Today, I visit with noted fraud examiner, Jonathan Marks, a partner at Marcum LLP on the relationship of the internal auditor, fraud good governance and board governance. Marks began by noting that an organization which has in place a strategically integrated governance risk management structure at the Board level has an ethical and operational backbone against which an entire business can be managed. While doing significant fraud investigations he has found that when one considers the governance, it often has a key role in the overall determination. He went on to note that corporate government is the systems and processes and organization has in place to protect the interests of the first diverse stakeholder group. Good corporate governance consists of the Board of Directors, its committees managing the legal and regulatory environment where business practices intersect all around transparently monitoring enterprise risk management. 

The Board has a key role in any organization helping determine their risk profile through its oversight of management. He believes it is the Board which has ultimate responsibility of risk parameters and setting the risk profile. Moreover, from an oversight perspective the Board should be ensuring that management is not doing things which put the organization at risk. Marks stated, “We all know from the various frauds that have already occurred and have been in the newspapers and in the public eye are looked at from a siloed perspective and not looked at in the aggregate.” 

A Board should ensure that management does not overstep its boundaries when management is looking at certain transactions. It is important the Board take an active role. They need to ensure that management is doing risk assessments on a regular basis. If one considers the Hewlett-Packard acquisition of Autonomy to see how the Board failed in its oversight role in the merger context by not asking the right questions or seeking enough relevant information from the CEO. More recently is the Telia FCPA enforcement action, where the Board allowed senior management, literally right up to the CEO, engage in bribery and corruption to do business in Uzbekistan. 

Marks emphasized the Board’s role should be looking “at this from a fresh set of eyes and really understanding what the risks of the organization might be to help the organization better manage their risks. And the other thing the board can do is ensure that management is constantly thinking about the ways that things can actually go wrong.” This is critical when considering internal controls around fraud or even financial reporting and disclosure required under SOX.

One of the most asked questions is how much information should a fraud examiner or other provide to a Board. Marks considered it from another perspective saying, “I'm less concerned about the quantity I'm more concerned about the quality of information. For me, it is about getting the right information to the Board. A Board book filled with white noise does the Board no good. You would hope that it would not be the case but it often is.” He believes the key is to put together information that is almost surgical in approach, with very detailed information allowing Board members to assess for themselves. 

It is all about good communication. From an information perspective, Marks would provide the Board the information it needs to properly assess the risk of the business. This should lead to a dialogue with them. The Board should be actively engaged and ideally would have questions back to the fraud examiner. Marks emphasized that communication includes feedback you know so you know they have not only reviewed but thought about the information you have presented.