Satyam: putting GRC into perspective

Unless you’ve been on another planet, you will know that the Satyam affair has become front and center among the Indian business news fraternity. There is no other story. Everything from speculation about its survival and the Indian government’s reaction through to genuine concern about India as the IT-BPO destination of choice is coming under the microscope.

I suppose it is inevitable that enterprising individuals will see this as an opportunity to extol the virtues of GRC. One person went so far as to claim that GRC could have saved Satyam. Such thoughts are entirely inappropriate and, as I said elsewhere, are wholly irresponsible.

It is understandable that Indian IT under scanner but no-one can know that for certain. I have my doubts. Based on recent conversations with colleagues who know way more than I do about outsourcing to India, it is hard to believe that Satyam is alone. In fact we already know that Wipro, Satyam and Megasoft have received sanctions from the World Bank on account of corrupt practices.

From my days in forensic accounting, I know only too well that where there is corruption in business practices, it is one small step for that to escalate to the company accounts themselves. 

The burning question is not whether GRC could help but, more importantly, what of its future? We have to consider this in a global context. Corruption is but one cancer on the business world. We know that the US in particular is reeling after the financial crisis that has seen marquee names like Lehman Brothers fall by the wayside. Governance? What governance, you might ask, given the scale of the meltdown and the variety of actors implicated in the debacle.

We have no idea what this means for regulation, whether we will see a modified form of SOX, additional regulation or a complete reshaping of the regulatory framework. Without that context, the best that GRC can offer is a set of sticking plasters that beef up internal controls and provide a layer that should give some level of investor assurance. 

Even when those controls are put in place they will never prevent fraud on the scale that Satyam represents. It is unrealistic to assume that C-level officers will commit to the kind of oversight that implies unless there is regulation in place that provides the enforcement framework and capability. That was what SOX was meant to do, yet week after week we see a continuing stream of cases involving some regulatory fraud or another.

The Big Four accounting companies like KPMG, PwC, Ernst & Young and Deloitte have shown time and again that despite their own best efforts, they do not have the global systems and processes in place that allow for a uniform, standard audit. That means quality is bound to vary. In the Satyam case, it seems that PwC HQ had almost no control over its Hyderabad office, despite the fact that the PCAOB had made an inspection last year. Whether Satyam’s audit working papers were examined is pure speculation but it is known that concerns had been expressed about at least one of PwC’s partners.

Let’s be clear – when there is a broken ecosystem, no amount of GRC can realistically guarantee that things will not go wrong. Yes, some assurances can be rightly given but we should not kid ourselves that SAP (or any other GRC provider) has a magic bullet.

Indian IT under scanner claims that:

Properly defined roles and access control over key information assets are the most effective safeguards against fraud and mistakes. These are prerequisites for a sound corporate oversight and are also required by various regulatory mandates around the world, such as the Sarbanes-Oxley Act.

I respectfully disagree. IT does not solve problems, it merely acts as the tooling for problem solving. In GRC the prime requirement is a culture of excellence and a desire to do the right thing. That is what in audit terms we call ‘the tone from the top.’ Without the right tone, IT cannot help.

As we have seen in the Satyam case, the CFO was ordered not to look at deposits that were under the sole control of the CEO. That should have been a red flag but apparently went undetected or was ignored. Whether by accident or design, with or without the collusion of the auditors, has yet to be determined. However you cut it, the problem was not one that GRC can adequately address when people can override stated control mechanisms.

I have seen this kind of thing happen in the past. Anywhere there is an authoritarian leader who prevents people from inquiring into transactions, there is something to hide. Most often it reveals itself as a corrupt practice. In Satyam’s case, it meant wholesale fraud.

SAP has a responsibility to provide customers with the best solutions it can for the problems those customers wish to solve. It publicly states that it wishes to uphold the highest standards. There are plenty of SAP Mentors who believe that well run businesses not only espouse best practice but are seen to turn words into action.

In promoting GRC solutions, now is a time for pause. Now is a time when consultants should be enquiring into the extent to which the companies they speak with really want GRC to matter. They should be helping their customers think about the ramifications and the extent to which they may need to impose cultural change before buying into any solution. This cannot be limited to management but must include a consideration of all stakeholders. Right now, that would be the appropriate response in a world where, quite frankly, governance is itself in tatters.

  • Regulations are all the world over… Unethical business practices are in every part of the world.

    Some are caught while some escape, being lucky or smarter…

    Regulations help keep a tab on this.

    • @ankur – as should be obvious, regulation as currently framed has failed. That’s why I argue that a radical approach to regulation going forward offers the best chance of providing the framework from which GRC can emerge. BUT – I cannot stress enough, it is a culture of excellence that determines.
      • GRC is a practice and consultancy and it is not a statutory or mandatory service. These types of corporate governance issues would show their head now and then, until GRC is made part of the company’s policy and a statutory body to oversee the operations. The issues in the Indian IT industry call for a statutory body for corporate governance.
        • @Srinath – I bow to your understanding of the Indian system of governance but there were ‘standards’ in place. PwC for example is meant to be governed by standards that are applied evenly around the world. There is PCAOB oversight, which has revealed issues.

          A combination of laxity, incompetence and determination is toxic and very difficult to overcome.

          My point is not whether GRC is something that should be undertaken but about *how* it can be articulated in what is increasingly looking like a chaotic environment.

