Fraud Risk Management in Ancient India

Presently, the Serious Fraud Investigation Office of India lacks sufficient powers to initiate investigations and prosecute. The Central Bureau of Intelligence isn’t independent due to which politicians escape prosecution for corruption and money laundering. Indian police force Economic Crime wing doesn’t have expertise in dealing with electronic and financial frauds. The legal system is pathetic and takes a long time to prosecute white-collar criminals. India has a shortfall of trained fraud investigators as it hardly has any courses for students in this line.

All these aspects may make you think that Indians are new to the concept of fraud risk management. This is far from the truth. Kautilya addressed financial fraud risks in 4th century BC and most of the concepts are still used presently. Let me narrate you some of the concepts he formulated in earlier times.

1.      Formation of a Central Investigation Agency

Kautilya proposed a central investigation agency for a kingdom to do espionage work. A network of spies located in different parts of the kingdom reported information to their handlers. The handlers in turn checked the authenticity of the information from three sources and if correct reported to the agency. The spies did not have direct contact with the agency to conceal true identities..

Spy selection depended on character and social position. Spies were recruited from all sections of society. Spies were positioned in all the departments and commercial ventures of the king to ensure that the head of the departments do not abuse their power or cheat the king. Women were considered particularly useful to penetrate wealthy households to get the inside story. In current India, there is a scarcity of female fraud investigators as it now considered a masculine job. However, in ancient India, women investigators and spies were quite common.

2.      Types of Financial Frauds

Kautilya identified 40 ways of embezzlement. Some of them are mentioned below:

  • Overpricing and under-pricing of goods
  • Incorrect recording of quantity of raw material and other stocks
  • Misappropriation of funds
  • Teaming and lading
  • Misrepresentation of sources of income
  • Incorrect recording of debtors and creditors
  • Incorrect valuing and distribution of gifts
  • Inconsistency in donations and distributions for charity
  • Misappropriating goods during barter exchange
  • Manipulating weights and tools for measurement
  • Misrepresentation of test marks or the standard of fineness (of gold and silver)

It is interesting to note that Kautilya mentioned most of the frauds that occur in accounting and preparation of financial statements. It shows human psychology has remained the same. However, in India the value system has deteriorated that has resulted in increased fraud and corruption. In olden times, the value of honour was held high. For example, the prime thought in Hindi was - “prann jiye pur vachan na jiye.” (meaning – it is better to lose one’s life rather than go back on a verbal promise given)

3.      Mechanism for Investigation and Punishment

The investigation process was quite similar to the current process followed. Information was initially gathered regarding the fraud from informants, spies, whistle blowers and audits. Background information of the suspects was gathered by sending spies to their residence and business premises.

Subsequently, the people involved, the suspects and witnesses were interrogated. Kautilya suggested separately examining ” the treasurer (nidháyaka), the prescriber (nibandhaka), the receiver (pratigráhaka), the payer (dáyaka), the person who caused the payment (dápaka), the ministerial servants of the officer (mantri-vaiyávrityakara)” for financial frauds. If any person lied, s/he received the same punishment as the main culprit.

Another fascinating aspect is that India doesn’t not have any law similar to the whistle blower provisions of Dodd Frank Act. However, Kautilya proposed -  “Any informant (súchaka) who supplies information about embezzlement just under perpetration shall, if he succeeds in proving it, get as reward one-sixth of the amount in question; if he happens to be a government servant (bhritaka), he shall get for the same act one-twelfth of the amount.”

The punishment for fraud depended on the nature and value of fraud. It ranged from nominal fines to death penalty. The victim was compensated for the losses suffered.

Closing Thoughts

The processes proposed by Kautilya for fraud detection were followed even until the Moghul rule. However, these were dismantled during the time of British Rule as the Indian Penal Code was formulated.  The difference between Mogul rule was that Moguls settled in India, marriages took place between Indian royalty and Mogul rulers and the culture got integrated over time.

The British came to rule for economic purposes. They wished to take advantage of India’s natural resources and vibrant economy. They levied their own rules and did not integrate them with the Indian culture. Hence, over time the Indian value system was lost or kept for namesake only. Overtime, as even after independence the British education system was used, a split ethical value system developed between personal values and business ethics. Therefore, corruption increased in the business environment till it became all-pervasive in the society. It is going to take a lot of effort to change the system now. No short-term solutions  will work.

Retaliation faced by Risk Managers and Auditors in India

Washington Post article “Maryland parks agency demotes auditor after spending questions, sources say” again brought to the forefront the retaliation auditors and risk managers face while doing their job. According to the article – “Abinet Y. Belachew was placed in a staff auditing position and his $124,000 salary was cut by more than $30,000, according to records from the agency after he questioned spending by top agency officials“. This is nothing new, the Ethics Resource Center survey of 2011 of US companies states that – “Almost one-fourth of those reporting bad behavior said they experienced some form of retaliation, up from 15% in 2009 and only 12% in 2007.”

The most surprising bit is, that there are hardly any such cases reported by Indian media. At most, media reports if a bureaucrat is fired or transferred from a critical position after a damaging disclosure of government wrongdoing. In respect to retaliation on risk managers and auditors in private sector, there is no coverage.

One can presume either that there is no retaliation or Indian auditing institutes haven’t lobbied to protect their members from retaliation. Indian institutes, namely, Institute of Chartered Accountants of India, Institute of Company Secretaries of India, etc. are governed by Ministry of Corporate Affairs. That could be reason for lack of awareness and action in this field. Moreover, India doesn’t have a whistle-blower protection act and a number of activists have been shot dead in broad daylight. Though, the listing agreement has a clause for whistle-blower protection, it is more in name only. Additionally, law and enforcement agencies are not without corruption. Hence, the cumulative affect is that private sector auditors and risk managers are left without recourse when facing retaliation.

1. Nature of Retaliation

Auditors and risk managers in India, therefore, have far tougher choices to make than their counterparts in the Western world. Doing the right thing and reporting against management, can cause more than just a job loss. In India, following methods are employed for retaliation against risk managers, auditors and whistle-blowers. These sometimes continue even after termination of the employee for a number of years :

a) Downgrade or transfer the individual from the position.

b) Isolate the person, turn the team against the person and bosses give threats of job loss.

c) Spread rumors about personal life of the person. For instance – if a person is married they inform the spouse about an affair, or if the person is single, they spread rumors on sex life and sexual orientation. Take photographs in compromising positions to blackmail the individual.

d) Spread rumors in professional circles to destroy the person’s credibility. The person is told that previous employers will be asked to do a negative background verification. After terminating the employee, organizations still do and even inform head hunters not to process the candidates papers.

e) Use detectives to tap phones, including mobile phones;  hack personal systems to monitor correspondence and internet activity. Inform individual’s contacts not to respond to phones and emails, and threaten if they do so.

f) Enter employee homes without authorization, install bugs and cameras to watch personal activities. Even steal items to make employee feel more vulnerable.

h) Pay relatives, friends and neighbors to stalk the person – physically, on phone and internet - to cause a psychological breakdown. The person is isolated and humiliated publicly on every occasion to instill fear in others.

i) Threaten the person with murder and rape to ensure that they do not go to law enforcement agencies or media. Bribe law enforcement agencies, attorneys and media to not accept the complaint and report the same.

j) Ensure all other sources of income are stopped as the person becomes financially liable and cannot fight back.

k) Try and make the person physically sick, by food poisoning and other means. Deny medical aid or ask doctors to provide incorrect medicines for treatment.

l) Lastly, in rare cases the person is murdered.

Considering the risks of retaliation and the unwritten rule that reports should be published according to management directives, auditors and risk managers deal with internal conflict at multiple levels. It is at one level, between doing the right thing and progress within the organization. At another level, it is about passion for auditing and risk management versus fear of endangering career and life. Overall, the choice is between following an ethical path for the benefit of society versus the option of compromising them for self-interest. With the high-level corruption in Indian society, it appears to be losing battle as a lone person battles mighty organizations.

2. Some Suggestions

The choices would be simpler if institutes provided mentoring and support in dealing with such cases. The institutes ensure that all members sign of on a code of ethics; however, do not provide the training and support on dealing with ethical dilemmas and protection against retaliation.  In this aspect, Indian institutes would do well to adopt practices of international institutes.

