
Twenty Anti-Fraud and Corruption Governance Red Flags

The following reflect my work in assisting regulators and enforcement authorities, and research on governance in companies that have been accused of fraud, bribery, corruption, and other malfeasance such as harassment, nepotism, expense reporting, and excessive compensation. I also draw on my interactions with, and guest lectures by, fraudsters who are currently in prison or who have served time in prison, and experts such as forensic accountants.

Here are the red flags, as I see them, in problematic companies and boardrooms that may contribute to fraud and other malfeasance going undetected or undeterred. Drawing on a speech I gave this month to a bribery and foreign corruption conference, and an earlier speech to corporate directors, the red flags are, in no particular order:

  1. Independent oversight functions (audit, compliance, risk) either non-existent or reporting to senior or operating management.
  2. A board lacking in risk, international and relevant industry expertise, and a paucity of audit committee know-how about how fraud is or may be committed.
  3. A whistle blowing procedure that is neither anonymous nor protected.
  4. A board that does not believe it sets tone at the top. A tone that is not equal and consequential.
  5. A focus on rule and legal correctness, not spirit and intent. Failure to account for exogenous shock, stress, and a different frame of analysis. Directors not speaking up.
  6. Complex design being approved by directors. Directors approving when management does not fully tell them the counter-argument, and directors do not ask (know), or press.
  7. Captured, conflict-seeking, self-dealing, over-compensated, over-tenured directors and gatekeepers who are not objectively independent.
  8. Immature risk management, non-investment in information technology, and defective or non-existent controls, particularly non-financial, reputational and behavioural.
  9. Defective, non-existent, or dominated internal audit function.
  10. Lack of culture and reputation control assurance to the Board. No understanding of tone in the middle, or toxic or bullying work culture.
  11. Non-audited compensation, and improper incentives (quantitative, financial, short-term) that incent risk-taking behaviour. Unconstrained risk-takers and a complacent board.
  12. Clawbacks not at correct threshold of ethics or risk. Lack of risk-adjusted compensation.
  13. Charismatic, dominating, and/or stretched CEOs and CFOs, including distracting external activities, personal issues, living beyond their means, not taking vacations, and undue attention to accounting.
  14. Ethical code poorly designed, controlled, monitored, enforced, assured and reported to the board.
  15. Lack of documentation with explicit limitations and thresholds for material risks, cascading to emerging markets and key suppliers.
  16. Lack of executive sessions, with only independent directors, and with only internal oversight functions (audit, risk, compliance).
  17. Lack of due diligence and integrity controls at the hire or contract stage. Lack of integrity controls over senior management, and capacity for over-ride.
  18. Non-zero tolerance of facilitating payments. Mixed message sent by the board.
  19. Lack of independent, expert validation (board, risk, controls) reporting directly to the board.
  20. Weak or corrupt host country auditors not vetted or overseen by the audit committee, and lack of availability and translation of documents.

Do you recognize any of the above red flags on a board or in a company you serve? Allegations of wrongdoing can put assets and reputation at risk. Regulators have enormous power, and are focusing their sights much more on the role a board plays, or does not play, in overseeing the affairs of the company.

Does your Audit Committee Need a Reset?

I was recently asked to speak to audit committee members in Niagara-on-the-Lake on best practices for audit committees. See my slides here. I was particularly critical of how audit committees and boards oversee risk. Risk systems in many companies are immature. Look at BP, Wal-Mart, JP Morgan, HSBC, News of the World, Barclays, SNC Lavalin and MF Global. These are all risk management failures, which in turn are governance failures.

There are good reasons why risk management fails.

Proper risk management requires internal controls to mitigate risk. (Internal controls are processes and procedures such as segregation of duties, documentation, authorization, supervision, physical safeguards, IT security and prevention of management override.) No one likes to be controlled. Risk management is not intrinsically profit-making. Therefore there is an inherent aversion to risk management by management.

