
Monday, June 1, 2020

Internal audit failure leads to corporate governance failure





Toshiba - a case of internal audit failure:


Toshiba, a 140-year-old pillar of Japan Inc, is caught up in the country's biggest accounting scandal since 2011. In 2011, Olympus Corp was embroiled in a scandal. In July 2015, Toshiba Corp president Hisao Tanaka and his two predecessors quit after investigators found that the company inflated earnings by at least $1.2 billion during the period 2009-2014. Toshiba is one of the early adopters of the corporate governance reforms initiated in Japan. The corporate governance structure met corporate governance standards. Time and again cases of corporate governance failures have provided evidence that good corporate governance structure does not necessarily lead to good corporate governance. Organisation culture is a critical determinant of the quality of corporate governance.
Some of the observations of the independent investigation committee of the company on internal audit demand discussion and debate.
The investigation committee observes, "According to the division of duties rules of Toshiba, the corporate audit division is in charge of auditing the corporate divisions, the companies, branch companies, and affiliated companies. However, in reality the corporate audit division mainly provided consultation services for the 'management' being carried out at each of the companies, etc (as part of the business operations audit), and it rarely conducted any services from the perspective of an accounting audit into whether or not an accounting treatment was appropriate."

The observations of the committee give the impression that the fault of the internal audit in Toshiba was that it focused on consultation service rather than assurance service. Should internal audit avoid providing consultation service? I do not think so. It was not the fault of the internal audit that it provided consultation service. The fault was that it did not pay attention to accounting audit.
In Toshiba, the top management used to set targets that are unachievable. There was excessive pressure from the top management to achieve those targets.
The variable pay is a significant portion of the total pay. The compensation of executive officers comprises a base compensation based on title and a role compensation based on work content. Forty per cent to 45 per cent of the role compensation is based on performance of the overall company or business department. 'Challenge' to achieve unachievable targets and performance-based pay provide enough motivation to manage earnings. Therefore, accounting audit should have been a focus area for internal audit.
Internal audit can function independently only if the audit committee is capable, independent and effective, and the internal auditor reports to the audit committee.
In Toshiba, the audit committee was neither capable nor independent. The three external members of the audit committee had no knowledge of finance and accounting. An ex-Chief Financial Officer (CFO), who was the CFO during the timeframe when accounting irregularities occurred, was the only whole time member of the audit committee. Therefore, the internal audit was not independent of the management. Earnings management had the tacit approval of the top management. Therefore, it is not surprising that accounting audit was excluded from the scope of internal audit. It is incorrect to infer that the accounting audit did not receive the attention of the internal audit because its focus was on providing consultation service.
Contemporary literature defines internal audit as 'assurance and consulting service'. The issue is one of balancing consultation service and assurance service. A problem arises when the internal auditor forgets that the internal audit is primarily an assurance function. The consultation service flows from the assurance service. Although the primary objective of an operation audit is to obtain assurance that the internal control that is installed to achieve operation objectives is adequate and operating effectively, the auditees look to the internal auditor for suggestions and consultancy. Such consultation service is a by-product of the assurance service. Auditees should not be denied the benefits of the internal auditor's understanding of the industry and the business, and the challenges before the auditees in achieving operation objectives. Exclusion of consultation service from the scope of internal audit would result in sub-optimal utilisation of internal audit resources.
Organisation culture also determines the effectiveness of internal audit. The investigation committee observes, "A corporate culture existed at Toshiba whereby employees could not act contrary to the intent of their superiors". In such a culture an upright internal auditor cannot survive, particularly if he is not independent of the management. Perhaps, it is the reason that the internal audit in Toshiba had chosen the easy path of focusing on 'consultation service' only without reporting internal control weaknesses.
Internal auditor is the 'eyes and ears' and 'go-to man' of the audit committee. Therefore, internal audit failure leads to corporate governance failure.

