I’m surprised that someone has not asked the most ludicrous question, yet. Why was the auditor not driving a Volkswagen diesel car? If so, he should have known that the software was fraudulent and blown the whistle! Leaving that thought aside, I thought of using the VW story to explain governance activities that may prevent similar issues.
Volkswagen was found to have falsified U.S. pollution tests on 500,000 diesel engine vehicles, by installing software (“defeat devices”) to make them appear cleaner than they were when being tested. Many questions come to mind, when I think of how this kind of act could’ve been prevented through a good governance process. Who is responsible for the scandal, What is the Board’s responsibility, Is there anything an Audit Committee could do in a similar situation that would prevent such occurrence? Etc.
My take is that the Board should have an appropriate enterprise risk management process that identifies all key risks and monitor them through a process. Further, governance activities in the company should ensure that critical management information reaching the Board is sufficiently complete, accurate and timely to enable appropriate decision making, and provide the control mechanisms to ensure that strategies, directions and instructions are carried out systematically and effectively. In the event emissions were identified as a risk area, the mitigating actions should’ve gone through a review process. If it did then the Board which approved the software fix should be held responsible.
If the CEO approved the fraudulent method without the knowledge of the Board, it means that the enterprise risk management process was not robust to identify key risks that would have a significant impact on the company. There is a fine line between innovative ideas and illegal ideas. Most of the time you find out too late.
The audit committee of VW had the following two responsibilities on its TOR:
(n) Identifying the principal financial risks of the Company;
(o) Overseeing reporting on internal controls of management and ensuring that management has designed and implemented an effective system of internal controls;
It’s one thing to list out roles and responsibilities and another to perform them. The emissions risk became a financial risk to VW, post the investigations by the authorities.
This is a good lesson to all audit committees who nod their head for any risk matrix or heat maps presented by management without adequately challenging the risk points. Some audit committees do not have any idea on how to oversee internal controls. They can get advice from many professionals but don’t understand that you’ve got to pay for good advice. “Bad advice comes free!” If the level of knowledge of the audit committee members is not good and if the tone at the top and culture of the organization is “profit at any cost”, it’s a VW formula for scandals. Even the best auditor in the world is not gonna help!