For many executives, the topic of internal control conjures up images of details deep in the corporate infrastructure best left to staff with green eyeshades and pocket protectors (if such gear actually still exists). Unfortunately, misunderstandings persist regarding what internal control is all about and its relevance to achieving critical business objectives.

We focus here first on how misunderstandings at the board of directors' level can cause oversight to be woefully lacking, and then take a look at what can and does happen to companies when controls fail to protect.

What We Have Is a Failure to Communicate

As a Compliance Week reader, you probably know well that internal control over financial reporting addresses only one of a company's major categories of objectives; the others are effectiveness and efficiency of operations, and compliance with laws and regulations. Understanding that distinction is essential but sometimes overlooked, even by smart and capable people. More fascinating is that some accomplished business people believe that because their companies comply with Section 404 of the Sarbanes-Oxley Act, which specifically addresses internal control over financial reporting, they have done what's needed to address the entirety of internal control and even risk management. Not true.

Working recently with a large multi-national company, I spent time with each of the board members—one of whom is a nationally known and highly regarded educator and business adviser. His explicit message to me was that since the company already complies with SOX 404, including the auditor's attestation therein, all categories of internal control are therefore well addressed in the organization, as is the broader scope of risk management. Accordingly, he argued, the board has no need to look any further into those processes.

Working to maintain my composure, and using all the tact I could muster, I asked whether he had considered that the SOX 404 rule focuses only on internal control over financial reporting—and does not address internal control over either operations or compliance objectives. And while SOX 404 does include an element of risk identification and analysis, it doesn't extend to a company's broader risk-management processes. After much discussion this director better understood that the company's and auditor's compliance with SOX 404 does not provide comfort regarding operational or compliance objectives and their related risks and controls. And no, the board cannot take a hands-off approach.

The moral is simple. With this kind of misunderstanding and lack of board oversight, a critical element of a company's internal control system is woefully lacking. Is this important? Unfortunately, we see too many instances of companies suffering badly by lack of effective internal control over their operations.

Devastating Losses

If we want examples of how operational controls failed big time, we need look no further than loan originators, banks, and other financial institutions that precipitated the financial system's near-meltdown and cost billions in shareholder value. And more recently we find that their controls failed to maintain adequate records and procedures for tracking the location of mortgage notes, likely to cost billions more. We can look at failings of production processes at Johnson & Johnson, where its brand-name products made people sick, and the problems Toyota encountered with faulty steering mechanisms, accelerators sticking, and brakes not working properly. And we know all too well the result of control failures at Société Générale enabling “rogue trader” Jerome Kerviel to make his unauthorized bets. The costs, in terms of billions of dollars, loss of market share, and reputational damage, are enormous. (If you're interested in more in-depth analysis, you can look back to my columns on these companies. Sadly, there is plenty of material to review.)

Now we see reports of other control failures in another prominent industry, adding to the list of problems in banking, auto manufacturing, and pharmaceuticals. These occurred at major oil companies, and are certainly worth a look. No, we're not talking about obvious problems with deepwater drilling, oil spills, and related damage, but rather about protecting critically sensitive corporate information. You may have seen the media coverage; a recent New York Times headline phrased it, “Hackers Breach Tech Systems of Multinational Oil Companies.”

Now, we've long known the importance of identifying and analyzing risks related to corporate information (both financial and operational information) and of establishing relevant controls to keep that information secure. IT managers and security executives, internal auditors, and others in many companies have worked diligently to provide assurance that specified sensitive information is available internally on a need-to-know basis, and that valued trade secrets remain as such. And we've known the risks of hackers getting inside the secret vault of information, with the potential to wreak havoc. Certainly we would like to think the largest corporations have well-designed and up-to-date control systems to achieve these important operational objectives.

Back to the oil industry: cyber attacks apparently emanating from somewhere in China hit what might be viewed as a corporate jackpot. According to media reports, experts at IT security firm McAfee said systems at five (unnamed) multinational oil companies were breached, with the intrusions aimed at corporate espionage. What did the hackers get? Apparently a mother lode: a haul no less than “oil and gas field production systems and financial documents related to field exploration and bidding for new oil and gas leases,” as well as information related to industrial control systems. Talk about high-value information!

How did the hackers do it? Information is sketchy, but it points to hackers operating out of Beijing who set up servers in the United States and the Netherlands to break into computers in a number of countries, including the United States. According to the McAfee report, “The intruders used widely available attack methods known as SQL injection and spear phishing to compromise their targets. Once they gained access to computers on internal company networks, they installed remote administration software that gave them complete control of those systems. That enabled the intruders to search for documents as well as stage attacks on other computers connected to corporate networks.”

Now, we recognize that hackers are becoming ever more sophisticated (although the report says these attacks were less sophisticated than the successful ones against Google a little more than a year ago), and staying ahead of evolving methods to break into corporate computers is challenging. With that said, however, one wonders why large oil companies wouldn't do everything necessary to prevent cyber attacks, knowing they're occurring with increasing frequency.

Mundane?

For those who continue to play down the “mundane” matter of internal controls, and question whether they really matter, or only apply to crafting reliable financial reports, we can only say—you darn well bet they do! And not only should senior executives take note; boards of directors carrying out their oversight responsibilities must recognize the risks and the critical importance of relevant controls over company operations, and be sure effective controls are well designed, in place, and operating effectively. Too much is at stake to do anything less.