Discussions About The New COSO ERM Framework And Related Topics

By: David Tate, Esq., Royse Law Firm, Northern and Southern California (Silicon Valley/Menlo Park Office) http://rroyselaw.com/

I have pasted below four links in which the authors discuss enterprise risk management (ERM) and risk management, the new COSO ERM framework, and some aspects of internal audit.

I appreciate what the authors are discussing; however, my preference would have been to have more defined tasks or requirements in the new COSO ERM framework (I use the word “requirements” broadly because generally there is no mandated risk management framework that must be followed, although for some industries and businesses there are some risk management requirements that are mandated by law and which must be followed).

It is clear that whatever risk management framework or process a business uses will remain largely discretionary based on the business judgment of management and the board, and that in fact might be better for possible liability purposes; however, it is my belief that people and businesses usually will implement policies or processes or procedures (other than, for example, for how to design, develop and manufacturer a product or service that they provide) if they are required to follow or adopt certain specific requirements by law, statute, regulation, or rule, or perhaps as required by the expectations of the community or stakeholders. That having been said, we are where we are on this. And it is now also generally accepted (and in some instances mandated) that a business will adopt and implement risk management, the board will oversee risk management, sometimes audit committees and/or risk committees are required to be involved in or oversee risk management, and in some businesses the board will delegate risk management oversight to a committee of the board, to the extent that risk oversight can be delegated (I would maintain that the board still must oversee risk management with the help of the committee and that the board cannot delegate its overall responsibility to oversee risk management).

In my view, the components and principles outlined in the new COSO ERM framework are essentially only broad in nature, which allows for each business to decide how to design and implement, etc., enterprise risk management based on the business judgment of management and the board of that particular business, in light of the business’ mission, core values, business objectives, strategies, and views and evaluations of related risks.

Let me also say this, I do appreciate that the first of the five core components in the new COSO ERM framework is Governance and Culture, and that the fifth of the five components is Information, Communication, and Reporting which also includes principle 19 (Communicates Risk Information) and principle 20 (Reports on Risk, Culture, and Performance). I believe that including governance, culture, communication and reporting (if they are adopted – remember, no specific framework is mandated) will help to move ERM and risk management to a more visible position. And, it is my belief, based on recent business, nonprofit, and governmental entity shortcomings and failures, that governance, culture, communication and reporting need to be moved more front and center. In fact, COSO listed governance and culture as the first of the five core components because governance and culture can be central to the entirety of the entity’s ERM.

The following are the links to the four enterprise risk management, etc., discussions that I mentioned at the beginning of this post, and below those links I have copied and pasted from my September 7, 2017, post in which I discussed the new COSO ERM framework and which you can also read at http://wp.me/p75iWX-aQ 

The following are the links to the four additional discussions:

https://wordpress.com/read/feeds/254243/posts/1619082863

https://iaonline.theiia.org/2017/Pages/COSO-ERM-Getting-Risk-Management-Right.aspx

https://normanmarks.wordpress.com/2017/09/29/should-you-adopt-the-updated-coso-erm-framework-my-assessment/

https://www.protiviti.com/US-en/insights/bulletin-vol6-issue8?utm_medium=social&utm_source=ProSocial

COSO ERM Framework – Enterprise Risk Management – Integrating with Strategy and Performance (five components, and twenty principles)

I.  Governance and Culture Component:

Supporting Principles:

  1. Exercises Board Risk Oversight
  2. Establishes Operating Structures
  3. Defines Desired Culture
  4. Demonstrates Commitment to Core Values
  5. Attracts, Develops, and Retains Capable Individuals

II.  Strategy and Objective-Setting Component:

  1. Analyzes Business Context
  2. Defines Risk Appetite
  3. Evaluates Alternative Strategies
  4. Formulates Business Objectives

III.  Performance Component:

  1. Identifies Risk
  2. Assesses Severity of Risk
  3. Prioritizes Risks
  4. Implements Risk Responses
  5. Develops Portfolio View

IV.  Review and Revision Component:

  1. Assesses Substantial Change
  2. Reviews Risk and Performance
  3. Pursues Improvement in Enterprise Risk Management

V.  Information, Communication, and Reporting Component:

  1. Leverages Information and Technology
  2. Communicates Risk Information
  3. Reports on Risk, Culture, and Performance

Enterprise Risk Management (ERM) and internal controls work together and should complement each other. The following is the broad outline of the COSO 2013 Internal Control Framework.

