Compliance

In this section we examine how the various “tools” of a C&E program can be deployed to mitigate COIs, as well as other matters regarding the interaction of COIs and C&E programs. Please see the various sub-categories for information about each of these tools.

The most interesting conflict of interest case of the (still young) year

The most prominent COI story in the past few days comes to us from Mexico where, as described in The Economist, that country’s president Enrique Peña Nieto “announced that he, his wife and his finance minister will become the first subjects of a conflict-of-interest investigation” that was “triggered by revelations that [they] bought houses on credit from affiliates of a building firm that has benefited from government contracts.” But for me the most intriguing story of the week (and indeed the year, at least so far) comes from the ethical wonderland that I call my home – New Jersey.

As reported initially by the Bergen Record:   “Federal prosecutors have [launched a probe] into a flight route initiated by United [Airlines] while [David] Samson was chairman of the [Port Authority, which] operates [Newark Liberty Airport]. The route provided non-stop service between Newark and Columbia Metropolitan Airport in South Carolina — about 50 miles from a home where Samson often spent weekends with his wife. United halted the non-stop route on April 1 of last year, just three days after Samson resigned under a cloud. Samson referred to the twice-a-week route — with a flight leaving Newark on Thursday evenings and another returning on Monday mornings — as ‘the chairman’s flight,’ one source said. Federal aviation records show that during the 19 months United offered the non-stop service, the 50-seat planes that flew the route were, on average, only about half full. United… was in regular negotiations with the Port Authority and the Christie administration during Samson’s tenure over issues that included expansion of the airline’s service to Atlantic City and the extension of the PATH train to Newark…” A story from NJ.Com added that the  flight’s booking rate of 50% was significantly lower than “the rate of 85 percent or higher common among carriers” and also that the Chair of the NJ assembly’s transportation committee said the benefit to United of running this unprofitable route “could be PATH. It could be how much they pay for landing planes. It could be for how flights are dispatched at the airport. It could be a multitude of things. And it could be none of them.”

Assuming for the sake of discussion that it is indeed at least one of those or other financial benefits, the case should be interesting to COI aficionados  for several reasons.

First, the main law enforcement challenge in investigating the matter will likely be (as it is in many COI/corruption cases) proving wrongful intent. Presumably, Samson knew enough not to document what was seemingly happening here (although his comments about the “chairman’s flight” may suggest otherwise), but what about United? Given how cost conscious airlines have been in recent years, one imagines that someone at the company would have needed to document why they were running half full planes. Moreover, for various reasons this seems like the sort of arrangement that would have been known at a reasonably high level in the company (although finding documentation of that may be a taller order).

Second, it will also be interesting to see what role, if any, United’s compliance program played in these events. In light of how many people at the airline could well have had some suspicion about these flights, it would be pretty damning if none of them called the C&E helpline. On the other hand, if the issue was raised internally and buried, that would be even worse.

Third, it may be noteworthy that while the Company’s code of conduct does have a section called “When the government is the customer,” the bribery discussion there is limited to international transactions.   Perhaps like a lot of US companies, United’s compliance team failed to grasp the risks of homegrown corruption generally (and the Jersey variety in particular).  Other companies may wish to revisit their own codes to see if they could be subject to the same criticism.

Two final notes.  First, the facts of this case are just beginning to emerge and the speculations in my post should not be read to suggest that  Samson or United are necessarily guilty of corruption. Seriously.  Second, for an earlier story about a possible COI involving Samson (and his connections to the ethically challenged Christie administration) see this post  and the article linked to therein.

Does your company need a stand-alone conflicts of interest policy?

Last month, Pro Publica published an extensive report regarding a dispute on whether Goldman Sachs should be sanctioned by the Federal Reserve for failing to have a firm-wide policy on conflicts of interest.  An examiner for the Fed had argued in favor of such an action but the firm contended – successfully – that the COI provision in the company code of conduct coupled with COI policies for various of its divisions was good enough.