          • Dennis.. I agree with the viewpoint on available standards and practice, but nevertheless my suggestion to corporates is to appoint a “CGO” (corporate governance) on par with CXOs. GRC as a practice is mostly felt to be a management issue or IT initiative; the mindset of the corporates should really change, at least after this Satyam fall, and take GRC more seriously.
  • As the world is shocked by the Satyam scam,
    the government now needs to apply some legislative rules like SOX and make it mandatory to have strong regulation, and the government should conduct the audit so that stakeholders have faith in the company.
    I think GRC can complete this task up to some extent, because GRC has such a framework and capability that it can control internal frauds.
    • @Mohit – such thinking is dangerous. Internal controls, access controls and the like *can* assist but to claim they can ‘control internal frauds’ is a stretch. I’ve seen way too much invention in fraud arrangements to make that claim of any software.

      In the Satyam case it seems we are looking at (among other things) forgery. That’s incredibly difficult to overcome when someone is determined.

  • In organizational life, each one faces many first events during their career.
    Sometimes it even starts with the first contact with a company, may be through an advertisement, a letter, an e-mail, a visit, an interaction.
    There may be many happy ones.

    But some events have the potential to change our values once for all.
    Honesty is one such value which undergoes change during one’s career.
    When insisted on, in the beginning of one’s career, others would say, ‘Be practical’, ‘Do not be an idealist’, ‘Do not rock the boat’, ‘Be a Roman while in Rome’, ‘Go with the crowd’, ‘Change the sail, not the wind’, ‘It is not a crime; everyone does it’, and so on.

    At some point of time there would come up a moment making one think ‘Why not give honesty a chance!’ “If I do not define the moment, the moment would define me!” one may feel.

    It is an important point to ponder personally, as to when actually one gets seeded to be ‘practical’, and to give honesty a go-by mildly, especially in organizational life.

    It may be the first time one makes some monetary claim based on official entitlement, though the actual amount spent may be less than the entitlement. The first time one makes the claim, it may be made with the help of someone who has already made such claims and got to know the way.
    One may be young at that time and assume that it was smart to be practical and be with the group. Though the gain may be peanuts, not a big fortune, it resets the value of honesty in the person and slowly grows to bigger proportions.

    If only someone tells the correct way and what the usual way is, leaving the choice to be made by the individual but prodding to take the right one, the value for honesty would remain the same and help to pursue it further without adulteration.

    It now appears that the first events are the events with the opportunity to inculcate the eternal values in people, to be upheld in organizational life.
    Someone must guide the persons involved at such moments officially.

    There would be many such lessons to be learnt by people at all levels by this episode.
    But whether there would be a learning, I wonder!

    More rules would only become a source for ‘form filling’! The grains must change.

    Sam Anbazhagan

  • I agree that IT itself doesn’t solve problems and it’s just a tool which helps to provide a framework based on best practices.
    And I disagree that promoting GRC solutions should be paused. This is the time to gain greater insights from these incidents and malpractices and the probable reasons, and to arm the GRC applications with controls that screen such kinds of happenings during the initial phase.

    A lot of effort on the part of application developers will be needed for these developments but that is the only way to control these kinds of incidents. Cultural changes may help to work in a fairer manner, but neither is it easy to change cultures with people from cross-cultural backgrounds nor can the depth of the changes be measured to ensure satisfaction.

  • Well said “If you’re someone who makes a statement about an experiment on the leading edge of something, be prepared for criticism” and I agree with that. But criticism should be positively industrious, constructive and inspirational, not the way above. It’s a complete underestimation of what we can achieve with software automation and technology. I courteously disagree with my senior mentor’s off-beam evaluation of my Twitter post and the way he thinks about software science in today’s digital era.

    In 1901 the Wright brothers were criticized for their vision of the airplane; nobody ever imagined at that time that we would be flying at supersonic speed today. Likewise SAP GRC Applications are becoming unbelievably intelligent with a hell of a lot of capabilities.

    So, let’s not think small, let’s just put in enough effort with remarkable contributions and not judge others on a single line of quote. This may turn out to be a boomerang.

  • This appeared in a leading Indian business paper today
    With more of the overall scam getting unearthed, it’s shuddering to think if GRC would have worked at all. With this level of fraud it’s quite easy to have a GRC system put in place but maintain two books of account (age-old trick) to fool even the best of GRC (qualified guess). To me it’s nothing but plain greed that drives individual(s) to undertake such activities. While most of us are very angry with I-bankers and hedge fund managers, blaming them for bringing the world economy to its knees – let’s not forget what they were doing was “legally correct” and “innovative products within regulations” but “ethically questionable”. The direct parties involved were playing a game of high risk hoping for a high gain. But sad to say the case in question here is neither legally nor ethically correct in any way.
  • Very thought-provoking post. I think Dennis is correct that GRC would not necessarily have helped in the Satyam case. This is a situation where wholesale fraud was occurring in the office of the CEO – obviously no culture of compliance existed. GRC may have helped expose the fraud earlier, but to whom? The CFO? A whistleblower? This is where you reach the limits of the software. We really can only speculate but I have to think that any number of people in IT, FR and Finance already knew that something was very wrong with the payroll or other transactions, but no one felt empowered to question it. That’s a corporate culture issue that I just don’t believe would be solved by technology alone.