Are there lessons to be learned from the IT Factory fraud case in Denmark?

by Jesper Jarlbæk¹

The month of December witnessed the unraveling of the largest fraud case in Denmark for several years, namely the IT Factory scandal. Very appropriately the case surfaced in the media on December 1^st, at a press conference held by the Chairman of the Board, Mr. Asger Jensby. He reported that Mr. Stein Bagger, the CEO of IT Factory, a company that only days before had been proclaimed winner of a prestigious growth company award, had disappeared during a holiday trip to Dubai and that apparently the company had been the victim of a massive fraud at the hands of the CEO. Each following day brought new revelations. It was a “Christmas calendar” for adults with every Hollywood ingredient imaginable – fraud, violence, drugs, a mistress, secret homes, fast cars, luxury yachts, missing files, shady business associates and so on. The entire Danish press had a field day. The rich mix of ingredients provided for great entertainment value, especially for the tabloids. No dinner conversation (and there are many, many dinners in Denmark in December) was missing a chat about the IT Factory (ITF) scandal. But apart from the entertainment value, was there really that much to be learned from this debacle?

To begin with the conclusion, in my opinion there was very little to be learned. I base that statement on some key facts from the case.

Corporate governance for limited companies in Denmark rests upon a two-tier management system; a non-executive Board of Directors and an executive management. ITF had only the minimum structure required, namely a 3 person Board and a CEO. But since the CEO also sat on the Board there were actually only two independent directors. Furthermore, it was revealed that in contrast to normal practice, the ITF Board met very infrequently indeed. In effect, the company was run as a partnership between the CEO and the Chairman only. By his own admission the Chairman of the Board had borrowed more than 3 million USD to finance his private home, from the CEO! In summary, the two-tier management corporate governance model at ITF was completely broken. Rules and regulations can be ever so fine, but if they are blatantly disregarded, they are of little value. The remedy is to punish those that break or disregard the law; not more legislation. In my blog () I have described three suggested new legislative remedies vaunted in the media and why they will not work.

The second part of the recipe for the ITF scandal was an almost complete lack of supervisory oversight from the Board, notably the Chairman. Despite strong documented warning signals received by the Chairman, including knowledge of previous charges of criminal fraud against the CEO and warnings from whistleblowers, the Chairman failed to act. An effective two-tier structure is no match for an incompetent or blinkered Chairman. In the temporary absence of the culprit, Stein Bagger, the inquisitive press turned their attentions to the Chairman. They uncovered several skeletons in his closet, stretching back over a 20 year period. The total picture painted by the media was not so much that of a criminal, but certainly of a person of dubious personal integrity. So whilst the Chairman may have been deceived by Stein Bagger, it is perhaps not surprising that he chose to overlook the warning signals. Once more this is a personality flaw, not a systemic fault.

Finally, there is the question of culpability of the auditors. Of course, the press was quick to point the finger of blame, aided and abetted by “experts” from academia. In fact, it is far too early to be able to make any assessment of the professional conduct of the auditors. Fraud committed by a CEO, possibly in collusion with foreign outside parties, executed by counterfeiting the Chairman’s signature and based upon a secret loop of leasing transactions involving intangible assets is well beyond what any normal audit is designed to uncover. Thus from the superficial facts, it is impossible to assess whether the auditors failed in their duties. Naturally, their work will be closely scrutinized by their peers and by the authorities, and in due course, probably two or more years from now, we shall find out whether the auditors, like the Chairman, were guilty of inexcusable omissions of duties.

Denmark is time and again ranked as being amongst the most corruption free societies in the world. Furthermore it is also characterized as a place where the population has the highest levels of trust in the business community of any country. It is no co-incidence that these two traits co-exist. Scandals like ITF only occur once or twice a decade, and since none of them in past 20 years have involved the general public (consumers) or politicians, I think it highly unlikely that ITF will have any lasting impact on the general standing of the business community. Thus, I think we will avoid any panic-like Sarbanes-Oxley legislation stemming from this scandal.

In the absence of lessons learned are there nevertheless recommendations to be made in the light of the ITF scandal? Well, yes. At least one. It might not have helped the blinkered ITF chairman, but it may prove very valuable to his more competent peers. The recommendation has to do with the communication between the Board and the external auditors.

In Denmark, there is a unique communication vehicle between the Board and the Auditors. It is known as the Audit Book Comments. It is a non-public document, where the auditors can convey how they performed their audit and the observations resulting from their work to the Board. Also, there is a tradition that in all major companies, as well as in a large number of medium sized companies, the auditor attends the Board meeting at which the annual financial statements are approved. Both of these practices represent strong corporate governance elements.

