Nonprofit Risks 2019 – From Protiviti Top Risks 2019

Below I have inserted a nonprofit and governmental organization focused chart from a Protiviti paper – Executive Perspectives on Top Risks 2019.

Of course every entity is different and has different risks. And I would list and evaluate nonprofit entities separate from governmental entities, but it is not a purpose of this post to question or criticize the chart format.

Instead, from a nonprofit perspective I found the first and fifth listed risks interesting, and the second through fourth listed risks not surprising. For example, I would expect privacy, security, and top talent retention risks to be listed.

But the first and fifth listed risks identify broad and important organization culture and governance wide risks which would really concern me if I was a nonprofit board member, including: that resistance to change may restrict the organization from making necessary adjustments to the business model and core operations; and that the organization’s culture may not sufficiently encourage the timely identification of risk issues that have the potential to significantly affect core operations and achieve strategic objectives. If I’m sitting on a board and I don’t feel comfortable that the entity can timely identify risks that have the potential to significantly affect core operations, or that the organization’s culture and governance will allow it to make necessary changes to the business model and core operations, I would be feeling pretty exposed to criticism that board efforts, including my efforts, to oversee the governance and risk management of the organization are lacking or are ineffective.

Two additional comments: (1) as the chart also applies to governmental entities, I have to add that my above-stated concerns in the context of a nonprofit definitely also apply equally for governmental entities, and (2) I was surprised to not see on the list for nonprofits the risk that the organization might not have, or be able to maintain, or be able to develop sufficient funding sources to meet operational needs or for sustainability, and that important current funding sources might be reduced or lost in the future.

Immediately below you will find the chart from Protiviti, and below the Protiviti chart you will find a summary risk management framework chart that I prepared and which you might find useful.

Thank you for reading this post. If you have found value in this post, I ask that you also pass it along to other people who would be interested as it is through collaboration that great things and success occur more quickly. And please also subscribe to this blog and my other blog (see below), and connect with me on LinkedIn and Twitter.

Every case situation is different. You do need to consult with professionals about your particular situation. This post is not a solicitation for services inside of or outside of California, and, of course, this post only is a summary of information that changes from time to time, and does not apply to any particular situation or to your specific situation. So . . . you cannot rely on this post for your situation.

Best to you, David Tate, Esq. (and inactive California CPA) – practicing in California only

Blogs: California trust, estate, and elder abuse litigation and contentious administrations http://californiaestatetrust.com; D&O, audit committee, governance and risk management http://auditcommitteeupdate.com

Confidential and Fiduciary Relationships – Overview

There are a lot of cases and statutes on these topics. However, in general, a confidential relationship is a relationship where one party has placed confidence in the integrity and fidelity of another person to act for the first party’s benefit, and the other party voluntarily accepts that role.

In this context, “confidential” doesn’t mean secrecy – it refers to the confidence that someone places in another person to take action for the first person’s benefit.

A confidential relationship can be founded on a moral, social, domestic, personal, or legal relationship or duty (including, for example, pursuant to statute, case law, or contractual agreement). See, for example, Richelle L. Roman Catholic Archbishop of San Francisco (2003).

Unfortunately, the above general definition is very broad and, thus, is not very helpful.

Whether or not a relationship is a confidential relationship is a question of fact. See, for example, O’Neil v. Spillane (1975). But a confidential relationship doesn’t necessarily create a fiduciary relationship and duty. See, City of Hope National Medical Center v. Genentech, Inc. (2008). A fiduciary duty is one of the highest duties established by law. In Richelle for example, in which the court denied the existence of a fiduciary relationship, the court held that in the circumstance of a confidential relationship, fiduciary duties nevertheless only arise when the following are present: (1) the vulnerability of one party to the other which (2) results in the empowerment of the stronger party by the weaker party which (3) empowerment has been solicited or accepted by the stronger party and (4) prevents the weaker party from protecting herself or himself. See also, for example, Marriage of Bonds (2000), holding that a confidential relationship can arise between family members and friends when substantive or procedural deficiencies in a transaction are combined with great age, weakness of mind, sickness or other incapacity of one party to the transaction.

In other words, confidential and fiduciary relationships require more than simply trust and confidence – they also require that the party who is claiming the confidential or fiduciary relationship to also prove not only trust and confidence, which exists in a lot of relationships and is relatively easy to simply claim, but also weakness of mind, or inability to take action and to protect oneself, and evidence of justifiable reliance.

