By Francis Hounnongandji
January 31 2008
The lax internal controls revealed at Societe Generale are not specific
to that bank, or even to the financial services industry, but are
endemic throughout the corporate world. The best cure is better
education and a stronger culture of internal controls among board
members, senior management and the financial analysts who assess the
value of companies.
Scandals at companies such as Enron, Barings, WorldCom and Parmalat have
highlighted the huge losses that can occur through frauds or the
breakdown of internal controls. At SocGen, the activities of a rogue
trader triggered a sequence of events that cost the bank 4.9bn ($7.2bn)
and this does not account for soft costs including the diversion of
senior managements focus from the day-to-day business, the negative
impact on the franchise and the blow to employee morale.
In view of such huge losses, it is unbelievable how little interest
there is in the subject of internal controls among financial analysts,
shareholders and bondholders, unions and employee organisations, board
members and senior management. Too many leaders underestimate the risks
of fraud to their organisations and to the economy.
It is common for internal audit and control teams in many organisations
to be composed of junior people who are less familiar with complex
transactions than those they are in charge of scrutinising. Despite
anti-fraud laws and regulations such as Sarbanes-Oxley in the US, fraud
risks have actually increased. The absence in Sarbanes-Oxley, the Loi de
la Scurit Financire in France and their equivalent in other countries of
specific guidelines and standards for anti-fraud controls and the lack
of guidance for measuring their effectiveness render the exercise fuzzy.
Companies have a cosmetic interest in complying with these regulations,
as nobody wants to be seen to have failed to obtain the required
certification. However, while the costs of the internal controls and
anti-fraud systems are visible to most organisations management, the
benefits are less obvious. Incoherent and sub-optimal internal control
systems implemented by many companies have left loopholes that
fraudsters can exploit.
The imposition of so many laws and regulations has created its own
problem, as this has led to a string of audit visits and inspections and
a mountain of paperwork that has come to be seen as an administrative
burden. Little has been done to explain to businesses why effective
internal controls and anti-fraud programmes add value to organisations
by improving productivity and providing a competitive edge. In the
meantime, technologies and information systems are more complex, as are
the companies transactions. At the same time, loyalty between employees
and employers is in decline, increasing the chances of fraud.
In the heat of the debate, there are demands for more and tougher
regulations on the financial services industry. With the shock provoked
by the losses at SocGen, it would be easy, at least in France, to push
hasty laws and regulations on to an industry on the defensive. But the
cure is not extra laws and regulations, but more sensible ones with
specific guidance and measurement standards, better understood and
consistently applied by organisations.
How to make existing laws and regulations more practical should be the
primary focus. In due course, mandatory awareness of internal controls
should be required for board members, senior management and financial
analysts. A minimum level of knowledge of internal controls should be
required for all audit committee members. Whenever possible,
knowledgeable internal control and anti-fraud experts should be hired by
companies to implement risk-assessment and fraud prevention measures.
Anti-fraud processes and tools implemented to prevent management
overriding internal control systems should be disclosed in the annual
report, as a clarification to the requirements of Sarbanes-Oxley laws,
the Loi de Scurit Financire in France and their equivalents.
We must avoid an overreaction. What organisations require are smarter
controls, integrated into the culture and the business model of the
organisations and commensurate with their risk profiles. We need to be
consistently proactive. This, not more regulation, is the way to plug
the holes in the corporate armour.
The writer is president of the French chapter of the Association of
Certified Fraud Examiners. He is also chief executive of Allied Business
Controls, the corporate governance and financial advisory firm
Copyright The Financial Times Limited 2008
Subscribe to InfoSec News