Sarbanes-Oxley section 404 requires public company management and its external auditors to attest to the design and operating effectiveness of a company’s internal control over external financial reporting. Internal controls should also be designed and implemented for private company, nonprofit and governmental entities.

COSO 2013 Internal Control Framework – 5 Components, and 17 Principles

1.  Control Environment Component:

Mandatory Principles

  1. Demonstrate commitment to integrity and ethical values.
  2. Board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes, with board oversight, structures and reporting lines and appropriate authorities and responsibilities in the pursuit of objectives.
  4. Demonstrate commitment to attract, develop and retain competent individuals in alignment with objectives.
  5. Hold individuals accountable for their internal control responsibilities in the pursuit of objectives.

2.  Risk Assessment Component:

Mandatory Principles

  1. Specify objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
  2. Identify risks to the achievement of its objectives across the entity and analyze risks as a basis for determining how the risks should be managed.
  3. Consider the potential for fraud in assessing risks to the achievement of objectives.
  4. Identify and assess changes that could significantly impact the system of internal control.

3.  Control Activities Component:

Mandatory Principles

  1. Select and develop control activities that contribute to the mitigation of risks to the achievement of objectives and acceptable levels.
  2. Select and develop general control activities over technology to support the achievement of objectives.
  3. Deploy control activities through policies that establish what is expected and procedures that put policies into action.

4.  Information & Communication Component:

Mandatory Principles

  1. Obtain or generate and use relevant, quality information to support the functioning of internal control.
  2. Internally communicate information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
  3. Communicate with external parties regarding matters affecting the functioning of internal control.

5.  Monitoring Activities Component:

Mandatory Principles

  1. Select, develop and perform ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  2. Evaluate and communicate internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

The Business Judgment Rule

The business judgment rule also is relevant on these topics (from Tate’s Excellent Audit Committee Guide). The business judgment rule provides a director with a defense to personal liability, holding that as a general principle of law, a director, including a director who serves as a member of a board committee, who satisfies the business judgment rule has satisfied his or her duties. Thus, the business judgment rule provides one standard of care, although other standards may very well also apply to specific tasks and responsibilities. The business judgment rule provides a very good overall approach for directors and audit committee members to follow, although the rule itself is lacking in specific detail. In some states the business judgment rule is codified by statute while in other states the rule is established by case law (see, i.e., Cal. Corp. Code §309 for California corporations, Del. Gen. Corp. Law §141 for Delaware corporations, in addition to relevant case law). The rule also applies to directors as board committee members.

The Business Judgment Rule

In summary, as a general principle the business judgment rule provides that a director should undertake his or her duties:

-In good faith, with honesty and without self-dealing, conflict or improper personal benefit;

-In a manner that the director reasonably believes to be in the best interests of the corporation and its shareholders; and

-With the care, including reasonable inquiry, that an ordinarily prudent person in a like position with like expertise would use under similar circumstances. The rule itself doesn’t require a particular level of expertise, knowledge or understanding; however, as you might be aware, public company audit committee members do have such a requirement, and you can at least argue that, depending on the facts and circumstances, a board or committee member should have or should obtain a certain unspecified level of knowledge or understanding to be sufficiently prepared to ask questions, evaluate information provided, and make decisions.

