Robust internal controls are a critical part of any business' success, yet are often taken for granted or ignored. The importance of effective internal controls are too often not recognized until a control failure results in adverse effects on the enterprise. This presentation will focus on real-life consequences of control failures at Hill International and lessons learned that will benefit you and your organization.
- Robust internal controls are critical to the success of every business
- Consequences of not maintaining effective internal controls can be substantial
- Effective internal controls require commitment from the whole organization
This is a presentation on internal controls. I want to tell you a story. This is a story about controls. I went years with no control issues at any of my companies. I thought that the controls were just part of my DNA and my company’s DNA. After all, like many of you, I have an accounting degree. I started my career at a big four firm KPMG as an Auditor. I’m a CPA. So controls were just what I did, was inherent in all my training. I really didn’t think a whole lot about it. The same with my companies, I just thought it was part of my company’s DNA. The various companies that I worked for, it’s just an inherent part of what they did. I guess what you could say is that I took the internal controls for granted. Everything seemed to work just fine. Orders came in, we went through, we did the audit. Generally, we had these entries here. There are some adjustments, but nothing material, and away we went.
Then, a couple years ago, I went to Hill International. A very sad but enlightening story about controls. I’d like to share that with you, and talk about some of the consequences of not having sound controls, and some takeaways from that experience.
First of all, let me introduce myself. I’m Todd Weintraub, and I am the Chief Financial Officer of Hill International, which is a publicly held global construction management company. I’ve been there since 2018. Prior to that, I was the Chief Financial Officer at Macquarie infrastructure Corp, another publicly held company. Prior to that, I was the Chief Financial Officer at United Natural Foods, another publicly held company. All in all, I have 30 years of experience in accounting and finance, most of those with publicly held companies and 12 as the CFO of publicly held companies. So I do have quite a bit of experience with publicly held companies and internal controls, SOX, and everything that that entails.
When I went to Hill International, I acquired quite a mess with the internal control structure there. The [inaudible] material weaknesses that I inherited, and I’m not going to read through them all here because that would take up most of the presentation, but I did number them. If you look at the bottom, you can see that there are 18. So when I first got there, 18 material weaknesses, and it spanned. I’ve highlighted just some of the areas that it touched. Number 1, accounts receivable. Number 2, tax laws. Number 3, inappropriate resources. Number 4, financial accounting policies and procedures that were lacking. 5, intercompany balance accounting. 6, foreign currency accounting. 7, non monetary transactions and retained earnings. 8, tax effective balance is not being done correctly. 9, accumulated other comprehensive income accounting not being done correctly. 10, the cash flow statement not being done in accordance with GAAP. 11, revenue recognition not being done correctly. 12, the income tax provision—another material weakness. 13, interest accounts not being converted properly to GAAP. 14, again, more with intercompany accounts and inappropriate pairing those accounts. 15, inappropriate amortization of assets. 16, joint venture accounting not done properly. 17, entity impairment of long lived assets not being done properly. Finally, 18, the projected benefit obligation and pension accounting not being done properly. So that’s quite a bit, touches just about every part of the company and this is right inherited.
Now, I have seen, in the past, a material weakness. I remember way back in my Macquarie days, we had a material weakness relating to hedge accounting, which was very technical, very specific. We had to do a restatement, that was one. I remember all the resources and time it took to do one material weakness. To have 18 is mind boggling. That’s where I kind of came in a couple of years ago. So the question becomes, how did the company get there? When I walked in the door, how did the company find itself in that situation? What went wrong? Well, it was a public company. So this is not a mom and pop company where there’s an owner and not many employees, it was a public company and had been for over a decade.
Along with that, there was an internal audit function. There was also the external auditors that, of course, were there on an annual basis, and had to sign off on the financial statements, as well as doing the control environment and pining on that. As a publicly held company, there was also the requirement for an independent audit committee with financial experts, which there were for all those years. Also, an independent board, along with enough to expensive and very full featured ERP system and a credentialed staff. Not everybody on staff was a CPA, but there was plenty of CPAs on staff, as well as people with vast accounting experience and accounting degrees.
So with all of that, how did we get there? The point of this presentation is not to diagnose what went wrong. Frankly, it was before I was there. I have my guesses and my opinions on what might have gone wrong. But the point is, even in a company that has all of the things that you see listed here, we still ended up with 18 material weaknesses. So it can happen. It can happen to companies, no matter how big or how small, it can happen. Even if you have an audit, even if you have internal audits, even if you have audit committees, a good system, it can still happen. That’s the main point. No company is immune from it.
