Listen to Donald J. Rebovitch, a professor of criminal justice and Director of the Economic Crime and Justice Studies Department at Utica College, and Scott Moritz, a leader of Protiviti’s Fraud Risk Management practice and former FBI special agent, discuss results of the joint Protiviti-Utica College survey and other topics in this informative podcast.
It was a good kickoff of the new year, with more than 1,500 forward-looking directors and executives logging on to our January 7th webinar, Setting the 2016 Audit Committee Agenda. Hosted by Protiviti’s Brian Christensen and David Brand and me, the webinar was based on our latest issue of The Bulletin, which I’ve tweeted about, but have not previously addressed here.
Given the high attendance and rapid-fire Q&A (we will be covering some of these questions on this blog soon), I want to recap Protiviti’s ten Mandates for Audit Committees in 2016 that shaped the discussion. These mandates are intended to augment the normal, ongoing operations of the committee. The first five address issues pertaining to enterprise, process and technology risk issues. The rest focus on financial reporting issues.
- Ensure the risk profile reflects current business realities. Historically, boards have looked at their risk profiles annually. That was the case for more than half of webinar participants (51.5 percent). Given the increasing economic, political and global risk volatility, it is critical that boards ensure that the risk profile remains current and that emerging risks are identified timely as the risk landscape changes. The audit committee has either a direct or indirect interest in having a current view of the organization’s risks, depending on the risks’ impact on public and financial reporting.
- Understand the technology-related risks that present threats to the business model. Whether your company is creating the disruption or reacting to it, audit committees need to stay abreast of these changes. For example, the United States Securities and Exchange Commission (SEC) requires listed companies to disclose significant cybersecurity breaches and other related matters.
- Pay attention to risk culture and the tone of the organization. Recent catastrophic risk management failures have one thing in common: The tone at the top was not as strong as it could have been. A resounding majority of webinar participants (86.5 percent) said maintaining a robust risk culture is important to leaders in their organization. I hope this is true for your organization, as well.
- Consider the need for expanded capabilities of the finance organization. Big data, business intelligence, reporting enhancements – all of these changes, along with the increasing regulatory/compliance burden, are increasing demands on the finance organization, particularly in the areas of automation and information technology. Make sure your organization has allocated adequate resources to this critical and growing area.
- Consider the need for expanded capabilities of the internal audit function. As risk management matures, internal audit’s role as the third line of defense changes. Every year, technology-enabled auditing and data analytics rank as top challenges in our Internal Audit Capabilities and Needs Survey – which means we’re not making the progress that needs to be made. And the list of internal audit priorities continues to grow. The audit committee needs to ensure that internal audit is sufficiently resourced to execute its risk-based audit plan.
- Make the necessary process adjustments to enable the new revenue recognition standard. It’s common knowledge that public companies must comply with new Financial Accounting Standards Board (FASB) revenue recognition standards beginning with calendar year 2018. The task here is to make sure that your company gets started. There’s a lot of work entailed, even if it’s just in determining how the new rules affect your organization – and yet, less than 40 percent of organizations have even started.
- Review the Public Company Accounting Oversight Board (PCAOB) inspection report on the audit firm and understand how it impacts the audit process. As the PCAOB increasingly holds audit firms accountable for the quality of their audits, it could affect what auditors are looking for when they audit your organization. Audit committee members should review the PCAOB inspection report on the company’s audit firm and determine whether there are any implications for the organization. Also, the PCAOB is seeking public comment on a draft of 28 audit quality indicators, and audit committees need to keep an eye on that development.
- Consider the PCAOB-audit committee dialogue. Both the PCAOB and the SEC have increased their outreach to audit committees. We encourage audit committee members to obtain an understanding of what these organizations expect in a quality audit.
- Pay attention to developments on the lease accounting front. There’s a new standard on leases coming out in early 2016 that will have a significant effect on so-called “off balance sheet” financing. Going forward, both operating and capital leases will have to be accounted for on balance sheets. If this impact is significant, the company may need to start thinking about the related implications to contractual agreements, loan covenants and capital ratios, among other things.
- Ascertain the implications of the SEC’s concept release on audit committee disclosures. The SEC wants more transparency into audit committee activities. In 2015, the agency issued a concept draft of new audit committee disclosures. If you haven’t reviewed these already, you need to.
As 2016 builds a full head of steam, it promises to be a wild ride. As always, we’ll be here at The Protiviti View to help you find the signal amid the noise. If your audit committee has other priorities that aren’t on this list, I’d love to hear them. Feel free to weigh in, in the comment section below.
Nobody wants to believe that their company is losing significant revenue to fraud. And, understandably, organizations don’t want to spend scarce resources managing risks they don’t consider legitimate. With regulators and prosecutors increasingly holding executives accountable for fraud prevention, however, there’s a strong incentive to replace the old refrain of “no fraud here” with the more proactive “not on my watch.”
