Archive for the ‘Financial Reporting’ Category

Twenty Anti-Fraud and Corruption Governance Red Flags

The following reflect my work in assisting regulators and enforcement authorities, and research on governance in companies that have been accused of fraud, bribery, corruption, and other malfeasance such as harassment, nepotism, expense reporting, and excessive compensation. I also draw on my interactions with, and guest lectures by, fraudsters who are currently in prison or who have served time in prison, and experts such as forensic accountants.

Here are the red flags, as I see them, in problematic companies and boardrooms that may contribute to fraud and other malfeasance going undetected or undeterred. Drawing on a speech I gave this month to a bribery and foreign corruption conference, and an earlier speech to corporate directors, the red flags are, in no particular order:

  1. Independent oversight functions (audit, compliance, risk) either non-existent or reporting to senior or operating management.
  2. A board lacking in risk, international and relevant industry expertise, and a paucity of audit committee know-how about how fraud is or may be committed.
  3. A whistle-blowing procedure that is neither anonymous nor protected.
  4. A board that does not believe it sets tone at the top. A tone that is not equal and consequential.
  5. A focus on rule and legal correctness, not spirit and intent. Failure to account for exogenous shock, stress, and a different frame of analysis. Directors not speaking up.
  6. Complex design being approved by directors. Directors approving when management does not fully tell them the counter-argument, and directors do not ask (know), or press.
  7. Captured, conflict-seeking, self-dealing, over-compensated, over-tenured directors and gatekeepers who are not objectively independent.
  8. Immature risk management, non-investment in information technology, and defective or non-existent controls, particularly non-financial, reputational and behavioural.
  9. Defective, non-existent, or dominated internal audit function.
  10. Lack of culture and reputation control assurance to the Board. No understanding of tone in the middle, or toxic or bullying work culture.
  11. Non-audited compensation, and improper incentives (quantitative, financial, short-term) that incent risk-taking behaviour. Unconstrained risk-takers and a complacent board.
  12. Clawbacks not at correct threshold of ethics or risk. Lack of risk-adjusted compensation.
  13. Charismatic, dominating, and/or stretched CEOs and CFOs, including distracting external activities, personal issues, living beyond their means, not taking vacations, and undue attention to accounting.
  14. Ethical code poorly designed, controlled, monitored, enforced, assured and reported to the board.
  15. Lack of documentation with explicit limitations and thresholds for material risks, cascading to emerging markets and key suppliers.
  16. Lack of executive sessions, with only independent directors, and with only internal oversight functions (audit, risk, compliance).
  17. Lack of due diligence and integrity controls at the hire or contract stage. Lack of integrity controls over senior management, and capacity for over-ride.
  18. Non-zero tolerance of facilitating payments. Mixed message sent by the board.
  19. Lack of independent, expert validation (board, risk, controls) reporting directly to the board.
  20. Weak or corrupt host country auditors not vetted or overseen by the audit committee, and lack of availability and translation of documents.

Do you recognize any of the above red flags on a board or in a company that you serve? Allegations of wrongdoing can put assets and reputation at risk. Regulators have enormous power, and are focusing their sights much more on the role a board plays, or does not play, in overseeing the affairs of the company.

Regulators turning up anti-bribery heat on corporate boards: But will practices change?

Russia is one of the most corrupt nations in the world (see a recent anti-corruption story on Russia by the New York Times). It ranks 143rd of all 182 countries on Transparency International’s corruption perception index, with a score of 2.4. Canada ranks the 10th least corrupt country in the world with a score of 8.7. New Zealand is the least corrupt country globally, ranking first with an overall score of 9.5. The US ranks 24th and the UK 16th, with scores of 7.1 and 7.8 respectively. See the “Full Table and Rankings,” where countries can be searched via the table. Lower rankings and higher scores mean the country is perceived as being less corrupt.

Prime Minister Harper visited China, India and Brazil to enhance trade with these countries, which are also some of the most corrupt nations in the world, ranking in at 95th, 75th and 73rd respectively. Libya, which involved the alleged Montreal-based SNC Lavalin bribes of some $56 million, comes in at 168. Within these countries, the governments themselves are the net beneficiaries of much of the corruption, so these politicians are far from motivated to impose reform.

Is it realistic to expect that Anglo-American nations, such as the US, UK and Canada, can impose “Western” will on the very way business is done, and has been done, in some countries for centuries? And if things will not or perhaps cannot change, should home country boards of directors be held responsible for systemic local corruption that may be beyond their control?