At least for C&E aficionados, the story is an interesting one (and the issue, in my view, a close call), particularly given Goldman Sachs’ recent COI history.  (See this post and this one.)   But for readers of this blog the piece may be most useful as an occasion to ask: Does my company have the COI policy that it needs?

To begin, a great many businesses don’t need a stand-alone COI policy. For many what’s in the code of conduct is policy enough. But there are, in my view, quite a few companies that should have stand-alone policies but don’t.

Five things to ask in a COI policy needs assessment

Certainly where companies have client relationships that could give rise to COIs there is a good reason to have a stand-alone policy, as such businesses generally face a greater array of COI risks than do others. Such risks tend to warrant a fuller discussion of COI standards and mitigation than can fit into a code of conduct. Put otherwise, companies that have relationships of trust with clients tend to have higher COI risks – both in terms of likelihood and impact – than do other sorts of businesses, and that should be reflected in how formal and extensive the related mitigation should be.

But other types of organizations should  consider drafting stand-alone policies too, at least if they:

- Have had more than their share of COIs in recent years, as a stand-alone policy can help signal to key constituencies resolve in dealing appropriately with COIs.

- Face more diverse, complex, non-obvious or culturally challenging COI possibilities than the average company has.  The more there is to say about different sorts of COI risks, the greater the need for a stand-alone policy, as there simply won’t be enough room in the code to do justice to all pertinent issues.

- Have significant COI-related process needs – in such areas as disclosure, management and auditing. Here too the code may not offer enough space to deal with the company’s requirements.

- Face heightened COI expectations for other reasons (e.g., non-profits, or other organizations that could be held to a “Caesar’s wife” standard of ethicality).

And don’t forget organizational justice

Even companies that don’t fit into any of the above categories should consider developing a stand-alone COI policy as a means of promoting “organizational justice.” As noted in this earlier post: “The special harm that COIs can cause to organizational justice arises from their frequently personal nature: because COIs often involve a personal benefit to an individual employee that is denied to others, the latter (i.e., rule abiding employees) can feel personally harmed (from a relative perspective) by the COI in a way that they would not feel, for example, with an antitrust offense or violation of export regulations.” Implementing a stand-alone COI policy can thus, in my view, help elevate the confidence employees have in the overall ethicality of their companies. Of course, to do so the policy must be sufficiently promoted and enforced.  But being successful here could have a ripple effect – by enhancing trust that management is committed to doing the right thing generally, which can be utterly vital to compliance and ethics program efficacy.

Note that while this consideration presumably applies to all companies, it does not mean that all companies need stand-alone COI policies.  But it is a factor that all companies should weigh in determining whether to implement such a policy.

Drafting a policy

If one does opt to create a stand-alone COI policy there are obviously lots of choices to be made in determining the content of the policy, and the links below to prior posts in the COI Blog might be useful in that regard.

To start, you might see this overview,  which includes links to several leading companies’ policies (that could be helpful samples from a form – as well as substance – perspective).

Regarding the key question of what COIs to address in the policy, a fairly comprehensive list is included in this post about certifications (the content of which is equally applicable to policies).

Here are some more specific discussions:

- G&E generally and gifts between employees.

- Supervising family members in the workplace.

- Moonlighting.

- Serving on another company’s board.

Next, regarding standards for allowing COIs to continue and related process issues, see this post and this one.

Finally, note that within the above posts there are links to many other posts and resources that might be useful in drafting or revising a COI policy.

The complicated and consequential world of compliance “checking”

Over time, companies should devote an increasingly greater amount of C&E program effort/resources to “checking” – auditing, monitoring and other forms of self assessment.  More than two decades after C&E checking became the law of the land, one can imagine how little sympathy the government would have for a company that tries to get “credit” for its C&E program but which had taken insufficient steps to determine if that program was in fact fit for purpose.

However, if the need for checking is clear, where to start  (or what step to take next) may not be. Both as a conceptual and practical matter, this can be a daunting area to tackle given the many types and dimensions of checking available.

