Norman Marks on Governance, Risk Management, and Internal Audit

Last year, the Independent Casino Commission (in New South Wales, Australia) appointed Adam Bell, SC (an attorney) to lead an independent inquiry into The Star Pty Ltd. (Star Entertainment Group).

The stated objective was to “assess The Star’s suitability to hold a casino licence and to examine compliance with its legal obligations. In September 2021”.

This month, the results of the review (the “Bell report”) were released by the Commission. This is part of what ABC News reported:

The Star Entertainment Group has been found unsuitable to operate its casino in Sydney after a damning inquiry into the company.

The inquiry, led by Adam Bell SC, was held earlier this year and heard allegations of money laundering, organised crime links and fraud at its casino in Pyrmont.

Philip Crawford, the NSW Independent Casino Commission chief, said the report made for “sad reading” and detailed Star’s “scant regard” for harm minimisation.

“The institutional arrogance of this company has been breathtaking,” he said.

“And their willingness to take risks in pursuit of financial goals has been appalling.

“Our major concern with regard to the Star remains its culture. There doesn’t seem to be any short-term fix.”

Mr Crawford said Star had allowed money laundering and organised crime to infiltrate the casino, and took “deliberate steps” to cover their tracks.

He said some of that conduct continued even after the public inquiry began.

“They tended to ignore the risk inherent in all of their conduct, and then they tried to hide their conduct,” he said.

“Financial goals seemed to have been the main driver of their conduct.”

Key points:

• The report says the casino’s protections against money laundering were unsatisfactory
• The inquiry also heard about links to organised crime and fraud
• Philip Crawford says senior executives “didn’t have a clue” what was going on at the company

The Guardian filled in a few details in their report.

Among the management failures was one that has relevance for all organizations, especially audit and risk practitioners. This is from Inside Asian Gambling (see the highlighted section):

…the Bell Report details a wide range of reasons for finding The Star unsuitable – among them the illegal use of China UnionPay cards to fund gambling at The Star Sydney, Star’s dealing with Asian junket operator Suncity Group and the company’s response to independent audits of its anti-money laundering (AML) and counter terrorism financing (CTF) controls.

The Financial Review picked up on this in their reporting:

The Star Entertainment Group’s “clear failings” in responding to its internal auditors’ concerns are symptomatic of a wider attitude by companies to ignore or water down negative reports by these teams despite the “serious” risks of doing so, their professional body says.

A NSW regulatory inquiry into Star last week declared it unsuitable to hold a casino licence and found serious failures of corporate governance and culture at the company.

Several of these failures – such as rejecting and then trying to hide an explosive report by KPMG into issues with the company’s anti-money laundering measures, which was commissioned by its internal audit team – showed “clear failings in how the internal audit process was handled”, CEO of the Institute of Internal Auditors (IIA) Peter Jones said.

The inquiry heard that Star’s then-CEO, Matt Bekier, was “hostile” and “sulky” about the report, originally claiming it was wrong, and that its internal audit team were “put under a lot of pressure for putting up a report that the directors took such exception to”.

But commissioning the KPMG report “was in line with best practice” for internal auditors, Mr Jones said, and Star’s directors ignored it “at their peril”.

He said this attitude to internal audit was “by no means unique” to Star, however, pointing to similar failings found by financial services companies investigated by the Hayne royal commission and Crown Resorts in separate government inquiries.

A recent IIA survey found that 45 per cent of members believed their recommendations in internal audit reports were not always acted on in a timely way, while one in 10 of the professionals say they have been sanctioned after giving their employers’ management or audit committees an unfavourable report.

“Internal audit is all about contributing to and protecting organisational value … ignored recommendations have serious implications,” Mr Jones warned.

“They often flag major cultural flaws within an organisation. If systemic issues cannot be addressed, it’s a major issue for directors as they have a fiduciary responsibility for the organisation’s welfare.”

Directors ignoring internal audit recommendation may also be “found negligent and legally accountable for issues identified”, he added, suggesting that “regulators will demand retribution to save face and accountability with the public”.

“The bottom line for directors is to ignore the advice of internal auditors at their peril.”

While Star’s board eventually accepted and acted upon the KPMG recommendations, Mr Jones said that “as it was some time before this occurred, much damage had already been done”.

“In any organisation, the first line of assurance is line management; the second compliance and risk; and the third and final is internal audit,” he said.

“A commitment to robust internal audit practices is essential for any organisation that holds a position of responsibility and privilege, such as a casino.”

Accountants Daily carried further comments by Peter Jones, including:

“A commitment to robust internal audit practices is essential for any organisation that holds a position of responsibility and privilege, such as a casino.”

He said the Bell report highlighted a number of clear failings into how the internal audit process was handled within the organisation.

He said: “According to the report, the in-house internal audit team engaged KPMG to carry out an independent review of the Anti-Money Laundering and Counter-Terrorism Financing program, as part of its licence obligations.

“This is in line with our best practice recommendations and we believe was an appropriate step by the internal audit team.”

However, the failures came in senior management’s reaction.

