Call for Nominations: 6th Annual Internal Audit Beacon Awards
October 15, 2024In her iconic book, Extraordinary Circumstances, former WorldCom chief audit executive (CAE) Cynthia Cooper recounts her challenge of bringing to the audit committee’s attention more than $3.8 billion in fraudulent financial reporting transactions that internal audit had discovered. Following initial delays, the audit committee finally confronted the CFO only to be assured that the transactions were appropriate. He followed up with a white paper explaining his reasoning. The audit committee correctly rejected the attempt to justify the transactions, and the “rest is history.”
The circumstances at WorldCom were black and white. The audit committee recognized it was being misinformed and “brought the hammer down.” The misinformation provided to WorldCom’s audit committee was an act of “commission” on the part of management. Based on my experience, efforts to deceive audit committees by intentional deception (commission) are not very common. Instead, audit committees are far more likely to be deceived by acts of “omission.” In other words, “we don’t need to tell them everything!”
In conducting research for this article, I interviewed a few CAE acquaintances (some active and some retired) to glean their insights and experiences. Their observations were eye-opening. Almost all of them had observed instances when audit committees were not fully informed about risks or issues they should have been aware of. The severity of the deception ranged from minor acts of omission to more egregious acts bordering on commission. The following were some examples of instances where management chose to downplay or outright failed to disclose issues to the audit committee:
- The results of an enterprise employee satisfaction survey that signaled current or emerging risks in corporate culture
- Whistleblower complaints alleging sexual harassment or misconduct against one or more senior executives
- Emerging risks, especially those that had not yet materialized but could have serious consequences for the company going forward
- Internal control deficiencies, particularly when management believes they’re manageable or in the process of being corrected
- Actual or potential litigation risks — especially if they aren’t yet confirmed or management believes the risk is low
- Nondisclosure or selective disclosure about major vendor reliability, performance, or ethical practices, especially when management feels it might reflect poorly on their oversight
- Financial adjustments or reclassifications because management perceived them as non-material or unlikely to affect the committee’s view of financial health
- Delayed or minimized discussions on strategic decisions or risky ventures (including expansion plans, M&A activities, or entry into high-risk markets)
The CAEs with whom I spoke frequently used the word “rationalized” when describing management’s motives. For example, management would justify not disclosing certain risks because they thought doing so would be premature — often indicating they would disclose the risk at the appropriate time. They also rationalized limiting disclosure because they didn’t want to overburden the audit committee by adding additional information to already voluminous board packs.
If you are like me when reading the foregoing, you’re probably asking yourself why the CAEs didn’t speak up or disclose these issues to the audit committee themselves. The answer is complicated, but points to an inconvenient truth: CAEs often lack the independence or courage to override implicit or explicit direction from the CEO on what they can disclose. Some CAEs I spoke with said they had to run everything they sent or disclosed to the audit committee past the CEO or CFO. Others said it was just understood that internal audit would “stick to the facts.” If the facts weren’t spelled out in an audit report, the CAE would be “out of bounds” bringing it up. Naturally, I cringed when hearing those words.
I am also mindful that some CAEs are in their roles as part of rotational assignments. Their corporate careers could well hang in the balance if they are perceived as contradicting the will of senior executives when communicating with the audit committee. In some companies, CAEs struggle to maintain the objectivity needed to be effective. As I wrote in a blog several years ago:
Objectivity or perception of objectivity is frequently a challenge for rotational CAEs. They fully expect to move back into the business in a senior management position at the conclusion of their CAE rotation. As the rotation date approaches, they are frequently apprehensive about issuing critical audit reports of areas controlled by senior executives on whom they are dependent for their next assignment. It is evident to me that the objectivity of the CAEs in such situations is often compromised, and CAEs in such circumstances have often privately confided to me as much.
Some CAEs I spoke with in researching this article were creative in getting embargoed information to the audit committee. One CAE told me that he would whisper in the audit committee chair’s ear, “You ought to ask about a specific risk.” Another demonstrated courage by telling the CFO, “If you don’t tell the audit committee, I will.” Another pushed back by informing the CFO, “I understand your desire for me to limit my communication with the audit committee on this issue, but I work for the audit committee.”
So, what should audit committees do to ensure that they are not being kept in the dark through acts of omission? Having chaired audit committees myself, here are some words of advice:
- Promote strong governance structure: Ensure that audit committee members are independent from management. Independence reduces the risk of bias or undue influence from company executives.
- Set a clear expectation of full disclosure. Make it clear to the CEO, CAE, and others that the audit committee fully expects transparent disclosure of risks that warrant their knowledge. Set an expectation of “no surprises.”
- Encourage open dialogue during audit committee meetings. Some audit committee members may be more introverted than others. Encourage full participation and leave time in the agenda for open discussion with executives.
- Ensure unfiltered access to the CAE. The committee should insist on direct access to the CAE without management filtering information. There must be a trust-based relationship between the CAE and individual members of the audit committee which requires more than a group meeting 4-5 times a year.
- Schedule periodic updates from other key individuals. Meetings with the external auditors, internal auditors, and CFO team are common audit committee agenda items. However, the audit committee should also receive periodic updates from others, including the chief risk officer, general counsel, head of corporate ethics (if separate), head of HR, and corporate investigations (if separate).
- Ensure a robust whistleblower mechanism is in place. The audit committee should ensure there is a strong whistleblower policy where employees can report potential wrongdoing anonymously. The audit committee should oversee the whistleblower program via internal audit or the general counsel, and ensure reports are investigated.
- Exercise skepticism. Challenge management’s assumptions — don’t accept management’s explanations at face value. Ask probing questions, especially on complex or judgmental areas such as revenue recognition, reserves, and contingencies.
- Remain alert for conflicts of interest. Ensure that management’s compensation is not overly tied to financial performance metrics that could encourage manipulation. Review related-party transactions and any potential conflicts of interest.
In addition to the advice outlined above, there are important steps the CAE should take to ensure the audit committee is kept fully and currently informed of appropriate matters. I’ll explore those steps further in an upcoming blog.
I welcome your thoughts on this important topic.
I welcome your comments via LinkedIn or Twitter (@rfchambers).