Tag Archives: Corporate Governance

Sniffing it Out

The first Virginia governor I worked for directly was John Dalton, who was fond of saying that his personal gauge for ethically challenged behavior was the smell test, i.e., did any proposed action (and its follow-on implications) have the odor of appropriateness. Philosophical theories provide the bases for most useful practical decision approaches and aids, although a majority of seasoned executives are unaware of how and why this is so. Whatever the foundation of the phenomena may be, most experienced directors, executives, professional accountants (and governors) appear to have developed tests and commonly used rules of thumb that can be used to assess the ethicality of decisions on a preliminary basis.

If these preliminary tests give rise to concerns, most think a more thorough analysis should be performed. It is often appropriate (and quite common in practice) for subordinate managers and other employees to be asked to check a proposed decision in a quick, preliminary manner to see if an additional full-blown ethical or practicality analysis is required. These quick tests are often referred to as sniff tests. If any of these quick tests are negative, employees are asked to seek out someone like the corporate counsel or an ethics officer (if there is one) for consultation, or to personally perform a full-blown analysis of the proposed action. This analysis is usually retained, and perhaps even reviewed by upper management.

Some of the more common sniff tests employed by managers with whom I’ve worked are:

–Would I be comfortable if this action or decision were to appear on the front page of a national newspaper tomorrow morning?
Will I be proud of this decision?
Will my mother and father be proud of this decision?
Is this action or decision in accord with the corporation’s mission and code?
Does this feel right to me?

Unfortunately, although sniff tests and commonly used ethical rules of thumb are based on ethical principles as popularly conceived and are often useful, they rarely, by themselves, represent anything approaching a comprehensive examination of the confronting decision and therefore can leave the individuals and organization(s) involved vulnerable to making a challengeable choice. For this reason, experts advise that more comprehensive techniques of evaluation should be employed whenever a proposed decision is questionable or likely to have significant consequences. Analysis of specific sniff tests and the related heuristics reveals that they usually focus on a fraction of the comprehensive set of criteria that more complete forms of analysis examine.

Traditionally, an accepted business school case approach to the assessment of a corporate decision and the resulting action has been to evaluate the end results or consequences of the action. To most businesspeople, this evaluation has traditionally been based on the decision’s impact on the interests of the company’s owners or shareholders.

Usually these impacts have been measured in terms of the profit or loss involved, because net profit has been the measure of well-being that shareholders have wanted to maximize. This traditional view of corporate accountability has been modified over the last two decades in two ways. First, the assumption that all shareholders want to maximize only short-term profit appears to represent too narrow a focus. Second, the rights and claims of many non-shareholder groups, such as employees, consumers/clients, suppliers, lenders, environmentalists, host communities, and governments that have a stake or interest in the outcome of the decision, or in the company itself, are being accorded an increased status in corporate decision making.

Modern corporations are increasingly declaring that they are holding themselves self -accountable to shareholders and to non-shareholder groups alike, both of which form the set of stakeholders to which the company pledges to respond. It has become evident (look at the Enron example) that a company cannot reach its full potential, and may even perish, if it loses the support of even one of a select set of its stakeholders known as primary stakeholders.

The assumption of a monolithic shareholder group interested only in short-term profit is undergoing modification primarily because modem corporations are finding their shareholders are to an increasing degree made up of persons and institutional investors who are interested in longer-term time horizons and in how ethically individual businesses are conducted. The latter, who are referred to as ethical investors, apply two screens to investments: Do the investee companies make a profit in excess of appropriate hurdle rates, and do they strive to earn that profit in a demonstrably ethical manner?

Because of the size of the shareholdings of mutual and pension funds, and of other types of institutional investors involved, corporate directors and executives have found that the wishes of ethical investors can be ignored only at their peril. Ethical investors have developed informal and formal networks through which they inform themselves about corporate activity, decide how to vote proxies, and how to approach boards of directors to get them to pay attention to their concerns in such areas as environmental protection, excessive executive compensation, and human rights activities in specific countries and regions. Ethical investors as well as other stakeholder groups, tend to be increasingly unwilling to squeeze the last ounce of profit out of the current year if it means damaging the environment or the privacy rights of other stakeholders. They believe in managing the corporation on a broader basis than short-term profit only. Usually the maximization of profit in a longer than one-year time frame requires harmonious relationships with most stakeholder groups based on the recognition of the interests of those groups.

A negative public relations experience can be a significant and embarrassing price to pay for a decision making process that fails to take the. wishes of stakeholder groups into account. Whether or not special interest groups of private citizens are also shareholders, their capacity to make corporations accountable through social media is evident and growing. The farsighted executive and director will want these concerns taken into account before offended stakeholders have to remind them.

