“In the high-powered committee report on Satyam scam, we have proposed that internal audit should be outsourced and not be in house so that there is more independence. If the auditor is from the organisation, it is as good as being an employee of the organisation and the chances of remaining unbiased decline. Market regulator Sebi through clause 49 and the corporate affairs ministry through the Companies Law should make it mandatory that the internal auditor should be from outside the organisation,” ICAI president Amarjit Chopra told The Indian Express.

I can’t really argue with the logic, but the feasibility of the idea is fair game. The logistics of putting this into place is giving me a headache, and it does seem like an overreaction to a single instance of fraud.

The voice of reason comes from the director of KPMG in India:

“More important [than outsourcing] is the communication between head the of internal audit and CEO or chairman of audit committee. The success depends more on how freely and directly the internal auditor can discuss the shortcomings in a firm with the CEO of audit committee.”

Boards should be ensuring that the lines of communication between the Chief Audit Executive and the Audit Committee are direct and communications frequent and frank. That applies even if IA is outsourced as well.

I blogged a while ago about the Satyam scandal.

This comes after charges were laid on November 21 against the former Head of Internal Audit, VS Prabhakar Gupta, for the company, for “willful suppression of auditing irregularities.”

A lot of coverage in the blogs (primarily Dennis’ and Francine’s) thus far has focused on the role the external auditor PricewaterhouseCoopers played in the fraud, but Internal Audit arguably should’ve been better able to root out the fraud due to its closer familiarity with business processes.

It’s difficult to detect fraud in the best of circumstances, but when the charges involve suppression of irregularities discovered by internal audit, questions will be raised (and arrests made).

DNA (Daily News & Analysis), an Indian English language newspaper, provided additional detail on the arrest of the former Head of IA:

While the spokesman refused to divulge any further information about Gupta, sources in the agency claimed that the auditor had helped in falsifying accounts including inflating the overseas employees pay bill.

On top of this, the Internal Audit department received the Recognition of Commitment from the Institute of Internal Auditors in 2005, which according to the IIA was “available to all internal audit activities that submitted an application fee and met specific criteria in the areas of quality, outreach and professionalism, based on a point system.” The program was discontinued in 2006.

On the occasion, the now former Head of IA had this to say:

We are extremely happy with the recognition that our Internal Audit team has received on an international platform. Satyam is one of only 26 internal audit departments worldwide receiving this award in 2005 and it reinforces our commitment to meet the international standards in the concepts and approaches to audit function contributing to better corporate governance.

Satyam is now commonly referred to as India’s Enron.

Internal auditors answer to management and the non-executive directors… external audit reports to shareholders. Merging these two important functions has the potential to cause serious conflicts of interest and reduce the effectiveness of internal controls and the management of risk.

The statement was made in relation to the KPMG-Rentokil deal.

I think if the two parties gave us more details about the work performed around independence it was assuage many of the fears stakeholders are having.

KPMG has said they believe the provision of both functions “is perfectly feasible to do in the spirit and letter of the law.” If that’s so, how long before more of these arrangements are made by KPMG or other firms?

Monsanto recently acquired a US-based company with a Turkish subsidiary, and found during the due diligence the sub had made inappropriate payments to Turkish government officials. In 2005, Monsanto disclosed their own inappropriate payments made to Indonesian government officials and submitted to a three year monitoring program as a result, and Mr Avila talks about how their prior experience has affected policies going forward, including for this latest acquisition.

On the subject of codes of conduct:

Codes of conduct and compliance policies are important but are only the first step in assessing a compliance program. Monsanto believes that the biggest deterrent against unethical behavior is strong leadership.

I agree that codes of conduct are but the first step in ensuring compliance with the FCPA and other anti-corruption legislation. As an internal auditor, you want to assess whether the code of conduct has been read and signed by every relevant employee of the organization, and ensure that the code is complete and addresses issues covered by the FCPA. Typically new employees will receive the code of conduct when they join the company. Keeping the documentation to prove that everyone has agreed to the code is critical.

