A Panel discussion : Neeraj Kumar Sridhar Ramamoorti ... Three/Mohammed A. Siddique (10.45-12.15)...

A Panel discussion: Neeraj Kumar, Sridhar Ramamoorti, Mohammed Siddiqui

International Association of Airline Internal Auditors, 10 – 13 Oct 2010, Istanbul, Turkey


• Over 25 years of Internal Audit and Risk Management experience
• Senior Manager, Director Deloitte, Jefferson Wells - 2004 - 2005
• Senior Vice President Internal Audit – Emirates Group 1998 - 2004
• Chartered Accountant and Certified Internal Auditor.
• Canadian Representative on IIA’s Value Proposition Task Force
• Past Vice Chair of Canadian Council and Chair of Education Com.
• Past President of the IIA Dubai Chapter.
• Past member of the IIA Global Board of Directors
• Member of the Board Audit Committee of a major carrier

Which is more important? You can select only one.

• The governance failures, corporate collapses, the “2008 Wall Street melt down,” the Great Recession.
• Recently – BP, HP, Microsoft… FCPA investigations
• Ramifications for the economy, the community and the world.
• Global linkages and interdependencies of the situation


Corporate “stress” points

• What could take the organization to the pinnacle of success? Leadership

• What could bring the organization crashing down? Leaders in power

… ALL ABOUT … PEOPLE …

InterGovernmental Conference on Risk Management, 14, 15 Sept 2010 - Conference Board of Canada

The Creation …

The End ... the rise / rebirth of the new and better race:

Is the corporate world following the inevitable cycle of life and death ?


People: Shareholder, Board, Executive, VP, Directors / Management, Supervisors, All Employees

Behaviors: Arrogance, Anger, Passion, Dishonesty, Greed, Incompetence

Company, Ethics, Greed, Competence, Arrogance, External Earthquake?

Barings No

Enron No

WorldCom Maybe No

FnM&FrM No

Societe G No

Arthur A No

Satyam C No

What went wrong..?

Company, Fraud, Greed, Bad Mngmnt

Fashion Cafe

The Hit Factory

Bre-X Minerals

Tucker Automobiles

Madoff

What went wrong

Were these avoidable….? Did someone know about these impending disasters?

• AICPA, CA, CGA
• Suppliers
• Customers
• External Auditors
• Regulators
• Legislation

Owners, Shareholders

Board/Audit Committee

IA, ERM Compliance

Executive (C Suite)

Key discussion points

• What - Greed, Arrogance, Dishonesty, Passion - root causes of corporate catastrophes?
• Why nothing has stopped the disasters?
• Who can detect bad behavior before it is too late?
• What role can Internal Audit play?


1. What could have caused businesses to fail in the recent past?

2. Why are these issues continuing to create disasters in the Corporate World?

3. Is it possible to “detect” and “predict” bad behavior before it can cause huge damage?

4. Who among the “stakeholders” should be accountable for identifying behavioral issues at the C suite before these cause damage to the organization?

5. What could be done to prevent such corporate disasters?

[Survey chart] What could have caused businesses to fail in recent years?

Options: Incompetence, Dishonesty, External Factors, Other

Values shown: 12.5%, 75.0%, 5.5%, 7.0%


[Survey chart] Who would be most effective in identifying issues before it's too late?

Options: Board and Audit Committee, External Auditors, Internal Auditors, Other

Values shown: 9.7%, 4.7%, 79.7%, 6.0%


• Chairman, Enterprise One Consulting Services
• Former Partner, Corporate Governance, Grant Thornton LLP
• Ernst & Young, Thought Leader/Sarbanes Oxley Advisor
• Arthur Andersen, Assurance Professional Standards Group
• Backgrounds in Accounting & Psychology (The Ohio State University)
• Accountancy faculty, University of Illinois at Urbana-Champaign
• Chairman, Academy for Government Accountability, 2005-2008
• Board Member: IIC, Ascend, IBPE; VP-Practice, 2 AAA Sections
• Co-Chair, 2010 CBOK Global Study for IIA Research Foundation
• COSO/ISACA Monitoring Guidance, IIA Textbook, The Audit Committee Handbook, SOX 404 for Small, Publicly-Held Companies
• ACA, CPA/CITP/CFF, CIA, CFE, CFFA, CFSA, CRP, CGAP, CGFM, CICA, FCPA

