The Federal Sentencing Guidelines for Organizations

Self-policing is central to minimizing liability risk.

By W. Max Rexroad, Toby J. F. Bishop, Joyce A. Ostrosky, and Linda M. Leinicke

In Brief

Helping Businesses Manage Risk from Fraud and Other Illegal Acts

The Federal Sentencing Guidelines for Organizations (FSGO) have the following implications:

* Organizations have a responsibility to implement programs to prevent and detect Federal criminal activity among their employees and agents. Organizations that fail to police themselves can be prosecuted and held liable for the criminal acts of their employees and agents.

* In light of FSGO, the Caremark decision has placed an affirmative responsibility on the board of directors to determine whether appropriate information systems are in place to provide compliance information to the board and senior management.

* FSGO contains a sweeping definition of the term "organization."

* Organizations sentenced under FSGO could be subject to very substantial fines. Organizations can also be put on probation of up to five years. Probation may involve intrusive oversight of the organization by officers appointed by the court.

* Organizations can help minimize any potential negative impacts of FSGO by implementing a seven-step compliance program.

* A compliance program will help an organization manage its business, legal, and regulatory risks; help protect the organization's reputation; help protect the organization from fraud and other illegal acts; and therefore help the organization continue in business.

* Knowledge of FSGO is important for financial statement audits. A compliance program, or lack of one, may affect a CPA's assessment of an organization's control environment and the risk of material misstatement of its financial statements due to fraud.

* FSGO provides CPAs, sometimes working with other specialists, with numerous consulting and assurance opportunities.

Practicing CPAs can take advantage of the Federal Sentencing Guidelines for Organizations to provide new consulting and assurance services to clients. Such services can reduce a client's business risks as well as help assess the CPA's audit risk from fraud. CPAs in business and industry can help their employers evaluate and manage this business risk.

History of the Federal Sentencing Guidelines

The United States Sentencing Commission (see www.ussc.com) was established in 1984 by the Comprehensive Crime Control Act. Comprised of seven commissioners appointed by the President and confirmed by the Senate and two nonvoting, ex officio members, the commission was charged with developing sentencing guidelines for offenders convicted of Federal crimes. A major objective of the legislation was to bring uniformity and fairness to the Federal sentencing process. The commissioner, therefore, developed sentencing guidelines for offenders with similar characteristics convicted of similar criminal offenses, known as the Federal Sentencing Guidelines. The guidelines became effective November 1, 1987. At that time, they consisted of seven chapters and applied only to individuals convicted of Federal offenses.

In 1991, the U.S. Sentencing Commission added chapter eight to the guidelines. Chapter eight is often referred to as the Federal Sentencing Guidelines for Organizations (FSGO). Whereas chapters one through seven apply to individuals, chapter eight applies to organizations and holds them liable for the criminal acts of their employees and agents. In effect, FSGO greatly increased the responsibility of organizations to police themselves with regard to preventing and detecting the Federal criminal activity of their employees and agents.

FSGO contains a very broad definition of organization. The term includes corporations, partnerships, associations, joint-stock companies, unions, trusts, pension funds, unincorporated organizations, governments and political subdivisions thereof, and nonprofit organizations.

Examples of Federal Crimes Covered

It is easy for organizations to run afoul of Federal criminal laws and potentially become subject to FSGO. The following are some examples of business crimes covered by FSGO: fraud and deceit; bribery in procurement of a bank loan and other commercial bribery; offering, giving, soliciting, or receiving a bribe or gratuity; bid-rigging, price-fixing, or market allocation agreements among competitors; money laundering; tax evasion; evading import duties or restrictions; embezzlement, larceny, and other forms of theft; criminal infringement of a copyright or trademark; and insider trading. Environmental crimes are addressed in a separate set of guidelines. Penalties under FSGO include monetary fines and organizational probation.

How Are Fines Determined?

If an organization is sentenced under FSGO, calculating its fine can best be described as a three-step process.

Step One. The first step involves determination of the base fine. The base fine normally will be the greatest of--

* the monetary gain to the organization from the offense;

* the monetary loss from the offense caused by the organization, to the extent the loss was caused knowingly, intentionally, or recklessly; or

* the amount from a table in FSGO to which a judge refers.

