Why else do you think there was a need to protect the interests of shareholders and now a multiverse of stakeholders, through a barrage of regulations, stipulations, codes, compliance and reporting requirements? The corporate world was never expected to be fully transparent and it sure as hell delivered on those expectations by being even muddier than the slew of regulations meant to keep it trustworthy and thus afloat!
And this isn’t the work of some ‘con’ artists (read con entrepreneurs) who have always been hell bent upon making money come what may. They have always been ‘lucky’ to find con collaborators at every level to get them through the regulations, stipulations and compliances with absolute perfection.
Let me get to those levels and collaborators in a while, because something else comes to my mind here to emphasize and elaborate what I’m trying to say here. For me it’s now an adage of sorts; “what’s not documented is not done”. This was part of my training when I was being groomed for stepping into the corporate world and I’ve lived by it by being on the right side of it! I’ll explain how, later in this space.
The problem is what to do if everything is indeed documented, and yet it’s not done? That’s essentially the problem with regulations, stipulations, standards, codes, compliance and reporting requirements. One can easily fake their fulfillment and report these as complied with! In a world where we could have ghost entities (entities on paper) with a number of transactions to their credit, faking compliances is hardly a job to do!
ENTER: THE WATCHDOGS!
Unfortunately, in this case, regulators even become accomplices in crime, because by lacking the will to go beyond the paperwork to the situation on the ground and the capacity to even go beyond what’s reported and verify its veracity, they’re complicit. And if will and capacity can be somehow substantiated, regulators might cut a deal instead of imposing penalties for failing or worse people at the regulator might try to cut some slack for themselves and earn some easy money!
One might wonder if lack of will, capacity, cutting deals or making easy money could be Third World problems. Well, it isn’t because the regulations, stipulations, codes, standards originated from the First World. And ethics or the lack thereof is certainly not region specific. Thus, the opaqueness of the corporate world is a global phenomenon.
And this begs the question, what are the watchdogs (regulators) watching? Just papers? Reports? Compliance dashboards? Portals? Is that what a watchdog should be watching? Should the watchdog be confined to the comforts of its office or be out in the field? Is the environment conservation watchdog providing service (or disservice!) by watching compliance reports / data from a factory instead of testing the effluent water being discharged in the close by water channel?
Similarly, is it befitting for the Corporate Regulator to get statements of compliances on adherence to corporate governance code requirements, when each and every entity required to conform adherence can simply do so by fudging the underlying records, for instance number of meetings of the board or its committees, minutes and what actually transpired, attendance at meetings, board’s performance appraisal and the Company’s performance or exhibiting its code of ethics or safety records, without referring to any actual incidents and their disposition?
WHISTLEBLOWING & COMPLAINT SYSTEMS ARE WORTH WHAT?
Or are the regulators satisfied that the other mechanisms they have in place through regulations and stipulations, like whistleblowing process, complaint system, feedback system are doing a great job? And that these mechanisms provide a viable basis for substantiating the corporate entities’ reported adherence to requirements?
To believe this to be true, one must be living in a fool’s paradise. Because:
- Corporate entities would do everything possible to avoid stakeholders being educated about such mechanisms.
- No one likes people who complain, so entities tend to shoot down the messengers by burdening the complainants through additional work, or transfers or by giving an illusion that their complaints are being heard and processed.
- Delaying action until the complaint is no longer valid.
- Restricting access to or removing records substantiating wrongdoing is also possible.
- Making complaints is an arduous process and there’s hardly any protection guaranteed for complainants.
- Costs of compliance are high.
- It’s always good to be a better version of yourself on paper.
- Business entity’s actions are always good for economics!
And finally allowing the compliance verification process to come to the level of having or not having complaints for the purpose of substantiation says all about the intent of regulations and stipulations!
Since this is like running the equipment to failure and not bothering about preventive maintenance.
A fractured governance structure in an entity, an ethically impaired tone at the top, can always have the best records attesting allegiance to the regulator’s requirements. Because these can be two distinct things conveniently and this is what entities have learnt overtime following these requirements.
Maybe that’s the intent of the regulations as well, entities should ‘manage; as far as possible to avoid complaints being reported to the watchdog. And that’s what entities got as well, do whatever it is you want to do, just don’t get caught!
