THE AUDIT COMMITTEE'S ROLE REGARDING THE PROVISIONS OF THE FOREIGN CORRUPT PRACTICES ACT

Albert D. Spalding, Jr.
Wayne State University
Detroit, Michigan

Alan Reinstein
Wayne State University
Detroit, Michigan


Abstract

The Foreign Corrupt Practices Act (FCPA) of 1977, as amended in 1988, prohibits individuals and corporations from using bribes and kickbacks to enhance foreign commerce. Imposing stiff penalties for noncompliance, the FCPA includes internal control and accounting and recordkeeping provisions. Several studies show that corporate codes of conduct and other formal ethical policies help assure compliance with ethical policies, including the provisions of the FCPA.

Congress, the Securities and Exchange Commission (SEC), the courts, the American Institute of Certified Public Accountants (AICPA) and many other financial statement users and preparers have endorsed the audit committee concept as a means to oversee the audit function and otherwise strengthen the financial reporting process. As such, audit committees should ascertain the effectiveness of the entity's internal control structure and compliance with the provisions of the FCPA.

After highlighting the provisions of the FCPA, this study examines the extent of the audit committees' involvement in corporate compliance with the FCPA--focussing on corporate codes of conduct--based on a study of 152 audit committees whose securities are traded on the New York Stock Exchange (NYSE). Recommendations for strengthening the committees' and companies' roles in this area are also presented.

Introduction

Many provisions of the Foreign Corrupt Practices Act (FCPA), an anti-bribery law enacted in 1977 and amended in 1988, depend upon effective corporate internal control structures. The audit committee of the corporate board of directors is the most logical group to develop, implement and ascertain observance of corporate codes of ethics. The monitoring of compliance with such codes is critical to firms' compliance with the FCPA, because the codes establish corporate policy regarding bribes, grease payments and inappropriate disbursements. Based upon an analysis of audit committee operations, this study examines their oversight role regarding the FCPA.

Background: History and Importance of the FCPA
In 1976, such publicly traded companies as Bendix, IT&T and Lockheed admitted to making millions of dollars in "questionable payments" to Japanese and European high officials--with or without their companies' top executives' knowledge. These events and the post-Watergate environment (under the leadership of then-President Carter) helped enact the FCPA of 1977. Adopted as an amendment to the Securities Act of 1934, the law makes it a criminal offense for publicly traded companies to bribe foreign officials, foreign political parties or candidates for foreign public office to obtain "favorable" business decisions. The 1988 FCPA amendments allowed companies to give "token" or other "minor" gifts to clerical or "low-level" employees to facilitate such administrative functions as expediting shipments through customs or securing required permits.

Congress enacted the FCPA after ascertaining that many U.S. corporations bribed foreign officials and performed other forms of unsavory conduct to secure business abroad.[1] So widespread was the appearance of corruption, that Securities and Exchange Commission (SEC) investigations found over 300 American companies making such questionable payments to foreign officials.[2]

Despite accusations of attempting to export American puritanical values to different types of cultures, Congress enacted the 1977 FCPA to stress that corporate bribery was per se unethical and detrimental to American business.[3] The FCPA allowed many foreign companies, based in countries that view bribery simply as a way to do business, with little concern about corporate ethics--who often received local export incentives--an opportunity to edge out American companies.[4] As indicated at hearings on the original FCPA, Congress believed that bribery (a) tainted the credibility of American business operations and the principles of free enterprise in general; (b) caused embarrassment with allies and foes alike; (c) created foreign policy difficulties; and (d) tarnished our Nation's worldwide image.[5]

Anti-Bribery Provisions.
The FCPA bans bribery, with prohibitions inserted both as an amendment to the Securities and Exchange Act, as applied to publicly held companies considered "issuers" of securities, and as an identical stand-alone provision directed at all other American businesses.[6] While the 1977 FCPA prohibited companies from offering compensation to foreign officials to obtain or retain business, the 1988 FCPA allows them to make "grease payments" to essentially clerical or low-level employees that facilitate performance of routine administrative functions such as clerical processing or procurement of licenses.[7]

