The story of internal controls and Netflix

On Dec. 14, 2021, in the Northern District of California, Michael Kail, the former vice president of IT operations at Netflix, was sentenced to 30 months in federal prison after his conviction for fraud and money laundering. Kail was indicted in 2018 and charged with 19 counts of wire fraud, three counts of mail fraud and seven counts of money laundering.

These corporate fraud stories are becoming more pervasive and are not isolated to a particular industry. In recent years, we have seen stories on the illegal conduct of executives from WorldCom, Tyco, Wells Fargo, Fannie Mae and others. One root cause amongst all of them: internal controls.

Like most companies, Netflix maintains a Code of Ethics; Code of Conduct; and a Gifts, Travel and Entertainment policy that addresses and prohibits employee conflicts of interest and requires the disclosure of actual or apparent conflicts of interest, and the reporting of gifts from entities seeking to sell products or services to the company. Although these policies are essential, it is equally important to build a culture that emphasizes ethical behavior, operationalizes procedures and monitors compliance with the program. Often, the failure to monitor provides employees with the opportunity to engage in misconduct and exposes the company to unnecessary risk and potential liability.

From 2011 until 2014, Kail was Netflix's VP in charge of IT operations. He approved contracts to purchase IT products and services from smaller outside vendors and authorized the corresponding payments as part of his role. However, he selected the IT contracts according to the kickbacks he would receive rather than on their merit. As the evidence at trial demonstrated, Netflix's internal control failures allowed Kail to employ a "pay-to-play” scheme. As part of his scheme, he approved millions of dollars in contracts for goods and services, and in exchange, he received over $500,000 and stock options from nine tech companies.

This case emphasizes the need for a robust compliance program. The Committee of Sponsoring Organizations (COSO) of the Treadway Commission identifies internal controls’ five integral components: the control environment, risk assessment, control activity, information and communication, and monitoring activities. Performing periodic evaluations of the program, a subset of the monitoring component, is critical to ascertain if internal controls are present, designed appropriately and functioning properly and effectively. Similarly, periodic evaluations help identify the relative strengths and weaknesses of the company's risk and control environment. Failure to do so can create an environment that condones unethical behavior, or worse, fraudulent conduct, ultimately deteriorating organizational culture.