Corporate Governance: A Case Study
 

By Marc Loupé, CA and Robert Hirth, Protiviti

 
Web AuditNet

Using technology to make SOX a less costly, more reliable process
By Steve Stanek
KnowledgeLeader Contributing Writer

  

March 12, 2007
 

“The business world has run off the rails, mistaking wealth for success and image for leadership. We’re in danger of wrecking the very concept of the corporation.”

 

Strong words. Firm belief. Important warning.

 

They come from Bill George, chief executive at Medtronic Inc., a world leader in medical technology. George’s worried view of the business world stems from the litany of corporate scandals and financial embarrassments that have roiled corporations in a range of industries in recent years.

 

The poor corporate governance that so bothers George is the reason millions of people recognize the names Jeffrey Skilling, Bernie Ebbers and Dennis Kozlowski, and the names of the companies they once ran: Enron, WorldCom and Tyco. These former chief executives, now convicted criminals, are in prison paying the price for their poor corporate conduct.

 

In each instance, proper corporate governance could have mitigated or eliminated the problems these executives, and others in their organizations, created. Unfortunately for investors, customers and the general public, bad corporate governance continues, as evidenced by the ongoing prosecutions of individuals allegedly involved in corporate wrongdoing.

 

Even where criminal prosecutions do not occur, headlines have been discouraging. The number of restatements of corporate financial results of public companies in the United States has more than doubled since 2003, climbing from nearly 500 in 2003 to 1,070 in 2006, though not all restatements are related to poor corporate governance.

 

When we talk about public company corporate governance, we mean a process, carried out by a company’s board of directors, management and other personnel, to provide reasonable assurance regarding the achievement of entity objectives in the following categories:

 

  • Transparency and reliability of all public reporting
  • Compliance with applicable laws and regulations

 

The governance process must be applied in a strategy setting and across the enterprise to be effective.

 

 

Learning from its mistakes

 

We know this from hard experience. At CA (formerly Computer Associates), failure to properly apply corporate governance nearly sank the company. Many of the problems discovered at CA exist in varying degrees at many, and perhaps most, other companies.  The approaches now taken by CA to strengthen corporate governance can be a model for other companies to follow.

 

In 2004 federal prosecutors indicted Sanjay Kumar, CA’s then CEO, and other executives on a variety of charges including obstruction of justice and federal securities violations. Among the charges: that CA executives had systematically backdated huge sales contracts after the ends of quarters to hit revenue targets. The company later admitted to improperly booking more than $2 billion of revenue. Executives also were charged with lying about the existence of certain documents that had been subpoenaed by investigators. Rather than shut down the company, killing thousands of jobs and harming thousands more customers and investors, the government allowed CA to transform itself and pay a $225 million penalty.

 

CA remains under the federal oversight of the Department of Justice (DOJ) and the Securities and Exchange Commission. At least monthly, the company’s internal audit department and other departments’ personnel communicate with DOJ representatives about the company’s ongoing corporate governance overhaul, including the activities of the company’s new compliance/business practices office.

 

Part of the company’s transformation includes the hiring of co-author Marc Loupé in 2005 as senior vice president of internal audit. Other new executives, including the CEO, CFO, COO, CCO and CIO, have also been hired. In several instances, CA is already on its second round of new hires in key executive positions.

 

Recognizing the priorities

 

Though the many new CA executives have different backgrounds and work experience, they all see the benefits of good corporate governance and regulatory compliance. Each person in the C-suite understands that Job One is getting rid of the cloud that darkened CA’s reputation after the indictments were announced.

 

Representatives of each major entity within the organization now work together to make sure they avoid oversight fatigue, a real possibility considering the pressure the company is under. They have done this, in part, by placing businesspeople within the compliance function. These people understand the need to balance business needs with compliance requirements.

 

The company has also created governance partnerships involving people in the legal, compliance, internal audit, financial control, security, IT and external audit functions. These people communicate with each other, listen, take suggestions seriously and become coordinators to make sure the company avoids problems and proper practices are in place and are being followed.

 

Internal audit ensures follow-through with professional requirements. A compliance officer promotes new business practices that enhance corporate governance and compliance.  Internal audit also has strong support from a new board of directors and audit committee made up of individuals with more independence and business know-how. The corporate governance environment includes the adoption of best practices recommended for an engaged board of directors: strong committees, independence, avoidance of related-party transactions, etc.

 

When CA representatives discuss the company’s experience with internal auditors in other organizations, those auditors are often shocked to learn that the company’s prior audit department was deemed, by the government, to be ineffective. They are shocked because no one wants to be told their job, or the practices they follow in their job, are not in compliance with professional standards or industry norms.

 

This really is not an indictment of the prior internal audit administration. It is more of an indictment of the company’s tone-at-the-top and corporate culture, which in turn affected internal audit’s activities. CA is moving from a founder-led company to one that is more governance-oriented, with proper delegation of authority. There is no longer one executive who makes all the important decisions.

 

Putting new people, who are committed to good corporate governance and compliance, into important decision-making and oversight positions is only one part of a larger transformation.

 


 

Refocusing the business

 

CA’s business has also been refocused, with a new vision, mission and strategy, and new deployments of corporate resources in research and development, marketing, sales and other functions.  The company is implementing SAP Worldwide to improve systems and processes (including business process re-engineering). An enterprise risk management (ERM) system is being implemented with the full support of the board.

 

The ERM system embraces the COSO-2 standards. Strategic risk assessments are embedded in the strategic planning process. Other features of the system include operational risk assessment (weekly orientation), IT risk assessments, compliance risk assessments and improved discipline in financial reporting.

 

The audit department has mobilized CA’s IT infrastructure and has been able to establish credible non-U.S. audit structures.

 

Still, there is a lot left to do. One challenge is to live the theme, “Good governance is good business.” Change management is an evolution, not an event. The company needs to drive toward sustainability.

 

Another challenge is in the area of forensic audits. CA has been using outside resources for this activity more than it would like. Right now, this reliance on outside resources is necessary because the field is new and people with the required skills are scarce.

 

Above all, the CA experience shows the need to:

 

  • Be extremely diligent in knowing laws and regulations wherever in the world operations are located. Make sure you know what you don’t know.

 

  • Understand the business and the ideal tone-at-the-top. Embed good corporate governance principles in the business.

 

  • Educate people and inspire them to act ethically. There is never a long-term reward for doing business in an unethical way.

 

  • Invest in people to help them stay apprised of changes in the business and in the world of corporate governance. Some people are operating with an approach to corporate governance that is 10 years out of date. The rules of the game change and people need to keep up with those changes.

 

Marc Loupé is senior vice president - internal audit at Computer Associates. Robert Hirth is managing director in Protiviti’s San Francisco office.


  

Article from Protiviti KnowledgeLeader – www.knowledgleader.com.

 
