Despite more attention to, and certainly much more money spent by corporations on, internal controls resulting from the Sarbanes-Oxley Law, the numerous cyber-security breaches, stepped-up investigations and enforcement by the US under the FCPA, and similar enforcement actions by the European Union, the number of corporate scandals continues to pile up. Numerous firms paid the price (and some did not) for their malfeasance related to actions that led to the 2008 financial crisis. The Volkswagen (VW) emissions scandal and the Wells Fargo “fake account” scandal are two more recent examples of the continuing cycle of wrongdoing. What’s missing? Can internal controls help avoid corporate scandals?
The main purpose of internal controls is to assure the achievement of objectives set by management and the Board. Perhaps VW management set an objective to defeat the US emissions test and perhaps Wells Fargo set objectives to expand the number of accounts held by their customers irrespective of laws and/or proper customer service. While some in these organizations obviously had such objectives, I doubt that these objectives were formally stated. The question is, for example, why hadn’t VW management and their compliance professionals stated objectives for the company to comply with emissions standards? VW previously settled an EPA action related to excessive exhaust from a defective exhaust system part. VW paid a fine of $1.1 million to the EPA and recalled 329,000 vehicles to make the repairs at a cost of $26 million. In a consent decree related to this action VW agreed to “Enhance its system for monitoring and reporting emissions-related defects” (p. 5). This commitment should have been captured as an objective with related risks identified and mitigating controls that are subject to ongoing and separate assessments. Certainly the EPA considered VW’s failure to honor this consent decree in the severe, and justified, actions they are taking related to the current emissions scandal.
Wells Fargo has a reputation in the industry for being a very aggressive bank. Compliance professionals at such a company need to consider such a reputation when setting compliance objectives and identifying risks. The oversight of the revenue-generating processes at an aggressive bank deserves a much higher degree of scrutiny than the same process at a conservative bank. The Wells Fargo Rap Sheet should have informed the objective-setting and risk identification process at the company. Perhaps compliance professionals can be excused for missing Black Swan events, but there is no excuse for missing activities/events/behaviors leading to continuing scandals.
Organizations must develop processes to identify objectives to prevent recurrence of past issues. Such a process should include review of enforcement actions, lawsuits, warranty claims, and accidents leading to lost property or injured workers/customers. Issues occurring in your industry or at your competitors should also come under consideration. Certainly, all of the “Risk Factors” disclosed in the SEC Form 10-K should come under consideration. In addition, to reduce the risk that the actions of vendors or agents lead to scandal, review all agreements and develop objectives inclusive of each clause that protects your organization, along with risks and controls that lead to ongoing or separate reviews of these business partners to ensure compliance. Recall the 2007 scandal Mattel faced due to vendor factories in China using lead-tainted paint on toys. This vendor factory caused significant brand and financial damage to Mattel.
Capturing objectives provides an inventory of issues of concern to the organization. Monitoring ongoing or periodic activities targeted at addressing related risks to achievement of these objectives provides management insight into the intensity and frequency of resources devoted to mitigating these potential issues. Scheduling separate reviews provides management with further insight into the quality of the ongoing or periodic activities. A comprehensive objective-setting process with monitoring will significantly reduce the risk of a corporate scandal. Including all aspects of objectives and related risks within the internal control framework at your organization is an excellent way to leverage compliance to protect your organization from scandal.
About the Author
Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting LLC, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications, and the “Leverage Compliance” blog. Glenn provides licensee compliance audits in conjunction with Licensing Compliance Group and Penetration Tests/SOC for Cyber/SOC 2/3 Assessments in conjunction with Ra Security Systems. Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/, follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/