So what are the consequences when there’s a breakdown in internal control structure? Well, here’s what happened at Hill. There was a statement that had to be done—a three years statement. The costs of that were $10 million in hard costs plus a lower amount of hard remediation costs. To be clear, when I talk about hard costs, those are external costs to pay external consultants to come in and assist the company with getting through the restatement, with going through rebuilding the books essentially making all the adjustments that need to be made, and basically going back and redoing three years of financial statements from scratch. That really is not feasibly done with the existing staff. So there was a need and there will be a need to bring in external resources, and that was the cost of those resources.
The remediation costs are also very real too, while the remediation costs are still ongoing. It’s a lower amount in terms of hard costs, because most of those remediation costs are being done by existing staff out of necessity, because they’re the ones who have to put the controls in place and execute them. So although there are some hard remediation costs, there’s an unquantifiable amount of internal costs of remediation. That just goes to the staff time that is required to complete the remediation, the quality of life, all those types of things, staff turnover. In addition to that, when you do have a restatement or significant material weaknesses, there’s a fairly good chance that you’ll have an SEC investigation, which Phil did. The SEC investigation also consumes resources. There’s costs to the external counsel, SEC counsel that you’ll need. They’re also the internal costs of staff time and effort in order to respond to all the SEC questions and comments to have meetings etc.
In addition to that, there’s personal consequences for the people who were involved either wittingly or unwittingly in the restatement and in the lack of internal controls. There’s professional sanctions and fines. In many cases, people may be prohibited from practicing at a publicly held company. There can also be fines. They can be substantial for individuals. This is not only at the highest levels, this can happen even at lower levels too, if people are just going along with the program, and not fulfilling their professional responsibilities.
From a business perspective, in addition to the actual hard costs of your statement remediation, as well as the internal staff time and soft costs we’ve talked about, there’s a very real loss of business. As you’re going through this process, it becomes very difficult to focus on the business itself. The company’s attention and the board’s attention is diverted into getting through this restatement and remediating control weaknesses. It doesn’t pack the business, not only from a lack of proper attention focused on the rest of the business, but also, particularly as a publicly held company, it’s all out in the open, it’s public information. So even to the extent that your customers and potential customers are not aware of the internal issues that you’re having, and gain, it is public information, you can be sure that your competitors are going to be letting your customers and your potential customers know about the problems that you’re having. Although it doesn’t mean everybody is going to head for the doors, it becomes increasingly difficult to retain and attract new business, and there is real impact on both your top line as well as your bottom line.
There’s also staff turnover. Some of that staff turnover will be voluntary staff turnover as because of all the work involved and their statement or mediation, people will just look for other opportunities that are not so all consuming. But even of the people that stay, you’re going to want to turn over people who were part of this. In the case of Hill, we’ve substantially turned over the entire finance area that was involved with the initial control breakdown and the restatement.
There could be other consequences as well. In the case of Hill, there was a lack of being able to file 10Qs and 10Ks as they were going through the restatement process. That’s because you can’t continue to final cues when you still have a 10k audit opinion that’s been withdrawn, so that has to get done first. In the case of Hill, it took quite a long time to do three years of restatements. In the meantime, as a result of missing deadlines for current 10Qs and 10Ks trading in the stock was suspended, not delisted but suspended. So as this is going on and as you’re not filing current reports, investors obviously get nervous. That alone is going to drive the stock price down. Add to that loss of business we talked about, the decreased revenue, that increased bottom line and your stock price goes down even further.
Eventually, when trading was suspended, the price doesn’t really go down any further. But once company does get back up to speed and gets all its filings current again and can resume trading, investors are very wary, particularly because the restatement is only the first part, the hard work of remediation really is going to have a tail on it after the restatement is done. That’s still going to be very public information. So there is a very real, very real prospect that your stock price will be punished during this time. In Hill’s case, it has been punished on the stock that has lost most of its value. We have come back since then, and are back on the right track, but it was a significant hit to the stock price.
With all that said, with the consequences, and with the internal controls, what are the main takeaways? The point of this presentation is to talk about some very top level things that you can do not give a how to in terms of internal controls. I think the main takeaway and what I want you to leave with is be good, not lucky. You may recall that I began this presentation talking about taking internal controls for granted. Certainly with the background that I have, and with the background that a lot of finance accounting departments have, they’re certainly equipped to understand controls and to be able to execute them. But if there’s not a focus placed on them, you can take them for granted. I think that’s where companies can get into trouble. You fool yourself into thinking that you’re actually good and you’re doing a good job when, in fact, you’re taking it for granted, and you’re more lucky.
From personal experience, I can look back now, and where I thought I was being good for all those years where there really weren’t any problems, I now see that it was more lucky than good, that nothing ever really blew up. But certainly, I think the elements were in place where things could have blown up. I think those circumstances exist in many companies. Just because nothing does blow up doesn’t mean that can’t blow up. As we saw with consequences, it can be drastic.