You should note that the issue of whether or not there is a confidential or fiduciary relationship also can be, but is not necessarily, related to issues pertaining to possible fraud (intentional or negligent misrepresentation, concealment, or promise without intent to perform) or undue influence.

Thank you for reading this post. If you have found value in this post, I ask that you also pass it along to other people who would be interested as it is through collaboration that great things and success occur more quickly. And please also subscribe to this blog and my other blog (see below), and connect with me on LinkedIn and Twitter.

Every case situation is different. You do need to consult with professionals about your particular situation. This post is not a solicitation for services inside of or outside of California, and, of course, this post only is a summary of information that changes from time to time, and does not apply to any particular situation or to your specific situation. So . . . you cannot rely on this post for your situation.

Best to you, David Tate, Esq. (and inactive California CPA) – practicing in California only

Blogs: California trust, estate, and elder abuse litigation and contentious administrations http://californiaestatetrust.com; D&O, audit committee, governance and risk management http://auditcommitteeupdate.com

Forwarding a post by Eugene Fram – Nonprofit & Business Directors Must Be Vigilant – Board Liability Costs Could be $2.2 Million!

Below I have provided a link to a blog post by Eugene Fram. Eugene writes good materials for nonprofits. There have been rumblings for some time now about the possibility that a couple of states might start more actively overseeing nonprofits and their operations. And a few of the big players in the nonprofit community have suggested that more robust nonprofit governance might be beneficial. I ask that you click on the link below to Eugene’s post – although state action is unusual, the example situations that Eugene describes are less unusual. I am also updating my materials for nonprofit audit committees, which I will post soon.

Here is the link to Eugene’s post:  https://non-profit-management-dr-fram.com/2019/01/27/nonprofit-business-directors-must-be-vigilant-board-liability-costs-could-be-2-2-million-3/

Thanks for reading this post. If you have found value in this post, I ask that you also pass it along to other people who would be interested as it is through collaboration that great things and success occur more quickly. And please also subscribe to this blog and my other blog (see below), and connect with me on LinkedIn and Twitter.

Every case situation is different. You do need to consult with professionals about your particular situation. This post is not a solicitation for services inside of or outside of California, and, of course, this post only is a summary of information that changes from time to time, and does not apply to any particular situation or to your specific situation. So . . . you cannot rely on this post for your situation.

Best to you, David Tate, Esq. (and inactive California CPA) – practicing in California only

Blogs: California trust, estate, and elder abuse litigation and contentious administrations http://californiaestatetrust.com; D&O, audit committee, governance and risk management http://auditcommitteeupdate.com

Corporate, Business, Or Entity Culture – The Board’s Role And Knowledge About – From State Street

The following is a link to a January 2019, letter from State Street emphasizing and focusing on the business’s culture and how it adds value. The letter pertains to corporate culture because of the business in which State Street operates – but what we are really talking about is business or entity culture which includes public companies, private businesses, nonprofits, and governmental organizations and entities.

The letter is short and lacks detailed discussion about culture; however, I found interesting the attachment to the letter with possible questions that might be asked of the board members about the state of the business’s culture and the director’s knowledge thereof. I would assume that the majority of directors could not answer those questions with detail.

I also found interesting that the letter differentiates culture from values, and instead focus’ on culture’s impact on value. However, I would say that the business’s values drive and impact the business’s culture.

As culture has become a board topic (and apparently it might be here to stay), I would like to see additional, more specific discussions about how to evaluate and grade, and improve upon the organization or entity’s culture.

This definitely is a topic for the full board, but as it also falls into the category of risk management or ERM, this might also be on the plate of the risk management committee, if there is one, or on the plate of the audit committee to which risk management is often delegated (but let me also add, in my view, risk management is a topic for the entire board – if risk management is delegated to a committee, that committee should, nevertheless, report on risk management to the full board, for the full board’s consideration).

Here is the link to the State Street letter – be sure to read the attachment https://www.ssga.com/investment-topics/environmental-social-governance/2019/01/2019%20Proxy%20Letter-Aligning%20Corporate%20Culture%20with%20Long-Term%20Strategy.pdf

Best to you, David Tate, Esq. (and inactive California CPA)

Blogs: California trust, estate, and elder abuse litigation and contentious administrations http://californiaestatetrust.com; D&O, audit committee, governance and risk management http://auditcommitteeupdate.com

If you have found value in this post, I ask that you also pass it along to other people who would be interested as it is through collaboration that great things and success occur more quickly. And please also subscribe to this blog and my other blog (see above), and connect with me on LinkedIn or Twitter.

The following are a few additional materials for your consideration.

