Tuesday, January 20, 2004

Clarifications? 2

Back in 1943, when electric power was so important to the war effort, all the utilities were run by engineers. Serious money was pouring in to these monopolies and the engineer chiefs didn’t trust their finance men to resist temptation. So the utility heads formed an elite cadre of auditors to act as management’s agent to check that the internal control system was doing its job. This began the discipline known as internal auditing (IIA). Internal auditors were engaged by senior management and given unrestricted access to records, personnel and physical properties. The IIA men reported only to the executives that hired them. IIA men became an insurance policy for management that management goals, whatever they were, were driving corporate operations.

Over the decades, IIA developed a logical, coherent code of practice (the Red Book) proven to terrorize corpoman on behalf of management’s authority. The IIA standard of care makes the auditor of internal control management’s full-scope surrogate in all corporate governance affairs – defined as operations, compliance and internal controls. Management controlled goals, which controlled risk definitions, which regulated internal controls design and he could legally do so on whim. The IIA man, pontificating publicly about his independence, integrity and moral perfection, was the loyal and dependable front man for management. Unlike the CPA, with a duty to the public, the IIA man let management representations define his duty - engagement by engagement. The stakeholders never, to this day, caught on. The IIA man pleased the CEO that hired him because the CEO goals defined the purpose of the engagement itself. Think Pope and the Swiss guards at the Vatican.

The internal auditor is a participant in corporate governance as the fa├žade of watchdog for stakeholder interest, armed with objective practice, and blessed with ethical excellence. His job is to assess the effectiveness of internal controls as represented by management. The audit committee is permitted to, in part, rely on his report to draw conclusions. The axle is so-called risk management. Operationally, this means purchasing insurance to cover management “opinions” (legally sufficient) of corporate exposures. For reference, the design engineer is held by the same civil law to the opposite standard – no opinion allowed.

The venerable alliance of management with its so-called governance benchmark is captured in the record. The majority of directors (large NACD survey) indicate that no formal risk management process exists. IIA men find less than 4% of the corporate fraud exposed in the USA. This should be little surprise as management itself is committing the fraud in 65% of this $850B/yr industry. To be fair, special fraud auditors hired by management find no more than 8% of the annual take. Eliot Spitzer knows who knows the source of corporate fraud and he treats these essential tipsters like royalty. This is why Eliot Spitzer will drive corporate governance reform until it happens. He will never run out of “bad apples” and will remain years in advance of regulatory agencies.

The strategy of Congress to attenuate the scandal-ridden transfer of corporate wealth to its supreme commanders was formed, after the S&L scandals of the 1980s, by the Treadway Commission. The governance ideas were publicized and shelved after much contributing by management to political campaigns - until the WorldCom fiasco broke open so soon after Enron and Anderson fell. Sarbannes-Oxley was an editorial update of the already-debated, archived Treadway Commission plan, which is why it could run through Congress to Bush signature in 8 days flat.

The principal Treadway Commission strategy is to keep the IIA red book as is, but realign the IIA man loyalty with the Boards Finance Committee – now hoisted high in public view on the petard of non-transferable fiduciary responsibility to the stakeholders. The IIA man is hired by the independent finance committee and reports to it. In a great reversal, the IIA man doing the exact same job is now in control of the CEO’s destiny. What controls the IIA man is the SOX 404 requirement for contemporaneous evidence, which will be enforced ultimately by lawyers for the plaintiff in stakeholder actions under tort law. If the IIA man does not get his objective, data-driven act together contemporaneously, he is an offender along with the finance committee.

Excepting management, there is a presumption that an internal control system exists that actually controls something related to the financial reports. In truth only the illusion exists. This secret has not been exposed by the IIA man because its purpose was never to “control” finances, but cover management’s transfer of corporate wealth to itself (POSIWID). The job of IIA man was to assure management that his scheme was in place. Now that internal control has to be objective and coherent, meeting the legal rules of evidence, no one involved knows where to begin. How can they start being objective without revealing the truth about the monstrous incoherent mess they have been fibbing about for decades? Besides, who has done it right?

We now know the only way out for regulator and the regulated alike is evidence-driven governance, as you go, which means systems engineering practice. However, there is no precedent and zero chance corporations will get to this conclusion in a straight line. The real governor of internal control is control theory. To achieve control, the attributes of corporate operations require a design every bit as sophisticated as a modern industrial process being altered on a daily basis. IIA defines the discipline as: “using a systematic, disciplined approach to evaluate and report on the processes that are established within the organization (designed by management) to ensure that significant risk exposures are understood and managed appropriately within a context of continuous change.”

Two marketing directions come to the attention of my dotage. The first is generally promoting the fact that the situation is well understood, as in engineering, and that it has a rational, objective, coherent and proven solution. There must be no attempt to persuade management to embrace the only solution. Promotion must be limited to announcing to stakeholders that remedy exists. Our job is to inform and demonstrate, theirs to choose.

The second issue is to promote remedy to a target corporation in the style of professional inform/consent to an extent that, when the corporation refuses remedy, the refusal meets the bright line of law that escalates ordinary negligence to intentional. The evidence you have recorded via the targeted refusal, through the doctrine of deliberate ignorance, adds at least three zeroes to end of the amount defendant has to pay. You contact plaintiff lawyers, after the damage inflicted has resulted in civil law action, and negotiate your reward. You can also contact the defendant’s liability insurance company. Your evidence of intent, willful blindness, will allow it to rescind the policy. Thank you, John Stuart Mill.