previous in series || table of contents || next in series

INTERNAL ACCOUNTING CONTROL :
IT'S THE LAW

by
Dr. D. R. Carmichael
Vice-president--Auditing, AICPA
February 11, 1980

[Introductory note: Dr. D. R. Carmichael, CPA, is vice president -- auditing of the American Institute of Certified Public Accountants and directs the organization's Auditing Standards Board. Prior to his appointment in 1978, he served the AICPA as its vice president -- technical services. Before that he was managing director -- technical services, director of the auditing standards division, director of the research division, and editor of the accounting and auditing column of The Journal of Accountancy.

Numerous articles by Dr. Carmichael have appeared in professional periodicals, and he is co-author of two widely used college texts on auditing -- Auditing Concepts and Methods and Perspectives in Auditing. He is also author of the first auditing research monograph published by the AICPA -- The Auditor's Reporting Obligation, a co-editor of the book on the third Seaview Symposium -- Corporate Financial Reporting: The Benefits and Problems of Disclosure, and the principal writer and editor of the report of the commission on auditors' responsibilities.

He has served on the faculties of the University of Texas at Austin, the University of Illinois, Columbia University, New York University, and Baruch College and has acted as a consultant to public accounting firms.]

How would you feel if you could be fined or jailed because your checkbook didn't balance -- even if you didn't write a bad check? Or how would you feel if you could be fined or jailed even if your checkbook was in balance, but you failed to reconcile it monthly? Believe it or not, that is the position of all public companies subject to the Securities Exchange Act of 1934. What was once considered prudent business practice is now the law of the land; the Foreign Corrupt Practices Act is that law.

The FCPA has been in effect for over three years, and it has two main parts. The first part makes it unlawful to bribe foreign officials or politicians to get or to keep business. This part is administered by the Department of Justice and covers all U.S. companies. Its subject, "anti-bribery," is what you would expect from the title of the law.

The other part, which the law calls the "accounting standards," establishes requirements for accurate accounting records and sound internal accounting control. These requirements apply to domestic as well as foreign transactions and locations but only to public companies subject to the 1934 act, and they are administered by the Securities and Exchange Commission. The fact that the law applies to both domestic and foreign transactions has caused some observers to label the act's title as "very misleading." And, perhaps even more significant, no bribe (foreign or domestic) has to be involved for the SEC to invoke this part of the law.

My thesis is that the FCPA's origin has many parallels with the passage of the federal securities acts in 1933 and 1934 and that the SEC's administration of the securities acts provides important insights into the implications of the FCPA for business, society and public accounting.

Passage of the securities acts -- a parallel

On Tuesday, October 29, 1929, the bubble burst on Wall Street. Over 16 million shares were traded on the New York Stock Exchange. This resulted in a loss in share value of over $10 billion -- twice the amount of currency in circulation in the whole country. It was the culmination of a financial disaster estimated to have resulted in losses of $50 billion. A worldwide depression followed.

The scandal resulted in the passage of the federal securities acts, but the form of the legislation with its emphasis on financial disclosure and audited financial statements had little to do with the causes of the crash. Speculative fever gripped the nation. Everyone borrowed to the hilt to buy stock. Unscrupulous traders formed pools designed to manipulate the price of stock.

In a recent popular book giving a full history of the crash, The Day the Bubble Burst, by British reporters Gordon Thomas and Max Morgan-Witts, there isn't a single mention of false or misleading financial statements. (1) Indeed, there is little evidence that financial statements published before passage of the securities acts were fraudulent or misleading or that required disclosure has made them more useful to investors. According to George Benston, a professor at the University of Rochester, in 1929, stocks of 100 companies on the NYSE were manipulated by pools. All 100 companies published financial statements for at least two years before the crash with better than average disclosure.

The hearings on the securities acts actually produced only two revelations of deceptive or dishonest financial reporting. Yet the common opinion today is that the securities acts were needed to correct abuses in financial reporting and that poor disclosure or lack of auditing were big contributors to the stock market crash. The legislative response to the newspaper reports of scandals and the general public's demand to "do something" were shaped largely by special interest groups' demands of investment bankers and reformers rather than by objective analysis.