In a complimentary web cast sponsored by The Network on January 20, 2015 at 1:00 pm Eastern, I’ll try to survey the world of C&E checking, describing relevant legal expectations and best practices that apply to both the risk area and the general program dimensions.  I’ll also discuss practical measures that companies can take to begin or improve a regime of C&E checking – in effect, a needs assessment for one’s C&E auditing, monitoring, program assessment and risk assessment.  Finally, I’ll consider what the impact of “behavioral ethics” should be on C&E checking.

Postscript: more than 500 C&E folks attended the web cast live and another 400 are getting the recorded version. If you’d just like the slides, please click here.

Risk assessments for office romances

Perhaps the most celebrated story ever about a love affair is Anna Karenina  and the story doesn’t end well – as the distraught heroine throws herself under a train.  Office romances typically don’t end that way, but they are not without risks – particularly those involving senior leaders.

This is indeed an oft-told tale. Here is an earlier post on “frisky executives” discussing one such case from 2012.  Others around that time involved the CEOs of Lockheed Martin and Best Buy. And the latest in this line concerns the CEO of Johnson Controls.

As described in this article of a few weeks ago in the Milwaukee Business Journal, that CEO “failed to inform the corporation’s audit committee about the potential conflict of interest in his extra-marital affair with a consultant hired by the company.”  The net result: a reduction “of his annual incentive performance plan payout to $3.92 million, down nearly $1 million.”

A few thoughts on this case, perhaps of use to any CEO conducting a pre-office affair risk assessment.

First, while the economic hit is high it seems justified for a high ranking official – anything less could be seen as a slap on the wrist. Indeed, one of the cases discussed in the “frisky executives” post also involved a million dollar penalty. So, don’t expect economic leniency.

Second, consider the risk to the other party. In the case of the Johnson Controls executive, she was a consultant in a firm that lost an apparently long standing client in the scandal. No surprise there either.

Finally, while disclosure is necessary it may not be sufficient to prevent harm.  That is because even if an actual COI can be avoided the appearance of a COI might be inescapable – as the natural suspicion among others in the workplace could be that with the relationship comes workplace favoritism. For more on how some  apparent COIs simply can’t be mitigated by disclosure see this post.

(Thanks to COI Blog reader Don Bauer for letting me know about this story.  And, happy new year to all.)

The cost of director and officer conflicts of interest just went up

In the vast realm of conflicts of interest those involving boards of directors tend to stand out. That is because part of the reason the role of corporate director even exists is to mitigate the conflict-of-interest-type tensions (which fall under the broad heading of “agency problems”) that managements may have vis a vis shareholders.  Moreover, while the role of officers obviously differs somewhat from that of director, the duty of loyalty that both owe shareholders is the same.

Director and officer COIs can arise in many settings but often the most consequential of these involves mergers. And, as described in a post last week in the D&O Diary: “Within the past few days, two merger objection settlements – one involving Activision Blizzard, Inc. and the other involving Freeport-McMoRan, Inc. — have been announced involving massive cash payments,… The Activision settlement may represent the largest cash settlement payment ever in a shareholder derivative lawsuit.” The post further describes that “[t]he common feature of these two cases that may account for the magnitude of the cash payments seems to be the conflicts of interest that were alleged to be part of the challenged transactions.”

The specific facts of these two cases – both of which are complex, as COI cases involving mergers typically are – may be less important than is what they (and another one last year involving News Corp, which is discussed in the same post) may mean for insurance costs to companies: “The rise of jumbo shareholder derivative lawsuit settlements has a number of implications. Among other things, it is a topic that will have to be taken into account as D&O insurance buyers consider how much insurance they will need to ensure that their interests are adequately protected.”

While most directly relevant to risk managers and others in companies in charge of securing D&O coverage, I think C&E professionals also need to know about this development – because directors and officers of their companies likely will and will be concerned about it. And, hopefully this awareness will contribute to a greater overall sensitivity at high levels in companies to COIs generally – meaning that this may be a good time to train (or retrain – or schedule training of) your directors and officers on COIs.

