Oxalite Inc: A Cautionary Tale (a fictional company)
1. For discussion purposes, treat Oxalite, Inc. as a public company. Based on this assumption, reflect on the following:
a. What were some internal control deficiencies and even material weaknesses? How would they have been discovered? What would be the implications for Sarbanes-Oxley Section 404 compliance?
b. Analyze this case using the COSO Fraud Risk Management Guide Principles 1, 2 and 5 relating to the COSO internal control components of control environment, risk assessment, and monitoring.
2. How could the external auditors have helped avoid this adverse corporate governance outcome?
3. How could the internal audit function have helped evaluate the design and operating effectiveness of internal controls?
4. Mr. N.G. Shankar, CAE of the Aditya Birla Group, a large conglomerate in India, and a former member of the Internal Audit Standards Board of the IIA, has remarked, "Poor culture leads to organizational disaster." In what way was his observation justified in the case of Oxalite, Inc.?
1(a): Some internal control deficiencies and material weaknesses
Promotions were based on loyalty rather than competence.
Employees did not feel safe bringing bad news forward.
Furthermore, skepticism was discouraged; questions frowned upon.
Employees were simply provided with a web link to the code upon hire and few had ever accessed or read it.
The Asian office came under particular pressure, as hopes for ever-higher earnings were pinned on rapid-growth markets. Executives struggled to hit targets but learned to manipulate the books to make it appear they had.
The board of directors and audit committee met regularly but rarely availed themselves of the opportunity to engage internal or external auditors, or the company’s ethics and compliance personnel.
Board meetings discouraged two-way discussion, and the board frequently ran out of time before ethics and compliance issues could be discussed.
The audit committee rarely met with executives or middle management, and when they did, failed to ask questions whose answers might have raised red flags.
The participants in the financial reporting supply chain were insufficiently inquisitive or skeptical. They assumed all was well. It was not.
How would they have been discovered?
The vigilance and engagement of all who have a role in preparing or reviewing an organization’s financial statements can act as a protective mechanism, so frauds are more often deterred and more easily detected.
Implication for SOX Section 404 Compliance
Section 404 compliance projects must encompass the company’s overall control environment as well as every key process related to financial reporting throughout the organization, in all business units, divisions, and functions. Moreover, companies must annually repeat the section 404 assessment processes, making it critical for this year’s compliance project to lay the foundation for sustained compliance in the future. And because executive oversight of internal control is fundamental to COSO’s concept of strong internal control, company leaders should take explicit responsibility for managing internal control over financial reporting in all areas of the organization.
Absence of an enterprise-wide internal control management program casts serious doubt on executives’ commitment to effective internal control. If an organization cannot show that such a program exists, its board of directors or independent auditors may suspect that the company’s leaders lack the necessary focus and initiative to foster an effective control environment.
Without an internal control management program to drive the enterprise-wide effort, a company may not only fail to detect a material weakness, which would result in an adverse opinion on the effectiveness of internal control over financial reporting from its independent auditors, but also jeopardize its ability to sustain compliance in future years.
One of the key functions of an internal control management program is to inform executive management of the state of a company’s internal control and the status of its section 404 compliance efforts. Executives who cannot demonstrate their knowledge of this information risk being unable to make the appropriate disclosures regarding changes to internal control over financial reporting required by section 302 of Sarbanes-Oxley.
1(b): COSO’s Fraud Risk Management Guide Principles
Principle 1: Control Environment: The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.
A fraud risk assessment is a dynamic and iterative process for identifying and assessing fraud risks relevant to the organization. Fraud risk assessment addresses the risk of fraudulent financial reporting, fraudulent non-financial reporting, asset misappropriation, and illegal acts (including corruption). Organizations can tailor this approach to meet their individual needs, complexities, and goals. Fraud risk assessment is not only an integral component of risk assessment and internal control, it also is specifically linked to 2013 COSO Framework principle 8.
Principle 2: Risk Assessment: The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.
A fraud control activity is an action established through policies and procedures that helps ensure that management’s directives to mitigate fraud risks are carried out. A fraud control activity is a specific procedure or process intended either to prevent fraud from occurring or to detect fraud quickly in the event that it occurs. Fraud control activities are generally classified as either preventive (designed to avoid a fraudulent event or transaction at the time of initial occurrence) or detective (designed to discover a fraudulent event or transaction after the initial processing has occurred). The selection, development, implementation, and monitoring of fraud preventive and fraud detective control activities are crucial elements of managing fraud risk. Fraud control activities are documented with descriptions of the identified fraud risk and scheme, the fraud control activity that is designed to mitigate the fraud risk, and the identification of those responsible for the fraud control activity. Fraud control activities are integral to the ongoing fraud risk assessment component of internal control.
