Coffee & Conversation - 2020 Fraud Detection Guidance for Audit Committees
In this installment of Coffee & Conversation, Partners Jessica Magee and Michael Stockham are joined by Holly Tucker, a forensic partner at Deloitte, to discuss how audit committees should approach their year-end audits. 2020 was a year unlike any other, and the status quo simply will not suffice. The speakers cover several areas for audit committees to probe, from accounting policies to whistleblower complaints to communication with management, emphasizing that above all, audits need to dig deeper, ask more questions and obtain more data — and recognize that regulators will be doing the same.
Jessica Magee: Good morning, everyone. Welcome to another installment of Coffee & Conversation today with Holly Tucker, a forensic partner at Deloitte, who we are so excited to welcome. Holly, I'm sure a lot of people that are watching and listening today know you by experience, by strong reputation and hopefully having had some opportunity to work with you. For those that have haven't, I'll say you just have a wealth of experience, a ton of experience in the forensics practice, spent a good deal of your career helping think through, steward through, provide advice to clients on matters of anti-corruption, anti-fraud, fraud assessment, risk assessment and really all things related therewith. So we're so glad to have you today. Welcome to Coffee & Conversation.
Holly Tucker: Thanks so much. Glad to be here. I have coffee as well.
Jessica Magee: Good, good, good. Well, and as I often am, I'm joined this morning by my partner, Michael Stockham, a TK lifer with whom I started on my very first day of practice more years ago than I'm going to disclose. The thing that I am excited about most today is what we all three have in common. We've spent many years thinking about issues that boards think about and particularly audit committees. And today we're going to be talking about audit committee members, audit chairs, as they prepare for that year-end audit, engaging with management, with their other directors and with the outside auditors on year-end audit, and all things related thereto. But we're going to really focus on fraud inquiry, anti-fraud considerations and really understanding the environment of the company this year. So many companies, of course, are winding their year down now, their fiscal year, and there's just so much we could discuss. But I'm really excited to bring this installment forward because what we're going to focus on is really trying to help frame that series of conversations for audit committee members so that they feel ready to go into conversations in a year unlike any other. To say this was a year unlike any other is ridiculous at this point, we all know it. This was not a year of status quo, from a global pandemic to market volatility and in workplace, workforce disruption. So a status quo mindset going into audit committee work this year, just, I don't think, for the three of us, we feel like that would really do justice or cut the mustard as it were, to use a very specific legal term of art. So we're really going to focus in that area and hit three themes. I'm going to cover those themes, and I'd like the two of you to give me your views on them and sort of orient the audience to the conversation we're going to have. I think the three themes that I really want to cover are a call to action for audit committee members and audit chairs to really encourage them to dig in and bring their questioning minds to their work and understand how 2020 was different for their companies, positively or negatively, but in any event, how operations, financials, risk matrix were impacted this year. And we'll walk through, as our second theme, a series of focused topics and potential questions, just canned questions, that we think audit committee members can consider and use in their conversations to ensure that they're engaging appropriately, robustly and really meeting the company where it was and is at the end of this different year. And then lastly, bringing those first two themes together at that intersection for an audit committee member of how do I make sure that I am engaging in appropriate and robust oversight, but not stepping into or overstepping into management's day-to-day role, and just thinking through those issues for committee members. So I want to shut up for a second and ask you first Holly about those three themes, and it's a lot of work and subject area we're going to cover in this hour. What can you offer sort of to tie those three themes together or kick us off in terms of what audit committee members should be thinking about and bringing to their work in their companies this year?
A Call to Action for Audit Committees: Ask More Questions, Dig Deeper
Holly Tucker: Thanks, Jessica. There is, you're right, I mean, we could spend a whole day kind of talking about this stuff, but I love that you've kind of narrowed the focus a bit. But I think, I think across those three themes that you just kind of shared with us, I think that the one thing you said that really resonated with me, that I think audit committees need to kind of embrace and then figure out how they're going to pivot if they haven't already — and I think many, many are, we're now in the eighth month of this kind of current environment — was around that status quo is just not going to work. I had the opportunity to speak to some audit committee chairs and audit committees earlier this week, and this is a very similar topic. I think there was a few things that resonate for me. Number one is they've got to be asking more questions. And we're going to get to those specific things, but when we put it in the context of fraud and corruption and ethics and compliance, it is a year unlike any other. And asking questions, understanding management, what have you done different this year? What are the risks that exist right now that we didn't even maybe think about or that we had thought about but it really wasn't something that had risen to the level of concern in, let's say, March 1 of earlier this year? I mean, that's how much things have changed. And so I would really, for audit committees, now is that time to issue or to have enhanced professional skepticism, questioning mind. Don't ask just the first question and then kind of asked and answered. It's really digging. What have you done different? What are you continuing to do different? What are you doing to address the cultural changes or impacts that this environment is having and how that may impact the fraud risk management program of the organization? Where are we really focused on internal controls? How's our control environment changed? I mean, there's a whole host of questions that I know we'll get into some of these that I think audit committees really should, and based on what the discussions I've had, are focusing on. So let me pause there because I don't want to kind of go through all this stuff you're about to ask us, but there's just a whole host of things here that I think they're starting to consider.
Jessica Magee: Well, even that, I think, is part of the point, is that there is so much to be discussed and considered. It's incumbent really on a member of an audit committee to think about just what that statement alone means. So how are you going to organize and approach all of the things that really are encompassed by the duty of oversight this year? Michael, before we kick off, though, and get to some questions, you've had a lot of experience working with audit committees and boards of directors. A lot of times a conversation appropriately is the directors' role, the committee's role is one of oversight, and it's not their job to step in and do the day-to-day management of the company. And I would wager that some of the conversations we're going to be encouraging committees to have — as Holly said, don't just say asked and answered, dig deeper and ask more questions — that could feel sort of probing to a member of management or even maybe closer to adversarial or more skepticism than they're used to. Thematically, and we'll talk about this more, what would you say? How do you think it through in terms of balancing those issues or maybe forecasting them even for management so that it's not taken the wrong way, it's not a surprise or a shock.