For those looking to develop such training, here is a prior post on that topic.  And here are some other posts, portions of which might provide helpful ideas or information for training boards on COIs:

- Friendship – and the ties that blind (directors to conflicts of interest).

- CEOs’ ethical standards and the limits of compliance.

- Are private companies more ethical than public ones?

- Catching up on the backdating cases

- Behavioral ethics training.

- Catching up on CEO COIs.

- Catching up on director COIs.

- The largest derivative lawsuit settlements (from the D&O Diary).

Here are some pertinent words of wisdom from two good friends of the blog: Steve Priest (on keeping ethics training real) and Scott Killingsworth (on mitigating C-Suite risks).

Finally, if you are training your board, and want to use the occasion to look beyond the COI area to general C&E oversight by directors this recent article by Rebecca Walker and me  from Compliance and Ethics Professional magazine might be useful.

Risk assessment: law, economics, morality science…and liquor

Many years ago a client who was in the compliance department of a pharma company told me his strategy for conducting risk assessments.  He would schedule the interviews of sales people – a key, but typically difficult, constituency for nearly any risk assessment – to begin late in the work day, and after a while suggest that the discussion continue in a nearby bar.  As the drinks began to flow, so apparently did the information about risks.

Risk assessment is the foundation of an effective C&E program – certainly as a matter of common managerial sense, and increasingly as a matter of law.  In  connection with the latter, we recently passed the ten-year anniversary of the revised Sentencing Guidelines, which established risk assessment as an official C&E program expectation of the U.S. government; and on virtually the same day, the Italian government published important new competition law compliance  guidelines, discussed in this publication from the Baker & McKenzie law firm, which include a risk assessment component.

Still, meeting such expectations – by getting business people to talk openly about the uncomfortable topic of risk – is as challenging as is anything in the C&E field. So, what can you use to make these conversations succeed if, like most C&E professionals, your toolkit doesn’t include a liquor cabinet?

Part of the way for dealing with this challenge is to provide that the assessment is conducted under the company’s attorney-client privilege  and, beyond this, that no attribution to the sources of information will be included in the assessment report.  These are the tools of law, and deploying them can be essential to success in a risk assessment.

But offering confidentiality alone may not be enough because while it is typically in the clear interest of a company to have a thorough risk assessment, individuals’ interests often seem (and sometimes are) out of alignment with those of the organization. This is the realm of the economics-based concept of moral hazard, discussed in various prior posts of this blog that are collected here.

There is no panacea for dealing with this impediment – but hopefully one can make a persuasive appeal to an interviewee’s being a “C&E leader,” a formulation which seeks to blend considerations of personal and organizational benefit, to get the interviewee to be truly helpful for the risk assessment. Of course, for an approach such as this to work, it cannot be limited to the risk assessment process. Senior executives, and even the board of directors, need to make clear through various intangible and occasionally tangible ways that such leadership is duly appreciated.

Finally, there is also a psychological dimension to the challenge of risk assessment. As discussed in this recent article in Science – “Morality beyond the lab” by Jesse Graham (which I learned of from the Ethics Unwrapped web site), various “laboratory studies have shown a ‘holier-than-thou’ effect, in which people over-optimistically predict their own future moral behavior but accurately predict the not-so-moral future behavior of others” – a view which has now been supported by the results of an important recent field study (by W. Hofmann, D. C. Wisneski, M. J. Brandt, L. J. Skitka, which is published in the same issue of Science). As summarized by Graham: “[T]he study suggests that moral life can largely be characterized by two kinds of events: noting one’s own good deeds and gossiping about the bad deeds of others.”

For those conducting risk assessments, the path suggested by this research is clear:  to the maximum degree possible, one should structure the inquiry so that it is not seen as asking about the interviewee’s own risks but those of others.  And, in providing information about others, at least in the aggregate, employees of an organization will likely be helping you analyze risks that in fact involve themselves.

