Division of Research Graduate School of Business Administration The University of Michigan July 1980 BUSINESS DIVERSITY AND GOVERNMENT REGULATION: THE ACCOUNTING PROVISIONS OF THE FOREIGN CORRUPT PRACTICES ACT AS A CASE STUDY Working Paper No. 222 Robert K. Mautz Alan G. Merten The University of Michigan FOR DISCUSSION PURPOSES ONLY NONE OF THIS MATERIAL IS TO BE QUOTED OR REPRODUCED WITHOUT THE EXPRESS PERMISSION OF THE DIVISION OF RESEARCH.

Business Diversity and Government Regulation: The Accounting Provisions of the Foreign Corrupt Practices Act As A Case Study On the theory that some corporations are not as accountable to their shareholders and to the general public as they should be, the legislative and executive branches of the government have enacted laws and established regulatory bodies designed to oversee and influence the actions and activities of corporations and their executives. Either explicit or implicit in such laws and regulatory actions is the assumption that companies should conform to some acceptable norms or standards. A criticism of these laws and regulatory actions frequently mentioned by business spokesmen is that they fail to recognize and take into account the wide diversity among business units with respect to a variety of internal and external variables and conditions. Exchanges between business and government representatives on the extent, nature, and importance of diversity are seldom enlightening to either party for a number of reasons, not the least of which is the absence of credibility for claims of diversity that are often unsupported by examples or analysis. We have recently participated in an extensive study of internal control practices in U.S. corporations. That experience provided a rare opportunity to observe the extent of diversity in U.S. corporations.* The immediate incentive for the research was passage of the Foreign Corrupt Practices Act of 1977, which included accounting provisions requiring that systems of internal control be maintained within all SEC-listed companies and that such systems of internal accounting control provide reasonable assurance that certain stated objectives will be obtained. Our study contributed a *Internal Control in U.S. Corporations: The State of the Art, Financial Executives Research Foundation, New York, 1980.

-2 - number of insights into the relationship of regulation and business diversity. In the hope that our experience can contribute to a better understanding of the difficulties involved in reconciling the fact of diversity with the purposes of regulation, we offer some facts and some observations from the standpoint of disinterested but concerned researchers. The Foreign Corrupt Practices Act (FCPA) couples the prohibition of. bribes by U.S. companies and their representatives to foreign officials (and to candidates for such offices) for purposes of obtaining business, with a requirement that listed companies devise and maintain a system of internal control. The precise wording is as follows: TITLE I —FOREIGN CORRUPT PRACTICES Short Title SEC. 101. This title may be cited as the "Foreign Corrupt Practices Act of 1977." Accounting Standards SEC. 102. Section 13(b) of the Securities Exchange Act of 1934 (15) U.S.C. 78q(b) is amended by inserting "(1)" after "(b)" and by adding at the end thereof the following: "(2) Every issuer which has a class of securities registered pursuant to secion 12 of this title and every issuer which is required to file reports pursuant to section 15(d) of this title shall — "(A) make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer; and "(B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that — "(i) transactions are executed in accordance with management's general or specific authorization; "(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

-3 - "(iii) access to assets is permitted only in accordance with management's general or specific authorization; and "(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences." The close proximity of the antibribery and procontrol provisions of the act implies a strong linkage between bribes and internal control —that is, internal control systems should prevent, or at least reveal on a timely basis, the illicit activities which facilitated and concealed corrupt practices by U.S. companies in foreign countries. The Paton Accounting Center of The University of Michigan was asked by the Financial Executives Research Foundation to make a study of the state of the art of internal control practices in U.S. corporations. Our research included a questionnaire containing some 255 points (usable responses were received from 673 corporations) and a two-man, one-day interview program at each of 54 companies that obtained information from more than 350 executives. Our assignment was to describe the state of the art. We did so as fully and as objectively as could be done within the constraints of timely completion and available research procedures. In doing so, we had an extraordinary opportunity to observe diversity within U.S. business and to relate that diversity to the apparent legislative intent and practical consequences of the Foreign Corrupt Practices Act. As might be expected, a variety of impressions were reported by the seven members of the interdisciplinary research team. But, however different our interests and backgrounds, each of us came away from our research literally overwhelmed by the extent of diversity in business directly relevant to internal control. A repeated theme in many of the interviewees' and questionnaire responses was that existing practices were a direct result of