Michael Stockham: Yeah, I think the way to look at it is just to be prepared for that second and third question. I mean, management is, they've been picked to lead this company because they have a certain skill set, they have a certain strength, bravado, they can withstand the questions. And there is a difference. I know we want, the board of directors is there for advisory, it's there for strategic reasons, it's not the day-to-day running. But to break it down into an analogy, the board isn't going to drive the car day-to-day, but the board has the right to ask a lot of questions about the car. What's under the hood, how it works, when was the last maintenance, what do we need to do in the future? And those aren't really taking over the province of management. And so, they can probe everywhere that they want, and they need to ask those questions. And I think when they're preparing for the board meeting, it's a good thing to think about, well, what is that second- or third-layer question, and sometimes it may be as simple as "why" or "how do you know that," "where is the data." Get to the more descriptive or, we even use them in depositions, the idea of "describe that to me," "tell me that more," get management to talk a little bit more instead of sort of, more perfunctory or short prepared canned answers. And it's not an issue of being adversarial. It's just everybody's in the same situation now, with it being completely unique and new paradigms shifting with offsite workforces, all kinds of new cyber threats. There's a lot in motion, and when you have that much in motion, it really behooves everybody to sort of start thinking wider, broader, deeper so that they get to the answers they need, especially as they come around the corner, because I don't think in the future we're going to see any sort of a relaxation of regulation or questioning from the SEC or other interested parties.
Proactive Communication with Management
Jessica Magee: Do you both think — and Holly I'll ask you first — do you both think it's OK for an audit chair to, if they interface mostly with the CFO or GC, whomever in the company, to forecast the management, "Hey, we're going to ask more questions this year. Here's why, don't want you to be surprised. We're all in the car together. We want to make sure that we understand what the potholes were that we either hit or were able to drive around." You think that's OK to do, Holly?
Holly Tucker: I think so. I think that transparency is really critical. I mean, always, but I think that now more than ever. And so I think kind of setting those expectations and laying the foundation to let them know, "Hey, we're going to be digging a little bit more, and it's not because we think you've done anything wrong. We really want to understand what you have done, hopefully right, to address the situation." And there's certain risks that are, that are really escalating. There's some around the corner that quite honestly, organizations don't even know about yet. I mean, it's kind of, unfortunately, I think we kind of wake up in a new world, not almost every day, but it seems like it. But yeah, I think it's absolutely OK. And you know, again, I referenced this earlier discussion I had this week, and I will tell you the chair of the audit committee very specifically on this discussion said, be transparent. Let management know that these additional questions are likely coming. Let, there may be additional sessions. We may have some one-off sessions, and that's OK. Be prepared and be transparent. And so I absolutely think it's probably a good practice.
Jessica Magee: What about you, Michael?
Michael Stockham: Yeah, I mean, even think of it from just the human dynamic. So anybody that is going to, in a conversation where it's going to be question and answer, that can come off feeling very adversarial. And it doesn't have to be if you set expectations first. If you set that out and tell them what the paradigm for the conversation is, you're going to set them at ease that they're not, once you start questioning people that the first — I mean, I think it's just a human instinct to start thinking, well, what did we do wrong, what are they looking for, where are they going with these questions. And that's not what this activity is. This activity is, in an ever-shifting world right now, we're trying to make sure all the balls, which have now magnified exponentially, are still in the air and we understand how it's working. So if you tell management in front that we're going to do this, this is what we're expecting, they'll be prepared for it.
And when someone's prepared both mentally for the exercise that's going to happen, as well as with the facts and the data, then it shouldn't be antagonistic at all.
It should be actually a very robust conversation and might lead to a new interaction between the audit committee and the company going forward, all to the benefit of the business and to the shareholders.
Jessica Magee: I mean, I completely agree with that, and I think anyone that knows any of the three of us has probably heard us say, and I'll say it again, we really encourage not just now, but always, healthy engagement, healthy conversation, transparency, engagement, sort of that continuing buy-in and reinvestment that we're all in the same boat, we're all rowing in the same direction. We'll make these forecasts of, it's going to be a more question-answer year, but here's why that's OK. But I would say to those, I'd say, fewer companies out there where maybe the experience of a committee member or a chair asking those questions is that the person on the other side does have a problem answering them, or they can't present information, they can't put the right people or facts in front of you. That should start to really raise more questions in one's mind. Is there a reason they're having difficulty answering these questions? Am I asking the right person? And not necessarily even suggesting, OK, my "fraud flags" are flying now, but did we miss something? Were they maybe not thinking about the things that, hindsight being 20/20, they might have been thinking about on April 1, but we're just now talking about on December 1? So our encouragement really is, we're not suggesting that people assume something went wrong, but go in knowing and embracing the fact that this is a challenging and first-of-its-kind year for essentially every company, and it's OK to ask newer, more probing series of questions. And if something doesn't sound right, something doesn't feel right, listen to that sense, trust your judgment as a committee member and ask that next question. Talk to your other committee members until you get to a level of comfort. And of course, as is always the case, if you've got questions about what we're talking about today, some of the questions we're going to suggest you as committee members pose when you're working with management, email us, call us. We're happy to talk through these things because, in a sense, it's easy for us on the outside to say, here's what you go and do. It's a harder thing to be the person in the moment having to ask the question, having to sit on a Zoom or sit on a phone call or maybe in a room, and ask a question that you've never asked before, and maybe even as a new audit committee member or of a newer member of management. So we recognize that we have advice, but it can be hard to apply in the real world, so we're here for any questions about that.