One other point about the above-discussed research: while I have highlighted its use for risk assessment, there are other ways in which this aspect of what Graham calls “morality science” can enhance the efficacy of a C&E program. Most notably, it can be used in training and other communications to underscore the overarching behavioral ethics notion that “we are not as ethical as we think,” which should help reinforce an appreciation for the help that C&E staff and other resources can provide to employees when confronted with legal risks or ethical dilemmas.

For further reading on risk assessment, here’s a link to a complimentary e-book comprised mostly of my risk assessment columns in Corporate Compliance Insights.

For an index of posts on “behavioral ethics and compliance” please click here. 

Compliance programs and the culture of care

Samuel Johnson once said: “It is more from carelessness about truth than from intentionally lying that there is so much falsehood in the world.” And carelessness is obviously at the root of many other types of wrongdoing too.

In a keynote speech at the just-concluded SCCE  10th annual Compliance and Ethics Institute, FBI director James Comey spoke of the need for companies to have a “culture of care” when it comes to cyber-security.  (Unfortunately the speech is not yet published on the FBI web site, so I can’t link to the text.)  While focusing on cyber-security, Comey did indicate that the concept of a culture of care might have broader application to the world of compliance and ethics.

I think the concept is indeed potentially quite useful for C&E professionals.  But what might be included in such a culture?

One example is suggested by a presentation – Beyond Agency Theory: The Hidden and Heretofore Inaccessible Power of Integrity, by Michael Jensen and Werner Erhard – discussed in this earlier post. The authors argue that honesty requires more than sincerity: “When giving their word, most people do not consider fully what it will take to keep that word.  That is, people do not do a cost/benefit analysis on giving their word.  In effect, when giving their word, most people are merely sincere (well-meaning) or placating someone, and don’t even think about what it will take to keep their word. This failure to do a cost/benefit analysis on giving one’s word is irresponsible.”    This argument makes sense to me – and I think it would to Samuel Johnson  and James Comey as well.

And, as noted above, the need for carefulness goes beyond being honest.  More broadly, a culture of care would help shape an organization’s values, policies, procedures, risk assessment, approach to incentives and  C&E training and communications.  As well, carelessness would be addressed sufficiently through the investigations and disciplinary policy/process – something that too few companies do, as discussed here.  

Finally, I asked Steve Priest, a true master at diagnosing and shaping corporate cultures, what he thinks about the “culture of care” concept.  He said “Emphasizing a ‘culture of care’ makes great sense. However for many who do not understand the full sense in which James Comey used the phrase, it will seem soft. It isn’t soft, but to balance it I encourage organizations to aim for these three in your culture: care, competence and courage. Organizations and leaders that demonstrate care, competence and courage may not win every sprint, but they will win most marathons.”

I agree with Steve that care alone cannot a culture make.  And, as with virtually any part of a C&E program, one has to guard against overdoing it.   In this connection, nearly 20 years ago, I was concerned that my then eight-year-old daughter occasionally ran out into the street without checking for traffic – and so to help make her more careful I tried to get her to keep a “safety journal.”  I’m proud (in retrospect) to say that she refused – as my idea was a bit over the top, and this story from the archives of Kaplan family compliance history helps to remind me that one must be careful not to promote over-cautiousness.

Conflicts of interest, compliance programs and “magical thinking”

An article earlier this week in the New York Times takes on the issue of “Doctors’ Magical Thinking about Conflicts of Interest.” The piece was prompted by a just-published study which examined “the voting behavior and financial interests of almost 1,400 F.D.A. advisory committee members who took part in decisions for the Center for Drug and Evaluation Research from 1997 to 2011” and found a powerful correlation between a committee member having a financial interest (e.g., a consulting relationship or ownership interest) in a drug company whose product was up for review and the member’s voting in favor of the company – at least in circumstances where the member did not also have interests in the company’s competitors.

Of course, this is hardly a surprise, and the Times piece also recounts the findings of earlier studies showing strong correlations between financial connections (e.g., receiving gifts, entertainment or  travel from a pharma company) and professional decision making (e.g., prescribing that company’s drug). Nonetheless, some physicians “believe that they should be responsible for regulating themselves.”