-4 - specific business situations and needs. Many practices which have important internal control implications are nothing more than sound business practices developed for or adapted to a given set of circumstances, often for the purpose of either controlling costs, increasing sales, or improving the quality of service. The character and manner of employment of these practices is highly dependent on the specific situation. The result is wide diversity in the nature and extent of internal control measures and in the reasons for the measures used in any specific system. We have little doubt that researchers seriously concerned with other business activities of similar complexity will find equal diversity. To avoid presenting a lengthy but unorganized list of differences, we have classified observed instances of diversity in the following categories for the purposes of this discussion: Differences in the nature of business activity Differences in external environment Differences in management background and attitude Business Activity. For years, the influence of business activity on internal control has been recognized in the auditing literature. A typical illustration is a comparison of the activities of a bank and a heavy equipment manufacturing company. Cash, especially in the form of currency, is an asset readily convertible to personal use. Inventories of raw materials or parts that cannot be used directly by employees and are difficult to dispose of in those markets that are available to them have much less appeal than does cash. Hence, banks are considered to have more important internal control problems than do most manufacturing companies which do not keep substantial amounts of currency on hand.

-5 - Out of the Watergate era and the sensitive payments experience associated with it came recognition of another kind of internal control problem based on the nature of business activity. The officers and employees of companies dealing in very big ticket items with limited markets and a minimal number of ways to meet aggressive competition apparently face temptations not known to equivalent staff members of companies that make and/or sell products of lower value in more open markets with a great variety of ways to meet competition. Under real or imagined pressure to make sales, some executives and employees resort to payments and supporting activities that members of Congress and others find to fall below the level of acceptable business conduct. At least two matters warrant comment here. One is that internal control is no longer, if it ever was, restricted to the activities of relatively lowlevel employees. Internal control is now expected to reach and influence the highest executive levels in a company. Second, internal control is expected to prevent, or at least deter, certain activities undertaken for the good of the company (yet viewed by Congress as unethical), as well as activities that benefit only some one or more persons at company expense. It seems apparent that the concept of internal control is changing significantly; it is becoming more inclusive in its purposes. The implications of that kind of change are not nearly so apparent, and one of the differences we found among companies was in the grasp their managements had on the importance of this change. Because of the increased scope of internal control, geographic dispersion of company plants and activities influences the control problem directly. As officers and employees increase their physical distance from corporate headquarters, they seem less inclined to accept the authority that

-6 - corporate headquarters represents. They tend to think of themselves as facing situations that headquarters neither understands nor appreciates adequately, thereby giving the local authorities reason to modify corporate rules and instructions because of observed local needs. Because U.S. corporations range from one-location operations to world-wide organizations subject to a seemingly infinite variety of customs and cultures, physical distance from the corporate office has a decided effect on the extent of internal control risks and the measures needed to meet that risk. With managerial and investor interest in diversification on the increase, the range of operating activities within some companies grows apace. A general concensus exists that the difficulty of establishing and maintaining internal control increases with the extent and range of diversification in activities within the company. Like geographical dispersion, diversification in U.S. corporations ranges from none in some unitary companies to a great deal in other companies encompassing activities which bear little or no relationship to one another as well as many possible levels in between these extremes. Accordingly, the characteristics and components of internal control systems likewise range over a broad spectrum. Differences in External Environment. One important feature of a company's external control environment is the market from which it draws its personnel. Some large companies headquarter in very small communities, in some cases so small that the company is the dominant institution in the community. Representatives from such companies often claim that such a location provides them with a personnel selection opportunity not available to companies located in metropolitan areas. "Everyone knows everyone. We work together, attend church together, serve on the PTA together, golf together. Our children know one another. There is no place to go if you get caught

-7 - with your hand in the till or you are involved in any kind of a scandal. When you live and work in a town like this, you face a strong incentive to avoid any kind of deviant behavior." Other company representatives contend that, partly because of the nature of their work, they draw their officers and employees from well-educated, highly motivated people unlikely to be interested in immediate and illicit profit carrying such high risks. Closely related is the matter of geographical location. Some localities have ethnic concentrations that emphasize education, integrity, and dependability. Even in a metropolitan area, such concentrations provide a stability of work force and an internal control advantage not shared by companies in other locations. Another aspect of personnel turnover and personnel quality leads to important diversity among companies. Companies with a high rate of turnover need a more formalized, well-documented system of internal control which can be applied by whoever happens to be holding the position at the time. The quality of personnel also has an influence. The control system in a highly technical scientific or engineering unit may be much looser with no disadvantage to the company than the control system in a company dependent on less well trained and motivated people. Certain skills are increasingly necessary as internal control becomes more important and as the operating and control environment becomes more complex. Our research reports that the internal control weaknesses of greatest concern are in data processing and in the development and monitoring of internal control measures. Skilled EDP technicians and managers are in short supply. So are competent internal auditors and especially internal auditors with a working knowledge of data processing. The ability of companies to find, recruit, and hold such professionals varies considerably.