Regulators are taking corruption and the role of boards and senior management very seriously. The Securities and Exchange Commission and Department of Justice recently released 130 pages of guidance (see the PDF and other coverage here and here) on the Foreign Corrupt Practices Act (“FCPA”). The US has had the FCPA since 1977. Enforcement and penalties have gone up dramatically in recent years. The UK Bribery Act, from 2010, has some of the most stringent bribery laws in the world. In Canada, we have The Corruption of Foreign Officials Act (since 1999) and the recent guideline from the OSC for issuers operating in emerging markets (see the PDF).

Emerging economies are future markets for Canadian companies. The Prime Minister has a vision for Canada to be an energy supplier superpower. For this to happen, Canada will shift its trade to markets with 100s of millions or billions of consumers and much higher growth rates than our current major trade partner, the US, which could be coping with austerity due to its debt for years to come. Harper was in India last week to boost trade.

What is clear is that there is an enormous disconnect between the home country regulations now being imposed, and host country actual practices on the ground.

What should boards that have operations in emerging market jurisdictions do? Six things. First, if you are doing business in such a market, you need a director with extensive on-the-ground experience at the board table, who can tell you and management what the hotspots are. You should move a board meeting to the jurisdiction once a year so directors can get a first-hand look. Second, boards must make it crystal clear to management that if the company is not going to bribe, management must walk away from certain business. And the board must support this and not have incentives that promote bribery. Third, the internal controls over financial reporting must be as strong in the emerging market as they are in the home market. Investment and resource commitments need to be made. Fourth, boards must have their own experts to scrutinize off-balance sheet and related-party transactions and complex structures; validate and assure internal controls; and provide foreign language document translation. Fifth, local auditors should have the same oversight, scrutiny, and as necessary direct contact with the audit committee that the home auditors have. Lastly, there needs to be zero tolerance by the board communicated to each employee and supplier. The UK is even banning facilitating payments, which are regarded as a “tip,” as these may be bribes in disguise.

Companies and politicians are feeling the pain, including on Canadian shores. The Wal-Mart bribery probe has widened beyond Mexico to include China, Brazil and India. The RCMP is investigating the SNC Lavalin bribery allegations, on which I advised a law firm suing the company. I blogged about Sino-Forest, a case of alleged Chinese fraud by a Canadian-listed company. In Quebec, the corruption inquiry has cost the Mayors of Montreal and Laval their jobs and this is only the beginning. There are allegations of kickbacks in cash that may reach other more senior politicians. And Ontario is not immune either. A senior Canadian director remarked that Ontario has a reputation for being “the best place to carry out a stock fraud in the industrialized world.”

Clearly, more work needs to be done. Canada’s corruption ranking on Transparency International may go down in 2012 instead of up.

New financial services governance guidelines for Canada: Analysis & summary

The proposed OSFI corporate governance guidelines have been criticized for blurring the line between the board and management and for adopting a ‘one size fits all’ approach. This is hardly surprising, and is the criticism levelled at many governance regulations over the last twenty years, along with cost, as boards have become more active.

The OSFI guidelines have not changed in almost 10 years. In full disclosure, I was asked by OSFI to a) conduct a review and assessment of OSFI’s 2003 Corporate Governance Guideline and the Board Assessment Criteria against other international financial regulatory practices and recent developments or recommendations, and b) provide suggestions for future revisions after taking into consideration current global governance developments, including those related to financial institutions.

I reviewed 57 codes in total for OSFI, carefully tracking developments globally since the financial crisis. There are four major changes (among others) since the 2003 guidelines as follows:

1. Boards of federally-regulated financial institutions (FRFIs) will need to have risk and relevant financial industry expertise represented on their board. This is entirely reasonable and codifies what good boards already do in their competency matrix approach that I recommended to the OSC in 2005. The notion that a board such as JPMorgan should have no independent directors with banking experience, for example, can have dire consequences when approving complex products and risks that directors do not understand for want of expertise. OSFI is not being overly prescriptive, only saying it desires “reasonable representation” of risk and financial industry expertise, leaving it to FRFIs to define and determine. It is not unreasonable to have risk and industry expertise on the board of a financial institution.

2. Second, independent third parties should be retained to assess the board, risk management and oversight functions. This does not mean the board is “managing,” but rather the board gets to see an objective view other than from management. Management is conflicted in assuring its own work and the board should not be beholden to this. The board should be free at any time to commission an independent review of any material risks or internal controls. This puts the heat on management, as a third party will be reviewing at some point. If management is doing its job, it should welcome this input. This proposal can be criticized for “offloading” oversight to outsiders, but with 100s of FRFIs that carry deposits and insurance of Canadians, independent reviews from time to time are a fail-safe.