However, such self regulation can’t work, the article notes,  because “our thinking about conflicts of interest isn’t always rational. A study of radiation oncologists  found that only 5 percent thought that they might be affected by gifts. But a third of them thought that other radiation oncologists would be affected.  Another study asked medical residents similar questions. More than 60 percent of them said that gifts could not influence their behavior; only 16 percent believed that other residents could remain uninfluenced. This ‘magical thinking’ that somehow we, ourselves, are immune to what we are sure will influence others is why conflict of interest regulations exist in the first place. We simply cannot be accurate judges of what’s affecting us.”

While the findings of these and similar studies are, of course, most relevant to conflicts involving doctors and life science companies, there is a broader learning here which, I think, is vitally important to C&E programs generally.  That is, they help to show that “we are not as ethical as we think” – a condition hardly limited to the field of medicine or to conflicts of interest, as has been discussed in various prior postings on this blog.

One of the overarching implications of this body of knowledge is that we humans need structures – for business organizations this means C&E programs, but more broadly these have been called “ethical systems” – to help save us from falling victim to our seemingly innate sense of ethical over-confidence. So, to make that case, C&E professionals should – in training or otherwise communicating with employees (particularly managers) and directors – address the issue of “magical thinking” head-on.

Moreover, using the example of COIs to prove the larger point here may be an effective strategy, because employees are more likely to have experience with ethical challenges in this area  than with other major risks, such as corruption, competition law or fraud – which indeed may be so scary as to be largely unimaginable to many employees.  I.e., these and other “hard-core” C&E risk areas might be subject to an even greater amount of magical thinking than is done regarding COIs.  So, at least in some companies,  discussing COIs might offer the most accessible “gateway” to addressing the larger topic of ethical over-confidence.

“The inner voice that warns us somebody may be looking”

Within the treasure trove of H.L. Mencken’s sayings, this definition of “conscience” may be my favorite.  And, various studies have indeed shown that the sense that somebody may be watching can help promote ethical behavior.  Among these are  experiments exposing individuals to “eyespots” –  drawings which create a vague sense of being watched, even among those who know as a factual matter that they aren’t being seen. (See, e.g., this study, showing that exposure to eyespots can promote generosity.)

While actually deploying eyespots around the workplace is hardly a viable option for most companies, various technological advances offer not only the appearance of being watched but the actuality of it.  Such monitoring technologies can be particularly promising for promoting compliance by parts of a workforce for whom supervision is relatively remote – which is often the case for sales people.

For two other risk-related reasons, sales people can be a logical choice for C&E monitoring:

- Their incentives may not align well with those of their respective companies – a “moral hazard” condition.  (Indeed, in a risk assessment interview I conducted last week, the interviewee responded to a question about conflicts of interest by saying – only somewhat in jest – that the whole company sales force had such conflicts.)

- Sales people tend to be in a position to cause legal/ethical violations – e.g., corruption, collusion and fraud – much more than the average employee at a company.

But, while the case for monitoring sales people is strong as a general matter, obviously not all monitoring strategies are equally effective. According to a paper published in the September 2014 issue of the Journal of Business Research, “Does transparency influence the ethical behavior of salespeople?” by John E. Cicala, Alan J. Bush, Daniel L. Sherrell and George D. Deitz (rentable on Deep Dyve): “it is not the perception of visibility that drives sales persons behavior, but rather the perception of the likelihood of negative consequences resulting from management use of knowledge and information gained from technologically increased visibility.”

Of course, these results – based on an on-line survey which is described in the paper – presumably won’t surprise any C&E professionals. (Nor, likely, would they have impressed Mencken, who also said: “A professor must have a theory as a dog must have fleas” – although I should add that that’s just another chance to quote the great man – not a reflection of my view of this paper.) But, as with much of the social science research discussed in this blog, having data to back up what is intuitively known may be useful, particularly when seeking to make C&E reforms in a company that are being resisted.

