Division of Research
Graduate School of Business Administration
The University of Michigan
July 1980

INTERNAL CONTROL AND THE FOREIGN CORRUPT PRACTICES ACT

Working Paper No. 226

Alan G. Merten
Dennis G. Severance
Bernard J. White
The University of Michigan

FOR DISCUSSION PURPOSES ONLY
None of this material is to be quoted or reproduced without the express permission of the Division of Research.

INTRODUCTION

Corporate management's long-standing concern with effective internal control was reinforced by passage of the Foreign Corrupt Practices Act (FCPA) of 1977.[1,2] A key provision of the law requires that every SEC reporting company devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that transactions are properly authorized and recorded, access to assets is limited, and periodic reconciliations are made of records with assets.

The internal controls provision has aroused interest and concern among knowledgeable executives for several reasons. It is not limited to material transactions (i.e., those which would have a measurable impact on corporate financial statements). It applies to domestic as well as foreign transactions (despite the law's title). Willful violation of this or any other provision of FCPA is punishable by imprisonment for up to five years and a fine of up to $10,000. And the broad language of the provision appears to have the potential of involving almost any corporate transaction at any level of the firm, since most involve the use of corporate assets.

While some ambiguity remains about actual management responsibilities under the law (ambiguities which will eventually be resolved only by SEC enforcement action and court interpretations), a persuasive case can be made for viewing them broadly. This posture makes it imperative to ask the following question: how can an executive provide "reasonable assurance" about the adequacy of internal control in his or her firm? It is to this question that a major research study in which the authors participated was addressed.

[1] Hurd Barach, "The Foreign Corrupt Practices Act," HBR January-February 1979.
[2] Hurd Barach, "The Audit Committee: A Guide for Directors," HBR May-June 1980, pp. 174-186.

THE RESEARCH

In late 1978, the Financial Executives Research Foundation (the research arm of the professional organization of chief financial officers and corporate controllers) commissioned a study of the state of the art of internal control in U.S. corporations. The study was undertaken by an inter-disciplinary research team of seven faculty members of the Graduate School of Business Administration at The University of Michigan. A key assumption behind the research was that a rational response to the FCPA, as well as an assessment and strengthening of an individual firm's controls, could best be undertaken against a backdrop of data on prevailing practices.

The study, conducted in 1979, drew on two major sources of information:

(1) On-site interviews with corporate executives in 50 U.S. corporations randomly selected from the Fortune 1300. Chief financial officers, controllers, legal counsel, internal auditors, data processing managers, and a variety of other staff and operating executives were included. A total of over 350 executives were interviewed.

(2) A questionnaire completed by 673 firms representing a broad cross-section of industry types and company sizes. Two thousand questionnaires were mailed to the chief financial officers of the Fortune 1000, and an additional 1000 members of the Financial Executives Institute.

The purpose of this article is to highlight some of the findings of the study in the following areas:[3]

(1) corporate response to the internal control provision of FCPA
(2) executive perceptions of their most significant internal control risks
(3) executives' self-assessments of the effectiveness of their firms' internal controls.

[3] For a full report of the findings see R. Mautz, W. Kell, M. Maher, A. Merten, R. Reilly, D. Severance, and B. White, Internal Control in U.S. Corporations (New York: Financial Executives Research Foundation, 1980).

CORPORATE RESPONSE TO THE INTERNAL CONTROL PROVISION OF FCPA

Two key questions have faced the corporate community since passage of the FCPA: what are an executive's responsibilities under the law, and what is an adequate response to the Act? Some authorities have argued for a narrow interpretation of the term "internal accounting control." Under this interpretation, a company would satisfy the law by recording all financial transactions accurately and fairly in its books and records. Others, however, argue convincingly that it is more prudent to assume that management's responsibilities will be interpreted broadly by the Securities and Exchange Commission. SEC Chairman Williams has warned executives against "accepting a narrow construction of the Act," and encouraged them to fully consider "Congress's intent in enacting this statute."[4] This intent appears to extend to areas of corporate governance and responsibilities beyond financial records.

Questionnaire data from our research study suggest that the four most common corporate responses to FCPA have been:

- a comprehensive review of internal controls to determine adequacy and strengthen where necessary (35%);
- documentation of the company's present internal controls (26%);
- discussion only, no specific action (13%);
- strengthening the internal control environment without significant changes in specific internal control measures (11%).

[4] Hager, "SEC Rebuffs ABA Unit on FCPA Interpretation," The Legal Times of Washington, February 5, 1979, p. 3.