Taking the concerns or interests of stakeholders into account when making decisions, by considering the potential impact of decisions on each stakeholder, is therefore a wise practice if executives want to maintain stakeholder support. However, the multiplicity of stakeholders and stakeholder groups makes this a complex task. To simplify the process, it is desirable to identify and consider a set of commonly held or fundamental stakeholder interests to help focus analyses and decision making on ethical dimensions; stakeholder interests such as the following:

1.Their interest(s) should be better off as a result of the decision.
2. The decision should result in a fair distribution of benefits and burdens.
3. The decision should not offend any of the rights of any stakeholder, including the decision maker, and ..
4. The resulting behavior should demonstrate duties owed as virtuously as expected.

To some extent, these fundamental interests have to be tempered by the realities facing decision makers. For example, although a proposed decision should maximize the betterment of all stakeholders, trade-offs often have to be made between stakeholders’ interests. Consequently, the incurrence of pollution control costs may be counter to the interests of short-term profits that are of interest to some current shareholders and managers. Similarly, there are times when all stakeholders will find a decision acceptable even though one or more of them, or the groups they represent, may be worse off as a result.

In recognition of the requirement for trade-offs and for the understanding that a decision can advance the well-being of all stakeholders as a group, even if some individuals are personally worse off, this fundamental interest should be modified to focus on the well-being of stakeholders rather than only on their betterment. This modification represents a shift from utilitarianism to consequentialism. Once the focus on betterment is relaxed to shift to well-being, the need to analyze the impact of a decision in terms of all four fundamental interests becomes apparent. It is possible, for example, to find that a proposed decision may produce an overall benefit, but the distribution of the burden of producing that decision may be so debilitating to the interests of one or more stakeholder groups that it may be considered grossly unfair. Alternatively, a decision may result in an overall net benefit and be fair, but may offend the rights of a stakeholder and therefore be considered not right. For example, deciding not to recall a marginally flawed product may be cost effective, but would not be considered to be right if users could be seriously injured. Similarly, a decision that does not demonstrate the character, integrity, or courage expected will be considered ethically suspect by stakeholders.

A professional CFE can use an assessment of our client organization’s stakeholder ethical concerns in making pro-active recommendations about fraud detection and prevention strategies and in conducting investigations and should be ready to prepare or assist in such assessments for employers or clients just as they currently do in other fraud deterrence related business processes.

Although many hard-numbers-oriented investigators will be wary of becoming involved with the soft risk assessment of management’s tone-at-the-top ethically shaped decisions, they should bear in mind that the world is changing to put a much higher value on the quality and impact of management’s whole governance structure, the posture of which cannot failure to negatively or positively affect the design of the client’s fraud control and prevention programs.

Governance and Fraud Detection

Originally, the business owner had the most say in decisions regarding the enterprise. Then, corporate structures were put in place to facilitate decision making, as ownership was spread over millions of shareholders. Boards of directors took over many responsibilities. But with time, the chief executive officer (CEO) ended up having a large say in the composition of the board and, in many instances, ruled and controlled the company and its strategy. The only option for shareholders appeared to be to sell their shares if they were not happy with the performance of a specific organization. Many anti-fraud professionals think that this situation contributed significantly to business demises such as that of Enron and to the horrors consequent to the mortgage meltdown and accompanying fiscal crisis.

Proposals were made to re-equilibrate the power structure by giving more power and responsibilities to the board and to specific committees, such as the audit committee, to better deal with internal control and fair financial reporting or the remuneration committee to better deal with the basis for the type and the level of remuneration of the CEO. New legislation was put into place, such as the US Sarbanes-Oxley Act and Basel II. Compliance with these pieces of legislation consumed a lot of attention, energy and cost.

Enterprises exist to deliver value to their stakeholders. This is accomplished by handling risk advantageously and using resources responsibly. Speedy direction setting and quick reaction to change are essential in such a situation so decision making must be shared among many. Therefore, governance comes into play. Successful enterprises implement an over-arching system of governance that facilitates the achievement of their desired outcomes, both at the enterprise level and at each level within the enterprise; this is especially true with regard to the problem of fraud detection.  In this context, a holistic definition of enterprise governance is in order: Governance is the framework, principles, structure, processes and practices to set direction and monitor compliance and performance aligned with the overall purpose and objectives of an enterprise.