He said: “Specifically (according to the Bell Report):

The report was not given to the Audit Committee until the day before their meeting in late May 2018.

The message from the CEO was that there were a number of problems and inaccuracies within the report.

As the Audit Committee did not have the time to thoroughly review the report at that time, management was given time to address the issues with KPMG.

KPMG was pressured by senior management to change a number of findings within the report. The internal audit team (and other management) was given a clear message “that bad news was unwelcome”.

The report was erroneously treated as legally privileged and was subsequently held back from the regulators (AUSTRAC) for around two years.”

One of the KPMG auditors, quoted in the Bell report, said Star chief executive at the time Matt Bekier was “hostile” and failed to greet the auditors or make eye contact shortly after the Audit Committee was given their findings.

“Mr Bekier was sat down, turning the pages of the report, essentially berating us for the whole entire time of that meeting,” he said.

Mr Jones said it was important to note that KPMG reviewed its report and stood by its original findings and in addition, its recommendations were all subsequently accepted by Star.

“However, as it was some time before this occurred, much damage had already been done,” Mr Jones said.

All the reporting focused on management failures.

But there were clear failures, from my reading, by internal audit.

1. The head of Star’s internal audit team (the CAE) is the person who should be ensuring the audit committee receives any audit report promptly, whoever performs the work. Instead, the report was not given to the audit committee until the day before their meeting.
2. It is not clear that the CAE took ownership of the audit and report.
3. The KPMG report included audit recommendations instead of agreed action items. This leaves the audit committee guessing: do they accept the opinion of the auditors or of management?
4. The CAE allowed the report to be issued before it was ready, before agreement had been reached with management. The reports say that the audit committee was unable to have a constructive discussion and asked KPMG and management to work it out. If the CAE knew that there was serious disagreement, especially if management tried to interfere with the integrity of the audit, he/she should have alerted the audit committee ahead of the audit committee meeting. I believe the CAE should not have allowed a dispute of this magnitude with management in front of the committee. One option would have been to tell them that KPMG had identified serious issues, but he/she was still reviewing them with the management team and the report would be issued shortly. If the report has to be issued without agreement, that should be stated front and center in the report – reluctantly.

When you issue a report with recommendations, requesting a management response, you are (IMHO) asking for trouble. It is infinitely better to sit down and talk to management, agreeing on the facts, their implications, whether anything should be done, and what actions should be taken by whom and when.

In this case, it is clear that management did not agree, only accepting the recommendations later.

I am not persuaded that the CAE made sure the disagreements were fully aired. I suspect that KPMG did their audit, wrote a report with recommendations, shared it with management, and left the scene – job anything but done.

Internal audit fails if they are unable to work with management to drive action when it is needed. Such discussions, especially listening to management, are hard and take time. They can delay the report significantly. But a report that doesn’t lead to action when it is needed has little value!

The IIA Australia executive who referred to the high percentage of recommendations not being accepted by management as a management failure is, IMHO, mistaken. It’s an internal audit failure.

We need to know how to communicate and, especially, listen.

If management doesn’t see the need to act, to accept a recommendation, it won’t get done.

We also need to be sufficiently humble and open to being shown that we are wrong. There may be mitigating factors and the risk may not be as high as we think.

Perhaps the risk is not sufficiently high that it merits the use of scarce management time and money to fix.

Perhaps there is a better solution than we were suggesting.

On the other hand, I have seen more cases than I care to mention where management did something because “the auditor told me to do it” – and what they did was not in the best interests of the organization.

Let’s discard the idea that audit reports should include recommendations.

Let’s replace it with the notion that we should add value by providing assurance and influencing appropriate change. Reports should include agreed action items instead of recommendations (even if there is also a management response).

I welcome your thoughts.

POSTSCRIPT:

This was just reported, today:

On September 13, 2022, the Central Bank of Ireland fined Danske Bank €1.82m for transaction monitoring failures in its anti-money laundering (AML) and terrorist financing systems. Pursuant to the Central Bank’s administrative sanctions procedure, Danske Bank was reprimanded by the Central Bank for multiple breaches of the Criminal Justice (Money Laundering & Terrorist Financing) Act 2010 (CJA) between 2010 and 2019.

During this time, Denmark’s Danske Bank failed to ensure its automated transaction monitoring system monitored the transactions of certain customer groups in its Dublin-based branch. This led to the exclusion of specific customer categories from the transaction monitoring process, including some customers rated by the bank as medium and high risk.

According to the enforcement action, the root cause of these failures was found in the out-of-date data filters applied within Danske’s automated transaction monitoring system, which had not been updated since being applied to the Irish branch in 2006. In failing to examine whether the data filters were appropriate within the system, Danske Bank did not consider the specific requirements of the CJA when it was brought into force in Ireland in 2010.

As a result of an internal audit in May 2015, Danske Bank became aware of the inadequacies in its transaction monitoring system and the nature of the risks it posed. However, the bank failed to notify the Irish branch of these issues and did not take appropriate action for nearly four years. Between August 31, 2015, and March 31, 2019, it is estimated that 348,321 transactions processed through the Irish branch were not monitored for money laundering and terrorist financing risk.