On November 17, President Barack Obama issued an executive order establishing a financial fraud task force. The interagency body includes the SEC, Treasury Department, Justice Department, Federal Bureau of Investigation, Internal Revenue Service, Secret Service, Federal Reserve, Department of Homeland Security, and other federal, state, and local prosecutors. The following quote was released as part of this announcement.
“Many financial frauds are complicated puzzles that require painstaking efforts to piece together,” said SEC Chairman Mary Schapiro, in a statement issued by the White House with the executive order. “By formally coordinating our efforts, we will be better able to identify the pieces, assemble the puzzle and put an end to the fraud.”
Efforts to reduce fraudulent financial reporting have been under way for years. The National Commission on Fraudulent Financial Reporting, more commonly referred to as the Treadway Commission, was formed in 1985 to inspect, analyze, and make recommendations on what appeared at that time to be an alarming increase in fraudulent corporate financial reporting.
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission picked up the torch in 1987. Sarbanes-Oxley legislation and the creation of a new audit standard-setting body, the PCAOB, followed in 2002.
Is there any discernible evidence that financial fraud or catastrophic governance failures (with or without fraud) have declined over that time? No one in the GRC world seems to be counting, a telling revelation in itself. Anecdotally, it is hard to make a case that things have improved.
SEC enforcement actions from 1987 through 1997, an 11-year period, covered financial statement fraud in 300 companies. In the 10 years ended in 2008, the total is 347 cases.
Is it humanly possible to reduce fraud and governance failures? Should they be considered random and unavoidable, just like the weather?
In a recent blog post, I compared airline safety statistics in the US over the same period to fraud and catastrophic governance failure. It was an unfair comparison. The National Transportation Safety Board (NTSB) keeps detailed statistics on aviation incidents. But in the world of GRC there are no clear definitions, let alone statistics, on fraud or on what I will refer to as catastrophic governance failure. What is clear, though, is this: aviation is safe and getting safer; financial fraud and GRC failures appear to be bad and getting worse.
Whatever our professions and regulators come up with as a new regulatory framework, they should consider incorporating at least a few of the elements that work in improving aviation safety.
1. Mandatory Incident and Event Reporting: I recently sat beside a 747 pilot dead-heading to his destination. Reportable incidents are defined by his airline, and he must log all such incidents. In other words, if he makes a mistake he must report it in writing. The only sanction he is subject to for a reported incident is the possibility of additional training. He would face much more severe sanctions for not reporting an incident. What is the value of this? Airlines learn from reported incidents. Knowing what can go wrong and understanding near misses prevents accidents. Incidents and events are not “deficiencies”. They are situations that have actually occurred.
Any regulatory framework seeking to drive down fraud and failure must define and incorporate mandatory incident and event reporting. Not just the Significant Deficiencies or Material Weaknesses that now get exposure through SOX, but all defined incidents and loss events. It is not possible to reduce the large failures without understanding the small ones.
2. Mandatory Root Cause Analysis: What happens after a plane crashes? Investigators virtually reconstruct it to find the cause of the accident. Mandatory root cause analysis is absent from most financial regulatory frameworks and professional standards. Without root cause analysis, improvement will not take place. In the world of fraudulent financial reporting and GRC failures, root cause analysis is almost totally absent. Virtually none of the reported deficiencies under SOX incorporate any kind of root cause analysis. No explanation is given or expected for the cause of failure.
3. Focus on Human Behavior: Existing audit and regulatory standards virtually ignore the role of human behavior in business. “Management override” of controls is considered a control failure, not unacceptable behavior. Few, if any, reported SOX deficiencies have identified Boards, Audit Committees, CEOs, CFOs, internal auditors or any other individual or group as the reported deficiency. Automated controls are supposed to be more reliable than, and preferable to, humans in the control environment. What’s missing in financial or regulatory frameworks is a clear, specific acknowledgement of the acceptable behaviors, specific accountabilities and skills required of key individuals and groups. Unacceptable behavior or insufficient skills get airline pilots grounded or fired immediately. Similar rules are needed for those who oversee our corporations. What are the behaviors, knowledge, and skills we need to be alert for in the world of business?
4. Robust Risk Assessments: Airline safety has improved because failure is considered to be systemic, predictable and avoidable. Airline accidents are seldom random events, and even random events can be predicted. Random birds might get randomly sucked into aircraft engines, but if individual bird incidents can’t be avoided, they can be predicted and managed. Robust risk assessment means assessing risk from at least three perspectives. Where can things go wrong and cause a serious incident? Identifying aircraft engines as critical and vulnerable is “context” risk assessment. What can go wrong? Identifying bird collisions as a cause of failure is “event” risk assessment. What accountability, skills and knowledge do we need from our people? Identifying the skills and knowledge the pilot needs to respond to an engine failure caused by a bird collision is assessing “behavior” risk. PCAOB audit standards and guidance give us some “context” risk guidance. They help identify “significant” accounts. But they fall short on event and behavior risk, and they leave a huge gap.
That’s why, once again, we have a new task force. It is true that financial fraud and catastrophic governance failure can be complicated. Are they more complicated than air disasters? You decide. My view is that if we approached fraud and governance failure as something that is predictable, systemic and avoidable, our regulatory frameworks and professional standards would look like what is used successfully by the airlines to drive down aviation failures.
Many thanks for that great blog posting! I really enjoyed reading it; you are an excellent author. I just bookmarked your blog and will come back soon to your blog. I want to encourage you to continue the marvelous job. Have a great day!
Thanks for the comment. I’ll keep writing as long as people keep reading. I welcome all comments and suggested topics for future blogs.