Accounting Provisions.
The FCPA's record-keeping requirements mandate U.S. corporations to keep books, records and accounts in reasonable detail--to reflect fairly their transactions and dispositions of assets--and to develop and maintain adequate systems of internal control.[8] Congress intended that these accounting standards would strengthen the credibility of corporate records, making the concealment of bribes less likely.[9]

The FCPA's accounting requirements require affected companies to maintain an internal control structure to assure that (1) transactions are executed per management's authorization, (2) records sufficiently permit preparing appropriate financial statements, (3) access to assets is limited to appropriate personnel, and (4) periodic checks are made to verify the existence of recorded assets and to resolve any differences thereto.[10]

Penalties For Noncompliance With The FCPA

FCPA Statutory Penalties.
Both the FCPA's anti-bribery and the accounting provisions are enforced via civil liabilities and criminal sanctions.[11] The SEC has jurisdiction to investigate potential violators and bring civil injunction actions against them to the Department of Justice for prosecution.[12] The Department of Justice can investigate U.S. companies other than issuers, and handles all criminal prosecutions,[13] and its Criminal Division responds to written requests for an advance indication of its position in light of specific circumstances under its "Review Procedures."[14]

Under the 1988 FCPA, corporate violators face fines up to $2 million, and individuals face fines up to $100,000 for willfully bribing foreign officials. Companies may not pay their employees' fines, and violators face up to five years imprisonment; corporations are "vicariously" liable for their employees' acts, and such employees may be convicted even if their employer was found not to have violated the FCPA.[15] In fact, General Electric Corporation was recently fined $9.5 million and agreed to pay an additional $59.5 million civil penalty, largely for failing to keep accurate books and records per the FCPA's requirements.[16]

Sentencing Guidelines.
Penalties imposed under the FCPA are subject to the U.S. Sentencing Commission's[17] guidelines, which require federal judges to examine the extent to which corporate defendants have established policies and procedures designed to ensure compliance with the FCPA. Corporations proving that violations of FCPA provisions occurred despite the establishment of an effective compliance program face significantly reduced sentences.[18]

Ancillary Litigation
Corporations violating the FCPA risk having claims arising from laws other than the FCPA. For example, companies suffering damages from lost business caused by a competitor's illegal bribe of foreign officials can seek relief under the Racketeer Influenced and Corrupt Organizations statute.[19] Companies victimized by such violations can also bring traditional state causes of action for damages incurred as a result of FCPA violations, such as claims of tortious interference with contractual relations.[20]

The Audit Committee's Role In Achieving Compliance With The FCPA

Background of Audit Committees
Many entities use audit committees to protect themselves from fraud, mismanagement and financial liability. Generally comprised of outside directors, the committee serves as an intermediary between the external and internal auditors and the full board of directors in their oversight role of the financial reporting process. They are primarily responsible for selecting the entity's auditor, discussing the audit scope with both types of auditors, inviting direct auditor communications on major problems that arose during the audit, negotiating audit fees, reviewing the financial statements and related external audit report for the full board of directors' ultimate approval and otherwise overseeing the audit process to enhance the independence of both types of auditors.

Wagner, O'Keefe and Bostwick[21] found that effective audit committees (1) communicate better with internal and external auditors, (2) provide enhanced external auditor independence, (3) more likely implement the auditors' suggestions relating to internal controls, and (4) bring added advisory personnel relating to the financial reporting process.

Many authoritative bodies and accounting organizations strongly support the audit committee concept. The importance and number of audit committees have grown significantly since they became mandatory for all New York Stock Exchange (NYSE) listed companies in 1978. The AICPA's Commission on Auditors' Responsibilities,[22] the National Commission on Fraudulent Financial Reporting (Treadway Commission), the federal courts[23] and the United States Congress[24] regard the audit committee as the most logical, cohesive body to insure the prevention of illegal or questionable acts. The SEC also expects the committee to monitor corporate conduct and indicated that "... in all but one instance, companies found to have rendered illegal payments did not have a full-time audit committee."[25]

Establishment & Implementation of Written Ethics Codes
Serving as financial overseers, audit committees represent an important step towards achieving effective internal controls and compliance with government regulations. Several large CPA firms stress[26] that a major committee responsibility includes ascertaining if their companies have in place adequate controls (i.e., to meet the FCPA's requirements) and, if not, determining what additional controls are necessary.

