Coming Soon – Updated ISO 31000 Risk Management

I’m forwarding along a discussion about the expected update of ISO 31000 Risk Management. Similar to posts that I have been doing for the recently updated COSO ERM framework, I will be adding ISO 31000 to the discussions when the update arrives. 2017 and 2018 are looking like important years for the development and improvement of risk management and ERM for officers, directors (and audit and risk committees), managers, elected representatives, and suppliers, and throughout the entire entity or organization. On this blog you will also find earlier, but recent, posts where I have been discussing the new COSO ERM framework. I particularly like the culture and governance category which was added as the first category for consideration.

Click on the following link for the discussion about the expected update of ISO 31000 https://www.iso.org/news/ref2239.html

Best to you, David Tate, Esq.

Factors Influencing Corporate Culture – Chart From The IIA – Plus, Let’s Agree Upon Sample Culture And Governance Audit Programs

Passing this along, a chart from the Institute of Internal Auditors, identifying factors that influence corporate culture. I’m not sure about some of the ranking – particularly training and enforcement through disciplinary measures – it seems to me that those two categories would be ranked higher, and at about the same level as the establishment of a code of conduct (i.e., immediately below the first two ranked factors). Just comments for thought.

This chart came from a discussion about how to audit culture, and about the fact that culture can be audited. As noted there, for years auditors have tended to stay away from auditing culture, and I’ll also add governance as an audit area that auditors, internal and external, tend to stay away from. That is really perplexing, since for years it has been known that culture is an important indicator of the possibility of fraud and unlawful acts. But, if I’m not mistaken, from my years of audit, when designing or planning the audit, doesn’t the external auditor already, to some extent, evaluate and take into consideration the estimated reliability of the financial recordkeeping processes and internal controls, and wouldn’t that, or doesn’t that, or shouldn’t that, already to some extent take into consideration aspects of culture and governance?

Now both the COSO 2013 internal control framework and the new COSO enterprise risk management (ERM) framework list culture and governance as important framework criteria. Culture and governance are the first, underlying criteria in the new COSO ERM framework. And many other organizations are now promoting culture, including the National Association of Corporate Directors.

LET’S NOW HAVE A PUBLIC DISCUSSION TO DEVELOP CRITERIA AND STEPS FOR SAMPLE AUDIT PROGRAMS FOR (1) CULTURE AND (2) GOVERNANCE!

And, I say a “public discussion” because public and private businesses, nonprofits and governmental entities, and their auditors, will then have criteria to try to meet or exceed. Note, however, that I am not advocating that the criteria and steps create a legal standard. Internal controls and risk management design are highly discretionary. Any effort to create a broad legal standard, other than, for example, the business judgment rule, will be met with extreme resistance, and most likely with failure and an inability to move these topics forward.

So . . . if you are an internal auditor, or an external auditor, how would you, or how do you, describe to management and the audit committee, and perhaps the board, the steps that you would take to audit the entity’s culture and the entity’s governance?

That’s all for now. I’m David Tate, and I’m a California litigation attorney, and I also handle governance and risk management. You need to consult with an attorney or appropriate professional about your situation. This blog post or video or audio is not an advertisement or solicitation for services inside or outside of California. Thanks for listening, viewing or reading.

David Tate, Esq., Royse Law Firm, Menlo Park, California office, with offices in northern and southern California. http://rroyselaw.com

See also my blogs at http://californiaestatetrust.com and at http://auditcommitteeupdate.com

Royse Law Firm – Practice Area Overview – San Francisco Bay Area and Los Angeles Basin

  • Corporate and Securities, Financing and Formation
  • Corporate Governance, D&O, Boards and Committees, Audit Committees, Etc.
  • Intellectual Property – Patents, Trademarks, Copyrights, Trade Secrets
  • International
  • Immigration
  • Mergers & Acquisitions
  • Labor and Employment
  • Litigation (I broke out the litigation because this is my primary area of practice)
  •             Business
  •             Intellectual Property – Patents, Trademarks, Copyrights, Trade Secrets
  •             Trade Secrets, NDA, Accounting Issues, Fraud, Lost Income, Royalties, Etc.
  •             Privacy, Internet, Hacking, Speech, Etc.
  •             Labor and Employment
  •             Mergers & Acquisitions
  •             Real Estate
  •             Owner, Founder, Investor, Board & Committee, Shareholder, D&O, Etc.
  •             Insurance Coverage and Bad Faith
  •             Lender/Debtor
  •             Investigations
  •             Trust, Estate, Conservatorship, Elder Abuse, and Contentious Administrations
  • Real Estate
  • Tax (US and International) and Tax Litigation
  • Technology Companies and Transactions Including AgTech, HealthTech, Etc.
  • Wealth and Estate Planning, Trust and Estate Administration, and Disputes and Litigation

[Image: Audit Committee 5 Lines of Defense chart, 10/22/2017, David W. Tate, Esq.]

