Compliance Systems That Fail (Part 2)
External Auditors
In the years following the 2007 engagement of Burr Pilger
& Mayer (BPM) as its new auditors, HomeFirst’s risks
decreased, contracts continued, and communications with the auditors were
reasonably transparent. In our annual
management representation letter, Jenny and I attested that we had discussed
with the auditors everything that we should have done. A comfortable relationship developed between
BPM and management, audits ran smoothly, and the fees we paid decreased. But that comfortable arrangement also
increased the possibility that BPM would not investigate matters as closely as
others might.
Fear of losing revenue can sometimes lead auditors to yield
where they should not, intentionally or as a result of unconscious moral slippage. Aware
of that risk, audit committees often request that the audit partner in charge
rotate periodically, or they may replace the firm itself. BPM, however, was too small to easily
accommodate the rotation of the audit partner.
After five years together, the Audit Committee requested bids from
competing audit firms, all of whom were more expensive, and we renewed our
comfortable relationship with BPM.
In the standard language suggested by the AICPA, management
is responsible for preparing financial statements consistent with generally
accepted accounting principles and for maintaining a system of controls to
ensure the accuracy of the statements.
The auditor’s responsibility is to express an opinion on the statements
based on testing standards, but it declines to opine on the effectiveness of
the company’s controls. Despite these
intended responsibilities, a critical question for financial and operating management
is “will the auditors find it?” or, as Jenny asked about compliance issues,
“did someone else bring this up?”
Nonprofits that receive significant federal funding – more
than $500,000 in years through 2014 and $750,000 afterward – must have an
audit compliant with OMB Circular A-133, “Audits of State, Local Governments
and Non-Profit Organizations.” For readers of BPM’s A-133 audit report, the
absence of findings of material weaknesses or significant deficiencies in its
controls and of questioned costs implied that the company complied with
whatever it needed to be compliant.
The reality of A-133 audits was less compelling. BPM reduced its charges to HomeFirst by
conducting risk-based audits, meaning that it focused on areas that were identified
as risky in past audits or in discussions with the Audit Committee or
management. Further, BPM was required to
perform testing only on selected major grants in excess of $300,000. In the 2014 audit, BPM’s two-person team
reviewed sampled client files and transactions with respect to 9 grants with
total revenue of $2.2 million, as representative of 30 government grants and
total revenue of $10.8 million. The
three days of field work were deemed sufficient under the circumstances.
Despite the oversight structure mandated by the California Nonprofit Integrity Act, HomeFirst
committed its $1.2 million over-billing of HUD grants after the law was passed,
the Audit Committee was established, and an external auditor was hired. That egregious error arose from management’s
failure to correctly bill its contracts, HUD’s failure to effectively monitor
the company’s billings, and the auditors’ failure to effectively audit the
company’s accounts until the problem became clear during the 2006 audit.
Most of the HomeFirst wrongs that I alleged fell into a class
of violations that are not easily detected without a whistleblower’s
assistance. They were wrongs that
escaped detection by BPM’s audit procedures, on which readers of the financial
statements relied to judge our performance.
Limitations inherent in the external audit and the other layers of
formal compliance oversight can enable corporate culture to dominate the
ethical practices of the organization[1].
Even more than its formal policies and reporting structures,
an organization’s culture determines how it responds to ethical
challenges. Company culture is reflected
in the ways employees are recruited and trained, how they dress and present
themselves, how they interact with each other, and how business is conducted
and decisions are made[2]. More than just a set of behaviors, culture
represents “the way we do things around here” in order to solve problems and meet
organizational goals[3]. An organization’s ethical culture transcends
the personal values of its managers and the operational goals of growth and
profitability. Absent a culture of
positive ethical values, the organization can become unhinged during periods of
stress[4],
like the stress that afflicted HomeFirst in 2014.
In some company cultures, an apparently well-developed
compliance program is viewed as a get-out-of-jail card that reduces the risk of
indictment and minimizes the legal consequences of wrongdoing that is caught[5]. In the absence of agreed metrics for
determining the effectiveness of corporate compliance programs, managers and
board members can contend that they are highly ethical despite evidence to the
contrary. For a company that endeavors to
do good in the community, faith in its ethical purpose bleeds into a confidence
that its compliance initiatives are honestly implemented.
The presence of a compliance system can actually lead to the
occurrence of more unethical behavior[6]. Company managers may view penalties for
violations simply as another set of costs that is weighed against the cost of
compliance[7]. HomeFirst’s compliance program assured
managers they would always have an opportunity to fix their files prior to my
visits, they would never be disciplined for violations, and violations were
immaterial unless an external authority brought them forward. By doing so, it may have fostered violations
rather than compliance.
Like more than 90% of similarly sized nonprofits[8],
HomeFirst possessed key governance policies.
It did not have a whistleblower hotline or an independent party to evaluate
complaints of complaints, but neither did many other small and medium sized
companies. Despite an impressive
compliance structure and an honorable passion to serve the needs of the
poor and change the world, HomeFirst, I believe, committed acts that should
have been handled much better and allowed its several reinforcing controls to
fail under the weight of its culture.
Whistleblowers attempt to work within a system of official
rules and with designated authorities.
They are defeated by multiple systemic failures, by people who do not
play fair, and by cultures that overwhelm control systems.
[1] Bazerman, Max H. and Ann E. Tenbrunsel. Blind Spots: Why We Fail to Do What’s Right and What to Do about It. Princeton, N.J.: Princeton University Press. 2011
[2] Sims, Ronald R. and William I. Sauser. “Toward a Better Understanding of the Relationships among Received Wisdom, Groupthink, and Organizational Ethical Culture.” Journal of Management Policy and Practice 14.4 (August 2013): 75-90
[3] Martin, M. Jason. “‘That’s the Way We Do Things Around Here’: An Overview of Organizational Culture.” Electronic Journal of Academic and Special Librarianship. 7.1 (Spring 2006)
[4] McCoy, Bowen H. “The Parable of the Sadhu.” In Ethics in Practice: Managing the Moral Corporation. Kenneth R. Andrews (ed.). Boston: Harvard Business School Press. 1989
[5] Laufer, William S. Corporate Bodies and Guilty Minds: The Failure of Corporate Criminal Liability. Chicago: The University of Chicago Press. 2006
[6] Ibid
[7] Tenbrunsel, Ann E. and Kristin Smith-Crowe. “Ethical Decision Making: Where We’ve Been and Where We’re Going.” The Academy of Management Annals. 2.1 (2008): 545–607
[8] BoardSource. “Leading with Intent: A National Index of Nonprofit Board Practices.” BoardSource 2015