Risk culture as the (most) important element of corporate integrity

Sonja Stirnimann is an expert in corporate integrity, holds an Executive MBA in Financial Services & Insurance, an IMD Director Diploma and a Sustainability & ESG Designation and Certification (GCB.D) diploma.

She is also a Swiss Certified Public Accountant, Certified Fraud Examiner and Business Mediator. Her membership of various boards of directors contributes to her broad experience in the areas of governance, risk, corporate compliance and finance.

In a conversation with Prof. Dr. Reto Eberle, Sonja Stirnimann discusses the role of corporate culture in fraud prevention along with other current topics.

Prof. Dr. Reto Eberle

Partner, Member of the Department of Professional Practice

KPMG Switzerland

mail
call

Prof. Dr. Reto Eberle: You are a member of various boards of directors. What is it that makes working on an audit committee so fascinating?

Sonja Stirnimann: The interesting thing is dealing with different personalities. The interaction between management, internal and external auditors and employees is very varied and rewarding. Each function and every individual contribute different perspectives and have their own ideas about how they can contribute to the company’s success.

Prof. Dr. Reto Eberle & Sonja Stirnimann

Isn’t there a risk of overload for the audit committee?
What can be done to counter this potentially excessive burden?

As the board, you must be able to set priorities for the company. What are the risks and how do you deal with them? What is relevant for the company, and what could jeopardize its survival? What could keep the company from implementing its strategy? If you try to give equal weight to all issues, you will inevitably overwhelm your resources.

A good board of directors is characterized by the fact that it repeatedly asks itself: “What should we be doing for our company?” and not just what is everyone else doing. That is not to say that you should not learn from others, especially across industries.

The topics covered by an audit committee are extremely diverse: financial reporting, ICS, data protection, cybersecurity, sustainability and related audits, internal audit or perhaps also corporate culture. Which topics are particularly important and where do you see the greatest need for action?

All the topics you mentioned are certainly important. Some have been around for years, others are new. Priorities differ from company to company and depend, among other things, on the maturity level of an organization. Every board of directors must ask itself “What do we need and what topics must we address to take our company to the next level, expand our competitive advantage and also protect ourselves from risks?”

Some have been dealing with the issue of cybersecurity for a long time and are well positioned, while others still feel that it is not their concern and not something that will affect them. The audit committee is responsible for preparing many of the topics you mentioned, decisions are then taken by the full board of directors.

One of the hot topics at the moment is how to deal with fraud. Auditing standards are currently being adapted to strengthen the auditor’s professional skepticism and improve communication within the board of directors. Will this really help to reduce the expectation gap regarding the role and function of the auditor?

The crux of the matter is not inadequate standards, but how they are implemented. If auditors properly implement the existing requirements and maintain professional skepticism, there is no need to revise the auditing standards.

The problem is that some auditors still sometimes treat fraud issues shabbily. They do not want to jeopardize their client relationship and are not critical enough. As a board member, I have intervened with an auditor in this regard.

At an event held by the Federal Audit Oversight Authority (FAOA) some time ago, I gave a presentation on this topic in which I examined the three-way relationship between the authorities/supervision, internal and external auditors and the board of directors. However, judging by the FAOA’s annual report, there still appears to be room for improvement in this regard.

Questions about abuse and fraud arise not only in the area of financial reporting. Non-financial reporting and corresponding audits are gaining in importance. Suddenly, sustainability goals and criteria are being included in bonus calculations. But this again creates incentives for improper exertion of influence.

This is certainly becoming an issue. The Association of Certified Fraud Examiners’ (ACFE) fraud tree, which sets out all the fraud patterns, is being expanded accordingly and new patterns are being added.

Here, too, it is important to talk about these different patterns as a way to raise employee awareness. Equally important in this context is training for internal and external auditors.