• Acting CFO for FlyDubai
• CFO of Sri Lankan Airline for over 5 years
• Chartered Accountant and Certified Internal Auditor
• Founder-President of the IIA Dubai Chapter
• Founder-President of ISACA’s UAE chapter
• Ex-Chairman & Founder Member of the International Association of Airline Internal Auditors (IAAIA)
• Recipient of IIA UAE’s first-ever Lifetime Contribution Award
• Believes that understanding human nature is at the very heart of risk management

Sunbeam, Fannie Mae/Freddie Mac, Waste Management, Cendant, AZ Baptist Foundation, HealthSouth, Enron, AIG, WorldCom, Ahold, Adelphia, Vivendi, Tyco, Parmalat, Xerox, Satyam Computer, Global Crossing, Societe Generale

Stock Options Backdating, Financial Statement Re-Statements, Wall Street Financial Meltdown = Lehman, Goldman Sachs; Madoff, Stanford scams, etc.

(a disturbing sample!)

how to grant managers enormous discretionary power over the conduct of the business while stopping them from misusing that power…..

Result : The Boards, C-Level Suite, Professional Gatekeepers, Politicians, Legislators, Regulators, Standard-Setters, Financial Analysts, Media, Academics, Public…

How is this working……? Governance in good times produces a “halo effect”…

• Recent tales of Fraud, CG Failure and Folly –

• To the extent that:
◦ excessive risk taking (e.g., subprime crisis) can lead to massive losses, business failure or bankruptcy (no one knew, it’s someone else’s fault)
◦ executive stock options seem to be perversely implemented (i.e., we’re paid like rock stars and we’re worth it)
◦ it is difficult to assign culpability, hence no accountability (didn’t know or understand, can’t remember except to take the Fifth!, plausible deniability)

a corporate governance issue arises in that ineffective Board oversight of management can be inferred (“money for nothing”)

KEY QUESTION: Do internal auditors recognize that almost all these matters involve behavioral and integrity risks?

• Poor ERM/Governance Linkage: “The 'quants' knew of the risk, and [they] calculated it, but the businesses are more powerful than the quants…the good times were going and the commissions were flowing, even if [financial] models were showing risk.” (C. Marrison of Risk Integrated, 2008)

• Financial models can’t catch poor underwriting! “Lenders were making loans without documentation, without verification of income and on data sets that had no performance history behind them…Often, the underwriting did not correspond to the model” (Pam Martin, Risk Management Association, Philadelphia, 2008)

“Where is that moral compass that you need to hold back?" (Pradyot Samanta, S&P)

“It is hard to make a man understand something when his living depends on his not understanding it”

(Upton Sinclair, 1903)

• Understanding Perfect Storms: Whole host of inter-dependent risks materialize in concert at the same time…all “checks and balances” fail
• It’s not Just the Auditors: Auditing profession was blamed when Enron/WorldCom happened, but what about other capital market participants?
• Congressional interference with option expensing rules, conflicted legislators, financial analysts and rating agencies, Board audit and compensation committees, poor ERM linkage to governance within enterprises, non-existent and weak regulatory oversight, FASB standards allowed non-consolidation of SIVs, VIEs, QSPEs (e.g., FIN 46R as amended), media hype, and a fickle, indifferent public…
• “What’s not on the balance sheet is not usually audited!” (Who audits executive compensation? Esp. stock options)
• “On the Folly of Rewarding X While Hoping for Y” (Kerr, 1985)

"Board culture is an important component of board failure. The great emphasis on politeness and courtesy at the expense of truth and frankness in boardrooms is both a symptom and cause of failure in the control system. CEOs have the same insecurities and defense mechanisms as other human beings; few will accept, much less seek, the monitoring and criticism of an active and attentive board."

(Michael Jensen, 1993)

Solutions to the problem of fraud may not be found in economics, but in psychology…hence the rise of behavioral economics and behavioral finance (cf. Daniel Kahneman, a Princeton University psychologist, won the Nobel Prize for Economics in 2002)…“auditing behavior” with focus on “cooking-the-books” controls is the way forward!

