http://www.ft.com/cms/s/0/a71451e6-d008-11dc-9309-0000779fd2ac.html By Francis Hounnongandji FT.com January 31 2008 The lax internal controls revealed at Societe Generale are not specific to that bank, or even to the financial services industry, but are endemic throughout the corporate world. The best cure is better education and a stronger culture of internal controls among board members, senior management and the financial analysts who assess the value of companies. Scandals at companies such as Enron, Barings, WorldCom and Parmalat have highlighted the huge losses that can occur through frauds or the breakdown of internal controls. At SocGen, the activities of a rogue trader triggered a sequence of events that cost the bank 4.9bn ($7.2bn) and this does not account for soft costs including the diversion of senior managements focus from the day-to-day business, the negative impact on the franchise and the blow to employee morale. In view of such huge losses, it is unbelievable how little interest there is in the subject of internal controls among financial analysts, shareholders and bondholders, unions and employee organisations, board members and senior management. Too many leaders underestimate the risks of fraud to their organisations and to the economy. It is common for internal audit and control teams in many organisations to be composed of junior people who are less familiar with complex transactions than those they are in charge of scrutinising. Despite anti-fraud laws and regulations such as Sarbanes-Oxley in the US, fraud risks have actually increased. The absence in Sarbanes-Oxley, the Loi de la Scurit Financire in France and their equivalent in other countries of specific guidelines and standards for anti-fraud controls and the lack of guidance for measuring their effectiveness render the exercise fuzzy. Companies have a cosmetic interest in complying with these regulations, as nobody wants to be seen to have failed to obtain the required certification. However, while the costs of the internal controls and anti-fraud systems are visible to most organisations management, the benefits are less obvious. Incoherent and sub-optimal internal control systems implemented by many companies have left loopholes that fraudsters can exploit. The imposition of so many laws and regulations has created its own problem, as this has led to a string of audit visits and inspections and a mountain of paperwork that has come to be seen as an administrative burden. Little has been done to explain to businesses why effective internal controls and anti-fraud programmes add value to organisations by improving productivity and providing a competitive edge. In the meantime, technologies and information systems are more complex, as are the companies transactions. At the same time, loyalty between employees and employers is in decline, increasing the chances of fraud. In the heat of the debate, there are demands for more and tougher regulations on the financial services industry. With the shock provoked by the losses at SocGen, it would be easy, at least in France, to push hasty laws and regulations on to an industry on the defensive. But the cure is not extra laws and regulations, but more sensible ones with specific guidance and measurement standards, better understood and consistently applied by organisations. How to make existing laws and regulations more practical should be the primary focus. In due course, mandatory awareness of internal controls should be required for board members, senior management and financial analysts. A minimum level of knowledge of internal controls should be required for all audit committee members. Whenever possible, knowledgeable internal control and anti-fraud experts should be hired by companies to implement risk-assessment and fraud prevention measures. Anti-fraud processes and tools implemented to prevent management overriding internal control systems should be disclosed in the annual report, as a clarification to the requirements of Sarbanes-Oxley laws, the Loi de Scurit Financire in France and their equivalents. We must avoid an overreaction. What organisations require are smarter controls, integrated into the culture and the business model of the organisations and commensurate with their risk profiles. We need to be consistently proactive. This, not more regulation, is the way to plug the holes in the corporate armour. -=- The writer is president of the French chapter of the Association of Certified Fraud Examiners. He is also chief executive of Allied Business Controls, the corporate governance and financial advisory firm Copyright The Financial Times Limited 2008 ___________________________________________________ Subscribe to InfoSec News http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Mon Feb 04 2008 - 00:09:37 PST