Reliance Upon Other People Under the Business Judgment Rule

In the course and scope of performing his or her duties, a director must necessarily obtain information from and rely upon other people. An independent director is not involved in the day-to-day operations of the business. The director provides an oversight function. Pursuant to the business judgment rule, a director is entitled to rely on information, opinions, reports or statements, including financial statements and other financial data, prepared or presented by any of the following:

-Officers or employees of the corporation whom the director reasonably believes to be reliable and competent in the relevant matters;

-Legal counsel, independent accountants or other persons as to matters that the director reasonably believes are within the person’s professional or expert competence; or

-A committee of the board on which the director does not serve, as to matters within that committee’s designated authority, so long as the director acts in good faith, after reasonable inquiry as warranted by the circumstances, and without knowledge that would cause reliance to be unwarranted.

David Tate, Esq., Royse Law Firm, California (Silicon Valley/Menlo Park office), with additional offices in San Francisco, Los Angeles and Orange County, http://rroyselaw.com/

* * * * *

Advertisements

Criminal negligence by corporate officers – a good read from Woodruff Sawyer

Passing this along (click the link below) – a good discussion by Woodruff Sawyer about corporate officer liability for criminal negligence (and in a subsequent post I’ll attach an article that I have written which in part discusses this issue). Although corporate officers and board members are not usually prosecuted for criminal wrongdoing, this is an area in which officers and directors can have liability exposure, particularly, for example, in some situations such as environmental contamination, personal consumer or community safety and injury, and with respect to select statutes. Prudent risk and safety management can go a long way to protect officers and directors from liability. Click on the link below to read the Woodruff Sawyer article.

David Tate, Esq. (and CPA, California inactive), litigation, Royse Law Firm, Menlo Park, California office, with offices in northern and southern California).

Here is the Woodruff Sawyer article link:  https://wsandco.com/do-notebook/criminal-negligence-corporate-officer-doctrine/

NEW NINTH CIRCUIT CASE – PLAINTIFF CANNOT BRING A SECURITIES CASE FOR BREACH OF THE CORPORATE CODE OF ETHICS . . . WELL, NOT SO FAST . . . .

On January 19, 2017, the Ninth Circuit dismissed a securities fraud case holding that the claim could not legally be brought where shareholders of Hewlett-Packard Company (“HP”) alleged that the Company CEO and Chairman violated Hewlett-Packard’s Corporate Code of Ethics after publicly touting the Company’s high standards for ethics and compliance while at the same time himself violating the provisions in the Code of Ethics. The case is Retail Wholesale & Department Store Union Local 338 Retirement Fund v. Hewlett-Packard Co. and Mark A. Hurd, Ninth Circuit Case No. 14-16433 and District Court Case No. 3:12-cv-04115-JST (Northern District of California) and you can view the case at http://cdn.ca9.uscourts.gov/datastore/opinions/2017/01/19/14-16433.pdf.

Plaintiffs’ claim was brought under §10 and Rule 10–b of the Securities Exchange Act of 1934. The Court’s decision is helpful from a defense viewpoint, but the decision shouldn’t be viewed too broadly. In summary, the Court held as follows (note: the below quotes from the case are not necessarily in the exact order in which they appeared in the Court’s decision):

“Retail Wholesale argues that the SBC [HP’s Standards of Business Conduct], bolstered by Defendants’ express promotion of corporate ethics, gives rise to a finding of material misrepresentation. Its claim is based in three factual allegations: (1) HP and Hurd actively promoted the SBC and stated that HP had zero tolerance for SBC violations; (2) Hurd’s SBC violations led to his resignation; and (3) Hurd’s resignation caused HP’s stock price to drop. The Court cannot agree that, under the facts alleged in the complaint, Defendants’ representations about ethics were materially misleading.”

“Defendants made no objectively verifiable statements during the Class Period. As one court has aptly written, a code of conduct is “inherently aspirational.” Andropolis, 505 F. Supp. 2d at 686. Such a code expresses opinions as to what actions are preferable, as opposed to implying that all staff, directors, and officers always adhere to its aspirations. See id.”

“Similarly, Hurd’s comments prefacing the SBC are not objectively verifiable. In the 2008 preface to the SBC, Hurd stated, in part,

We want to be a company known for its ethical leadership . . . .

