the minimum likely to satisfy regulators evaluating through hindsight an officer's discharge of his or her Section 302 and 404 duties. Obviously, any known or reasonably suspected deficiencies in a company's internal controls will call for a heightened level of inquiry.

The officer (CEO or CFO) should understand the basic structure and processes of the company's controls, including the procedures used to capture and verify data to be entered into its financial reporting system and the provisions for controlling and documenting access to that system. He or she should know the identity and qualifications of the employees and consultants primarily responsible for the design and maintenance of the company's internal controls.

The officer should receive on a quarterly basis, supplemented as necessary to reflect significant events, a comprehensive written report describing — at a level of technical specificity appropriate to the officer's understanding — the performance of the company's internal controls and any recent changes made to those controls.

He or she should conduct quarterly meetings with the employees and consultants responsible for monitoring the company's internal controls to discuss and verify the information contained in the written reports. In particular, the officer should determine whether any control failures occurred during the most recent period and, if so, the actions taken to remedy those failures. He or she should also learn the results of any tests conducted during the period to confirm the effectiveness of the company's internal controls.

And, most important, all of these items should be fully documented in the officer's files.

While the job description of corporate CEO and CFO need not include a specialty in the design and implementation of internal accounting controls, with Sarbanes-Oxley's emphasis on personal responsibility at the top this is no longer an area outside these officers' sphere of responsibility.

Their role may remain essentially supervisory, but it must now be a supervision informed both by a general understanding of internal control functions and by regular infusions of timely and reliable information. To neglect these responsibilities will invite liability in a degree not previously associated with the internal controls provisions of the federal securities laws.

This column solely reflects the views of its author, and should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.