Moreover, international institutes have a stake in developing these practices in India. Not only Indians are members of the institutes, a number of multinationals operate in India. As multinationals are aware that it is easier to break the law and rules in India, due to high-level corruption and limited education on risk management areas, they are more prone to undertake unethical behavior and accounting practices in Indian and other emerging countries. Indian employees of multinationals are unlikely to whistle-blow on international law enforcement agencies websites as most don’t know where to report and the risks of reporting are high. Without support at local level, it is difficult to report at international level.

Closing Thoughts

In the end, the decision each risk manager and auditor needs to take is based on the reason for joining the profession. In India, chartered accountants earn equivalent to doctors, engineers and MBA’s. If they joined the profession to earn well and climb the corporate ladder, they may willingly compromise ethical standards. On the other hand, if they joined because they were passionate about the subject and wished to make a difference, they may compromise their own self interest for the betterment of society.

Overall, retaliation is tough to deal with and a higher level can make many buckle down in fear. Auditors and risk managers have a lot of power in their hands to ensure good practices are adopted by the corporate world, it is best to use it wisely. People need to be educated that by retaliating against risk managers and auditors, they are playing in the hands of people using unethical practices, thereby risking their own investments and well-being. The institutes should build the public awareness about the same.

References:

  1.  Maryland parks agency demotes auditor after spending questions, sources say – Washington Post
  2.  Ethics Resource Center 2011 Survey

Recruitment in Dysfunctional Organizations

Six months back you landed your dream job, the pay was great with an incredible job profile and a company brand name to match. Now you are not sure what you have gotten yourself into. You are perpetually asking yourself – should you continue or quit? You are asked to compromise personal values on a daily basis for showing loyalty to your boss and company. The situation that you are in, is not out of the best practices of human resource management or ethical culture, you have joined a dysfunctional organization. Putting it another way, an organization with a deviant corporate culture.

Employees face incredible personal and professional risks on joining an organization with a deviant culture. On the face of it, initially, everything looks unbelievably good. As the layers are peeled off, the employees feel they are in a sinister environment and are swallowed in quicksand. The walls of silence maintained ensure that employees do not discuss these concerns openly and fear of retaliation forces them to comply. Employees deceive themselves into believing that these unethical activities they are doing are just for a short time, and the situation will improve in a short while. A cold hard look is required in such circumstances, to understand the symptoms and take a decision.

The paper “Organi-cultural Deviance: Socialization of Individuals into Deviant Culture”, describes the process of individual indoctrination into the culture. A new employee goes through five stages of socialization into the workplace according to Wanous research. These are:

a) confront the reality of the new job –newcomers adjust their expectations to the reality of the job;

b) achieve role clarity-newcomers learn and negotiate the expectations and requirements of their roles in the organization;

c) locate oneself in the organization-newcomers learn how their work contributes to the work of the organization;

d) assess success-newcomers assess the value of their contributions to the organization; and

e) during the stages of socialization, the individual learns the language of the organization.

The above mentioned process is adopted by employees in a regular organization in the probation period, that varies from 3-6 months in most companies. In a deviant organization culture, the employee starts feeling the social pressure to comply to unethical practices and lose individual identity in this period. The process of indoctrination describes how the individual “self” is socialized into a deviant organization culture. The stages are as follows:

1) Stage I - In normal course of action, an individual has various separate identities, that they maintain to lead a fulfilling life. For instance, the employee has a work identity, a social identity, a family identity etc. In a deviant organization, these identities are slowly stripped away, and the employee is completely dependent on the organization identity. The employee is lured by big rewards to compromise their individual identity for the organization.

Since, the employee is still in probationary period, the fear of job loss makes them succumb to group think. The organization or group attempts to brain wash the individual by giving justification of the behavior for altruistic purposes. For instance, they will ask to humiliate or harass another person or employee, to improve the harassed person’s behavior. The justification given will be that it is for the betterment of the victim, rather than accepting that they are indulging in socially unacceptable behavior. Further on, they are asked to indulge in degrading activity for the sake of fun. In the book “The Wolf of Wall Street” Jordon Belfort describes activities at Stratton. He mentioned that seniors in the company had free for all sex discussion in the morning meetings and to boost morale arranged depraved acts. For example, in one case, they cut hair of female employee with her agreement in the conference room. Women employees especially have a tough time as they are mostly treated as sex objects.

2) Stage II -  In this phase the employee becomes dependent on the organization and the psychological chains tighten. The idea initially sold to the individual is that the group has an altruistic purpose and is for the benefit of the society.  The individual is forced into thinking that the rules of the group must be obeyed at all personal costs and no dissenting views are permitted. Employees are rewarded amply for complete compliance and punished severely for disagreement and disobedience. The individual is encouraged to share vulnerabilities and weaknesses with the group, and these are used to exact compliance to group. Simultaneously, fear and threat are used if an individual wishes to leave the group. The group follows its own code of conduct and uses loaded language and signs to communicate.

In this situation, the individual is indirectly commanded to put his/her personal and family needs over the group or organization. An article of Vanity Fair titled “Lehman’s Desperate Housewives”  narrates the situation from Vicky Ward’s book -”The Devil’s Casino: Friendship, Betrayal, and the High Stakes Games Played Inside Lehman Brothers” at Lehman before collapse. It says -

Lehman Brothers C.E.O. Dick Fuld expected his top executives to get married, and stay married. For their wives, the firm was both fishbowl and shark tank, with unwritten rules about the clothes they wore, the charities they supported, and the hikes they took at the company’s Sun Valley retreats.

One of the senior executives wife described her child delivery with these words -

“I was in labor with our daughter and had to lie there without him … but I wouldn’t get mad at him—he had called the entire Hong Kong office in for a meeting. We knew that it would have been used against him. If you made a personal choice that hurt Lehman, it was over for you.

Stage III – In the last stage, the indoctrination is complete. The individual’s motivation, judgments and perceptions are transformed as the person becomes a member. The individual derives his identity from the group or organization and opinions from outside the group are completely discarded. Any information that contradicts  the groups perception is considered harmful for group unity and the sender/ giver of the information is attacked. The individual has no freedom of action and blindly obeys instructions of the group. Unfortunately, the leaders and existing members of the group have so ingrained the thought pattern of socially and psychologically harmful behavior that they lose insight of right versus wrong.

For instance, as in the case of Enron or the more recent “News of the World” phone hacking scandal, seniors knew of the unethical and fraudulent activities being conducted in the organization. Some even know the details but will not take any concrete action to bring change.

Whether this culture sets in large organizations or small social groups, the psychological pattern is established for deviant behavior. The longer the person is a member of the group, the less probability exists of the person being able to see a true reflection of themselves. All inputs from group outsiders of logical, rational and socially acceptable behavior are disregarded and members adopt a posture of willful blindness. The members continue to compromise their morals for financial, physical and social security.

Closing Thoughts

Deviant cultures are set up by leaders in powerful positions with derailment attributes. However, once the culture is established in a social or corporate organization, it is hard to re-establish normal behavior patterns. People have a choice to either comply or be isolated. To avoid the social, physical and financial threats most compromise their morals and show unquestioning alliance to the more powerful people. Either an internal revolution by the members or  intervention from external parties can break the psychic trap established in such organizations. An individual’s best option is not to join such a group or organization, and if they have mistakenly joined it, leave at the earliest possible point. Else, the life course for unethical and criminal behavior is established without a return ticket.
References:

A Philosophical Discussion on Murder of Whistle Blowers

This Sunday, Anna Hazare is fasting in Delhi in support of Whistle Blower Protection Act. Indian laws don’t provide for whistle-blower protection and the damage is evident. Over the years, numerous whistle-blowers have lost their life. A few cases are covered up as personal dispute due to the high level corruption in the system.

Corruption benefits the majority, so does it make it acceptable? Legally, public will say – of course not. But even Hazare’s big protests in 2011 have lost public support. The government used delay tactics and maligned the name of key leaders of his team. Most state leaders didn’t want a Lokayukta in their states. There is no political will among the politicians, bureaucrats and business to pass a strong bill against corruption.

Then it isn’t surprising, that even on  witnessing the death of whistle blowers, public doesn’t protest about it. On the other hand, most keep quiet, lest they become the target. In such circumstances, majority of the people have given implicit consent to murder for their own self-interest. Of course readers would be outraged by this suggestion and claim they were no way involved in the murder. They didn’t give implicit consent!

