In some parts of the world, bribing government officials is still considered a normal cost of doing business. Elsewhere there has been a growing trend over the past 40 years to make it illegal for a corporation to pay bribes. In the United States, Congress passed the Foreign Corrupt Practices Act (FCPA) in 1977 in the wake of a succession of revelations of companies paying off government officials to secure arms deals or favorable tax treatment. More recently other governments have implemented anticorruption statutes. The U.K., for instance, enacted the strict Bribery Act in 2010 to replace increasingly ineffective statutes dating back to 1879. The purpose of these actions is to enable ethical and law-abiding companies to compete on a level playing field with those that are neither. A cynic might wonder about the real, functional difference between, say, Wal-Mart’s recent payments to officials in Mexico to accelerate approval of building permits and the practice in New York City of having to engage expediters to ensure timely sign-offs on construction approval documents. No matter – the latter is legal (it’s a domestic issue, after all) while the former is not.
Moreover, the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have increased their oversight of bribery. At the beginning of 2013 they jointly issued the Resource Guide to the U.S. Foreign Corrupt Practices Act. For its part, the SEC has stepped up enforcement using its own resources. Recently, it charged a group of bond traders with enabling a Venezuelan finance official to embezzle millions of dollars by disguising the money as fees paid to the broker/dealer to handle apparently legitimate transactions. Tellingly, though, there was another relatively recent bribery issue that involved Morgan Stanley where the SEC declined to include that company in an enforcement action because it had demonstrated diligence to prevent it.
Before anticorruption laws, it was expedient for corporations to pay government officials to close business, get preferred status or prevent punishment. Once the laws were established, that stopped being the case. However, from a management standpoint, compliance with the law became complicated because of the dual nature of the corporation, which is both an entity and a group of individuals. In the case of the latter, when an individual breaks the law, is that person at fault, is the corporation or are both? Regardless of how a case is decided, there can be severe reputational damage to a company found violating the law, and that will have repercussions for corporate boards and executives.
This question leads to the agency dilemma, an important consideration in enterprise risk management. Economists long ago recognized the agency dilemma when the modern corporation separated the roles of its principals (that is, the shareholders) from its management. The agency issue exists where the best interests of the principals are either not aligned or in conflict with the interests of the agents (the professional managers running the corporation). But agency issues also extend to the company’s executives and may be rife in any large-scale business. Within the management group, authority to act independently is delegated down through the hierarchy, and the interests of the lower-level managers may be in conflict with those of senior executives, the board of directors and shareholders. For example, suppose that a local manager believes his performance evaluation, compensation and prospects for promotion hinge on the timely opening of a new facility. Confronted with a culture of payoffs for permits, that manager may try to find a way to pay officials for expedited consideration, especially if he is local to the area. From that individual’s perspective, corrupt activity may be the norm, and he may believe himself to be clever enough to violate company policy without detection.
It was once acceptable for a company to claim that it had a stated policy prohibiting bribery and that executives were ignorant of an employee’s actions. Absent proof to the contrary, that often was enough. However, the FCPA changed this norm, imposing the need for diligence and affirmative actions on the part of companies to prevent employees from breaking the law as well as to detect and report any such violations that do occur (which is how the Wal-Mart situation came to light). Public standards, too, have changed since the 1970s. Despite its self-disclosure after the fact and the steps it took to address the corrupt behavior, Wal-Mart suffered severe reputational damage. Yet even with the likelihood of such potential consequences, our benchmark research reveals that just 6 percent of companies have effective controls for managing reputational risk.
We assert that the most effective control is to prevent illegal activity from taking place at all. Short of that, companies that can demonstrate that they have taken all reasonable steps to prevent a violation of the law are in a better position to claim that the individual, not the company, is at fault.
An organization should have clearly articulated and documented antibribery and corruption policies and procedures, institute mandatory training for executives and managers with signed acknowledgements that they have taken it, and put in place incentives and disciplinary measures. However, these required measures are increasingly insufficient to demonstrate diligence in preventing corrupt activities. Companies also must have a software-supported internal control system that flags suspicious activity immediately and triggers a rigorous remediation process that analyzes, investigates and documents the disposition of each incident. Incidents that are detected long after their commission are more difficult to cope with and pose much higher legal, financial and reputational risk.
Software is available that helps detect activities that violate anticorruption laws and regulations as they occur or shortly thereafter; this is far more effective than waiting for internal audits or (worse still) whistleblowers to uncover malfeasance. To prevent violations of the FCPA and other antibribery statutes, corporations must be able to monitor their financial and other systems for warning signs. These applications take advantage of operational intelligence, a class of analytical capabilities built on event-focused information-gathering that can uncover suspicious actions as they occur. Our research on innovating with operational intelligence shows that companies use an array of systems (led by IT systems management and major enterprise applications such as ERP and CRM) to track events, analyze them, report results and create alerts when conditions warrant them, as detailed in the related chart. The research also shows that about half (53%) use 11 or more information sources in implementing their operational intelligence efforts. In the future, effective FCPA software increasingly will need to look at a wider range of internal data as well as information from external sources and social media to determine, for example, whether a consulting company that just received a finder’s fee is run by or employs a relative of a government official. Today, companies can utilize software from large vendors such as IBM, Oracle and SAP, as well as vendors with FCPA-specific software such as Compliancy and Oversight Systems.
