Exchange Act section 13(b)(2)(B), added to the 1934 Act as part of the Foreign Corrupt Practices Act of 1977, is concerned with internal accounting controls.  The statute requires that there be sufficient controls to ensure that transactions are executed as directed by management; to permit the preparation of the financial statements; and to ensure that access to assets is permitted only in accord with management’s authorization.  The section underscores the fact that management serves as the steward of the shareholders’ investment.

The “internal accounting controls” focus of the section has been repeatedly emphasized by the Commission in a variety of cases that range from FCPA corruption actions to those centered on accounting fraud.  Two recent developments, however, suggest that issuers take a new look from a different prospective when evaluating internal accounting controls: The Commission’s section 21(a) Report on Certain Cyber-Related Frauds (Oct. 16, 2018) and its FCPA settlement, In the Matter of Vantage Drilling International, Adm. Proc. File No. 3-18899 (Nov. 19, 2018).  

The Report is well grounded in the language of the statute and the traditional views of the agency regarding internal accounting controls, citing at points the history of the section.  The Report also ties those notions together with risk management policies, stating that “”[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws,’” quoting from the Commission Statement on Guidance on Public Company Cybersecurity Disclosures.  

Subsequent sections of the Report emphasize that the cyber schemes investigated were typically simple and there were often numerous red flags.  Yet there were repeated failures.  Those failures resulted in many instances because the personnel did not take the appropriate steps or fully appreciate the situation.  As the Report states: “Systems of internal accounting controls, by their nature, depend also on the personnel that implement, maintain, and follow them.”  This “human element,” tied to section 13(b)(2)(B) concepts adds a dimension to the traditional discussion of internal accounting controls. 

Key to the ultimate outcome of Vantage Drilling is a similar concept.  That action involved in the first instance a relatively new drilling firm seeking to acquire a deep-water drilling vessel under construction at a Korean ship yard for a Taiwanese shipping magnate identified as Director A.  Through a series of agreements Vantage Drilling was to acquire the deep-water drilling vessel and other assets.  As part of the deal, the shipping magnet would become a director. No due diligence was done on Director A.  

Vantage Drilling later learned that Director A made misrepresentations at the same ship yard in connection with another vessel and even at one point claimed not to be able to pay for a ship.  Yet the drilling firm “did not enhance its internal accounting controls in regards to its transactions with respect to Director A,” according to the Order.  That failure ultimately took the firm down the path to a bribery scheme hatched and executed by Director A.  

While the Order in Vantage Drilling does not specifically discuss the “human element” of internal controls in those terms like the Report, the reason to strengthen the internal controls in that action was the risk posed by Director A.  Stated differently, the man was not trustworthy and tying the enterprise to him put the stewardship of management, and thus the shareholders’ investment, at risk.  Vantage Drilling, however, failed to recognize this risk and take precautionary steps – a failure which resulted in its undoing when the bribery scheme was uncovered in the now infamous “Operation Car Wash” scandal in Brazil.

Vantage Drilling’s failure is little different from that of management at the various firms cited in the Report.  When faced with an untrustworthy Director A –as with the cyber threats -- management failed to act as an effective steward, failed to take the proper steps or even to appreciate the risks to the enterprise and thus the shareholders’ investment.  It is this human element of internal accounting controls, and the failures with regard to this element, that was critical to the actions underlying the Report and in Vantage Drilling.  It is the emergence of this human element of internal accounting controls that is critical to the cyber-security Report and the  FCPA case.  It is the recognition of this element which issuers must carefully consider and evaluate in terms of risk, training and the testing of internal accounting controls in the future.