Risk Assessment: The Total Quality Auditing Way
Amanda "Jo" Erven, CPA, CIA, CFE, CTQA
Educator | Speaker | Author | Internal Audit & Ethics
Ever wonder why fraud and malfeasance in various forms continue in organizations year after year, decade after decade, and seem to be getting worse? And ever wonder why, after the crisis, someone (sometimes many) inevitably asks, “where were the auditors?” As much as I hate to admit it, the answer may be that they were walking past the major, high-risk areas on their way to perform their routine, annual audit plan, which is invariably full of low- to moderate-risk, easy, superfluous audits.
Earlier this year, I published my book, Total Quality Auditing (TQA), describing a six-step process for auditors to identify and reduce key risks and add real value to the organizations (customers) they serve. TQA is derived from many of the decades-old Total Quality Management (TQM) lessons developed by W. Edwards Deming that have been widely implemented by companies around the world, in one form or another, over the last half century. The basic principle of TQM is to focus on fulfilling customer needs and developing the right culture and the controlled processes to do so. It follows that TQA focuses internal auditors on fulfilling their customer needs (yes, internal audit has customers) and emphasizing an ethical culture... and provides a controlled, lean, and balanced process for doing so. A more perceptive, thoughtful risk assessment is a good start in accomplishing that goal.
In my live TQA training seminars, I ask participants to answer 15 “workplace ethics” questions to rate their organization’s overall ethics and to pinpoint the specific areas of greatest ethical concern. The questions cover topics ranging from financial statements and financial controls, operational controls, safety, product integrity, regulatory compliance, values and conduct, and leadership ethics/integrity to conflicts of interest. Across groups of auditors and accounting and finance professionals in all industries and geographic locations, there is a consistent consensus that “conflicts of interest,” as a general category, drive more unethical conduct than any other category.
Considering there are always limited audit resources, step one of the TQA risk assessment process is to identify the true high-risk areas on which to focus attention. Note I said, “true high-risk.” This means TQA also challenges what you might currently be identifying as high-risk. Adding real value through high-risk auditing means focusing on individuals, functions, and processes that inherently create conflict of interest situations. Let’s look at some examples to help explain what I mean.
Conflicts of Interest with a TQA Mindset
Emphasizing revenue and profits over safety and environmental concerns… Requiring that products ship quickly, cutting corners and compromising product design/integrity in the process… Fudging the quarterly financial statements to “achieve” short-term goals… Opening fraudulent accounts (or whatever the goal) in order to increase incentive payments… All conflict situations. I expect BP figured this out after the environmental disaster. And Wells Fargo certainly figured this out after the retail banking debacle.
But here’s the deal. Smart companies and total quality auditors focus on inherent conflicts of interest before a crisis occurs. They are not the auditor that walks right by a high-risk environment (e.g. safety disaster, product integrity vulnerability, financial reporting deception, incentive compensation nightmare, just to reiterate a few) on the way to audit a low-risk situation (e.g., accounts payable, which has been viewed by my survey participants as extremely low-risk, regardless of what we have been continually taught).
When Incentives Trump Integrity
Individual (and small group) incentive plans with self-serving goals (e.g., more money in employee pockets) will often trump everyone else’s interests, including customers (and other stakeholders, like shareholders). If your organization still has incentive plans, immediately place this in the conflict of interest, high-risk bucket.
Then, the very first internal audit action should be to advocate for eliminating the plans altogether. If that fails, ensure that plan goals are focused on satisfying customer (stakeholder) interests and that the target-setting processes have integrity. And be fully prepared to allocate resources to audit the plans continuously and often. Start now.
And when I say, “audit the incentive plan,” I don’t mean just adding up the numbers… you know… making sure the calculations are “accurate.” It’s time to look beyond the numbers and start analyzing what behavior they are truly incentivizing in the first place. What are the processes to establish incentive targets/goals? Are the targets promoting the employees to act ethically or tempting them to cheat? What are the processes to track, measure, and report performance? And lastly, what are the processes to pay incentives?
Most companies have figured out that financial incentives can lead to poor decisions, ethical breaches, and fraud. Deming did a long time ago when he identified incentive plans as counterproductive. Wells Fargo just figured it out, after the retail banking crisis fueled by poorly designed and administered incentive plans (and after $185M in fines were paid and 5300 “unethical” employees were fired). They have since redesigned their plans (should have eliminated, in my opinion, but they are in one of “those” industries… a subject for a later article) to focus on customer interests with beefed up plan controls.
The bottom line: The theory of setting stretch goals (sometimes unrealistic ones), providing incentives to reach them, and then achieving great results is a myth. It is just as likely to lead to fraud and cheating (e.g., Enron, Wells Fargo, Lehman, and on and on) as to anything else.
When Profits Trump Ethics
Revenue growth goals for companies that deal with personal information (social media, financial, retail, etc.) far too often trump security and privacy of the customers. The desire to grow (and control costs) has consistently resulted in the underfunding of IT functions, functions that ensure appropriate cybersecurity and customer data privacy policies and procedures are in place. In some cases, to achieve business objectives, governmental regulations have even been ignored.