3. Third, the board may need to have a dedicated risk committee and reporting function (e.g., CRO); and should approve a risk appetite framework (RAF) with cascading tolerance limits and implementation. This puts the heat on boards to know and understand the risks of their institution, and on management to translate that into thresholds complied with throughout the organization. OSFI set out at pages 19-20 of the draft guideline guidance on what the RAF should contain with areas and examples of best practices. It is not unreasonable for the board to approve risk, but with examples of what this actually entails. The OSC 2005 guideline (NP 58-201) is now out of date because risk is only a few lines: namely that the board should identify the principal risks and ensure implementation of appropriate systems to manage these risks – which is vague at best and wholly inadequate at worst.

4. Lastly, the CFO, head of internal audit and appointed actuary (for insurance companies) should have a direct reporting line to the audit committee; and the audit committee should approve the external audit fees and scope. Not only is this best practice, internationally, but I would also add, as OSFI similarly goes on to write, that the audit committee should have private sessions with the internal audit, external audit and appointed actuary at every audit committee meeting. The audit committee should also approve the internal audit work plan, budget, independence, person and compensation.

Overall the draft OSFI guidelines are proportionate, pragmatic and reflect leading practices (e.g., G30, Walker and OECD reports and Basel principles). Canada has a very well regulated financial services sector, that some say is the envy of the world. These new corporate governance guidelines will help ensure that this fiscal prudence and stewardship continues.

Derivatives May be Ungovernable

The recent loss of 2 billion dollars by JPMorgan confirms what is now a blindingly obvious governance reality. Boards of directors do not understand derivatives and cannot control management’s use of them. The same may be said for regulators.

One job of a board is to identify risks and ensure a proper system of risk management. If you cannot do this, you should not be on a board. This means that a director needs to assess the adequacy of the design and effectiveness of internal controls to mitigate the risks. Of the over 300 interviews I have undertaken in my research, including directors of large banks, only one director claimed to understand complex derivatives. How can directors assess internal controls when they do not understand the very instrument itself?

Other than Jamie Dimon, CEO of JPMorgan, not a single director of the board has any experience in banking. See the roster of directors here. Even if some directors were from the sector, it is debatable whether they would still understand the complexities of these products. For a basic explanation of what derivatives are, see here. U of T Rotman professor John Hull, a derivatives expert, has stated in an email to me “There is no question in my mind that a large financial institution should have on its board people (perhaps 2 or 3) who understand derivatives and other complex financial products.” Unless bank boards that oversee derivatives are prepared to have subject matter experts on their board who can effectively question management and insist on proper risk controls, other governance or oversight structures are needed.

Not only are boards incapable of controlling derivatives, but regulators may not be any better. Warren Buffett has said “Central banks and governments have so far found no effective way to control, or even monitor, the risks posed by these contracts. In my view, derivatives are financial weapons of mass destruction, carrying dangers that, while now latent, are potentially lethal.” See Warren Buffett on Derivatives.

The question is what have we learned from 2008? Banks are bigger than ever, with most American mortgages concentrated in only a handful of banks, yet the risky bets and use of complex derivatives continue. Harvard law professor Elizabeth Warren yesterday called for a new version of the Glass-Steagall Act. Yet independent Senator Bernie Sanders pronounced that Wall Street “runs” the Senate, implying that any attempt at further regulation would be forestalled. Mitt Romney has vowed to unwind Dodd-Frank on his first day as President. Look at the long list of political donations made by JPMorgan in 2011, here. And this is just one bank.

If derivatives are going to continue, regulatory conflicts of interest need to be addressed and boards need to have the directors with the expertise to oversee them.

Alleged Fraud at York University

A few questions:
1. When Navigant was retained in 2009, was this firm retained by, and accountable to, a Special Committee of only independent Governors of York U, or by Management? Best practice, generally, would be that an independent committee of a board would directly oversee an investigation of a significant matter involving potential fraud and reputational impairment, generally, as internal audit and control procedures over financial reporting may need to be strengthened, and management would not be overseeing the assessment of its own work, potentially.

2. Why is it that York U, to the best of my knowledge, information & belief, does not have a code of conduct that all employees and key suppliers must sign off on annually, as well as an established whistle-blowing procedure? (These are also common best practices, since S-Ox in 2002, including for not-for-profit institutions. Potential fraud often does not occur in a vacuum and a code and whistle-blowing are effective deterrents, for a board to oversee potential fraud within an institution. Code compliance and whistle-blowing reporting should also reach directly an audit committee of a board, or its equivalent. The SEC also implemented a new rule that potential whistleblowing can now go directly to the regulator, as an indication of where best practices are emerging in terms of codes and whistle-blowing practices.)