Step Two. Once the base fine has been determined, the judge will compute a culpability score for the organization. This score attempts to measure the blameworthiness of the organization. Aggravating factors increase the score while mitigating factors reduce it.

Aggravating factors are as follows:

* High-level personnel were involved in or tolerated the criminal activity;

* The organization willfully obstructed justice;

* The organization had a prior history of similar misconduct; and

* The current offense violated a judicial order or injunction or condition of probation.

Mitigating factors are as follows:

* The organization had an effective program to prevent and detect violations of law; and

* The organization self-reported the offense to appropriate governmental authorities, fully cooperated in the investigation, and accepted responsibility for the criminal conduct.

Step Three. The third and final step is for the judge to determine the total amount of the organization's fine. The actual fine is the result of multiplying the base fine, determined in step one, by a multiplier derived from the organization's culpability score determined in step two.

Generally, the worst-case scenario would be a maximum organizational fine of $290 million. This fine applies to organizations that were not operating primarily for criminal purposes. However, in certain cases an organizational "death penalty" can be imposed by the judge. That is, the judge can set the fine high enough to divest the organization of all its assets if the organization operated primarily for a criminal purpose.

Organizational Probation

In addition to or in lieu of fines, judges can also sentence organizations to a term of probation for up to five years. In cases of probation, the organization may have to report its financial condition periodically to the court. It might be subject to unannounced examinations of its books and records by the probation officer or experts appointed by the court or "interrogation of knowledgeable individuals within the organization." It may also have to report its progress in implementing a compliance program periodically to the court, and it may have to submit to unannounced examinations to determine if its compliance program, as discussed later, is in place and working.

Even though organizational fines, probation, and the costs of legal defense may be burdensome, the real risk to a business is the negative publicity that can result from the commission of criminal offenses. The adverse publicity might result in a significant loss of sales, a lack of confidence by providers of financing, a drop in stock price, and other market deprivation penalties.

Compliance Program

When faced with sentencing under FSGO, obviously it is in the best interest of the organization to have the lowest possible culpability score. A critical way to reduce this score is to have in place an effective program to prevent and detect violations of law, commonly referred to as a compliance program. A compliance program is defined as "a program that has been reasonably designed, implemented, and enforced so that it generally will be effective in preventing and detecting criminal conduct."

FSGO prescribes, at a minimum, seven steps of an effective compliance program; they can be summarized as follows:

* Management Oversight. A high-level individual must be put in charge of and held accountable for the compliance program.

* Corporate Policies. Organizations must establish policies and procedures that can reasonably reduce the prospect of criminal conduct in their organization.

* Communication of Standards and Procedures. It is necessary to effectively communicate to every employee and agent the organization's ethics policies.

* Compliance with Standards and Procedures. The organization must take reasonable steps to effectively implement its compliance program. For example, these may include appropriate monitoring, reporting, and assurance procedures and a system for employees and agents to report suspected criminal conduct without fear of retribution.

* Delegation of Substantial Discretionary Authority. The organization must exercise due care not to delegate substantial discretionary authority to individuals who might have a propensity to engage in criminal conduct.

* Consistent Discipline. Organizations need to have a discipline program in place that is consistently applied. Additionally, individuals who fail to detect an offense should receive appropriate discipline.

* Response and Corrective Actions. The organization needs to respond appropriately to actual and suspected criminal offenses, learn why the offenses occurred, and take appropriate corrective action to prevent further similar offenses.

FSGO contains commentary stating that the specific actions necessary for an effective program will depend on several factors, including the size of the organization, the likelihood certain offenses will occur because of the nature of the organization's business, and the prior history of the organization. Prevailing industry practices are also relevant.

Impact on Financial Statement Audits

SAS No. 55, Consideration of Internal Control, as amended by SAS No. 78, states that "[The] control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure." Needless to say, a well-designed and effectively functioning FSGO compliance program would be a very valuable part of an organization's control environment. According to SAS No. 82, Consideration of Fraud in a Financial Statement Audit, "If the entity has established a program that includes steps to prevent, deter, and detect fraud, the auditor may consider its effectiveness." It also states, "The auditor should specifically assess the risk of material misstatements of the financial statements due to fraud and should consider that assessment in designing the audit procedures to be performed." The risk of material financial statement fraud may be reduced if the client has an effective compliance program.

