Comments re post by Norman Marks – internal audit and ERM accused of failing to hit the mark – discussion about management, boards and audit committees – David Tate, Esq., Royse Law Firm

I have provided below a link to a post by Norman Marks, in which Norman discusses and in part compares or contrasts internal audit and ERM. Norman’s post is a good, worthwhile read.

There are many good writers on these topics – you will also note that there are disagreements between knowledgeable professionals. Just for example, as Norman notes, ERM or enterprise risk management is a management function (I would say a management, board and audit committee function) whereas internal audit is independent; however, there has been for sometime considerable discussion about the role of internal audit and whether it can be or should be or has been expanded in ways that could make it less independent or less of an audit function and more of an advisory function in some circumstances – internal audit endeavors to make itself more valuable and needed as a function and department.

I don’t get into the discussions about whether internal audit should or should not be less independent or more advisory – instead, if internal audit is not being sufficiently utilized I primarily attribute that to one or both of two reasons which can be interrelated: (1) either internal audit needs to do a better job selling to management, the board and the audit committee how internal audit can help, or (2) particularly the board and the audit committee need to be more educated or convinced about how internal audit can help them to satisfy their oversight duties and responsibilities (I can help you with reason (2)).

If you are interested in risk management and enterprise risk management you are aware that COSO is still updating its ERM framework. If you aren’t interested in risk management or ERM but you are a board and/or audit committee member you definitely should be interested as it or parts of it are part of your oversight duties and responsibilities.

COSO has said that its updated ERM function should be out mid-2017, in other words, soon. This is a big deal. Whereas risk management professionals will extensively evaluate and comment about the new framework from an ERM perspective, and although I am also a CPA, I will primarily evaluate the framework from a legal perspective and what the new framework will or may require of management, the board and the audit committee in satisfaction of their duties and responsibilities. Add to this the COSO 2013 updated internal control framework, and the changes that are being made to audit procedures and the audit report, in addition to increasing disclosures about events, practices and procedures not just numbers, and you have a significantly changing environment in terms of management, board and audit committee duties and responsibilities.

That’s all for now. Below is the link to Norman Marks’ new blog post – read his post – it covers more about internal audit and ERM than the title indicates. David Tate, Esq., Royse Law Firm (see below for firm practice areas), Menlo Park, California office, with offices in northern and southern California. The following is a link to my other blog, about trust, estate, and elder, etc., disputes, litigation and difficult or contentious administrations: http://californiaestatetrust.com.

Here is the link to Norman’s post:  https://normanmarks.wordpress.com/2017/07/15/internal-audit-and-erm-accused-of-failing-to-hit-the-mark/

David Tate, Esq. (and CPA, California inactive). Royse Law Firm, Menlo Park Office, California (with offices in both northern and southern California).

Royse Law Firm – Practice Area Overview – San Francisco Bay Area and Los Angeles Basin, http://rroyselaw.com/

  • Corporate and Securities, Financing and Formation
  • Corporate Governance, D&O, Boards and Committees, Audit Committees, Etc.
  • Intellectual Property – Patents, Trademarks, Copyrights, Trade Secrets
  • International
  • Immigration
  • Mergers & Acquisitions
  • Labor and Employment
  • Disputes and Litigation (I broke out these areas because they are my primary areas of practice)
  •             Business
  •             Intellectual Property – Patents, Trademarks, Copyrights, Trade Secrets
  •             Trade Secrets, NDA, Financial & Accounting Issues, Fraud, Lost Income, Royalties, Etc.
  •             Privacy, Internet, Hacking, Speech, Etc.
  •             Labor and Employment
  •             Mergers & Acquisitions
  •             Real Estate
  •             Owner, Founder, Investor, Board & Committee, Shareholder, D&O, Lender/Debtor, Etc.
  •             Insurance Coverage and Bad Faith
  •             Investigations
  •             Trust, Estate, Conservatorship, Elder Abuse, Etc., and Contentious Administrations
  •             Dispute Resolution and Mediation
  • Real Estate
  • Tax (US and International) and Tax Litigation
  • Technology Companies and Transactions Including AgTech, HealthTech, etc.
  • Wealth and Estate Planning, Trust and Estate Administration, and Disputes and Litigation

New COSO Updated ERM Framework – Coming Soon – End of June, Perhaps – Could Be Very Important

Just a heads up, a source has suggested that the new long-anticipated COSO (Committee of Sponsoring Organizations of the Treadway Commission) ERM update might finally be out at the end of June. COSO is spending a very long time (since October 2014) preparing and vetting this “update” of the 2004 Enterprise Risk Management — Integrated Framework. COSO’s sponsoring organizations are the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]), and the Commission includes representatives from industry, public accounting, investment firms, and SROs (exchanges).