Let us discuss this from a philosophical lens. Micheal Sandel, the Havard professor discusses this point in his video lectures : Justice – The Moral Side of Murder and The Case of Cannibalism. In the episode “Moral Side of Murder” he discusses a hypothetical case:

“Suppose you were driving a trolley on a rail track and its breaks failed. Five workers are ahead on the track, if you continue to drive straight, all five will die. On the other hand, in a diverging track, there is just one worker.  If you change track, that one worker will die but the other five will live. What is the right thing to do?”

Most students responded that they will swerve to the diverging track and chose to kill one to save five. At a psychological level, they have given moral justification of murder. Then Mr. Sandel gives another example :

“Suppose you are standing on a bridge with the track below, and you see this trolley hurtling without breaks. There are five workers on the track. There is a fat man standing next to you. If you push the fat man over the bridge, on the track, the lives of five workers would be saved. Would you do it?”

Majority of the students said – “No, they wouldn’t do it”. The reason is that it would involve explicitly murdering a person. Can we conclude from these examples, that human race is fine with implicit consent to murder however have qualms on explicitly murdering?

Some whistle blowers due to the psychological torture have committed suicide. That is an indirect attempt to murder. The rich and middle class gain from corruption, hence they give an implicit consent to murder of whistle-blowers. Does this statement hold true, or would you debate it?

Mr. Sandel discusses this in the next part of the lecture on cannibalism. He discusses The Queen v. Dudley and Stephens case, and the facts are as follows:

“At the trial of an indictment for murder it appeared, upon a special verdict, that the prisoners D. and S., seamen, and the deceased, a boy between seventeen and eighteen, were cast away in a storm on the high seas, and compelled to put into an open boat; that the boat was drifting on the ocean, and was probably more than 1000 miles from land; that on the eighteenth day, when they had been seven days without food and five without water, D. proposed to S. that lots should be cast who should be put to death to save the rest, and that they afterwards thought it would be better to kill the boy that their lives should be saved; that on the twentieth day D., with the assent of S., killed the boy, and both D. and S. fed on his flesh for four days; that at the time of the act there was no sail in sight nor any reasonable prospect of relief; that under these circumstances there appeared to the prisoners every probability that unless they then or very soon fed upon the boy, or one of themselves, they would die of starvation.”

To protect oneself or the majority, is murdering someone else justified? The students raised interesting aspects :

1) Some said if selection was done by lottery, then maybe it is illegal but more acceptable. Reason given was they would consider it that all participants on the boat knew the risks of losing.

2) A few students stated that if the boy would have volunteered to die for the benefit of others, it would be acceptable. The boy was an orphan and all others had family responsibilities.

In case of whistle-blower murders, the person dies without have consented to die or being made aware of the decision of the most. The majority votes behind his/her back for murder to safeguard themselves. Does that make majority behavior acceptable?

Watch the hour-long video, and share your thoughts.

In whistle blowing, most feel threatened about the repercussions from people in power and say that they have family responsibilities and cannot expose themselves to the risk. Hence, it is better to go against the whistle-blower attempting to do the right thing, than the person who is doing the wrong thing. Do the same psychological reasons as given in the above mentioned case apply when society goes against whistle blowers?

References:

Harvard University – Justice with Michael Sandel

Shattering Perceptions About Audit Committees

Imagine driving a car with a speedometer in the rear. When you crash, a voice from the back of the car gives the depressing message – “You crashed because you broke the speed limit of 60 miles an hour”. Now this question will get most of the auditors and risk managers upset, but I shall stick my neck out on this one. Don’t you think this metaphor fits the role audit committees are fulfilling presently?  Should the audit committees function differently to help the CEO and board members perform better?

I am sharing below come controversial views on role and performance of audit committees. Let us say, I am auditing “auditing committees”. It might force you to rethink some issues. Do you share my views or hold different views?

1.  Formation of Audit Committee

Generally, audit committees are formed with 3-4 non-executive independent directors. The premise is independent directors are in a better position to give impartial and unbiased views. Hence, the committee is entrusted with responsibility of advising the board on effectiveness of systems of internal controls, compliance and governance in relation to financial reporting obligations.  The pertinent questions that arise are whether the independent directors are actually independent and capable of fulfilling their responsibilities. To shed light on this area, I am discussing some scenarios on appointment of independent directors.

Usually, independent directors are invited to join the board since they are either socially connected to the CEO or some other director. Delving into their backgrounds reveals commonalities between education, employment and/or social background. A board survey done in 2005-2006 in India showed that a “good 90% of the non-executive independent directors were appointed using CEO/chairperson’s personal network/referrals, and the remaining 10% through executive search firms.”

 Another challenge is getting independent directors with the right industry experience and expertise. To illustrate, in 2010 48% UK FTSE companies were unable to comply with the provision of 3 non-executive directors forming the audit committee, as there were  insufficient non-executive directors available in the board. Moreover, around 10-11% of the companies did not specify a director with relevant financial expertise.

Looking from another angle, appointment of independent directors to other company boards is dependent on favorable reviews and recommendations from existing board members. In light of this, wouldn’t the audit committee members be tempted to look the other way and avoid raising issues where CEO or board involvement is suspected in frauds. Can we really consider them independent?

Additionally, the value-add provided by the audit committee members is sometimes questionable.  I couldn’t find specific data relating to India, but Grant Thornton report on UK companies states that audit committee meetings on an average were held 4-5 times during the year and non-executive directors attended meetings on an average 17-18 times during the year. If I do back of the envelope calculations,  in rare cases only audit committee members would be spending more than 10 days per annum to fulfill their responsibilities for a particular company.

Considering this, I personally have doubts whether audit committee members are in a position to understand the complexities of business, the control environment and various risks impacting the organization. Keeping the size of organizations in mind and their global spread I sometimes feel that audit committees provide an illusion of confidence to shareholders rather than real confidence.

 2.  Selection & Appointment of External Auditors

 The appointment and selection of external auditors is one of the key recommendatory functions of the audit committee. The board in the annual general meeting generally proposes the name of the external auditor recommended by the audit committee.  .

Hence, the assumption is that audit committees take this responsibility seriously. I came across this Economic Times article “Can the big four survive a break-up attempt”. It highlighted some interesting facts:

  • In top 100 (US) companies, the average tenure of audit firms was 28 years. 20 companies had the same audit firm for 50 years or more.
  • 85% of the companies in EU are audited by big four.
  • 99% of the audit fees paid by FTSE 100 (UK) in 2010 were earned by big four.
  • Just 2.3% of FTSE firms changed their auditor between 2002 and 2010.

Separately, a Grant Thornton 2010 report states that average duration for UK FTSE companies of an external auditor is more than 31 years. Additionally, 55% companies provided minimum insight on selection process of external auditor and just 15% companies provided detailed information on the decision-making process.

I am going to let you decide whether with these facts you can presume the audit committees are ensuring proper selection and appointment of external auditors. The logical argument given would be that big four have the geographical reach and expertise to audit multinationals. I have a straightforward question – with the same audit firm continuing for numerous years, can one assume objectivity and independence in reporting.

I am personally in favor of the new Companies Bill 2011 (India) clauses relating to audit firm and audit partner rotations. It mandates rotation of audit firm every 5 years and audit partner every 3 years. In my view, that is a step in the right direction.

 3.  Relationship with Chief Audit Executive

Grant Thornton 2011 CAE Survey of US companies revealed some startling data. A quarter of the CAE’s had not met the audit committee chair outside of board and committee meetings. 29% had met 1-2 times and 31% had met 3-5 times during the year.

Another interesting fact from Grant Thornton 2010 report is that 13% of the UK FTSE 350 companies did not have an internal audit function. That is, 40 of UK largest companies did not have a third line of defense, so most probably didn’t have a CAE. Moreover, 25% of the companies did not disclose compliance to this provision in the reports. This fact is fascinating as in India internal audit is mandatory for listed companies and external auditors are required to comment on the function.

Seeing the above US data, that 85% CAEs had minimal interactions with audit committee chair, can one say that they have a good relationship with the chair and members of audit committee?  Without having a good one-to-one personal relationship, do you think audit committee members are in a position to assess the real performance of internal audit department or gather critical information about the company from the CAE. With such limited communication among audit committee members and CAE, would you have doubts on their effectiveness?

Now add to this, a CEO can terminate CAE services if s/he shares an opposing view than the board. Very few boards are mature enough to allow CAEs to constructively confront their ideas. Audit committee members may not be able to protect the CAE in all circumstances. Under these circumstances, would you say that audit committee and internal audit departments are effectively assessing the internal controls environment of the organization?