So, how do we do it? Let’s turn to the panel…

Dr. Gene C. Barger

• Healthy vs. Unhealthy Narcissism

• Traits and Characteristics of Leaders with Unhealthy Narcissism

• A preoccupation with one’s status and power
• A need to “stand out” with little tolerance for true teamwork and power sharing
• An often charismatic style that can be inspiring, manipulative, and intimidating
• A need to assemble around them individuals who provide adoration
• Impulsive risk taking
• An ability to psychologically employ “rationalizations” that excuse their transgressions.
• Deeply felt insecurities that are often masked by expressions of bravado and strong self-confidence.
• A very low tolerance for others challenging their decisions and behavior.
• A perspective that rules are made to be bent.
• Support from a system of lawyers, the media and others who can be “persuaded” with the right amount of money
• Aura of a “victimless crime,” “criminals with clean fingernails,” who can “steal without a gun”

1. Culture of Obedience to Authority – Boss is Always Right!
2. Lack of expertise and/or assertiveness with those providing governance and oversight
3. Cozy multiple relationships at the top – internal & external
4. Information tightly held by those at the top.
5. Those who challenge are punished.
6. Collusion and vested interests
7. Huge incentive for “demonstrating success”

Superiority: I deserve this. My success is my evidence.

Potency/Invincibility: I am going to beat them—the competitors, regulators, auditors.

Derogation of Victims: They are too stupid and naive to figure me out.

Externalization of Blame: I have no choice. People and Circumstances are to blame.

Emotional Discounting: “They will get over it. They can find a job somewhere else.”

Temporal Discounting: “Act now. A bird in hand. Take it while it’s there for the taking.”

[Possible “psychopathic” tendencies – see “Snakes in Suits” by Babiak & Hare, 2006]

Normalization - “This is common practice in other companies.” “Everybody else is doing it.”

Altruism - “We can’t share this information because it will make them culpable as well.”

Optimistic Self-Correction - “They are good, smart people and will figure out what they need to do.”

Self-Preservation - “I am in favor of blowing the whistle as long as someone else does it.”

Consistent and unwarranted breach of tolerance limits

Unauthorized, Indiscriminate and excessive asset disposals, acquisitions or mergers

False, unreliable and fraudulent production of vital information

Unauthorized/inaccurate disclosure of classified, vital information

Failures in technology / IT security

Gross negligence in managing operations

Fraud and Misappropriation

Excessive loans and/or withdrawals


1. One-Man Rule

2. Non-Participating Board

3. Unbalanced Top Team

4. Lack of Management Depth

5. Weak Finance Function

6. Combined Chairman and Chief Executive Officer

[See also book by Prof. Marianne Jennings on the “Seven Signs of Ethical Collapse”]

Acting CFO, FLY DUBAI

Upon

A Time

In a land of Milk & Honey

Each king harvested huge amounts of money

Kenneth Lay, Enron: $1 billion

Bernie Ebbers, WorldCom: $3.8 billion

Bernie Madoff, Madoff & Co.: $50 billion

Ramalinga Raju, Satyam Computers: $1 billion

Ethics …is at the very heart of “...effective risk management, control, and governance processes”

The bright Light of “Ethical Guidelines”:

“Our clients' interests always come first. Our experience shows that IF we serve our clients well, our own success will follow.”

“Our assets are people, capital, and reputation. If any of these are ever lost, the last (REPUTATION) is the most difficult to regain.”

John Whitehead, Goldman Sachs former co-chairman

When Pluto himself violates…

• Unbridled Risk Appetite
• Controls don’t work
• Brink of failure
• Situation: RED HOT

YES!!! IA IS BETTER PLACED to detect (and even deter) management fraud

Provided...

• Skill
• Access
• Independence (no fear)

Flawed Risk Evaluation process related to Audit Priority/Scope determination

• Absence of risk assessment tools
• Outdated risk assessments
• Inadequate or no interaction with line and senior management for risk identification

Skill-gaps in information gathering & analysis.

Absence of Continuous Monitoring tools and techniques.

Compromised independence in conducting appropriate investigations and reporting.