Shaun O'Malley,[27] Managing Partner of Price Waterhouse, states that the last decade has brought "dramatic" changes in the public's expectations from the board of directors, management and both internal and external auditors. Management is primarily responsible for establishing adequate internal accounting controls and avoiding "sensitive payments" whenever possible, and for disclosing them should they occur.

Audit Committees and External Auditors
In 1947, the AICPA informally endorsed the audit committee concept in a Journal of Accountancy editorial.[28] In 1967 and 1977, it formally endorsed the audit committee concept as a means to strengthen the auditor's independence and competence.[29]

In 1988, the AICPA's Auditing Standards Board issued four Statements on Auditing Standards (SASs) dealing with audit committees to help narrow the "expectations gap" between what CPAs perform and what the public expects from them. SAS Nos. 53 and 54, The Auditor's Responsibility to Detect and Report Errors and Irregularities and Illegal Acts by Clients, require auditors to notify audit committees (or equivalent authority, such as the finance or budget committee) of suspected fraud or illegal acts; SAS No. 60, Communication of Internal Control Structure Related Matters Noted in an Audit, expanded the set of internal control deficiencies that auditors should report to audit committees or their equivalent; and SAS No. 61, Communications with Audit Committees, requires auditors to disclose certain potential and resolved matters pertaining to the audit to audit committees or their equivalent. CPAs auditing publicly traded entities, thus, must be especially careful to discuss potential internal control weaknesses with their audit committees.[30]

Audit Committees and Internal Auditors
Audit committees should ascertain that their internal auditors examine the prescribed and actual internal control structure by (1) examining appropriate documentation of compliance with all regulatory policies and provisions (e.g., flowcharts and organizational charts), (2) preparing internal control questionnaires and other documents that test actual compliance, and (3) focussing on potential inherent risk areas of potential weaknesses in the control structure (e.g., areas where much cash is spent without strong controls).

Schiff and Balog[31] note that by updating, monitoring and enforcing these codes (e.g., by protecting whistleblowers), internal auditors can assume such new duties as resolving ethical conflicts. Many audit committees now use internal auditors to help assure compliance with the provisions of regulatory acts and corporate ethical policies by focussing more on operational audits and using more sophisticated information technology and communications and computer skills. The Treadway Commission also concluded that internal auditors monitoring compliance with corporate codes of conduct benefit from exposure to the audit committee and other high levels of the corporation.

Audit Committees and Management Accountants
As corporate employees, management accountants are more directly responsible for assuring compliance with regulations and policies than are their independent auditors. Thus, they should help perform such tasks as providing detailed analytical operating reports and other data regarding the company's adherence to the rules (i.e. the provisions of the FCPA), and ascertaining that the company considers all suggestions to strengthen the internal control structure.

The audit committee can also ask management accountants to identify and monitor transactions between management and supervisory personnel to comprehend better how the company delegates decision-making authority between these two parties. The committee should check that such transactions are documented properly, that management continuously improves its internal control structure, and that it follows its prescribed procedures. In their interactions between management, internal and external auditors and management accountants, audit committees can help assure adherence with the provisions of the FCPA. They should ascertain that (a) internal control mechanisms are functioning that can detect questionable behavior and that (b) financial reporting and other audit processes are operating as prescribed. Continuous monitoring, reinforcing and strengthening internal control mechanisms will help prevent abuses and provide compliance with the FCPA provisions.

A Survey Of Audit Committees

Impetus
The above discussion shows the audit committee's key role in helping their companies comply with the provisions of the FCPA, including the monitoring of corporate codes of conduct. A survey of present practices was taken to determine how audit committees help monitor their companies' ethical and related policies.

Methodology
After reviewing the FCPA and related literature, a survey instrument was pretested and revised based upon the comments of six academicians, five audit committee members and seven other corporate directors. The data were obtained from a mail survey of one randomly selected committee member from 152 randomly selected companies whose securities are traded on the NYSE. A total of 109 usable responses were obtained, and 22 committee members did not respond for reasons beyond their control (e.g., they were undergoing major surgery, were retired, or no longer with the company). Moser and Kalton[32] found that such addressees who are "outside" the original survey population should be subtracted from the original survey population before calculating the response rate. Thus, the adjusted 83.3% response rate {i.e., (109)/(152-22)} exceeds Kerlinger's[33] 80 percent criterion for a satisfactory response rate, where no further testing for non-response bias appears necessary.

