How Three Little Letters Might Have Prevented the Global Financial Meltdown

CPAs could help avert the next financial catastrophe by joining the new multi-disciplinary movement for governance, risk and compliance.

by Rick Telberg

Not too long ago, CPA Norman Marks was sitting through a conference on the emerging issues in governance, risk and compliance (GRC). He listened for two days as dozens of speakers and panelists — consultants, internal auditors, independent accountants, vendors, lawyers, and others — sought to define “GRC.” Marks counted 23 different definitions.

So what, exactly, is GRC? And why do corporate finance CPAs need to care?

You only need to go as far as the front pages of the newspaper to understand why GRC is surging as a new corporate discipline and professional practice. If the Wall Street crash taught us anything, it’s the importance of sound corporate governance, hard-nosed risk management and serious regulatory compliance.

To GRC proponents like Marks, it’s just a pity that it’s all coming too late. To be sure, some few companies are not waiting for new government regulation to avert a catastrophic failure on their watch. But most have yet to get the message. According to the “Report on the Current State of Enterprise Risk Oversight,” co-sponsored by North Carolina State University and the AICPA, 60 percent of companies still have no formal enterprise-wide approach to risk management, and three-quarters of the time, management is not informing the board of directors of the company’s risk exposures.

“If the financial crisis has taught us anything, it’s how critical it is to link a holistic, comprehensive view of risk management with management and strategy,” Marks was saying from his home office, where you’ll find on his wall a framed article from the November 1998 Journal of Accountancy featuring his ideas on internal auditing. Today Marks is vice president at SAP BusinessObjects as — using his own terminology — an “evangelist” for “the GRC market.” But really, he’s a man on a mission. He maintains two blogs on the subject, one personal and the other for the Institute of Internal Auditors, where he’s also a member of the professional issues committee and a contributor to the association magazine. With his help, GRC is morphing from a market into a movement.

Insiders have yet to really agree on what GRC means. John H. Capobianco, president and CEO of Lumigent Technologies, a GRC business apps developer, says the term GRC has been kicked around so much that it “means nothing to everybody or everything to nobody.”

The questions abound:

  • By “governance,” do we mean the role of the board, or also top management? With “risk,” how do we measure it and bring the issues to top decision-makers? In “compliance,” don’t we really mean the risk of “non-compliance?”
  • Is GRC a legal discipline? Financial? Or actuarial? The answer, so far, is all of the above. A bank’s GRC program, for example, will look a lot different from a retailer’s.
  • Some companies will need a chief governance officer; others already have a chief compliance officer, or a chief risk officer. But is the issue best tackled by a single executive office with direct access to the board and chief executive, or by a distributed system of specialists working in a flatter, matrix-like structure?

“Managing risk starts with an awareness of what the risks are, followed by an ability to prioritize them,” according to CPA Mike Bechara, a GRC consultant based in Brewster, N.Y.

Marks insists that, to truly benefit from GRC practices, an organization must commit to obtaining a holistic view of all the enterprise’s risks — legal or financial, operational or strategic, external or internal, environmental or technological and on and on.

“Fundamentally,” he says, “GRC is a way of thinking about management.”

It’s so basic you have to wonder why it’s taken so long for some to understand.

Copyright 2010 AICPA.

7 Responses to “How Three Little Letters Might Have Prevented the Global Financial Meltdown”

  1. Clint Shinkle

    When we learn that Goldman is on both sides of a transaction and allows others (in this case the short) to select the securities in the pool they are going to package and sell we think they must be very ethically challenged.

    The accounting profession hasn’t caught a bubble yet and I would bet that the big auditing firms work both sides of the house when it comes to their clients.

    Did they have knowledge that the big bust was coming? They audited the big banks, the investment houses etc. Maybe as part of their audit process they need to corroborate within their own firms and not only assess the risk to themselves but the risk to their clients. They just might be able to add a little value to the process and could maybe catch a bubble before it happened. Risk containment was what Sarbanes was all about, I thought. It didn’t work too well, did it?

    I also don’t understand why things are so quiet regarding criticism of the big Audit Houses, although I have seen some discussion regarding Ernst.

    Clint Shinkle
    Seabeck Wa.