Friday, May 29, 2020

Risk of Internal Controls Failures



Last week’s announcement by the Securities and Exchange Commission (SEC) of the resolution of its outstanding Foreign Corrupt Practices Act (FCPA) enforcement action with Halliburton Company continues to resonate and provide lessons for the compliance practitioner. [Full disclosure – I am a Halliburton shareholder] I wanted to continue to explore the enforcement action around the issue of internal controls, their effectiveness (or lack thereof) and management over-ride of internal controls.
In a Cease and Desist Order which also covered former employee Jeannot Lorenz, the SEC spelled out a bribery scheme facilitated by both a failure and over-ride of company internal controls. The matter involved Halliburton’s work in Angola with the national oil company Sonangol, which had a local content requirement. The nefarious acts giving rise to the FCPA violation involved a third-party agent for Halliburton’s contracts with the state-owned enterprise.
According to the SEC Press Release, this matter initially began in 2008 when officials at Sonangol, Angola’s state oil company, informed Halliburton management it had to partner with more local Angolan-owned businesses to satisfy local content regulations. The company was successful in meeting the requirement for the 2008 contracting period.
However, when a new round of oil company projects came up for bid in 2009, Sonangol indicated, “Halliburton needed to partner with more local Angolan-owned businesses in order to satisfy content requirements.” The prior work Halliburton had on local content was deemed insufficient and “Sonangol remained extremely dissatisfied” with the company’s efforts. Sonangol backed up this dissatisfaction with a potential threat to veto further work by Halliburton for Sonangol. It was under this backdrop that the local business team moved forward with a lengthy effort to retain a local Angolan company (Angolan agent) owned by a former Halliburton employee who was a friend and neighbor of the Sonangol official who would ultimately approve the award of the business to Halliburton.
In each of these attempts, the company bumped up against its own internal controls around third parties, both on the sales side and through the supply chain. The first attempt to hire the Angolan agent was as a third-party sales agent, which under Halliburton parlance is called a “commercial agent”. In this initial attempt, the internal control held as the business folks abandoned their efforts to contract with the Angolan agent.
The first attempt to hire the Angolan agent was rejected because the local Business Development (BD) team wanted to pay a percentage fee based, in part, upon work previously secured under the 2008 contract and not new work going forward. Additional fees would be paid on new business secured under the 2009 contract. This payment scheme for the Angolan agent was rejected as the company generally paid commercial agents for work they helped obtain and not work secured in the past. Further, the company was not seeking to increase its commercial agents during this time frame (Halliburton had entered into a Deferred Prosecution Agreement (DPA) for FCPA violations in December 2008 for the actions of its subsidiary KBR in Nigeria).
Finally, “As outlined by Halliburton’s legal department, to retain the local Angolan company as a commercial agent, it would be required to undergo a lengthy due diligence and review process that included retaining outside U.S. legal counsel experienced in FCPA compliance to conduct interviews. Halliburton’s in-house counsel noted that “[t]his is undoubtedly a tortuous, painful administrative process, but given our company’s recent US Department of Justice/SEC settlement, the board of directors has mandated this high level of review.”” In other words, the internal controls held and were not circumvented or over-ridden.
The Angolan agent was then moved from commercial agent status to that of a supplier so the approval process would be easier. The proposed reason for this switch in designations was that the Angolan agent would provide “real estate maintenance, travel and ground transportation services” to the company in Angola. However, the internal controls process around using a supplier also had rigor as they required a competitive bidding process which would take several months to complete. Over-riding this internal control, the local business team was able to contract with the Angolan agent for these services in September 2009 and increase the contract price, all without the Angolan agent going through the procurement internal controls.
A second internal control which was over-ridden was the procurement requirement that the supplier procurement process begin with “an assessment of the criticality or risk of a material or services”; not with a particular supplier and certainly not without “competitive bids or providing an adequate single source justification.” However, as the Order noted, the process was taken backwards, with the Angolan agent selected and then “backed into a list of services it could provide.” Finally, there was a separate internal control that required “contracts over $10,000 in countries with a high risk of corruption, such as Angola, to be reviewed and approved by a Tender Review Committee.” Inexplicably this internal control was also circumvented or over-ridden.
Companies are required to maintain and assess the effectiveness of Internal Controls over Financial Reporting (ICFR).
Teladoc, Inc., an emerging growth company, disclosed a material weakness in its ICFR in the risk factors section, but was not required to issue either a Management or Auditor’s Report on Internal Control Over Financial Reporting.
In connection with our December 31, 2015 and 2014 audits, we identified a material weakness in our internal control over financial reporting. A material weakness is defined as a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of our annual or interim financial statements will not be prevented or detected on a timely basis.

The material weakness pertains to the breadth of our internal accounting team. Specifically, we do not have a sufficient number of accounting personnel to effectively design and operate proper internal controls over financial reporting. We are working to remediate the material weakness. We have begun taking steps and plan to take additional measures to remediate the underlying causes of the material weakness, primarily through the continued hiring of additional accounting personnel. In addition, we are in the process of documenting and assessing our internal controls over financial reporting and once complete, we will test these controls. The actions that we are taking are subject to ongoing senior management review, as well as audit committee oversight. Although we plan to complete this remediation process as quickly as possible, we cannot at this time estimate how long it will take to fully remediate the material weakness. If our remedial measures are insufficient to address the material weakness, or if significant deficiencies or material weaknesses in our internal control over financial reporting are discovered or occur in the future, it may adversely affect the results of our management evaluations and, when required, annual auditor attestation reports regarding the effectiveness of our internal control over financial reporting required by Section 404 of the Sarbanes‑Oxley Act. In addition, if we are unable to successfully remediate the material weakness and if we are unable to produce accurate and timely financial statements or we are required to restate our financial results, our common stock price may be adversely affected and we may be unable to maintain compliance with the NYSE listing requirements.
5 Internal Control Risks Every Organization Should Address

How often does your organization complete a detailed review of its internal controls? How many changes have occurred within your organization since the internal controls were designed? Have there been employee changes, process changes, new information systems, growth, or other changes that could have impacted those internal controls?
Every organization develops internal controls to achieve the following objectives:
  • Reliability of financial reporting
  • Safeguarding of assets
  • Complying with laws and regulations
  • Effectiveness and efficiency of operations
These controls should be re-evaluated on a routine basis to ensure that they are operating properly and still meet their objectives. When designing internal control policies, there are some common risks that every organization should consider, including:
  1. Management Override of Controls – Management is primarily responsible for the design, implementation, and maintenance of internal control and therefore, there is the inherent potential for management to override these controls. If an executive has the ability and an incentive – such as earnings targets or personal financial issues – to override controls and commit fraud, it is a risk not easily overcome. It requires those charged with governance, such as the shareholders, Board of Directors, or Audit Committee, to take an active approach in evaluating the possibility of fraud occurring at the organization and developing additional steps to control the risk of management override if these fraud risks are identified. In addition, setting the proper tone at the top can help the organization and its employees maintain their integrity.
  2. Limited Segregation of Duties – No single person should be responsible for the authorization of transactions, recording of transactions, and custody of the impacted assets of transactions. Smaller organizations may have difficulties implementing proper segregation of duties due to limited staffing, although larger companies can also have issues if the segregation is not properly designed. Smaller organizations need to implement compensating controls to help ensure the objectives are met, such as oversight, supervision, and monitoring by management or those charged with governance.
  3. Overreliance on Detective Controls vs. Preventative Controls – Although detective controls will identify whether something is wrong, it may be too late and the damage may have already been done. A good internal control system not only has detective controls, but also has preventative controls. Preventive controls can include things such as ongoing training of policies and procedures, implementing user names and passwords to limit access to the system or modules within the system, requiring dual signatures on disbursements, or conducting a review and approval of purchase requests prior to purchase.
  4. Informal vs. Formal Controls – Smaller organizations may have key controls that are performed at the entity level vs. at the activity level. These entity level controls are typically less formal and performed by one or two key individuals, such as the owner or manager. Regardless of whether controls are informal or formal, they need to be actively monitored to ensure they are being performed.
  5. Overly Trusting – When we hear stories of fraud, quite often the perpetrator is described as being honest, trustworthy, and a great employee whom you never suspected. An organization should trust its employees to be good employees and do their job to the best of their ability, but this trust should not reduce its internal controls. In the words of Ronald Reagan, “Trust, but verify.”
Internal controls serve as the first line of defense in preventing fraud and ensuring the viability of your organization. Even organizations with existing controls in place need to reevaluate them from time to time to ensure the objectives are still being met and identify any areas of weakness or new risks. Consider the internal controls risks outlined above when evaluating your organization’s existing internal controls. It’s important to be proactive in assessing what risks need to be addressed, designing the controls necessary to mitigate those risks, and implementing those controls successfully.