On the Frontlines: The Hard Lessons of FTX
The stunning collapse of cryptocurrency exchange FTX is shaping up to rival the most iconic corporate scandals in history. When news broke of its bankruptcy filing and the missing billions of dollars, it wasn’t hard to spot the troubling similarities with the WorldCom, Enron, and Madoff scandals. Those were seismic events with earth-shaking implications.
Why does this keep happening? It doesn’t take much digging to place the blame squarely on bad corporate culture, which can demolish a company and destroy its value. The scandal at FTX is a wake-up call, reminding us that governance and culture always matter. It also reminds us that company leaders must be open to hearing bad news alongside the good. The lesson learned from this debacle should be abundantly clear — unheard problems only get worse.
Billions of dollars in customer funds are missing for upwards of a million creditors. FTX estimates it owes its 50 biggest creditors more than $3 billion. We have once again witnessed wealth destruction on a massive scale because a company didn’t regard culture, governance, risk management, or internal controls as important. These attributes don’t necessarily create wealth, but without them, an organization can do significant harm.
FTX was regarded as one of the more stable, well-capitalized, and trustworthy crypto firms. Its 30-year-old former CEO, Sam Bankman-Fried, who ran operations out of the Bahamas, was seen as a visionary for the industry. He donated millions, championed effective altruism, and was purported to be pro-regulation for crypto. But within a year, the FTX’s feel-good story would unravel in stunning fashion.
FTX was valued at $32 billion in January 2022. By summer of that same year, FTX was offering to buy or bail out other failing crypto businesses and agreed to pay $135 million for the NBA’s Miami Heat home-court naming rights.
In November, CoinDesk, a news site that focuses on digital currencies, reported on a leaked FTX balance sheet that began to reveal a truer picture of the company’s standing: Alameda Research, FTX’s crypto trading arm, reported $14.6 billion in assets that relied heavily on FTX’s own tokens. Over a period of three days, China-based Binance, the world’s largest crypto exchange, announced and then pulled out of a deal to acquire FTX. On Nov. 11, FTX filed for Chapter 11 bankruptcy protection and announced Bankman-Fried had resigned. The next day, Reuters reported that Bankman-Fried had secretly transferred $10 billion in customer funds from FTX to Alameda and $1 billion to $2 billion in customer funds were unaccounted for.
John J. Ray III, the restructuring expert charged with managing Enron’s and several other high-profile liquidations, was appointed FTX’s CEO. Ray’s Nov. 17 bankruptcy filing provides a withering critique of the company: “Never in my career have I seen such a complete failure of corporate control and such a complete absence of trustworthy financial information.” A “substantial portion” of FTX’s assets were possibly missing or stolen, and the financial statements — prepared by Armanino LLP in the U.S. and Prager Metis for offshore operations — shouldn’t be trusted, according to Ray’s filing. He described “an absence of independent governance” between FTX and Alameda. “From compromised systems integrity and faulty regulatory oversight abroad, to the concentration of control in the hands of a very small group of inexperienced, unsophisticated, and potentially compromised individuals, this situation is unprecedented,” Ray continued.
Recall that Ray was a firsthand witness to some of the largest corporate failures in history. FTX, he wrote, was the worst he’d seen.
The filing and financials revealed a profound disregard for governance underpinned by a culture of smoke, mirrors, and carelessness. Neither FTX nor Alameda had an audit committee, board meetings, or an internal audit function. Employee ranks were rife with conflicts of interest. Alameda reportedly granted massive personal loans to Bankman-Fried and others. A custom-software “backdoor” was used to conceal the misuse of customer funds. Related-party transactions raised countless red flags. Expenses were approved via personalized emojis in online chats. Many communications were set to auto-delete.
Notably, neither of FTX’s external auditors provided an opinion in their audit reports on internal controls over accounting and financial reporting. It’s also been reported that Bankman-Fried clung to control to the very end, insisting he could save the company despite mounting evidence to the contrary provided by other FTX officials.
We can try to assess cause and effect. Did FTX’s lack of governance or oversight create its toxic company culture? Or was the reverse true? Frankly, in most cases, culture ends up being the determinant. The tail is not supposed to wag the dog, but it often does when it comes to culture. It’s the same lesson that Enron, WorldCom, and all those other earth-shaking scandals should’ve taught us: Good governance doesn’t happen if a culture doesn’t value it.
How can companies get the perspectives they need to build a culture that values governance? Effective internal audit is the answer. When internal audit is well-resourced and independent from the management team, it is well-positioned to keep its finger on the pulse of company culture and to report problems before they grow into scandals. But internal audit must first be empowered to share both good and bad news — and management, boards, and audit committees must be ready to listen, even when information is uncomfortable or damaging. The whistleblowing experience of Cynthia Cooper, former vice president of internal audit at WorldCom, is another iconic example proving that unheard problems only become worse.
Ultimately, the FTX meltdown was not a failure in corporate governance as much as it was a complete lack of it. Therefore, The IIA is calling for the U.S. Congress to establish new requirements to bolster corporate governance at cryptocurrency exchanges operating in the United States.
In a Dec. 5 letter to chairs and ranking members of various U.S. Senate and House committees, The IIA noted that as a privately held company, FTX was not required to comply with certain provisions of the Sarbanes-Oxley Act of 2002, which was established to promote sound internal controls over financial reporting and provide transparency to the investing public and accountability from corporate leaders.
Based on the painful lessons learned from the FTX collapse, The IIA called on Congress to enact two new mandates designed to promote transparency and prevent future cryptocurrency internal control failures:
- Require all cryptocurrency exchanges operating in the U.S., as well as affiliated partners, to possess a sufficiently resourced and highly qualified internal audit function.
- Require the senior management of cryptocurrency exchanges operating in the U.S. to certify, annually, that their exchanges’ internal controls are adequate and appropriate based upon an independent internal audit assessment.
The lack of sound internal controls made FTX’s failure a foregone conclusion. Even without those controls, many red flags were there. Management guru Peter Drucker’s admonition that “culture eats strategy for breakfast” is on point here. Even the greatest business strategies and smartest people will fail without a culture that values effective governance, risk management, and controls.
Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.
Anthony Pugliese, CIA, CPA, CGMA, CITP is president and CEO of The IIA in Lake Mary, Fla. Connect with Anthony on LinkedIn.