SEC Chief Accountant – Recommendations for Your Financial Reporting Role, Including Audit Committees – Forwarded From thecorporatecounsel.net

I am forwarding the below information from thecorporatecounsel.net (https://www.thecorporatecounsel.net/blog/), or you can also click on the following direct link Click HereI thank thecorporatecounsel.net for making this material available.

I have also inserted some of my comments into the materials below. My comments are marked “Tate: ____________.”

Best to you. David Tate, Esq. (and California inactive CPA) – my blogs: D&O, Corporate, and Audit Committees: http://auditcommitteeupdate.com; Trust, Estate and Elder and Dependent Adult Abuse Litigation: http://californiaestatetrust.com

SEC Chief Accountant: Recommendations for Your Financial Reporting Role

In connection with yesterday’s AICPA conference, SEC Chief Accountant Wes Bricker provided this statement on financial reporting & auditing issues that he’s been discussing with SEC Chair Jay Clayton and others. As you’d expect, a lot of the statement is aimed toward auditors – e.g. what they should be doing to improve quality. But the statement also emphasizes the role of companies in the financial reporting process – with plenty of recommendations for audit committees and management:

– Internal controls – particularly where there are close calls as to a significant deficiency or material weakness, audit committees should pay extra attention to the adequacy of & basis for the company’s ICFR assessment, and seek training if necessary (citing this enforcement action). It’s vital to focus not just on actual misstatements but also whether it’s reasonably possible that a material misstatement won’t be prevented or detected in a timely manner. 

Also remember that it’s the company’s responsibility to develop, maintain & assess ICFR – and that the thresholds for auditor attestation don’t change these requirements (it’s not obvious whether this remark is intended to foreshadow a change to the attestation requirement, which was discussed as a future possibility when the SEC increased the smaller reporting company threshold and in today’s Senate testimony by SEC Chair Jay Clayton). This blog from Cooley’s Cydney Posner reports that several members of the OCA Staff also discussed internal controls issues at yesterday’s AICPA Conference – with tips on how to assess controls and how to adequately disclose a material weakness.

Tate: As you are aware, whether an item or situation is material can be based on quantitative or qualitative aspects, or both. Definitely be mindful not only of actual misstatements, but also the processes and procedures for the design, implementation, review and updating of internal controls, and whether it is reasonably possible that a material misstatement won’t be prevented. As an audit committee member of course you should be concerned if you cannot rule out that it is reasonably possible that a material misstatement won’t be prevented. Also note the comment: seek training if necessary – training or education should be automatic under the business judgment rule.  Yes, also click on the Cooley blog link. It is a useful list, and might lead to inquiries for audit committee’s to explore with executive management, internal audit, and the external auditor to gain assurance that all is in order.

– CAMs – conduct a “dry run” so that the auditors & audit committee can discuss issues. It’s also important to understand that CAMs aren’t intended to duplicate management’s MD&A disclosure of critical accounting estimates.

Tate: The CAMs will be interesting to watch and evaluate. I will be writing additional posts on this. Currently, the CAMs and guidance that I have seen suggest that the CAMs are not required to be as detailed as I had thought. However, one guidance comment also states that the audit committee members should be prepared to address the CAM issues in greater detail than the information that is contained in the CAM disclosure. And, in fact, I would assume and expect that the audit committee members will have more knowledge about the issues discussed in the CAM disclosure.  

– Continuing education for audit committees – audit committee members must have time, commitment and experience to do the job well. Just possessing financial literacy may not be enough to understand the financial reporting requirements fully or to challenge senior management on major, complex decisions. Audit committees must stay abreast of these issues through adequate, tailored, and ongoing education.

Tate: Absolutely. Audit committees are expected to deal with some pretty challenging accounting, auditing, internal control, governance, investigation, risk management, and legal issues.

– Audit committee agendas – must be balanced toward understanding accounting, ICFR and reporting requirements. For example, as business, technology, accounting, and reporting requirements change, it is crucial that the audit committee understand management’s approach for designing and maintaining effective internal controls.

Tate: Consider, who has input in and decides what will be included on the audit committee agenda? You can discuss this in your annual, or more often, Audit Committee self-evaluation.

– Voluntary disclosure – OCA Staff encourages audit committees for listed public companies of all sizes to communicate how the listing requirements related to the “appointment, compensation, and oversight of the work of any registered public accounting firm. . .” are carried out, especially among smaller companies. There are positive disclosure trends among S&P 1500 companies when it comes to disclosing considerations in appointing the audit firm, fee negotiations and evaluations – but there are opportunities for more progress among mid- and small-cap companies.

