Navigating Risk and Control in Challenging Times

GUEST BLOG
Instituting and maintaining effective control systems is costly and challenging in even the best of times. Add in the instability that results from such difficulties as financial crises, regional political instability, pandemics, and others crises, and the costs and challenges are magnified.

Effective control systems are costly because they require significant investments in know-how, training and technology, and thousands of hours each year to manage them and related emerging risks. They are challenging because they require collaboration with stakeholders and striking the right balance between cost, risk, and control. The entire organization needs to be engaged as everyone has a role to play. The corporate board and the executive team set the tone; middle management institutes policies, procedures, and review mechanisms; and front line employees operate controls.

Corporate instability can arise from disruption of supply chain, industry consolidation, rapid technological changes, loss of top customers and many other scenarios. Financial distress, becoming acquisition target and operating in a corporate culture dominated by aggressive senior managers are conditions found quite frequently and have devastating impact on risk and control because they can cause corporate instability.

Financial Distress
Financial distress is a condition during which companies are unable to service their financial commitments. In early stages, financial distress is generally attributed to mismanagement, while in later stages it is generally attributed to declining revenue, negative cash flow, heavy indebtedness, or other exogenous pressures. U.S. statistics show that hundreds of companies file bankruptcy protection with the courts each year, and the current coronavirus pandemic and resulting economic difficulties have greatly increased filings.

When this condition is present, companies generally restructure to reduce costs and improve cash flow, while other become privately held. This leads to significant employee turnover and employee disengagement due to uncertainty and restructuring. During these situations, its often true that little attention is paid to risk and control as revenue generation, cost reduction, raising capital, spending freeze become top priorities.

The risk of fraud and abuse is also heightened as fraudsters identify opportunities due to lack of control, lack of care, and lack of oversight. Fraudsters rationalize their actions because they believe that they have been taken advantage of or are not valued by the company. Motivations for frauds in this category include attempts to conceal deteriorating financial conditions, desire to increase the stock price, and personal gain through asset misappropriation schemes such as theft, skimming, fraudulent disbursements, and larceny.

In August 2016, the SEC charged Ener1 Inc, a public company that manufactured rechargeable lithium-ion batteries for energy storage, with financial fraud. The SEC accused the company of materially overstating revenues and assets in 2010 and in Q1 2011. The company had failed to impair investments and receivables related to one of its biggest customers, an electric car manufacturer. The former CEO and chairman of the board, chief financial officer, and former chief accounting officer all agreed to pay penalties. The SEC also found that the PwC audit partner assigned to the company had violated PCAOB and professional auditing standards when he failed to perform sufficient procedures to support his audit conclusions. The SEC suspended the PwC partner from participating in the financial reporting or audits of public companies for at least two years.

The company filed for bankruptcy in January 2012 and restructured its debt.

Acquisition Target
There is a significant time lag (estimated at 16 to 36 months) from the time companies announce a strategic initiative to closing a deal. Studies show that during this time, and in the first 12 months post deal closing, about half of the employees will leave companies and those who stay do not remain focused due to uncertainty and anxiety. Those employees who become disgruntled may look for opportunities to commit fraud and will be able to rationalize it because they don’t feel valued.

This is a highly volatile period for companies targeted for acquisition during which there is little attention to risk and control. The risk of fraud and abuse is greater due to lack of focus and supervision. Fraudsters may also attempt to bolster financial performance in light of a due diligence review or the desire to increase compensation for those involved in the transaction. Others may just take advantage of the company for personal gain using traditional financial statement fraud, asset misappropriation, and corruption schemes.

Several years ago a client requested help with a suspected fraud investigation. The public company had just been acquired by a much larger target after completing a strategic review that lasted a little less than a year. When the examination was completed, it was revealed that two disgruntled employees, a human resources manager and a payroll accountant, had colluded and had inserted several fictitious employees in the payroll master. The manager and the accountant had paid themselves approximately two hundred thousand dollars over the year when the strategic review was being conducted. The root cause was lack of oversight and ineffective controls while the strategic review was ongoing.

Aggressive Management Team
Several recent accounting scandals were perpetrated by aggressive leaders who promoted a “win-at-all cost” culture, excessive pressure, and even intimidation. Aggressive leaders prefer a corporate culture that shows no appreciation for internal controls. They view controls as a burden and provide very little resources to risk and control functions. In some extreme cases, domineering leaders will access the accounting records directly or indirectly and override internal control systems.

Jeff Skilling rendered Enron’s controls ineffective and instituted an aggressive organizational culture that demanded “win-at-all cost.” After Enron went bankrupt in 2001, shareholders lost $74 billion, and thousands of employees lost their savings, pensions, and eventually their jobs.