Most relevant here is the often-contentious issue of how open a company is with its discipline for violations (meaning not just of sales persons but any employee).  While C&E professionals typically understand that true “public hangings” – i.e., full identification of individual transgressions and transgressors – can be undesirable for all sorts of reasons, there is still a lot that their respective companies can do in a general way to show that   negative consequences do exist for breaches of C&E  standards. Hopefully, this new research can help C&E professionals make such a case.

Liability for faking compliance – a new-fashioned type of deterrence?

I have long felt that C&E programs should do more to appeal to the better angels of our nature. (For more information on how “pro-social” qualities can be built on to promote more ethical workplaces, see this research page from the Ethical Systems web site.) But at the end of the day there will always be a place for good old-fashioned deterrence.

Deterrence, in the business realm, traditionally operates by punishing those who engage in conduct that harms others (e.g., corruption, collusion, pollution). But as C&E program expectations themselves become more central to promoting responsible behavior by companies, it is inevitable that a more “upstream” form of deterrence should emerge – in which faking compliance is itself the punishable (or otherwise addressable) wrong. Indeed, this could be considered a “new-fashioned” type of deterrence.

The COI Blog has previously discussed two cases of this sort – one involving Goldman Sachs, the other S&P – both having to do with allegedly false claims by the defendant firms that they had taken strong compliance measures against conflicts of interest. And at the end of last month, another case was brought in which faking compliance was itself found to be a punishable wrong.

The case – In the Matter of Marc Sherman – can be found here, but readers may find more useful a post about it on the Harvard corporate governance blog by attorneys from the Ropes & Gray law firm. As they note:

“On July 30, 2014, the Securities and Exchange Commission (“SEC”) advanced a novel theory of fraud against the former CEO (Marc Sherman) and CFO (Edward Cummings) of Quality Services Group, Inc. …, a Florida-based computer equipment company that filed for bankruptcy in 2009. The SEC alleged that the CEO misrepresented the extent of his involvement in evaluating internal controls and that the CEO and CFO knew of significant internal controls issues with the company’s inventory practices that they failed to disclose to investors and internal auditors. This case did not involve any restatement of financial statements or allegations of accounting fraud, merely disclosure issues around internal controls and involvement in a review of the same by senior management. The SEC’s approach has the potential to broaden practical exposure to liability for corporate officers who sign financial statements and certifications required under Section 302 of the Sarbanes-Oxley Act (‘SOX’). By advancing a theory of fraud premised on internal controls issues without establishing an actionable accounting misstatement, the SEC is continuing to demonstrate that it will extend the range of conduct for which it has historically pursued fraud claims against corporate officers.” (Emphasis added.)

Of course, there is much more that could be said about the various connections that the legal system draws between violations of law and poor compliance than what’s in this and the other two cases mentioned above. (See, for instance, this prior post about the SAC insider trading case brought last year – where the weakness of the company’s compliance program was used as a basis for finding corporate liability for insider trading by individual employees.) And, the notion of punishing fake (or otherwise weak) compliance efforts has long been part of enforcement strategies in highly regulated areas (e.g., broker-dealer compliance). But the Sherman case seems especially important, as it can be utilized in training corporate officers in public companies of all kinds on the need to be careful in executing their S-Ox certifications which, in turn, should lead them to have a greater appreciation of the value of strong compliance generally.

Finally, the Ropes & Gray post concludes with the following observation: “this case, which includes fraud charges in an accounting case without any restatement of financials, seems to represent an application of SEC’s ‘Broken Windows’ strategy first announced by Robert Khuzami and reiterated by Mary Jo White—to pursue small infractions on the theory that minor violations lead to larger ones—to the public company disclosure and accounting space.” To this I would add that a “Broken Windows” strategy for preventing wrongdoing is also supported by behavioral ethics research (see this post), and the Sherman case should also be a reminder for C&E officers to review whether their own companies’ deterrence systems take this approach into account to a sufficient degree.