Scandal in fantasy sports underscores the importance of internal process and controls

Details of the scandal engulfing the online fantasy sports company DraftKings should be common knowledge by now – A DraftKings employee admitted to the early release of data not generally available to the public and won US$350,000 on a rival site, FanDuel.

The comparisons to insider trading quickly – and logically – followed.

Questions abound that why a major player in the largely unregulated, multibillion-dollar (US$3.7B annually) fantasy sports industry didn’t have stronger controls in place to restrict access to protected information or ban its employees from participating in fantasy games elsewhere.

Without the structure and processes, the mess was totally predictable and only a matter of time. While DraftKings and FanDuel announced permanent bans on employees participating in fantasy leagues within days of the scandal breaking, the damage had already been done to their brands and reputations:

  • ESPN initially announced it would end DraftKings’ sponsorship and later said it would stop its ads.
  • The New York attorney general’s office announced an investigation
  • A Kentucky man is seeking class-action status that accuses DraftKings and FanDuel of negligence, fraud, and false advertising.

The lesson from this latest corporate blunder should be crystal clear: A well-designed system of internal controls is fundamental to reducing business risks.

Should DraftKings executives be accountable for not anticipating such problems? Considering the industry is largely unregulated, has seen remarkably rapid growth, and handles huge sums of capital on a weekly basis, the answer is an unequivocal “yes.”

While DraftKings is not currently publicly traded, it is a textbook example of how limited or poorly designed internal controls can quickly be overwhelmed by the pressures of rapid business success. One of the criticisms of mandatory internal process and controls regime is that start-ups lack the resources to support them. But without such an investment, organizations are at greater risk of making much costlier mistakes in the future.

It’s all about the old expression, “Pay me now, or pay me later.”

Advertisements

The People’s Audit – from https://chiefauditexecutive.wordpress.com/

I wrote some time ago – and it is my most popular blog post – about Why internal audit is important. In this post I stated that organisations are simply not able to control and govern themselves with what Erica Schoenberger calls ‘strong objectivity’. This is the ability to be ultimately independent of one’s self in the corporate interest. In it I said ‘the executive turkeys are not willing, ultimately, to vote for Christmas, no matter how objective, strong or compelling are the reasons to do so.’

This was prescient. As we hear today about two scandals, first the peoples’ car – Volkswagen, appears not to be so people-oriented after all. BBC News – Volkswagen Second we hear about BBC News – Charities Regulation where even nice ‘fluffy’ charities cannot be trusted to behave as corporate entities, responsibly.

Now I am going to ask the usual question we auditors do – where was internal audit in Volkswagen? I ask this not to say that such a small bit of coding, in a chip in one car engine, could not be missed by internal audit – of course it could. I ask this because did internal audit not pick up the cultural controls that allowed such actions to be deemed acceptable? For let’s be clear, such actions would not be the actions of one rogue individual, they would not be signed off by one local manager in one small business unit, they are intentional fraud. So how far up the organisation, or from the top of the organisation, was the approval to commit, knowingly, fraud, approved? This says something much more about organisational governance, culture and control. Surely internal audit would pick this up across the business?

For charities, for the ones that are implicated in the UK review published today, fundraising is not a minor, marginal, activity. It is a major, business related, activity. It is core. So should internal audit have some understanding of the right or wrong ways to do fundraising and should it have reviewed the ethics of doing so? In my view, yes.

What does this tell us about internal audit as a profession more widely? First I think it reaffirms the importance of internal audit. Organisations cannot self govern. They need strong independent governance, audit and regulatory structures to ensure that they do not act in their own personal or even organisational interest. Of course we do not know the details or extent of the Volkswagen’s wrong doing – simply that there was wrong doing and that it could be very, very big – £4.6bn big according to today’s news. This could, of course, not just be Volkswagen, it could be other car manufacturers as well.

Second I think it reconfirms my view that internal audit is not some small rarefied  bubble in the organisation, testing the controls theory of organisations. It is a needed and core part of most organisations. It needs to see more, do more, interfere and intervene more. I have been having a debate on this blog with James Paterson and others who think my view of internal audit risks taking internal audit beyond its third line of defence position and, being more expansive and pervasive in an organisation, inherently weaken the second line of management control. I disagree and consider internal audit’s third line position does not mean it has to be small, weak, and review the theory of organisations. I see the third line position as one of objectivity and independence, not a prescription of reviewing just systems in theory or necessarily being small, marginalised and organisationally weak.

If Volkswagen had a well resourced internal audit, and had a stronger third line, with an interventionist position, then I think it could have spotted the £4.7bn disaster. That would pay for many years of very good internal audit even in an expanded third line form in my view.

I know those who hold to the established internal audit wisdom that organisations are run by first and second line management controls, by rational and organised organisational machines, and that internal audit’s role is to validate the correct and appropriate working of that machine, from a organisationally moral Mount Olympus will disagree with me. For me, however, organisations are not run like machines. People are not all rational. They are selfish, complex, self oriented and prone to moral relativism (I should say they can be amazing, honourable, giving and special too).

I believe internal audit’s unique proposition is objectivity, independence and its organisational position (between management and governance elements of the organisation). These can, and should, be applied at greater scale in most organisations. Why? because organisations cannot self govern. Layers of management are not independent of each other, they are one command chain. We learn time and time again that the lines of defence model, whilst a helpful typology, is not real – management cannot control or help themselves, even where it is organisationally rationale to do so – otherwise someone would have calculated the fines per vehicle and decided whether to risk it in Volkswagen and decided no.

So I come back to my core point. Internal audit matters. Internal audit must be bigger, better, braver, and be seen as a normal functioning part of any organisation that is serious about wanting to be run properly. It must look deeper and more into its clients, this takes money and resource, but the payback (if only in fines avoided) must surely justify this leap of faith?  Are you ready to leap?