Last week, Canada-based gold mining company, Kinross Gold, settled a Foreign Corrupt Practices Act case with the Securities and Exchange Commission by agreeing to pay just shy of $1 million.
While the SEC did not pursue the case on evidence of actual bribery, it did hit Kinross with charges of violating the FCPA’s books and records and internal controls provisions. The case stands as a powerful reminder for companies that lax controls and shoddy bookkeeping, particularly at far-flung subsidiaries, can open the company up to harmful FCPA charges.
It also serves as a lesson in getting newly acquired subsidiaries up to par on financial controls and accounting in a timely manner. The two subsidiaries where the violations occurred, Tasiast and Chirano located in Africa, were acquired by Kinross in 2010. Violations were found during an internal audit in 2011, but they went unfixed for three years, ultimately resulting in an SEC investigation.
The case also has some important implications for internal auditors. The violations were repeatedly flagged by multiple internal audits, but were not remedied. The lesson here is that serious violations that go unaddressed must be highlighted and elevated up the management ranks until they get fixed.
Facts of the Case
The FCPA charges against Kinross centered on violations stemming from the company’s repeated failure to implement adequate accounting controls of two African subsidiaries. According to the SEC’s order instituting a settled administrative proceeding, Kinross Gold acquired the African subsidiaries in a $7.1 billion transaction in 2010, understanding that the subsidiaries lacked anti-corruption compliance programs and internal accounting controls. It took Kinross Gold almost three years to implement adequate controls, despite multiple internal audits flagging widespread deficiencies.
Even after implementing the controls, Kinross Gold failed to maintain them. Among other things, Kinross Gold is found to have awarded a lucrative logistics contract to a company preferred by Mauritanian government officials, despite concerns that the company was a high-cost provider with poor technical capabilities, in contravention of Kinross Gold’s bidding and tendering procedures. Kinross Gold also contracted with a politically-connected consultant to facilitate contacts with high-level Mauritanian government officials without conducting required, heightened due diligence. In addition, the company paid vendors and consultants without ensuring the payments were consistent with policies prohibiting improper payments.
“Companies should take particular care to remediate known accounting controls issues when making acquisitions to mitigate the risk that company funds will be misused for unauthorized purposes,” said Tracy Price, deputy chief of the SEC Enforcement Division’s FCPA Unit.
The SEC’s order finds that Kinross Gold violated books and records and internal accounting controls provisions of the federal securities laws. Without admitting or denying the findings, Kinross agreed to a cease-and-desist order, a penalty of $950,000 and undertakings to report on its remedial steps for a period of one year.
Lessons for Internal Auditors
According to Thomas Fox, former corporate counsel at Drilling Controls Inc. and an FCPA compliance expert, the case offers several lessons for internal auditors. “The company’s internal audit group was able to determine the internal controls deficiencies both in their initial audit and subsequent follow up audits. The problem for internal audit was that there was no management will to actually remedy the failures to move towards a present and functioning effective set of internal controls,” he wrote in the FCPA Compliance & Ethics Blog.
According to the SEC’s administrative proceeding on the case, in 2011 Kinross’ internal audit function determined that “the internal accounting controls surrounding vendor selection and disbursement for goods and services at Tasiast and Chirano were not adequate to meaningfully assess transactions for accuracy or compliance with the FCPA.” There was also a determination that there were “known control weaknesses, payments were made for a period of years without reasonable assurances that the payments were for their stated purpose or with management’s approval.”
The case is a strong reminder for internal audit and management to follow up and ensure that violations are fixed and that they are maintained. “Even after management required their implementation, Kinross failed to maintain them. The bottom line is that if management does not take care to remedy controls deficiencies there is not much internal audit can do but report on the failures,” writes Fox.
To be sure, it’s not enough for internal audit to conduct internal audits, write up a report, send it to management, and forget about it. Violations must be continually followed up on until they are remedied and repeated checks should be conducted to ensure that those remedies are maintained and that units don’t fall back to their old wayward ways.