An alarming story that came over the transom is how CalPERS’ Office of Audit Services has been crippled by high levels of turnover and vacancies, poor morale, and most important, the loss of independence of the audit function.
I ran the key facts by law professor and white collar criminologist Bill Black. His reaction:
Yes, very bad. CalPERS’ top management is determined to do the wrong things – and wants to improve the odds they can get away with it. That is the only reason, given the nature of its business, that the leaders would gut internal audit. Internal audit, like underwriting at a bank, is a great test of managers. If they are incompetent or sleazy (or both) they see audit and underwriting as cost centers. It they are competent and people of integrity, they see that great controls and underwriting are the core of investor (and bank) profitability and survival.
CalPERS apparently cares more about image management than protecting the pension system. Due to vacancies, many of which are long standing, Audit Services has only 55 employees, according to a recent organization chart. By contrast, the so-called Communications & Stakeholder Relations department has over 70 employees.
Recall that CalPERS has implemented poor risk management practices elsewhere. We described in 2016 how the the investment risk management team, a compliance function, reports to the Chief Investment Officer.
Anyone with an operating brain cell knows a staffer cannot oversee his boss, at least if career longevity is important to him. Having a control function housed inside the unit it supposed oversees is precisely the arrangement that led to $6.2 billion of trading losses in the JP Morgan London Whale scandal and the fake accounts abuses at Wells Fargo. And that is why the rest of Wall Street was shocked to hear that JP Morgan had such an obviously defective arrangement.
We gave this overview of the sorry state of the CalPERS audit function in our companion post today, quoting an insider:
The atmosphere inside the PERS Office of Audit Services is absolutely horrendous with mismanagement. Many of us have gone to the union for help, and some are pushing for a group grievance on behalf of all of us against all managers. Besides having lost nearly a quarter of the staff on our public agency audit side, the nepotism and favoritism given to people who are not deserving or qualified makes it tough to deal with.
Our Clive underscored why this matters:
You definitely do need good polices and procedures drawn up and in place to manage and control your system(s). But these alone are not sufficient. And you cannot “tech” your way to preventing insider-orchestrated harm.
You need a robust and appropriately-resourced audit function to ensure it is adhered to. You also need a certain fear factor – people need to know they are being supervised and their work will be checked both routinely and at random, not just through their line management organisation structure but with a completely ring-fenced and segregated inspection regime which does not report to just the CEO or the executive function but also has a dotted reporting line directly into to board.
Anything less than this is all-too-amenable to suasion, internal (or external!) politics, favour-mongering and collusion.
A UK example: Lloyds Bank operated several control frauds. In a rare show of seriousness, former executives were jailed for 11-15 years for one of the more serious scams
Part of the go-go era prior to the global financial crisis was the systematic gutting of the audit function in that bank. And what little was left had to work within an organisational design which had the audit function report to the C-level directors of the profit centres. Little wonder, then, that the emaciated team of internal auditors heard no evil and saw no evil. Even if they had the time and wherewithal to follow up on suspicious activity, the top management would not let them speak any evil, either. It was textbook criminogenic.
And CalPERS is moving in this exact same direction.
The audit function is the last line of defence. If that’s disbanded or weakened, it’s game over for CalPERS.
Here are the warning signs:
Ending the independence of the internal audit function. Matt Jacobs is running Audit Services and editing their reports. In an organization with proper controls, the audit function should report to the CEO and/or the Board. The CEO and the Board need to receive audit information, particularly internal audits, directly, and this responsibility is even more important when the CEO and board members are fiduciaries.
Audit Services has reported formally to the CalPERS legal department since at least May 2012. However, the story is more complicated than it appears. In 2011, Audit Services was granted a charter which included a clear and strong commitment to its independence. Thus even though unit may have been formally housed within the legal department, the commitment to independence meant as a matter of practice that the General Counsel did not control the substance of its work.
In keeping, members of the Audit Services confirmed that it had provided information directly to the CEO and Board under the tenure of the previous head of Audit Services, Margaret Juncker, who retired in mid 2015.
Perhaps we have missed it, but we have not been able to find any evidence of an official change in the status of the Audit Services unit in 2015. Audit Services staffers say that they are not aware of any policy document of that sort being discussed and approved at a board meeting. It appears that the new head of the operation, Beliz Chappuie, acceded to the demands of General Counsel Matt Jacobs to influence audit operations.
This change is particularly alarming because the choking of the information flow to the Board was never formally approved, nor was the reason for this change communicated to staff.
Another bizarre and troubling moves that undermines the effectiveness of the audit team’s work is the blanket designation of work product as attorney-client privileged. This is perverse in the case of the public agency side, since audit findings are reviewed with employers like municipalities and school districts so they can comment on them and make corrections before the reports are made final. Any document shared with a third party cannot be attorney-client privileged. From one insider:
One thing that completely mystifies us is how all “internal” internal documents have been labeled as ACP (attorney-client privileged) whereas before it was common to share information with each other.
So, for example, internal auditors who work on real estate matters can’t view the workpapers of internal auditors who specialize in IT audits. I don’t see it from management’s perspective, but there have been internal audit reports with findings that, after the internal assistant division chief spoke with the program area chief – they were reduced to discussion items. I tried to get the draft that showed this and final which shows they were removed, but wasn’t able to for timing reasons.
Along the same lines of our suspicion on internal documents becoming ACP, nearly all reports are filtered through the legal office. A senior colleague said that completely ruins our independence and objectivity if they rewrite any reports.
Another thing that was changed to ACP is our “administrative” information — it’s top secret for some reason. Say you want to request (via FOIA) a list of all projects: project number, project name, budgeted hours, actual hours, to see if how frequently overbudget our projects are, I can pretty much guarantee you’d get just a grand total of the hours.
These changes have confused and demoralized staff. As one department member said:
All the audit reports go through the legal office and into attorney-client privilege before presentation to the Board’s Risk & Audit Committee. This was not the case prior to the new chief assuming the position.
In terms of internal transparency, we are concerned that board members either don’t see the complete picture or the message is being filtered by the legal department. The line of reporting is an important consideration according to the IPPF Red Book Standards. This reporting change, whether or not it was significant, should have been communicated to staff, as Openness is one of our Core Values.
High and rising levels of job vacancies. As you can see from the organization charts below, the Audit Services unit was to have 65 employees in 2017 and 2018.1 This already seems light given that CalPERS has over 2000 pension plans, all of which should be audited periodically to prevent fraud and correct errors. Six positions were vacant as of the date of the 2017 chart and that rose to a whopping ten in 2018.
Downgrading and elimination of important functions. We will again turn the microphone over to Clive:
Did you see how they’d culled the entire designated “Actuarial” function in the Audit division? It used to be encompassed in the “Real Assets & Actuarial Team” but now you just have “Real Estate” (presumably the realty asset base) – with “Actuarial” dying in a fire. It kind-a looks like that function moved into the so-called “Pension” team (some of the Program Auditor and Associates moved into that team) – but without a designated responsibility for auditing Actuarial work. A pension fund that doesn’t, specifically, by name, audit its Actuarial function? WTF?
They’ve also lost the Asst. Division Chief (Young Hamilton), who presumably had a lot of experience in IT and with the actuaries, and not replaced that role. So there’s less coverage in the senior management positions who are going to be more stretched as a result. Has the Audit function suddenly gained some big-yet-mysterious efficiency improvements which means there’s less work to go round? Impossible. There’s no such thing as an automated audit.
High turnover. As you can see if you work through the charts below, a full 25% of the positions in the 2018 org chart are either vacant or have new incumbents. It looks like a lot of turnover for an employer like CalPERS with a good pension, excellent health insurance, reasonable pay, and theoretically low stress. One would expect to see almost no turnover in a job like that.
In addition to the issues Clive flagged immediately above, the organization structure has morphed in other ways, with a new team created under the Public Agency Reviews and considerable reshuffling of the people from the old teams who stayed on in 2018. One of the top level units, Real Assets, Actuarial, and IT Audits, was dissolved and the teams under it moved over to the Internal Audits and Consulting manager, which strongly suggests she is overextended.
As a management academic put it:
You’d expect the CalPERS audit group to change at the speed of glacial shift; it’s a job for life in what should be a boring department of (also what should be) a boring organization. Instead the year-over-year change looks more like a struggling startup. CalPERS looks like they systematically gutted their audit group.
Widespread concerns among staff about questionable credentials and experience. There are doubts among staff about the qualifications of certain incumbents, to the degree that it has damaged morale and led to many consulting with the union.
As we mentioned in our companion post today, when CalPERS was trying to change the job description for Chief Actuary to allow for someone to assume the role who was less qualified than many senior in-house actuaries, the members of that group made enough of a stink so as to force CalPERS to delay and then scuttle this plan. A similar rebellion may be brewing over doubts about the experience and qualification of certain team members and managers.
On the one hand, this crippling of the Audit Services unit may be the result of neglect, misguided cost-cutting, and General Counsel Matt Jacobs, who has no prior experience in a general counsel’s office, mistakenly prioritizing shielding CalPERS from Public Records act requests and even discovery over having a functioning audit department. On the other hand, this view may be way too charitable. As Clive pointed out:
The important thing to note is that, for an individual employee, when you’re working within this shared culture and sense of ethics, it is very difficult – impossible almost, certainly I didn’t detect the erosion of morality in my bank until it was glaringly obvious – to accurately determine where you are on the scale of corruption. You’re inevitably in some degree of denial (assuming you have a sense of personal responsibility and you’re not an out-and-out sociopath) about what, exactly, you’re in the midst of. We don’t like wrongdoing, we don’t like people who set out to exploit others, we don’t like the image of an organisation which perpetrates those activities and we don’t want to apply that image to ourselves.
But by the time an organisation is in the terminal stages of this cycle, the dishonest element in the workforce are the ones who are coming out on top. They tend also to bring in more co-workers who are like them.
The fact that Marcie Frost is perfectly content to let Matt Jacobs disembowel a critical control function out of his warped sense of priorities is further evidence that she is out of her depth as the CEO of CalPERS. And in terms of integrity, Frost, with her resume misrepresentations confirmed by the Financial Times, shows that the CalPERS fish is rotting from the head.
1 The charts show (65) under the name of Beliz Chappuie-Chief in 2017 and (66) in 201, which presumably refers to total staffing. But a count of the number of positions in 2018 shows only 65.