People are the root cause of most risk and control issues
I just posted a new IIA blog on problems at Washington Mutual that contributed to its collapse. It occurred to me that, yet again, the problems came down to people.
In October 2008, I wrote a piece for the Internal Auditor that merits repetition.
At the root of risk: an effective risk-based audit must consider the most critical source of problems: people
One of the hardest tasks for even the most experienced internal auditor is defining the most effective and efficient scope of work for a risk-based assurance project. Because resources are always scarce, auditors need to make sure they can meet both quality and scheduling requirements and stay within their resource and cost constraints.
An essential step in defining the scope of a project is identifying the critical risks to audit and the controls required to manage those risks. An efficient scope focuses on the subset of controls (i.e., the key controls) necessary to provide assurance. Performing tests of controls that are not critical is not efficient. Similarly, failing to test controls that could be the source of major deficiencies leads to an ineffective audit.
Too often overlooked, the root cause of most risk and control failures is people. After all, outstanding people are required to make an organization successful, and failing to hire, retain, and nurture a strong team of employees inevitably leads to business failure.
Many consider Jack Welch, former chief executive officer of GE, one of the most successful and influential business leaders of our times. In an interview, he was asked what his greatest challenges were in turning the company around. He is said to have responded that his three greatest challenges were “people, people, and people.” Certainly, when auditors or management analyze the reasons for risk and control failures, people are generally the root cause. For example, weaknesses may include:
* Insufficiently trained personnel to perform the work. A common material weakness in the first few years of compliance with internal control over financial reporting requirements was a lack of experienced financial reporting personnel within the company. In more traditional process reviews, auditors often find that control weaknesses arise because individuals don’t understand the tasks they have to perform.
* Insufficient numbers to perform the work. When auditors find that important reconciliations are not performed timely, inventories are not counted, a backlog in transaction processing exists, or agreed-upon corrective actions to address prior audit findings aren’t completed, managers frequently offer the excuse that their area is understaffed.
* Poor management and leadership. Micromanagers and dictators can destroy a solid finance function. At the other end of the spectrum, the absence of leadership, motivation, and communication can cause teams to flounder. Both situations generally lead to failures to perform key controls consistently. For example, poor managers have difficulty retaining experienced professionals to perform account reconciliations on time and with acceptable levels of quality.
* Ineffective human resource practices. In some cases, management may choose to accept a certain level of inefficiency and retain individuals who are not performing up to par. For example, the financial analysis group of a U.S. refining company was failing to provide management with timely business information. Although the department was sufficiently staffed, the team members were ineffective. Still, management did not have the resolve to terminate poor performers — for fear it would not be possible to hire quality analysts to replace the people who were terminated.
In each of these examples, people-related weaknesses resulted in business process key control failures. The key control failure was the symptom, and the people-related weakness was the root cause. As a result, the achievement of business objectives was at risk.
The traditional view of risk focuses on the possibility that an event may have a negative impact on the organization’s ability to achieve its goals and objectives. After all, The Committee of Sponsoring Organizations of the Treadway Commission defines risk in its Enterprise Risk Management — Integrated Framework as “the possibility that an event will occur and adversely affect the achievement of objectives.”
However, there is also a positive side to risk: opportunity. And internal auditors should not be satisfied when business practices are sufficient to manage the downside of risk if an untapped upside potential for excellence remains. Consider an audit of an organization’s procurement function. If the auditor finds that all key controls are designed adequately and operating effectively, in compliance with company policy, and targeted cost savings are being generated, should the auditor conclude the controls are adequate? What if that department has a staff attrition rate of 25 percent and morale is low? Does that change the assessment? Clearly, even if the standard set of controls were in place, the function would not be performing at optimal levels.
Just as people problems can lead to risk and control failures, exceptional people can help a company achieve success. In fact, an effective system of internal control considers the adequacy of controls not only to address the risks related to poor people-related management but also to ensure success through excellence in people-related management.
Pace American is an excellent example of how improving morale and people management can impact the bottom line. Over a seven-year period, the company went from having low employee morale and 200 percent staff turnover to being the No. 1 manufacturer of enclosed cargo trailers in the country. The company attributed its success to good leadership and motivation.
The people issue should be addressed in at least two phases of the audit process: planning and issue analysis (i.e., understanding weaknesses, their root cause, and the appropriate corrective actions). In the planning phase, the auditor should consider how people-related controls might impact the audit and which controls should be included in scope. The following questions should be considered in relation to controls over staffing, organization, training, management and leadership, performance appraisals, and employee development:
* How significant would a failure of people-related controls be to the achievement of objectives and the management of business risk covered by the audit?
* How critical is excellence in people management to the achievement of operational excellence related to the objectives of the audit?
Issue analysis requires a different approach. Auditors may have to ask the question “why” three or more times before they get to the root cause of a problem, as illustrated by the following fictional conversation between an auditor and a manager responsible for reconciliations:
AUDITOR: “Why weren’t the reconciliations completed on time?”
MANAGER: “Because we were busy closing the books and one staff member was on vacation.”
AUDITOR: “You are still expected to complete the reconciliations, which are critical to closing the books. Even with one person on vacation, why were you too busy?”
MANAGER: “We just don’t have enough people to get everything done, even when we work through weekends and until late at night.”
AUDITOR: “Why don’t you have enough people?”
MANAGER: “Management won’t let me hire anybody else because of cost constraints.”
AUDITOR: “Why won’t management let you hire anybody? Don’t they realize the issue?”
MANAGER: “Well, I think they do, but I have been so busy that I may not have done an effective job of explaining the situation. Now that you are going to write this up as a control weakness, they will listen.”
The root cause of the problem in this scenario is that the manager responsible for reconciliations failed to provide effective leadership. He did not communicate the problem and ensure he had sufficient resources to perform the work assigned. The root cause is a people problem, and the auditor should address that directly in the audit report. If the auditor only reports that the reconciliations weren’t completed on time, senior management might only press the manager to perform better without understanding the need for both performance improvement and additional staff.
In many organizations, it is difficult for an auditor to discuss people issues with management, even when these issues are directly and clearly the cause of business problems. Auditors may find it tricky — for political reasons — to recommend hiring additional staff or to explain that the existing staff members do not have the experience or training necessary to perform their assigned tasks. Additionally, they are likely to run into political resistance to reporting management and leadership failure. But, that is the job auditors are expected to perform: provide an honest, objective assessment of the condition of internal controls — including the people ones.
If the scope of internal audit work does not consider people risks, or if auditors are unable to report people-related weaknesses, they are not adding the value they should. They’re also failing to report and help resolve the root cause of organizational problems. Some might even say there is another people-related risk — in the leadership of internal auditing.