Brick by Brick – Building Construction Audit Skills in Internal Audit

On Dec. 14, 2021, in the Northern District of California, Michael Kail, the former vice president of IT operations at Netflix, was sentenced to 30 months in federal prison after his conviction for fraud and money laundering. Kail was indicted in 2018 and charged with 19 counts of wire fraud, three counts of mail fraud and seven counts of money laundering.

These corporate fraud stories are becoming more pervasive and are not isolated to a particular industry. In recent years, we have seen stories on the illegal conduct of executives from WorldCom, Tyco, Wells Fargo, Fannie Mae and others. One root cause amongst all of them: internal controls.

Like most companies, Netflix maintains a Code of Ethics; Code of Conduct; and a Gifts, Travel and Entertainment policy that addresses and prohibits employee conflicts of interest and requires the disclosure of actual or apparent conflicts of interest, and the reporting of gifts from entities seeking to sell products or services to the company. Although these policies are essential, it is equally important to build a culture that emphasizes ethical behavior, operationalizes procedures and monitors compliance with the program. Often, the failure to monitor provides employees with the opportunity to engage in misconduct and exposes the company to unnecessary risk and potential liability.

From 2011 until 2014, Kail was Netflix's VP in charge of IT operations. He approved contracts to purchase IT products and services from smaller outside vendors and authorized the corresponding payments as part of his role. However, he selected the IT contracts according to the kickbacks he would receive rather than on their merit. As the evidence at trial demonstrated, Netflix's internal control failures allowed Kail to employ a "pay-to-play" scheme. As part of his scheme, he approved millions of dollars in contracts for goods and services, and in exchange, he received over $500,000 and stock options from nine tech companies.

This case emphasizes the need for a robust compliance program. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission identifies internal controls’ five integral components: the control environment, risk assessment, control activity, information and communication, and monitoring activities. Performing periodic evaluations of the program, a subset of the monitoring component, is critical to ascertain if internal controls are present, designed appropriately and functioning properly and effectively. Similarly, periodic evaluations help identify the relative strengths and weaknesses of the company's risk and control environment. Failure to do so can create an environment that condones unethical behavior, or worse, fraudulent conduct, ultimately deteriorating organizational culture.

Kail's actions impacted Netflix's operations and compliance objectives, hurt the company's shareholders and tarnished Netflix's reputation.

It's no secret that regulators continue to scrutinize compliance. Many deferred prosecution, non-prosecution and enforcement releases hammer companies for poor internal controls. The regulators don't realize that companies need a methodology for designing internal controls properly, so that everyone follows them consistently and without exception. Many are treating the symptoms and not the root cause.

Many in the industry continue to be perplexed by the arrogance of some companies that think they can override or circumvent internal controls and believe they won't get caught.

For more information on internal control, or to learn how Baker Tilly’s Value Architects™ can help, contact our team.