This is why regulators now are targeting boards with greater risk governance obligations because only the board has the authority to control management. Recent bank governance guidelines in Canada require much stronger risk oversight by boards and audit committees. Recent Ontario Securities Commission guidelines offer advice to boards and audit committees with operations in emerging markets, coming out of the Sino-Forest debacle.

There is a strong bias for audit committees to oversee many risks, not just financial ones. No regulation mandates this, however. Audit committees should not oversee risks that they are not qualified to oversee.

Here are a dozen broader questions to determine whether your Audit Committee needs a reset.

1. Do your board and board committees have coordinated coverage, assurance and reporting over all material enterprise risks, both financial and non-financial?

2. For any non-financial risks that your Audit Committee may oversee, do the skills and experiences on the committee match the oversight?

3. Has the Audit Committee proposed a written risk appetite framework, approved by the board, which translates into explicit limitations and thresholds throughout the organization?

4. Are there any acute risks that you do not understand, or over which management is capable of overriding existing controls?

5. Do all Audit Committee members have tenure on the board for fewer than nine years? (Exceeding nine years is a red flag for lack of independence.)

6. Does the independent external audit firm have tenure of fewer than nine years? (Exceeding nine years is also a red flag for lack of independence.)

7. If your company operates in an emerging market, do you have one Audit Committee member with direct experience operating in this market?

8. If your company has over 300 employees and it is a financial institution, or over 600 employees for any other type of company, do you have an effective internal audit function reporting directly to the Audit Committee?

9. Has your Audit Committee benchmarked the company’s risk management and internal control framework against best practices, using an independent external advisor?

10. Do you have an effective risk function that reports directly to the Audit Committee or board of directors?

11. Does your Audit Committee understand fraud implications of accounting policies, methods for making estimates, and compensation metrics?

12. At each Audit Committee meeting, do you meet separately with each of: the CFO; the internal audit function; the risk function; and the independent external auditor, without any member of management present?

When I asked for a show of hands during my lecture, not a lot of hands went up for many of the above types of questions.

If you answered yes to all questions, or even almost all, you likely have a truly outstanding audit committee. You may even wish to apply for a governance award, here.

If you cannot answer yes to the majority of these questions, you have work to do.

Join me in my next blog where I will ask if your Compensation Committee needs a reset.

Regulators turning up anti-bribery heat on corporate boards: But will practices change?

Russia is one of the most corrupt nations in the world (see a recent anti-corruption story on Russia by the New York Times). It ranks 143rd of all 182 countries on Transparency International’s corruption perception index, with a score of 2.4. Canada ranks the 10th least corrupt country in the world with a score of 8.7. New Zealand is the least corrupt country globally, ranking first with an overall score of 9.5. The US ranks 24th and the UK 16th, with scores of 7.1 and 7.8 respectively. See the “Full Table and Rankings,” where countries can be searched via the table. Lower rankings and higher scores mean the country is perceived as being less corrupt.

Prime Minister Harper visited China, India and Brazil to enhance trade with these countries, which are also some of the most corrupt nations in the world, ranking 95th, 75th and 73rd respectively. Libya, which involved the alleged Montreal-based SNC Lavalin bribes of some $56 million, comes in at 168th. Within these countries, the governments themselves are the net beneficiaries of much of the corruption, so these politicians are far from motivated to impose reform.

Is it realistic to expect that Anglo-American nations, such as the US, UK and Canada, can impose “Western” will on the very way business is done, and has been done, in some countries for centuries? And if things will not or perhaps cannot change, should home country boards of directors be held responsible for systemic local corruption that may be beyond their control?

Regulators are taking corruption and the role of boards and senior management very seriously. The Securities and Exchange Commission and Department of Justice recently released 130 pages of guidance (see the PDF and other coverage here and here) on the Foreign Corrupt Practices Act (“FCPA”). The US has had the FCPA since 1977. Enforcement and penalties have gone up dramatically in recent years. The UK Bribery Act, from 2010, has some of the most stringent bribery laws in the world. In Canada, we have The Corruption of Foreign Officials Act (since 1999) and the recent guideline from the OSC for issuers operating in emerging markets (see the PDF).

