SEC Finally Catches Up With Former Deloitte Vice Chairman

Back in November 2008, Deloitte sued its former vice chairman for trading in securities of the firm’s audit clients. The SEC has filed its case against Thomas Flanagan and included his son, Patrick Flanagan.

The SEC alleged Flanagan traded in the securities of multiple Deloitte clients on the basis of inside information that he learned through his duties as a Deloitte partner, resulting in profits of more than $430,000. Flanagan also tipped his son Patrick, who earned profits of more than $57,000 based on the inside information.

“21. Between 2003 and 2008, Flanagan made 71 purchases of stock and options in the securities of Deloitte audit clients. Flanagan made 62 of these purchases in the securities of Deloitte audit clients while serving as the Advisory Partner on those audits.

22. On at least 9 occasions between 2005 and 2008, Flanagan traded on the basis of material nonpublic information. Flanagan traded on the basis of material nonpublic information about Best Buy, Motorola, Sears, and Walgreens. On at least 4 occasions, Flanagan tipped Patrick who also traded based on this material nonpublic information.”

What took the SEC so long?

The insider trading problem had already been uncovered at least eighteen months ago. Flanagan had violated the Deloitte policy on trading in audit clients’ securities. He failed to report his trading activity and failed to include some brokerage accounts in Deloitte’s trade tracking system.

Since he used Deloitte Tax for his personal returns, he falsified the names of the securities on his tax returns. (I wonder if Deloitte Tax would have run the tax return’s securities against the restricted list?)

The Flanagans agreed to pay more than $1.1 million to settle the SEC’s charges. Thomas Flanagan paid disgorgement with prejudgment interest of $557,158, a penalty of $493,884, and is banned from appearing or practicing before the SEC as an accountant. Patrick Flanagan paid disgorgement with prejudgment interest of $65,614, and a penalty of $57,656.

How could you catch them?

One question is how you could improve your insider trading policy and procedures to stop this.

If someone is going to conceal their trading activity in clear and knowing violation of the insider trading policy, it’s hard to catch them. You can’t find the account if the employee does not tell you about the account. You need to make them aware of the insider trading policy and that their job is on the line for violation of the policy.

The next step is to review tax returns and tie them back to trades. The employee is then at risk for failure to report income to the IRS. (That’s how they got Al Capone.) In Flanagan’s case he went so far as to fake his tax returns.

How Did Flanagan Get Caught?

According to the Deloitte complaint (.pdf) the SEC investigated trading activity for a particular client who had announced an acquisition of a public company in July 2007. I assume the SEC saw an uptick in trading and options activity. Looking back at the SEC complaint, it looks like that incident was when Walgreens purchased Option Care. It’s typical in a public M&A deal for the SEC to question the companies’ advisers when they see unusual trading activity around the time of the deal. That exposed Flanagan’s activity to Deloitte in August of 2008.

Did Flanagan not think that he would eventually get caught? Francine McKenna places the blame on a compliance failure at Deloitte.

Deloitte’s Year End Reporting Issues: An Update on Current Issues and Items on the Horizon

Deloitte, as part of their Financial Reporting Series, presented a webinar on year end reporting issues. The panel consisted of:

  • Bob Uhl
  • Beth Ann Reese
  • Glen Donovan
  • Stuart Moss

Valuations will be a hot topic for year end reporting. The problem is the current “market impairment” existing for many securities.

Auction Rate Securities settlements offer some particular accounting issues. Credit derivatives will require enhanced disclosures (both qualitative and quantitative) about why you are using derivatives under Statement 161.

The SEC staff is expecting an increase in the number of goodwill impairments compared to prior years. They are also expecting greater disclosure about the impairments.

The SEC’s Division of Corporation Finance has several initiatives to address the current market conditions. They are focusing on improvements in communications with issuers.

Liquidity and capital resource disclosure are likely to be a concern. Companies will need to disclose if there are uncertainties in their ability to access financing.

Data Privacy Roundtable

Deloitte hosted an executive roundtable on Massachusetts Data Protection. The room was packed full of us trying to figure out what to do with these regulations.

Mark Schreiber of Edwards Angell Palmer & Dodge kicked things off with a look at the history of the regulation and the regulators’ view of the regulations. The regulators acknowledge that the regulations are burdensome. Tough!! they say. “Look at all of the data breaches!”

The regulations started with MGL c. 93H addressing data breaches and Section 2(a) of MGL c. 93H providing for the promulgation of regulations. What came out were some of the toughest regulations in the country. There are no exemptions for industry, sector or size. If you have personal information on a Massachusetts resident you need to comply. That means every company with operations in Massachusetts and any company with information on a Massachusetts resident. These regulations go beyond the Red Flag Rules from the FTC.