My view is that most audit committee members spend time on audit committee charter, internal audit charter and internal audit reports submitted by the CAE. They don’t delve deeply into  procedures used to conduct internal audits. Additionally, in some companies there might be just superficial support given to the internal audit function.

 4.  Challenging Board Decisions

Audit committees have immense power in the sense that it can challenge board decisions. As per Companies Bill (India) if the “board does not accept any recommendation of the audit committee, the same shall be disclosed in the report along with reasons thereof.” However, I have rarely seen a report that states audit committee’s recommendation was not followed. This would make us presume that audit committee members are exercising their power properly and keeping a control on board activities. However, the picture is somewhat different.

A KPMG Audit Committee survey conducted in 2010 mentions that – just 27% boards encourage contrarian views and discourage groupthink, 64% do it somewhat and 9% do not accept different viewpoints at all. As I had mentioned in a previous post, Satyam fraud case portrays board’s failure to exercise judgment. Although Satyam’s board consisted on renowned personalities, Central Bureau of Investigation report–

  “The members of the Board of Directors had acted as “rubber stamps”, unwilling to oppose the fraud. Not a single vote of dissent has been recorded in the minutes of the Board meetings.”

Moreover, the lack of personal accountability in independent directors’ mindset was apparent after Satyam fraud came into light. In a short period, subsequent to the disclosure of fraud 109 independent directors voluntarily resigned although their term had not ended, fearing being held liable for fraud or non-detection.

SKS Microfinance case is another example of the extent to which the board will not raise issues. CEO Suresh Gurmani was fired at the behest of the Chairman Vikram Aluka. Eight of the ten directors voted in favor of his termination, the other two were absent, although the CEO had no previous performance issue.

The situation is similar across the world. Enron, WorldCom or Swiss Air failure reflects board’s ineffectiveness. They are not exercising their powers judiciously for the benefit of the shareholders. In my opinion, audit committee members and other board members can do much more by challenging the viewpoints of the CEO and his/her team

5.  Evaluation of Finance Function

Ensuring the integrity of financial statements is one of the key responsibilities of audit committees. The members are required to review the financial statements with the external auditors before submission of the board.  Just to give you an example, Tata Motors 2010 corporate governance report defines the responsibilities of audit committee in respect to financial reporting as follows:

Reviewing the quarterly financial statements before submission to the Board, focusing primarily on:

  • Compliance with accounting standards and changes in accounting policies and practices;
  • Major accounting entries involving estimates based on exercise of judgment by Management;
  • Audit Qualifications and significant adjustments arising out of audit;
  • Analysis of the effects of alternative GAAP methods on the financial statements;
  • Compliance with listing and other legal requirements concerning financial statements;
  • Review Reports on the Management Discussion and Analysis of financial condition, results of Operations and the Directors’ Responsibility Statement;
  • Overseeing the Company’s financial reporting process and the disclosure of its financial information, including earnings press release, to ensure that the financial statements are correct, sufficient and credible;
  • Disclosures made under the CEO and CFO certification and related party transactions to the Board and Shareholders.”

Hence, it is crucial to evaluate the performance of finance function.

As I had mentioned in an earlier post, CFOs after CEOs are the most likely people to do accounting manipulations. CFOs either do it on their own or at the instigation of CEO. Due to the nature of their role in preparation of financial reports, they are in the unique position to hide critical information, change accounting policies, pass dubious transactions and present false reports. A Satyam or Enron couldn’t have occurred without CFOs involvement.

Another aspect to look into is that the role of CFO has expanded and become more critical. CFOs are not only managing financial reporting, but also play a key role in strategy development, risk management and business monitoring. The question is what audit committees need to take into account to evaluate the performance of the finance function. Below are some pointers:

  • Evaluate the role of the CFO in the organization to understand the functioning and power dynamics.
  • Assess whether CFO is able to maintain independence and hold his/her own position with the CEO.
  • Understand the logic given for changing accounting policies and methods, entering into transactions that may not be arms-length and inter-group company transactions.
  • Review the history of accounting frauds and manipulations, notices from regulatory agencies and industry specific risk impact on the organization.
  • Evaluate CFOs relationship with external auditors to determine whether he/she is unduly influencing them. Obtain CFOs viewpoint on qualifications and disclaimers given by external auditors.
  • Review the systems and processes used for maintaining accounts and preparing financial statements. Understand the finance department organization structure and segregation of duties matrix.
  • Determine CFOs focus on cost control, risk management, cash-flow management, and acquisition and mergers.

In my view considering the crucial role of CFOs, audit committees need to spend time understanding the various facets of finance function and gathering critical information to evaluate the integrity of financial reports.  From the past corporate scandals, one cannot assume that audit committees are doing a good job at raising red flags and/or identifying accounting manipulations.

 6.  Nature of External Reporting

The present day hot topic of discussion is about the aspects audit committees should include in external reporting. As such, law requires that audit committees review the financial reports and related media releases. The question is should audit committees ensure that a company sticks to minimal reporting requirements or should it go beyond them.

In my view, corporate governance is about building good and transparent relationships with investors, shareholders, creditors, public and regulators. Hence, information that contributes to a healthier relationship between management and other parties should be disclosed.

Let me explain my viewpoint. Taking the example of India, a number of listed companies are family owned-managed companies (example, Reliance group, Tata group, Birla group etc.). Shareholders, especially the minority shareholders do not have significant say in company. The perception exists that family owned groups sometimes do not invest funds for shareholder benefits and squander them for personal privileges. Moreover, Indian corporate laws are good on paper, the regulation is not so great, though improving. Hence, Indian shareholders are a vulnerable lot. Additional information builds trust and confidence as seen in the case of Infosys.

The business benefits for upholding transparency are huge.

  • The market value of shares increases. Velocity of share trading is also higher than other companies.
  • Financial institutions show more propensities to invest.
  • Foreign investors – institutional and individual – are open to trading in the shares.
  • The companies have lower legal and regulatory costs as regulators are comfortable.
  • Customers prefer buying products from companies that are ethical and socially responsible, hence transparency impacts sales directly.

The most important job of audit committees and board members is to ensure that management aligns company and personal objectives with shareholder interests. If the company is doing bare minimum reporting then audit committee is not really keeping shareholder interests in mind. For instance,  Grant Thornton report of UK companies’ corporate governance practices mentions that of the 303 largest companies in 2009-2010, just 11% of the chairpersons commented on the corporate governance practices.

In my view, audit committees should focus more on the extent and level of external reporting.  To enhance shareholder confidence more details can be provided on functioning of board, and internal audit, finance and risk management departments. A discussion on organization objectives, strategy and evaluation parameters would also be helpful. An explanation about the external auditor selection process and fees would be beneficial. Lastly, the company’s efforts in fulfilling corporate social responsibility would provide an added advantage.

7.  Information Available with Audit Committees

Besides the abovementioned activities, audit committee members are required to look into other aspects of the business also. For example, review – the utilization of funds through public issues, transactions that indicate conflict of interest,  cases of suspected fraud, financial statements of subsidiary companies, political spending and overall compliance with regulatory provisions.

Normally audit committee members rely on getting information from board meetings, minutes of the meeting, discussions with external auditors, reports and discussions with internal auditors, fraud investigation reports, whistle blowing hotline investigation reports etc. However, the question remains – do audit committees get the real information to make informed decisions? A KPMG 2010 US survey report states that 77% of the audit committees are activity engaged in obtaining information.

However, I do not see the same occurring in India. At the time of Satyam scandal and more recently on formation of new Companies Bill, there was a lot of discussion about responsibilities of independent directors in respect to fraud or inaccurate financial reporting. The independent directors had complained that they are not privy to the internal workings and thinking of the organization. Especially in case of family owned group. Hence holding them responsible is not the right step. If one considers this view, then audit committee members are actually abdicating their responsibility.

Another issue to deal with is that audit committee members may lack industry expertise, hence may not know the questions to ask. In my view, audit committee members should use their right to hire external consultant in case of doubt. Moreover, they should get additional information. A few pointers are:

  • Obtain strategy and implementation plans.
  • Review key performance indicators – financial and non-financial with status
  • Interact with external and internal auditors of subsidiary companies directly
  • Hold discussions with senior and middle managers were required of various business units
  • Discuss with company secretary all legal and compliance challenges
  • Discuss with ethics officer the key issues on maintaining code of conduct
  • Discuss with fraud risk, information security and other risk officers the key issues they have faced during the year and their overall functioning.
  • Review in detail all documentation relating to material transactions, acquisitions and mergers.
  • Travel to other offices and locations to understand business operations.