Emerging economies are future markets for Canadian companies. The Prime Minister has a vision for Canada to be an energy supplier superpower. For this to happen, Canada will shift its trade to markets with hundreds of millions or billions of consumers and much higher growth rates than our current major trade partner, the US, which could be coping with austerity due to its debt for years to come. Harper was in India last week to boost trade.

What is clear is that there is an enormous disconnect between the home country regulations now being imposed, and host country actual practices on the ground.

What should boards that have operations in emerging market jurisdictions do? Six things. First, if you are doing business in such a market, you need a director with extensive on-the-ground experience at the board table, who can tell you and management what the hotspots are. You should move a board meeting to the jurisdiction once a year so directors can get a first-hand look. Second, boards must make it crystal clear to management that if the company is not going to bribe, management must walk away from certain business. And the board must support this and not have incentives that promote bribery. Third, the internal controls over financial reporting must be as strong in the emerging market as they are in the home market. Investment and resource commitments need to be made. Fourth, boards must have their own experts to scrutinize off-balance sheet and related-party transactions and complex structures; validate and assure internal controls; and provide foreign language document translation. Fifth, local auditors should have the same oversight, scrutiny, and as necessary direct contact with the audit committee that the home auditors have. Lastly, there needs to be zero tolerance by the board, communicated to each employee and supplier. The UK is even banning facilitating payments, which are regarded as a “tip,” as these may be bribes in disguise.

Companies and politicians are feeling the pain, including on Canadian shores. The Wal-Mart bribery probe has widened beyond Mexico to include China, Brazil and India. The RCMP is investigating the SNC Lavalin bribery allegations, on which I advised a law firm suing the company. I blogged about Sino-Forest, a case of alleged Chinese fraud by a Canadian-listed company. In Quebec, the corruption inquiry has cost the Mayors of Montreal and Laval their jobs and this is only the beginning. There are allegations of kickbacks in cash that may reach other more senior politicians. And Ontario is not immune either. A senior Canadian director remarked that Ontario has a reputation for being “the best place to carry out a stock fraud in the industrialized world.”

Clearly, more work needs to be done. Canada’s corruption ranking on Transparency International may go down in 2012 instead of up.

Bribery, Cyber-Security and Derivatives: Is Internal Audit up to the Task?

Do internal auditors have the resources, skills and authority necessary to do their job? I wonder. I was asked recently to be an expert witness in an alleged bribery case. Internal audit is one of the first places I look to when assessing governance failure because they are the eyes and ears of the board.

I asked a question recently at two auditing conferences I spoke at. How many auditors use Twitter? In both cases, only one hand went up. Yet we know cybercrime is widespread, is under-reported, and management may not even know it is happening. It is a top concern of boards. How can internal auditors assure internal controls – not only over cyber-security but social media – when they themselves may be technically illiterate? IT literacy and data mining were two of the top skills required by internal auditors in a recent survey.

What about derivatives used by traders? How many auditors understand the use of derivative products such that they can attest to the internal controls over their use? The responses I received from my audiences were not encouraging.

What about corruption risk? How do auditors treat working notes, delegation to foreign auditors, language barriers, and do they even understand foreign practices? Do they visit the jurisdiction or audit from an office in Canada? The OSC came out with a scathing report recently about emerging market risks, chastising not just boards but the audit and underwriting professions.

What about fraud? Evidence from the Conference Board is that many whistle-blowing programs don’t work and aren’t used. Now whistle-blowers can go directly to the SEC in Washington, completely bypassing possible retaliation, flawed investigations or toxic workplaces.

Auditors cannot choose which internal controls they validate. Regulatory authorities are clear: every activity of every entity should fall within the scope of the internal audit function. This includes compensation structure of risk-takers. Combined assurance over all material risks should be undertaken.