  2. Thomas E

    How about the Partner at E & Y for Lehman Brothers.

    From the last debacle of Enron and the like, which gave us Sarbanes-Oxley, This PARTNER chose not to inform the AUDIT COMMITTEE what a WHISTLEBLOWER said to him and a colleague during an interview regarding the Balance sheet manipulation going on there with the Repo 105 crap.

    After reading the Bank Examiners report, Lehman did have internal controls on the amount of risk they could take. However, senior management also had the authority not to follow that…. So until we start putting some of these greedy people away, nothing will happen GER or ABC or anything. Two numbers will: 5 to 10. Jail time!

  3. John Branch

    I do not know where to start. First, I believe the corporate governance issue is a joke. Why, because it has no teeth and thus people pay lip service to it but that is all.

    I spent 10 years with Arthur Andersen (77 to 87), two Fortune 500 companies, 3 CFO for public companies and consulting on my own for 9 years. I have assisted approximately 12 companies with SOX implementations and I have to tell you as time has progressed I have just found companies pushing the envelope further and further.

    Now, a big part of this starts at the top and I mean the very top in Washington DC and NYC. As you see people come out with bald faced lies right on TV and nothing happens then people start thinking it is acceptable. The large media companies who keep the problem going by never calling someone on the carpet.

    Quite obviously, fraud was throughout most of the banking system but have we seen one executive sent to jail for it. No. Hey, at the bare minimum you could have gotten them on violation of Sarbanes Oxley. Then there are the various people like Greenscam who should have been thoroughly disgraced.

    Just a couple of months ago I was engaged through a consulting firm to assist a company with SOX. This company’s stock was up 2000% in the last year and has since gone up another 40%. The CFO was also the CAO and she had no concept of US GAAP (as you can probably tell ran by people outside of the US). Just looking at the financials there were serious accounting issues. Controls were nonexistent. Speaking to the CFO she is kind of like, we book no expenses this month. We will maybe book next quarter or next year. We do not want to hurt earnings this year.

    The FASB is weak by not sticking to Mark to Market so we have a bunch of zombie companies walking around.

    The SEC is beyond weak.

    We can see the audits of the BIG Four are jokes. How much liquidity warning did shareholders have on GM, Bear, Lehman and Merrill. None.

    A couple of years ago I was at a meeting of CFO’s and I asked how many people think that CEO’s want a weak CFO and about 70% raise their hands.

    In general the system is corrupted and all of this GRC is a waste of time until it is fixed top down.

    There is the rant. Sorry, it is all just a joke and waste of money.

    Best regards,
    John
    Los Angeles

  4. Ed Herbst

    I feel compelled to comment on this one. While it’s wonderful that some CPAs are able to distill some of the core ethos of the profession and provide that insight (or inoculation) as a service is a positive spin on the financial meltdown story. I want to speak to the risk evaluation, limited to the scope of the risk of poor oversight/ governance or compliance, not to the larger, almost infinite risk management evaluation.

    To quote a line in the article: “It’s so basic you have to wonder why it’s taken so long for some to understand.”

    I think that is really the essence of the problem. Somewhere along the line, those engaged in the financial meltdown businesses simply lost their ethical compass. The AICPA publishes a great framework which embodies the ethics needed to conduct business and evaluate results. I won’t belabor the specifics of auditor’s ethics that we are all familiar with – but in essence, the financial meltdown was due to ethical failures often through rationalizations in many places – from businesses to CPA firms. It was not the failure to have a good framework available- it was the failure to follow it. So now we have an Accounting oversight board, and companies are paying to ensure they are compliant with GRC.

    It starts with personal ethics, which are the foundation for the execution of the framework of professional ethics. Corporations have cultures – and the tone is set at the top – by actions, not by words. Whether those actions comply within reasonable standards of GRC can certainly be measured. But if companies are really concerned that someone should be teaching, assessing and evaluating their core ethics – I think that’s an indicator of a company that is unsure of the calibration of its moral compass.

    What we as professionals must demand of ourselves, our fellow CPAs, and the business and communities we serve – is our duty first to the public and the shareholders and not to self-serving interests that affect next quarter’s bonus or lucrative consulting contracts. That should be so basic – everyone should easily and quickly understand it!