This would be done as part of the CPA's assessment of the client's internal control environment and also as part of the assessment of the risk of material fraud in the client's financial statements. The CPA might evaluate and, in many cases, test their client's compliance programs. Well-designed and effectively functioning compliance programs can lower internal control and fraud risk.

Consulting and Assurance Opportunities for CPAs

Organizations vary in many ways, and thus it is only possible to present examples of opportunities for CPAs that are meant to be thought provoking; they are not all-inclusive. With a reasonable understanding of FSGO and some creative thinking, a CPA should be able to develop an array of consulting or assurance services. However, to consult in certain FSGO areas, CPAs may need to work with attorneys, ethics professionals, fraud experts, and regulatory specialists. Additionally, significant investment in staff training and development will likely be required. The examples presented below are organized around the seven steps of an effective compliance program. CPAs in business and industry should view the example from the perspective inside an organization.

Management Oversight. Ideally, an organization would have a compliance committee of the board of directors in addition to a compliance officer. This compliance officer should report operationally to the CEO but have direct reporting responsibility to the compliance committee. This model is similar to the traditional relationship between an audit committee and internal audit director. Unquestionably, this approach would demonstrate the organization's commitment to high-level management oversight of its compliance program. In many cases, however, organizations will not have sufficient compliance issues to justify a separate committee. Therefore, a reasonable alternative would be to assign the responsibility for compliance issues to the audit committee or its equivalent.

If the client cannot justify a full-time compliance officer, management should be careful in selecting the individual who will be assigned these duties on a part-time basis. In the selection process, a major goal would be to minimize the potential conflicts of interest the compliance officer would have in carrying out her duties. An organization particularly helpful to compliance officers, or their equivalents, is the Ethics Officers Association (www.eoa.org).

CPAs should be aware of the Caremark decision when advising their clients as to what management oversight structure should be adopted [In re Caremark International Inc. Derivative Litigation, No. 13679 (Del. Ch. Sept. 25, 1996)]. According to Caremark, "a director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists." This system should be reasonably designed to provide information about the organization's compliance with laws and regulations to senior management and the board. This decision, for the first time, establishes a judicial precedent that the board of directors has an affirmative responsibility to make a good-faith evaluation as to whether their organization already has or needs to develop such a system. It is incumbent upon the board to assure itself that appropriate compliance information "will come to its attention in a timely manner as a matter of ordinary operations." The important issue here is that the board of directors makes the evaluation and that any system put into place operates right up to the board level. If a fraud or other Federal criminal activity occurs, failure to have made this evaluation could result in personal liability to the directors.

Corporate Policies. FSGO requires that policies be in place that are reasonably capable of reducing the prospect of criminal conduct by an organization's employees and agents. A key element in meeting this requirement is a written organizational code of conduct that is based on values, addresses cultural differences, encourages employee support, and is integrated with the other elements of the compliance program. CPAs will often need to work with ethicists, behaviorists, and attorneys who have complementary expertise in these areas. CPAs should be wary of requests for examples of codes of conduct that the organization can copy and implement. Experience indicates that off-the-shelf codes are unlikely to work effectively because they probably will not address the organization's particular risks or reflect the organization's values and thus are unlikely to be embraced by employees.

If the organization does not have a written code of conduct, a logical place for the CPA to start is the assessment of general business, legal, and regulatory risks. Ideally, as part of this assessment process, employee input should be sought from the various functional areas of the organization. CPAs can serve as facilitators in gathering this input regarding risks. CPAs have an opportunity to add value through their expertise in risk assessment, information gathering, and analysis. CPAs can also assist in researching industry practices regarding risk factors and compliance program design. Based on this assessment, CPAs (in conjunction with ethicists, behaviorists, and attorneys, as required) could then assist in the preparation of an organizational code of conduct and aid in the development of procedures to implement it.