Passage of the FCPA -- history repeats itself

The FCPA also resulted from a public scandal, and the specific form of the legislation is also at variance with the causes of the scandal. Nearly 450 companies -- including some of the biggest in the country- are known to have made kickbacks, bribes or other questionable payoffs. The so-called culprits range from Bell Helicopter, a subsidiary of Textron, Inc., to giant oil companies such as Gulf Oil Corporation and Exxon Corporation. The litany of corporate misdeeds reported daily in the press shocked the public and toppled two foreign heads of state. Some secret payments were recorded and inadequately described; others were made from off-the-books funds set up for that purpose. A tire manufacturer listed payments as CDs for "crooked deals."

In all but a few cases, however, payments were authorized by an official acting within normal pre-scandal authority. In certain fields -- transportation, liquor and military sales-payoffs had been common for years. Thus, the payoffs were not the result of poor internal control. No system of internal control -- no matter how well-designed and policed -- can prevent misjudgment or immorality on the part of an officer with authority to approve transactions. Yet the conventional idea has developed that "the proven inadequacy of systems of internal control" or "accounting gimmicks" were significant factors in corporate bribery.

Thus, there was a public scandal and Congress was under pressure to take action. The FCPA was the legislative solution to the problem. The prohibition of bribery was responsive to this problem, but the "accounting standards" were a special-interest addition. The special-interest group was the SEC. It asked to have an existing rule-making proposal of its own incorporated in the FCPA.

The internal accounting control provision

The focus of the accounting standards in the FCPA -- internal accounting control -- is largely an invention of accountants and auditors. Management has many objectives in operating a business and establishes controls to ensure that results meet those objectives. Management has no independent need to classify controls and has difficulty separating internal control from managing a business. Classification of one group of controls separate from the other controls needed for the orderly and efficient conduct of business was the idea of accountants and auditors.

Controls can be classified in many useful ways. Auditing literature combines classification by objectives (such as safeguarding assets) with classification by jurisdiction (accounting vs. administrative controls). Note that it is a combination and not exclusively jurisdictional. Accounting controls are not confined to the accounting department.

The FCPA adopts the definition of accounting control in the auditing literature. The broad objectives are asset safeguarding and reliable accounting records. More detailed objectives concern: (a) transaction authorization; (b) transaction recording; (c) restricted access to assets; and (d) accountability comparisons of asset counts to records.

Since this definition of internal accounting control is adopted in the law, the distinctions made by accountants may determine whether an action is a poor business judgment or an illegal act. However, it is often difficult to separate accounting controls from other controls.

The complexity of the classifications can be illustrated by considering the objective of safeguarding inventory. Internal accounting control protects against unintentional exposure to risk. Determining the intentional exposure is a business policy decision. Setting the acceptable level of inventory shrinkage is a management judgment and a matter of administrative control. Comparing actual to planned shrinkage is an accounting control. Establishing a budget is an administrative control; using the budget to detect variation from plans achieves an accounting control objective. Auditors are not concerned with whether inventory shrinkage should be 2 percent, 4 percent or 6 percent. They are concerned with whether the system will promptly detect shrinkage that exceeds the established level. These distinctions, however, may be overlooked by non-accountants.

Auditor involvement -- a short history

Auditors have flirted with expressing an opinion on the "adequacy" of a system of internal accounting control for years. The CPA Handbook, issued by the American Institute of Accountants shortly after World War II, discussed an auditor's responsibility to include a judgment on a system in the opinion on financial statements if it was determined that the system was "poor." (2)

The feasibility and desirability of expressing an opinion on a system of internal control were debated among accountants in the following years. The feasibility of expressing an opinion on the "adequacy" of a system was seriously questioned. There is no formula to determine the adequacy of a system. Also, auditors knew the link between inadequate controls and modification of audit procedures was poor. Desirability was also questioned because users might easily misunderstand the Significance of an opinion. Every system has inherent limitations; no system is perfect.