    Very Respectfully, Ed Herbst

  5. Matt Kranz

    May I ask how many times can we re-circulate the same topic using different terminology? The use of the terms governance, risk and compliance themselves acknowledges the failure of corporate management and boards of directors to accomplish the noble effort of ethical and responsible management. I imagine that it is the hope that this new terminology will persuade corporate executives and boards to address ethical and responsibility issues without feeling that the current poor practices are not their fault. So be it. Despite its huge cost and the loss of very many corporations from our stock exchanges, SOX did work to make corporate executives feel the heat of watchful eyes. Auditors finally perform compliance testing which was practically absent prior to SOX. It is interesting how effective requiring an executive to acknowledge he/she is fully aware of the financial and accounting decisions can be on curbing their unethical behavior. Unfortunately SOX wasn’t sufficient to prevent our US Congress from threatening to legislate accounting practices in order to force the FASB to accept poor valuation techniques for MBS and CMBS securities. This is a current ongoing scandal which has banks stating they are solvent when in fact they may not be. Where is the governance, risk assessment and compliance here?

    Also, the current push for acceptance of IFRS and IAS is a scandal in the making. The foreign corporations that decided to leave our domestic stock exchanges in order to avoid the SOX requirements are now seeking to re-enter the US through the back-door sleight-of-hand trickery of adoption of IFRS. The IFRS rules are so broad and vague that companies within the same countries and same industries adopt very different accounting methods. The financial statements required by IFRS are laughable and do not succeed in better describing and reporting the financial condition of the company. IFRS rules do a fine job of enabling unethical management and reporting of corporations. It causes me to wonder what set of terms will be in vogue after the scandals brought about by the congressional override of US GAAP and the adoption of IFRS occur?

    Good governance is dependent on good ethical practices by all corporate executives and a sense of personal responsibility to one’s colleagues and shareholders. Risk? The advent of risk assessment came on the heels of poor ethical behavior of corporate executives. Let me understand, risk assessment determines to what degree the corporation is fiscally threatened by the decisions of its executives? Interesting concept. Compliance? This is the concept of holding corporate executives to their word, right? Compliance means they are doing what they said they would do in the way they agreed a thing would be done. Thank you.

    Matthew Kranz, CPA
    Controller

  6. Dave Dillwood

    As a profession, we have a responsibility to get involved in trying to rectify the problems that have come to the fore in the last couple of decades. How that will take place is a mystery to me, because we are still compensated by the same entities that we are expected to critically evaluate. Do we really think that Arthur Andersen was unaware of the building problems in Enron, or were they willing to turn away and make excuses because of the compensatory pressure of our fee based relationship with the clients? If there is a willingness to restructure transactions to take advantage of apparent loopholes, and enough money to convince the CPAs that it will be okay, we will risk repeating the past.

    Perhaps it is time to explore a different system which does not rely on the CPA client relationship alone to ensure compliance with both the written and implied rules. Perhaps a system like France has for CPA oversight is something to consider.

  7. Been there, done that

    Let me relate our experience to you as I think it is relevant. We were a CMBS conduit from 1998 through 2008 until the market shut down. We were audited by EY for several years then DT. In all of that time we ran across maybe two or three people that had a reasonably good understanding of what we did. We hired one of them. He worked his way through us in short order then off to HBS. During his time here he earned his CFA.

    We also hire MBA graduates periodically and even when they have concentrated in “finance” their knowledge of the subject is woefully inadequate. To make a decent contribution to solving the problem you would need CPAs with incredibly greater levels of competence with financial products. The same goes for risk measurement, credit, market and operational, as well as good grounding in statistical methods.

    I attended business school in the heyday of Fisher Black, Scholes and Fama at the school where they taught. I did receive the Accounting Research prize. That would not have been enough to have made much of a contribution. What would help, in my view, is to have accounting firms organized a little closer to law partnerships where the partner to associate ratio is much less like a factory. In the days of the big eight everyone could back into accounting firm partner earnings from their personnel ratios, with PW of course being at the top, even having two levels of partners. You need the people that know to stick around.

    They need to focus on substance and not on supervision, scheduling, collection, client development and the like. They also need to be paid- partner-like pay. They need to stay in the trenches and for that the accounting body shop model needs to change.