Tate: Yes, this is important.

– Company processes to ensure auditor independence – emphasizing the role of companies to promote compliance by regularly monitoring corporate structural changes or other operational events that may result in new affiliates or business relationships and timely communicating these changes to the auditor, as well as evaluating the sufficiency of these monitoring processes & practices. Also note that the OCA Staff is assessing comments on the auditor independence “loan” rule – final rulemaking is expected in 2019.

Tate: Yes, this is important.

– Auditor communications – to enhance oversight, audit committees should consider requesting additional voluntary information from the auditor to understand their level of investment in quality control functions, the connection of technology to audit quality and how audit firm performance compares to others.

Tate: ” . . . audit committees should consider requesting additional voluntary information from the auditor . . . . ” I would say, don’t just “consider requesting” – yes, absolutely audit committee members should ask anything that they believe they need to know in order to satisfy their oversight functions and duties. Audit committee members have to significantly rely upon other qualified and trustworthy people to provided them with information that they need so that they can prudently go about performing their responsibilities. And also ask, for example, “Is there anything else that you know that you believe that I should know.”

– New GAAP standards – continue to focus on implementing & refining compliance with new standards on revenue recognition, leases & current expected credit losses.

Tate: For audit committee members, and what is expected of them, there are significant and numerous ongoing changes occurring with respect to GAAP (generally accepted accounting principles), GAAS (generally accepted auditing standards), internal audit, risk management and ERM, compliance, reporting, governance, investigations, legal issues, and other matters. The list is too long to summarize. For example, CAMs now focus on any matter arising from the audit of the financial statements that was communicated or required to be communicated to the audit committee: and that:

     1. Relates to accounts or disclosures that are material to the financial statements; and

     2. Involved especially challenging, subjective, or complex auditor judgment.

As another example, for your business and the industry in which it operates, consider estimates that are used in the recognition of revenue, or in situations of possible asset impairment.  It is also interesting and relevant that generally accepted accounting principles (GAAP) are now turning away from a more rules-based approach toward a more principles-based  approach which is the approach that existed when I first became a CPA. It is arguable that with a more principles-based approach, decisions, including, for example, how to account for something, are based more on judgment instead of definitive rules.  And in 2018 “culture” became a hot “new” topic although culture already was and has been or should have been an issue or criteria relevant to financial fraud prevention, material misstatements, and compliance with laws.

* * * * *

 

 

 

 

Do Your Directors & Audit Committee Members Tour the Workplace?

Comments for thought:

Best to you, David Tate, Esq., and California inactive CPA

Blogs:

Audit committees, D&O, business, governance, compliance, investigations, litigation, responsibilities and rights, liability, and risk management http://auditcommitteeupdate.com

Trust, estate, and elder and dependent audit abuse disputes and litigation, and contentious administrations http://californiaestatetrust.com

Please also connect with me on Linkedin and Twitter.

Guidance for Investigations – Workplace, Business, Board, Audit Committee and Special Committee

By David Tate, Esq., California (and California inactive CPA)

The following is some guidance for business-related investigations. We are seeing ongoing news about situations where investigations either should be considered or are required – including situations in which investigations were conducted, or have been starting or are in progress, or have not occurred, or did not occur, and also situations where alleged possible unlawful activity occurred or might have occurred but was not reported (although in some such situations knowledge of possible unlawful activity might have been known or perhaps should have been known). These issues don’t simply reflect on the accuser and the accused, but reflect on the business, nonprofit, or governmental entity at issue, and, variously depending on the situation, elected representatives, executive officers, boards of directors and the board committees including the audit committee, general counsel, compliance and ethics professionals, HR, employees, perhaps internal audit and even the external auditor, etc., and throughout the entire organization or entity.

In the workplace setting, for example, an employer has a duty to take reasonable steps to prevent harassment, discrimination, and unlawful employment practices, and to correct inappropriate workplace behavior. See, e.g., California Gov. Code §12940(k); and 29 CFR 1604.11(d). An employer can be liable for the failure to investigate, at least if there was underlying unlawful activity. And a failure to investigate can be considered ratification of unlawful activity. In appropriate circumstances on a claim of wrongful termination, the question can become whether the employer acted appropriately and in good faith after conducting a reasonable investigation and based on a reasonable belief in that investigation – in other words, the reasonableness of the employer’s investigation can become the standard by which the employer is judged for alleged wrongful termination liability purposes.