That’s the conclusion of a new study from Protiviti and the Economic Crime and Justice Studies Department at Utica College, released yesterday. The study, titled “Taking the Best Route to Managing Fraud and Corruption Risk,” is based on a 2015 survey of board members, C-suite executives, general counsel and chief audit executives.
Our survey corresponded with a September memorandum from the U.S. Department of Justice – The Yates Memo – instructing prosecutors not to give corporate defendants cooperation credit unless they identified the individuals responsible for illegal conduct. The memo is named for its author, Deputy Attorney General Sally Quillian Yates, who subsequently elaborated: “We are not going to be accepting a company’s cooperation when they just offer up the vice president in charge of going to jail.”
Against that backdrop, it was distressing to see, in the survey results, how few companies are living up to the fraud risk assessment provisions of COSO 2013, Principle 8, and remain in reactive response mode “putting out fires.” Only 17 percent of respondents described their organization’s fraud risk strategy as “well defined,” and only 57 and 35 percent of large and mid-size companies, respectively, had a fraud detection program in place. In addition, third-party fraud and corruption risk is barely on the radar of most organizations. Less than one in 10 respondents reported a high level of confidence in their organization’s vendor fraud and corruption risk oversight. A lack of internal resources was cited as the biggest challenge to proactive fraud risk assessment.
Other notable findings that emerged from our research:
- Few companies are availing themselves of the tools and best practices for mitigating fraud risk, e.g., less than one in five utilize ongoing forensic data analysis to identify potential red flags and fraud indicators.
- Just over one-third of the respondents reported their organizations do not conduct due diligence on business intermediaries (third parties) prior to onboarding.
- Organizations without strong fraud detection and reporting programs face a higher risk of whistleblower disclosures.
And a cautionary note: As much the internal audit profession is to be applauded for reaching beyond its accounting roots to strengthen interdepartmental relationships through “soft” skills, such as interpersonal communication, it is critical to maintain a clear line between improving communication and compromising assurance. Our report refers to the trend toward “consultative” audits, stressing that while surprise audits may sometimes be seen as running counter to an organization’s culture, they are an effective fraud deterrent when used in a targeted manner and focused on perceived problem areas or intransigent business units or geographies. That’s not to say such audits can’t be handled with dignity and respect, merely that we need to ensure that in adding the soft skills, we don’t lose our edge.
Staunch champions of corporate governance and fair financial reporting lost a friend over the holidays with the passing of former U.S. Rep. Michael Oxley on January 1. The Ohio Republican, co-author, with Democratic Senator Paul Sarbanes, of the landmark Sarbanes-Oxley Act of 2002 (SOX), was an ethical stalwart and strong advocate and warrior for corporate oversight and accounting reform.
SOX, drafted in response to a spate of high-profile corporate frauds around the turn of the century, significantly impacted the modern corporate governance landscape by elevating internal control over financial reporting to a top corporate priority. For anyone who entered the professions of accounting, finance, internal auditing and consulting after 2002, SOX has always been the law of the land. But those of us who remember the scandals of the Enron era can attest to the enormous problem placed on the doorstep of Congress at the time.
There are those who argue that SOX is excessively burdensome and overdone and, in essence, an overreaction to the acts of a few. But here’s the skinny: There were too many examples of egregious abuses. As a result of the bad behavior of an unscrupulous minority of executives, shareholders suffered significant losses, people lost their life savings and overall confidence in the capital markets waned dangerously. In the United States, a situation like this gives Congress a strong political will to act. And act they did. SOX is a compendium of the abuses of the Enron era. The law reads as if Mr. Oxley, Mr. Sarbanes and their authorship team listed all of the high-profile abuses on a whiteboard and then designed mechanisms to address each one. They did what they had to do to solve the problem they were faced with. In doing so, they sent a powerful message of accountability for fair public and financial reporting.
SOX certainly isn’t perfect, but it has stood the test of time. After an initial period of adjustment and the pains of a very messy learning curve following the law’s enactment, the increased emphasis on internal controls has resulted in a precipitous decline in restatements of financial statements. According to studies by Audit Analytics, the number of restatements has declined significantly since its 2006 peak. More importantly, the number and severity of accounting issues underlying each restatement also have declined. That’s good news.
SOX also created the Public Company Accounting Oversight Board (PCAOB) and popularized the COSO Internal Control – Integrated Framework. That Framework had been around since 1992 but it wasn’t used widely. When SOX Section 404 required an evaluation of the effectiveness of internal control over financial reporting, the Securities and Exchange Commission required “a suitable framework” to support that assessment. All heads turned to the COSO Framework, treating it as the only game in town. Today, the Framework is used by almost all issuers and their external auditors as a basis for their SOX Section 404 evaluations.