This is not an exhaustive list, however will be beneficial in fulfilling audit committee members responsibilities better. Without gathering this information, the audit committee members would in my mind is doing superficial oversight.

8.  Effectiveness of Risk Management Programs

The financial crises got the focus back on risk management. In the annual reports boards are required to comment on the performance of risk oversight function is. Board has to the responsibility to ensure that the organizations risk management procedures are commensurate with the company’s risk profile. In most cases, board delegates responsibility for risk oversight to audit committees, especially when the organization does not have a separate risk oversight committee.

Risk reporting is generally done in the business review section, though integrated reporting of risks and internal controls is being encouraged. As per Grant Thornton UK report, 63% of 350 FTSE gave detailed descriptions of risks and focused on operations risks. The question that comes up is how audit committees assess the effectiveness of risk management function and programs.

Let me take some of the challenges of risk management in the financial industry:

  • Risk management is increasingly complex for financial institutions as it involves managing interlinked strategic, financial, operational and systemic risks
  • Risk managers do not have sufficient authority and are frequently overruled by business teams. In few cases, they play a role in strategic decision-making.
  • Risk managers do not strong relationships with business teams
  • Risk appetite is defined by the organization but data is so scattered that it is difficult to monitor when actual organization risk exceeds risk appetite.

During the financial crises some of the key examples were –

  • Royal Bank of Scotland (RBS) acquired ABN Amro Bank without sufficient details. It faced quite a few unpleasant surprises later on.
  • Lehman did not get timely funding as actual worth of CDOs was considered overestimated, hence had to file for bankruptcy.
  • AIG faced challenges in finding an investment partner since it didn’t have financial systems for integrated reporting.

Still banks are increasing their risk profile in the coming year. Some may have improved the risk management function and reporting, while others may not have learnt their lessons.

In light of this, my question is simple. Are audit committees really in a position to comment and provide reliable assurance on effectiveness of risk management programs?

 9.  Assessing Risk Culture

Loud noises after major frauds and financial crises repeatedly proclaim the same thing – “The risk culture of the organization was wrong”. It all boils down to the culture of organization and the attitude of the management towards risk taking. When Wall Street bankers received bonuses after the crises, there was uproar in the government and public. The outcry was bankers should be penalized for excessive risk taking, and not rewarded for nearly collapsing the financial sector.

Hence, the question arises why doesn’t management do anything about the risk culture? The logic is simple if you view it from CEO/CXO perspective. Their performance is evaluated on the quarterly numbers they give in the financial reports. To give that incremental growth high risk taking is required. Building a risk culture requires a long-term commitment to reap rewards. While implementing a risk culture program, in the first year the performance might be lower as employees will not be as enthusiastic about taking risks. Moreover, most of the professional CEOs duration is of 4-5 years in a company.

Considering these aspects it is not surprising that only a few are committing to building a risk culture. Though the corporate scandals have reduced investor confidence and resulted in closure of many organizations, the belief persists that they will not land up in the same soup. However, there is enough evidence that a high risk taking culture can nullify all the efforts of risk departments.

To counteract the effects of high-risk taking, proactive chief risk officers focus on building the risk culture. Their challenge is that regulatory guidelines ensure lip service and real commitment is missing.  The question remains, can audit committees help them in doing so?

Audit committees in my view can assess the risk culture by focusing on:

  •  Remuneration of key personnel, including the bonus component linked to performance.
  • Code of business ethics adopted and implemented by the company
  • Analyzing the extent of reputation and regulatory risks the organization is facing
  • Reviewing reported ethical breaches
  • The amount of risk appetite board has determined it is willing to take to meet strategic objectives.
  • The processes implemented to monitor risk appetite and key risk indicators
  • Transactions entered that reflect conflict of interest to some degree.

In my view, audit committees can do much more to improve the tone at the top about risks. A continued focus from board members is likely to influence management in incorporating a good risk culture. A detailed explanation on the risk culture in the annual returns would be beneficial.

 10.  Internal Controls

Last but not the least, audit committees responsibilities include ensuring that the organization has effective system of internal controls. In some countries including India, the board is required state in the annual report that proper systems are in place to ensure compliance to all the applicable laws of the country. If it is not so, then they need to provide an explanation.

As you recall history, the focus on internal controls had increased worldwide after the spate of frauds (Enron etc) in US and subsequent introduction of Sarbanes Oxley Act. On that premise, one would assume that most companies would have vibrant internal control systems now. Though all companies report on internal controls, the Grant Thornton report states that in UK just 25% companies provide a detailed description on procedures adopted to evaluate the effectiveness of internal controls.  Just 3 companies disclosed material weakness in internal controls. Hence, the quality of assessment of effectiveness of internal controls by audit committees comes in doubt.

Therefore, the question comes up – how do audit committees improve quality of assessment. Although regulations are more geared towards audit committees reporting internal controls on financial systems, a broader view covering operational and compliance controls is preferable. To do so, audit committees need to understand the business objectives, strategy, processes and information systems of the organization. This will facilitate them in understanding whether the organization is geared and equipped to deal with day-to-day operational problems. In the current environment, management requires real time information for decision-making  and managing business operations.

After gathering the abovementioned information, audit committees would be in a position to assess whether:

  • The right financial and operational areas were selected for internal controls review
  • Procedures and practices followed for assessing internal controls was sufficient.
  • Any areas require further review.
  • The reported control weaknesses are material

In short, though audit committees are focused on ensuring organizations have a proper internal control systems, additional work can be done to improve the confidence in the assessments.

Closing Thoughts

Audit committees are a critical tool for corporate governance. However, presently in my view they are not significantly effective. Hence, emphasis on working of audit committee can add value not only to the board but also to the investors and shareholders. It might appear a tall order, but ensuring that audit committee meetings are frequent, maybe monthly, would very much improve the performance. Worldwide, the corporate world needs to take this route to ensure better governance and build investor confidence.

I rest my argument here; share your opinion with me.

References:

  1.  Economic Times article – “Can the big four survive a break-up attempt”
  2. Evolution and effectiveness of independent directors in Indian corporate governance – by Umakanth Varottil, Faculty of Law, National University of Singapore
  3. Grant Thornton 2011 Chief Audit Executive Survey – Looking to the future: Perspectives and trends from internal audit leaders
  4. Grant Thornton 2010 Report on UK
  5. Corporate Governance in India – Evolution and Challenges by Rajesh Chakrabarti College of Management, Georgia Tech
  6. Tata Motors 2010 Corporate Governance Report
  7. KPMG- Highlights of the 6 Annual Audit Committee Issues Conference 2010

India Country Risks in 2012

Indian organizations are in for a rocky ride in 2012 as darkening clouds hang over India growth story. In some ways it is a make or break year for India’s continuing successful journey for economic growth and power. The world is watching and India cannot afford to flounder. However, the risks in the economic environment are acting as tsunamis and volcanoes, wiping out past efforts swiftly. This year Indian organizations need to watch out for external risks and triggers carefully, as they can have huge impact on the bottom line of the company.

The prophets of gloom and doom predict that India’s GDP in 2012-2013 financial year will be between 6-7%. In light of prevailing political and economic environment this statement is a conservative realistic assessment. Hence, organizations to sustain and grow in 2012 need to conduct strategic risk assessment of India country risks. I am giving below my top four.

1. Political Paralysis

In 2011, Prime Minster Manmohan Singh’s reputation has nose-dived as the country was engulfed in corruption scandals. His continuance as Prime Minster till the end of term is widely debated in political circles. The Congress party is facing another crises due to Sonia Gandhi’s ill-health. Public is speculating that she has undergone surgery to treat cancer in USA. Hence, rumors are rife about Rahul Gandhi  taking over the reigns of the party. Moreover, senior Congress party leaders are having spats in public.

Last but not the least, Anna Hazare’s fight against corruption has awakened the middle class. Finally, they have lost their apathy and are demanding better governance.

Considering all aspects, there is little likelihood of a strong national party leading India in 2012. Moreover, political commentators are hinting about mid-term polls due to fishers in Congress party and it’s deteriorating credibility. Therefore, large organizations must manage political risks at national and local state level. Keep in mind sensitivities of various political parties otherwise their is a probability of getting caught in a tug of war. Also, adjust the growth plans for government ineffectiveness.