Holly Tucker: And Jessica, I just want to, you brought up a really good point, and I think you're spot on, that kind of this proactive communication with management. This is the sorts of things, these are the sorts of things we're going to be looking at. We are going to be asking more questions. There's many different risks that are coming up, and certainly those impact the financial statements. Really kind of risk all at some point, there's more likely than not some kind of a dollar value impact. But I think the one thing you said that really resonated as we think about it from a fraud perspective in this current environment, and we'll get into this, we do, the risk of fraud has increased. And so I think if you've laid the foundation with management and then you start to ask some of those questions, and they don't have a good response or they haven't considered certain things, they knew, they may not know your questions in advance and you're not doing a probing interview. But I think you're absolutely right that if, I would also say, again, that's where we really want to kind of put on that skepticism hat a little bit and just ask the next question. Because if management knows it's coming and they're not prepared and/or haven't addressed it, haven't thought about it, it doesn't mean there's fraud occurring, necessarily. But it could mean that management maybe needs to do a little bit more as far as risk sensing and kind of figuring out what's happening to the organization so they can share that with the audit committee.
Jessica Magee: I agree entirely, and I think that's a good moment for us to transition into sort of some brass tacks. I mean, it's one thing for us to say, ask more questions, be, take your already high level of engagement and take it up even another notch, recognizing that people on audit committees are dealing with their own lives. They're fatigued from nearly a year of COVID as everybody else is. They're remote, they're dealing with their own issues. We know we're asking and encouraging a lot, so let's make it a little easier for people and turn to some actual questions that we think are worth having in the can, considering to ask, modified to fit whatever your circumstances are. But Michael, why don't you — we're going to go through a series of questions, talk about them a little bit and we'll flash them up here on the screen for folks. And at the end, we'll put the whole list there together. But Michael, why don't you take us through the first, and this is really sort of a macro level setting question that you would encourage audit committees to be asking.
Workforce Disruptions, Employee Fatigue and the Fraud Triangle
Michael Stockham: Yeah, absolutely. So let's turn first towards what one of the biggest disruptions for all companies right now, which has been the workforce. I mean, a ton of companies have gone to work at home, distance, working distance, communications, we've all become Zoom fatigued, all that kind of thing. So, Holly, I mean, the first kind of question and scope would be how did the company address any issues raised by fatigue or offsite work? I mean, how would you suggest that audit committees start probing into that related to their employees and how this has impacted the people that actually are touching the business and the books?
Holly Tucker: Yeah, so I think it's a great question that definitely needs to be asked, which is, how has the workforce disruption and displacement impacted our operational capacity, impacted the well-being, quite honestly, comes into play, of our employees. And so I think it's really understanding, from management, where have we been impacted from an employee perspective? Have we had furloughs? Did we have significant layoffs? Have we had, and in many industries, the answer is duh, of course we have. But really understanding, where are those areas where we've asked, where management has had to make the decisions, and employees are now being asked to do more with less, what have been the impacts on the control environment? Have we seen specific areas where we've had concerns, either because some of our key controls, like segregation of duties between employees, is gone because of, or areas where we've just been impacted from some people being remote and some people being, I don't know where they are. And so it's not so much, I don't expect necessarily the audit committee to get way into the weeds on that, but I do think it's a fair question for them to be asking, what have we done, management, what have you done to assess and address the workforce issue? Now I would add one thing, too, and Jessica, you mentioned this earlier. Not all organizations are suffering. We have some that are thriving. And so it's also understanding, what are we doing to address — Michael, you mentioned this — the fatigue? The Zoom fatigue, the mental fatigue. If you've got people on the front lines that have been working through this whole thing, they've got family members that could be at home sick. Maybe they have people that have been, they've been impacted, but they're still working. There's a whole host of questions to really, I think, start to ask around that. Yes, specific to the control environment and how that impacts the organization's financial records, but also just some broader kind of workforce-related issues, whether your company is thriving or whether they are just really trying to stay afloat.
Jessica Magee: Yeah, and it makes me, it brings to mind for me another question that I would suggest, which is, maybe even broader stroke, starting with, what, how is this year different than last year? We were talking earlier about how this was not a year of status quo and how did it change. Are we just thriving and we're having a record-setting year, or are we sort of on the ropes? And in what do we mean when we look back and say, "How was this year different?" And so, it's really that age-old funneling technique where you start broad and get down. And I completely agree. We're not asking or encouraging, and it's not really meant to be the job of the audit committee to understand every granular question, to redo anybody's job. You're really just trying to get a sense of what was the company's experience in this year that's being audited. And I think one of the major responses is going to be this workforce fatigue. That we had so many people be remote, even if we had people coming in through all of it, more than likely, there was some segment of people that had to be gone, or certainly they were impacted by having to be virtual, by having family members going through issues, family members that are essential workers. And I think to some, that might sound like, well, why are you asking me to sort of engage in bedside manner, sort of squishy questions, but even -
Holly Tucker: The people side of things.
Jessica Magee: Yeah. But I mean, I think you nailed it, Holly. Companies are their people, and when people are tired, when there are fewer people to do the job because maybe there's been a riff or natural attrition or any number of things, as people become tired, if they're not in their offices, if their systems are functioning a little differently, that can absolutely, that ball can bounce to actual impact on your operations, your financials. And so, I recognize — I think we all three do — that these are maybe some broader and different questions that sound more in terms of taking temperature on mood or even culture. But they're purposeful because — I think the three of us agree — they really can drive to words and numbers on paper for a public company's public reporting, for instance.
Holly Tucker: Well, and I think that absolutely, I mean, culture is one of, I would call it, it's a front line mitigating factor when we think about the risk of fraud and corruption and employee misconduct. And when you've got these, these forces, that we're seeing now. The workforce has been disrupted. People are working, I think, a lot. Other people are not working at all. We're doing it virtual. There is a pressure, right? It's almost people start to work and feel like they're working in this pressure cooker, and we can even look at the fraud triangle. Pressure, rationalization opportunity. I think all of those components and elements of it are elevated in this sort of environment. And so I think culture is really important, and that is why I think if audit committee, if you're thinking, well, how do I correlate that to my responsibility from a governance and an oversight and how that impacts the financials, I think the correlation is that when we see this pressure environment and we see the financial environment and all the other things that are happening around us, this current environment is not just pandemic. There's all sorts of things happening, and that pressure cooker is, I think, really kind of starting to, people are feeling it. And that is when really good people may start to make some really bad choices. That's when we start to rationalize it. That's when we realize, hey, there's an opportunity, because no one, everyone is so busy over here, no one's going to notice what Holly's doing over here. And that's kind of that rationalization. And so I think we think culture, we think people, we think well-being. The reason that I think those are important in today's environment is because there is a correlation. There's a correlation to people's behavior and activity, and then that typically is a direct impact on the financials or could be.