We’ll have to wait and see what we get with this “update,” which will either simply be a relatively unimpressive or vague tweak, or a useful, modernized, sufficiently detailed guide which might become the standard to achieve, or somewhere in between. I’m hopeful for the useful version – ERM needs a big boost – this “update” is important. I find that there really are only three ways to provide this type of boost: sponsorship and push by large or influential organizations and people, mandatory (i.e., by law, regulation or rule) adoption, or, sometimes, push and expectancy by the public.

Here is the link to the COSO website https://www.coso.org/Pages/default.aspx

Best to you, David Tate, Esq., Litigation, D&O, audit committees, etc., Royse Law Firm http://rroyselaw.com/

Important – SEC v. United – Administrative Proceeding Relating to United’s Internal Accounting Controls to Prevent Violation of United’s Policies

On December 2, 2016, the SEC issued an Accounting and Auditing Enforcement, Administrative Proceeding Order against United Continental Holdings, Inc. Here is a link to the Order, CLICK HERE

Why is this Order important – because the SEC found that “United failed to design and maintain a system of internal accounting controls that was sufficient to prevent its officers from approving the use of United’s assets in connection with the South Carolina Route in violation of United’s Policies, which prohibited the use of assets for corrupt purposes.” This isn’t a Foreign Corrupt Practices Act case – the alleged corruption or impropriety occurred in the United States. The SEC alleged that United “instituted the South Carolina Route following pressure from David Samson (“Samson”), then the Chairman of he Board of Commissioners of the Port Authority of New York and New Jersey (“Port Authority”). The route provided Samson – who exercised authority and influence as a Port Authority official in matters affecting United’s business interests – with a more direct route to his house in South Carolina.”

The scenario in this case could occur at any time that a public company (1) allegedly acts improperly, and (2) it is alleged that the act was allowed or able to occur because of insufficient internal controls (resulting in a violation of the books and records and internal accounting controls provisions of the Securities Exchange Act, which is automatically alleged in a great number of cases because it is easy in most situations to allege that something unexpected occurred because of inadequate internal controls), and (3) the alleged improper act also allegedly violates some policy or procedure of the public company (i.e., in this case to not use corporate assets for an allegedly corrupt or improper purpose).

What can a company (and the audit committee) do about these possible situations? Review the company’s policies and procedures, and adopt and enact sufficient internal controls, monitored and updated regularly, to ensure that the policies and procedures are followed. But, of course, it is difficult and probably impossible to ensure 100% compliance. I have previously written that the books and records and internal accounting controls provision in the Securities Exchange Act should be amended to include a standard of conduct provision (such as negligence) because it is unreasonable to expect that internal controls, no matter how good, will stop all alleged wrongful conduct.

Below is a screenshot of some of the SEC v. United Order, providing a summary of some of the facts, and I have also included below a link to Tate’s Excellent Audit Committee Guide. Dave Tate, Esq., San Francisco and California

sec-v-united-continental-holdings

The following is a link to Tate’s Excellent Audit Committee Guide (updated October 20, 2016), Click Here

The following is a link to my trust, estate, conservatorship and elder abuse litigation blog, http://californiaestatetrust.com

Audit Committee 5 Lines of Defense 07182016

 

Gretchen Carlson – Harassment & Discrimination – Culture – A Task For The Board – And Internal Audit?

I have provided below a link to a short article about Gretchen Carlson, an interview that she is giving, possible legislative efforts, and sexual harassment and discrimination. We all know, or should know, that this is an important topic. Not only sexual harassment and discrimination, but harassment, discrimination, retaliation, bullying, and hostile environments, and not only male harassment and discrimination of females, but also female v. male, male v. male, female v. female, and including race, color, ancestry and national origin, religion and creed, age and elder, mental and physical disability, sex and gender, sexual orientation, gender identity, and more.