Principle 5: Monitoring: The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.
2. Role of External Auditors in avoiding this adverse corporate outcome
The external auditor would facilitate a situation whereby managers are encouraged or compelled to be held more accountable.
Through an appropriate application of accounting policies, the external auditor could help facilitate a position whereby creative accounting practices and hyperinflation/inflation of figures are discouraged.
Penalties could be imposed on managers and directors who intentionally or recklessly inflate or manipulate accounting figures and financial statements. Such penalties could arise in the form of a reduction of such managers’ (and directors’) annual bonuses, remuneration or even pensions.
The likelihood of a qualified audit opinion (as regards the auditor’s findings on the financial statements) is considered to be less effective as a deterrent to such managers – particularly where an individual manager or a few managers are held responsible for fraud-related acts. In such a case, a “scapegoat” or a few scapegoats would be held to account for the negligent acts of others who should also have been brought to book for their actions.
Apportionment of liability on a proportionate basis would also produce a more equitable result than is the case where a qualified opinion is issued by the auditor. The financial audit remains an important aspect of corporate governance that makes management accountable to shareholders for its stewardship of a company.
3. Role of Internal Audit function in evaluating the design and operating effectiveness of internal control
The internal audit function acts as the eyes and ears of an organization with respect to risk management, control, and governance processes. Taking a risk-based approach, internal auditors evaluate the effectiveness of these processes on a continual basis. In addition, they may monitor and evaluate results of whistle blower programs and collaborate across departments to help ensure that results are addressed and that applicable weaknesses in the governance, risk management, and internal control environment are remediated. In many cases, they also assess compliance with the code of ethics, conduct ethics surveys of employees, and analyse year-over-year changes in key metrics.
Internal audit should communicate, evaluate, and reinforce the ethical tone of an organization, as well as test compliance with anti-fraud programs and other controls. Skepticism must be employed in the examination of management’s fraud risk assessment, review of evidence supporting management’s assertions in the financial statements, and in the evaluation of controls intended to deter or detect fraud. Internal audit must operate with organizational independence, which usually means direct functional reporting to the audit committee and unrestricted access to both the board and audit committee in the event concerns arise.
Internal audit is “a function, while internal control is a system”; this means that internal audit assesses the effectiveness of controls put in place to mitigate risks. Therefore, internal audit is not responsible for identifying risks or putting controls in place. However, internal audit can assist in this process through its consulting activities. It assesses the viability of solutions and processes that internal control has developed. It is the role of internal control to identify risks relevant to operations and to develop reliable controls.
The internal audit function will also provide recommendations to senior management to improve inaccurate processes or to fix errors.
The board of directors has a chance to monitor internal control through the function of internal audit.
The goal of the internal control system is to “ensure that the Group’s operations are efficient and profitable, that its business risk management is adequate and appropriate, and that the information created is reliable. The control system also makes it possible to oversee that the determined operating principles, given instructions and possible related party transactions are followed.”
4. Poor Culture leads to organisational disaster
Financial reporting fraud remains a concern today, however, and research continues to explore conditions that were present in organizations where frauds were uncovered. A consistent finding from research is that the risk of financial reporting fraud tends to increase when the individuals who comprise the organization’s financial reporting supply chain—management, the board of directors, audit committee, and internal and external auditors—do not fully understand their responsibilities and/or do not execute them appropriately. In such organizations, one or more of the following situations often are found:
• Lack of a strong “tone at the top” and an ethical culture;
• Insufficient skepticism on the part of all participants in the financial reporting supply chain; and
• Insufficient communication among financial reporting supply chain participants.
Global organizations face an array of additional challenges such as cultural and language differences that can confound efforts to deter and detect financial reporting fraud. Conversely, if all who have a role in the financial reporting supply chain understand their responsibilities, encourage a strong tone at the top and ethical culture through both word and deed, know how to exercise skepticism, and communicate consistently and effectively with all relevant parties across all geographic locations, an environment conducive to financial reporting fraud is less likely to occur.