Jessica Magee: And Michael, I know you and I have seen it, Holly as well. I mean, it's such a great point about choices and pressure, because if you think about it, in my mind, I sort of think of it as a stair step, but it's just really fact-driven decisions that people make. Because if, maybe there's an instance where a person's like, everyone's focus is over here, they're not going to see me doing this bad thing over here. And maybe they're motivated, incentivized by some sort of personal benefit that's going to come from that. But also in a pressured environment like we're in, it's easier to cut a control. It's easier to just do something differently than you did before, or you just don't realize you've done something wrong. You've inadvertently busted through a control, or you've unreasonably or negligently failed to do or consider something that you needed to. And so, there's just a whole spectrum of how things can "go wrong" that looking back, stockholders or regulators or law enforcement or whomever might say, that didn't, that wasn't the right judgment, that wasn't the right oversight. And so I think these again, wellness questions, are just absolutely critical. Michael, anything to add there?
Michael Stockham: Yeah, I think you guys hit it. The single greatest difference, I think, between 2019 and 2020 is just the amount of pressure that comes both in people's personal lives and in the business. And to give you an example, we've all had the opportunity to have a child or a loved one have to go to the emergency room. And when we're in that crisis situation, when we're under that pressure, we'll make, we will not really pay attention to the details as to what the cost is or what the, what might happen five or six weeks down the line. We're in the moment trying to deal with it. And so, the pressure can get to the thought process, it can get to the rationalization — "we'll worry about it later." And I think just so many companies are in that particular environment right now, both those that are growing leaps and bounds and beyond, perhaps, their current control structure, as well as those that are undertake, having to undergo incredible changes. Anything that's an onsite business, movie theaters, restaurant chains, anything that has people coming in, all of those things have changed now for them, and they have for an extended period of time. And so I think that pressure in 2020 is just ratcheting up. And I think it's what we talk about when we talk about COVID fatigue, is people under pressure for a long time will, some of them will make judgments that they wouldn't might otherwise if they were less fatigued, less overburdened, perhaps as well.
Jessica Magee: So, Michael. Go ahead, Holly.
Messaging from Management and Understanding the Ethics Hotline
Holly Tucker: I was just going to say, I think, you may, I think you're probably headed this way, Jessica, but you know, and I'll throw this out there. It's, some people say it's an overused term, but I actually think it's very relevant. For an audit committee, I would really want to understand the messaging and the communication that management is putting out to the organization to encourage, even in the midst of a crisis, appropriate behavior, good choices, continuing to promote the whistleblower hotline. Those are the sorts of things, too, I would be asking, what are you doing to encourage and communicate a sustained tone at the top, and are you doing anything to address kind of that message in the middle and the buzz at the bottom? Are these three layers of the organization aligned as far as the expectations? Because that's the other piece of pressure, is the employees making bad choices. But the other side of that, unfortunately, is management making bad choices and setting that tone that we need to do this at all costs, or willful, just get it done. I'm going to, I don't really care how it gets done, get it done, we have to make the numbers. And then kind of stepping back. And so I think that goes along with culture and those specific questions that audit committees can be asking, is, what are you doing to enforce and reinforce and communicate your tone, your expectations, etc., in this environment?
Jessica Magee: So let's talk about that for a minute, and I'm going to steal Michael's thunder because I know he wanted to ask this question. It's a conversation he and I have a lot, and I'm always, we are always encouraging people, one of the easiest things you can do is say, is our ethics hotline functioning? Do we understand what happens when a complaint comes in? Is it going to the right people? Do we understand how we're processing reports or complaints? And I think a lot of audit committee, sort of as their normal cadence, get reports from compliance or of counsel of, here's how many complaints we got, here's how many reports. We're encouraging this year, and really, maybe going forward, a little more deep digging there. And so I think that takes us to a good next question to sort of put in your mind when you're going into these conversations is, is our ethics hotline functioning appropriately? Have we made any notable changes to our systems for employees or others to report concerns or complaints? Have we observed material changes in the type of complaints or concerns, the frequency, the content of concerns being reported by employees or others? And I think those are very good questions to ask. And when you are, when you are inquiring about the frequency, have we noticed an uptick? I think personally, it's also noticeable if you're noticing a drop in complaints. People may feel a ton of pressure and a lack of comfort in reporting that pressure or concerns. It's interesting. Those of us that follow whistleblower activity at the SEC, for instance, we've seen record whistleblower awards coming out of the agency. We know that the likelihood for increased whistleblowing exists, especially because by being remote, people that might feel unsafe or unsure about reporting a complaint when they go to the office every day might feel better about doing it remotely, but that's not necessarily the case. And so whatever the answer is to these questions, if it's, we've had a ton more complaints, OK, you need to understand why and what those are and how the company is addressing them. Or gosh, we're not seeing many complaints at all. Why do we think that is? Is it because we're running a perfect ship, or maybe is there something else going on? Again, we're not saying you need to get down and understand every granular detail, but good governance, we think, warrants that questioning mind here, and it absolutely goes to culture, tone at the top, buzz at the bottom, as you've said. Michael, could you give us a few thoughts on the impact of, even in a system where maybe there's a lot of pressure and you don't have a person explicitly saying, just get it done, but that sentiment exists, that I am responsible for just getting it done. The company's outcomes rest on my shoulders. I got to get this contract, and I got to get this deal done. I got to recognize that revenue.
