
The Control/Culture Connection

These two elements must complement each other to achieve strong financial reporting.


All audit committees want strong internal controls over financial reporting, and a strong ethical culture where employees who suspect impropriety feel unafraid to speak about what they see. Less well understood are the connections between those two things — how corporate culture and internal controls should complement each other, to further the goal of strong, reliable financial reporting. Design them well, and the organization has a powerful buttress against executive misconduct. Don’t, and the opposite is just as true.

A fascinating example of this point comes from Bankrate.com, which paid $28.5 million to the U.S. Justice Department earlier this year to settle long-running financial fraud charges. Back in 2011, Bankrate’s then-Chief Financial Officer Ed DiMaria concocted a cushion-accounting scheme to manipulate quarterly earnings. He and others fabricated expenses on a bogus spreadsheet, while hiding the true numbers from Bankrate’s audit firm. When the U.S. Securities and Exchange Commission (SEC) began inquiring about the company’s finances, DiMaria directed others to reply with material not responsive to the SEC’s document requests. 

Of course this all unraveled eventually. Bankrate announced a restatement in 2014. DiMaria was dismissed, indicted, and sentenced to 10 years in prison. The company hired new outside counsel, and its audit committee cooperated fully with the SEC. 

Think about what happened here. First, the company used technology and business processes that gave DiMaria the ability to fabricate financial data while concealing true information. Second, nobody raised alarms about DiMaria’s misconduct — not when he lied to the audit firm, not when he misled the audit committee, and not when he had others mislead the SEC. 

The issue, really, is about transparency and freedom. Internal audit needs to be able to roam freely through the enterprise to assess risks, and it needs to be able to see real data, rather than whatever report management provides. Or, as Debi Roth, chair of the Audit Advisory Committee for Orange County Public Schools in Florida, puts it: “Can the audit department get it, and pull it themselves?” 

That might seem like a straightforward part of governance. In the real world, however, Bankrate is by no means alone. For example, when Polycom Corp. agreed last year to pay $16 million to settle U.S. Foreign Corrupt Practices Act charges, the misconduct was fundamentally similar. Executives in China recorded false information on bogus spreadsheets to hide bribery violations from Polycom’s global managers, while masterminding a payoff scheme to Chinese government officials. 

Technology and business processes that allow executives to create a false narrative; plus a corporate culture that allows them to spread the false narrative — if those are the ingredients for an audit committee’s nightmare, what’s the antidote? It comes in two parts: strong control activities over financial reporting, and strong corporate culture that encourages everyone to sound the alarms about misconduct. 

Ingredient 1: Control Activities

The first ingredient is unimpeded access to the company’s transactional data. Access should include not just whatever reports someone might provide to internal audit or the audit committee, but also the actual data about payments, due diligence checks, beneficial ownership, contracts, or whatever else the audit team might want to see. 

That’s partly a question of technology. Accounting systems should rely on a single data source to make frauds like bogus spreadsheets and false transaction entries harder to accomplish. In an ideal world, auditors should be able to drill down from balance sheet, to line-item accounts, to transactions within those accounts, to supporting documentation for those transactions. 

As an audit committee chair, Roth wants to hear the chief audit executive (CAE) explain how the process for gathering data works, and whether there are any concerns about potential interference. For example, does the audit team depend on the IT department to generate reports? That’s a risk, no matter how well-intentioned the IT department might be. “I’m looking for the internal audit function to have a good process in place that addresses internal controls, and that they’re able to go out and do their job and do it well,” she says.

Once upon a time, when companies used data warehouses, the audit team could have access to them, too, and pull whatever information it needed. Today’s systems are more complicated, as many firms rely on cloud-based applications that might store data in different locations, or employees might use cloud-based applications but not tell IT about it. 

Audit and accounting teams need to think about the design of financial reporting systems and transparency into the data, so that suspicious transactions stick out like a sore thumb. 

Ingredient 2: The Control Environment

Even when suspicious transactions are more visible, someone still needs to point them out. After all, at organizations of any appreciable size, many fraudulent activities won’t be spotted by the audit team — especially if more than one person is involved in the misconduct, as happened at Bankrate, Polycom, and many others. The organization needs to foster an environment where employees feel comfortable raising concerns about misconduct. “That’s always top of mind as an audit committee member,” says Raoul Ménès, who serves on the audit committee of the Salt River Pima-Maricopa Indian Community in suburban Phoenix. 

“The bad perception to have is, ‘Don’t worry, internal audit will get it,’” Ménès says. “Well, internal audit cannot see everything. They’ll show up for two weeks to do an audit, and then they’re gone.” 

Ménès encourages audit committee members to spend more time at their organizations, getting to know employees casually. Show up early for a committee meeting, for example, and chat with the employees. (That’s in addition to any executive sessions at the committee meeting, or any conversations the committee chair has with the CAE between meetings.)

“Meet the audit team, or talk to the controller. Just see how things are going,” Ménès says. “When you’re able to connect with folks, to work with them and talk with them, they’ll open up.” 

Fair enough, but how else can the audit function identify warning signs about corporate culture? “Auditing culture” is a lofty idea, but a bit vague. Instead, audit teams need to design tests for traits or behaviors that suggest the culture is wrong. Ménès, for example, once worked with a firm where employees received a three-question quiz about the code of conduct shortly after they had certified that they’d read it. The goal wasn’t to see how well they memorized the answers; it was to see whether the enterprise had high failure rates as a whole — which would suggest that employees weren’t taking the code seriously, a big culture risk. 

Roth, meanwhile, wants to hear about managers who try to interfere with auditors’ ability to talk to other employees. “If someone is telling the auditor, ‘You can’t work with anyone else, you have to go through me’ — that’s an automatic red flag,” she says.  

Shutting Down Abuse

The truth is, an organization can’t achieve strong financial reporting without both elements present: systems that provide clear visibility into transactions and a corporate culture that encourages internal audit — or other parts of the enterprise — to put that visibility to good use. 

That’s the buttress organizations need to thwart executives who might abuse their power to override controls or lie to the board. It can be tough to build in the modern enterprise, with complex IT systems and a globalized workforce. Build it right, however, and that buttress can be pretty powerful. 

Matt Kelly

About the Author

 

 

Matt Kelly is editor and CEO of RadicalCompliance.com, an independent blog about audit, compliance, and risk management issues, based in Boston.

 