-8 - We also found much diversity in the way that companies use those staff members they describe as internal auditors. Some were involved in wellorganized auditing programs. In other companies, the internal auditor was no more than an assistant to the controller assigned to "special projects." Some companies have deliberately changed the emphasis of internal auditing from financial to operational auditing in an effort to improve profitability. Others, under the influence of the FCPA, are reversing that trend. Management Factors. Quite a different set of variables, loosely describable as management factors, operates to provide diversity well beyond our expectations. Some of these involved personal talents and characteristics of the chief executive officer and his associates; others reflected deliberate decisions that may or may not have been influenced by the personal characteristics in question. Many of the executives interviewed during the conduct of our research expressed the view that a financial or legal background and education tended to make executives more alert to the risks and needs for internal control. Equally important in our own observations was any previous experience in the company's recent past that represented an internal control breakdown. We found that few things sharpened executive's perceptions of possible risks as much as an unfortunate experience demonstrating fully that internal control risks do exist and breakdowns do occur. Because of personal interest or experience, or for whatever other reason, some top level executives participate much more fully than do others in the actual establishment and maintenance of a positive internal control environment within the company. They talk about it in public presentations and in small group meetings, striving to impress on their associates their

-9 - own feelings about its importance. They provide the impetus for developing manuals and keeping them current. They demand reports from their internal auditors and give them every encouragement to monitor internal control practices in a satisfactory way. Others, as one would expect, have a lesser interest. Sometimes this is due only to the personal interests and experience of the officers themselves. In other cases, it is more a matter of giving time and attention to the most urgent problems. Among top executives in a company with many important problems demanding urgent attention, internal control, no matter how important it is in its own right, may have to wait until other matters even more vital to the company's survival receive attention. We do not wish to leave the impression that top managers impose a favorite style regardless of its appropriateness in a given situation because we did not find this to be true. Nevertheless, there do exist some significant differences in the ways that managers direct the affairs of their companies, and often these differences have implications for internal control. Centralization versus decentralization, strong headquarters control versus maximum local autonomy, defined responsibilities versus broad statements of goals to be achieved —these and other approaches impact internal control possibilities and practices. A company management that is engaged in a series of acquisitions unavoidably adds to a company ' s internal control problems because of the different practices and the different stages of development of internal control in some of the companies acquired. Similarly, a management that relies on a tight financial planning and budgetary approach to management is likely to have a different concept of appropriate internal control than a management that sets profit goals and leaves the operating units free to achieve those

-10 - goals in any way they can. Indeed, an intense pressure on goal achievement may itself influence the attitude of operating staff members toward internal control. Another factor that influences internal control is management's reliance on electronic data processing facilities for operational controls as well as for information. The more computerized the company's operations become, the more susceptible it is to computer shutdown or error, and the greater the impact of such a breakdown, should it occur. Unless proper measures are provided to protect the computer hardware and software, to prevent access to confidential files, and to provide some viable back-up service in case of computer failure, the internal control situation may verge on total collapse. While the risk involved in greater utilization of computers are substantial, the overall benefits appear such that the trend is likely to continue. As a result of background, attitude, experience, and the needs of the situation, some subset of the totality of internal control measures available to a company is selected and applied. Again we found considerable diversity among companies as to which specific procedures they used. Some part of this resulted from the fact that there appears to be little in the way of intercompany communication about internal control matters and measures, and until recently, there appeared to be little reason for such communication. Most of the systems we discussed tended to be ad hoc solutions to a company's needs as perceived by management. The test of adequacy of these ad hoc solutions was the company's experience. In the face of minimal known losses or breakdowns, the system was accepted. When experience showed a weakness, or changes in practice alerted someone to a possibility, the system might be changed or modifications added. An informal but effective kind of cost/ benefit balancing goes on all the time. Are we getting done what we want to

-11 - get done? Is there a better way of doing it? What will improvement cost? What have we lost under the present system? Given that experience, what do we think we might lose if we make no changes? Do we have any reason to change, given our experience? Those charged with responsibility for internal control often take a very pragmatic approach: "If it ain't broke, don't fix it." Size and Industry Differences. Our research assignment was not specifically directed at discovering differences in the state of the art of internal control practices in U.S. corporations resulting from company size or industry. Nevertheless, because we obtained information about size and industry in our questionnaire and in our interviews, we were able to arrive at some interesting conclusions about the influence of these factors on diversity fc among companies. Without any question;', they add to that diversity. For example: The larger the company, the more likely it is to: — convey to employees knowledge about the existence of its internal control system in manuals and documents — have an internal audit function — have a written code of conduct — have provisions for monitoring compliance with internal control measures — review and document its internal control system in response to the FCPA For example, while only 40% of the smallest companies had either an internal audit function or a written code of corporate conduct, 100% of the largest companies had an internal audit function and 97% of them had a written code of conduct.

-12 - As company size increases, the following also increases: — the size of the internal audit staff — the extent to which the internal control system is described in company manuals — company representativesi; assessment of the quality of its internal control system — the belief that the provisions for monitoring compliance with internal control measures are about right The influence of industry differences on internal control is not so easily described, yet if companies are classified into the seven basic SIC categories, we find that the employment of an internal audit function within the company ranges from a low of 83.3 percent for wholesale/retail companies to a high of 100 percent for financial institutions. Similarly, use of a code of corporate conduct ranges from a low of 48.1 percent for utilities to a high of 89.1 percent for agricultural/mining firm. Another difference, and not a surprising one, is that manufacturing companies view inventories and material handling as activities for which internal control is very important; transportation companies are more concerned with control over cash receipts. As our sample did not include a specific effort to obtain proportional representation by industry, these results are indicative only. Internal Diversity. One last aspect of diversity must be mentioned, if only because of its importance should public reporting of internal control become a requirement. When asked if the quality of internal control was consistent throughout the company, 72 percent of the respondents stated that it was not. When asked to rank the reasons why inconsistent quality of internal control existed within their companies, respondents provided the following order of reasons: 1. Permitted variations in local management style 2. Geographical dispersion

-13 - 3. Lack of management attention 4. Recent business acquisitions 5. Changes in key personnel 6. General personnel turnover 7. Differing standards of appropriate conduct arising from dissimilar cultural backgrounds Additional remarks in the questionnaire and observations from interviews provide insight into the reasons underlying inconsistent control practices and their quality. Divisions or units differ widely in the nature of their activities, organization size, organizational structure, and maturity. Adequate separation of incompatible duties may be impossible in small units. This kind of diversity encourages corporate management to permit local managers to select their own management style and to seek their own internal control solutions as long as results are satisfactory. Even if corporate management desired consistent control practices and quality, the geographic dispersion of operating units may not allow corporate officials to impose their control philosophy in any effective way on the daily activities of some units. Whether dispersed or not, the control practices in any unit are primarily dependent on the managers and other influential personnel within the unit. The quality of those personnel, the extent of training, their past experience, and the experience of the unit may strongly influence the internal control environment and practices within the unit. Similarly, differing interpretations of manuals and instructions, whether deliberate or unintentional, may influence the practices in effect. Finally, business acquisitions during the year may account for inconsistent controls until suchtiime as the new addition can be brought into conformity with other unit practices, sometimes a difficult result to achieve.

-14 - When one considers the variety of the causes of diversity, their possible extent in specific situations, and the ways they may combine and influence one another, the total number of combinations and permutations becomes staggering. In the face of that possibility, the regulator could conclude that diversity is something about which nothing can or should be done and that he must just accept it as an unfortunate complication and proceed. His question necessarily must be: Does it make any difference? Concerns of Corporate Executives. We respond to that query by citing the concerns of corporate executives as expressed to us in interviews and through the questionnaire. They do indeed believe that diversity makes a difference. A first concern is that the failure to recognize the extent of diversity and the variety of its causes will unavoidably lead to unwarranted expectations. Absent such an appreciation of the complexity of internal control, those people unacquainted with business will anticipate a simplicity and conformity totally impractical of attainment. Why cannot every company have excellent internal control? If one company can do so, why not all? If the law makes no adequate allowance for the extent of diversity that actually exists, how can courts and the public be expected to do so? A reading of the act leaves one with the impression that internal control adequate to achieve the purpose of the FCPA is a simple matter of management requirement. Executives argue convincingly that the facts of business life are entirely different from that simplistic assumption. They state: "We fear the expectations that this law encourages." Executives also point out that a rule that takes no account of differences in circumstances cannot be applied equitably to all the variety of circumstances in which it applies. For example, should a small company