Claim for violation of nondisclosure agreement must establish that the information disclosed was true

Nondisclosure agreements are in the news. Here’s an interesting aspect of making a claim that a nondisclosure agreement was violated: the plaintiff’s claim must establish that the alleged wrongful disclosure was of confidential but true information, which was covered by the nondisclosure agreement. Of course, there are also other important issues relating to whether or not a nondisclosure agreement was breached. For example, can the holder of the privilege (e.g., the plaintiff employer) actually prevent the disclosure or reporting of the information to all recipients, or only to some (for example, to the police, to a regulatory entity or to the board of directors, as compared to the press or the public)? And, regardless of the existence of the nondisclosure agreement, does the person disclosing the information have standing and a right to bring a legal action relative to the event or occurrence from which the information arose (for example, in a situation of alleged unlawful discrimination or harassment)?

See, e.g., Glassdoor, Inc. v. Superior Court (2017) 9 Cal.App.5th 623, which held:

“An employer cannot establish a claim for breach of a nondisclosure agreement unless it is prepared to prove, and does prove, that the defendant disclosed actual confidential information, i.e., that his or her statements were, in some relevant degree, true. Nothing in this record would sustain a finding that the CEO’s statements—reported by Doe inaccurately, according to MZ—had this effect.

MZ’s hesitation on this point may be understandable, because Doe’s supposed disclosures do not cast MZ in a favorable light. But MZ cannot be excused from the requisite showing merely because proving a prima facie case might be embarrassing to it. If Doe accurately disclosed company policy, or the CEO’s statements regarding that policy, it was incumbent upon MZ to present evidence to that effect. Instead it denied the accuracy of Doe’s report without identifying any real confidential information it might be understood to have disclosed. MZ therefore failed to establish a prima facie case predicated on Doe’s account of the CEO’s statements.”

As an additional requirement, in trade secret cases the holder of the secret (e.g., the plaintiff employer) is required to describe the trade secret so that the court and the defendant are sufficiently apprised of the confidential information that is alleged to have been wrongfully disclosed. But if the holder itself discloses that information in the litigation, the information is no longer secret, which would undermine the holder’s entire trade secret case. Keeping the information confidential, while also sufficiently disclosing it to the court and to the defendant, is therefore a requirement that must be carefully accomplished. Thus, for example, for California state court nondisclosure and trade secret cases, see also Cal. Civ. Code §3426.5 (part of California’s Uniform Trade Secrets Act), which requires the trial court to “preserve the secrecy of an alleged trade secret by reasonable means, which may include granting protective orders in connection with discovery proceedings, holding in-camera hearings, sealing the records of the action, and ordering any person involved in the litigation not to disclose an alleged trade secret without prior court approval.”

That’s all for now. Of course, each situation is different.

David Tate, Esq., Royse Law Firm, Menlo Park, California office, with offices in northern and southern California. http://rroyselaw.com


Update of my possible risk management process summary chart

I have updated my summary risk management process chart, and I have provided the chart below. The chart generally follows the new COSO ERM framework (see also below), with some additional tweaks. You can find additional discussions about the COSO ERM framework in earlier posts.

Thank you. David Tate, Esq., Royse Law Firm, Menlo Park, California office, with offices in northern and southern California, http://rroyselaw.com

[Image: Overview of Possible Risk Management Process chart, 11/12/2017]


Good video about the GC relationship with the CEO, the Company and the Board – forwarding from Inside America’s Boardrooms

I have provided below a link to a recent Inside America’s Boardrooms video discussing the relationship between the general counsel (GC) and the CEO and the Board. You don’t hear these discussions very often. The GC represents the Company, not the CEO. Of course, their interests are most often aligned, but not always. The Board acts on behalf of the Company and the Shareholders, and as such you might say that the GC also represents the Board, but not the Board Members individually, and even this relationship between the GC and the Board can get sticky in some circumstances. This is a fascinating and important discussion.

Best to you, David Tate, Esq., Royse Law Firm, Menlo Park, California office, with offices in both northern and southern California, http://rroyselaw.com/

Help with employment termination investigations – new case Jameson v. PG&E

See, Jameson v. Pacific Gas and Electric Company, California Court of Appeal, First Appellate District, October 5, 2017, Case A147515

In relevant part, plaintiff employee claimed that PG&E fired him in breach of the implied covenant of good faith and fair dealing and of an implied promise that he would not be fired for other than good cause, and in retaliation. PG&E countered that the employment was at-will and, in the alternative, that PG&E had good cause and that its investigation established good cause. Plaintiff employee further claimed that PG&E’s investigation was inadequate and that the investigator, who was an attorney, failed to interview all of the identified witnesses or to sufficiently consider plaintiff employee’s arguments and evidence. See the clip from the court’s opinion below.