Assessing leadership is a much tougher job for an auditor. You will get a sense throughout your meetings and communications with senior management of their commitment to ethical business practices, and from there form an opinion. Of course if you already know there were past incidents of non-compliance, leadership is called into question and probably requires more substantive audit procedures to ensure compliance since the preceding events.

On the topic of embedding compliance into policies:

We had to reevaluate our policies for petty cash, travel and entertainment, inventory, delegation of authority and so forth from the perspective of the document trail. It made us formalize some practices into policies and reevaluate policies to make sure we captured enough detail so that an independent third party could find all his inquiries answered within the four corners of a document. That forced us to reconfigure policies and also reconfigure our expense recording so that our documentation captured more information. While this takes a little bit more time on the front end, it answers many more questions on the back end and contributes to creating a transparent culture.

Preparation and retention of documentation related to expenses is key to proving compliance with the FCPA. Any payments made to government officials, if they’re legitimate, will have appropriate evidence. I like the part at the end about creating a transparent culture because culture plays a huge role in establishing ethical traditions that can prevent situations like the ones experienced by Monsanto and their acquisition.

Read the full interview for more.

“This will help ease the burden on small firms and help encourage more small businesses to become public companies — while still ensuring transparency and honest accounting,” said Senator John Kerry (D-MA), chairman of the Senate Committee on Small Business and Entrepreneurship.

I see how this eases the regulatory burden on small entities, thereby indirectly encouraging small businesses to go public where they might otherwise not, but it remains to be seen how this “still ensures transparency and honest accounting”. How does not requiring companies to fully examine their systems of internal control and have management sign off on their effectiveness ensure anything?

It has been nearly five and a half years since Sarbanes-Oxley was implemented in the wake of the Enron meltdown and the delay applies to companies worth $75-million or less. When will smaller public companies be held to the same standard as larger ones?

Since the law was passed in 2002, the SEC has delayed compliance four times for small businesses. Currently, small companies … are expected to comply with the management guidance part of the law this year and the auditing section by 2009.

Legislators worked quickly to draft and pass Sarbanes-Oxley to protect investors in the aftermath of accounting scandals. Is it reasonable that it will be 7 years before it is in place for the smaller public companies in the US?

90% believed that IT oversight deserved more time at audit committee meetings. By constrast, 80% of committee members were satisfied with audit committee oversight of management judgments and estimates and 60% felt that committees were spending sufficient time on these issues.

Good to see audit committees are looking into this area with greater scrutiny. IT is often an area where firms of all sizes could benefit from increased focus and constantly thinking of ways to improve their controls and processes.

But what about the 20% that is satisfied with audit committee oversight of management judgments and estimates, but do not believe sufficient time is being spent on the issue? How can you feel an area needs more time and yet be satisfied with the oversight? This is why looking at surveys is fun.

“The ACI survey findings demonstrate a huge gap between the importance that audit committees place on IT risk and how much time they spend focused on it during their already busy meetings,” Smith said. “Since audit committees generally have only basic IT experience, there may be a reluctance to invite chief information officers and chief technology officers to their meetings, in part, because there is a lack of common vocabulary.”

Audit committees need to have at least one member who has a high level of knowledge in IT as it relates to financial reporting. There is no excuse for lacking someone with a good grasp on the IT risks the organization faces. And CIOs and CTOs aren’t enough — CFOs need to have a more than basic understanding, and even lower down in the accounting department.

I’m really pleased that the CICA has been so proactive towards training CAs on this topic. IT is one of the six topics covered in the professional exam process. (The others are audit/assurance, performance measurement, tax, finance, and organizational effectiveness, control and risk management.) Clearly there is some overlap between the last competency and IT.

An in-depth discussion of the six CA competencies is published by the Institute and available here (pdf).

Testifying at the trial of former Hollinger chairman Conrad Black, a former member of the company’s audit committee has testified that it kept watch over company finances for four years without any financial experts.