Michael Stockham: Yeah. So I think you think about it as to what expectations people put on themselves and then what they might translate from the message that comes from management. And I think that is amplified in this environment because people are isolated and working at home and so there's not really any sort of level setting or balancing among some of the workforce when everybody's remote. And they may be thinking that they need to, as you said, get it done for the company in one way or the other. And the whistleblower activity, I think one of the things the audit committee wants to understand is what's the escalation process?
Because when we get in an internal investigation, when we're getting questioned by the auditor and ultimately maybe by the SEC, one of the things they really want to understand is how this process works. It's not an appended-on sort of thing that you buy and a process that somebody oversees. They want to understand how the complaint came in, who saw it first, how quickly it got escalated and how it got dealt with.
And when you think about some of the whistleblowers we've seen, Jessica, there's been anonymous letters dropped on a on a Chief Operating Officer's desk. There's been direct letters to the audit partner. There have been calls to the hotline. There have been people walking in orally. And so it's not just, it's not just having an ethics point to name one hotline where they go in and get triaged by somebody in risk management. You need to kind of understand, and the workforce needs to understand, how those come in or could come in and what they need to do when they do to get them escalated to the right person. Because if they deal with the numbers, that's a one-way ticket straight to the audit committee. They need to know that because if that bubbles up sideways somewhere else, that creates all kinds of suspicion or questions or other issues that can drive an investigation into a much deeper and more experienced area.
Jessica Magee: Holly, should audit committee members, audit chairs, be encouraging or at least inquiring about the level of, like you said earlier, messaging? What did the company do, what is the company doing, to message down and out, a "see something, say something" atmosphere, a collaborative, compliance first atmosphere? Is that something that is within their role?
Holly Tucker: I mean, I think so. I think it kind of gets to that, there is an expected level of oversight as part of their governance responsibilities related to kind of fraud and the fraud program, and a big piece of that — and of course, other things — and a big piece of that is understanding what management is doing. I think it's a fair question, especially in the current environment. Quite honestly, we should be asking this, I think, all the time. We should have a sense of, what are we doing to communicate to our employees? How often do they have training? Are we doing risk-based and tailored training based upon what we're seeing come out of a hotline or based upon, potentially, if we've seen one, two, three, four, five similar cases, do we have a pervasive risk that we need to go out and address? And so I think it's a fair question for them to be asking, what is our messaging? What are we doing specifically to address risk? How are you communicating that down, and how are you, management, taking the pulse of the organization? Or are you? Are we asking employees, do they have the ability to do a climate survey or a culture survey? What are you doing to kind of get that feedback and input from the organization, and then how does that correlate to your ethics and compliance program? I would say the other thing that you mentioned that I think is really important, and we're definitely seeing a paradigm shift — and I think we'd it honestly anyways, but it's been kind of elevated, again, in this current environment — is the need for not just metric-based reporting coming out of a hotline. We have this many number of cases, they were in this Category, X amount days to close. That's really, I think, relevant information and kind of metric-based, but that where we're seeing a bit of a shift is really, chief compliance officers and others wanting to be able to present more data-driven insights. Really diving into the data and then aggregating data, not just stuff coming from the hotline, per se, but looking at training data, looking investigative, looking at what is internal audit seeing from a controls perspective if you're a public company on SOX, have we had any SDs or deficiencies, any material weaknesses, how does all that correlate? So that when you're presenting, you can say, here's the metrics, but here's actually the trends that we're seeing. And then take it a step further, here's what we've actually done about it. And so we are seeing a shift in the amount of — and I still think it has to be a tight presentation. You can't go super into the weeds. You've only got a little bit of time in this session if it's internal audit or it's compliance that's sitting with you on their session. But I do think that there's a kind of a craving for that additional information to say, great, we had 100 cases. What do we do about it? How are we going to mitigate that?
Jessica Magee: It's spot on, and it brings to mind a couple of other points I'd like to make on that same topic, which is the questions around risk and getting a little bit more than just raw data to understand trends and maybe how that communicates company risk, how risk is changing, rebalancing. Just where the rubber meets the road for public companies, of course, is risk factor disclosures. We're hearing a lot about the review of a company's risk factors, the description of a company's risk factors. Are you describing things that may be risks when, in fact, you realized those risks this year and they had impact on your operations, impact on your numbers? So, those are, that's one way that these questions really can flow all the way through to words you are saying to the public that people really, really care about. And then, we're asking and encouraging a lot of audit committee and their work with management, I think, Holly, early on, you talked about there may be an extra session, that you may have a longer meeting, you may have a follow up. That's OK, especially if you are proactively thinking about the timeline, the cadence. You're having the right conversation with those stakeholders to say, here's what we think that's going to look like. And then really, good governance. Making sure that you're documenting that thoughtfully, intentionally and appropriately because perfection is not the goal. That's not reality. There are always going to be things that happen in a human life and in a corporation, but if you can show we're reasonable, we are thoughtful, and here's how we were especially reasonable and thoughtful this year and how we tried to really get at the content and the substance of the year that we had, that you're establishing credibility and goodwill and you're reinforcing those good governance principles that you really want to be able to demonstrate if anybody ever asks or has a concern. So, those are good comments you guys offer. And I know they'll be applicable by people watching today. Michael, you are a certified fraud examiner. You, of course, are a lawyer by trade but have spent a lot of your time studying accounting. You do a lot of work around GAAP, a lot of investigative work around that. So I'm curious, with that background but through your lawyer lens, what would you encourage in terms of questioning around accounting policies, accounting controls, things that can hit the numbers, disclosure, that might be additional considerations for audit committee members in their discussions this year end?