Of course, whether or not the investigation was sufficient and appropriately performed by a competent and qualified person will vary and depend on the facts and circumstances of each case and investigation.

David Tate, Esq.

With respect to the sufficiency of the investigation, in relevant part, the court held:

[Image: clip from the court’s opinion in Jameson v. PG&E on the sufficiency of the employment termination investigation, 11/04/2017]

In this post – why I am restarting this blog – and some risk management (ERM) and audit committee materials

I last used this blog in mid-2013. For my recent posts to other blogs on these topics, please also click on the following:

http://auditcommitteeupdate.com – 103 posts from January 2, 2016 to the present (and ongoing – this blog is continuing).

http://directorofficernews.com – 310 posts from September 21, 2013 to January 2, 2016.

And, of course, I am also continuing with my longtime blog about trust and estate litigation and contentious administrations, conservatorships, powers of attorney, elder abuse and elder protection, real property, etc., http://californiaestatetrust.com.

You might ask, or wonder, why restart this blog? Because as I view the current business and people environment, the broader scope of this blog’s title accurately reflects the status of the community and business environments and what is needed. As indicated above, I am also continuing with my longtime trust, estate and elder litigation blog, and with my audit committee and D&O blog. Thank you.

Best to you, David Tate, Esq.

The California State Leadership Accountability Act (Cal. Government Code §§13400-13407)

Section 13401

The California State Leadership Accountability Act in relevant part provides as follows:

(a) The Legislature finds all of the following:

* * * * *

(3) Effective systems of internal control provide the basic foundation upon which a structure of public accountability must be built.

(4) Effective systems of internal control are necessary to ensure that state resources are adequately safeguarded, monitored, and administered.

(5) Systems of internal control are necessarily dynamic and must be routinely monitored, continuously evaluated, and, where necessary, improved.

(6) Reports regarding the continuing adequacy of the systems of internal control of each state agency are necessary to enable the executive branch, the Legislature, and the public to evaluate each state agency’s performance of its public responsibilities and accountability.

(b) The Legislature declares all of the following to be the policies of the state:

(1) Each state agency must maintain effective systems of internal control as an integral part of its management practices.

(2) The systems of internal control of each state agency shall be evaluated on an ongoing basis through regular and ongoing monitoring processes and, when detected, weaknesses must be promptly corrected.

(3) All levels of management of state agencies must be involved in assessing and strengthening the systems of internal control to minimize fraud, errors, abuse, and waste of government funds. Monitoring processes should be designed to ensure objectivity of persons tasked with monitoring. Objectivity means allowing those tasked with monitoring to maintain integrity, impartiality, a questioning state of mind, and the ability to accurately and fairly assess circumstances and draw sound conclusions.

(4) It shall be the responsibility of the Department of Finance, in consultation with the Controller and the California State Auditor, to establish guidelines for how the objectivity of the persons tasked with monitoring processes are to be maintained. Those guidelines should include establishing monitor training programs, identification of appropriate chain-of-command reporting relationships, and recommended best practices for professional development and the conduct of objective monitoring, including, but not limited to, practices for the regular dissemination of strategies and lessons learned from successful efforts to strengthen state administration via interagency cooperation.

Section 13402

Agency heads are responsible for the establishment and maintenance of a system or systems of internal control, and effective and objective ongoing monitoring of the internal controls within their state agencies. This responsibility includes documenting the system, communicating system requirements to employees, and ensuring that the system is functioning as prescribed and is modified, as appropriate, for changes in conditions.

Section 13403

(a) As used in this chapter, “internal control” means a process, including a continuous built-in component of operations, effected by a state agency’s oversight body, management, and other personnel that provide reasonable assurance that the state agency’s objectives will be achieved. The following five components of internal control, if effectively designed, implemented, and operated in an integrated manner, constitute an effective internal control system:

(1) “Control environment” means the foundation for an internal control system that provides the discipline and structure to help a state agency achieve its objectives.

(2) “Risk assessment” means an assessment of the risks facing the state agency as it seeks to achieve its objectives and provides the basis for developing appropriate risk responses.

(3) “Control activities” means the actions management establishes through policies and procedures to achieve objectives and respond to risks in the internal control system.

(4) “Information and communication” means the quality of vital information used and communicated to achieve the state agency’s objectives.

(5) “Monitoring” means the activities management establishes and operates to assess the quality of performance over time and promptly resolve the findings of audits and other reviews.

(b) The elements of a satisfactory system of internal control, shall include, but are not limited to, the following:

(1) A plan of organization that provides segregation of duties appropriate for proper safeguarding of state agency assets.

(2) A plan that limits access to state agency assets to authorized personnel who require these assets in the performance of their assigned duties.

(3) A system of policies and procedures adequate to provide compliance with applicable laws, criteria, standards, and other requirements.

(4) An established system of practices to be followed in performance of duties and functions in each of the state agencies.

(5) Personnel of a quality commensurate with their responsibilities.

(6) An effective system of internal review.

(7) A technology infrastructure to support the completeness, accuracy, and validity of information processed.

(c) Agency heads shall follow the standards established by this section of internal control in carrying out the requirements of Section 13402.

(d) Monitoring systems and processes are vital to the following:

(1) Ensuring that routine application of internal controls do not diminish their efficacy over time.

(2) Providing timely notice and opportunity for correction of emerging weaknesses with established internal controls.

(3) Facilitating public resources and other decisions by ensuring availability of accurate and reliable information.

(4) Facilitating production of timely and accurate financial reports, and the submittal, when appropriate, of recommendations for how greater efficiencies in support of the state agency’s mission may be attainable via the consolidation or restructuring of potentially duplicative or inefficient processes, programs, or practices where it appears such changes may be achieved without undermining program effectiveness, quality, or customer satisfaction.

(e) It shall be the responsibility of the Department of Finance, in consultation with the Controller and the California State Auditor, to establish guidelines for the management of state agencies on how the role of monitoring should be staffed, structured, and its reporting function standardized so it fits within an efficient and normalized state agency administrative framework.

(f) Agency heads shall implement systems and processes to ensure the objectivity of the monitoring of internal control as an ongoing activity in carrying out the requirements of Section 13402.

* * * * *

Link for U.S. federal government ERM – OMB Circular A-123 – Management’s Responsibility for Enterprise Risk Management and Internal Control  https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m-16-17.pdf

Society of Professional Journalists, Code of Ethics https://www.spj.org/ethicscode.asp

Discussion about a worthwhile video from Boardmember.com: The Audit Committee’s Role and Structure

An audit committee related video discussion from Boardmember.com, This Week in the Boardroom: 04-04-13, The Audit Committee’s Role and Structure with TK Kerstetter, President, Corporate Board Member, and Trent Gazzaway, National Partner, Audit Services, Grant Thornton LLP.  Click Here To View The Video.

My thoughts.  This is a worthwhile video for its discussion (16+ minutes), particularly Mr. Gazzaway’s comments directly relating to the audit committee and the process of the audit committee reporting back to the board.  Mr. Gazzaway went into greater detail than I anticipated, and he didn’t give the board a free pass to simply delegate to the audit committee.  Mr. Gazzaway did remind us that the board remains responsible for oversight, and for oversight of the audit committee – it isn’t appropriate to simply rubberstamp the audit committee’s recommendations.  Agreed.  As we know, the board has a duty to exercise diligence, inquiry, and decision making, including over the committees of the board.

Mr. Kerstetter also asked Mr. Gazzaway about ERM.  I prefer “risk and uncertainty management,” more in line with the discussion contained in ISO 31000.  To be fair, the video discussion did not intend or purport to cover the risk management topic area, which would be impossible given the time allocated.  And, risk and uncertainty management should be a separate discussion.

Mr. Gazzaway is correct when he says that this topic area is still in its early stages.  In fact, his comments, at least from my viewpoint, confirm that there is a current need for discussion about how to handle risk and uncertainty management.

The board is responsible for the oversight of the entity’s risk and uncertainty management.  And, if the board appoints a committee, I believe that it is best for the board to appoint a separate risk committee instead of delegating risk to the audit committee, although delegation to the audit committee also is acceptable.  The audit committee already is sufficiently busy, the potential areas of risk exceed the traditional areas addressed by the audit committee, and there is no automatic guarantee that the audit committee members are the best board members for the risk oversight topic area.  However, as we know, even if the board delegates to a risk committee, the board remains responsible for active risk and uncertainty oversight.  The entity’s actions, processes, attitude and governance relating to day-to-day risk and uncertainty management are an entirely different and more detailed matter, of course, but those are discussions for different materials.

I also appreciated Mr. Gazzaway’s comment or warning about Regulation FD and communications with shareholder or stakeholders.  This also should be a separate topic of discussion.

View the video.  Enjoy.  Dave Tate, Esq. (San Francisco)

Article – KPMG Audit Committee Institute, Governance Challenges, The 2013 Agenda & Risk Management

The KPMG Audit Committee Institute, governance challenges and the 2013 agenda including risk management, Click Here For Discussion.