IN THIS ISSUE

According to Mike

Mike Pidzamecky, CMA is senior consultant, CSA, internal audit and security, at Imperial Life Financial in Toronto, Canada. Pidzamecky developed several CSA approaches while working for the Westcoast Energy Group. He teaches CSA courses for The IIA and has written questions for the CCSA exam.

I recently had the opportunity to review a new publication, Control Self Assessment: For Risk Management and Other Practical Applications by Keith Wade and Andy Wynne. A compilation of applications and experiences from CSA practitioners around the world, the book had one particularly interesting discussion about a major fraud in a large subsidiary that shook our thinking about corporate governance. Although the deception was perpetuated by top-level management, external auditors had audited the company each year and the company’s internal auditors had conducted regular audits. "Ironically," the passage reads, "one of the last audit reports issued by the internal auditor, contained the management comment ' … control systems are operating as intended by management.'" In addition, the Board was meeting its governance responsibilities, and the company was expanding and making money.

"Unfortunately," say Wade and Wynne, "senior management had created a number of contracts between the company and other companies they owned privately and caused the company to do business for many years on terms and conditions that were clearly not at arm’s length."

Even with the traditional controls firmly ensconced, the fraud lasted years. At the end of the passage, the authors rightly wonder, "While only a few employees at the top were involved, we could not believe that many more employees had not had suspicions or knowledge they were willing to live with and not disclose."

This may seem to be a perfect description of Enron or some of the currently famous "scandal" companies, but it is actually a description of Gulf Canada in 1985 as witnessed and written by Tim Leech and Bruce McCuaig. (Yes, as a Canadian, it breaks my heart to say we did it before the Americans.)

It is this event at Gulf Canada more than 17 years ago that laid the foundation for control self-assessment, or control and risk self-assessment. Leech and McCuaig don’t claim that CSA was created one day in 1985. Instead, they explain that what actually began was "…the development and reporting on internal control and risk. In short, the early recognition of the need for and development of criteria of control." It wasn’t long before auditors elected to involve company personnel, no matter their responsibility, in the continuous evaluation of controls and risks in their business units and departments.

When I read this passage during one of my recent IIA classes, one participant asked if CSA would have stopped the fraudulent financial reporting at the energy giant, Enron. That’s a good question. 

In my humble opinion, yes, I believe it would have, but only if someone had allowed CSA to truly take place. A recent Forbes magazine article revealed that over a year ago, dozens of former Enron employees gave statements for a class-action lawsuit against the company. They described sales orders that were booked twice, ancient receivables that were listed as assets, payments to suppliers delayed so that profits would look higher and expenses lower. They had lots of knowledge about the scope and the detail of the wrongs being committed. So, why didn’t anyone talk to them? 

CSA gives the employees the chance to speak about the proverbial good, bad, and ugly. Whatever form you use, the object is to provide a thorough assessment of the organization’s control environment and activities, risk assessment program, information and communication channels, and the monitoring systems. In its purest sense, CSA is a program of deep, probing analysis within an organization that insists on everyone’s participation, from the lowest staff member to the highest.

But, even with the greatest assessment and the highest standards, the most important requirement for a successful CSA program is a culture of high moral and ethical governance and business standards demonstrated from highest level of management to the newest employee. Without such standards we cannot expect an organization to embrace a process that will disclose all of its shortcomings — even the potential fraudulent ones. 

I have said in many of my classes that a good CSA program will enable every employee to bring up concerns and to have those concerns get addressed. But, this is only true if senior management supports such a program. If management is intent on misleading the public, shareholders, regulators, and the government about what is actually going on in the company, they will surely not want a successful CSA program that asks the staff what’s going on in the organization. 

That’s my opinion. Whether you agree or disagree, let me know at mpidzamecky@djfsc.com.