James Farrar kindly alerted me to this story about Greencore Group, an Irish business that is the UK’s largest sandwich maker. In 2007, it turned over a total of €1.3 billion but only had an operating profit of €91 million:
The Irish food group Greencore has sacked three senior managers after uncovering what it believes is a €21m (£17m) fraud at its Scottish mineral water business, Campsie Spring.
Greencore said its investigations were ongoing, but it warned that the “deliberate concealment of costs at its mineral water business” could slash its operating profit for the current year by €9m. It estimates that the investigation could lead to a restatement of its group operating profit by €4m in 2006 and €8m in 2007.
At one level the amounts involved are small but given the operating margin, they are huge. From an audit perspective, these figures are highly material, which begs the question: what went wrong that the alleged ‘fraud’ could continue over such a long period of time? While the exact nature of the fraud is not made clear, the regulatory statement filed by the company said:
1. June 6th: After a scheduled review by the internal audit function, a source of potential concern in the Mineral Water business was communicated to Group senior finance management.
2. June 9th: Following a meeting between the leadership of Group finance and the finance director of the Mineral Water business, an immediate investigation was instigated by the Group chief financial officer.
In other words, given the period over which the fraud is said to have been perpetrated, there had been NO review for at least 30 months. Personally I find this astonishing, especially given that according to the company’s 2007 annual report on page 34:
Greencore has invested significant time and resources in identifying the specific risks and developing risk minimisation strategies through its system of risk management and internal controls.
Clearly those strategies are not working. Neither are the processes that underpin them. That leaves Greencore with a considerable amount of egg on its face as its annual report now looks like a glorified piece of PR rather than a statement of facts upon which investors can rely. Needless to say, the markets have punished Greencore, knocking some 30% off its market value in the last few days.
Without meandering down the obvious external audit issues, it is appropriate at this point to quote from a blog comment left at my personal weblog by Francine McKenna where she said that:
1) Current SOX testing on the ERP side focuses on configuration related to segregation of duties (roles and responsibility assignment) and access/approval controls. But what about business logic and business rules, for example, either as delivered or as configured? How do transactions work? How many different charts of accounts are set up? How is the org structure set up so that dollars and pennies can be booked but booked off to the side or off-balance sheet?
2) While at PwC, I heard more than once that there was no external auditor review of policies and procedures regarding patch application and testing/promotion to production of new code from the vendor. Why? “If it’s Oracle or SAP, then it has to be bug free out of the box.” WTF? This was a handshake agreement amongst the firms that none of them would call out these issues because if they started it would never end. Neither the firms nor their clients had enough staff to control this issue. Given the number of companies that would be called out on basic IT SDLC related and operations controls, everyone would look bad. Moratorium until companies could get a handle on it. Only best in class companies have tight procedures over these activities and if issues were found it would spill over all over the place. If the ERP software is buggy to begin with but you don’t know where it’s buggy and this is your GL, what comfort do you have that any financial reporting is right?
Francine speaks from experience and authority as someone steeped in risk management and controls at PwC (coincidentally Greencore’s auditors of record) around the time SAP acquired Virsa and, prior to that, at BearingPoint. Whether her view on testing and controls would have made any difference is a moot point at this stage.
If my experience is anything to go by, a determined fraudster is always difficult to uncover and without more facts in this case, anything I say beyond the obvious is pure speculation. However, in almost all cases I have come across (other than direct cash theft in retail which is really hard to spot unless there is very close control over margin analysis), a fraudster was able to take advantage of a crucial weakness in the internal controls that operated at the time and which reflected a faulty systems approach. In this case, I imagine (here comes the speculation) that the fraud was perpetrated by the simple expedient of inserting bogus suppliers into the system who were then paid through routine AP procedures.
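To make the speculation above concrete from the control side, here is an added illustration (my own, not anything from Greencore, PwC or the regulatory statement) of the kind of routine vendor-master and AP checks that would surface a bogus supplier paid through normal AP procedures. The vendor, employee and payment records, the user names and the €10,000 dual-approval threshold are all constructed for the example; the checks themselves are standard segregation-of-duties and anomaly tests over the vendor master and payment run.

```python
"""Vendor-master and accounts-payable control checks over constructed sample data."""
from collections import defaultdict

APPROVAL_THRESHOLD = 10_000.00  # assumed dual-approval limit; not taken from the page

# Constructed vendor master records (hypothetical names, IBANs and users).
VENDORS = [
    {"id": "V100", "name": "Highland Packaging Ltd", "iban": "GB11AAAA00000011111111",
     "created_by": "jsmith", "approved_by": "mbrown"},
    {"id": "V101", "name": "Campsie Logistics", "iban": "GB22BBBB00000022222222",
     "created_by": "kwhite", "approved_by": "kwhite"},      # created and approved by one user
    {"id": "V102", "name": "CL Transport Services", "iban": "GB22BBBB00000022222222",
     "created_by": "kwhite", "approved_by": "mbrown"},      # same bank account as V101
]

# Constructed payroll bank details for employees who also hold ERP accounts.
EMPLOYEES = [
    {"user": "kwhite", "iban": "GB22BBBB00000022222222"},
    {"user": "jsmith", "iban": "GB33CCCC00000033333333"},
]

# Constructed AP payment run; "po" is the purchase order the invoice was matched to.
PAYMENTS = [
    {"vendor": "V100", "amount": 12500.00, "po": "PO-5001", "released_by": "mbrown"},
    {"vendor": "V101", "amount": 9800.00, "po": None, "released_by": "kwhite"},
    {"vendor": "V102", "amount": 9900.00, "po": None, "released_by": "kwhite"},
]


def self_approved_vendors(vendors):
    """Segregation of duties: the user who creates a vendor must not also approve it."""
    return [v["id"] for v in vendors if v["created_by"] == v["approved_by"]]


def shared_bank_accounts(vendors):
    """Several vendor records routing to one bank account is a classic bogus-supplier pattern."""
    by_iban = defaultdict(list)
    for v in vendors:
        by_iban[v["iban"]].append(v["id"])
    return {iban: ids for iban, ids in by_iban.items() if len(ids) > 1}


def vendors_paid_to_employee_accounts(vendors, employees):
    """Vendor bank details that match an employee's payroll account."""
    emp_by_iban = {e["iban"]: e["user"] for e in employees}
    return [(v["id"], emp_by_iban[v["iban"]]) for v in vendors if v["iban"] in emp_by_iban]


def payments_without_po(payments):
    """Invoices paid with no purchase order behind them bypass three-way matching."""
    return [p["vendor"] for p in payments if p["po"] is None]


def creator_released_own_vendor(vendors, payments):
    """The user who set up the vendor should never be the one releasing its payments."""
    creator = {v["id"]: v["created_by"] for v in vendors}
    return [(p["vendor"], p["released_by"]) for p in payments
            if creator.get(p["vendor"]) == p["released_by"]]


def just_under_threshold(payments, threshold=APPROVAL_THRESHOLD, band=0.05):
    """Payments sitting within `band` (5%) below the dual-approval limit."""
    lo = threshold * (1 - band)
    return [p["vendor"] for p in payments if lo <= p["amount"] < threshold]


def run_checks(vendors, payments, employees):
    """Run every check and return the findings keyed by check name."""
    return {
        "self_approved_vendor": self_approved_vendors(vendors),
        "shared_bank_account": shared_bank_accounts(vendors),
        "employee_bank_account": vendors_paid_to_employee_accounts(vendors, employees),
        "payment_without_po": payments_without_po(payments),
        "creator_released_payment": creator_released_own_vendor(vendors, payments),
        "just_under_threshold": just_under_threshold(payments),
    }


if __name__ == "__main__":
    for check, hits in run_checks(VENDORS, PAYMENTS, EMPLOYEES).items():
        print(f"{check:26s} {hits if hits else 'clean'}")
```

None of these checks is clever; the point is that each one is a process control that runs on every vendor change and every payment run, rather than a policy statement in an annual report. In this sample the legitimate vendor V100 passes every test, while V101 and V102 trip all of them at once, which is exactly the sort of signal that should reach internal audit long before 30 months have elapsed.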
It is clear that businesses which don’t take the time to operate as best in class on issues around IT governance for example can easily get it horribly wrong. Similarly, if all a company has are documented policies but those are not backed up by process controls, then the whole exercise of creating those policies is a waste of time and money.
As the focus of GRC spreads from pure financial procedures to other aspects that directly impact IT, BPX’ers should actively consider the impact that their design decisions might have on the overall suitability of systems and on their ability to withstand rigorous inspection. The more cases like Greencore that emerge (and they will), the more likely it is that the office of the CFO will at least raise the issues.
Given the expertise that GRC/BPX specialists can bring to bear on the problem, it represents an area that deserves closer attention as a way of not only helping companies and their external auditors, but also in providing board level assurance that risks are being addressed in a meaningful way.