We know actions speak louder than words. We must make decisions and behave in ways that we can be proud of, that reflect our commitment to doing the right thing . . . .

. . . . Let us commit together, as individuals and as a company, to build trust in everything we do by living our values and conducting business consistent with the high ethical standards within our SBC.”

“The aspirational nature of these statements is evident. They emphasize a desire to commit to certain “shared values” outlined in the SBC and provide a “vague statement[] of optimism,” not capable of objective verification. See Or. Pub. Emps., 774 F.3d at 606. A contrary interpretation—that statements such as, for example, the SBC’s “we make ethical decisions,” or Hurd’s prefatory statements, can be measured for compliance—is simply untenable, as it could turn all corporate wrongdoing into securities fraud.”

However, and equally important, the Court also stated:

“We note that the case may have been closer had Hurd’s sexual harassment and false expenses scandal involved facts remotely similar to those presented by the 2006 scandal [i.e., an earlier unrelated ethics problem at HP in which “A few years earlier, in 2006, a major scandal erupted when a whistleblower informed several government agencies that HP had hired detectives to monitor the phone records and email accounts of HP directors, HP employees, and journalists to find the sources of leaks of company information to the press”], as the ethical code could then have been understood as at least promising specifically not to do what had been done in 2006. Here, however, the context does not make HP’s promotion of business ethics any less subjective or vague. Further, Retail Wholesale cites to no case law suggesting that context may operate to allow a plaintiff to import an out-of-Class-Period statement into the Class Period. The strongest statement alleged in the complaint—the suggestion of a zero tolerance policy for SBC violations—was made outside of the Class Period.”

“In sum, we conclude that as there was no statement during the Class Period that was capable of being objectively false, there was no affirmative misrepresentation.”

It could be easy to read the case too broadly, and to conclude that a securities fraud claim cannot be brought for violation of the company’s code of ethics. Whether such a claim can be brought really depends on the facts and circumstances of the case. Further, and depending on the facts of each case, it might be possible that such a claim could be brought under a different legal theory such as, for example, the Foreign Corrupt Practices Act.

Thus, companies, and their officers, managing agents and directors still must be advised to know the company’s Code of Ethics, to follow the Code, and to be careful about making specific representations about following, satisfying or complying with the Code.

* * * * *

When should you take your internal accounting error/mistake or irregularity/fraud investigation outside?

Most every audit committee member, in-house counsel, other board member, CEO, CFO, risk officer, and chief internal auditor will at some time consider whether an accounting related investigation that is being done internally should be taken outside. The decision to stay inside or to go outside isn’t necessarily clear, and there certainly could be differing opinions depending on the facts and circumstances of the situation. The following isn’t a formal or legal discussion, but below are at least some of the factors that I would consider and that you might consider. Every situation is different at least to some extent.

  1. Is there really the expertise in-house to do the investigation? This is an important consideration that I will have more to say about in other posts – however, consider whether it is important for the primary investigator to not only have a legal background in the subject matter, but also accounting or auditing backgrounds. Whereas an accounting or auditing firm might also be retained to assist with the investigation, you might well also find that it would be helpful for the primary investigator to be able to understand the accounting, internal control and auditing or auditor issues, and that the primary investigator might need those backgrounds to better lead the investigation and make decisions or evaluations.
  2. Is there really the time availability to handle the investigation in-house?
  3. Is the dollar amount involved sufficiently large to warrant going outside for the investigation?
  4. Are the qualitative natures of the issues sufficiently important to warrant going outside, such as because of possible public relations, ethics, fraud, or other considerations?
  5. Does it warrant going outside because of the possible people who might be interviewed, questioned or involved including their office or stature in the organization, and their relationships with the people who are investigating, the board, the audit committee, the executive officers and other people?
  6. For whatever reasons, is it warranted or required that the investigation be independent, or more independent in nature.
  7. If the initial investigation began in-house (which is entirely possible), has it for whatever reason now become more prudent to go outside?