The WorldCom scandal in 2002 was a combination of a company in distress and a corporate culture that did not value internal controls. According to Cynthia Cooper, CEO Bernie Ebbers wanted the internal auditors not to use the term “internal controls” because he did not understand what it meant and it aggravated him. In the end, 30,000 jobs were lost and $180 billion was lost by investors.

The Toshiba (2015) scandal highlights the role corporate culture can play in contributing to wrongdoing. Toshiba’s own investigative panel concluded that its corporate culture, which demanded obedience to superiors, played a key role in enabling the emergence of fraudulent accounting practices. The panel also attributed the failure to weak corporate governance and ineffective internal controls. When Toshiba’s senior management set unrealistic profit targets, company managers executed without questioning their practices, and using “win-at-all-cost” methods. The accounting scandal amounted to about $1.2 billion in overstated operating profits.

The Valeant scandal in 2015 also showcases the impact leaders can have in shaping a cut-throat culture. Vanity Fair’s 2016 article “The Valeant Meltdown and Wall Street’s Major Drug Problem” says that “…people took some pride in a culture that was ‘We’re the bad boys, we’re successful, we can do whatever we want,’ as one former Valeant executive puts it. It was a tough place. Pearson -the CEO at the time- had no qualms about firing employees who disappointed him. ‘In business you are supposed to make money,’ he explained to investors, in a meeting which was taped. ‘We expect everyone to make money. If a business does not make money, we either exit that business or we fire the person running that business. Usually we fire the person running that business.’ Senior executives came and went with astounding rapidity, because it was Mike’s way or the highway. (The board did not do exit interviews.)”

Impact on Risk and Controls
Compliance professionals, those tasked with the stewardship of risk management and controls, and auditors (both internal and external) working for companies in such conditions face significant headwinds. They are unable to rely on the company’s control environment, protect the organization and the shareholders, and provide effective support to the board. Companies in these conditions experience high employee turnover, employee dissatisfaction and disengagement, and ineffective management supervision. The probability of fraud and abuse increases exponentially as the control environment is rendered ineffective.

It is paramount for auditors and compliance professionals to remain skeptical and vigilant during difficult times so that they may identify red flags and collect reliable information on what is going on at the company. Detecting early warning signs is also important because it will help make early decisions and mitigate exposure.

Once warning signs are detected, they should be shared and discussed with the appropriate leaders. For example, company internal audit leaders should discuss the matter with the corporate board to formulate an action plan to maintain effective controls and help the board with oversight. External auditors should discuss with the engagement team leaders and partners to assess how it may impact the audit engagement and audit fees. Important questions need to be considered, for example: Are the conditions so severe that the auditor may consider disclaiming an opinion? Are audit and fraud risks present requiring the need for alternate audit procedures and specialist support?

How Internal Auditors Can Protect Themselves
Compliance professionals and auditors should consider the following recommendations that may help mitigate risks, particularly during times of instability:

• Since tips are the most common method (ACFE 2018 Report to the Nations) to detect fraud schemes, ensure that a whistleblower reporting mechanism is in place and that it is communicated to employees, customers and vendors, who report more than 80% of occupational fraud.
• Ensure that all parties know that the tips are anonymous and should not fear retaliation. Finally ensure that information related to tips received and actions taken is periodically collected and considered.
• Work with senior management and the board to ensure that the company maintains effective internal controls, including anti-fraud controls. Controls should include code of conduct, accounting policies, periodic management reviews (e.g., balance sheet and profit & loss analytical reviews by the CFO or the Corporate Controller), external and internal (where applicable) audits, training, obtain information related to control testing results, etc.
• Minimize the risk of control override by performing segregation of duties and user access entitlement reviews for key financial and operational information technology systems. In addition, train and educate employees about the risk of management control override.
• Auditors (both internal and external) should maintain professional skepticism at all times, such as having a questioning mind, withholding judgment, investigating beyond the obvious, and recognition of motivations that may lead to fraud and abuse.
• Internal and external auditors should conduct fraud brainstorming sessions as required by AS 2401 “Consideration of Fraud in a Financial Statement Audit.” Special attention should be given to risk factors such as incentives and pressures, opportunities and attitudes and rationalizations.

Time of instability are difficult enough to manage through. Ensuring that risk and controls don’t get ignored for other priorities can ensure that management has the proper tools to navigate through the treacherous waters and bring the organization back to better days. 

Chris Dogas, CPA, CFE, CRMA is a principal at AudereSapere Management Consulting LLP, which provides corporate governance services. Contact him at chrisdogas@asmgtc.com.