This definition is initially implemented by the answers to and actions on the following governance related questions:

Who is accountable and responsible for enterprise governance? Stakeholders, owners, governing bodies and management are responsible and accountable for governance.

What do they do, and how and where do they do it? They engage in activities (set direction, monitor compliance and performance) in relationship with others and use enablers (frameworks, principles, structures, processes, practices) within the governance view appropriate to them (governance of the enterprise; of an organizational entity within the enterprise such as a business unit, division or function; and of a strategic asset within the enterprise or within an organizational entity).

Why do they do it? They institute governance to create value for their enterprise, determine its risk appetite, optimize its resources and use them responsibly.

In summary, accountability and stewardship are delegated to a governance body by the owner/stakeholder, expecting it to assume accountability for the activities necessary to meet expectations. In alignment with the overall direction of the enterprise, management executes the appropriate activities within the context of a control framework, balancing performance and compliance in achieving the governance objectives of value creation, risk management and resource optimization.

Fraud detection (within the context of a fully defined fraud prevention program) is a vital business process of the over-hanging governance function and can be implemented by numerous generally accepted procedures.  But a few examples …

One way to increase the likelihood of the detection by the governance function of fraud abuses is the conduct of periodic external and internal audits, as well as the implementation of special network security audits. Auditors should regularly test system controls and periodically “browse” data files looking for suspicious activities. However, care must be exercised to make sure employees’ privacy rights are not violated. Informing employees that auditors will conduct a random surveillance not only helps resolve the privacy issue, but also has a significant deterrent effect on computer assisted fraud exploits.

Employees witnessing fraudulent behavior are often torn between two conflicting feelings. They feel an obligation to protect company assets and turn in fraud perpetrators, yet they are uncomfortable in a whistleblower role and find it easier to remain silent. This reluctance is even stronger if they are aware of public cases of whistleblowers who have been ostracized or persecuted by their coworkers or superiors, or have had their careers damaged. An effective way to resolve this conflict is to provide employees with hotlines so they can anonymously report fraud. The downside of hotlines is that many of the calls are not worthy of investigation. Some calls come from those seeking revenge, others are vague reports of wrongdoing, and others simply have no merit. A potential problem with a hotline is that those who operate the hotline may report to people who are involved in a management fraud. This threat can be overcome by using a fraud hotline set up by a trade organization or commercial company. Reports of management fraud can be passed from this company directly to the board of directors.

Many private and public organizations use outside computer consultants or in-house teams to test and evaluate their security procedures and computer systems through the performance of system penetration testing.  The consultants are paid to try everything possible to compromise an enterprise’s system(s). To get into offices so they can look for passwords or get on computers, they masquerade as janitors, temporary workers, or confused delivery personnel. They also employ software based hacker tools (readily available on the Internet) and social engineering techniques.  Using such methods, some outside consultants claim that they can penetrate 90% or more of the companies they “attack” to a greater or lesser degree.

All financial transactions and activities should be recorded in a log. The log should indicate who accessed what data, when, and from which location. These logs should be reviewed frequently to monitor system activity and trace any problems to their source. There are numerous risk analysis and management software packages that can review computer systems and networks and the financial transactions they contain. These packages evaluate security measures already in place and test for weaknesses and vulnerabilities. A series of reports are then generated to explain any weaknesses found and suggest improvements. Cost parameters can be entered so that a company can balance acceptable levels of vulnerability and cost effectiveness. There are also intrusion-detection programs and software utilities that can detect illegal entry into systems along with software that monitors system activity and helps companies recover from fraud and malicious actions.

People who commit fraud tend to follow certain patterns and leave tell-tale clues, often things that do not make sense. Software is readily available to search for these fraud symptoms. For example, a health insurance company could use fraud detection software to look at how often procedures are performed, whether a diagnosis and the procedures performed fit a patient’s profile, how long a procedure takes, and how far patients live from the doctor’s office.

Neural networks (programs that mimic brain activity and can learn new concepts) are quite accurate in identifying suspected fraud. For example, Visa and MasterCard operations employ neural network software to track hundreds of millions of separate account transactions daily. Neural networks spot the illegal use of a credit card and notify the owner within a few hours of its theft. The software can also spot trends before bank investigators do.

Each enterprise needs to determine its appropriate overall governance system and the fraud detection approaches it decides to implement in support of that system. To help in that determination, mapping governance frameworks, principles, structures, processes and practices, currently in use, is beneficial. CFE’s and forensic accountants are uniquely qualified to assist in this process given their in-depth knowledge of all types of fraud scenarios and the tailoring of the anti-fraud controls most appropriate for the control of each within a specific company environment.