The last serious look at the topic before the current interest generated by the FCPA was during the late 1960s. Statement on Auditing Procedure no. 49, Reports on Internal Control, made issuance of reports on internal control a management option, but the report form was so hedged to avoid user misunderstanding that it was a triumph of precision over comprehension. SAP no. 54, The Auditor's Study and Evaluation of Internal Control, stimulated a reexamination of the audit process in CPA firms that resulted in current firm materials that needed only slight retooling for use by clients in adopting programs to comply with the FCPA. The key is a systematic approach to evaluation that depends on comparing control procedures to control objectives by class of transaction or asset. If procedures won't provide assurance of achieving the objectives, there is a weakness. How to decide whether the weakness precludes sufficient assurance is a current debate. Statement on Auditing Standards no. 20, Required Communication of Material Weaknesses in Internal Accounting Control, was either a holding action or one shoe being dropped depending on your viewpoint. It acknowledged an obligation to communicate material weaknesses to senior management. It also pledged a continuing study of expressing an opinion on a system of internal control.

Internal control is an integral part of the management of a corporation, and internal accounting control is a difficult to define part of it. Thus, the FCPA provides the SEC with authority over important aspects of corporate management activity. Auditors have long been associated with internal accounting control and have given serious consideration to publicly reporting on the condition of a control system. Thus, the SEC can be expected to involve auditors in its administration of the FCPA.

SEC administration of the FCPA

The SEC's administration of the securities acts -- including the FCPA -- involves both enforcement and rule-making. In pursuing administration of the FCPA, the SEC will be interested in ensuring that no major scandal similar to the illegal payments scandal recurs and using the FCPA to achieve other goals that will prevent or reduce management violations of fiduciary responsibility. The SEC receives no benefits from taking risks. If it can avoid a serious fraud or scandal by imposing rules, its benefits will exceed its costs. (The SEC is serious about this even though auditors and corporate executives warn that the FCPA accounting provisions cannot guarantee this result.)

In enforcement actions, the SEC has already demonstrated the flexibility of the FCPA to reach any violation of management's fiduciary responsibility. The FCPA has been invoked in court actions involving diversion of corporate assets with no hint of foreign bribery. The Aminex case involved charges of falsified accounting records and weaknesses in internal accounting control. The Wyoming Coal case also involved violations of both aspects of the accounting provisions but no bribery. These cases demonstrate that the law that resulted from foreign corrupt payments goes well beyond the stimulating scandal.

A proposal for "disclosure"

In rule-making, the SEC has proposed "disclosure" requirements that have been widely misunderstood because they have been analyzed at face value as disclosure of information. The SEC proposed that companies state in 1979 annual reports whether the internal control systems provide reasonable assurance of meeting the control objectives specified in the FCPA at the end of 1979. In 1980, the same representations would have been required for the entire year rather than only at year-end. Auditors would have been required to state whether they disagreed with that judgment in 1979 and to positively state agreement in 1980. This proposal has been analyzed as if it were similar to disclosure of replacement cost data or line-of-business (segment) data. It has been viewed as another "accounting headache" rather than recognized for what it is -- a permanent electrode planted in the figurative brain of every corporation subject to the 1934 act.

Nevertheless, the proposal attracted a barrage of nearly 1,000 comment letters -- almost all of them against it. The SEC delayed action for 1979 and may adopt a milder version for 1980 or later. The delay has been characterized as "a staged retreat" that "threatens to become a rout." However, I believe the proposal is only the opening battle in a long war.

The SEC and the courts have always interpreted the securities acts to meet changing public expectations, In today's public climate, deregulation is almost automatically praised and increased regulation opposed, but the climate can change quickly. Since the FCPA is part of the law, it will not change and cannot be influenced by public attitudes. Future enforcement actions and rulemaking are limited only by the FCPA, which is tantamount to a federal code for corporations developed and enforced by the SEC.

The securities acts are based on disclosure and most of the SEC's rule-making involves requirements for disclosure of information. Thus, it is probably natural that the recent internal accounting control proposal was put forth and has been analyzed as a matter of disclosure. However, disclosure is not the objective.

The actual objective -- compliance

Initial consideration of reports on internal control by the AICPA and past use of reports on internal control in practice involved reports closer to a management letter than an opinion. These reports are relatively detailed and describe weaknesses. They are useful primarily to those who can make changes in the system or base decisions to withhold funds on the condition of the system. However, the SEC proposal contemplated removal of weaknesses, not disclosure of them. It was structured to achieve compliance with the FCPA and not to provide information content, even though the SEC argued that its objective was to provide information to investors.

