Articles on Internal Auditing
Soft Internal Controls:
Relying Upon the Organization's Ethical Environment
A quick review of management initiatives over the past few years.
Make it smaller
Downsizing was another clever word for layoffs. The term had no direction or goal other than to make it smaller. This concept seemed to be implemented by offering early retirement incentives and a redistribution of the work. There were fewer employees and they were not happy.
Process Type Changes
Total quality management (TQM) asks each and every one of us to raise the quality of our product. As some recognized, it raised the quality but did not substantially change the process. And the process, when viewed from a distance, addressed quality but might have lacked the efficiency and effectiveness component.
Reinvention focuses on continuous improvements in the established processes. More toward actually changing the process and raising quality. In some cases opportunities were recognized and a complete or partial change of direction was initiated
Reengineering is used for those cases where the only answer is to use a clean sheet of paper.
Recognizing the Human Side of the Equation
Eliminate the bureaucracy. I'm not sure whether this means a streamlining of the previous "authorization processes" or the reduction of the number and complexity of the laws, rules, regulations and policies which define how an organization does business. This may be a redistribution of authority as the result of fewer people in middle management.
Self-assessment recognizes that the increasingly complex management environment asks that everyone shares in the responsibility for recognizing and evaluating the risks of doing business. There is a danger that during the process the issues (risks) are not addressed in a straight forward manner due to internal politics. Some organizations would be better served to hire a facilitator to assist in the process.
Empowerment of individuals pushes the decision making authority downward and theoretically closer to the client/customer. It also resolves some of the problems of self-assessments. Responsibility without authority is another word for scapegoat when things don't go right. Measure results by establishing goals and objectives.
Team Leadership to Get Results
Management is moving toward a coaching position and away from the remote authoritarian style. Team leadership changes hands as the need arises. Individuals need to become both good leaders and good followers because their role in the organization will change as needs are identified. Currently a mantra of some importance and much discussion.
What Impact With all This Change Have on Internal Controls?
Many of the middle management positions have been eliminated and many more operations have been redesigned (reengineered?) to include less inspection controls. And while this change is occurring, will internal controls be inadvertently eliminated? Will internal controls be considered non-value adding activities?
The Ethical Environment
Management often designs internal controls that are procedural in nature. If the procedures are good then the organization must be in control. For high risk areas the usage of separation of duties and monitoring controls are a major component. This is based upon the premise that 1 out of every 2 people is honest. This can be contrasted with defining risk in terms of trust which is more of a feeling than a fact. This has proved to be a slippery slope when viewed in retrospect. Frauds have a high profile aspect. The heart of the matter for recognizing trust and integrity effect on internal control is about developing and maintaining an ethical organizational culture which is intolerant to fraud, waste and abuse. And the definition of intolerant implicitly means that every employee will report any and all suspected instances of fraud and misconduct. Management also needs to define a business ethics which supports good management practices, not just written documents distributed to employees when they first begin work for the organization, but repeated reinforcement of the commitment backed with action applied uniformly.
Soft Internal Controls - Trust and Integrity, Focus on Values and Belief
Soft internal controls (trust, integrity, values and beliefs) should be part of the organizational ethical environment. This helps define whether an organization consistently will do the right thing.
An organization might have written codes of conduct and other value defining type documents but that does not guarantee whether they are actually followed consistently. Most of the real understanding will not be expressly written in any document but better evidenced in the day-to-day discharge of everyday duties.
The ethical culture can only rise as high as the tone set by the top senior management. If management distributes the message poorly or worst yet, delegates the message, then the effectiveness of the ethical culture is greatly diminished.
Fraud and Soft Controls
To rely upon soft controls without first establishing an internal policy on fraud and dishonesty is a fools folly. Fraud policies are not written for the people who commit fraud and participate in dishonest acts. They are written for the honest employees who require a certain level of accepted and shared values and beliefs. As such, fraud policies that meet minimal legal requirements are inadequate because they lack sufficient value defining statements.
The first and foremost element of any fraud policy should be an assurance that anyone involved in a fraud or dishonest act will be referred to the criminal justice system. And although we recognize that the criminal justice system is overburdened and the likely punishment for white collar crime is often minimal (or no) time with some community service we also expect that the experience of the proceeding will at least teach the individual(s) the difference between right and wrong.
Next, policy must overcome the perception that reporting fraud and misconduct is not socially unacceptable. The people who commit fraud and dishonest acts have a real problem that does not deserve the loyalty and protection of honest people. Honest people have to pro-actively create a work culture that fits their shared values.
As with all documents a balance must also be presented. There needs to be a provision that accounts for innuendos and baseless allegations defined as follows:
Baseless Allegations are those made with reckless disregard for the truth or falsity. Baseless allegations are not situations where, for example, the allegation cannot be substantiated in the investigation. Rather, they are situations where it is apparent that the person making the allegation did so in a willful or deliberate act of being disruptive or causing harm to another individual or individuals
Conclusion
The current direction of management is toward the usage of self-assessments to recognize and document risks, empowerment to make the decision making process more in-line with delegated responsibilities and team work supported by team leadership to further recognize the contribution that all employees have to make to the organization.
The concept of accountability might be somewhat diluted from the manager of the past. The concept of accountability must be shifted to and shared by everyone. This gives rise to the need to recognize the importance of soft controls as a foundation of internal controls.
The ethical culture is to a small extent a preventative internal control, but more importantly it must be developed as a detective internal control. It is a monitoring control maintained by everyone taking responsibility for the values and beliefs of the organization.
About the Author, Ian Campbell, CIA, CISA
Member - IIA, Albany Chapter
Member - ISACA, Hudson Valley Chapter
Comments - contact the author at America On-Line (IanCampbel) or on the InternNet (icc95@poppa.fab.albany.edu)
Home | Bio | Internal Auditing | Fraud Investigation | Request to Reprint | Privacy | Site Map
© 1996-2013 Mark R Simmons, CIA, CFE. All rights reserved. Updated 25-Mar-2013