Accounting Policies and Controls
Michael Stockham: Yeah, absolutely. So one area we get in discussion a lot with, both with the auditor when we're doing investigations as well as the SEC, is areas of judgment. That's almost always where sort of these issues go. Did they push judgment so far as to be unreasonable? And we always think of it or try to analogize it to a golf or a fairway. The fairway is relatively wide, and it's pretty, and so judgment can go either down the center or off to either side a little bit, but not be in the rough. And the SEC may have a different judgment, the auditors may have a different judgment, but it may still be reasonable and something that can be defended. So I think if audit committees kind of step back and think, OK, well, what exactly are the areas that affect our numbers the most that we're relying on judgment calls for? Contingent liabilities or accruals, reserves or even things such as revenue recognition. Maybe percentage of completion accounting is part of what your business is. That's, that's, the core of that is judgment, how much of the contract is done. And so there's going to be some pushback and also some desire to make that, those judgments in favor of the company where they might get pushback other places. And some of that is going to, if you loop it back even a little bit to tone at the top and style, if you have management that is one of those hard charge - lots of boards love hard charging, get it done management that are great operators, and those folks are, they're brilliant at running companies. You have to think sometimes about how that message is going to be received by the workforce. If they are hard charging, if they are just get it done, is that coming off as aggressive? Is that coming off as something that might push somebody to bend a rule a little bit? So I think when you look at it that way, it's really sort of the judgment, and Holly can chime in on this, it's those areas that are specific as well as, when you go back to the fraud triangle on pressure, where are they going to, where is somebody that is concerned or isolated or feeling pressure? Where are they going to likely buckle? And it may be very well pushing that judgment from the fairway to the rough.
Holly Tucker: I might just chime in there. I think you're absolutely right, and I think auditors are going to be asking, are going to be looking at those areas that have more subjectivity. And looking at it for both companies that are doing really well and those that are struggling. You mentioned reserves, Michael. Another one is impairment. Are we are we taking impairment when we should, are we going to wait? Are we moving expenses, pushing them back to the next period, pulling revenue forward? Any of those subjective areas. And I think you're right, if you think about the pressure that certain organizations may be under — and there could be pressure points within the organization — as really kind of correlating and trying to figure out, we've got these subjective areas and we also know that this particular — I'm making something up — business unit has really been kind of struggling. And so is there a correlation there? I would say, the other specific question would be, have we had significant changes in accounting policies? And the answer of yes, no is not enough. It's that next question. What are they? Why? Was what was the timing? I mean, is it just because, is there a benefit to having done that in this current environment? So I think, again, to use your car analogy earlier, it's really looking under the hood. It's OK. You can have changes in accounting methodology and still be on the fairway. But why did we do it and what was the impact, I think, are some questions that definitely could be kind of in the list of considerations. And quite honestly, I think those are questions that are likely being asked anyways. Again, in a year like this, it's probably elevated just a little bit as far as kind of where it goes on the list.
What the Regulators Will Ask, SEC's Increased Use of Data Analytics
Michael Stockham: Yeah, Jessica, I want you to talk from your SEC experience a little bit about that, because the questions that are going to come from regulators when there is a change in methodology or something, the way you get to the number changed this year, I think, is going to be very suspect. And so in that regulator mindset, put back on your government hat and think a little bit about what the quiz would be, I guess, because those are going to be very, those are going to be unique areas this year, and they're going to be fraught with peril, I think, for a lot of companies.
Jessica Magee: Well, I'm glad you asked. It's funny because I was going to ask Holly, OK, let's go out to the narrative and you be the forensics partner that's sort of shadowing an internal investigation Michael and I are leading. Similar, right? Those questions are not the same, but they're in the same family. So, Holly, chime in and tell me if you disagree or if you have shades or contours on what I'd say. But you know, I completely agree. It is perfectly appropriate and non-controversial for companies to make decisions that they're going to change a policy, they're going to, they're going to reconsider a methodology, a key accounting principle, what have you. But it's the newspaper facts. How? Why? When? Who? What? It's understanding the purposefulness for it. And as a regulator, I think, a Division of Enforcement attorney or accountant looking at this after the fact, either because they've seen something come through in a filing, they've had a whistleblower submission, they've had just a normal what they call TCR, a tips, a complaint, a report, they're necessarily looking at it after the fact, and they're reading limited information. A public filing, a complaint in a legal proceeding. So they don't have the benefit of understanding the undercurrent of judgment, thoughtfulness and what was happening day to day to lead to those decisions. So the questions are going to be, was that reasonable? Were they doing something at a time where they felt like they had no choice but to do this? Because if they didn't change it from X principle to Y principle or X methodology to Y methodology, or if they didn't tinker with assumptions that they'd used all along, would they have had a bad outcome? Would they have missed consensus? Would they have taken a hit in the market somehow? What sometimes you hear regulators called diving catches. Were they engaging in things to save numbers, to manage earnings, to hide a problem or even prevent the disclosure of a problem to a later period because they thought they could fix it in that period of time?
Just like it's completely reasonable for a company to pivot, it's completely reasonable for a regulator to ask those questions, and they will. And I think going forward in 2021, they're going to ask them a lot.
And frankly, there's, if you think of fraud in phases, there's fraud that's already, there's fraud always going on, and there's fraud that's going to be happening. And if we think about it in the year of 2020, those tough calls, those questionable decisions, if they're, if you can't demonstrate reasonableness, thoughtfulness, and the right stakeholders were having the same conversation at the same time and on the same page about why this was appropriate, you may have headaches and questions, at least in the form of an investigative inquiry from a regulator. Holly, from your view, though, do you disagree? Do you think I'm wrong? And you could tell me if you do. What's different from a perspective of sort of shadowing it, an internal investigation that company is conducting?