It is interesting to note that the most frequently mentioned responses of the largest companies (the 10% with sales[5] of over $4 billion) were quite different from those of the smallest firms (the 10% under $60 million). The largest companies cited "a comprehensive review" and "strengthen where necessary" as their most common response. By contrast, the smallest firms cited "no attention given" and "discussion only" as their most frequent response. One might conjecture, therefore, that the smaller firms are more satisfied with and confident in their internal controls. Our questionnaire data (presented later in this report) refute this explanation and, indeed, suggest that the opposite is true.

[5] Assets in the case of financial institutions.

Two alternative explanations are suggested by our interview experience. One is that many smaller firms simply do not realize that the Act affects them. A second is that many smaller firms have been prevented, however reluctantly, from engaging in a more active response to FCPA because of the lack of a legislative monitoring function, and the general scarcity of management time, specialized personnel, and other resources which larger firms can assign to the task.

Our interviews provided more detailed insights into the specific activities involved in general corporate response to FCPA. These included self-conducted reviews of the internal control system and environment, CPA-aided review, organization and detailing of documentation related to internal control, education and training, revisions in control procedures, changes in or the development of a code of conduct for employees, and an enlarged and strengthened internal audit function.

A self-conducted review of internal control was by far the most common response. Such reviews typically include an examination of internal accounting control procedures, an assessment of the extent to which these procedures are documented, a survey of key personnel to determine compliance with the firm's code of conduct, and an evaluation of the role of internal audit and its ability to accomplish the assigned task with current resources. In spite of an often negative attitude toward FCPA, most managers saw some benefits to the firm deriving from this internal review process.

The most tangible result of the review of internal controls is greater documentation of policies and procedures. Although some firms saw this as a simple "indexing" activity of existing material, most described a more substantial effort. Outdated materials had been updated or discarded and useful detail was added to more general policy and system descriptions. Documentation methodologies were being developed and undocumented systems were being formalized. Thus, much of the documentation effort is directed toward improving the overall management and operation of the firm.

There is, however, another side to the documentation effort. Many firms seemed to be developing a "defense file" for the purpose of protecting the firm in the case of possible future legal action arising out of FCPA. Unlike the documentation activity undertaken to improve management and operations, defense file materials are developed to convince external parties of the existence of adequate internal controls.

Several of the interviewed firms cited changes in control procedures which could be related to FCPA. Illustrations include changes in authorization procedures for resource commitments, changes in plant security measures, and changes in data processing control practices. Many firms noted, too, that codes of conduct have been recently revised, in part as a result of FCPA. Typically, a document which was only a conflict of interest statement has been strengthened and expanded to include questions related to the illegal payments portion of FCPA.

Finally, many firms had reassigned or added people to the internal control effort, typically within internal audit. Audit departments which previously had a "low profile" and reported to the corporate controller now have new reporting relationships (sometimes including a direct reporting line to the Audit Committee of the Board) and a much higher profile. Events leading to, as well as actual passage of, FCPA and the growth in size and stature of the internal audit activity seem at least to some extent related.

Those companies that had not responded in any positive fashion to the FCPA generally cited two related reasons. First, they had the comfortable feeling that the Act was directed at companies which had heavy overseas activities or which were engaged in activities likely to encourage improper payments. Second, they were also comfortable about their internal control, generally because they had no history of errors and irregularities.

It is safe to say that there has been a wide range of corporate responses to the FCPA. In all but a few cases the responses have been made by financial personnel, not operating personnel. While all of management is potentially liable under the provisions of the Act, in most cases only financial management is aware of the Act and is responding to it. For some companies the Act has been a triggering mechanism for action on internal control. For others, the Act has had little or no effect. With respect to the general problem of internal control, very few companies would not benefit from an evaluation and upgrade of their systems. On the other hand, the question of whether corporate response to the FCPA is truly adequate will have to wait for court actions and rulings.

EXECUTIVE PERCEPTIONS OF SIGNIFICANT INTERNAL CONTROL RISKS

One particular question asked of every financial officer in the on-site interviews led to a greater range of discussion than any other. The respondents were asked: "What do you think is the greatest internal risk you face in this company? If you were to come in Monday morning and find waiting for you on your desk news of the worst thing that could happen from an internal control point of view, what would it be?" The questionnaire also included questions designed to identify both important and problem areas with respect to internal control risk.

Three of the risk areas mentioned most often were computer failure and abuse, failure of a major project, and failure to conform to government regulations. In this section we will discuss each of these risk areas. In addition, we will provide a summary of questionnaire results on executive perceptions of their greatest control concerns. Finally, we will summarize financial managers' assessment of internal control exposure.

Areas of internal control concern

One control concern that weighed heavily on the minds of chief financial officers was computer failure and computer abuse. This finding was reinforced by the questionnaire respondents who ranked "Electronic Data Processing" as the area of greatest internal control risk (Table 1). Many companies have come to rely so heavily on their computer facilities for daily processing of transactions and the control of operations that a significant computer breakdown could effectively disable their operations. Since few companies were found to have adequate backup facilities or tested recovery procedures, the fear that some unanticipated event might deprive them of the use of their computer was well founded.

Table 1
Questionnaire Results on Executive Views of Company Activities Causing the Greatest Control Concern*

                                              Industry Categories
                               All
Company Activities             Companies  Ag./Mining  Mfg.  Trans.  Util.  Whole/Ret.  Fin.  Serv.
Electronic data processing     61%        61%         61%   69%     74%    60%         73%   58%
Decentralized operations       53%        59%         54%   73%     19%    52%         50%   52%
Foreign operations             35%        54%         42%   15%     0%     2%          27%   42%
Compliance with regulation     32%        39%         30%   27%     52%    36%         35%   30%
Purchasing                     32%        26%         32%   42%     41%    48%         4%    49%
Other                          21%        15%         13%   15%     33%    26%         37%   15%
Marketing                      11%        2%          15%   8%      0%     0%          10%   9%
Production quality control     11%        0%          14%   0%      4%     10%         4%    0%
Treasury function activities   9%         11%         10%   12%     19%    10%         10%   12%
Budgeting                      8%         9%          10%   15%     19%    7%          2%    0%
External financial reporting   5%         7%          4%    8%      7%     0%          10%   0%
Research and development       2%         0%          3%    8%      4%     0%          0%    3%

*Respondents were permitted to indicate up to three activities

Increased use of distributed data systems in which the number of computer terminals is increased and their locations are geographically separated has increased the number of people who have access to stored data, and has also increased the opportunity for influencing the results of the computer's data processing. This greatly increases the susceptibility of the system to misuse and was perceived by the financial executives as a potentially serious problem.

Another commonly mentioned concern was the loss of financial control over a major project. This could be a capital expenditure item, a research and development project, a contractual arrangement, expansion into a new market, or any other major financial commitment. In approving such a project, plans and decisions are based upon a given set of actual and projected data, and on the expectation that project supervision will be adequate. Once a large project is under way, the dollar amounts involved in daily decisions may be so large that any loss of control, even for a short period, can place the project's economic success and the company's profitability in jeopardy. And, unless management is kept informed on a very frequent basis of any departures from the plan, the extent of loss can accelerate rapidly.

The increasing number, range, and complexity of various governmental rules and regulations for conducting and reporting on business activity is a source of control concern. The need to train and keep employees competent in all the regulated aspects of business is considered to be an almost impossible task. Coupled with this is the extent of bad publicity that can attend even an inadvertent breach of such regulations, especially if the company becomes the object of an enforcement action of some kind. As a matter of fact, some executives responded that a regulatory agency investigation, or an executive or employee's actions that drew the interest of regulators, constituted the most undesirable internal control problem they could identify.

The responses to the questionnaire demonstrate variation of control concern, based both on industry type and size of the company. As shown in Table 1, EDP and decentralized operations are viewed as the greatest risk areas by companies in most industry categories. Beyond these two, the concerns vary by industry type. In some industries such as utilities, there is a predominant area of concern, while in others there is a perception that there are a number of relatively equivalent areas of control risk.

While variation based on company size was not as pronounced, some observations are suggested by the questionnaire data. EDP and decentralized operations are again problems for most companies, except for the very small companies. In addition, production/operations, purchasing, and budgeting are of significantly greater concern to small companies than to large companies.

Management's overall assessment of the risk situation

One executive characterized the internal control risks faced by his company as "the things management does not know about in this company." There is no way in a large and complex company for management to be aware of everything they might need to know in order to forestall all undesirable possibilities. An acquisition, for example, may buy problems that were not at all expected and that did not appear even remotely possible during the acquisition discussions. Gradual deterioration of internal controls is another possibility that may occur without any warning, until some problem of major proportion suddenly appears.

We were struck in some companies by the feeling of assurance on the part of the financial officers that although some improprieties could always be expected, the total risk of material loss to the company was slight. We were equally impressed in other companies by the feeling of some financial officers that they were to a considerable extent helpless in the face of certain risks they recognized but could not further reduce in a cost-effective manner. No amount of internal control can provide them with complete comfort, and given the possibility of prosecution under FCPA, they expressed a need for some luck, as well as diligence and skill, to avoid such an outcome.

MANAGEMENT ASSESSMENT OF THE EFFECTIVENESS OF THEIR CONTROL SYSTEMS

A review of the background of FCPA and the associated Congressional hearings leads to the obvious conclusion that the main purpose of the Act was to prevent bribery. However, with the addition of the accounting provision, the legislative intent also may have included the strengthening of the corporate internal control system. A key determinant of whether companies will improve their control systems is their assessment of the effectiveness of their present internal control environment and the effectiveness of their internal control system. It is reasonable to expect that in most cases management will adopt the policy that "if it ain't broke, don't fix it." Do managers believe that their control systems need fixing? In this section, we will summarize financial managers' self-assessment of their corporate control systems. We will then offer some comments on the reliability of these assessments.