However, the full potential of effective communication between the Board and the auditors is rarely achieved. Why? Because, if the auditor only communicates with the Board after performing the audit there is no assurance that the audit strategy is aligned with the Board’s perception of risks. Why is such an alignment important? As the ITF scandal shows, simply looking at the transactions recorded does not give the complete picture. Also, the resources of the auditors are very scant, and it is simply impossible in any large company for the auditor to review more than a fraction of the transactions executed by the company. The auditor must base his work on an assessment of the internal controls. Which internal controls the auditor focuses on is guided by an assessment of risk. That assessment results in the audit strategy. The audit strategy should be discussed and agreed ex-ante between the Board and the auditors. That discussion takes place all too rarely these days. So we need to break the mould on how Boards and auditors communicate.

So why don’t Boards and auditors just do the right thing already? Well, it takes two to communicate.

The auditors; In Denmark, the young accountants have been taught that the engagement of auditors is a “one-sided contract” where the auditor independently decides the scope and methods by which the audit will be performed.  Nothing could be more wrong or more dangerous. We need to change that mentality amongst the auditors. Dialogue with the Board is not an infringement of their independence. Rather, it is a method to ensure that the knowledge of the Board is embedded in the audit strategy and that the audit resources are directed where they will be most effective.

The Boards; I am sure it will seem provocative to many, but my perception from attending board meetings during the past 25 years in companies of all shapes and sizes, is that in many Boards, the attitude is that the Board really just wants to get an annual message from the auditor saying that the everything is well and that they can carry on with the serious business of conducting business. ”Don’t bore us with facts; just tell us we have no issues. If it is broken, fix it”. The Board does not care much about how the auditor gets to the desired answer. Since the Board only meets with the auditor once annually, and since that meeting is perceived to have the approval of the annual accounts as its main purpose, there is a natural tendency to focus on accounting principles, disclosures and taxation matters. And anyway, the wording of the Directors report is a much more stimulating topic than internal controls; everyone has an opinion on the wording of the report, few have an interest or competence in assessments of internal controls.

The external auditors could provide the Board with a unique opportunity to assess just how effectively Management manages and controls the company. But as described above, for various reasons neither of the two parties has traditionally really been incentivized to do so. We need to change the current practices.

A final observation applicable to the large, listed companies: because of EU legislation they will now be forced to appoint an audit committee (many already have one). This is a vehicle that offers a highly appropriate solution to the challenge described above. Unfortunately, the new legislation will probably not meet the expectations of the public for two reasons. Firstly, an exemption has been created whereby the entire Board can act as audit committee. Given the current less than satisfactory practices, this exemption risks seriously diluting the whole intent of the law, since it is very unlikely that the entire board will increase its workload by 75% from one day to the next; and a 75% increase is what is actually required to ensure the committee’s effectiveness according to international experiences from countries that have long since required audit committees. Secondly, the audit committees currently in operation are conspicuous by their complete lack of any auditor trained members. Three out of the four main areas of the audit committee charter relate to the audit (only the last relates to accounting). Being a CFO is not a sufficient qualification to enable one to engage in an in-depth evaluation of a proposed audit strategy; auditing is not accounting. Not to mention all the Board members who do not even have a formal education in accounting, let alone auditing. Thus, here too, practices must change. In addition to a far greater adoption of the use separate audit committees, we need to radically revisit the guidelines and practices by which the Board and the audit committee are composed.

In closing, let me state that the vast majority of Danish companies conduct their business in an ethical and professional manner, and that they have both the intent and the ability to comply with corporate governance standards. Rare occurrences such as the ITF scandal must not be allowed to distort the picture and nothing in this article is intended to do so. However society’s demands of good corporate governance are continually evolving and this article has sought to identify areas where current practices could be usefully improved.

¹Jesper Jarlbæk was trained as a State Authorized Public Accountant and worked with major audit firms for more than 30 years , becoming Country Managing Partner-Denmark in Arthur Andersen & Co and subsequently Managing Partner-Advisory Services, Deloitte Denmark. Since 2005, he has worked as a professional Board member in listed companies in Denmark and the US, as well as private companies in the UK and Denmark. Furthermore, he is an advisor to a major Nordic private equity fund and also a Business Angel investor in a portfolio of growth stage companies.