So how can you be good and not lucky? Be involved in controls. I say that to the senior level people to whom I’m speaking now—CFOs, Controllers, VPS. Controls are not just something for the lower levels of the organization to be involved with, those of the people involved with the day to day activities, and books and records and putting together financial statements. However, we need to be involved as well, as senior leadership, as senior finance leadership.
A basic question that I think we all need to ask ourselves is, how do you know when we issue financial statements or any kind of financial information that we that we put out, how do we know that it’s accurate? How do we know that that’s correct? I think that we have a comfort level because of a lot of the things that we take for granted give us a false sense of security. Most of us do have good systems. We do have good accounting systems, and we know, inherently, that those systems have a lot of built in controls. That’s true, but that’s not enough. Just relying on your system, on your ERP system, on whatever other operational and accounting systems that you use, it’s not enough.
Oftentimes, we don’t pay a lot of attention to the access to those systems, and to the control over access to those systems. It’s not just a question of who has access, it’s a question of who has multiple access not just the system in general, but the different modules within your system, and how do those modules interact with each other. Even if there’s no intentional wrongdoing, having a lack of segregation of duties within the system can be a serious issue. How many of you can sit back and say that you really have a handle on the segregation of duties within your system, and you know that people do not have access to different things that would be in conflict with each other?
We also rely on our staff. We all are involved in hiring. We want to make sure we hire qualified people. We interview them, and we take some comfort in the staff that we hire and that we train that they’re going to carry out their responsibilities. Again, from a control perspective, that’s good, but it’s not enough. Even good people with their proper set of skills and the proper set of knowledge and with good intentions, can fail in a control environment. Mistakes can be made, things can be missed. If the control environment is not designed properly, then your staff is not going to catch the things that need to be caught.
Well, what about a high level review? Even if we’re not involved in the details of the day to day, we’re all reviewing our financials and our information at least on a monthly basis, some information more often, some on a weekly basis, some flash reporting. So if anything was really off with our financials, we would know because we know what to expect, we know what the numbers should look like. If they don’t, that’s a red flag we’re gonna follow up on. Again, that’s a good control, but it’s not enough. How many of our businesses are that predictable that if something was were missed, we would really know? A lot of times, what you’ll find is that when something does look very much out of whack, that’s when you ask a question. That’s when you can find that. Not only were you correct that it was out of whack, but it turns out, even in other periods where the numbers did not look out of whack, things were amiss.
The reason it wasn’t caught is because the numbers looked okay according to your expectations, but the fact is that they shouldn’t have looked okay. The fact is that if the business actually performs worse or better than expectation, and you’re relying on that expectation, which comes in where it should, then you’re gonna have a blind spot if the real numbers were wrong, but there was an error in those numbers. So high level review is good, but it’s not enough.
Finally, there’s the auditors. We all take some comfort in the fact that we have audits done. In the case of public company, we have the reviews done quarterly, and then of course, the year end audit in a fair amount of detail. We take some comfort that we are getting a clean audit opinion from our auditors. Also, we’ve all got internal audit teams as well that are doing their work. They’re going through the SOX so we do get some comfort that everything is well. Again, it’s not enough. We can’t rely on auditors to identify material misstatements and holes in our internal control system. It is management’s responsibility to do that. I go back to the case of Hill where we had all these things in place for years, and yet, again, 18, material weaknesses that I inherited when I came on board.
The real takeaway here is get involved in the controls. It can happen to you, don’t have it be a blind spot. By being involved in those controls, that means understand them, meet with the people who are in charge of administering the controls, ensure that they know and understand what that control structure is, and what everybody’s responsibility is. We really don’t have the time unfortunately, as senior finance people, whether it be CFOs or corporate controllers to be involved in all of the internal controls that we have at the lower levels, but we do need to make sure that we understand what those controls are, and that we have assurance that they are working properly. When that doesn’t happen, you can face what Hill has faced for the last couple of years.
Now, as we sit here, a couple years into this journey, we’ve gone from 18, we cut that about in half the first year that I was there. When we issue the 10k this year, we’re a [inaudible] under your company. I expect that we will have most of those remaining ones gone. I don’t think all of them, we may have one or two left. But if any of you have ever been through this before, you’ll know that even remediating one material weakness is quite a task, so doing 18 was not workable in a year. We’re going to get most of it done in a couple of years, but it can put a real drain in the company. So I would encourage everybody to be diligent with your internal controls, it can have dire consequences if you’re not.
Thank you for joining me. I look forward to any follow up questions or contact for anybody who has any further interest. Thank you. Good afternoon.
Get full Q/N Access
Sign up to Q/N with a few details to watch this presentation.