Results
The survey first ascertained if audit committees follow detailed work programs for their activities, including reviewing the internal control structure--an indispensable component of ascertaining compliance with the provisions of the FCPA. A total of 75 percent of the respondents followed such work programs, and, as several respondents indicated, that number will undoubtedly rise as the audit committee process matures.

The survey next examined aspects of the respondents' Codes of Ethics with these results appearing in Table One, below. The vast majority (93 percent) of sampled companies use codes of conduct barring questionable or illegal payments, and 66 percent of them require employees to provide written assurances that corporate funds were not used for illegal purposes.

Table One

Characteristics of Corporate Codes of Ethics                     Percent
Code of Ethics Established at Corporation                          93.4     
Code of Ethics Publicized Throughout the Corporation               67.1     
Code of Ethics Includes Anti-Bribery Provisions                    35.9     
Code of Ethics Defines "Grease Payment" Provisions                 14.0     
Code Administered Via Internal Control Functions                    8.7      
Code Compliance Included in Internal Control Functions             58.6     
Key Managers Annually Certify Code Compliance                      35.6     
Code Compliance Monitored Annually in Other Ways                   20.2     
FCPA Compliance Report Provided to the Audit Committee             10.7     
FCPA Compliance is Audited by the Independent Auditors             25.8     
                  
Upgrading Compliance with Written Anti-Bribery Policies

Increased Involvement of the Audit Committee
To comply with the FCPA, management must establish and monitor a written code of ethics prescribing appropriate behavior, identifying penalties for noncompliance, and developing effective programs to insure adherence to these procedures. As shown in Figure A, the audit committee must work with such parties as internal and external auditors, management accountants and top management to assure that FCPA requirements are met. Marsh and Powell[34] stress that effective audit committees use charters to emphasize that they receive adequate information from management and both types of auditors. Some elements of the charter include authorizing adequate resources to discharge its responsibilities, methods to enhance both types of auditors' independence, means to strengthen the internal control structure and otherwise assure compliance with the FCPA's provisions.

Certification of Compliance by Key Personnel
While management is responsible for establishing internal accounting controls, most violations of the FCPA occur when management overrides these controls.[35] Just as independent auditors obtain management's representations to confirm oral or implicit representations and to remind management of its primary responsibilities for the financial statements, audit committees should obtain management's written assurances that they have met the FCPA's requirements. As shown in Table Two, several survey respondents also indicated that management, rather than the committee, receives such written assurances, and two stated that they receive these reports "via their independent auditors."

Table Two

Corporate Personnel Providing Written Assurance of Compliance    Percent
Presidents                                                         88.6
Vice Presidents                                                    81.4
Other Corporate Officers                                           78.6
Directors                                                          58.6
Other Corporate Employees                                          32.8

The category "Other Corporate Employees" includes certain marketing, manufacturing and financial managers. The above table suggests that, while over half of the directors provide these assurances, a much larger majority of presidents, vice-presidents and other corporate officers must also comply, since non-director officials make many more day-to-day decisions than do directors and have more exposure to potentially illegal acts.

Audit Committee Review of Management Compliance Procedures
Written assurances alone do not relieve audit committees of the responsibility of overseeing compliance with the FCPA. To properly monitor internal accounting controls and to ascertain that compliance with the FCPA is based upon objective and competent evidence, audit committees should review management's evaluation of the adequacy of corporate internal control procedures and request that both types of auditors corroborate these conclusions. Management should also respond formally to pertinent comments found in the independent auditor's management letter and in internal audit reports. These responses should detail management's agreement or disagreement with the auditors' findings and resolve the problem or deficiency.