A management statement to meet the requirements of the proposal could be nothing other than a paraphrased declaration of compliance with the act. By proposing reporting as of the end of 1979, the SEC would have permitted companies to correct weaknesses during 1979 and not disclose them. This grace period would have exerted pressure to get the house in order.

The SEC suggested that one of the benefits of the proposed management statement would be increased assurance of the reliability of un-audited interim financial information. However, no case has been made that such information is now unreliable, and a disclosure provision on internal accounting control is too indirect a method. The SEC requires certain registrants to have interim data reviewed by their auditors. The review requirement could and should be expanded to other registrants if the SEC is really concerned about the reliability of interim data.

Finally, the proposed management statement used the same standard for an exception as for a violation of the FCPA "reasonable assurance." Both the FCPA and the proposed disclosure requirement had no materiality limitation. Since immaterial information is unlikely to affect the market price of the issuer's securities, the proposed disclosure is obviously more concerned with achieving compliance than providing information useful to investors.

Also, the reasonable assurance standard would allow management to avoid disclosing weaknesses if it could justify the costs of correction as exceeding the benefits of reducing the risk of an error or irregularity. In other words, a material amount of assets could theoretically be at risk, but the risk would not be disclosed if cost of correction exceeded the potential monetary effect. The AICPA has pressed for a standard dependent solely on materiality and risk, but the SEC has clung to the cost-benefit approach under reasonable assurance.

The economics of "disclosure"

In addition to arguments against the constitutionality of requiring a declaration of compliance with the law and objections to the law's subjectivity, some have argued that the proposed management statement and companion auditor involvement should be subjected to a rigorous economic analysis of the costs and benefits of disclosure.

The unscholarly analysis is that with an estimated 20 percent increase in audit costs combined with internal costs of documentation and review, the overall cost will be over $160 million annually. Since the highest estimates of illegal payments made over many years place them at a total of $300 million, it will soon cost more to stamp out bribery than to allow it.

A scholarly analysis would attempt to determine whether disclosure would be rewarded in the marketplace by increased returns on stock price or whether alternative incentives for disclosure would provide information without disclosure regulation. However, this approach should not be expected to be any more convincing than similar research related to financial disclosure under the securities acts.

The fact that research does not support the need for regulation of disclosure to produce all the financial information that investors need has not stimulated any serious consideration of repeal of the securities acts. Thus, the fact that the SEC's rule-making to achieve compliance with the FCPA may not be cost beneficial as an informative disclosure, or even that the costs of the FCPA may not be economically justifiable, will not result in repeal of the FCPA or impede so-called disclosure requirements.

The real question -- what will the SEC do?

The real question is not how the SEC will modify its disclosure proposal or what the requirements will be for 1980, but how the SEC will use the FCPA over the next 45 years in enforcement and rule-making.

In 1934 it was probably of great interest to know which financial statement disclosures would be required in 1935. However, consider what has happened in the intervening years with the securities acts which granted broad jurisdiction to the SEC over audited financial statements. The SEC's impact on financial reporting is readily apparent in the extensive body of accounting rules either issued by the SEC or issued by the AICPA or the Financial Accounting Standards Board under the SEC's oversight.

The audit requirement in the securities acts assured a minimum demand for audit services and tied the growth of the accounting profession to the securities markets. It also strengthened the auditor's ability to influence the presentation of financial statements and resist client pressures, and it gave stature to the accounting profession's standard setting.

Rule-making and enforcement by the SEC or standard setting by the accounting profession acting under the threat of the SEC's rule-making power have resulted in a rigid definition of auditor independence; impediments to changing auditors; codification of auditing standards and procedures; defensive auditing practice in response to liability; and a self-regulatory organization with quality control and peer review requirements. With this perspective, what are the possible implications of internal accounting control as a law administered by the SEC?

Some predictions

I believe that SEC rules on the control procedures and documentation required to comply with the FCPA will remain flexible, but there will be a trend toward more detail and selective use of authority to achieve particular goals. Certain things will be required, but no comprehensive rules on how to comply with the FCPA will be issued.

