Category Archives: Governance

Stone

Hunger strikes and supporting documentation

One of the bigger news stories in Canada of late is the ongoing hunger strike of a First Nations chief, osten­sibly being carried out to force a meeting with the Prime Minister to discuss condi­tions on the remote northern Ontario Attawapiskat reservation.

The legacy of the “discovery” and settlement of North America by Europeans and their subse­quent relationship with natives is a topic far too complex for this blog, but the story took on an element of particular interest with the “leak” of a Deloitte audit report on the admin­is­tration of the community.

That report has been posted online in its entirety.

Deloitte sampled 400 trans­ac­tions from the G/L across the 6⅔ years in scope. Sixty per year and 40 for the eight month period ending November 30, 2011. Slightly less than 20% of the 400 had no issues. No supporting documen­tation was available for just over 60% of the sample, and the other 20% was either incom­plete or the occur­rence of the under­lying event was questionable. It should be noted though that in the most recent 20 months reviewed, only for 31 of the 100 samples was there no supporting documentation.

What the audit didn’t do (and wasn’t designed to) was determine whether $104M over that time period is adequate for the population on the reserve. It’d be an inter­esting analysis to look at the number of house­holds, average people per household, repairs and mainte­nance funding per household and per person, and figure out whether there is enough funding to support their needs or not. That’s the heart of the issue.

Outsource internal audit for greater objectivity

That’s the recom­men­dation from the Institute of Chartered Accoun­tants of India (ICAI), as reported by The India Express:

In the high-powered committee report on Satyam scam, we have proposed that internal audit should be outsourced and not be in house so that there is more indepen­dence. If the auditor is from the organ­i­sation, it is as good as being an employee of the organ­i­sation and the chances of remaining unbiased decline. Market regulator Sebi through clause 49 and the corporate affairs ministry through the Companies Law should make it mandatory that the internal auditor should be from outside the organ­i­sation,” ICAI president Amarjit Chopra told The Indian Express.

I can’t really argue with the logic, but the feasi­bility of the idea is fair game. The logistics of putting this into place is giving me a headache, and it does seem like an overre­action to a single instance of fraud.

The voice of reason comes from the director of KPMG in India:

More important [than outsourcing] is the commu­ni­cation between head the of internal audit and CEO or chairman of audit committee. The success depends more on how freely and directly the internal auditor can discuss the short­comings in a firm with the CEO of audit committee.”

Boards should be ensuring that the lines of commu­ni­cation between the Chief Audit Executive and the Audit Committee are direct and commu­ni­ca­tions frequent and frank. That applies even if IA is outsourced as well.

I blogged a while ago about the Satyam scandal.

Internal audit at Satyam

New charges in the Satyam scandal were laid by India’s Central Bureau of Inves­ti­gation, for “creating fake invoices to inflate revenues by US$94 million and forging company board resolu­tions to obtain unautho­rised loans worth US$265 million” according to this story in Accoun­tancy Age.

This comes after charges were laid on November 21 against the former Head of Internal Audit, VS Prabhakar Gupta, for the company, for “willful suppression of auditing irregularities.”

A lot of coverage in the blogs (primarily Dennis’ and Francine’s) thus far has focused on the role the external auditor Price­wa­ter­house­C­oopers played in the fraud, but Internal Audit arguably should’ve been better able to root out the fraud due to its closer famil­iarity with business processes.

It’s difficult to detect fraud in the best of circum­stances, but when the charges involve suppression of irreg­u­lar­ities discovered by internal audit, questions will be raised (and arrests made).

DNA (Daily News & Analysis), an Indian English language newspaper, provided additional detail on the arrest of the former Head of IA:

While the spokesman refused to divulge any further infor­mation about Gupta, sources in the agency claimed that the auditor had helped in falsi­fying accounts including inflating the overseas employees pay bill.

