AuditNet
Resource List
Audit
Programs
AuditNet Virtual
Library
AuditNet
Newsletter
Ask
the Auditor
AuditNet
Mailing Lists
Audit
Jobs
Travel
Career Links
Partner
Discounts
Search
Sign Guestbook
AuditNet Sponsors
Advertising
Opportunities
About AuditNet
About Jim
Kaplan
AuditNet Seminars
AuditNet
Home Page
The Need For Corporate Governance
Dr. George Matyjewicz
Dr. Sarah Blackburn
Remember these headlines…
“Retirement funds lost! Thousands of workers lose their pension funds!”
“Multiplying layers of entities and hidden movement of capital and goods causes collapse of...”
“Shell corporations and bank confidentiality and secrecy havens discovered at...”
“Executives investments and illegal actions...”
“Government levies a record fine on accounting firm”
That’s the Enron and related scandals that led to the Sarbanes-Oxley Act of 2002, right? Wrong! Those were the hot topics in the news in the 1980s and 1990s with the U.K. high-profile scandals and collapse of BCCI, Robert Maxwell and Nick Leeson and Barings.
BCCI was a global bank, made up of multiplying layers of entities, related to one another through an impenetrable series of holding companies, affiliates, subsidiaries, banks-within-banks, insider dealings and shareholder (nominee) relationships. With this corporate structure BCCI and shoddy record keeping, regulatory review, and audits, the complex BCCI family of entities created was able to evade ordinary legal restrictions on the movement of capital and goods as a matter of daily practice and routine. Since BCCI was a vehicle fundamentally free of government control, it was an ideal mechanism for facilitating illicit activity by others, including such activity by officials of many of the governments whose laws BCCI was breaking.
Barings was Britain's oldest merchant bank. It had financed the Napoleonic wars, the Louisiana Purchase, and the Erie Canal. Barings was the Queen's bank. What really grabbed the world's attention was the fact that the failure was caused by the actions of a single trader based at a small office in Singapore – Nick Leeson.
Media mogul Robert Maxwell borrowed from employees’ pension funds and from banks as he tried to keep his empire alive. Eventually it failed and pensioners lost half of their pensions. Coopers and Lybrand, now part of Pricewaterhouse Coopers was the auditor at the time, and PWC has already paid out £67m for shortcomings in auditing the accounts and has been fined a record £3.3m by a British accounting watchdog for "losing the plot".
Corporate governance has had a history of reacting to scandal and abuse rather than proactively setting standards before corporate failures and losses to stakeholders crystallize.
Cadbury and Turnbull Reports.
The first committee on corporate governance was set up in 1991, when Sir Adrian Cadbury was asked to chair the Committee on the Financial Aspects of Corporate Governance. The subsequent report, known as the Cadbury Report, was published in 1992. It drew heavily on the work of the Treadway Commission in the USA. The report focused on internal controls, the need for effective audit committees and a recommendation that the roles of chairman and chief executive should be separate. Cadbury recommended that there should be a strong independent element to the board to prevent chief executives from becoming too powerful. Cadbury felt that the chairman was pivotal in allowing non-executive directors to carry out their function, "It is for chairman to make certain that their non-executive directors receive timely, relevant information tailored to their needs, that they are properly briefed on issues arising at board meetings, and that they make an effective contribution as board members in practice".
In 1999 the Turnbull Report was produced focusing on internal control. Turnbull focused on how companies manage their risks, for example the risk of corporate fraud.
The key proposals, which will affect directors:
- The introduction of a legislative statement of directors' duties.
- The introduction of a new general duty of “promotion of the company objectives.”
- A requirement that directors are pro-active in providing auditors with all the information that they require to carry out their function. Failure to comply with this requirement, or knowingly or recklessly providing a misleading, false or materially deceptive statement will constitute an offence under the new law (sounds like Section 303 of Sarbanes-Oxley).
- The introduction of a mandatory Operating and Financial Review which public companies and very large private companies will have to submit annually. It is envisioned that this will not only cover purely financial aspects of companies’ operations but will also include information concerning, for example, strategy and relationships with employees as well as policies on corporate governance and risk issues (title IV of Sarbanes-Oxley?).
Enter Magique.
In 1997, a steering committee from Bank of Scotland, Bestfoods, John Lewis Partnership, Friends Provident, Lex Service and National Assembly for Wales met with Horwath Clark Whitehill, a UK National Partnership of accountants and business advisers, to discuss solutions for risk management and for complying with Cadbury/Turnbull. Members of this group were clients of HCW using the firm’s Galileo Audit Management solution, a system in operation since 1994.
The committee focused on specific issues that needed to be addressed:
· Preparing and updating annual and strategic assessments of risk
·
Performing detailed evaluations of
risks
considering
management responses in
the
form of
controls and assurances
· Recording risk events as they occur and feeding this into the evaluation
· Creating and tracking actions
· Creating Questionnaires for Business Units of relevant controls for confirmation and scoring
Over the next three years, HCW worked with this committee and others who joined the group, in developing a solution that would solve the current issues, and provide a framework for any future regulation that may come about – like Sarbanes-Oxley.
The development resulted in a couple of iterations and Beta tests, and the first public installation in July 2000.
Some of the lessons learned included:
- Scalable. Global companies need to have solutions that can traverse operating systems, networks, the Internet and be transparent to the users. After investigation, HCW decided on a groupware tool used by 90 million users worldwide -- Lotus Notes. And, as technology advances occur, the platform would need to change to accommodate their needs. Today, Magique is in Beta at some clients using Microsoft’s .NET platform.