Holly Tucker: No, I do agree with you, and I think that you're absolutely right. You touched on it earlier, there's been a record number of kind of whistleblower tips and things coming in. The SEC certainly is kind of ramping up their use of analytics to identify these sorts of things. So certainly that is happening, and I think that will continue to become more and more sophisticated. I think you're absolutely right, though. I think it's reasonable. You need to have sufficient documentation and evidence as to why you made the decision, as to why this was reported. Certainly for organizations, their auditors are going to be asking these questions as well. And so again, this is something that I would expect to see some pretty robust communication on within the organization. You touched on a couple of things that I think are really important. As I think about the kind of the increased areas or the areas where we expect to see increased risk of fraud. The three of us certainly have talked about this, I think you'd both agree. There's a bunch of different buckets where we think fraud is is going to go up. The financial reporting fraud, I think absolutely, it's happening right now, but we're not going to see it necessarily yet. For our 1231 filers, we're going to start to, I think, see the uptick in that in the inquiries coming in after the Ks are filed sometime in Q2. The disclosure piece, though, I think is really is an interesting area as well. Another area that I know we all agree that there may be an uptick in kind of disclosure related fraud. We know something is happening, but we're going to choose, for whatever reason, either to water down the message, maybe not include it in the MD&A, maybe not put it where we should, hold off on it. And then, of course, for our public companies, that is probably, can really increase the risk of some shareholder litigation. That's your area more than mine. I mean, I'm not a lawyer. But I do think we're going to expect to see that increase there, those two buckets. So I think to your earlier question, Jessica, I agree with you. I think the regulators are going to be looking at things. We know they're using enhanced analytics to really start to delve into this. There's going to be a lot of robust discussions, or there should be, between the audit committee and the auditors and management on where there are significant changes in accounting policies, and/or just where there is significant subjectivity within the financial statements. And this is the year, I think, to probe. Why would we have this reserve? What is this contingent liability? Do we really, did we meet the requirements? Did we meet the requirements for some that are actually not showing up on the books? Certain industries, I would expect to see quite a bit of accruals coming for certain things. And if we're not seeing those, things look great, but we know they're in an industry that has really suffered, that's a red flag.
Jessica Magee: I'm glad you touched on Enforcement's increased use of analytics. They have leveraged data analytics for many years now. We've certainly seen that in their cyber side, their ICO activity. In the last several weeks, Division of Enforcement has filed cases where they're, in their release language, they talk about risk-based data analytics to investigate harder-to-detect areas. So couple penny swings on earnings, earnings management, what they're calling EPS initiatives. They filed an executive perks case, which is an area that you see enforcement action from time to time. But it's something that a company, I could see saying, we need to get to that, but that's not the thing we can get to right now. So the list of things that need to be addressed is long, and it's always going to be long, and it's always, you're always going to have to make choices. But it's important to stay abreast of where they're focusing. Enforcement just issued its Fiscal 2020 Year in Review summary. Curious to see what priorities for 21 will be, but they, anyone that follows the commission knows they've not slowed down. They are, they filed some fewer actions, but they were in a pandemic. But they are investigating, and they are looking for not just obvious intentional fraud, but harder-to-detect issues that include unintentional control violations that still affect the company. And so those things matter, I would argue, just as much as overt sort of smash and grab fraud. You guys tell me if you disagree, but to me, those things are of equal importance and weight.
Michael Stockham: Yeah, I agree. And I'm glad that Holly brought up the disclosure issue. I mean, when you think a little bit of the human condition, lie by omission is easier than actually telling a true falsehood, and it's easier to rationalize to not tell the whole set of details or facts in order to make something accurate. And so those disclosures are going to be a key issue, and that's where I think all the follow-up questions from the audit committee is going to be a little bit, is, are we saying enough or too much? It's always a balancing act, but we see a lot of companies that just kind of roll the K forward. Start with what they did last year and edit it for what happened this year or the Q. And it may be a year in which a deeper dive, a harder edit, a closer eye, would be a good thought by the audit committee and those folks running the SEC disclosures.
Jessica Magee: And you know, I think that it's not unreasonable — in fact, I think it's probably exactly what a company needs to do — is say, what did we file last time? Let's bring it forward. We're not encouraging people to start from scratch. But one easy thing I would encourage companies to do is, OK, let's take last year's K. Let's look at it. Let's find every instance where we said, may. Is that still the case, or has this occurred? Is this occurring? Things where you can start to funnel down and really drill into, again, taking it all the way back to the top of the hour, what's different about this year and what changed, good, good or bad, Holly, you talked earlier. You mentioned significant deficiencies, material weaknesses, always something, again, to the golf analogy, in the fairway for audit committee discussion and inquiry. But I think another question that should be asked is what difficulties or differences are you/is the company facing in assessing the control environment this year? Relation to workforce disruption, operational disruption. Are we, do we have continuing significant deficiencies or material weaknesses from prior periods that haven't been remediated? Are there new ones? And how are we addressing these?
Assessing the Control Environment
Holly Tucker: Yeah, I think that's a, it's a definitely a question that I think the audit committee should be exploring, especially if you have prior year issues and there hasn't been remediation. And quite honestly, remediation could have been impacted by the pandemic. But I think the question of, how have you, management, what have you done to assess the changes in the control environment? How were you, kind of, understanding where you've had impact from controls? And it's just, it's certainly controls, obviously, internal controls over front, so ICFR, but the other area, too, is really thinking about it — and this would be covered in your controls from a SOX perspective — around IT controls. And so when we think about control environment, it's really kind of that robust analysis. How have we just shifted, or you, management, shifted really, maybe on a dime, an entire corporate workforce virtual? Everybody that used to work in the offices is now logging in to VPN. What have you done to assess that? Now, many organizations, I think, again, if I look back on previous conversations, cyber is top of mind. Fraud is top of mind. Culture's top of mind. Well-being. All the other things we're seeing. But that is one of the questions from the control environment, too, is from an IT perspective. I mean, that's a big area of risk. Certainly that is different. We did not have however many percent of the workforce virtual eight months ago. Didn't exist. And so a lot of these organizations that are not necessarily set up for that really had to pivot. So when we think about control environment. I think it's you've got to layer in and take it from kind of a multidimensional approach. How has our control environment been impacted from an IT perspective? So that gets to that workforce stuff we've talked about, Michael and Jessica. How has the control environment been impacted as it relates to our manual controls, as it relates to, have we have system issues. Have we had system integration or implementation in this current period? And we're, clients are doing it, everything hasn't stopped. And so it's really just kind of figuring out what are you, management, doing to really take a step back and consider impact to the control environment? I think it's a very fair question and probably one that's going to end up with some robust discussions.