While debate on the relative costs and benefits of SOX Section 404 continues, there is empirical evidence that the capital markets place significant value on strong internal control. An earlier study released in May of 2006 by Lord & Benoit reported that shareholders benefit when companies have effective internal control over financial reporting. To illustrate, for the period from March 31, 2004 to March 31, 2006, the Russell 3000 share index increased by 17.7 percent. The Lord & Benoit study found that companies reporting no material weaknesses for either 2004 or 2005 enjoyed a 27.7 percent increase in share price. Companies reporting material weaknesses in 2004 but no material weaknesses in 2005 experienced a 25.7 percent increase in share price. However, companies reporting material weaknesses in both 2004 and 2005 suffered a 5.7 percent decline in share price. Therefore, the companies that reported that their internal control over financial reporting was ineffective both years experienced poorer performance in their stock price relative to the companies that did not.
Some have questioned the value of SOX, arguing that it did not prevent the financial crisis. The truth is that SOX wasn’t designed to prevent a crisis of this nature. The financial crisis was a systemic breakdown on a number of fronts involving an entire industry – a virtual “perfect storm.” To elaborate further on whether or not SOX could have prevented such a storm would detract from the message of this post. Suffice it to say that SOX doesn’t mandate how financial institutions are run, how risks are managed and when CEOs and their boards need to take a fresh look at the validity of the critical assumptions underlying their corporate strategy and business model.
SOX continues to fulfill its purpose, and Michael Oxley should be credited for the cultural change he enabled with this landmark legislation. He was a true statesman, a Republican who reached across the aisle to work with his fellow Democratic legislative partner, Paul Sarbanes, to enhance corporate management accountability to shareholders at a time when the reliability of public financial statements was called into question. These two men stepped into the arena as their country watched, with everyone knowing that something had to be done. Today, with forward progress in Washington D.C. so often hamstrung by partisan gridlock and intransigence, Sarbanes-Oxley shines as an example of what can be done when our elected officials come together to work for the common good.
Michael Oxley performed admirably when he had his moment in the legislative arena. He will be missed.
Despite the signs of economic growth in 2015 – including the Federal Reserve’s recent decision to raise interest rates for the first time in almost a decade – U.S.-based companies are laying up stores against the potential of hard times, cutting costs and favoring healthy profit margins over increased market share.
We first reported the “margin over market share” finding here on The Protiviti View in November, as one of the key findings of the 2016 Finance Priorities Survey report from Protiviti and the Financial Executives Research Foundation. Now that folks have had a month or more to digest those findings, I wanted to take a deeper dive and offer insight into the undercurrents I see driving the corporate finance function in the year ahead.
As previously reported, margin and earnings performance was the highest-ranked priority in the entire survey, with an overall score of 7.3 on a 10-point scale. Finance executives gave it an even higher priority of 8.2. This increased focus on protecting organizational value suggests a growing wariness in the marketplace, a nesting behavior, similar to the way some animals lay up extra stores in expectation of a hard winter.
Surveys are great at showing us the “what”; it falls to readers and analysts, however, to deduce the “why.” In this case, it is important to note that the survey was conducted in the third quarter of 2015, on the heels of the Greek debt crisis and amid ongoing discussions of Greece withdrawing from the Eurozone. China’s slowing economy was top of the news, and the world was grappling with the rise of ISIL and the growing threat of terrorism. Finally, add to that the usual agitation that accompanies any presidential election. Against this backdrop of uncertainty, it makes sense that companies might favor building a financial fortress over conquering new territory.
Wariness permeated priorities, with planning, forecasting and budgeting rounding out the list. Cash forecasting, at 6.6, was the highest-ranked process priority in the study. Working capital management remains a high priority, as finance functions continue to develop this capability in a highly coordinated manner. Such capabilities will take on additional importance as global market volatility increases.
Underlying this need for better business performance and strategic planning is a growing desire for a single, real-time version of the truth. Finance functions want to develop better, more accurate and timelier data collection, data analysis, reporting, budgeting and forecasting capabilities. These corporate performance management processes are used to perform profitability analyses tied to customers, products, operating units and geographies.
The climate of concern extends beyond purely financial matters. Cybersecurity ranked as the second priority for finance executives at 8.1, only slightly below profit concerns. While IT functions often take the lead in addressing this risk, cybersecurity is now a top boardroom issue, and also draws considerable time and attention with finance. Effective cybersecurity requires strong board engagement, the right policies, and an understanding of the enterprise’s most valuable and sensitive data.
Regulatory matters weighed heavily among the emerging issues, particularly in the financial services sector, and included cybersecurity, partner relationships and new revenue recognition standards in the top five.
Wrapping up on a high note, we see in the survey responses evidence that finance executives are adapting, or at least trying to adapt, at the speed of change. Leadership skills and training ranked high on the list of priorities, suggesting that CFOs and finance teams are looking for opportunities to hone their analytical capabilities and communicate effectively with stakeholders.
That’s my take on things. I hope you will join the discussion by adding your comments in the comment field below. If you have not read the survey yet, I recommend it. I also highly recommend the additional insights and discussion from our archived November 11, 2015 webinar.