On top of this, the Internal Audit department received the Recog­nition of Commitment from the Institute of Internal Auditors in 2005, which according to the IIA was “available to all internal audit activ­ities that submitted an appli­cation fee and met specific criteria in the areas of quality, outreach and profes­sion­alism, based on a point system.” The program was discon­tinued in 2006.

On the occasion, the now former Head of IA had this to say:

We are extremely happy with the recog­nition that our Internal Audit team has received on an inter­na­tional platform. Satyam is one of only 26 internal audit depart­ments worldwide receiving this award in 2005 and it reinforces our commitment to meet the inter­na­tional standards in the concepts and approaches to audit function contributing to better corporate governance.

Satyam is now commonly referred to as India’s Enron.

IIA: Keep internal and external audit separate

Accoun­tan­cyAge is reporting that the UK and Ireland IIA’s chief executive Ian Peters recently made a statement on the contentious issue of having external auditors provide internal audit services:

Internal auditors answer to management and the non-executive directors… external audit reports to share­holders. Merging these two important functions has the potential to cause serious conflicts of interest and reduce the effec­tiveness of internal controls and the management of risk.

The statement was made in relation to the KPMG-Rentokil deal.

I think if the two parties gave us more details about the work performed around indepen­dence it was assuage many of the fears stake­holders are having.

KPMG has said they believe the provision of both functions “is perfectly feasible to do in the spirit and letter of the law.” If that’s so, how long before more of these arrange­ments are made by KPMG or other firms?

Foreign acquisitions and the FCPA

The Metro­politan Corporate Counsel, a publi­cation dedicated to legal issues relevant to corporate lawyers, recently inter­viewed Alfredo Avila, Assistant General Counsel at Monsanto about how they approach FCPA compliance for acquisitions.

Monsanto recently acquired a US-based company with a Turkish subsidiary, and found during the due diligence the sub had made inappro­priate payments to Turkish government officials. In 2005, Monsanto disclosed their own inappro­priate payments made to Indonesian government officials and submitted to a three year monitoring program as a result, and Mr Avila talks about how their prior experience has affected policies going forward, including for this latest acquisition.

On the subject of codes of conduct:

Codes of conduct and compliance policies are important but are only the first step in assessing a compliance program. Monsanto believes that the biggest deterrent against unethical behavior is strong leadership.

I agree that codes of conduct are but the first step in ensuring compliance with the FCPA and other anti-corruption legis­lation. As an internal auditor, you want to assess whether the code of conduct has been read and signed by every relevant employee of the organi­zation, and ensure that the code is complete and addresses issues covered by the FCPA. Typically new employees will receive the code of conduct when they join the company. Keeping the documen­tation to prove that everyone has agreed to the code is critical.

Assessing leadership is a much tougher job for an auditor. You will get a sense throughout your meetings and commu­ni­ca­tions with senior management of their commitment to ethical business practices, and from there form an opinion. Of course if you already know there were past incidents of non-compliance, leadership is called into question and probably requires more substantive audit proce­dures to ensure compliance since the preceding events.

On the topic of embedding compliance into policies:

We had to reevaluate our policies for petty cash, travel and enter­tainment, inventory, delegation of authority and so forth from the perspective of the document trail. It made us formalize some practices into policies and reevaluate policies to make sure we captured enough detail so that an independent third party could find all his inquiries answered within the four corners of a document. That forced us to recon­figure policies and also recon­figure our expense recording so that our documen­tation captured more infor­mation. While this takes a little bit more time on the front end, it answers many more questions on the back end and contributes to creating a trans­parent culture.

Prepa­ration and retention of documen­tation related to expenses is key to proving compliance with the FCPA. Any payments made to government officials, if they’re legit­imate, will have appro­priate evidence. I like the part at the end about creating a trans­parent culture because culture plays a huge role in estab­lishing ethical tradi­tions that can prevent situa­tions like the ones experi­enced by Monsanto and their acquisition.

Read the full interview for more.