This is or should become an area of oversight for your board, and it also relates to the culture of the organization, and tone at the top, at the middle, and at the lower employee levels, including an environment that encourages people to report harassment and discrimination without fear of retribution, anonymously if the desired, with the knowledge that the reported conduct will be timely, fairly and fully investigated, and that appropriate action will be taken.

This really isn’t new stuff from legal and governance perspectives. Are your board, and the board’s committees, on top of this issue and the culture of the organization?

These can and often are difficult issues and situations.  Of course anyone accused is entitled to a defense, and to rebut the allegations. At law, in most situations, innocence is presumed. In recent past years there have also been stories involving allegations of harassment and discrimination reported in the news that turned out to be false or at least not sufficiently supported.

An investigation into situations involving these allegations often should be performed by outside legal counsel with a reputation for integrity and knowledge and experience in these practice areas.

But let me also suggest that the culture of the organization (but not an actual investigation of a specific situation) also could be an area for attention by internal audit, if the board or management puts it on internal audit’s agenda, and if internal audit is provided education and training about the critical elements, and investigation techniques, and help preparing an audit and reporting program. After all, internal audit also is looking to become more relevant in helping the organization to achieve its organizational objectives, goals and strategies.

The following is a link to one of the articles about Gretchen Carlson and what she is trying to do and accomplish: http://people.com/tv/gretchen-carlson-alleged-sexual-harassment-in-2020-interview/

 

New ISO Anti-Bribery Standard – Will It Give Companies An Absolute Defense?

ISO has published its new international anti-bribery standard, ISO 37001. You can find select information about the new standard HERE and at http://http://www.iso.org/iso/home/standards/management-standards/iso37001.htm .

The short PowerPoint presentation in part says:

The Standard benefits an organization by providing:

  • Minimum requirements and supporting guidance for implementing or benchmarking an anti-bribery management system
  • Assurance to management, investors, employees, customers, and other stakeholders that an organization is taking reasonable steps to prevent bribery
  • Evidence in the event of an investigation that an organization has taken reasonable steps to prevent bribery.

SO HERE’S AN INTERESTING QUESTION: will compliance with the standard give the company a free pass on bribery liability with the SEC and other state and federal entities and agencies if in fact a bribery occurs? I bet not. However, consider that generally liability does not result unless the person or entity charged has breached or failed to satisfy the applicable standard or duty of care (except in select situations, e.g., such as strict liability or products liability, etc.), and that breach or failure causes damages. Thus, if the applicable standard becomes ISO 37001, and if that standard is met or satisfied, it certainly is arguable that no fault or liability should result if a bribery occurs.

Best to you, Dave Tate, Esq., San Francisco and California. See also Tate’s Excellent Audit Committee Guide (updated October 2016), tates-excellent-audit-committee-guide-10202016-final-with-appendix-a

The Business Judgment Rule – a short animation (for fun, but also correct):

Audit Committee 5 Lines of Defense 07182016

DTatePicture_Square

Updated Tate’s Excellent Audit Committee Guide – Attached – Use It – Pass It Along – Free

Below is a link to my updated Tate’s Excellent Audit Committee Guide (updated October 20, 2016). Please use it, and pass it to other people who would be interested, such as audit committee members, directors, officers, accountants, internal and external auditors, in-house counsel, compliance professionals, and other people.

I do note that as I was updating these materials, and going through the entire Guide, it definitely hit me that all of the specifically enacted statutes, regulations, rules and pronouncements definitely could cause an audit committee member to not be able to see the forest for the tress. So let’s also not forget to look at the situation as a whole.

Although the Guide is 186 pages, I do expect some significant updates soon, and perhaps prior to the end of 2016. Many of the updates will be posted to this blog first, and then to the Guide. I am looking forward to the COSO enterprise risk management (ERM) updated framework.

Best to you. Dave Tate, Esq., San Francisco and California.

Here is a link to the updated Tate’s Excellent Audit Committee Guide (updated October 20, 2016), tates-excellent-audit-committee-guide-10202016-final-with-appendix-a

Audit Committee 5 Lines of Defense 07182016

The business judgment rule – an animated video:

 

DTatePicture_Square

Trade Secrets And How To Protect Them – Royse Law Firm Webinar – Very Important For Every Business

Below is a link to a detailed and very useful webinar from my friends at the Royse Law Firm discussing trade secrets and how to protect them – this is a very important topic for every business and entity. Click on the following link for the discussion: