The compliance and audit worlds like to rely on lingo such as “control environment” and “control activities” all the time. The scandal of Corporate America’s payments to Michael Cohen, personal lawyer and fixer to President Trump, reminds us what those words really mean, and why a bad control environment can sour all the control activities you might have.
First, let’s remember what the scandal is. Companies including AT&T and Novartis paid Cohen huge sums of money in 2017, claiming that they needed his insights into how President Trump might approach public policy issues important to them. Both paid Cohen well beyond what political consultants normally might receive. Both companies had important business in front of the Trump Administration.
Both also funneled the money to Cohen via Essential Consultants, the shell company he created in 2016 to pay off porn actress Stormy Daniels so she would keep quiet before the election about an alleged affair she had with Trump a decade earlier.
As I said in a previous post, this looks bad, period. If an employee at AT&T, Novartis, or any other large company had proposed a similar arrangement in a foreign country, the compliance function would raise every alarm it could over possible violations of the Foreign Corrupt Practices Act. Yet here in our own country, the deals proceeded.
Even worse for AT&T, the company received an award for corporate ethics on the same day news broke about its payments to Cohen. So we have a photo of AT&T’s chief compliance officer receiving the award, and a dozen AT&T employees at the event, I’m sure all of them having a good time — and then comes news of the Cohen scandal, trampling over their moment.
Activities vs. Environment
The AT&T award weighs on my mind because I know some compliance staff there. They’ve always struck me as smart, capable, and engaged. I’m sure running a compliance program at a company as large and highly regulated at AT&T is not easy, and I don’t doubt for a moment that they deserve the award for their hard work.
But the administration of a compliance program falls into that realm of control activities: developing policies, testing controls, running training programs, investigating complaints. The formal definition, as written by COSO, is this:
Control activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out… [They] may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews.
COSO wrote that definition more for internal control over financial reporting, but we can see how the concepts apply to ethics and compliance, too. When we talk about an organization having “strong compliance processes,” we’re talking about control activities.
All that effort, however, can be trampled by a poor control environment. COSO defines the control environment as:
Control environment is the set of standards, processes, and structures that provide the basis for carrying out internal control across the organization. The board of directors and senior management establish the tone at the top regarding the importance of internal control including expected standards of conduct.
The question for AT&T, Novartis, and others is how their decision to hire Cohen — including the inflated prices they paid him, and how those payments continued even after special counsel Robert Mueller contacted them about Cohen — squares with their public commitments to ethical behavior.
Enter the Fall Guys
The latest news is that both AT&T and Novartis have defenestrated senior executives somehow involved in the Cohen payments. AT&T sacked its head of regulatory affairs last week; Novartis broomed its general counsel on Wednesday.
If both men were responsible for hiring Cohen, it’s good that they’re gone. (COSO Principle 5: “The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.”) But we’re still left with plenty of questions about how they succeeded in hiring Cohen in the first place.
How did they conclude Cohen was a useful third party? How did they decide on the inflated amounts they paid him? Why did they continue to pay Cohen after being contacted by the Mueller probe, but stopped paying once the Wall Street Journal story broke?
Why did Novartis agree to a contract that didn’t allow for early termination, so they could cut Cohen loose after that first meeting when they realized he was a charlatan? How did they not realize he was a charlatan before signing any contract?
To those points, Novartis’ former CEO Joseph Jimenez gave an interview to Forbes where he admitted he didn’t know who Cohen was, and had nobody in place who could have told the CEO to slow down and consider what he was doing. Consider this snippet:
Was there anyone in the process who should have told you no, or at least say, Look, Joe, do you know who this guy is? “You can imagine I wish that happened,” Jimenez says. I reply that I definitely can imagine he wishes that, but did a person who could have put the brakes on the process exist?
“I would say no,” Jimenez replied, “because of the speed with which we were moving, and that was a mistake. We should have done more due diligence. We should have slowed down. We should have thought it through. We were moving too fast.”
You gotta wonder what Novartis’ ethics and compliance function thinks of that statement. Maybe AT&T doesn’t have the most trampling control environment in this mess after all.