Companies need to address whether they are going to implement full enterprise protection or merely selective protection. If you can isolate the data on Massachusetts people you can treat that differently than other data.

The panelists also brought up the concept of “data in motion” versus “data at rest.” You need to look at how you are transmitting data as well as how it is stored.

What happens if you do not comply? There is no private right of action under the statute or regulations. But there will be lawsuits under these statutes. The panel foresees two types of class action suits coming out of the law. One will be a negligence claim for allowing a data breach. The law creates the standard. Failure to comply with the law is negligence per se. They also see suits over the failure to properly notify the individuals affected by the data breach.

Audience poll: How many have a team assembled to implement the new regulations:

  • 72% Yes
  • 24% No
  • 4%  Not sure

Audience poll: How many have read the new regulations and guidance:

  • 45% Yes
  • 55% No

Audience poll: How many have addressed whether to do selective encryption or selective protection:

  • 29% Yes
  • 62% No
  • 9% Not sure

Everyone who said yes has decided to use encryption.

The panel moved on to stress the importance of ownership of the Written Information Security Policy required by the law. You need to address the physical requirements as well as the electronic requirements. This requires a team approach, including HR, compliance, IT and building security.

You also need to focus on how to handle data security breaches. The Massachusetts statute, like those of other states, has a very short time frame for notification. Less than half the audience had a well-defined plan or even a somewhat defined plan.

On the training front, you need to decide on a discipline for failure to comply. You also need to decide who to train and the level of training.

Audience poll: How many have training programs on information security:

  • 30% Training for all employees
  • 13% Training for selected employees
  • 52% None
  • 5%  Not sure

The paradigm of the Massachusetts law is that you should only collect the information you need, store it for only the time needed and make it available only to the people who need it.

In assessing the biggest challenges to complying with the law, the audience found identifying and assessing risks to be the biggest challenge. 53% of the audience has not done an audit of personal information sources. 49% of the audience does not monitor access to personal information.

Vendor management is another big issue under the law. If you share personal data with vendors, they need to be in compliance with the law. The law requires a certification of compliance, but there is no standard form of certificate. The first step is to identify vendors and then to assess the risk profile for that vendor. 59% of the audience had not identified vendors that handle personal data.

As part of vendor management, you will need to continually monitor vendors that share personal data. You need to negotiate compliance into the vendor agreements and include oversight provisions. You need to incorporate vendor risk management as part of the governance program.

IT for GRC: Improving Information Quality

Carole Switzer, President of OCEG, and Lee Dittmar, principal of Deloitte Consulting LLP, presented this webinar.

There is an imperative to improve governance, risk management and compliance processes to better manage risk, address increasing regulatory requirements, increased executive accountability and the fragmentation of information. It is about getting the right information, to the right person, at the right time. (Isn’t that knowledge management too?)

What is the information problem?

  • Managers need to know, anticipate and respond quickly and correctly
  • Stakeholders expect reliable and transparent reporting
  • Time and resources are spent searching for data
  • Data overload
  • DINK – Data Is Not Knowledge

It is not about “check the box” compliance; it is about improving your business.

Lee thinks governance, risk and compliance should be viewed comprehensively and leverage common systems. Integrated systems can help overcome silos. The key is a single source of the truth.

The goal is to get GRC embedded in the core processes. To be “in the flow” instead of “above the flow.”

Lee is seeing organizations adopting the business concepts of integrated GRC (even if they do not call it GRC).

Fraud Detected More Often At Bankrupt Companies

Bankrupt companies are three times more likely to have been cited for fraud by U.S. regulators, according to a study released on Monday from Deloitte Financial Advisory Services LLP. The study also showed that fraud incidents were much more likely to land a company in bankruptcy court.

Sheila Smith, head of reorganization services at Deloitte, said it was not clear whether employees at bankrupt companies are more likely to commit fraud or whether the microscope of bankruptcy makes it easier for regulators to detect it.

Deloitte sues vice chairman for client stock trades

Accounting firm Deloitte & Touche LLP has sued its former vice chairman for trading in securities of the firm’s audit clients. In a lawsuit filed Oct. 29 in Delaware Chancery Court, Deloitte said Thomas Flanagan “repeatedly lied to Deloitte about his clandestine trading activities in annual written certifications, going so far as to conceal the existence of a number of his brokerage accounts to avoid detection.” Complaint of Deloitte LLP v. Thomas P. Flanagan. (.pdf)

The complaint states:

  • In 2007 Flanagan purchased stock in a client’s acquisition target one week before the client publicly announced the acquisition.
  • Between January 2005 and June 2008, Flanagan engaged in put and call trades for at least 12 audit clients.

These actions were violations of Deloitte’s insider trading policies. See the story in Crain’s Chicago Business: Deloitte partner accused of improper trading in client stocks.