This is interesting: An internal review at Canadian construction company SNC-Lavalin of certain payments approved by the CEO has resulted in that executive’s departure from the company.
The payments in question were approved directly by the CEO after the CFO rejected them. Documentation was apparently sketchy, as the review revealed that the projects they were attributed to were incorrect.
[The review] reveals payments to contracts that didn’t exist, mysterious agents whose identity “is without substance,” and staffers using emails and password-protected devices that the company couldn’t access.
They can’t be sure that the payments in question weren’t related to their controversial involvement with the former Gaddafi regime in Libya, since the recipients appear to be fictitious. They believe they weren’t, but there’s really no basis for that belief since the report is inconclusive.
SNC-Lavalin has operations in over 100 countries and earned over $7-billion in revenue last year.
The company said improper payments are a result of “management override, flawed design or ineffective enforcement of controls” in relation to hiring agents for two of its projects.
Design is one aspect of internal control, and operating effectiveness is the other. Add to that management’s ability to override them, and they’ve pretty much covered all their bases!
Some former employees have conducted company affairs using non-corporate email addresses or had password protected devices to which the company does not have access.
This is incredibly suspicious, as what good reason could there be for using non-corporate email to conduct company business? Always a red flag, but tough to uncover. The article doesn’t discuss how it was uncovered in this case, unfortunately.
The original investigation, which was reported at the end of February, was over $35-million in payments which were undocumented. The reporting of this information resulted in a 20% decline in the company’s stock, which has since recovered only about ⅓ of the drop. Clearly, controls at the company are not strong enough and the market believes the environment may be such that more of these types of situations exist.
Now, with these recent developments, it seems that the “tone at the top,” a critical component of a strong control environment (see COSO Internal Control Framework), was not one of uncompromising integrity.
Depending on the nature of the payments, if it is ever determined satisfactorily, this could have implications related to the Corruption of Foreign Public Officials Act, Canada’s version of the Foreign Corrupt Practices Act in the US.
Easy answer to the non-corporate email question though: a security policy that doesn’t allow iPhones or other non-official devices. It’s not a GOOD reason for people to use an external/uncontrolled email account, but you’ll find that in all sorts of firms, Big Accounting or otherwise. This reason will fall over time as “consumerization of IT” makes this less of “a thing”, but in the 2000s with the advent of widespread personal smartphones it became an issue.
Granted in this case things look much worse, but just putting that relatively innocuous reason out there.
I chafe on the constraints of a too-restrictive IT department as well, but that’s definitely not a good reason (as you noted).