In a settlement highlighting the need for public companies to implement – and adhere to – effective internal controls, United Airlines (“United”) recently paid a $2.4 million civil penalty to the Securities and Exchange Commission (“SEC”) for failing to follow its own compliance policies and procedures designed to prevent corrupt payments.1 By allowing management to bypass its internal approval process and authorize a money-losing route from Newark, NJ, to Columbia, SC, in exchange for benefits from a senior official with the Port Authority of New York & New Jersey (“Port Authority”), United failed to enact an adequate system of internal controls and, as a result, prepared inaccurate accounting books and records. Coupled with a criminal Non-Prosecution Agreement with the United States Attorney’s Office for the District of New Jersey whose terms contain a $2.25 million penalty and multiple remedial anti-bribery compliance requirements,2 the case draws parallels to those seen in the Foreign Corrupt Practices Act context3 and illustrates the need for companies to impose and enforce robust internal controls.

I. Quid Pro Quo: Transportation for Expansion

In September 2012, United’s request for approval for a new hangar at its Newark Liberty International Airport hub was under consideration by the Port Authority, a government organization that operates transportation and other facilities in New York and New Jersey. On several occasions, the then-Chairman of the Board of Commissioners of the Port Authority, David Samson, had communicated through a third-party consultant his desire for United to reinstitute a non-stop flight route from Newark to Columbia, where Samson maintained a vacation home. Despite United having previously discontinued the route due to poor financial performance, its then-Chief Executive Officer bypassed the standard process for initiating new routes – which included an analysis of financial forecasts and other market data, as well as approval at multiple levels including the Chief Revenue Officer and other senior executives – and unilaterally approved it. On the very same day, the Port Authority’s Board of Directors signed off on United’s request for a lease on a new hangar in Newark.

In addition to bypassing United’s standard business approvals for new air routes, the Chief Executive Officer ignored a requirement in United’s Code of Business Conduct which called for transactions that benefitted a government official to be approved in writing by the Audit Committee of the Board of Directors and disclosed to the SEC and on United’s public website. In addition, legacy Ethics and Compliance Guidelines that remained in force from United’s merger with Continental Airlines provided that certain gifts or benefits to government officials required a written exception by the Director of the Ethics and Compliance Program and prompt disclosure of the transaction to the stockholders. By unilaterally approving the Newark-to-Columbia route, the Chief Executive Officer also disregarded these requirements.

United continued the route from September 2012 until January 2014, when it was ultimately terminated at a total loss of approximately $945,000 (including opportunity costs). Samson, a former New Jersey Attorney General, pleaded guilty to bribery for using his authority to pressure United to institute the non-profitable route for his personal benefit, and is awaiting sentencing.4 Despite having compliance policies and procedures in place to prevent such a quid pro quo arrangement with a government official, United’s internal controls failed to prevent exactly such an arrangement from being put in place and resulted in a nearly $1 million loss over several years.

II. Managing Management Override

Even a perfectly designed internal control environment will not operate effectively when management can circumvent or ignore controls intended to prevent fraud or other misconduct. The American Institute of Certified Public Accountants describes management override of internal control as the “Achilles’ heel” of fraud prevention, highlighting the need for a “diligent audit committee [to] evaluate whether oversight mechanisms are in place and functioning that will prevent, deter, or detect management override of internal control.”5 Similarly, the Public Company Accounting Oversight Board requires external auditors to perform specific procedures during every audit to attempt to detect management override, including journal entry testing, the review of account estimates, and evaluating the business rationale for significant unusual transactions.6 This last procedure – reviewing the business rationale for significant unusual transactions – likely would have invited additional inquiry into United’s unprofitable Newark-to-Columbia route.

Management override keeps auditors up at night because most major fraud cases are perpetrated by senior members of management circumventing or overriding internal controls. Because the internal control environment is designed, implemented and maintained by management, eliminating the risk of management override entirely is not a plausible goal. Nevertheless, proper oversight and continual monitoring by the Board of Directors and the Audit Committee, in particular, are necessary.

III. Conclusion

Preventing management override of internal controls presents multiple challenges to legal and compliance teams – it is uniquely difficult to make sure the ones charged with creating and maintaining an effective control environment are not abusing their positions and circumventing the controls they oversee. The SEC’s action against United serves notice that an effective internal control environment requires that all employees follow the rules, and that no one is “above the law” (even in the C-suite). Not only must public companies have appropriately designed internal controls that are operating effectively, but the Board of Directors and, particularly, the Audit Committee must reasonably and appropriately inquire and monitor for potential management override of the control environment they are entrusted with overseeing.