Hunger strikes and supporting documentation

One of the bigger news stories in Canada of late is the ongoing hunger strike of a First Nations chief, ostensibly being carried out to force a meeting with the Prime Minister to discuss conditions on the remote northern Ontario Attawapiskat reservation.

The legacy of the “discovery” and settlement of North America by Europeans and their subsequent relationship with natives is a topic far too complex for this blog, but the story took on an element of particular interest with the “leak” of a Deloitte audit report on the administration of the community.

That report has been posted online in its entirety.

Deloitte sampled 400 transactions from the G/L across the 6â…” years in scope. Sixty per year and 40 for the eight month period ending November 30, 2011. Slightly less than 20% of the 400 had no issues. No supporting documentation was available for just over 60% of the sample, and the other 20% was either incomplete or the occurrence of the underlying event was questionable. It should be noted though that in the most recent 20 months reviewed, only for 31 of the 100 samples was there no supporting documentation.

What the audit didn’t do (and wasn’t designed to) was determine whether $104M over that time period is adequate for the population on the reserve. It’d be an interesting analysis to look at the number of households, average people per household, repairs and maintenance funding per household and per person, and figure out whether there is enough funding to support their needs or not. That’s the heart of the issue.

Outsource internal audit for greater objectivity

That’s the recommendation from the Institute of Chartered Accountants of India (ICAI), as reported by The India Express:

“In the high-powered committee report on Satyam scam, we have proposed that internal audit should be outsourced and not be in house so that there is more independence. If the auditor is from the organisation, it is as good as being an employee of the organisation and the chances of remaining unbiased decline. Market regulator Sebi through clause 49 and the corporate affairs ministry through the Companies Law should make it mandatory that the internal auditor should be from outside the organisation,” ICAI president Amarjit Chopra told The Indian Express.

I can’t really argue with the logic, but the feasibility of the idea is fair game. The logistics of putting this into place is giving me a headache, and it does seem like an overreaction to a single instance of fraud.

The voice of reason comes from the director of KPMG in India:

“More important [than outsourcing] is the communication between head the of internal audit and CEO or chairman of audit committee. The success depends more on how freely and directly the internal auditor can discuss the shortcomings in a firm with the CEO of audit committee.”

Boards should be ensuring that the lines of communication between the Chief Audit Executive and the Audit Committee are direct and communications frequent and frank. That applies even if IA is outsourced as well.

I blogged a while ago about the Satyam scandal.

Internal audit at Satyam

New charges in the Satyam scandal were laid by India’s Central Bureau of Investigation, for “creating fake invoices to inflate revenues by US$94 million and forging company board resolutions to obtain unauthorised loans worth US$265 million” according to this story in Accountancy Age.

This comes after charges were laid on November 21 against the former Head of Internal Audit, VS Prabhakar Gupta, for the company, for “willful suppression of auditing irregularities.”

A lot of coverage in the blogs (primarily Dennis’ and Francine’s) thus far has focused on the role the external auditor PricewaterhouseCoopers played in the fraud, but Internal Audit arguably should’ve been better able to root out the fraud due to its closer familiarity with business processes.

It’s difficult to detect fraud in the best of circumstances, but when the charges involve suppression of irregularities discovered by internal audit, questions will be raised (and arrests made).

DNA (Daily News & Analysis), an Indian English language newspaper, provided additional detail on the arrest of the former Head of IA:

While the spokesman refused to divulge any further information about Gupta, sources in the agency claimed that the auditor had helped in falsifying accounts including inflating the overseas employees pay bill.

On top of this, the Internal Audit department received the Recognition of Commitment from the Institute of Internal Auditors in 2005, which according to the IIA was “available to all internal audit activities that submitted an application fee and met specific criteria in the areas of quality, outreach and professionalism, based on a point system.” The program was discontinued in 2006.

On the occasion, the now former Head of IA had this to say:

We are extremely happy with the recognition that our Internal Audit team has received on an international platform. Satyam is one of only 26 internal audit departments worldwide receiving this award in 2005 and it reinforces our commitment to meet the international standards in the concepts and approaches to audit function contributing to better corporate governance.

Satyam is now commonly referred to as India’s Enron.

IIA: Keep internal and external audit separate

AccountancyAge is reporting that the UK and Ireland IIA’s chief executive Ian Peters recently made a statement on the contentious issue of having external auditors provide internal audit services:

Internal auditors answer to management and the non-executive directors… external audit reports to shareholders. Merging these two important functions has the potential to cause serious conflicts of interest and reduce the effectiveness of internal controls and the management of risk.

The statement was made in relation to the KPMG-Rentokil deal.

I think if the two parties gave us more details about the work performed around independence it was assuage many of the fears stakeholders are having.

KPMG has said they believe the provision of both functions “is perfectly feasible to do in the spirit and letter of the law.” If that’s so, how long before more of these arrangements are made by KPMG or other firms?

Foreign acquisitions and the FCPA

The Metropolitan Corporate Counsel, a publication dedicated to legal issues relevant to corporate lawyers, recently interviewed Alfredo Avila, Assistant General Counsel at Monsanto about how they approach FCPA compliance for acquisitions.

Monsanto recently acquired a US-based company with a Turkish subsidiary, and found during the due diligence the sub had made inappropriate payments to Turkish government officials. In 2005, Monsanto disclosed their own inappropriate payments made to Indonesian government officials and submitted to a three year monitoring program as a result, and Mr Avila talks about how their prior experience has affected policies going forward, including for this latest acquisition.

On the subject of codes of conduct:

Codes of conduct and compliance policies are important but are only the first step in assessing a compliance program. Monsanto believes that the biggest deterrent against unethical behavior is strong leadership.

I agree that codes of conduct are but the first step in ensuring compliance with the FCPA and other anti-corruption legislation. As an internal auditor, you want to assess whether the code of conduct has been read and signed by every relevant employee of the organization, and ensure that the code is complete and addresses issues covered by the FCPA. Typically new employees will receive the code of conduct when they join the company. Keeping the documentation to prove that everyone has agreed to the code is critical.

Assessing leadership is a much tougher job for an auditor. You will get a sense throughout your meetings and communications with senior management of their commitment to ethical business practices, and from there form an opinion. Of course if you already know there were past incidents of non-compliance, leadership is called into question and probably requires more substantive audit procedures to ensure compliance since the preceding events.

On the topic of embedding compliance into policies:

We had to reevaluate our policies for petty cash, travel and entertainment, inventory, delegation of authority and so forth from the perspective of the document trail. It made us formalize some practices into policies and reevaluate policies to make sure we captured enough detail so that an independent third party could find all his inquiries answered within the four corners of a document. That forced us to reconfigure policies and also reconfigure our expense recording so that our documentation captured more information. While this takes a little bit more time on the front end, it answers many more questions on the back end and contributes to creating a transparent culture.

Preparation and retention of documentation related to expenses is key to proving compliance with the FCPA. Any payments made to government officials, if they’re legitimate, will have appropriate evidence. I like the part at the end about creating a transparent culture because culture plays a huge role in establishing ethical traditions that can prevent situations like the ones experienced by Monsanto and their acquisition.

Read the full interview for more.