2. Financial Market Turmoil

Indian markets in 2011 have done badly on financial indicators. There is slowdown in growth and in October 2011 industrial output contracted by 5.1%. Fiscal and current deficit are expected to cross 3% and 5% of the GDP respectively in 2011-2012. The GDP growth forecast for the year was reduced to 7.5% on 10 Dec 2011.

Sensex on 16 December 2011 closed at 15,491, a 25 month low. Stock brokers predict that the market is not going to rise in a hurry.

Business Standard reported in its weekly report on 16 December that “The WPI inflation for the month of November came in at 9.11 per cent compared to 9.73 per cent in October. The market was looking at an inflation of below 9 per cent for November. Inflation for November 2010 stood at 8.2%. India’s food inflation eased to 4.35% in the year to December 3 — its lowest reading since late February 2008 — from an annual 6.60% rise in the previous week, government data showed today.

Further, On Thursday, the Indian rupee touched a record low of 54.30 to the US dollar on the back of sustained foreign fund capital outflows in view of the fall in the equity markets, coupled with a stronger dollar in global markets.”

The Finance Minister Pranab Mukherjee recently commented in a meeting – “The present indicators show that both private consumption and investment sentiments have weakened and it is this weakening of sentiments that makes it necessary to shift our focus back to near term issues.

Moreover, Moody’s in November 2011, “downgraded the entire Indian banking system’s rating outlook from “stable” to “negative,” citing the likely deterioration in asset quality in the months ahead.” Additionally, aviation, telecom, commercial real estate and power utilities industries collectively owe banks Rs 5 lakh crore. These industries are most affected by the slow down.

The financial market situation is unlikely to improve in the short run. India will most probably not see a double-digit growth in GDP in 2012-2013. Companies need to risk adjust the financial growth numbers keeping in mind the prevailing situation. . Conservative estimates and cost control will steer the organizations in safe waters. Maintain good liquidity throughout the year as banks are not going to save organizations in a crunch.

3. Future Regulatory Reforms

The regulatory reforms came to a standstill in 2011. The business leaders came out strongly criticizing the political parties for hampering economic growth. The unhappiness of corporate world is evident that investments – domestic and foreign – are at an all time low.

The government in December 2011 parliament session had a list of 50 Bills for approval. Some of the Bills presented were Companies Bill 2011, Banking Laws Amendment Bill 2011,Prevention of Money Laundering (Amendment) Bill,  Direct Taxes Code Bill, 2010, Forward Contracts (Regulation) Amendment Bill, 2010; Pension Fund Regulatory and Development Authority Bill, 2011, Securities and Exchange Board of India (Amendment) Bill 2009; Insurance Laws (Amendment) Bill, 2008 and Regulation of Factor (Assignment of Receivables) Bill, 2011, among others.

This shows the pending backlog of bills requiring approval in the parliament. Business leaders are likely to lobby for approval of these bills in 2012. Hence, risk managers need to be geared to manage numerous regulatory changes in 2012.

4. Skyrocketing Corruption & Bribery

In light of various scams - telecom, mining, land, etc, – the corruption perception index in 2011 has fallen to 3.1 from 2010′s 3.3. India’s world ranking in corruption has gone lower to 95 from a total of 183 countries assessed. This is not surprising as Indian’s in 2011 saw well known politicians and business owners implicated in scam cases.

The recently released report of Global Financial Integrity - Illicit Financial Flows from Developing Countries Over the Decade Ending 2009 – states that trade mis-pricing accounts over 80% of the illicit financial flows in Asia. India in the last decade lost US $104 billions in illicit flows and is ranked 15th highest among developing countries with China topping at US $ 2467 billion. Though in comparison to China, India doesn’t appear to be doing badly, but that is distorted reality. A couple of activists and whistle blowers lost their lives during the year for uncovering corruption cases.

In 2011, Anna Hazare initiated public rallies to force government to pass Lok Pal Bill. Although, parliament is expected to pass it in December 2011 winter session, the implementation will take some time. The government’s sincerity in eradicating corruption is questionable as the various anti-graft bills are being used to play political football. The UPA government to counteract Hazare’s war cry has presented three additional anti-graft namely –  Judicial Accountability Bill,  Public Interest Disclosure Bill (Protection to Whistleblowers Bill) and the Citizens’ Charter – in the parliament in December 2011. A step in the right direction but the road ahead is tough. Passing bills and implementing them are different ball games.

In light of the fraud cases, high-level prosecutions and political games, the Indian corporate world has become vary. In 2012, organizations must focus on implementing a code of conduct for employees and provide training to them on business ethics. The legal and reputation risks will be extremely high if these aspects are ignored.  The situation becomes more tricky for US and UK multinationals as they are governed by FCPA of their respective countries.

Closing Thoughts

Political deadlock, inflation and corruption have taken the air out of India’s growth story. 2012 will be the decisive year in assessing whether India can surmount these obstacles and accelerate economic growth or  go on a downward spiral. Organizations must maintain a balance between growth and risks. The downside risks can cost heavily and there may be no quick ways to turn around numbers. Hence, doing proper planning, implementation and cost effective operational execution are key for success.

References:

  1. Illicit Financial Flows from Developing Countries Over the Decade Ending 2009 – By Global Financial Integrity
  2. Corruption Perception Index
  3. Weekly Report: Sensex, Nifty hit 2-yr lows on growth woes - Business Standard

Fraud Symptom 9 – Ineffective Internal Audit Function

2010 Report to the Nations on Occupational Fraud and Abuse issued by ACFE mentions that 40% of the frauds are detected by anonymous tips from hotlines, 15% by management review and 14% by internal audit function. Secondly, the report categories fraud in three types. It states, “21% were caused by asset misappropriation schemes, 11% by corruption and 68% by fraudulent financial statements.” This clearly highlights the importance of internal audit function in preventing and detecting frauds especially financial statement frauds.

Additionally, the report states – “The median duration — the time period from when the fraud first occurred to when it was discovered — for all cases in our study was 18 months. Not surprisingly, cases involving financial statement fraud — the most costly form of fraud — lasted the longest, with a median duration of 27 months.” That is a long time, and during this period, an internal audit function would ideally have done at least a dozen audits on various aspects of financial statements. However, the question arises as to why the internal audit function fails to detect frauds.

1.    Organization Reporting Structure

 The internal audit head reports to the Chief Financial Officer (CFO). Now, in majority of the financial statement frauds the CFO is involved. Hence, in all probability even when internal auditors are aware of the wrongdoings they will not report the same to the CEO.

The second situation is that the internal audit head reports to another business head and not the CEO. In this case, a similar situation will arise, as the internal audit head is under control of a business head. If the business head is perpetuating frauds nothing will be reported. The ACFE reports states – “High-level perpetrators cause the greatest damage to their organizations. Frauds committed by owners/executives were more than three times as costly as frauds committed by managers, and more than nine times as costly as employee frauds. Executive-level frauds also took much longer to detect.”

 Hence, in such scenarios the CEO/ Board and Audit Committee are unlikely to have fraud cases reported to them.

2.    Collusion with Business Teams

 Auditing is a thankless job and auditors rarely win a popularity contest. The audit report is a proverbial hot potato – too blistering to handle. On the flip side, if auditors are winning popularity contests then they do so by issuing nice and sweet reports with no serious observations.

In such situations, the audit teams compromise their ethics and independence to cater to business teams and their own personal agendas. Though the role of internal audit function is to inform senior management and audit committee about serious breaches and wrong doings, the auditors do not report such instances. The internal auditors’ job is to identify discrepancies and challenge business teams to provide appropriate explanations and evidence. Instead, they colluded with the business teams to hide the serious discrepancies and observations, and just report low category/ impact findings to senior management.  

 3.    Lack of Technical Skills

Auditing is a specialized skill and not everyone’s cup of tea. The learning curve to reach a reasonable proficiency level is steep. In India, experienced chartered accountants generally lead the internal audit function in organizations. However, the catch is that either the team or the head may not have sufficient experience in conducting highly technical audits or detecting frauds.

The issue is so critical that the US PCAOB “requires independent auditors to evaluate the fraud-related activities of an internal audit function on an annual basis. If this evaluation finds an internal audit function to be deficient, the independent auditor must, at a minimum, issue a finding of a significant deficiency to the audit committee. The auditors must issue an adverse opinion if they conclude that the deficiencies rise to a material weakness.”

 However, it is extremely rare for an external auditor to report the deficiency and/ or management to conduct an independent review of the function.

Recommendations

 a)            Management must evaluate their commitment to internal audit and overall risk management functions. To do so, they can do a quick run of the 15 points mentioned in the post “Senior management commitment to risk management functions.”

b)           Big 4 and other audit firms conduct a review of the internal audit function to determine its competency and effectiveness. It is advisable if management wishes to improve the function, they benchmark it against the best practices followed in the industry.

c)            The quality of the reports submitted by the internal audit function needs to be evaluated. Ideally, no news is good news. However, the same cannot be assumed for internal audit reports. Depending on the industry, each organization faces certain inherent risks. If these are not being reported to senior management, then the likelihood of internal audit function collaborating with business teams to hide facts is high.

References:

2010 Report to the Nations on Occupational Fraud and Abuse issued by ACFE

To read more of Fraud Symptoms series, click here.

Fraud Symptom 7- Ineffective Human Resources Function

Every organization wishes to be a great place to work as it can attract and retain the best talent. Every employee wishes to work in an organization, which has a good work culture as s/he get fair treatment, growth opportunities and remuneration. In this one aspect, management and employees are in complete agreement as it benefits both. The key player for achieving this goal is the human resource function. However, an ineffective human resource function can cause the most damage not only for achieving business targets but also for also increasing fraud risks.

As I had mentioned in the earlier post – “Employee Disengagement Risks” as per Blessing White Employee Engagement Report Survey 2011, in India 37% of employees are engaged and 12% are disengaged. According to surveys conducted by LSA Global Learning Solutions, “lower employee engagement scores result in: 12% lower profits, 19% lower operating income and 28% lower earnings per share.Kroll Global Fraud Report 2010 states that in India, in 48% of the cases, the key perpetrators were employees. Hence, the question that needs an answer is how does this increase fraud risks?

1.   Recruitment & Selection Process

Human resource department (HRD) along with the business teams is responsible for recruitment and selection of the resources. In India, this becomes especially critical as human resource survey reports indicate that 25%- 30% candidates submit fake or inaccurate resumes. The second aspect is that with the increase in financial crime and terrorist threats, the organization becomes more vulnerable. Organized crime groups infiltrate companies to give a cover to their sleeper agents. Financial institutions are the most vulnerable, as understanding the systems also helps the crime groups in money laundering and organizing funds for their activities.

Under such circumstances, the HRD role is critical. HRD is responsible for background checks of the candidates. Any lapses in the process can cause high risk to the organization. Here are some examples of what can go wrong-

a)   Hire people for critical positions without verification – For example, risk management functional heads and second-in-commands positions are critical. They are subject to stringent checks. Without background verification, they shouldn’t he hired. In one organization, my superior was hired without any verification whatsoever. When his name was announced, me being a nosey parker did an independent personal verification and was quite amazed that he was hired since his professional background didn’t fit. I decided to give benefit of doubt and see for myself. Within a week of his joining, I knew that he didn’t even have the fundamentals of the areas I was managing. I thought he knew about the other areas of the department. My colleagues in that area informed me that he was clueless about their area. There was absolute chaos in the function, because he refused to take responsibility for any work whatsoever.

b)  Hire people for critical position with insufficient verification – For example, an executive assistant was hired for a senior manager without checking criminal records. She was previously involved in a high profile data theft case. On investigation, it was found out the vendor who was conducting background verification for the organization, didn’t even have an office in the city. The vendor was just generating verification reports with superficial checks.

c) Hire people knowing they have submitted false information – For example, in a case I found out that the new candidate was a plant by someone, most probably with the knowledge of local HRD team. The employee was subsequently found to be involved in a huge fraud.

Hence, if HRD team looks the other way or doesn’t put in effective measures for background verification, things can really go wrong for the organization. The fraud risks increase quite significantly.

 2.   Working environment

As I repeatedly say, organization culture makes or breaks the organization. Employees work best in an environment, which is free and fair. Even perceived unfairness by senior managers can cause the work culture to deteriorate. UK and US studies show that nearly 50% of the employees reported being bullied. In Asia where focus on organization culture is still in nascent stage, the percentages are higher. Now HRD has the role to provide a safe working environment. Any lapses from its part can cause a chain reaction in the organization and give encouragement to others to show deviant behavior. Here are some examples of it.

A senior manager has better relationships with the HR team than the juniors do. I would say, in some context HR team is there to protect the senior managers. However, when it is apparent that a senior manager is unethical, and a junior is ethical, HR should ideally arbitrate disagreements fairly. However, if it knowingly supports the senior manager in forcing the employee to leave his/her job, then incorrect messages are sent across the organization.

The second problem arises when HRD commences, participates or encourages top end mobbing. The report –Women and Workplace Mobbing by Dr Jocelynne Scutt states –

The politics of ‘high end’ mobbing are important to fathom, because this type of bullying is generally directed at change makers or change agents. If change agents are halted in their tracks, change will be stultified and the hopes we have for a different world, where bullying, abuse, discrimination, prejudice and bias become of historical interest only will be stymied. The hopes we have for construction of a world where disadvantaged and dispossessed groups are elevated to equality, and the misuse and abuse of power is ended, will not be fulfilled”.  

In such a case, the target is being an effective change agent that certain senior managers do not wish to occur since it is against their personal or political agendas. The message is sent across to attack the target, the abusers will not be prevented or stopped and will be provided protection. In such situations, the victim does not have any recourse with the HRD department, as they themselves are supporting the mobbing.

In such situations, the organization culture becomes deviant and aggressive. Employees are concerned about their safety. They face a psychological battle on whether to report or not to others. Read the article “Whistleblowing – The Psychological Paradox” to understand more.

The target employee may leave the organization or maybe forced to leave. Situation worsens when the mobbing continues after leaving the organization. Employee can be stalked; his/her reputation ruined and/or is given negative references on prospective jobs. If other employees know of such instances (sometimes there are more than one) they are terrified of facing the same situation. Hence, the senior managers responsible for initiating mobbing keep control of the others from reporting to other seniors by way of threat and punishment. The target employee is basically the sacrificial goat to ensure silence of others.

This is kind of worst-case scenario and the organization has extremely high fraud, legal and reputation risks.

Recommendations

 a)    Organizations must implement policies, procedures and systems for proper background verification of employees.

b)    HRD function must build a healthy work culture within the organization and maintain impartiality.

c)    If HRD team is participating in damaging work culture or mobbing etc. the individuals must be terminated.

d)   Organization must implement internal whistle blowing system that is not directly dealt by HRD team.

e)    Senior management must review the whistle blowing information on a monthly basis and ask the audit committee to independently investigate the reported cases. Investigation reports must be reviewed by senior management.

To read more articles on Fraud Symptoms, click here

Risk Reporting – The Double Edged Sword

“To be, or not to be, that is the question:
Whether ’tis nobler in the mind to suffer
The slings and arrows of outrageous fortune,
Or to take arms against a sea of troubles,
And by opposing end them?”

 – By Shakespeare in Hamlet

Risk managers frequently contemplate on same lines as Hamlet when they are issuing risk reports. They shouldn’t be facing dilemmas when issuing reports, because it is a cut and dried subject. However, organization culture and politics play a deep role in ensuring effective risk reporting. The culture can either give the freedom and courage to honestly report, or cause fear of reporting bad news.

The problem is big. In just around 50% of the organizations risk reporting is effective. The Economist Intelligence Report – “Too Big To Fail? survey of financial institutions supports my point. The report states that:

  • 53% of boards have become more demanding about risk reporting.
  • 55% respondents state that chief risk officer has the mandate to report directly to the board.
  • Just 13% respondents say that risk reporting is very effective and 41% consider it effective.

This shows that though boards are demanding better reporting and giving support, risk reporting is still ineffective. Hence, the question is – in what conditions risk reporting is effective, and what is deterring risk managers from properly reporting? I am giving here three scenarios – good, bad and ugly – of risk reporting.

1.    The Ideal Situation

The tone at the top determines risk-reporting effectiveness. In such a scenario, senior managers encourage juniors to give negative feedback, maintain transparency with employees and set up a healthy organization culture. The board takes its risk management responsibilities seriously. Senior managers discuss risk reports and address negative observations. Key attributes are:

> The organization’s constructive culture ensures issues are systematically analyzed and solutions implemented. People do not become targets due to lapses identified in the report.

> The Chief Risk Officer (CRO) and/or Chief Audit Executive sits at board level, reports to the CEO, has adequate authority and political clout to drive risk management initiatives.

> The board/ senior managers accept CROs opinion contrary to their ideas and encourage constructive confrontation in the board.