Michael Stockham: Yeah, I think you ought to think about it also from a workforce perspective. I mean, if you've laid off people in the financial reporting accounting or financial planning and analysis, do you now have one person doing the job that was done by two or three people earlier? And did that somehow merge a control, that is, jumped the fence from the segregation of duties? And if you have, you probably have somebody that is overburdened, overworked, now doing the job of two or three people. That increases your pressure, that increases your opportunity and that's one small step to rationalization. And you have all three sections of the fraud triangle.
Conclusion: Big Picture for 2021
Jessica Magee: And putting my old regulator hat back on, I mean, in a situation where you've got someone looking back at whether they think something went wrong and if so, whether it was intentional, unintentional, but albeit unreasonable. If you've got, like Michael says, at the human level, this policy, this control says you need Susie and Sally to agree on X before you do Y, and Susie was taking leave because she needed to care for a family member who fell ill, and so only one person ended up deciding for both, but they didn't modify the control, there was no discussion or memorialization, and something went wrong. It may be completely, at the time, it may have been completely reasonable and nothing nefarious occurred or resulted. But it's an area where someone could look back and go, OK, well, I'm going to hover over this for a while and I'm going to see if I can make something of it, or if really something did occur. So it can just cost later. It can cost time, it can cost money, it can cost distraction and resource drain, trying to explain why what happened then was OK. And I sort of pour that into the ounce of prevention bucket. Right now, we're really talking about looking back at the year that was, but use this time also to think about our planning for 2021. Nobody's going to wake up on January 1, it's going to be, all right, we're back to how it was, we can flush away all of the heightened question and scrutiny.
Use this as a time to think forward for 2021 of better or best practices, how you might do things differently, what you're going to encourage management to do.
One thing I would recommend and have been recommending is really do find time to encourage the right people to be in a conversation about risk ranking. Whether you do a heat map or you've got a risk committee that oversees this or management-level committee, what are our company's risks across all the different ways the company exists? People risks, operational risks, data risks. And what is the likelihood of that risk coming to fruition, and what's the impact on the company if it does? I would wager for many companies that has changed. There have been shifts where some risks, and Holly made a point about this earlier, that were sort of on the low end have really ticked up and are looming risks. And maybe they're going to slide back down as we move into the future, maybe not. So having that conversation and being able to say you had that conversation, even if maybe you were "wrong" or something was missed, you were still trying, you were still being reasonable and intentional, and that is ultimately a very good thing to be able to demonstrate.
Michael Stockham: Yeah, I think you bring in one good point. Excellent point, all of them, but that the time of the pandemic, the duration of the pandemic, the duration of the change, has gone so extended now that I think we're sort of getting past the period of forgiveness, if you will. I mean, had it lasted 60 or 90 days, then everybody would have been scrambling for that period of time, and there would have been more understanding, I think. But we've been in this nine months now. We're likely to go another three to six with impacts, and there will be lasting impacts. And so I think from the point of shadow teams or the auditor or the regulators, they're going to think, well, 90 to 120 days into it, you should have started to think about how you were going to put this together to go for the long haul. So I think we're in the period that we now need to understand that you're going to get a little bit of pushback if you're, if the reasons that you're going to put out that something went wrong in the books or the disclosures is that the pandemic was moving forward.
Holly Tucker: I would just say I absolutely agree, I think some of the lessons learned and things that they're dealing with now on audit committees and management, to your point, both of you, it's not going away, and/or I think there's, there are some good things that are going to, again, silver lining. Good practices that I do think will come from this. I mean, we've proven to be a very kind of agile society in many ways, and so I think some of that agility within organizations, I think will stay. But yeah, I think you're right. I mean, if you've got management coming back and say, "Well, we're just not sure what we're going to do or how we're going to deal with this," you've had now nine months, to your point, to think about it. And so I think looking forward, certainly, there's an expectation that you continue to deal with this proactively. And then I do think there'll be some things stick around that are good. But yeah.
Jessica Magee: Well, and you know, this isn't a process or a time where an audit chair or audit committee have to figure it out perfectly in a vacuum. You can have conversation among the committee. We've covered a lot today. Reach out to Michael. Reach out to me if you have questions. Holly, I know you have seen countless fact patterns, countless ways things have gone right, wrong and everything in between, Michael and I as well. And these are broad stroke issues that every company is facing, but we appreciate that those of you watching are dealing with them in a very specific, unique environment. Your company's culture, your people's wins, losses and fatigue. And it's an important responsibility and it's a responsibility that this year is more important maybe than ever before. And so we want you to know that we're here for any questions you have. Happy to walk through SEC cases on the point, the questions we've gone through today, which we'll certainly put up here for people. But this is an important undertaking and one we encourage you to lean into and reach out to us if you have any questions about it. My coffee cup is cold and empty, which means it must be time for us to wrap up Coffee & Conversation. We said at the beginning, I could just nerd out all day on fraud, fraud prevention and how to drive healthy conversations, and sometimes crucial conversations, with other directors and management and auditors and others about our company and where we've been and where we're going. But I can't think of two finer people to have had the conversation with. I'm so thankful for your time this morning. Holly, we are so lucky that you gave us an hour. I'm putting it on my things I'm grateful for in this month of Thanksgiving lists. Thank you so much for joining us.
Holly Tucker: Yeah, thanks for having me. It's been fun.
Jessica Magee: Michael, I'm going to send you back to your day of work. Thank you as always, and I'll be seeing you virtually. And I hope you both have a happy Thanksgiving and that you and yours stay well and healthy. Take care.
Holly Tucker: Thank you, Jessica. Thank you. Thanks, Michael.
Michael Stockham: Thank you.