Bribery and corruption are unlikely to disappear entirely. Regardless of anyone’s best intentions, corporate boards and executives can find themselves enmeshed in a scandal not of their own devising. The best defense in such cases is plain evidence that the organization has done everything reasonable to prevent its occurrence and has discovered and dealt with it promptly if it does. Policies and training are vital components, but software can be the extra component necessary to improve the effectiveness of monitoring and auditing to support anticorruption efforts.
Robert Kugel – SVP Research
A recent news release by Robert Half, a staffing company that specializes in accounting and finance personnel, covered what it sees as the most important attributes required for auditors in the 21st century. “7 Attributes of Highly Effective Internal Auditors” covers the people dimension of the profession and focuses on the non-technical requirements of the role, including relationship-building, teamwork, and diversity. No doubt these skills are a must for just about anybody working in a modern (Western) corporation. For me, though, the most important quality on the list is at the bottom: continuous learning. That’s because the role of internal and external auditors will be transformed radically by big data, in-memory processing and other advances in information technology that will make enterprise automated fraud discovery and mitigation a reality before the end of this decade.
A bit of history: Before computers took over, auditors used to examine paper accounting records for suspicious physical evidence, such as erasures, out of sequence entries, blank spaces and different-colored inks. When companies first adopted computer-based accounting systems, auditors lost access to these clues that might point to fraud. Worse, numerous computer-based accounting frauds in the 1960s and 1970s were hard for auditors to spot because the proprietary systems of the day were far from transparent. These frauds led to the formation of the Treadway Commission, which promulgated the COSO framework, which was the underpinning of the Sarbanes-Oxley Act’s Section 404 requirements.
Meanwhile, somewhat ironically, the computer-based accounting systems that once aided swindlers are about to make it much more difficult to successfully commit financial fraud. (I have too much respect for the criminal mind to think for a moment that fraud will be impossible.) Big data and in-memory processing techniques are about to give auditors a clearer and more comprehensive picture of what to audit, and even provide alerts that a fraud is being committed. These systems will provide a digital equivalent to the search for erasures, suspicious sequences and missing items.
Applying automated governance and control techniques to electronic financial systems is nothing new. Since the 1990s, enterprise systems such as ERP have become far more transparent, and this has enabled business to use software to make it more difficult to successfully perpetrate financial fraud. Identity and access controls are an important barrier that ensures only those with the proper credentials are able to perform specific tasks or view sensitive information. Vendors such as Oversight Systems and Infor Approva, for example, provide software that performs continuous monitoring to ensure that control-related processes and policies are being observed. I see these as precursors to more comprehensive enterprise systems that will continuously monitor and review a broader set of data that comes from all financial management systems, including accounting, consolidation, planning and analytics (to name four), as well as supply chain and warehouse management systems and, perhaps, machine data.
Being able to view a comprehensive set of corporate data is a prerequisite for effectively automating enterprise fraud discovery. A completely effective system would be one that gives no false negatives (that is, it doesn’t miss a suspicious indicator) and no false positives (which waste time sending auditors on what turn out to be wild goose chases). Taking an enterprise approach to managing fraud is potentially much more efficient. It is also likely to have a better chance at spotting sophisticated frauds sooner because it should be able to connect many more dots than is currently feasible. Of course, no system will ever be 100 percent effective, so business will still need to employ other, non-automated techniques, including relying on tips. While uncovering material financial fraud is critically important, decades of experience have made it clear that automated systems usually fail in practice because they do not reliably limit false positives. Justifying the investment in automated fraud detection, mitigation and management depends on those systems’ ability to ensure that the cost of uncovering fraud doesn’t exceed the cost of the fraud itself.
The most challenging aspects of implementing an enterprise fraud detection and prevention system involve identifying the things that need to be monitored and measured, creating algorithms or describing patterns that define suspicious events, items, values, ratios or relationships (to name five), and then defining the thresholds and conjoint conditions (to name two) that indicate a situation that is worth investigating. Many of these algorithms and techniques are likely to begin as generic constructs, freely available to all. The art of establishing an “auditor in a box” will be in determining how to apply these algorithms and techniques to an individual company’s situation, and the science will be in the way they are implemented, since every company’s specific IT environment and systems provisioning makes each one a unique set of permutations of the generic model.
Which brings me back to the initial point of this piece: Information technology will transform the role of the auditor radically over this decade. The focus of the Robert Half list on people skills is well-taken, because automation is likely to diminish the relative importance of applying an auditor’s purely technical skills. As a result of automation, the number of people employed in internal audit teams is likely to decline. One can also hope that the hours required to complete an external audit will decline as well, although I won’t argue with skeptics who expect the Big Four and other auditing companies will somehow manage to maintain the number of hours billed. Those who remain in the auditing profession are likely to be occupied in more interpersonal and analytical tasks, and they will need to have more knowledge of IT systems and analytics. Those studying accounting today would do well to ensure they have sufficient background in information technology systems to be able to compete in a future where IT and accounting are even more tightly linked. Those working in audit roles today must take the seventh and last recommendation, to engage in continuous learning, to heart. Otherwise, they’re likely to find themselves in the same position COBOL programmers found themselves in a decade ago, their skills made obsolete by the march of technology.
Robert Kugel – SVP Research