The control environment as stressed in the SEC disclosure proposal will be a fertile source of specific requirements. It is a mixed bag of conditions, methods and goals which include organizational structure, competence and integrity, and budgets and financial reports. Many auditors believe that the control environment is too broad to be useful in reviewing a system, and they object strenuously to the idea that evaluation of the environment is an essential prelude to an evaluation of the system. They contend that controls must be tested and evaluated in specific applications. The control environment is viewed as either untestable or, at best, a source of background information. However, environment, according to the SEC, includes the audit committee; the internal auditor; a corporate code of conduct; and documentation of policy and management's review. Thus, emphasis on the control environment in rule-making and enforcement can and, I believe, will be used to ultimately require, for example, audit committees and possibly to secure a bigger role for internal auditors.

The relative responsibility of management and the independent auditor for information on internal accounting control will remain flexible and be debated just as it is for financial statements. The balance will shift back and forth depending on the SEC's immediate objective.

In auditing practice, there will be a trend toward greater uniformity in the approach to auditing and better integration of the general and computer aspects of an audit.

SEC rule-making and enforcement will shift the risk/cost ratio of incurring costs for documentation, auditing and other surveillance. These costs will fall disproportionately on smaller companies, and the results will be increased barriers for entry to public securities markets and less capital for innovation and expansion.

Other federal, state and local agencies will seek authority comparable to the SEC's and implement similar "disclosure" requirements. Prime candidates for such regulation are banks, casinos, charities and municipalities.

Educators will revise the accounting curriculum to view accounting as involving both information and control with equal emphasis on control.

The primary point

However, the primary point is that the FCPA -- and SEC administration of it -- is not temporary regulation. The FCPA is the law, and it makes internal control the law. Thus, attention to current proposals, such as disclosure concerning internal control, should not cause us to lose sight of the fact that the FCPA is not simply another section of the securities acts. It is the most potent enforcement and rule-making tool ever placed at the disposal of a federal agency.

(1) Gordon Thomas and Max Morgan-Witts, The Day the Bubble Burst (New York: Doubleday & Company. Inc., 1979).

(2) CPA Handbook, vol. 2., chap.16 (New York: American Institute of Accountants. 1953). p. 16.

QUESTIONS AND ANSWERS

Question -- Dr. Saxe:
I want to know about the effects of materiality; does it apply to the bribery section as well as to the internal accounting control section, and if it differs, what is the difference?

Answer:
Materiality doesn't apply in either section. My concern was that as a matter of disclosure, the SEC proposal -- by ignoring materiality -- was obviously not intended to provide information. If the concern was with providing information to investors it would be reasonable to apply some kind of materiality standard. The fact that a materiality standard was applied in required disclosure would in no way change the law and its enforcement side. For enforcement purposes, any difference in the accounting records or weakness in controls can be used to support a charge that a company has violated the Act. The burden would be on the company demonstrating that the failure to correct the weakness was based on a careful evaluation of the cost and benefits and that they had made and documented their judgments. The only out provided in the act with respect to the internal accounting control provision is cost-benefit. For the accurate books and records provision, any mistake in the accounting records would be an inaccuracy and might be subject to prosecution. There is some general wording I believe, that the books and records should "accurately and fairly reflect in reasonable detail."" But that's not materiality, and the discussion of those particular words is also very sparse in the legislative history.

Question:
What's holding up the proposal the SEC made in March for disclosure by management of a statement on internal accounting control?

Answer:
When the SEC made the proposal it asked for comment letters and received over one thousand responses. Almost all of them were against the proposal. Thus, the public climate was not favorable for the kind of disclosure proposal the SEC had made, so time was needed to revise it. Too much time elapsed for the SEC to adopt any requirement for 1979 year-end filings. I believe at this point the SEC still has not figured out what to do. We've had continuing discussions with the SEC staff. They would like to have confidence that all registrants have a system of internal accounting control that will provide reasonable assurance of preventing illegal payments in amounts that are qualitatively material, even if quantitatively immaterial. If a payment would have to be disclosed under some provision of the Securities Acts it would be qualitatively material. The Chief Accountant's staff, I believe, would like to find some way to have the independent auditor provide assurance that there are no weaknesses that would permit illegal payments in amounts that would be qualitatively material. Of course, there is no way for any system to prevent illegal payments in amounts that are quantitatively immaterial. But the Internal Accounting Control provision was sold to Congress on the basis that it would prevent these kinds of things from happening and the SEC staff clearly believes that objective must be achieved. How to do it at a reasonable cost is the problem and no one seems to have a ready answer.