Management may have a vested interest in starving internal audit or compromising its objectivity with management responsibilities. Regulators have been clear here also: auditors, both internal and external, must maintain their independence from audited activities. They cannot assess their own work.

If the internal audit function is weak, or the chief audit executive does not have the experience or stature, or management disregards internal audit findings, this is the fault of the audit committee and the board. The audit committee should approve the head of internal audit, his/her compensation structure, the budget, work-plan and most of all the independence of the internal audit function. If the audit committee and ultimately the board does not ensure this, it is not doing its job. When or if governance failure happens, scrutiny will follow.

Derivatives May be Ungovernable

The recent loss of $2 billion by JPMorgan confirms what is now a blindingly obvious governance reality. Boards of directors do not understand derivatives and cannot control management’s use of them. The same may be said for regulators.

One job of a board is to identify risks and ensure a proper system of risk management. If you cannot do this, you should not be on a board. This means that a director needs to assess the adequacy of the design and effectiveness of internal controls to mitigate the risks. Of the over 300 interviews I have undertaken in my research, including directors of large banks, only one director claimed to understand complex derivatives. How can directors assess internal controls when they do not understand the very instrument itself?

Other than Jamie Dimon, CEO of JPMorgan, not a single director of the board has any experience in banking. See the roster of directors here. Even if some directors were from the sector, it is debatable whether they would still understand the complexities of these products. For a basic explanation of what derivatives are, see here. U of T Rotman professor John Hull, a derivatives expert, has stated in an email to me “There is no question in my mind that a large financial institution should have on its board people (perhaps 2 or 3) who understand derivatives and other complex financial products.” Unless bank boards that oversee derivatives are prepared to have subject matter experts on their board who can effectively question management and insist on proper risk controls, other governance or oversight structures are needed.

Not only are boards incapable of controlling derivatives, but regulators may not be any better. Warren Buffett has said “Central banks and governments have so far found no effective way to control, or even monitor, the risks posed by these contracts. In my view, derivatives are financial weapons of mass destruction, carrying dangers that, while now latent, are potentially lethal.” See Warren Buffett on Derivatives.

The question is what have we learned from 2008? Banks are bigger than ever, with most American mortgages concentrated in only a handful of banks, yet the risky bets and use of complex derivatives continue. Harvard law professor Elizabeth Warren yesterday called for a new version of the Glass-Steagall Act. Yet independent Senator Bernie Sanders pronounced that Wall Street “runs” the Senate, implying that any attempt at further regulation would be forestalled. Mitt Romney has vowed to unwind Dodd-Frank on his first day as President. Look at the long list of political donations made by JPMorgan in 2011, here. And this is just one bank.

If derivatives are going to continue, regulatory conflicts of interest need to be addressed and boards need to have the directors with the expertise to oversee them.

Does Canada have a White Collar Crime Problem? A Red Flag Checklist for Directors

“This city, this province, this country has a reputation of being the best location to carry out white collar crime, corporate fraud, in the industrialized world.”

These public words are not from some scholarly journal but from a hard-hitting, no-nonsense corporate director, Spencer Lanthier (PDF profile), as he received his award at the annual Institute of Corporate Directors dinner last year – a sort of lifetime achievement award for a select few directors. Guests at my table were shocked to hear this, as was I, so I followed up with Mr. Lanthier for an illuminating interview. I also went for lunch with former colleague Al Rosen, who wrote the book “Swindlers,” which I am now reading and which is equally eye-opening.

Flash-forward to 2012, where the Nortel trial is now underway to examine what role directors or officers might have played in that alleged fraud. See a headline from last week: “Toronto lost nearly $1M to fraud in 2011, auditor-general reveals” and the twelve cases identified by the auditor general. See this excellent report (PDF), courtesy of Tim Leech in my LinkedIn group Audit Committee.