If, on the other hand, the organization already has a written code of conduct, the CPA can still, in most cases, provide advice. For example, the CPA could raise the following questions: When was the code of conduct last updated? Does the code of conduct address all significant business, legal, and regulatory risks? Was there employee input in its development? How does the organization know whether employees understand and support the code? This will assist in determining whether or not the code of conduct needs updating.

Communication of Standards and Procedures. All employees and agents must be aware of the organization's ethics policy. After the ethics policy has been written, a copy should be distributed to every employee and agent. Thereafter, all new hires should be given a copy of the ethics policy. However, mere distribution of the policy does not ensure that employees and agents have read and understood it. A better approach for the initial distribution of the policy would be to communicate its contents at an ethics training session. The training session not only signals senior management's support of the ethics program but also allows employees and agents to ask questions about the policy. Ideally, ethics training and retraining programs should take place on a periodic basis.

A possible consulting opportunity for CPAs would be to advise organizations on the various methods that have been used to communicate ethics policies. Once a communication method is implemented, the CPA could, on a periodic basis, test its effectiveness. For example, the CPA could test whether employees actually received certain materials or attended required training sessions, providing assurance as to the proper functioning of the communications process.

Compliance with Standards and Procedures. Appropriate systems and procedures should be in place to give reasonable assurance that an organization's compliance program is effective. CPAs are particularly suited for testing the effectiveness of compliance procedures once they have been put into place. In fact, the CPA can design tests to be performed on a regular basis to provide reasonable assurance to senior management and the board of directors that the compliance procedures are in place and working as designed. If the tests show weaknesses, the CPA can suggest appropriate modifications. The CPA could prepare a limited use report for management regarding the results of the evaluations and tests of compliance procedures.

FSGO specifically suggests that a compliance program may include a mechanism for employees and agents to report suspected criminal conduct without fear of reprisal. This mechanism must be publicized throughout the organization. Many organizations have implemented ethics hotlines as a way to meet this requirement. The CPA, in conjunction with the organization's legal counsel, can test whether such systems are being used appropriately and are accepted by employees.

Delegation of Substantial Discretionary Authority. FSGO indicates that organizations must use due care not to delegate substantial discretionary authority to employees and agents who might have a propensity to engage in criminal conduct. CPAs can help organizations establish appropriate policies and procedures regarding employee background checks. CPAs should counsel organizations to consider performing appropriate background checks on all new hires. Before employees are hired or promoted to key positions, the organization should consider performing an in-depth background investigation. A best practices approach is to perform appropriate background checks periodically on all personnel with substantial authority over the organization's assets or substantial influence over its reputation. Remember, frauds are often perpetrated by well-respected, long-term employees.

Specialist providers of background investigation services are highly cost competitive. Generally, CPAs cannot effectively compete in the low-cost, high-volume segment of this market. CPAs can, however, provide valuable assistance in ensuring that the right cost/benefit analysis is made. For example, extensive, in-depth background investigations normally should be performed on people in high-risk positions whereas less extensive investigations of people in low-risk positions would be appropriate.

Consistent Discipline. FSGO requires that an organization's ethical standards be uniformly enforced. For example, if a lower-level manager embezzles $1,000 through fictitious expense claims and the CEO does the same thing, is the discipline the same for both individuals? If the organization does not have a written disciplinary policy, the CPA might advise it to assemble a team of individuals who have the necessary expertise to develop one. Many organizations have used a disciplinary committee to carry out their policy. Members of this committee might include a representative from human resources, senior management, and the operating unit involved. Once a disciplinary policy is implemented, the CPA could periodically test the procedures to see if they are being carried out consistently.

Response and Corrective Actions. After an actual or suspected criminal offense has been detected, the organization must take all reasonable steps to respond to the offense and prevent further similar offenses. Furthermore, if required, the organization must appropriately modify its compliance program. CPAs can provide consulting services regarding what control breakdown, or lack of control, allowed the offense to occur and what corrective action could be taken. *

W. Max Rexroad, PhD, CPA, is a professor of accounting, and Joyce A. Ostrosky, PhD, CPA, and Linda M. Leinicke, PhD, CPA, are associate professors of accounting, all at Illinois State University. Toby J. F. Bishop, CPA, is coordinating partner of the business fraud and investigation services of Arthur Andersen LLP in Chicago, Ill.

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.