In this day and age, auditors should always place IT security and privacy in the conflict of interest, high-risk bucket. Facebook seems to have figured this out after they were fined $5 billion. But obviously auditors have not been focused on this high-risk area of a social media company (or any other business that deals with data privacy… which is almost everyone, really). And if they were and they were ignored, they need to take my leadership and ethics training. Speaking up (loudly, if necessary) is part of an auditor’s job.
In the case of Volkswagen (VW), unrealistic market share goals trumped engineering integrity. Under-resourced (or technically impossible, think Theranos) objectives should also be placed in the conflict of interest, high-risk bucket. VW’s actions prove it. Some VW managers and engineers were committing fraud on a global scale for years to “achieve” market share goals. After terminations, fines, and some prison time, you can bet that technical integrity is considered a high-risk area at VW now. And by the way, there was no mention of auditors until after the crisis.
High technology (artificial intelligence, autonomous things, virtual reality, connected devices, big data, etc.) should by definition be considered vulnerable to conflicts of interest and placed in the high-risk bucket as well. The goal of “being the first” or “beating the competitors” in these new technologies seems to be outpacing the examination of the ethical dilemmas they create, meaning there could be collateral damage and little ability to control it. This is why “ethics in technology” is the number one technology issue in 2019. High-tech = high-risk, and one way or another, auditors need to acquire the knowledge to audit these high-tech products and point out the collateral damage first, or they will continue to be thought of as “irrelevant” and organizations will suffer the consequences.
When External Influences Trump Internal Values
Put organization units in remote locations and individuals that spend more time with people external to the organization (customers, vendors, contractors, etc.) in the conflict of interest, high-risk bucket. “Out of sight” can mean “out of control” when it comes to employee behavior. Those who spend most of their time with others (external to the organization) may align loyalty and values elsewhere (external to the organization). They are inherently at risk for violation of the organization’s mission, values, policies, and processes. Think sales personnel, client relationship managers, traders, brokers, purchasing managers, contract administrators.
And pay close attention to those who are geographically distant from a “home” office or corporate headquarters. Decentralization may be popular in business today, but it can have extreme consequences if these units fall off the radar completely (or even a little). And ironically, those in remote locations are sometimes “incentivized” precisely because they have less supervision! This is not only a big mistake; it is a target for unethical behavior. But it is also a target for auditors… so get to auditing.
When Leaders’ Desires Trump Everything Else
Disingenuous leaders (the jerks at your organization whom everyone knows) set unrealistic, arbitrary goals. They don’t provide sufficient resources and the necessary training to get the job done. They manage by fear. Disingenuous leaders play “gotcha”: they do not clearly communicate objectives and expectations, and then they criticize employees when expectations are not met. They are narcissistic and all about self-interest. They think that they can outsmart (remember “the smartest guys in the room”) the system. They are “smart, charming bullies” (credit the Theranos HBO documentary: The Inventor: Out for Blood in Silicon Valley). They are ethical rationalizers, thinking of all kinds of business reasons to dishonor organization values, violate codes of conduct, and sometimes break the law. And they create a culture of shortcuts, mistakes, falsification, and a general lack of integrity.
Every major crisis had leaders that met the criteria for disingenuous leadership. Put disingenuous leaders in your conflict of interest, high-risk bucket. And make a case to get rid of the disingenuous leaders at your organization. Remember, speaking up (loudly, if necessary) is part of an auditor’s job. Everyone will thank you, and then you will thank me, later.
When Auditors Trump Scandals
Next time you start your risk assessment, take out a blank sheet of paper. Don’t open last year’s. Open your mind and start looking for “conflicts of interest” of all types, throughout your organization. Find the real conflicts and identify potential conflicts. Here is my initial TQA risk “bucket” for your continued reference, but I just know your bucket may overflow compared to mine:
· Focus on how employees are being incentivized (or what they are being measured on).
· Focus on data privacy, security, and high-tech products, and everything about them.
· Focus on areas that have no defined, meaningful standards of conduct and/or do not enforce what they have.
· Focus on areas that invest little in training and education and lack resources to do their job.
· Focus on field offices, remote or overseas locations, etc.
· Focus on individuals or units that have high interaction with external organizations/customers.
· Focus on areas that are engaged in aggressive cost cutting.
· Focus audits on managers who set arbitrary or lofty goals.
· Focus on those who are “the smartest guys in the room,” the arrogant ones (i.e., the jerks).
· Focus on managers who manage by fear.
This is the Total Quality Auditing way to conduct a risk assessment.
I will be so proud when auditors stop walking past these high-risk scenarios and, instead, stop the frauds, the scandals, and the unethical behavior from happening in the first place.
This article was written by Amanda “Jo” Erven, President and Founder of Audit. Consulting. Education. LLC, a firm specializing in providing progressive internal auditing and leadership Continuing Professional Education (CPE) seminars. In 2019, Jo published a book/workbook on Total Quality Auditing: How a Total Quality Mindset can help Internal Audit Add Real Value. She offers TQA webinars and live training to internal auditors worldwide.