Here are some questions: Do directors on boards play a role in detecting and deterring fraud? Can they be held responsible or even liable if they do not fulfill this role properly? Increasingly the answers are “yes,” especially given UK and US legislation since the financial crisis. I remember one of my very first board meetings I observed. It was of a bank. At the break, a director got up and shook my hand. He leaned over and whispered in my ear that the number one role of a director was to watch for fraud. I never forgot this.

Here is a list of 10 red flags and suggestions I have compiled based on my work recommending governance enhancements for companies accused of fraud or other malfeasance, including very well known Canadian companies.

1. The Audit Committee must fully understand how the company’s business model, estimates and judgmental choices by management give rise to potential manipulation of financial reporting by that management. Audit Committee members should be selected and educated on this basis. Financial literacy is a low bar and is not enough. Educate yourself on how fraud happens if you are a director or audit committee member. If necessary, hire an expert to report to you individually or in closed session with the Audit Committee without any member of management present.

2. If your organization does not have an internal audit function, install one appropriate for your organization. The head of Internal Audit must report directly and confidentially to the Audit Committee and cannot be overridden by any company officer. If necessary, Internal Audit should report directly to the board.

3. The Audit Committee must approve the independence, budget, work-plan and succession of the head of Internal Audit. The board should direct the CEO and CFO to commit resources for further design and testing of internal controls whenever necessary.

4. As a director, you are entitled to any piece of information and access to any personnel in fulfilling your duties under any circumstance. If any manager blocks you from doing your job, this is a red flag. Go on unscripted company tours unaccompanied by management to test for tone and culture whenever you can.

5. Direct management to conduct a survey on company culture, assisted by an independent firm, with results reported directly to the board. Act on the results. You may have a toxic workplace with undue influence, internal control override and bullying and not even know it.

6. The independent whistle-blowing hotline must have a protected mechanism for people to come forward. When fraud happens, fellow employees know and are your best source of defense. If employees do not have confidence they can come forward and have a proper investigation conducted, they won’t and fraud will fester. Whistleblowers can go to regulators directly (in the US) now and participate in a monetary reward. If they don’t have confidence in the hotline, they will quit, acquiesce or go directly to the regulator.

7. Direct independent advisors (consultants, and now auditors) to conduct a risk assessment of all management compensation packages to ensure compensation is not driving potential fraud, such as bonuses awarded on profit.

8. If any company officer is not 100% transparent with you, this is a red flag. You should meet in executive session without management in the room to discuss your concern, which is likely shared by other directors. If the CEO or CFO lack integrity, the tone at the top is broken and you have a serious problem. You do not need a reason to fire your CEO.

9. Your responsibility as a director is to direct if and when necessary. Legislation gives you this power but protocols enable it. If management has undue influence and keeps you at bay, your protocols are likely deficient. Boards, committees, chairs and directors all need terms of reference now. Don’t let management draft these important documents as they have an interest in not giving you the power you are entitled to by law. Draft your own protocols or have someone independent do it if you have a concern or want best practices.

10. Above all, be vigilant and assertive if or when necessary. No amount of compensation can ever make you whole for the reputational damage inflicted and protracted litigation that could follow allegations of fraud or other misfeasance for a company of which you are or were a director. The number one regret directors have is not speaking or acting when they could have or should have. Don’t let this happen to you and follow the above steps.
Audit Committee and Risk Management Oversight Questions for Boards

Many of the questions below are based on hypothetical and disguised but plausible scenarios that I researched, or upon which I directly advised.

Let’s say a worker is responsible for maintenance of a machine, but because of time pressures, cuts corners and does not address fatigue (or wear and tear) in the machine, and no one oversees this person’s omission. The machine fails and causes the failure of other machines nearby. The company is in an industry where, if that machine fails, 300+ customers will likely die.

Or let’s say it is another machine where, if it is not treated properly, the company’s product can be poisonous. Or another machine where, if procedures are inadequate or not followed, property destruction and death can result. Or another process in an institution, where if internal controls are inadequate or not implemented, millions of dollars of losses can result.

