Reporting directly to the audit committee chair of Allstate Insurance Company’s board has its pros and cons, says Kathy Swain, head of the insurance giant’s 52-person internal-audit team. “The pro is that I can maintain this distance from the company,” she says. “It’s absolutely critical to the success of analyzing what’s going on in the business. The con is that, from a career standpoint, I’m a part of the company but I’m not a part of the company. I spend my time criticizing everything.”
As senior vice president of internal audit, however, Swain reports in dotted-line fashion to the company’s CFO, Steven Shebik. As part of the finance chief’s staff, she gets an inside view of the C-suite’s appetite for risk and the ethical tone it wants to set. In turn, that helps her determine if someone may be stepping out of line in the reporting of the company financials.
An 11-year veteran of the company, Swain has taken a winding path to her current post. First, as an Allstate assistant vice president in finance, she was responsible for financial and business-process solutions supported by SAP applications. In 2003, she moved into information technology and led an enterprise applications group, and in 2007 became head of internal audit. Before Allstate, Swain, a certified public accountant, was downstream deputy director of assurance and head of internal audit for BP Amoco in London.
In a recent interview with CFO, Swain spelled out what she thinks are the specific roles of the CFO and the internal-audit chief in detecting and preventing financial fraud. An edited version of that discussion follows.
What are the elements of an effective CFO approach to detecting fraud?
The first is an understanding of the business. The second is that the CFO ought to have identified those elements of their companies’ financials that use judgment. That will differ based on what business you’re in. But almost every business has some level of accounting that’s judgment-based, management-discretion based. Those are the areas that you can make changes in, and sometimes they slip through and you’re not aware of it. CFOs should review a couple of reports on a periodic basis that can point to things that were unusual, out-of-pattern or sharply different than in previous months.
What kinds of reports CFOs should be looking at regularly?
The example in the insurance industry would be deferred acquisition costs. You don’t have to write those off right away. There’s a lot of estimation that goes into the calculation of the number that sits in the financial system. And if you’re a good-size insurance company that could be a good-size number. So that’s one mechanism by which people can adjust the financials to sway the results during a period.
When I was in oil and gas, I learned that there’s a reserving calculation that’s done. You estimate the amount of reserves that you have that haven’t been produced yet. And that involves a fairly sophisticated engineering algorithm. Those are big numbers, and they can sway your external financial reporting. That’s because the company could take the costs of drilling the well and charge them out based on the life of the reserves. Someone can control earnings that way if you’re not watching carefully.
Compare your relationships with the audit committee and the CFO.
Having a solid line to the chair of the audit committee gives me a sufficient amount of independence and authority. That really allows and encourages me to critically assess what’s going on in the organization. And the reports that I do in the executive sessions of the audit committee provide me with enough of a communication mechanism to feel that I have a voice. I’m invited to just talk to the audit committee and report to them if I see something that makes me feel uncomfortable.
On the other hand, I absolutely need and work on my relationship with the CFO, as well as all the leadership. Administratively, [the CFO] oversees my staff and my resources. My information gets fed to me through the CFO. If I didn’t understand [the company’s] risk appetite and don’t understand the strategic direction and the choices that [leadership is] making, it would be hard to take a look at what the appropriate controls are.
Why is it so important for you to understand your company’s risk appetite?
I’ll give you an example. We have a $90 billion dollar investment portfolio here at Allstate, and we have traders who trade in different financial products. They trade bonds, they trade equities. They’re given boundaries within which they can trade. But they have discretion and the freedom to move as long as they stay within the boundaries. Management sets those boundaries, and they’re very clear in what those boundaries are. And that is the risk appetite.
Let’s take another example, from our claims process. Let’s say you have a $100,000 claim with the company and your policy is written to $90,000. The claims adjusters have some level of discretion as to whether or not they can settle that claim a little bit above or a little bit below that policy limit. There’s a risk appetite there. There’s cost. If you have every claims adjuster adding another $10,000 to every claim, you’re going to go out of business quickly.
How can CFOs determine and communicate how much discretion to allow?
You’ve got to be clear about where you’re OK with applying discretion and where you’re not. In our space, for example, we don’t have a lot of fixed assets, so there’s a little less prescription in how we account for some of the assets of the organization — like our computer software, for example. You can charge that to your credit card or you can book it a different way. Back in my BP Amoco days we didn’t have that. It was such a fixed-asset business, and there was a different risk appetite. Risk appetite translates into how you’re going to calibrate your policies and procedures. Are you going to give some space or are you going to make it very clear and precise exactly what’s expected? For most companies, particularly big companies, they have to leave it less precise but be clear on what their appetite for risk is.