That’s it for now. Just some thoughts. I’m sure that you can come up with additional thoughts – the above discussion isn’t all encompassing.

Dave Tate, Esq. (San Francisco and California)

DTatePicture_Square

Audit Committee 5 Lines of Defense 07182016

tates-excellent-audit-committee-guide-10202016-final-with-appendix-a

sec-whistleblower-awards

Important – SEC v. United – Administrative Proceeding Relating to United’s Internal Accounting Controls to Prevent Violation of United’s Policies

On December 2, 2016, the SEC issued an Accounting and Auditing Enforcement, Administrative Proceeding Order against United Continental Holdings, Inc. Here is a link to the Order, CLICK HERE

Why is this Order important – because the SEC found that “United failed to design and maintain a system of internal accounting controls that was sufficient to prevent its officers from approving the use of United’s assets in connection with the South Carolina Route in violation of United’s Policies, which prohibited the use of assets for corrupt purposes.” This isn’t a Foreign Corrupt Practices Act case – the alleged corruption or impropriety occurred in the United States. The SEC alleged that United “instituted the South Carolina Route following pressure from David Samson (“Samson”), then the Chairman of he Board of Commissioners of the Port Authority of New York and New Jersey (“Port Authority”). The route provided Samson – who exercised authority and influence as a Port Authority official in matters affecting United’s business interests – with a more direct route to his house in South Carolina.”

The scenario in this case could occur at any time that a public company (1) allegedly acts improperly, and (2) it is alleged that the act was allowed or able to occur because of insufficient internal controls (resulting in a violation of the books and records and internal accounting controls provisions of the Securities Exchange Act, which is automatically alleged in a great number of cases because it is easy in most situations to allege that something unexpected occurred because of inadequate internal controls), and (3) the alleged improper act also allegedly violates some policy or procedure of the public company (i.e., in this case to not use corporate assets for an allegedly corrupt or improper purpose).

What can a company (and the audit committee) do about these possible situations? Review the company’s policies and procedures, and adopt and enact sufficient internal controls, monitored and updated regularly, to ensure that the policies and procedures are followed. But, of course, it is difficult and probably impossible to ensure 100% compliance. I have previously written that the books and records and internal accounting controls provision in the Securities Exchange Act should be amended to include a standard of conduct provision (such as negligence) because it is unreasonable to expect that internal controls, no matter how good, will stop all alleged wrongful conduct.

Below is a screenshot of some of the SEC v. United Order, providing a summary of some of the facts, and I have also included below a link to Tate’s Excellent Audit Committee Guide. Dave Tate, Esq., San Francisco and California

sec-v-united-continental-holdings

The following is a link to Tate’s Excellent Audit Committee Guide (updated October 20, 2016), Click Here

The following is a link to my trust, estate, conservatorship and elder abuse litigation blog, http://californiaestatetrust.com

Audit Committee 5 Lines of Defense 07182016

 

Why do so many practitioners misunderstand risk? Forwarding post by Norman Marks

The following is a link to a new post by Norman Marks, https://normanmarks.wordpress.com/2016/11/26/why-do-so-many-practitioners-misunderstand-risk/ , Why do so many practitioners misunderstand risk? See also the link to “A Revolution in Risk Management” which is provided in Norman’s post. This is a good, i.e., worthwhile, post and discussion – the point being, I believe, is to not be too singularly focused in your evaluation of risks and risk management. I also like Norman’s use of the tree to visually demonstrate the discussion.

Best to you, Dave Tate, Esq., San Francisco and California. Link for Tate’s Excellent Audit Committee Guide http://wp.me/p75iWX-6z

Lennox International discloses alleged $425 (no zeroes) Russia bribe – from the FCPA Blog

I just thought this was interesting because of the small dollar amount, it is a short read from the FCPA Blog, about Lennox International self-reporting a $425 bribe. Of course, depending on the status of the audit committee’s investigation, it is possible that they could find more. And, as we know, dollar amount is not the only criteria for determining materiality – qualitative criteria can also be important.

Click on the following link for the discussion, Click Here.