Self-assessment of the internal control system

Very few financial officers would admit to anything less than a high degree of control consciousness in their companies, although some pointed out that different degrees of consciousness existed at different levels in the company. Any assessment of the level of control consciousness suffers from the very subjective and inexact use of terms like "excellent," "strong," "very good" and the like. But over three quarters of the interview respondents used such positive terms in evaluating their own firms' level of control consciousness. In cases where significant change for the better had occurred over the last several years, words like "improving" and "emerging" were used. Several interviewees recognized important differences between control consciousness at corporate and operating levels, with corporate always rated higher. It is noteworthy that no firm thought its environment could best be described using terms such as "fair" or "poor" or "deteriorating."

Likewise, corporate management is generally satisfied with the overall effectiveness of its internal control systems. Over 26% of the companies responding to the questionnaire believe that their company's system is either excellent or approaching excellence. Only 7% feel that it needs major improvement while the rest believe that it is satisfactory. Similarly, the majority of interview respondents felt satisfied with their present control systems. They believe that while more controls could always be installed, for the most part they have adopted the control system which approximately equates the costs with the benefits of controls.

While in general financial executives appear very satisfied with their systems of internal control, the degree of satisfaction varies with the size of the company. As can be seen from the data below, financial managers of the larger companies have a significantly higher opinion of their control systems than their counterparts in the smaller companies.

Self Evaluation of Internal Control System

                                       All         Large       Smallest
                                       Companies   Companies   Companies
Excellent or Approaching Excellence    26%         57%         10%
Satisfactory                           65%         42%         68%
Needs Major Improvement                7%          0%          21%

The variation in assessment is not as great when we look at companies by industry type. However, financial companies did rate their systems the highest while wholesale/retail companies rated their systems lowest.

Validity of the self-assessment of the control systems

Are financial managers' assessments of the effectiveness of internal control accurate? We can only say that we found two factors which raise concerns. First, managers tend to have very limited knowledge of the control system and environment of other firms. Their relative evaluation of their own systems was most often based upon limited experience: their own firm at a prior time or another firm for which they had worked. Second, as the research team talked to others in the organization (especially operating people who worked away from the corporate office), reviewed company manuals, and read management letters from independent CPAs, our assessment of the level of control consciousness and the quality of the control systems often declined. The assessment of corporate financial personnel may be more optimistic and hopeful than fully realistic.

Why is this so? However important internal control is, for many chief financial officers it is far from the most urgent problem at the moment. Unless the company has had a bad experience recently, other more pressing problems will occupy management's attention. Unfortunately, there is no guide or set of standards by which executives can judge the quality of controls other than the presence or absence of errors and irregularities. We did not find corporate executives convinced that their controls are perfect. Rather, the system generally received little attention simply because it had not yet let them down.

CONCLUSION

Approval of the Foreign Corrupt Practices Act with its present wording by the Congress at the request of the SEC is seen by many executives as evidence of an important failure by government to understand the nature, limitations, and possibilities of internal control. The reasoning follows:

— Perfect internal control in the sense that errors and irregularities cannot occur, or that they will always be discovered in a timely manner, is an impossibility.

— No internal control system can guarantee against personnel failure. People will ignore and disobey rules. Training cannot guarantee compliance with the practices taught. For many reasons, people will occasionally fall short of ideal or expected performance. Both unintentional errors and deliberate irregularities will occur no matter what precautions are taken.

— The cost of reducing the probability of errors and irregularities to some hypothetical minimum can become so burdensome as to interfere seriously with efficiency and economy.

— Internal control is a desirable means to an important end; it should not be made an end in itself.

— Even if the preceding propositions are recognized as valid and accepted on a conceptual basis, few if any representatives of regulatory bodies, or of the public at large, have sufficient experience with business conditions and activities to evaluate managerial judgment in internal control decisions fairly.

On the other hand, it was apparent to the research team, and admitted by a number of respondents, that most chief financial officers, controllers, data processing managers, internal auditors, and company counsel lack complete and accurate information about the control practices of other firms. Although many were willing to assess their own systems as "best," "equal to any," "better than most" or some other relative designation, few could provide the basis for this assessment. When other firms' names were provided, they tended to be large, "in the news" companies which have been noted publicly as having good (or bad) controls.

More knowledge and understanding of control system possibilities would enhance a firm's ability to build for itself a set of practices which really is best. Such information could also help executives assess with confidence the adequacy of their own company's control practices. Clearly a good deal of work and learning remains to be done to close this information gap.