When to the Top Cat we report, functionally or administratively

Our freedom is compromised, effectively and completely

When the Bosses are at play, No one can have their say

Should IA attempt to speak, We will be made to squeak

Because our toes WILL be stepped on, or no

1. Can Internal Auditors audit Ethics and Behavior?

2. Should internal auditors be trained to conduct "behavioral auditing"?

[Survey chart] Can internal Auditors audit ethics and behaviour? (YES)

Groups: Atlanta Before, Atlanta After, Quebec Before, Quebec After

Values shown: 47%, 80%, 61%, 86%

[Survey chart] Who would be most effective in identifying issues before it's too late?

Options: Board and Audit Committee, External Auditors, Internal Auditors, Other

Values shown: 9.7%, 4.7%, 79.7%, 6.0%

[Survey chart] Can Internal Auditors be trained to conduct "behavioural auditing"?

Options:
• Yes
• No, this is something which internal auditors have or they don't
• Yes, if this training is integrated into the undergraduate curriculum
• Not sure

Values shown: 81.0%, 6.0%, 4.5%, 8.5%

Chief Internal Auditors Dilemma

• What about CEO, CFO, Top brass?
• How to balance the “science” with the art? Just gut feel not good enough
• How to develop skills to monitor “behavior” before it is too late
• Whom to report to and when….?
• How to develop formal and informal comm. lines with CEO, CFO, Board

Get Going…

IIA to rise to the new expectation

Learn new Skills, DIY style

meeeaaaaoownn

The Persian Cat

all purrrr and fluffy,

Not for catching the Fat Rats

Profiling the Chief players (identify the potential Psychopaths)

Faster data gathering and analysis

CONTACT (Continuous Tracking & Analysis of Critical Transactions)

Ring fencing (including the Rule Makers)

Broadcasting your “new” skills & successes

Art of “close-but-formal” relationships

The Top Cat

Dances in Delight!!!

The “King” is the Supremo.

Most will respond with indifference:

“We already know about this...”

“Don’t worry, this is: approved/discussed/agreed/decided/being looked into/too confidential etc...” OR

“What utter rubbish; you are wasting your time; you have no idea of the business.”

Go BEYOND...

The Big Boss?

The AUDIT COMMITTEE?

Become the Whistle blower?

Nowhere else to go?

Dark as night…

Nothing in sight?

Hugely Debatable

Very Controversial

Let’s be truly Free… to go

Where NO Internal Auditor has ever dared to go before,

Officially

Direct Access to The Statutory Authority that deals with Compliance & Financial Reporting Regulations in the country.

- Access to be USED ONLY when “serious fraud or extreme RISK-taking” is suspected and stakeholders’ interests are involved.

- In the US, it is the SEC (Securities & Exchange Commission).

- In most countries, a similar body exists.

If you were required by Law to adopt “The IA Charter” in its full glory

If you were to have “Direct Access” to not only a truly independent Audit Committee, but also to the State’s “Regulatory Authority”, and,

If you were able to provide, fearlessly: “Enterprise-wide Risk Assurance & Consultancy Services”

“Only then, will you be an Internal Auditor, my son!”

1. Do you know who has the power and the authority to make or break?
◦ By Mandate
◦ By Default

2. Do you know the extent of damage that can be caused by the ones holding the power and the authority?

PROCESS: Profiling, Risk Identification; Upfront Mitigation; Monitoring; Response

Profiling, Risk Identification:
• People with Authority & Power, Attitudes
• Personality preferences, Conflicts
• Career chart, Social pressures, Values

Upfront mitigation: Back Checks, Governance, Controls, Segregation, Compensation model, Independent oversight, Regulatory regimes

Monitoring: Compliance, Performance results, Swings in financials, Compliance Record, Disclosure failures, Audits, Reviews, Hotlines, lifestyle

Response: Informal/formal, exploratory, suggestive, phased…..?

Behaviour issues of: Members of Board; CEO, CFO; Executive; Senior Mng; Operations / Dealers

Who would know:

Shareholder

Board

Executives

External Auditors

Regulators

Chief Risk Officer NO

Chief Internal Auditor NO

1. Can Internal Auditors audit Ethics and Behavior?

2. Is it possible to “detect” and “predict” bad behavior before it can cause huge damage?

3. Who among the “stakeholders” should be accountable for identifying behavioral issues at the C suite before these cause damage to the organization?

4. What could be done to prevent such corporate disasters?