Recommendations of the Treadway Commission
The Treadway Commission, comprised of leaders from the AICPA, National Association of Accountants (now Institute of Management Accountants), Financial Executives Institute, American Accounting Association and Institute of Internal Auditors found that the most influential factor in deterring fraud (including, implicitly, violations of the FCPA) was the tone or atmosphere set by top management, the board of directors and the audit committee.[36] The Commission also recommended that all public companies maintain internal controls to provide reasonable assurance to prevent fraudulent financial reporting or subject it to early detection. Companies should also develop written codes of conduct. All publicly traded companies should also create internal audit departments whose directors have unrestricted and direct access to both the audit committee and the chief executive officer. Audit committees should also ascertain that the internal and external auditors coordinate their efforts.

The Commission stated that top management overseen by the board of directors[37] is primarily responsible for the company's financial reporting, and all public companies should establish effective audit committees to achieve this goal. These committees should (1) be informed and vigilant, (2) set forth their responsibilities in a written charter, (3) receive adequate resources to perform their duties, and (4) discuss with management and the auditors areas of potential internal control weakness, contingencies, claims and assessments--all areas directly relating to compliance with the provisions of the FCPA.[38]

The Commission encouraged all firms to adopt, publicize and enforce written codes of conduct that contain a conflict-of-interest and corporate policies of compliance with domestic and foreign laws, including those related to proprietary information, and also protect whistleblowers. The Commission emphasized that the audit committee should review compliance with the corporate code and report its findings to the entire board of directors.

These developments suggest that the FCPA will buttress the CPAs' study and evaluation of internal control structure. CPAs currently evaluate those controls and ascertain the reliability of accounting data to determine the nature, timing and extent of other audit tests, not to form an opinion on management's representations of the adequacy of the entire accounting control system. Yet audit committees will undoubtedly request CPAs to expand their scope to help the committee measure compliance with the FCPA. Approximately 92 percent of the surveyed audit committees not only reviewed the CPA's audit scopes, but several respondents noted that the audit scope had been expanded to enable the committee to determine adherence to the FCPA.

CPAs assisting audit committees in judging the overall adequacy of internal control should help ascertain if employees adhere to management's formal Code of Conduct. If such codes do not exist, CPAs can help prepare them and monitor adherence to them,[39] by (a) determining that all employees read and sign it, (b) evaluating the level of management's compliance monitoring and the adequacy of reporting deviations from policy and (c) scrutinizing the most susceptible areas of risk (considering the nature of the industry and the company's scope of operations). These findings can become part of the CPA's management letter, which audit committees should view as a partial indication of compliance to the FCPA.

Audit Committee Review of Internal Controls: FCPA Implications
Since internal auditors focus on improving the efficiency of corporate operations and strengthening the internal control structure, they should be primarily and directly responsible for adherence to this aspect of the FCPA. Audit committees should monitor internal auditors' operations and provide them with direct access to the committee. The survey found that 95 percent of the sampled firms' chief internal auditors had direct access to the audit committee. The remaining five percent observed that since the chief internal auditor reported directly to the chief executive officer and has direct access to the committee should the need arise, no reason existed to formally report to them.

In monitoring compliance to the FCPA, audit committees should coordinate the efforts of internal and independent auditors to minimize any duplication of efforts. About 85 percent of the sampled audit committees reported that they plan to use both types of auditors as their "independent financial staff" in gaining assurance of compliance with the FCPA.

The surveyed audit committees overwhelmingly (93 percent) reviewed the internal auditors' reports and suggestions for improving internal accounting controls and compared them with similar reports received from the CPAs--a process that helps audit committees ascertain if management rectifies all reported, material weaknesses in internal accounting control.

Conclusion

Compliance with the FCPA is still a challenge for many corporations. The survey results indicate that while most firms have codes of ethics, they often do not audit compliance with them, including adhering to the provisions of the FCPA. Although many internal and external auditors have given this area increased attention, the importance of this issue suggests that audit committees should monitor their progress and otherwise help them achieve full compliance with the FCPA's provisions.

As a result of the FCPA, financial statement users and governmental authorities expect greater audit committee involvement in the monitoring of corporate conduct. In turn, the committees must rely heavily on management and internal and independent auditors to assure compliance with the FCPA. Audit committees should initiate a "top down" approach to the problem, including reviewing compliance with corporate codes of conduct.

References
