Today I want to return to the Delaware Chancery Court and its decision that corporate officers have a “duty of oversight,” this time looking at the implications for internal audit executives. You in the audit crowd have both good news and bad news here.
The good news is that this ruling turns up the heat on all corporate officers, that they must establish “reasonable information systems” to obtain information about the activities going on within those executives’ fields of responsibility. Someone will need to provide assurance that those information systems work as intended, and that someone can be you.
The bad news is that chief audit executives qualify as corporate officers just like any other executive, so the Chancery Court’s ruling applies to you too. And given that your duty of oversight also means you cannot ignore red flags that the company might suffer harm, that could lead to some difficult conversations auditors might need to have with the board and management.
Simply put, this court ruling is both opportunity and peril for audit executives. You’ll need to approach it carefully.
Let’s first recap what the Chancery Court said. The case involves Fairhurst, the former global head of HR for McDonald’s, who was fired in 2019 for allowing a culture of sexual harassment to exist at the company in the late 2010s, and who faced accusations of sexual harassment himself. Shareholders then sued Fairhurst, alleging that his poor oversight harmed their financial interests. Fairhurst argued that he couldn’t be held responsible because under Delaware corporate law only board directors had a duty of oversight, not corporate officers like him.
Two weeks ago, Chancery Court judge Travis Laster issued a landmark ruling that corporate officers do have a duty of oversight, just like board directors. Specifically, Laster wrote:
This decision clarifies that corporate officers owe a duty of oversight … [Fairhurst] had an obligation to make a good-faith effort to put in place reasonable information systems so that he obtained the information necessary to do his job and report to the CEO and the board, and he could not consciously ignore red flags indicating that the corporation was going to suffer harm.
A good-faith effort to implement reasonable information systems that obtain information, so the executive can report to the board and not ignore red flags. That’s the duty of oversight that corporate officers owe their employer.
So what are audit executives supposed to do with it?
First, Provide Assurance
Judge Laster’s ruling makes clear that all corporate officers have a duty of oversight. This means each executive must strive to implement an information system relevant to his or her role. Again, let’s look at Laster’s actual text:
The Chief Financial Officer is responsible for financial oversight and for making a good faith effort to establish reasonable information systems to cover that area. The Chief Legal Officer is responsible for legal oversight and for making a good faith effort to establish reasonable information systems to cover that area. The executive officer in charge of sales and marketing is not responsible for the financial or legal reporting systems. And of course, the board can tailor the officers’ obligations and responsibilities.
Meanwhile, the board has its own duty of oversight (as defined in the Delaware Chancery Court’s Caremark ruling from 1996), which also includes a good-faith effort to establish information systems that obtain information.
So really, we have overlapping needs for information systems across the enterprise. Each corporate officer needs one, to assure that he or she can brief the CEO and board accurately about business activity and compliance risks; and the board needs to assure that some larger information system also exists to gather information from those sub-systems, so the board can make decisions.
Auditors can help with those needs. You can assess whether those information systems exist, whether they’re reasonably designed for the risks the business unit faces, and whether the systems work as intended.
The most important issue here is whether the information system is reasonably designed. For example, all business units need to track financial information, and perhaps you could centralize that information in a system run by the finance team. But many other activities are business-unit specific, where you couldn’t use the same information systems over and over across many parts of the enterprise.
So that will require a thoughtful assessment of which information is most important to track a business unit’s performance and risks, as well as the processes the unit uses to collect that information. You’ll also need to assess the integrity of those processes, to assure that the information collected is complete and accurate.
As we said, however, this could be an opportunity for internal audit, because corporate officers now have an incentive to get this right — or, more accurately, they will face increased liability risks if they ignore this need. So you can offer your services to the business units, forge closer ties to them, and demonstrate to the board just how invaluable your audit team is.
Risks for Internal Audit
On the other hand, we still have the latter part of Laster’s ruling, which says that corporate officers cannot consciously ignore red flags indicating that the corporation is going to suffer harm.
This strikes me as potentially quite perilous for chief audit executives, because it’s your job to identify potential red flags and do something about them. Exactly what are you supposed to do under Laster’s standard? What actions qualify as raising red flags about possible harm or misconduct? What if management ignores your warnings? What if you’re focused on one issue while another one explodes into crisis?
This isn’t idle speculation. In December an administrative law judge ruled that Wells Fargo’s former top audit executives should face millions in personal penalties for their roles in Wells Fargo’s massive fake-account scandal from the 2010s. Across 78 blistering pages, the judge accused the two men over and over of “failing to provide credible challenge” to abundant evidence of Wells Fargo’s misconduct. How credible is a chief audit executive’s challenge supposed to be? What actions should he or she take, and how quickly? Where is the top of the escalation ladder, so that a CAE can declare, “I did everything I could and now it’s out of my hands”?
Laster first says this about red flags:
An officer’s duty to address and report upward about red flags also generally applies within the officer’s area, although a particularly egregious red flag might require an officer to say something even if it fell outside the officer’s domain.
That’s sensible enough in general, but internal auditors and compliance officers have a duty to beware of compliance and misconduct risks anywhere in the enterprise — so as a practical matter, you have a duty to report any red flag you see. There is no part of the enterprise outside your domain.
On the other hand, perhaps we don’t need to hyperventilate quite so much. To face liability under Delaware law, the corporate officer would also need to “act in bad faith by consciously ignoring the red flags,” Laster wrote.
In Fairhurst’s case, shareholders say he consciously ignored red flags because Fairhurst himself was engaging in sexual harassment, so by definition he was ignoring red flags about the issue. Hence the shareholder lawsuit goes forward.
The question for audit executives is under what circumstances you could be accused of consciously ignoring red flags. For example, if you raise an issue to the CEO but he or she tells you to move on, others will address the problem — does that count as you ignoring the red flag? If you allow an audit finding to go unaddressed for a few quarters and suddenly that weakness causes a crisis, does that count as ignoring the red flag?
Right now we have precious little guidance on any of these questions. In the fullness of time perhaps a body of law and common practice will emerge, but for now, audit executives need to be wary. The world is full of slippery slopes, and this is one of them.