Unless you’ve been on another planet, the Satyam affair has become front and center among the Indian business news fraternity. There is no other story. Everything from speculation about its survival and the Indian government’s reaction through to genuine concern about India as the IT-BPO destination of choice is coming under the microscope.
I suppose it is inevitable that enterprising individuals will see this as an opportunity to extol the virtues of GRC. One person went so far as to claim that GRC could have saved Satyam. Such thoughts are entirely inappropriate and, as I said elsewhere, wholly irresponsible.
It is understandable that Indian IT is under the scanner, but no-one can know for certain. I have my doubts. Based on recent conversations with colleagues who know way more than I do about outsourcing to India, it is hard to believe that Satyam is alone. In fact we already know that Wipro, Satyam and Megasoft have received sanctions from the World Bank on account of corrupt practices.
From my days in forensic accounting, I know only too well that where there is corruption in business practices, it is one small step for that to escalate to the company accounts themselves.
The burning question is not whether GRC could help but, more importantly, what of its future? We have to consider this in a global context. Corruption is but one cancer on the business world. We know that the US in particular is reeling after the financial crisis that has seen marquee names like Lehman Brothers fall by the wayside. Governance? What governance, you might ask, given the scale of the meltdown and the variety of actors implicated in the debacle.
We have no idea what this means for regulation, whether we will see a modified form of SOX, additional regulation or a complete reshaping of the regulatory framework. Without that context, the best that GRC can offer is a set of sticking plasters that beef up internal controls and provide a layer that should give some level of investor assurance.
Even when those controls are put in place they will never prevent fraud on the scale that Satyam represents. It is unrealistic to assume that C-level officers will commit to the kind of oversight that implies unless there is regulation in place that provides the enforcement framework and capability. That was what SOX was meant to do, yet week after week we see a continuing stream of cases involving some regulatory fraud or another.
The Big Four accounting companies, KPMG, PwC, Ernst & Young and Deloitte, have shown time and again that despite their own best efforts, they do not have the global systems and processes in place that allow for a uniform, standard audit. That means quality is bound to vary. In the Satyam case, it seems that PwC HQ had almost no control over its Hyderabad office, even though the PCAOB had made an inspection last year. Whether Satyam’s audit working papers were examined is pure speculation, but it is known that concerns had been expressed about at least one of PwC’s partners.
Let’s be clear – when there is a broken ecosystem, no amount of GRC can realistically guarantee that things will not go wrong. Yes, some assurances can be rightly given but we should not kid ourselves that SAP (or any other GRC provider) has a magic bullet.
Indian IT under scanner claims that:
Properly defined roles and access control over key information assets are the most effective safeguards against fraud and mistakes. These are prerequisites for a sound corporate oversight and are also required by various regulatory mandates around the world, such as the Sarbanes-Oxley Act.
I respectfully disagree. IT does not solve problems; it merely acts as the tooling for problem solving. In GRC the prime requirement is a culture of excellence and a desire to do the right thing. That is what in audit terms we call ‘the tone from the top.’ Without the right tone, IT cannot help.
As we have seen in the Satyam case, the CFO was ordered not to look at deposits that were under the sole control of the CEO. That should have been a red flag but apparently went undetected or was ignored. Whether by accident or design, with or without the collusion of the auditors, has yet to be determined. However you cut it, the problem was not one that GRC can adequately address when people can override stated control mechanisms.
I have seen this kind of thing happen in the past. An authoritarian leader who prevents people from inquiring into transactions has something to hide. Most often it reveals itself as a corrupt practice. In Satyam’s case, it meant wholesale fraud.
SAP has a responsibility to provide customers with the best solutions it can for the problems those customers wish to solve. It publicly states that it wishes to uphold the highest standards. There are plenty of SAP Mentors who believe that well-run businesses not only espouse best practice but are seen to turn words into action.
In promoting GRC solutions, now is a time for pause. Now is a time when consultants should be enquiring into the extent to which the companies they speak with really want GRC to matter. They should be helping their customers think about the ramifications and the extent to which they may need to impose cultural change before buying into any solution. This cannot be limited to management but must include a consideration of all stakeholders. Right now, that would be the appropriate response in a world where, quite frankly, governance is itself in tatters.