NON-REGULATORY OVERSIGHT
I recently got to know that certain global research oriented organizations that work in the public interest domain also assess and rate corporate sector entities adherence with governance requirements. But guess what? They do it from the information that’s publicly available like company announcements, returns, annual reports, etc.
Though, it might seem to be a good and a unique effort in the sense that it allows for a review of Company’s information and the impact a regulator is making, it could hardly be an accurate one, since information for public consumption is the same that the entity wants to show the outside world and in many cases it could even be different from what has been reported to the Regulator. And that’s exactly what they mention in their disclaimers as part of their reports; they don’t assess the actual state of implementation.
For it to work, these oversight organizations actually need to review the work that regulators are doing and relate it with the before and after impacts of their actions (or inaction!) with or without complaints on the businesses. Maybe then such ratings and indices could be worth reading.
Stipulations, regulations and statute can force reporting but can’t enforce on the ground adherence and implementation.
The con-collaborators
Owing to their statutory and regulatory requirements, entities also learnt over time that it’s good to befriend their external assessors, validators and auditors. Since, it is these so called “independent’ third parties who are always preferred when it comes to reporting compliances.
But little do the regulators understand that independence also needs to be exhibited not just on paper but in the field and needs to be pretty obvious. Fat external audit / validation / assessment paychecks ensure that entities keep their external auditors in line with their ‘expectations’ and the external auditors are obliged to ack in kind.
Be it a Health & Safety, Environment auditor, a tax auditor, or an external auditor, good hospitality and an excellent business relationship measured in dollar value goes a long way in having adherences attested and certified.
A few days ago, I found out that a Company which already had its core business agreement and model terminated at least 3 months before the year end, reported its annual accounts on a going concern basis using its own interpretation of accounting standards. And within the subsequent to year end 3-month period, it was terminating employee contracts but keeping the plant in case the market dynamics change!
The external auditor, whose performance is also rated by at least 2 regulators within the corporate sector, had given an unqualified (clean) opinion on the use of going concern basis for preparation of accounts. So, what about investor confidence? Well, if something this big is possible, consider the magnitude with which creative accounting treatments under differing interpretations of accounting standards are possible and do happen!
TRANSPARENCY IN THE CORPORATE WORLD
The approach towards documents and reporting needs to be detailed-oriented, systematic and disciplined as expected and desired by an internal audit review. The documents and reports need to be verified and aligned with the situation on the ground, and to be reviewed against certain specific assertions to ensure these are credible and reliable.
For instance, even if I get hold of documents and data at the outset of an engagement, I never begin from there. Because we need to understand the nature of business, its objectives, risks and system first to make sense of the data. The data then needs to be verified through detailed examination of the processes (Manual and IS activities included) producing it and a corroboration of inferences drawn from data also need to be performed.
One might wonder why external auditors could not do this work diligently. It’s partly because of them being external to the entity thereby lacking the desired in-depth understanding of business and because of their audit fee, they never intend to offend a client and finally because owing to a lot of regulation, they’re more focused on checklists based review of compliances rather than on-the-ground compliance.
Reviews over statements of compliance with codes, standards, rules, regulations and stipulations need to come from internal rather than external auditors, because it’s not the external auditors who are aware of year round happenings at the entity, but internal auditors are. Also, it hardly matters to the internal auditors if clients get dismayed at their review findings, because their reporting, performance evaluation and compensation is to and decided by the Board.
In fact, the feedback, complaint and whistleblowing systems need to be a regular part of internal audit engagements so as to provide assurance if these are working as intended. I would also like to propose that it would serve the corporate world best if regulators have a direct line with the internal auditors of corporate entities under their purview.
Maybe because internal audit promotes self-governance and regulation through standards, the onus to be objective, independent, competent and honest also lies on us! And maybe that’s why we’re better off without regulations driving our conduct!
So, regulators, if your intent is really for the business world to navigate through murky waters, let the internal auditors be your partners. And clients, if you are wary of murky waters (that you didn’t create yourselves), let internal auditors be your sailors.
But when deciding to invest in internal auditors, remember to invest in professionally qualified internal auditors who have a history in not just being competent but have also been unrelenting on ethics and integrity!