-15 - drawing its employees from a limited labor market in a small community where standards of personal integrity and performance are high be required to employ all the same procedures as a large company in a metropolitan area taking employees from a much more diverse market? Must a company that is in a low internal control risk industry but is facing other problems of survival devote the same attention to internal control as the company that has no other survival problems but has had a bad internal control experience? Questions of this kind illuminate the potential inequities in the administration of an act that does not appear to recognize adequately the extent of diversity in the activity it seeks to regulate. Another complaint of corporate executives is that of forced cost incurrence without significant benefit. An act that includes criminal penalties for executives convicted of failure to comply is not one to be taken lightly. A flurry of compliance activity followed recognition by the business community of the requirements and importance of the new FCPA. Although we found a wide range of responses to the act, there is no question that many companies incurred substantial costs, either in making certain that they were complying or in establishing a record of compliance which they hoped to use in a defensive sense if ever charged with noncompliance. In some cases, massive efforts to document or formalize internal control practices were found to be underway because it was anticipated..that documentation and formalization would be viewed as compliance with the FCPA in the eyes of the regulators. Because the requirements of the act were not as precise as they might be, what constitutes either compliance or noncompliance is not all that clear. Consequently, many companies, in a spirit of prudence, did considerably more then they believed absolutely necessary.

-16 - Some companies assigned to their corporate controller and divisional controllers a thorough review and documentation of the company's internal control system. Others relied on the internal audit staff or, in some cases, called in independent public accountants to advise or otherwise help with a compliance review. Other companies, confident that nothing in their past records or future activities was likely to draw the attention of the SEC, and also satisfied with their past record for internal control, did little or nothing. Our experience was that many of the companies with the best controls were the most cautious in their efforts to be prepared for any eventuality. Some companies with what can only be called marginal systems went blithely along with little or no response. Not all of this variation can be attributed to the lack of clarity in the act, although a substantial amount can. A significant part of the lack of response to the act results from unawareness of its nature and importance, and even of its very existence. One of our observations was that concern with compliance sometimes led companies to undertake actions, including the installation of control measures, that were intended more to make a record than to actually improve controls. The FCPA encourages the adoption of those measures which give the appearance of strong controls regardless of their actual usefulness, and discourages more informal types of control that may be equally effective. A final concern on the part of corporate executives is that the concern with improved controls and compliance required by the act will demand time, energies, and other resources that might well be spent more productively elsewhere. There is nothing in the act to suggest that cost/benefit analysis of proposed additional controls should take into account the opportunity costs of using those resources for internal control purposes. The law

-17 - mandates controls that accomplish certain objectives no matter what the company's other needs may be. Some executives suggest that the act creates a mood of defensiveness and caution that is the antithesis of the innovative, risk-taking role essential for success in a competitive, market-directed economy. Conclusion. Putting all this together, we see the Foreign Corrupt Practices Act and its accounting requirements as something of a classic confrontation of diversity and regulation. If those responsible for the wording of the act had any real awareness of the extent of diversity in American industry with respect to internal control conditions, systems, and practices, the act does not show it. Is it then a bad law? We would rather describe it as an unfortunate one, and we use a simple analogy. One never knows just how rigorous an examination is until it is graded. In the same way, the FCPA has the potential to become something of a disaster if attempts are made to apply and enforce its provisions uniformly and strictly. On the other hand, if it is administered with some caution and awareness of the diverse population on which it is imposed, it may be little more than a very expensive means to effect some improvements in internal control. And that leads us to another question. Need the government be so awkward in its attempts to prevent unwanted activities? We have the strong feeling that if a state of the art study of internal control practices in U.S. corporations had been completed and made available to Congress before the FCPA of 1977 was placed before it, we would have had a substantially different piece of legislation that would accomplish the purpose of that act far more efficiently and economically.

-18 -Bibliography Mautz, Kell, Maher, Merten, Reilly, Severance, and White, Internal Control in U.S. Corporation, Financial Executives Research Foundation, New York 1980.