At the board level, for example, audit committees and special committees can be required to conduct and to oversee investigations in a host of situations such as alleged executive officer wrongdoing; accounting error or impropriety, fraud and foreign corrupt practice allegations; transactions affecting corporate control; affiliate arrangements; liability and derivative claims and litigation; alleged shareholder insider trading; or alleged self-dealing.

The following are some of the issues and steps to consider or follow when determining whether the investigation of a serious situation or allegation of misconduct was reasonable, and whether a reasonable belief in the outcome of the investigation and its process is warranted:

  • Take the complaint of wrongdoing seriously;
  • Maintain confidentiality of the situation to the extent reasonably possible;
  • Conduct a timely investigation promptly after receiving the complaint of wrongdoing or becoming aware of the possible situation;
  • Decide and appoint an appropriate sufficiently independent and qualified person or committee to oversee the investigation, and for decision-making;
  • Consider whether the investigator will be someone in-house or from outside the entity, and how the investigator will be retained, such as through legal counsel;
  • Have the investigation performed by an investigator who is competent and knowledgeable about the relevant subject matter and issues (including for example, as necessary, claims, defenses, applicable law, burdens of proof, presumptions, gathering evidence and the showing required, etc.), and also how to conduct (and evaluate) investigations, investigation techniques, evidence (including, e.g., credibility, admissibility, whether the evidence or possible evidence is “A” or “B” or “C, ” examination, confirmation or support, cross-examination, rebuttal or debunking, and impeachment), writing reports and opinions, and oral communication and witness testimony experience and abilities. Also note issues that might be present if the investigation is performed by an attorney for whom attorney client or work product privileges might be claimed. In short, work these issues out before the investigator is selected;
  • Consider qualified legal counsel and possible additional specialty assistance needed (such as CPA or forensic accountant experts hired through counsel or possibly through the investigator); consider the issue of independence depending on the capacity in which the person, firm or entity is providing services; and also carefully consider any possible appearance of inappropriate conflict or bias, including as viewed by courts, legal authorities, third party stakeholders, and other people in general.
  • Follow appropriate complaint investigation procedures;
  • Listen to and treat the difference sides fairly and equally;
  • Obtain, evaluate and understand the claims that are being made and possible defenses – including, e.g., claims based on a statute or section of law, a regulation, or a rule, and also claims based on some other standard such as any applicable policy, handbook, code of conduct, contract, collective bargaining agreement, etc. that had been enacted or adopted;
  • Provide the accuser with ample opportunity to offer evidence of his or her claims including what occurred or not, documents that might be relevant, and the names of and information about witnesses who he or she believes can provide relevant comments about the alleged occurrence(s);
  • Give the alleged wrongdoer fair notice of the claims being made;
  • Provide the alleged wrongdoer with ample opportunity to offer evidence in his or her defense, including what occurred or not, documents that might be relevant, and the names of and information about witnesses who he or she believes can provide relevant comments about the alleged occurrence(s);
  • When appropriate, provide and communicate an appropriate means whereby third parties can provide information that is relevant to the issues and the investigation;
  • Have the investigator conduct a thorough investigation, under the circumstances (note that in some circumstances courts have held that the investigation need not necessarily be perfect, but it should be sufficient, reasonable and thorough under the exigencies and circumstances at hand without the benefit of full discovery or a trial);
  • Have the investigator prepare a well-reasoned report and conclusions, supported by and based on objective evidence;
  • Have the investigator report to the decision-making person or committee;
  • Have the decision-maker or committee prudently and appropriately evaluate the claims, defenses and investigation; and
  • Implement progressive discipline if appropriate?

Of course, each situation is different, and for some of the above points the courts and regulatory agencies have provided additional guidance.

Best to you,

David Tate, Esq., California (and California inactive CPA) – blogs: audit committees, D&O, governance, compliance, investigations, responsibilities and rights, liability, and risk management http://auditcommitteeupdate.com – trust, estate, and elder and dependent audit abuse litigation http://californiaestatetrust.com – please also connect with me on Linkedin and Twitter.

Disclaimer. This post is not a solicitation for legal or other services inside or outside of California, and also does not provide legal or other professional advice to you or to anyone else, or about a specific situation – remember that laws are always changing – and also remember and be aware that you need to consult with an appropriate lawyer or other professional about your situation. This post also is not intended to and does not apply to any particular situation or person, nor does it provide and is not intended to provide any opinion or any other comments that in any manner state, suggest or imply that anyone or any entity has done anything unlawful, wrong or wrongful – instead, each situation must be fully evaluated with all of the evidence, whereas this post only includes summary comments about information that may or may not be accurate and that most likely will change over time.