Question:
How was it sold to Congress so easily?

Answer:
The way legislation usually is passed. There was a real uproar and concern, a lot of attention nationally was focused on the issue. Hearings were held. The Chairman of the SEC testified and said that the accounting control provision was necessary to prevent bribery and would assist the SEC in doing that. The proposed legislation had four parts and two parts were taken out largely as a result of the testimony of a representative of the accounting profession. However, the two remaining provisions on accurate books and records and required internal accounting control, were certainly the most important and basic.

They were adopted almost exclusively as a result of the SEC's urging.

Question:
How difficult might it be to prove in court that a company had a system that provided reasonable assurance given an actual diversion of funds or fraud of some kind?

Answer:
It would be very difficult to prove. A company would need to demonstrate good faith. I believe that that's why there is pressure to take steps that are regarded as necessary to demonstrate compliance, such as having an audit committee, adopting a code of corporate conduct, having an internal auditor to provide surveillance of areas that might involve illegal payments, and obtaining confirmations from officers in key positions that in their areas there is an adequate system of internal accounting control. This is a kind of a due diligence demonstration. The more that a company can do of that nature, the more defensible position they're in. Nevertheless, proving that the controls that would have prevented a fraud that occurred were not cost beneficial is going to be very difficult because inevitably they'll be based on some probability evaluation -- the chance that that kind of fraud might occur. However, when a company ends up in court the probability will be one, or one hundred percent. So the original estimate of the risk of loss will apparently have been inaccurately measured, even though it might have been the best possible estimate. Thus, the cost benefit computation that a company went through in the decision to adopt or not adopt a set of control procedures that would have prevented a particular fraud isn't going to carry much weight at all. However, if they can trot out enough people that say wonderful things about the kind of system they have and the code and what the internal auditors do and how much the audit committee does and all of that, that might carry some weight. Even though it might have nothing to do with preventing that particular fraud.

Question:
Why did you say that the cost of compliance, the costs involving documentation and increased auditing costs and so on, would fall disproportionately on smaller companies? Also, what effect will that have on those companies?

Answer:
The cost is disproportionate because, for example, the cost of producing a policy manual is a relatively fixed cost. The cost of producing a policy manual for a huge company is not going to be that much greater than the cost for a smaller company. This will mean that the costs of being a public company are that much greater so that there will be barriers to entry to the securities markets. The cost to a company of selling securities in the public markets will go up. This is one of many areas where the costs fall disproportionately on small companies. Today, there is substantial concern with trying to alleviate other costs of regulation that are seen now as inhibiting the growth of smaller companies and the ability of small companies to use the securities markets. The SEC is devising new forms to make it easier for those companies to file, and providing exemptions and so on. However, when a new proposal like the disclosure provision of the Foreign Corrupt Practices Act comes along, the SEC is reluctant to exempt smaller public companies because all companies have to comply with the Act. It's possible that after many years these increased costs and the fact that they fall disproportionately on smaller companies will be recognized by some Presidential Commission on Small Business and then repeal might be considered, but the argument doesn't carry much weight now.

Question:
Are there different reporting requirements or other requirements for domestic versus foreign corrupt practices?

Answer:
There are none. Even though it's called the Foreign Corrupt Practices Act, the requirements that relate to accurate books and records and internal accounting control do not have to involve foreign locations and they do not have to involve corrupt practices. The SEC can and has invoked those provisions of the act without any bribery, foreign or domestic, being involved.

Comment -- Dr. Mellman:
Apparently, the Act has already made itself felt in the academic institutions, not in terms of the curricula, but rather what we see is that corporations are coming on-campus recruiting for accounting graduates of the calibre that normally gravitate to public accounting firms. Thus, for example, we have within a very short of time Morgan Guaranty, IBM, and Bethlehem Steel coming to Baruch to recruit undergraduate accounting majors. They're looking for the types of people that would normally be picked up by large accounting firms and they're offering a substantially higher salary, all with the intent of beefing up, and this is my understanding, their internal audit staff, and this is a growing factor in the recruiting process, as I see it.

Comment -- Dr. Carmichael:
In general one of the results of the Act is the transfer of wealth to the accounting and legal segments of the economy.

 


previous in series || table of contents || next in series

Newman Library Digital Collections