- Database Design. Global companies have large databases and need fast access to data. And different people access different parts of a database. Hence security and separation of duties was a key element in development. The consensus of the committee was to use separate databases for risks, actions and questionnaires, with transparent links among the files.
- Best Practices. Since Cadbury/Turnbull was new, it launched a new practice - sharing lessons learned from your peers – best practices. People wanted to know what others were doing and how they were handling particular issues, much like U.S. companies today with Sarbanes-Oxley. So, a best practices or knowledge database was incorporated in the system.
- Reporting Tools. Companies didn’t want to learn new tools to present their reports. They were using common office tools like Microsoft Word and Excel, or Crystal Reports, which are now the most commonly used office tools on the market. And they wanted to continue with these standard tools for management reporting and graphs. HCW agreed, and decided to provide seamless links to those tools, rather than reinvent the wheel with new reporting tools.
- Frameworks/Principles. Many companies decided on different frameworks in managing their risks, quite often dependent on the industry. Some examples include Turnbull, Basle II, COSO, COCO, FDICIA, ISO-9000 and the new Sarbanes-Oxley. Magique was designed to accommodate virtually any risk framework/principle and performance frameworks like Balanced Scorecard and Sigma Six.
- Replication. It was very important that users work offline at their desktop, at home or on a laptop. And the system needed to be kept up-to-date with little conflicts when more than one person works on a file. Lotus Notes does a great job on controlling conflicts with its replication facility. At the time, the replication was to the document level. HCW went further and managed conflicts down to the field level (Notes 5.0 now manages to the field level).
- Work Collaboratively. It was important that information can be entered and retrieved and is available to the entire risk group anywhere in the world at any time of the day or night.
- Support. A critical element in any application is support, especially when the system was first installed. Since this was a global issue, HCW decided to create a targeted global development and support network. The logic is to have major support/development centers strategically placed worldwide, with ancillary services coming from associated offices. Today there are five major support/development centers in London, New York, Sydney, Moscow and Cyprus, which can support the growing client base and global implementation groups.
- User Conferences. The steering committee worked so well, that it was decided to continue with the advisory group and to conduct frequent user conferences to get input from users worldwide. Today, there are semi-annual conferences and more frequent workshops where users gather to discuss common issues, learn about new developments and make recommendations for future enhancements.
The steering committee also helped with the database structure, presentation of data and navigation. With risk management they wanted to see both judgmental and statistical scoring systems as well as an alignment of objectives, risks, controls, events, causes and assurances. The system needed to produce automatic alerts of significant risks and changes. And, consolidation of risks (roll ups), e.g. to business unit, process, department, region, organization was mandatory.
The system had to track actions and findings at detail level along with the status and progress of tracking.
Just identifying risks and controls is not enough. Companies need to have assurance that the systems to reduce and control risks are actually working. Linking Magique to the earlier product, Galileo, has given users the power to align all their internal audit work with the greatest risks, both operational and strategic, facing their businesses.
With risk management it was critical to get a buy in from business units and process owners. Hence they built a questionnaire system, which automatically generated questionnaires from controls with related analytical information. And the questionnaires needed full tracking and follow up procedures. The users needed to have multiple-choice answers with comments.
Today.
With over 5,000 users and growing, Magique is probably the largest risk management solution on the market today. Magique is now at release 3.1. New releases are implemented each year, with enhancements occurring frequently through the year. The enhancements are generated as a result of feedback from our clients through the user group meetings, the tracking database and/or user input.
The Sarbanes-Oxley Act of 2002 has forced publicly traded companies in the U.S. to implement a risk management solution. Hence more and more companies are joining the Magique family of satisfied users.
Future.
Many companies are not implementing the Microsoft .NET platform with SQL servers to run their applications. Magique will be offered on that platform in July, 2003 when it comes out of Beta testing at a couple of clients.
And, as regulations and corporate risk and performance frameworks/principles change, so too will Magique. Feedback from our advisory committees and our users will direct the future development of Magique.
Visit http://www.sarbanes-oxley2002.com/ for more information.
###
About the authors.
George Matyjewicz, PhD is Global Strategist of GAP Enterprises, Ltd. and Managing Director of D’Arcangelo Software Services, distributors of Magique in the Americas. His dissertation “Just In Time Payments And The New Global Currency For Conducting Business In A Global Economy” was compiled from 3+ decades experience in the business world. He was formerly President/General Manager of a global digital currency company with customers in 190 countries and Chief E-Commerce Officer for a global giftware company where he experienced risk management issues first hand. He was a Principal/Partner at a top 20 U.S. CPA/Consulting firm. He is regularly published as an expert on global business, finance, technology and implementation and writes and publishes E-Tailer’s Digest online and in print, which reaches 50,000 retailers worldwide.
Dr Sarah Blackburn, MA, MBA, DBA, FCA, CISA, AdipC, ADipCM, PGCE, MAPM is chief executive of the Wayside Network, a consultancy which develops organisations and individuals to expertise in internal auditing, risk management and consultancy skills. A former audit director in several top 100 UK listed companies, she is chairman of the Technical Development Committee of the IIA UK and Ireland, a member of the Commission for Healthcare Audit and Inspection, the Internal Audit Committee of the Institute of Chartered Accountants in England and Wales and the Audit Committee of the Open University. She is also the author of A Practical Guide to Internal Auditing.