Aside from senior management, is it fair to hold the board responsible for the above failures in risk management and internal controls, in the above hypotheticals? Is it fair to hold the committee chair or committee overseeing this risk responsible, in part?

I am not sure. It would depend on the actions (or inactions) vis-à-vis best practices and legal tests. One thing I can say, however, is that I have had the good fortune of interviewing and seeing how one or two excellent board or committee chairs, or directors on a board, can completely reform and turn around risk management of an entire large, complex organization by pressing management and holding them accountable. It is a pleasure to watch and see how effective a strong board and strong directors can be. This is how boards should be.

I recently interviewed directors and senior management of an important organization, along with nine leading Canadian directors and audit committee chairs. Here are some questions that address the above scenarios and incorporate learning I have developed from my research and assessing audit committees.

  1. Risk Management Coverage and Assurance Mapping

    Is each material financial and non-financial risk (no more than 12-15) covered (via explicit mapping) through identification, treatment, independent assurance and upward reporting? Do board guidelines and committee charters cover off all material risks so none slip through the cracks?

  2. Whistle blowing and Code Compliance

    Employees may now go directly to regulators without utilizing the company’s internal investigation procedures, and participate in a monetary reward. Does the company code of conduct have fair, impartial, credible investigation procedures that employees trust and actually use? Does the Audit Committee exercise effective oversight of ethical reporting?

  3. Internal Audit

    Does the Audit Committee approve the appointment, compensation, work-plan, independence and accountability of this function? If not, why not? This person should report directly to the Audit Committee.

  4. IT Governance

    Is IT risk and opportunity management adequately overseen by the board (or a committee), including over IT investment, cloud computing, social media, security of information, privacy, business interruption and crisis planning? Does management (and the board) have competencies in these areas?

  5. Stress and Scenario Testing

    Is the capital structure, quality of earnings and revenue tested under various adverse conditions (including regulatory, competitor and contagion), such as “what if” or “when”?

  6. Audit Committee Bench Strength

    Does the Audit Committee have the competence and courage to understand and constructively challenge the basis and rationale for management’s estimates, assumptions, judgments and forecasts, both in terms of potential manipulation by management, and the fairness, balance and quality of financial disclosure?

  7. Chair Reporting to the full Board

    Does the Audit Committee Chair (and other committee chairs overseeing non-financial risk) submit a written report that enables non-committee members to understand the deliberations, recommendations and reporting, and ask questions and receive satisfactory answers?

  8. Auditor and Financial Management Bench Strength

    Does the board have confidence in the quality of finance and risk management, and external and internal audit (including integrity, competence, responsiveness and reporting)? The board should oversee all of these positions, subject to shareholder approval for the external auditor.

  9. Internal Controls over Non-Financial Reporting

    This area may be a weakness for many boards. Has the regime for financial reporting and assurance been adopted for the most important non-financial reporting risks of the organization (e.g., operations, compliance, environmental, social, reputation)? Has the effectiveness of the design and implementation of internal controls been tested on and reported to the board or relevant committee, for these areas? Boards should press management for this reporting and obtain independent (outside) assurance for risks of concern, to put the heat on management.

  10. Undue Influence / Reliance, Integrity and Fraud Risk

    Are there any pockets within the organization or executives who may have the opportunity, pressure or incentive to take inappropriate risks, or engage in potential fraud, that may be exacerbated during an economic downturn? As two audit committee directors said, the systems must be “person-proofed” and run on “auto pilot.” Can the board demonstrate that it has taken reasonable steps to satisfy itself that executive officers possess integrity? (The board is responsible for satisfying itself that executive officers have integrity under NP 58-201.)
Back to our original hypothetical scenarios. Directors have said to me, “we missed it,” or that you cannot protect yourself against a “rogue” or someone who is intent on committing fraud. I am not sure these answers are entirely satisfactory.

It seems to me that if the above steps are followed, and a culture of risk management and tone-at-the top is set by the board, there is a much lesser likelihood that “we missed it” will occur.
