Ten years ago, Sarbanes-Oxley was the focus of compliance and corporate governance reform. Sarbanes-Oxley was enacted in response to major corporate scandals involving financial reporting fraud and accounting misrepresentations.
Sarbanes-Oxley resulted in major corporate reforms of the auditing process, and corporate oversight of the financial and auditing process.
For FCPA purposes, Sarbanes-Oxley is an important component in corporate decisions to disclose potential FCPA violations to the government and to the public. In addition, Sarbanes-Oxley covers every company’s internal controls, including anti-bribery compliance.
Sarbanes-Oxley imposes certification and reporting requirements on “issuers” which may compel a company to disclose the problematic payments. Key provisions of Sarbanes-Oxley require:
1. CEOs and CFOs to certify the accuracy of their companies’ financial statements;
2. Companies to conduct annual assessments of their internal control structures and procedures; and
3. Companies to disclose material changes in their financial conditions or operations.
Sarbanes-Oxley requires companies to design and monitor internal controls and compliance programs, including FCPA compliance. Moreover, under Sarbanes-Oxley, the company and responsible officials have to certify that all material issues, including potential FCPA and fraud issues, have been disclosed to the auditors and the Board of Directors. In addition, Sarbanes-Oxley requires periodic reports filed with the SEC to identify any significant change in internal controls, including corrective actions with respect to material deficiencies and weaknesses. This requirement applies to remedial measures which a company may implement in response to an internal investigation of an FCPA violation.
Sarbanes-Oxley also increases the role and responsibilities of independent audit committees and the Board of Directors in corporate compliance matters, including the oversight of internal investigations.
In many respects, the voluntary disclosure process which has fueled the FCPA enforcement program is the result of reforms required by Sarbanes-Oxley. Prior to Sarbanes-Oxley, companies may not have been required to disclose an FCPA violation to the public, which in turn would permit the company to resolve the matter internally without having to report the violation to the Justice Department and the SEC.
All of that changed in 2002 when Sartbanes-Oxley was enacted, and companies now recognize the need to disclose a potential violation to the government when public disclosure may be required by Sarbanes-Oxley and SEC rules and regulations.
The power of Sarbanes-Oxley stretches from corporate headquarters all the way down to corporate subsidiaries, affiliated entities and joint ventures to the extent they are part of any consolidated financial reports. FCPA books and records requirements flow down in the same way to corporate subsidiaries, affiliated entities and joint ventures.
Civil and criminal liability follows along this path to ensure that corporate actors comply with Sarbanes-Oxley and other requirements, including the FCPA. Corporate actors in subsidiaries can be prosecuted for causing or aiding and abetting a violation by the corporate parent.