Last of 2 parts
IN his study of the “fraud triangle” (1953), Donald Cressey considers three dimensions of fraudulent behavior: pressure, opportunity and rationalization. Pressure motivates trusted persons to become trust violators because of financial problems that cannot be shared; opportunity lets them secretly resolve these problems even if they have to violate the trust placed in them; and rationalization allows them to view fraud as justifiable for resolving such problems. The triangle has since been used as a tool for detecting fraud by, among others, the American Institute of Certified Public Accountants (Aicpa, 2002), the International Accounting Standards Board (IASB, 2009) and local organizations. In another study, Troy, Smith and Domino (2011) theorize that younger, less functionally experienced chief executive officers and CEOs without business degrees will be more likely to rationalize accounting fraud as an acceptable decision.
Another form of fraud is collusion between the organization and its auditing firm. The infamous scandal at a United States energy company, Enron Corp., which folded because of its connivance with its auditing firm, Arthur Andersen, is a classic case of collusion. When the US Securities and Exchange Commission (SEC) allowed Enron in 1992 to use mark-to-market accounting instead of the accrual accounting method, Enron lost its checks and balances, resulting in massive greed and collusion among key fraudsters, from Enron’s chairman of the board, CEO, chief operations officer and chief financial officer to Andersen’s lead partner, legal counsel and auditing staff. Andersen fraudulently hid Enron’s financial instability in public reports for many years and kept the stock overpriced, reaching a peak of $90 per share in August 2000. Unknown to the clueless investors, Enron was reporting fake profits. Months after, in December, Fortune magazine even hailed Enron as the most innovative large company in the US. But toward the end of 2001, the fraud scandal was escalating, with the stock down to as low as 0.61 cents, until Enron went bankrupt on December 2. Congressional committee hearings ensued immediately in 2002, and Andersen was convicted of obstruction of justice in June 2002 for shredding Enron documents. All the fraudsters were criminally convicted, leaving behind multiple failures of the board and management, auditor, bankers and regulators — a butterfly effect! To top it all, the Sarbanes-Oxley Act (SOX) was enacted in July 2002, mandating that publicly listed companies protect investors from fraudulent accounting activities by strengthening their internal control through risk mitigation and corporate governance — that means, the buck stops with the board!
In the local scene, Republic Act (RA) 11232, or the “Corporate Governance Code,” revised and amended the 38-year-old Corporation Code of the Philippines to improve the ease of doing business in the country, and mandates stringent requirements on publicly listed companies. It was signed into law in 2019 by President Rodrigo Duterte. On the other hand, the Institute of Corporate Directors (ICD), which was established in 1999, is “a non-stock, not-for-profit organization dedicated to the professionalization of Philippine corporate directorship by raising the level of corporate governance policy and practice to world-class standards” for companies which are organized via shares of stock that are intended to be easily traded on the Philippine Stock Exchange. SOX and RA 11232 jibe in their respective principles to manage risks of fraud in publicly listed corporations.
In government offices, collusion was also detected as the Office of the Ombudsman ordered the dismissal of six Commission on Audit (CoA) auditors, who unlawfully accepted millions of pesos in bonuses from the Local Water Utilities Administration (LWUA) from 2006 to 2010. Former LWUA officials were then charged under the antigraft law for granting excessive bonuses to themselves and to CoA auditors.
Likewise, if there’s RA 11232 for corporates, it has a counterpart in the government sector, RA 10149 of 2011, or “GOCC Governance Act of 2011,” which aims to “promote financial viability and fiscal discipline in government-owned or -controlled corporations (GOCCs) and to strengthen the role of the state in its governance and management to make them more responsive to the needs of public interest and for other purposes.” The Governance Commission for GOCCs (GCG) prescribes the Government Corporate Governance Standards based on law and best practices.
To instill transparency in the Philippine Health Insurance Corp. (PhilHealth), being a GOCC, it is recommended that RA 10149 be followed strictly through the oversight of the GCG, as clearly stated in Section 5: “Evaluate the performance and determine the relevance of the GOCC to ascertain whether such GOCC should be reorganized, merged, streamlined, abolished or privatized in consultation with the department or agency to which a GOCC is attached (i.e., Department of Health).” The GCG may also consider IT governance in its oversight function, as it is not stipulated in RA 10149. IT governance refers to the strategic alignment of IT with the business to achieve maximum business (or e-government) value through the development and maintenance of effective IT control and accountability, performance management and risk management (Peterson, 2004) — this can be coordinated with the Department of Information and Communications Technology (DICT).
It may also be prudent for the GCG to consider the National Privacy Commission (NPC)/DICT circular orders “to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected (Section 2).” To reinforce RA 10173, or the Data Privacy Act of 2012, and its Implementing Rules and Regulations, the best practices in IT governance are highlighted in NPC’s Circular Order 16-01, dated Oct. 10, 2016, regarding “security of personal data in government.” These are:
– Section 6. “The Commission (i.e., the NPC) recommends the use of the ISO/IEC 27002 control set as the minimum standard to assess any gaps in the agency’s control framework.”
– Section 1. “The Commission recommends ISO/IEC 27018 as the most appropriate certification for the service or function provided by a service provider under this rule.”
One of the critical concerns in both corporate and IT governance best practices is the segregation of duties of personnel to eliminate possible fraud in both manual and computerized systems; that is, the adoption of the maker-checker principle, which requires at least two individuals for the completion of a transaction, process or highly confidential report. Next, to avoid possible data changes or tampering, the data back-ups of PhilHealth may be stored in premises approved by the DICT. In like manner, the source codes of the automated election system (AES) are kept in escrow with the Bangko Sentral ng Pilipinas (BSP) (RA 9369, Section 11.3).
The last serious concern is the possibility of a single IT person performing any combination of job functions, such as administration of systems, databases, network and information security, together with development and maintenance. If that is being practiced at PhilHealth, there is a great danger in terms of data mismanagement. One strategy is to outsource the data processing activities of PhilHealth, just as the Bureau of Internal Revenue (BIR) did based on Malacañang’s Administrative Order 188, series of 2007, and as the Commission on Elections did when it outsourced AES implementation based on RA 9184, or the “Procurement Act,” among others.
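As an added illustration of the two preceding points (the maker-checker principle and the danger of one IT person holding several conflicting functions), the following Python code is not part of the column or of any PhilHealth system; it is a small, self-contained model. The role names, the table of incompatible role pairs and the sample users are constructed assumptions chosen to show the mechanism: a transaction can only be approved by a user who holds the checker role and who is not the same person that created it, and a separate check lists every user whose assigned roles violate segregation of duties.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Pairs of IT functions that one person should not hold at the same time.
# This table is a constructed assumption for the example, not a standard.
INCOMPATIBLE_ROLES = {
    frozenset({"developer", "sysadmin"}),
    frozenset({"developer", "dba"}),
    frozenset({"sysadmin", "infosec"}),
    frozenset({"dba", "infosec"}),
}


class SoDViolation(Exception):
    """Raised when an action would break segregation of duties."""


@dataclass
class Transaction:
    tx_id: str
    amount_centavos: int
    maker: str
    checker: Optional[str] = None
    status: str = "PENDING"


@dataclass
class MakerCheckerLedger:
    """Transactions need a maker to create them and a distinct checker to approve."""

    roles: dict[str, set[str]]          # user -> set of role names held
    pending: dict[str, Transaction] = field(default_factory=dict)
    audit_log: list[str] = field(default_factory=list)

    def _has_role(self, user: str, role: str) -> bool:
        return role in self.roles.get(user, set())

    def create(self, tx_id: str, amount_centavos: int, maker: str) -> Transaction:
        if not self._has_role(maker, "maker"):
            raise SoDViolation(f"{maker} does not hold the maker role")
        tx = Transaction(tx_id, amount_centavos, maker)
        self.pending[tx_id] = tx
        self.audit_log.append(f"CREATE {tx_id} amount={amount_centavos} by={maker}")
        return tx

    def approve(self, tx_id: str, checker: str) -> Transaction:
        tx = self.pending[tx_id]
        if not self._has_role(checker, "checker"):
            raise SoDViolation(f"{checker} does not hold the checker role")
        if checker == tx.maker:
            # The core of the maker-checker rule: no self-approval.
            raise SoDViolation(f"{checker} cannot approve a transaction they created")
        tx.checker = checker
        tx.status = "APPROVED"
        self.audit_log.append(f"APPROVE {tx_id} by={checker} maker={tx.maker}")
        return tx


def approval_blocked(ledger: MakerCheckerLedger, tx_id: str, checker: str) -> bool:
    """Return True if the ledger refuses this approval as an SoD violation."""
    try:
        ledger.approve(tx_id, checker)
    except SoDViolation:
        return True
    return False


def conflicting_roles(roles: dict[str, set[str]]) -> dict[str, list[tuple[str, str]]]:
    """List, per user, every incompatible role pair that user holds in full."""
    findings: dict[str, list[tuple[str, str]]] = {}
    for user, held in roles.items():
        conflicts = sorted(tuple(sorted(pair)) for pair in INCOMPATIBLE_ROLES if pair <= held)
        if conflicts:
            findings[user] = conflicts
    return findings


# Constructed sample staff: alice makes, bob checks, carol wears too many hats.
SAMPLE_ROLES: dict[str, set[str]] = {
    "alice": {"maker"},
    "bob": {"checker"},
    "carol": {"developer", "sysadmin", "dba"},
}

if __name__ == "__main__":
    ledger = MakerCheckerLedger(roles=SAMPLE_ROLES)
    ledger.create("T1", 250_000, "alice")
    print("self-approval blocked:", approval_blocked(ledger, "T1", "alice"))
    print("bob approves:", ledger.approve("T1", "bob").status)
    print("SoD findings:", conflicting_roles(SAMPLE_ROLES))
```

The `conflicting_roles` report is the kind of check an oversight body could run against an agency's access-control matrix before a system audit: it does not prove fraud, but it identifies exactly the "one person doing everything" condition that makes tampering hard to detect.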
And to augment financial audits by CoA and PhilHealth internal auditors, the GCG may require regular independent system audits of PhilHealth, say by DICT, to check whether risk mitigation measures are working in their information systems. The BSP practices may be adopted in this regard when handling examination and supervision of financial institutions.
IT governance in govt offices: Reality or not?