> The organization has effective policies to prevent retaliation against risk managers and employees who report negative aspects to senior management.

In such a scenario, risk managers confidently issue accurate reports on a timely basis and present it to senior management.

2.    The Mixed Bag

An organizations internal politics and power structure affects the way management deals with a risk report. If culture is excessively aggressive and political, when a risk report is issued, a few business executives’ jobs are on the line. To save his/her own skin each executive gets a poodle in the fight. The board is somewhat focused on risk management but don’t have their total act right. Management implements some reports and pushes others under the carpet. Key attributes are:

> The politics in the organization is stronger and affects the outcome of the report. Sometimes employees of another senior managers group are targeted to settle personal agendas. The level of disengaged employees is high.

> The CRO is either not appointed or does not have board level visibility. Therefore, the CRO lacks authority and political power within the organization.

> Multiple stakeholders within the organization have different and conflicting perceptions of business benefits of risk management function.

> The CROs presence in board meetings is for namesake and he/she is not allowed to present contrary views to the board views. CROs are expected to toe the line of senior management.

> Risk managers ideas can be killed due to death-by-association, as risk management function is either not respected or perceived negatively. To some level, business executives gang up against risk managers and may retaliate if risk managers push them.

In such situations, risk managers do tight rope walking and may only submit partially accurate reports to senior management. Key issues that sometimes trigger political warfare may not be disclosed to protect themselves.

3.    The Horror Scene

The organization has a destructive or deviant organization culture where senior management and/or a group of employees are hell-bent on sabotaging the company for personal gains and revenge. The other executives become silent spectators and go along to get along with the destructive group. The destructive group exercises power through threats and punishment. Risk reporting in such situations is in name only and destructive group permission is sought before circulating the report.

>  Two situations can occur. First, senior management or a senior manager is leading the behavior and the tone is set at the top. Second, risk managers i.e. fraud investigators, information security officers and internal auditors turn deviant. They become stronger than the business executives by using their reports, skills (example – hacking threats) and company resources to damage business executives.

>  Risk management function heads do not directly report to the CEO. Various heads exist for different risk functions with each playing their own game. This reduces their responsibility and accountability to senior management.

>  A CRO hasn’t been appointed and risk management heads do not report to the board. The board as such does not consider risk management a useful function for business.

>  If senior management/ managers have inculcated the deviant culture, the retaliation against risk manager or business executive who refuses to conform is strong. The concerned employee will be harassed, bullied, threatened and terminated.

The situation becomes explosive and CEO/board may hear the bad news only when shit hits the roof. The legal and reputational risks are high, as risk managers do not submit authentic reports. Hence, CEO/board may be taken by surprise at anytime, especially if the organization is spread across different geographies.

A good indicator for CEO/ senior managers to check whether things are going wrong is when they hardly hear any bad news. All business and risk managers report that things are honky dory. This means that business and risk managers are in collusion to hide negative information from management. Most of the fraud symptoms prevail in the organization.

Closing Thoughts

While the first responsibility of risk reporting lies with risk managers, the circumstances surrounding them must be looked into to check for reasons for failure. The tone at the top matters a whole lot, and if perception exists that senior managers have a cavalier attitude towards risk management, the same will flow down the organization. In such situations, it will become difficult for risk managers to maintain their independence and integrity while reporting.

Reference:

The Economist Intelligence Report – Too Big To Fail?

Peacetime Vs Wartime Risk Managers

I read the article “Peacetime CEO/ Wartime CEO” on Ben’s Blog authored by Ben Horowitz describing the different attitudes and approaches required from a CEO during peacetime and wartime. It got me thinking whether this applies to risk managers too. Do risk managers need to have different traits and approaches during wartime and peacetime?

Then I read the post How to scope an audit of thingamajigson IIA Marks on Governance blog where Norman Marks is saying even in complex situations the regular approach to an assurance project can be applied. I beg to differ on it. In my view, a wartime risk manager needs to think differently.

Now the first question is do risk managers really face wartime situations? A definite yes, let us consider the Satyam example. The company was doing fine, until one day the CEO disclosed that he had defrauded the company to the tune of Rs 7000 crore or more. Now this is definitely a wartime situation for a risk manager to manage.

In normal course, a risk manager in an assurance or advisory role has the time to plan for an assignment, go in depth and then issue a report with findings. However, let us approach it from a fraud investigators viewpoint. Let us say, the fraud team discovered a one million dollar fraud and it suspects employee involvement. Now the approach of fraud investigator will be to determine the modus operandi of the fraud and identify suspects. As a prevention measure, the investigator needs to involve management to suspend the suspected employees. This is to ensure that suspected employees do not commit further frauds or destroy evidence. Simultaneously, the investigator needs to assess whether the fraud loss money can be recovered. These first three actions response time is 24-48 hours of discovering a fraud. After reporting preliminary investigation findings to management, the investigator has some time to do the detailed investigation, assess legal way forward and determine reputation damage when the case gets media attention.

A million dollar fraud in a large organization can start a small fire; however, the sky is not falling. Let us envisage a situation where roof is crashing over the heads of senior management then what does the risk manager do. As written by Ben Horowitz “In wartime, a company is fending off an imminent existential threat”. In such a situation, the wartime CEO is looking for support from risk managers to deal with the threats. Quoting Mr. Horowitz  again -“Wartime CEO is too busy fighting the enemy to read management books written by consultants who have never managed a fruit stand.” The point is in wartime CEOs are not interested in long drawn out reports, hence the risk managers need to be action oriented. Risk managers need to change their stance from recommendatory staff role to a leading line command role to manage risks.

Let us take here a scenario where the organization is in wartime and risk managers role becomes frontline. A CEO of a large multinational discovered that in one business unit extensive fraudulent activities are occurring. The business unit heads have established a deviant organization culture and are taking bribes, kickbacks and misappropriating funds. The value of fraud is not known and the CEO suspects that nearly 200 employees are involved in it. In such a case what advise should risk managers give to the CEO to manage this forest fire?

In my opinion, the following are some key aspects, which a risk manager should consider to manage the crises:

1.   If 200 employees are involved including senior members, can they be simultaneously suspended or terminated without affecting the business? Should the short-term replacements be from other business units or external temporary hires? Does the management have the political will and support to pull off this level of terminations? It is not a good idea to move the culprits in another part of the organization since they will contaminate the good units with destructive management practices.

2.   As frauds are occurring in the business unit, is it single or multi locations? If multi-locations, is it worthwhile to depute separate fraud investigation teams at different locations? These teams can simultaneously assess damage at multiple locations and defuse the situation. Investigating one location at a time may prolong the period, provide suspects to damage evidence and stress out the organization.

3.   Formulate a strategy for recovering the money from suspects or third parties beneficiaries of the fraud payments. Does the organization have a leverage to recover money from the suspected employees?

4.   Obtain a legal opinion on how law enforcement agencies can help the organization and the process of pursuing criminal case legally against the suspects. The organization might need to pay a heavy price for taking a legal course of action; however, a tough stance will act as a future deterrent to existing employees. The organization should also envisage that as a number of employees are involved they might put up a dirty fight to browbeat the organization into submission.  The organization should look for ways to distance itself from criminal and illegal behavior quickly.

5.   Develop a communications plan for internal circulation to employees and addressing the media. The employees’ morale will be negatively impacted and needs to be carefully managed to ensure minimum resignations. Secondly, external reputation damage from media coverage should be assessed.

6.   The organization should simultaneously start working towards establishing good corporate governance, business ethics and risk management practices. This will send out positive messages in the staff and customers and prevent a repeat occurrence. If whistle-blowing process is not working, this should be re-established promptly. Start focusing on building a constructive organization culture immediately to heal the organizational wounds.

In such wartime situations, sometimes management and risk managers are as the deer trapped in front of the headlights of a car. One is frozen in fear and indecision, not knowing which direction to move. However, this is dangerous since the cost of not doing anything is higher to the organization than the cost of legal actions and reputation damage. The following verse  by Abe Gubegna, Ethopia, circa 1974, aptly describes the wartime situation:   

Every day in Africa a gazelle wakes up.
It knows it must run faster than the fastest lion or it will be killed.
Every morning a lion wakes up. It knows that it must outrun the slowest gazelle or it will starve to death.
It doesn’t matter whether you are a lion or a gazelle.
When the sun comes up, you better be running.

Coming back to the beginning.  Do you think that wartime risk managers require a different skill set to address organization risks?