Economist Marie-Josee Kravis, sat on the committee during the time that Black allegedly helped steal $60m (£30m) from the company.

She said that no one on the audit committee between May 1999 and May 2003 had the financial experience required by its governing charter.

Kravis is referring in part (I’m assuming) to the best practices of an audit committee as outlined by the AICPA, which stipulate at least one member of the audit committee be designated a financial expert. The decision tree to determine whether a member qualifies as a financial expert can be found here (PDF).

Basically a financial expert is someone who is an accountant or auditor, has taken an accounting or auditing program or course, has experience in auditing or as a controller or financial officer of a company, has experience assessing a company’s financial statements, or has experience supervising the accounting function in a company.

On top of that, they must be familiar with GAAP, the function of an audit committee, internal controls, and how those apply to the company in question.

My question is: Why would you want anyone who doesn’t meet those standards on the audit committee?

Alberta Premier Ed Stelmach poured cold water yesterday on federal Finance Minister Jim Flaherty’s push for a nationwide securities regulator, saying he has no interest in moving beyond an alternative system provinces have set up.

He said he’s content to stick with the “passport system” — arranged by all provinces except Ontario — that synchronizes securities approvals but allows 13 separate securities commissions to remain.

That’s right — thirteen separate securities commissions for Canada, each one a fiefdom unto itself in terms of enforcing securities legislation. Restricting the flow of capital through a country quickly falling behind its core G8 competitors.

Alberta’s support is considered crucial to forming a single securities regulator because companies headquartered in the province have the second-biggest market capitalization of any jurisdiction in Canada.

Ontario is the largest in terms of market cap, but Alberta is growing quickly on the strength of oil sands development.

According to Canada’s Department of Finance:

In December 2003 the Wise Persons’ Committee presented its report recommending that the federal and provincial governments collaborate to establish a single securities regulator in Canada. The federal government continues to work with the provinces towards the development of a single securities regulator to promote greater efficiency in Canada’s capital markets.

C’mon guys, they don’t call them wise persons for nothing!

What do you think? Is there any hope for a single regulator in Canada to rival the SEC in the US and the FSA in the UK?

Conrad Black has vowed in a court filing to regain control of what remains of his business empire, but he’s also worried there might not be much left.

This struck me as a bit strange. I have to admit my experience with court filings isn’t extensive, but I just assumed they were pretty formal, standard documents. I didn’t think they could be used for vengeful, rhetorical purposes by the filer, but somehow Conrad made it happen. I wish they’d give the direct quote from the filings where he vows to get it all back.

But I digress. What really interested me once I read further:

Last week, Lord Black filed a motion in an Ontario court asking a judge to compel Ravelston’s receiver, RSM Richter Inc., to explain how it is protecting the firm’s assets. Lord Black alleged Richter and new managers at Hollinger International and Hollinger Inc. have spent $250-million over the past three years on professional fees. He also alleged the firms have lacked focus and devoted their time to “examining the past to see if there are litigation ‘assets’ that can be pursued.”

Basically, Hollinger is going after Black for misappropriating the company’s assets, and by doing so, Black believes they are paying too many legal and consulting fees. The litigation assets, I would imagine, are Black’s thievings, and the lawyers have probably been hired to figure out how Hollinger can get some of it back! Oh what a tangled web.

The move has been hailed as a signal of future partnership between Google and Apple in their joint fights against Microsoft. I have to admit it basically looks that way to me too. I would even go so far as to say a Google-Apple alliance poses the biggest threat to Microsoft’s continued dominance on the desktop, ever.

I’ve always wondered why some Boards have an even number of members, what with the possibility of vote tying. They must have some other method of resolving those situations when they inevitably crop up.

Steve Jobs is obviously an exception to most rules, but it’s rare to see someone in management on the Board in a public company, because of the inherent conflict of interest. I think Jobs is invested in Apple long-term though, so that’s no doubt why he gets away with it.