Fraud Symptom 12 – Unethical Compromises by External Auditors
Posted by Sonia Jaspal in Audit, Business Ethics, Ethics, Financial Risks, Fraud Risks on March 1, 2012
In the recent corporate frauds, auditors’ professional robes were soaked in dirty money. Their unblemished reputations tarnished, they dealt with allegations of compromising ethics, code of conduct and reporting responsibilities for self-interest and business opportunities. Auditors, the bastions of corporate governance and of maintaining shareholders’ interests, failed miserably in performing their duties. In some cases they failed to detect the frauds, and in others they collaborated with clients to help them commit the frauds.
The contract clauses of reasonable assurance, limited liability and others usually let them escape criminal liability. The regulators, shareholders, employees, third parties and the public helplessly watch the organization going bankrupt and/or closing down because auditors failed to detect wrongdoing or failed to report it. The financial crises showed that without due care, global economies go into recession. That should make auditors more responsible; however, it is not the case.
Francine McKenna, author of the blog re: The Auditors, is a pro at digging up dirt about the big four and openly shares her views. This extract from her blog shows the interrelationships between the big four and corporate giants. With these relationships, the independence of external auditors is easily questioned and frequent compromises are suspected. Though I normally don’t post big extracts from other blogs, this one is too good to miss.
“KPMG audits Citigroup, Wells Fargo – who now owns client Wachovia – GE, and GM. They used to audit two big mortgage originators before they blew up – Countrywide and New Century. They also used to audit Fannie Mae and Moody’s before they were fired and sued. They also audit the US Treasury.
PricewaterhouseCoopers audits JP Morgan Chase, Bank of America, Goldman Sachs, AIG, the Federal Home Loan Banks, and Freddie Mac. PwC is also responsible for Satyam, Northern Rock in the UK, Glitnir in Iceland, and Russia’s Yukos.
Deloitte, who is now Fannie Mae’s auditor, was also auditor of four other housing related companies that had issues: Taylor Bean & Whitaker, Beazer, Novastar, and American Home. (The bank that TBW bankrupted, Colonial Bank was audited by PwC.) Deloitte audited three no-longer-independent large firms sunk by bad mortgages: Merrill Lynch, Bear Stearns, and Royal Bank of Scotland. Deloitte used to audit Washington Mutual before it was taken over forcibly by JP Morgan. They also audit the Federal Reserve Bank and Buffett’s Berkshire Hathaway.
Ernst & Young, everyone knows, audited Lehman Brothers. But don’t forget UBS and Societe Generale, home of the “rogue” traders, and Anglo Irish in Ireland. EY also audits News Corp and S&P, the ratings agency.”
The issue is: can shareholders expect auditors to report independently and forgo lucrative business to adhere to ethical standards? Audit organizations need an organization culture that focuses on social responsibility along with the profit motive. However, some successful ones have a competitive, aggressive culture that fails to build in the ethical aspects of auditing.
Therefore, the cultural climate in auditing firms raises questions. The research paper “Public Accountants’ Perceptions of Ethical Work Climate” authored by Howard Buchan evaluates the Ethical Climate Questionnaire developed by Victor & Cullen for public accounting firms. The following questions were asked of everyone from partners to staff to assess the instrumental climate:
- “E1 In this Firm, people protect their own interests above all else._____
- E2 In this Firm, people are mostly out for themselves._____
- E3 There is no room for one’s own personal morals or ethics in this Firm._____
- E4 People are expected to do anything to further the Firm’s interests, regardless of the consequences._____
- E5 People here are concerned with the Firm’s interests-to the exclusion of all else._____
- E6 Work is considered substandard only when it hurts the Firm’s interests._____
- E7 The major responsibility of people in the Firm is to control costs._____”
The instrumental climate emphasizes individual self-interest and company interests above all others. Though the study mentions that participants didn’t perceive an instrumental climate, the mean responses ranged between “mostly false” and “somewhat false”. The results indicate that partners and junior staff perceive the ethical climate in the firms differently. Hence, more focus is required on building an ethical culture within the auditing firms.
Moreover, though audit firms have been asked by regulators to segregate non-audit and consulting practices, the bifurcation is cosmetic and not in spirit. A recent example is PWC India, whose partners were implicated in the Satyam fraud. The Times of India reported that the insurance claim by PWC for the Satyam fraud is fraught with irregularities and that arm’s length distance was not maintained between various PWC entities as required by the Institute of Chartered Accountants of India (ICAI).
“Price Waterhouse (PW) Bangalore, the tainted auditor of scam-hit Satyam, utilized over 95% of a $60-million (Rs 280 crore approximately) insurance cover available to all Price Waterhouse entities in India to meet post-fraud litigation expenses and damages without paying a single rupee towards the premium. The revelation raises questions about the arguments put forth by the global financial services company that each of its Indian firms is a separate legal entity and not responsible for the acts or omissions of any other member firm.
PW Bangalore, which had the mandate for the Satyam audit before the fraud came to light in 2009, did not contribute any money towards the Professional Indemnity Insurance (PII) of $60 million, but surprisingly enjoyed the cover when it faced trouble and litigation for the lax audit, documents accessed by TOI showed. PW Bangalore even used the cover to pay $15.5 million towards settlement of a class-action suit filed against it in the US. Till financial year 2011, various entities of PricewaterhouseCoopers India (PwC India)-including a private limited company which renders only non-audit related services-had a common insurance cover.”
The blame for the malpractices has to be shared by regulators, boards of directors and shareholders. Most of the Fortune 500 companies select the big four as auditors. Though audit committees are required to annually review and recommend auditors, in most cases the auditors are not changed. In my previous post on audit committees, I had mentioned this data from the Economic Times article “Can the big four survive a break-up attempt”.
- In top 100 (US) companies, the average tenure of audit firms was 28 years. 20 companies had the same audit firm for 50 years or more.
- 85% of the companies in EU are audited by big four.
- 99% of the audit fees paid by FTSE 100 (UK) in 2010 were earned by big four.
- Just 2.3% of FTSE firms changed their auditor between 2002 and 2010.
Without regulators taking their responsibilities seriously, the audit firms aren’t going to change. For instance, the ICAI disciplinary committee for chartered accountants has big four partners as members. In other committees also, big four partners have an influential position. Considering this, it is not surprising that the disciplinary process is slow, as it was in the case of Satyam.
Recommendations
1. Regulators must lobby for laws to mandate audit firm rotation. For instance, the new Companies Bill 2011 (India) requires rotation of the audit firm every 5 years and of the audit partner every 3 years. It also states that no audit firm will audit a company for more than 10 years. These laws will ensure some level of independence and also give a growth option to other audit firms.
2. ICAI and other institutes granting permission for practice to audit firms may periodically conduct an assessment to evaluate the ethical climate of the firm.
3. ICAI and other institutes should either segregate disciplinary responsibilities to another organization or become proactive in disciplining errant chartered accountants.
4. Audit committees, boards and shareholders must proactively manage the appointment of audit firms and evaluate the financial reporting systems.
5. Audit firms should take a leaf out of their own book and focus on building a benevolent organization culture to balance their social responsibility with profit earning objectives.
References:
- re: The Auditors by Francine McKenna
- PwC arm’s insurance cover under cloud - Times of India 29 February 2012
- Public Accountants’ Perceptions of Ethical Work Climate: An Exploratory Study of the Difference Between Partners and Employees within the Instrumental Dimension by Howard Buchan
Does Age Impact Ethics?
Posted by Sonia Jaspal in Corporate Social Responsibility, Ethics, Management, Organization Culture, Personal Ethics on February 22, 2012
Michael Douglas’s movie “The Solitary Man” depicts a story of a high-profile businessman becoming a criminal. It is a riches-to-rags story, where Ben, the character played by Douglas, is reduced to asking his daughter for home rent. The movie makes one contemplate – does age impact ethics? Watch these last scenes of the movie first.
The crucial point in the conversation is when Michael Douglas says – “No one noticed”. He changed from being a faithful husband to sleeping around with young women, because his wife didn’t notice. He shifted from being an honest businessman to a fraudster because no one noticed. The crux of crime – opportunity, reward and rationalization. When no one notices or stops you, it becomes easy to rationalize criminal behavior.
In another scene of the movie, he says to his friend Jimmy – “In the highest moments and lowest moments of life, you are all alone. On the cover of Forbes magazine, I am by myself. In business magazine cover with handcuffs, I am by myself.” As the cliché goes, it is lonely at the top. Does the isolation at senior level positions impact psychology and behavior?
Since very few juniors will confront a senior or CEO on unethical behavior, it becomes easier to rationalize. As seniors do not receive negative feedback they remain unaware of the impact of their behavior on juniors and the organization. Social intelligence antenna works on receiving direct and honest information. With diplomatic responses, some miss the signals.
One more critical comment that describes his psychology on ageing was – “I was becoming invisible. Thirty years ago the room changed when I entered. I was a lion.” With age no one noticed him and his ego couldn’t take it. He compensated for it by chasing young women.
Douglas couldn’t transition from the sense of invincibility that comes with success and youth, to being just another mortal, whose significance diminished with age. Hence, he broke all social and ethical norms to delude himself into feeling powerful.
In all careers the change is significant. Before retirement, one is generally at the highest level of their career, and suddenly on retirement, the people whom one was working with don’t have time for the person. A person deals with loss of self-esteem, insecurities and feelings of vulnerability. Each retiring person treads this uncertain path; however huge the savings and retirement plans he/she has kept.
Moreover, statistical data shows that old people are subjected to extensive verbal and emotional abuse at home. A survey by Helpage India indicates Bangalore as the number one city in India for mistreating elders. Previously Bangalore was known as a pensioners’ paradise, and now 44% of elders say they face abuse at home. In the upper strata of society sons mistreat, and in the lower-income group, daughters-in-law abuse. India, a country where youngsters respected elders by touching their feet, is fast becoming a nation that abuses elders. Further, as India does not have a social security system, if elders do not have sufficient savings, they are financially dependent on the younger generation, mostly sons. As India has a huge young population, a second job after retirement is difficult. Hence, living separately is not an alternative available to many retired people.
The sense of financial insecurity increases the propensity for fraud among employees near retirement age. Various surveys state that the frauds conducted by older and senior employees are much larger in value than those of junior employees. The focus on training senior employees on business ethics is low, as organizations assume that old hands are aware of the norms and culture. However, since outward behavior is normal, colleagues don’t realize when the person has snapped inside. Therefore, this group requires more focus than normally given.
Ideas for Action
1. Organizations can help older employees prepare transition plans for retirement. Coaching employees on developing a second source of income through developing different talents and hobbies will benefit. An active alumni group for retired employees helps in keeping their social circle intact. If the organization provides pension benefits, including medical insurance in them generates confidence.
2. Employees themselves may develop supplementary business ventures near retirement. For instance, civil engineers in India generally buy residential properties and farmlands. After retirement they venture into real estate and farming.
3. Relationships with family and friends matter. Irrespective of the amount of money available after retirement, without family support one leads an unhappy life. Hence, employees must keep up work-life balance and focus on relationships outside office.
4. Organizations need to train employees that frauds do not contribute positively to retirement funds. The probability of legal penalties and miserable old age are high. With rising inflation and government targeting black money, illicit money put away in lockers is not a viable option. To mitigate this risk give refresher business ethics courses to older employees annually.
5. To detect fraud propensities, companies must periodically conduct a background verification and credit check of old employees to confirm their financial position. For instance, in a few cases employees develop gambling, drug or alcohol addictions. They conduct frauds to fund these addictions. A background verification discloses these deviations.
6. India socially has two challenges – lack of old age homes and a social stigma if any person seeks psychological help. Psychological abuse remains an unmentionable issue. Hence, abused elders don’t have any alternatives. They cannot seek outside medical or other help as they attempt to protect family reputation. Organizations in their corporate social responsibility programs can build awareness about these two aspects.
Closing Thoughts
India’s transition from a developing country to global powerhouse has eroded Indian culture and social values. Adoption of western culture has benefited in some aspects. However, western societies’ challenges of lack of a family support system are ignored. This has resulted in creating a number of social problems in Indian society. Balancing the advantages of western and Indian culture and addressing the negatives will benefit the society. Achieving economic growth at the expense of certain sections of society will harm the social fabric and destroy moral values. This old story says it all:
Devil appeared before a middle-aged man. The man was worried that his career wasn’t doing well and he won’t have any retirement funds. The devil said – “I will ensure that you and your future generations will never have any financial problems, if you give me your soul.” The man agreed. Devil continued – “And the souls of your children, their children and all future generations.” The man again agreed and asked – “What’s the catch?”
Women in Indian Boardrooms
Posted by Sonia Jaspal in Corporate Governance, Management, Organization Culture on February 8, 2012
You might be saying, “Oh, not again about women”. But this is one piece of news I wanted to share and discuss with you. Believe it or not, the New Companies Bill 2011 has a provision making it mandatory for companies to have one woman director on the board. One can look forward to more corporate women becoming rock stars. The female gender, mostly invisible in Indian boardrooms, may now gain some significant visibility.
Personally, I am against the idea of reservations and believe women should succeed on merit. I go by Charlotte Whitton’s quote – “For a woman to get half as much credit as a man, she has to work twice as hard, and be twice as smart. Fortunately, that isn’t difficult.” However, in India’s case I think reservation may really be beneficial. I am discussing two biases that are restricting the growth of women in the corporate sector.
1. The Indian Bias
As mentioned in an earlier post, India has over 500 million women; however, just 335 held directorship positions in listed companies, that is, less than 5% of total board of directors. Across the world women face a concrete ceiling (not glass ceilings, these are easier to break) in getting senior positions. In the US, for the last few years the percentage of women in senior management positions is 13-15% with no significant growth. Norway shows the highest percentage with around 30% women holding board positions. These countries have such low percentages of women at senior level although their social culture supports equality of genders.
In India, only the constitution recognizes equality of genders. The social structure is biased against girls from the day they are born. This is because of the age-old dowry custom in India. On marriage, the bride’s father has to give a big fat amount to the groom’s family to get his daughter married off. In most families, if the money is not given, either the girl will not get a suitable match in an arranged marriage or, if she does, she is harassed in her husband’s family. Women are not considered earning partners and in conventional families are not allowed to work. Hence, they don’t have economic power.
Just to emphasize the negative conditions of women living in India, including in urban areas, here are some shocking statistics:
1. The Gender Gap Report 2011 of World Economic Report ranks India 113 out of the total 135 countries measured.
2. An article on domestic violence mentions that “according to United Nation Population Fund Report, around two-third of married Indian women are victims of domestic violence and as many as 70 per cent of married women in India between the age of 15 and 49 are victims of beating, rape or forced sex.”
3. According to National Crime Bureau 2010 report on Crime Against Women – “A total of 2,13,585 incidents of crime against women (both under IPC and SLL) were reported in the country during 2010 as compared to 2,03,804 during 2009”. India is amongst the most unsafe countries in the world. In 2010 there were over 22,000 rape cases and over 8000 dowry death cases reported.
Seeing the cultural and social bias against women, a whole lot depends on their economic power. Hopefully, with this law, with more women in boardrooms, the social mindset will change somewhat. When more visible stories of successful females are reported by the media, the Gen Y women might get a better deal and opportunities to gain financial independence. They might have more support from their families to hold a job and earn a living. Hence, this law gives Indian women a lot of hope and an opportunity to dream big.
2. The Global Bias
Before I discuss this point, here is a quiz, check out which of the words apply to your working style:
Aggression, Empowerment, Autocracy, Communication, Management, Collaboration, Rules, Consultative, Win-Lose, Social-sharing, Boss-hierarchy, Win-Win, Competition, Emotional Intelligence, Procedures, Teamwork, Control, Relationships, Toughness, Networking, Command and Empathy.
This may surprise you: the words above in red describe mostly a male working style and those in blue relate to a female working style. In the present global economy, the female traits are in demand. As Tom Peters mentioned in his presentation on gender diversity, women lead in 18 of the 20 attributes required in the present work environment. If companies wish to change their organization culture to meet the challenges of the current economic environment, then doesn’t it make sense to hire more women, as they naturally have these traits?
Here is another twist on strengths analysis. Traditional thinking is that competitiveness and command traits ensure success. On the contrary, there are numerous traits required in employees for an organization to be successful. For instance, too many planners and judgement-oriented employees in a team will delay action, flexibility and innovation. Interestingly, the book StrengthsFinder 2.0 authored by Tom Rath mentions 34 strengths. People have a group of these strengths that can be leveraged to be successful in the business environment. I am listing the strengths here. Read below and find out which strengths you have and whether they are really appreciated in your organization.
1) Achiever, 2) Activator, 3) Adaptability, 4) Analytical, 5) Arranger, 6) Belief, 7) Command, 8) Communication, 9) Competition, 10) Connectedness, 11) Consistency, 12) Context, 13) Deliberative, 14) Developer, 15) Discipline, 16) Empathy, 17) Focus, 18) Futuristic, 19) Harmony, 20) Ideation, 21) Includer, 22) Individualization, 23) Input, 24) Intellection, 25) Learner, 26) Maximizer, 27) Positivity, 28) Relator, 29) Responsibility, 30) Restorative, 31) Self-Assurance, 32) Significance, 33) Strategic and 34) Woo (winning others over)
On reading this list, irrespective of gender the question comes up – if as an employee you have attributes or strengths that are not valued in the organization, then what do you do?
In my view, the crux of the problem is that organizations are biased towards certain strengths. For example, Apple, Google and other technology companies may be more focused on intellection, learner and strategic traits whereas in the military the focus is on command, discipline and belief. The employees with different strengths are not encouraged, though balance makes organizations more successful. Hence, if one delves deeper the issue is not about gender, it is about the traits that are valued in the organization. Usually gender equality faces hurdles as macho traits are more appreciated in organizations. Hence, where boards are all male, women are not welcome. Organizations where non-macho traits are valued generally have more women at all levels including the top.
Closing Thoughts
In India, without economic power women are unlikely to be respected. Though Indian mythology talks a lot about women’s equality, respect and honor, the reality is different. Hence, to break the vicious circle, this law will help. The benefits will be the same as reservations of seats for women in panchayats in rural India.
On the global front, organizations need to develop an appreciation of non-masculine traits. As evident from advertising and branding of some successful companies, women consumer power matters. Without having women at the top, an all male bastion cannot understand the softer requirements of female consumers. It makes sense to have women deciding for women.
If you don’t agree with me, take this instance. Ask any hubby to buy a gift for his wife, and he will sound as if he has to do a torturous task rather than a happy shopping expedition. Husbands complain they don’t know what their wife wants, and male boards of directors decide on female consumers’ preferences. Then men say women are illogical. Couldn’t resist that one.
Innovative Assurance and Advisory Services
The business team’s mental picture of an auditor is of a guy focused on nitpicking financial accounts. The excessive focus from regulators on internal controls in finance processes has stereotyped auditors. However, in these dynamic economic conditions senior management expects internal auditors to break out of this image and become business partners. The question is – how can they do so? Let me share with you my story first.
My journey as an internal auditor changed in mid-nineties when I was an audit manager in an auditing firm. One day, I had a meeting with the client’s CAE to discuss the scope of work for the year. The client had in-house internal audit team and outsourced some areas of work. The CAE had mostly worked in UK and US, so was highly exposed to the international environment in comparison to the regular Indian CAEs at that time.
On starting the meeting, the CAE said – “Sonia, I think for the first quarter I would like you to cover marketing and customer service department.” I swallowed and nodded agreement.
He then continued – “Next quarter you can cover production”. I squeaked – “Production?” He replied – “Yes, shop floor audit would be interesting.” I tried to keep my expression under control and not show my shock, and again nodded in agreement.
He further added – “Last two quarters of the year, you can cover purchase department and inventory function”. I knew something about these two areas, so I tried to breathe. As the meeting closed, I started thinking how I was going to execute this scope of work. You see, there was a small hitch. I generally did service industry audits and this client manufactured cranes and forklifts. What does one audit in marketing of cranes? How are cranes produced? I was absolutely clueless.
As I drove back I wondered whether my boss had intentionally skipped the meeting. He knew if he had accepted this scope of work, I would have had reasons to crib. Now as I had accepted the scope of work, I couldn’t crib. If I did, he would say – “Sonia, you should have negotiated better.” So I took a small diversion and made a stop before reaching my office. My boss was eagerly waiting and from his expression I knew he had already spoken to the CAE. It was a setup! I presented him the scope of work letter, my bookstore bill and the five books I had purchased on the marketing function on the way back. He smiled gleefully.
I knew I was in trouble. In those days there was no internet or Google in India. I tried to figure out how I could convince my team that I knew more about marketing cranes than how to spell it.
Later on I realized that these assignments were the turning points in my career. They shook me out of my comfort zone and taught me a lot. While I could earlier rattle off the financial numbers of my clients, I really didn’t understand their business. What did they do? How did they make money? What challenges do they face in the market place? Without understanding the business, one could hardly do any value add.
So the relevant question is how can auditors become business consultants? Primarily internal auditors are driven in scoping their work according to materiality in financial statements. If we change the focus from financial to business, the scope of work automatically changes. I am sharing with you some of my ideas.
Of course as you read some of the suggestions the question will come up, does it fit into the third line of defense (internal audit), second line of defense (risk management) or the first line of defense (business teams). My view is that first an organization should decide, is this what they require? If yes, then they need to find an appropriate fit in their structure. Though some of these services do not fit the traditional sense of audit, they add a lot of business value. Moreover, the skill set required to perform these services is the same as an auditor or risk manager. The mindset has to be different.
The argument against it is that these are management responsibilities as some of these either appear to be focused on preventive or detective controls, and moreover do not focus on financial processes. The question to ask is – is management fulfilling these responsibilities in other functions? Additionally, if business risks and controls are not addressed, doesn’t it impact financial processes and income? Maybe, senior management needs to come out of the SOX mindset and think differently. Read on and share your views with me.
1. Job Work Review
I am sure you must be wondering here – what is she referring to? As a corporate citizen you must have heard of management saying that with so many resources the work is still not done. On the other hand employees lament that they are over worked due to insufficient bandwidth. One wonders, are they talking about the same organization? Let me explain in detail as to what we can focus on here.
I had a banking client where the management and employees were in this tussle. Since it was an Indian nationalized bank, the tussle was fast becoming a labor union issue. Management appointed our company to identify the real work issues at a sample branch to resolve the problems. The branch had 50 odd employees and as a first step we asked them to fill a detailed form listing out their activities on a daily, weekly and monthly basis along with the time. We also gave time sheets for the bank employees to fill for a fortnight to record actual work done with time spent.
Meanwhile we analysed job descriptions, processes, MIS and business applications to assess the real activities performed by various departments within the branch. Finally, we conducted interviews with the employees to discuss our observations relating to their job roles and work done. We were able to identify duplicate work done, opportunities for minimizing manual work by using technology, improving processes, reducing time spent on non-value add work, restructuring department functioning and changing job roles. This improved the efficiency of the branch operations besides resolving the management problems.
In another similar assignment for a law office, we analysed billable and non-billable time spent by attorneys. By transferring the non-billable activities to other job roles, the attorneys were able to increase their billable time, hence directly improve revenues.
The point is, all managers are told to prioritize work. Ever wondered what percentage of managers do it successfully? Additionally, what is the impact on revenues because of failure to do so? Isn’t it worth checking out? Shouldn’t organizations focus on employee risks? Employee risks are turning big and are mostly unaddressed.
2. Build Risk Assessment Tools
The business teams are primarily responsible for managing risks, but are not trained in risk management. The internal auditors and risk managers have vast knowledge of business risks. Then isn’t it worthwhile to bridge this gap? Here I will give you an example of what we did for a software development company.
The program managers were running million dollar software projects. As you know, the project risks impact cost, quality and time of the project. The software development teams focus more on running the project than on doing project risk management. Hence, we developed an Excel tool for them. The spreadsheet contained over 600 risks on various stages of a software development project. The project manager just had to assess whether a risk was applicable to the project and select a listed risk mitigation plan. S/he had to input the name of the person responsible for managing the risk and the time schedule. Only in rare cases did project teams identify a new risk, which we incorporated in the next version of the tool. An activity which took the project teams days of discussion could be completed within a day, and the project manager could review the risk status within an hour on a weekly basis. An overall organization count was available on risk occurrence, success/failure of mitigation plans and risk losses.
Empowering the business teams with appropriate tools to conduct risk management is far more beneficial than a post facto audit. A reduction in risk loss directly improves profitability.
3. Process Design Review
Internal audit and risk management functions generally are not involved in the process review at the designing and re-engineering stage. They audit the process after it is functioning and then identify control gaps and give recommendations for improvement. Doesn’t this sound like attempting to catch an elephant by its tail? I will share with you my ideas on this area.
When an organization is establishing its back offices, usually the processes are migrated with the same controls as existed before. However, the risks and control requirements change considerably on process migration. If an auditor reviews the process and standard operating procedures at the process migration stage, not only will business risks be addressed, it will also save a lot of time in doing a subsequent audit. Additionally, management will be able to identify whether the process is high, medium or low risk and budget risk loss accordingly in the cost-benefit model.
The same applies when management is re-engineering processes according to six-sigma or lean or any other model. Sometimes on re-engineering processes, the existing control steps are removed to reduce work time and improve efficiency. However, no compensating controls are put in place. This increases the risk of the process without management’s knowledge.
Reviewing processes proactively for controls and risks reduces probability of subsequent damage due to control failure. It significantly mitigates fraud risk also. Moreover, it reduces the audit time significantly.
4. Software Implementation Review
Again I see here that auditors review application controls at the time of a SOX or financial audit. An assurance needs to be given on the technology controls. However, the cost of changing an application program after implementation is 3-4 times the cost at the time of development. Hence, doesn’t it make sense to review the software program at the time of implementation, whether it is an ERP or a customized application?
To demonstrate the value of the work, I am narrating my experience of doing an assignment for a government tax department in India. The department was implementing technology for the first time to improve tax collection. According to its estimates because of the manual systems and delay in collecting information, it was losing revenue in millions due to tax evasion. They had appointed a hardware vendor and software vendor, and then my organization for auditing. We worked with the department to review the technology implementation strategy, user and functional specifications for controls, network diagram for information security and conducted application controls testing. This saved the department from various problems that would have occurred after implementation.
Proactively addressing technology controls saves the organization subsequent cost of changing them and mitigates the risks occurring from control lapses. Conducting an ongoing review of implementation of critical business applications is beneficial.
5. Policy Decisions Review
Now this is something that most auditors and risk managers do not go near, as policy making is a management responsibility. However, I am going to narrate an incident here, and let you decide whether it makes sense to re-look at the policies.
I was conducting a financial statements audit of a consumer goods trading company. While checking the discounts given on a product, I realized that the total discount given was eroding the profit margin. The company had various discount categories, for instance – special discounts, festival discounts, dealer discounts etc. However, it was not calculating the total of these discounts for each product. Hence, it didn’t realize that though the sales were increasing, the discount policies were faulty and eating away the profit margin. I did a marginal costing analysis, and assessed that if they continued with this policy the company would lose its “going concern” status in three years. Management was horrified on seeing my report and realizing that various discount policies cumulatively could have such an impact.
Look at it from another angle. If you see the banking sub-prime crises, maybe a review of the policies to give loans to financially weak or unstable income borrowers would have reduced the risk. If the banks had just disbursed loans to this category to a small percentage of the total retail lending, this situation may not have occurred. Conducting an audit after loan disbursement and commenting on the quality of loans hardly helps.
My suggestion here is that when policies are issued, they need to be reviewed for financial and risk impact. Issuing single policies doesn’t sound like a big deal, however when sum total impact of a group of policies in a specific area is analysed, the picture is quite different.
6. Fraud Risk Assessment
In a speech given by the Governor, Reserve Bank of India, to the Institute of Chartered Accountants of India in December 2011, he said – “The profession has shied away from the responsibility for prevention and early detection of fraud.” This is a valid allegation. Although fraud risk is increasing at a tremendous rate, most organizations lack focus. Banks have fraud risk functions; however, they are more focused on investigations. The thrust on fraud prevention can be improved.
Let me give you an example here. In India banks are either shifting back office operations or outsourcing them to vendors. Now these back offices have multiple processes, mostly run by people who are service delivery experts. The teams sometimes lack banking industry knowledge and are clueless about the fraud risks of the process. At the time of process migration, training is provided to detect transaction level fraud. However, if you ask the process owners whether the processes they are running are high, medium or low fraud risk, they will be unable to answer that.
I had once with my team developed a fraud risk assessment tool for banking back office operations. A weight was given to each data item that could result in fraud. For example, an employee having access to customer information can conduct account takeover fraud in a call center. The information normally required is name of the customer, account number, address, date of birth and debit/credit card number. If this data is available, the probability of fraud increases. Hence, the tool captured the data availability for each process and calculated the level of fraud risk for the process. Management and process owners knew the high fraud risk processes and could allocate more resources to fraud prevention to these processes. Incorporating controls in these processes reduced the overall fraud risk of the organization.
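The scoring approach described above can be sketched as follows. This is an added example, not the tool from the post: the weights, tier thresholds, process names and the rule that a process exposing every listed data item is rated high are all assumptions made for illustration.

```python
"""Fraud-risk scoring of back-office processes by data availability (illustrative)."""
from dataclasses import dataclass

# Assumed weights per data item; the post does not publish the real values.
DATA_ITEM_WEIGHTS = {
    "customer_name": 1,
    "address": 2,
    "date_of_birth": 3,
    "account_number": 4,
    "card_number": 5,
}

# The data items the post lists as normally required for account takeover.
ACCOUNT_TAKEOVER_ITEMS = frozenset(DATA_ITEM_WEIGHTS)

# Assumed tier thresholds on a 0-100 score.
HIGH_THRESHOLD = 70
MEDIUM_THRESHOLD = 40


@dataclass(frozen=True)
class ProcessAssessment:
    process: str
    score: int                    # 0-100, share of total weight exposed
    tier: str                     # "high", "medium" or "low"
    takeover_data_complete: bool  # every listed item is visible to the process
    missing_items: tuple          # listed items the process cannot see


def assess_process(process, available_items):
    """Score one process from the data items its staff can access."""
    items = set(available_items)
    unknown = items - set(DATA_ITEM_WEIGHTS)
    if unknown:
        # An unweighted item would silently understate the risk, so fail loudly.
        raise ValueError(f"no weight defined for: {sorted(unknown)}")

    total_weight = sum(DATA_ITEM_WEIGHTS.values())
    exposed_weight = sum(DATA_ITEM_WEIGHTS[item] for item in items)
    score = (100 * exposed_weight) // total_weight

    missing = tuple(sorted(ACCOUNT_TAKEOVER_ITEMS - items))
    complete = not missing

    # Assumption: a process holding the full data set is high risk
    # regardless of its numeric score.
    if complete or score >= HIGH_THRESHOLD:
        tier = "high"
    elif score >= MEDIUM_THRESHOLD:
        tier = "medium"
    else:
        tier = "low"
    return ProcessAssessment(process, score, tier, complete, missing)


def rank_processes(inventory):
    """Assess every process and return them highest score first."""
    results = [assess_process(name, items) for name, items in inventory.items()]
    return sorted(results, key=lambda r: r.score, reverse=True)


# Constructed sample inventory: process name -> data items available to it.
SAMPLE_INVENTORY = {
    "statement_printing": ["customer_name", "address"],
    "call_center_service": ["customer_name", "account_number", "address",
                            "date_of_birth", "card_number"],
    "kyc_document_indexing": ["customer_name", "address", "date_of_birth"],
    "card_dispute_handling": ["customer_name", "account_number", "card_number"],
}

if __name__ == "__main__":
    for result in rank_processes(SAMPLE_INVENTORY):
        print(f"{result.process:24} score={result.score:3} tier={result.tier:6} "
              f"missing={list(result.missing_items)}")
```

The `missing_items` field shows which data items a control such as field masking would need to keep hidden so that a process does not hold the complete set.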
As mentioned in an earlier post, the Kroll Fraud Report of 2011 states that globally organizations reported on average 2.1% of earnings loss due to fraud, and nearly 1/5 of the organizations had a 4% earnings loss. In case of senior management involvement – for instance, Satyam, Enron and WorldCom – organizations are nearly wiped out. Fraud risk additionally impacts financial, reputation and legal risks. Hence, organizations definitely need to focus on it.
7. Review of Management Programs
Management initiates various programs, namely for – innovation, research, quality improvement, leadership development, etc. There is a lot of time and money spent on these programs as these enable the organizations to gain a competitive advantage. Risk managers talk about competitive advantage risks, however these programs do not come under the review radar of either internal auditors or risk managers. They check that the cost of programs is booked correctly, and are unconcerned about the success of the program and/or reasons for failure. Reason being, no obvious risk is seen.
My view is that if a program is developed to gain competitive advantage, then obviously its failure results in increasing competitive disadvantage. That increases business risks. These risks might not be immediately quantifiable, but have long-term impact. However, the reasons for program failure are not obvious, and failure results in sunk costs for the program.
For instance, in a company I had run an organization survey to get feedback on implementation of a quality framework. Normally, negative feedback identifies the following problems – lack of senior management support, insufficient training, lack of implementation support, no hand-holding done in the first project etc. In the feedback given, the respondents stated that these issues were addressed well and they had no complaints on these fronts. However, they were not motivated to use the framework because there was no reward or recognition system in place for doing well in this area. After implementing an employee bonus scheme for adopting the framework and using it well, participants’ commitment levels for the program improved.
As I had mentioned in an earlier post “Creativity@Risk”, organizations’ innovation programs may not be effective because creativity is not valued. I had given steps to audit creativity levels in the organization. Think of it, if innovation and research are failing, don’t the competitive advantage risks increase? How are organizations calculating and addressing these risks?
8. Brand Building Programs Review
Organizations are investing heavily in building brand names to gain competitive advantage and customer loyalty. They run advertising, social media and corporate social responsibility programs geared towards it. However, some are succeeding in their efforts, while others are getting nowhere, especially Indian companies. For example, the global Brand Keys Customer Loyalty Leader report of 2011 doesn’t mention even one Indian company in its top 100 brand names. Hence, the question is where are all the advertising and brand building budgets going?
A review of the effectiveness of these programs helps to build better customer relationships. For example, some banks to get Gen Y customers have launched games on their website. If a customer logs in and does some transaction or activity on the website, s/he gathers points. After accumulating certain number of points, the customer is given a small gift. It is targeted towards building customer retention and loyalty. The cost of the program is low, impact is high.
Another aspect now facing organizations is social media risks. Any negative information that goes viral can damage the company reputation. Hence, the probability of reputation risks has increased. To ensure that these are properly mitigated and the programs are effective, these programs can be periodically reviewed.
9. Strategy Review
In an earlier post I had mentioned a point from a McKinsey report. It states that just 8% of the respondents said that their organizations review strategies on an ongoing basis. In 42% of cases, the organizations were not conducting annual reviews of strategy. Now without reviewing the strategy, how do organizations really know where they are heading?
In another recent report of the Economist Intelligence Unit titled “The Long View” the key observation was that – “The time horizons for strategy and risk are often misaligned. Some companies are making long-term strategic plans without a proper consideration of the associated risks.” The main reason is that risk management is considered an operational activity rather than a strategic function. This is highlighted by the fact that just 24% of organizations think that risk analysis is vital for strategy development.
To illustrate the need for strategy review, I am narrating an incident. I was pitching for work to a CEO. He handed me his strategy documents for building 100 collection centers. I analysed the numbers, and realized that though the revenue numbers and assumptions were correct, the costing was not so. I visited a few collection centers, developed an operational plan and costing analysis and submitted the revised numbers. When the CEO saw the numbers, he asked me for my recommendation. I said in a straightforward manner – “If I was in your position I wouldn’t implement this project. Though revenue numbers are good, the break even point is at 75%. There are no quick earnings and failure probability is high.” The CEO agreed with my observation and the project was not undertaken.
As I persistently continue to make this point, strategy review is essential for success. A lot of funds are wasted on wrong strategies. Start with focusing on the strategy formation process and reviewing business strategies to move up the value chain.
10. Business Continuity Plan Review
Most organizations dependent on information technology have disaster recovery plans and/or IT recovery strategies. Few have developed and implemented full-fledged business continuity plans envisaging various natural and man-made disasters, although with the increasing frequency of floods, earthquakes, hurricanes and terrorist attacks this would be an obvious move. Last year the earthquake in Japan and floods in Thailand caused problems for companies worldwide whose vendors were located in these countries. The supply chain broke down.
Conducting a business impact analysis requires classifying each activity in the business process as critical, necessary or optional in case of a disaster. Some activities might be required in normal business functioning but not in a disaster scenario. For example, for a bank, having credit card operations running 24/7 is critical; however, a loan application approval process can be delayed for a couple of days without a big problem. A solution is required for all critical activities. For instance, in the 9/11 attacks in the US, the Amex center in Delhi acted as the backup center for the US offices. It was one of the few companies whose customers didn’t feel any impact on customer service due to the incident. Hence, ensuring that all critical activities have a backup facility with trained resources operable in a short time span is critical for business continuity.
A review of the plan and testing documents ensures that there are no gaps and all possible disaster scenarios are covered. A periodical review is required as sometimes processes and business change, while the business continuity plan is not updated.
Closing Thoughts
To provide value add to business, auditors and risk managers need to focus on these services. The Big 4 earn most of their revenues providing these services to clients, as few companies have developed in-house capability. Some organizations, though, have shown progressive thinking and renamed their internal audit departments as business assurance and advisory functions. One arm of the department focuses on regulatory requirements of internal audit and the other arm focuses on providing assurance and advisory services to various stakeholders within the enterprise. The cost of setting up the function is low, the rewards are high. Senior managers just have to re-imagine audit and risk management functions. It will be worthwhile.
Shattering Perceptions About Audit Committees
Posted by Sonia Jaspal in Corporate Governance, Risk Management, GRC Dept. Functioning, Audit on January 24, 2012
Imagine driving a car with a speedometer in the rear. When you crash, a voice from the back of the car gives the depressing message – “You crashed because you broke the speed limit of 60 miles an hour”. Now this question will get most of the auditors and risk managers upset, but I shall stick my neck out on this one. Don’t you think this metaphor fits the role audit committees are fulfilling presently? Should the audit committees function differently to help the CEO and board members perform better?
I am sharing below some controversial views on the role and performance of audit committees. Let us say, I am auditing “auditing committees”. It might force you to rethink some issues. Do you share my views or hold different views?
1. Formation of Audit Committee
Generally, audit committees are formed with 3-4 non-executive independent directors. The premise is independent directors are in a better position to give impartial and unbiased views. Hence, the committee is entrusted with responsibility of advising the board on effectiveness of systems of internal controls, compliance and governance in relation to financial reporting obligations. The pertinent questions that arise are whether the independent directors are actually independent and capable of fulfilling their responsibilities. To shed light on this area, I am discussing some scenarios on appointment of independent directors.
Usually, independent directors are invited to join the board since they are either socially connected to the CEO or some other director. Delving into their backgrounds reveals commonalities between education, employment and/or social background. A board survey done in 2005-2006 in India showed that a “good 90% of the non-executive independent directors were appointed using CEO/chairperson’s personal network/referrals, and the remaining 10% through executive search firms.”
Another challenge is getting independent directors with the right industry experience and expertise. To illustrate, in 2010 48% of UK FTSE companies were unable to comply with the provision of 3 non-executive directors forming the audit committee, as there were insufficient non-executive directors available on the board. Moreover, around 10-11% of the companies did not specify a director with relevant financial expertise.
Looking from another angle, appointment of independent directors to other company boards is dependent on favorable reviews and recommendations from existing board members. In light of this, wouldn’t the audit committee members be tempted to look the other way and avoid raising issues where CEO or board involvement is suspected in frauds? Can we really consider them independent?
Additionally, the value-add provided by the audit committee members is sometimes questionable. I couldn’t find specific data relating to India, but Grant Thornton report on UK companies states that audit committee meetings on an average were held 4-5 times during the year and non-executive directors attended meetings on an average 17-18 times during the year. If I do back of the envelope calculations, in rare cases only audit committee members would be spending more than 10 days per annum to fulfill their responsibilities for a particular company.
Considering this, I personally have doubts whether audit committee members are in a position to understand the complexities of business, the control environment and various risks impacting the organization. Keeping the size of organizations in mind and their global spread I sometimes feel that audit committees provide an illusion of confidence to shareholders rather than real confidence.
2. Selection & Appointment of External Auditors
The appointment and selection of external auditors is one of the key recommendatory functions of the audit committee. The board in the annual general meeting generally proposes the name of the external auditor recommended by the audit committee.
Hence, the assumption is that audit committees take this responsibility seriously. I came across this Economic Times article “Can the big four survive a break-up attempt”. It highlighted some interesting facts:
- In top 100 (US) companies, the average tenure of audit firms was 28 years. 20 companies had the same audit firm for 50 years or more.
- 85% of the companies in EU are audited by big four.
- 99% of the audit fees paid by FTSE 100 (UK) in 2010 were earned by big four.
- Just 2.3% of FTSE firms changed their auditor between 2002 and 2010.
Separately, a Grant Thornton 2010 report states that average duration for UK FTSE companies of an external auditor is more than 31 years. Additionally, 55% companies provided minimum insight on selection process of external auditor and just 15% companies provided detailed information on the decision-making process.
I am going to let you decide whether with these facts you can presume the audit committees are ensuring proper selection and appointment of external auditors. The logical argument given would be that the big four have the geographical reach and expertise to audit multinationals. I have a straightforward question – with the same audit firm continuing for numerous years, can one assume objectivity and independence in reporting?
I am personally in favor of the new Companies Bill 2011 (India) clauses relating to audit firm and audit partner rotations. It mandates rotation of audit firm every 5 years and audit partner every 3 years. In my view, that is a step in the right direction.
3. Relationship with Chief Audit Executive
The Grant Thornton 2011 CAE Survey of US companies revealed some startling data. A quarter of the CAEs had not met the audit committee chair outside of board and committee meetings. 29% had met 1-2 times and 31% had met 3-5 times during the year.
Another interesting fact from the Grant Thornton 2010 report is that 13% of the UK FTSE 350 companies did not have an internal audit function. That is, 40 of the UK’s largest companies did not have a third line of defense, so most probably didn’t have a CAE. Moreover, 25% of the companies did not disclose compliance with this provision in the reports. This fact is fascinating, as in India internal audit is mandatory for listed companies and external auditors are required to comment on the function.
Seeing the above US data, that 85% of CAEs had minimal interactions with the audit committee chair, can one say that they have a good relationship with the chair and members of the audit committee? Without having a good one-to-one personal relationship, do you think audit committee members are in a position to assess the real performance of the internal audit department or gather critical information about the company from the CAE? With such limited communication among audit committee members and the CAE, would you have doubts on their effectiveness?
Now add to this, a CEO can terminate the CAE’s services if s/he holds a view opposing the board’s. Very few boards are mature enough to allow CAEs to constructively confront their ideas. Audit committee members may not be able to protect the CAE in all circumstances. Under these circumstances, would you say that audit committee and internal audit departments are effectively assessing the internal controls environment of the organization?
My view is that most audit committee members spend time on audit committee charter, internal audit charter and internal audit reports submitted by the CAE. They don’t delve deeply into procedures used to conduct internal audits. Additionally, in some companies there might be just superficial support given to the internal audit function.
4. Challenging Board Decisions
Audit committees have immense power in the sense that they can challenge board decisions. As per the Companies Bill (India), if the “board does not accept any recommendation of the audit committee, the same shall be disclosed in the report along with reasons thereof.” However, I have rarely seen a report that states the audit committee’s recommendation was not followed. This would make us presume that audit committee members are exercising their power properly and keeping a control on board activities. However, the picture is somewhat different.
A KPMG Audit Committee survey conducted in 2010 mentions that just 27% of boards encourage contrarian views and discourage groupthink, 64% do it somewhat and 9% do not accept different viewpoints at all. As I had mentioned in a previous post, the Satyam fraud case portrays the board’s failure to exercise judgment. Although Satyam’s board consisted of renowned personalities, the Central Bureau of Investigation report stated –
“The members of the Board of Directors had acted as “rubber stamps”, unwilling to oppose the fraud. Not a single vote of dissent has been recorded in the minutes of the Board meetings.”
Moreover, the lack of personal accountability in independent directors’ mindset was apparent after Satyam fraud came into light. In a short period, subsequent to the disclosure of fraud 109 independent directors voluntarily resigned although their term had not ended, fearing being held liable for fraud or non-detection.
The SKS Microfinance case is another example of the extent to which the board will not raise issues. CEO Suresh Gurumani was fired at the behest of the Chairman Vikram Akula. Eight of the ten directors voted in favor of his termination, the other two were absent, although the CEO had no previous performance issue.
The situation is similar across the world. The Enron, WorldCom or Swiss Air failures reflect the boards’ ineffectiveness. They are not exercising their powers judiciously for the benefit of the shareholders. In my opinion, audit committee members and other board members can do much more by challenging the viewpoints of the CEO and his/her team.
5. Evaluation of Finance Function
Ensuring the integrity of financial statements is one of the key responsibilities of audit committees. The members are required to review the financial statements with the external auditors before submission to the board. Just to give you an example, the Tata Motors 2010 corporate governance report defines the responsibilities of the audit committee in respect to financial reporting as follows:
“Reviewing the quarterly financial statements before submission to the Board, focusing primarily on:
- Compliance with accounting standards and changes in accounting policies and practices;
- Major accounting entries involving estimates based on exercise of judgment by Management;
- Audit Qualifications and significant adjustments arising out of audit;
- Analysis of the effects of alternative GAAP methods on the financial statements;
- Compliance with listing and other legal requirements concerning financial statements;
- Review Reports on the Management Discussion and Analysis of financial condition, results of Operations and the Directors’ Responsibility Statement;
- Overseeing the Company’s financial reporting process and the disclosure of its financial information, including earnings press release, to ensure that the financial statements are correct, sufficient and credible;
- Disclosures made under the CEO and CFO certification and related party transactions to the Board and Shareholders.”
Hence, it is crucial to evaluate the performance of finance function.
As I had mentioned in an earlier post, CFOs after CEOs are the most likely people to do accounting manipulations. CFOs either do it on their own or at the instigation of the CEO. Due to the nature of their role in preparation of financial reports, they are in the unique position to hide critical information, change accounting policies, pass dubious transactions and present false reports. A Satyam or Enron couldn’t have occurred without the CFO’s involvement.
Another aspect to look into is that the role of CFO has expanded and become more critical. CFOs are not only managing financial reporting, but also play a key role in strategy development, risk management and business monitoring. The question is what audit committees need to take into account to evaluate the performance of the finance function. Below are some pointers:
- Evaluate the role of the CFO in the organization to understand the functioning and power dynamics.
- Assess whether the CFO is able to maintain independence and hold his/her own position with the CEO.
- Understand the logic given for changing accounting policies and methods, entering into transactions that may not be arms-length and inter-group company transactions.
- Review the history of accounting frauds and manipulations, notices from regulatory agencies and industry specific risk impact on the organization.
- Evaluate the CFO’s relationship with external auditors to determine whether he/she is unduly influencing them. Obtain the CFO’s viewpoint on qualifications and disclaimers given by external auditors.
- Review the systems and processes used for maintaining accounts and preparing financial statements. Understand the finance department organization structure and segregation of duties matrix.
- Determine the CFO’s focus on cost control, risk management, cash-flow management, and acquisitions and mergers.
In my view considering the crucial role of CFOs, audit committees need to spend time understanding the various facets of finance function and gathering critical information to evaluate the integrity of financial reports. From the past corporate scandals, one cannot assume that audit committees are doing a good job at raising red flags and/or identifying accounting manipulations.
6. Nature of External Reporting
The present day hot topic of discussion is about the aspects audit committees should include in external reporting. As such, law requires that audit committees review the financial reports and related media releases. The question is, should audit committees ensure that a company sticks to minimal reporting requirements or should it go beyond them?
In my view, corporate governance is about building good and transparent relationships with investors, shareholders, creditors, public and regulators. Hence, information that contributes to a healthier relationship between management and other parties should be disclosed.
Let me explain my viewpoint. Taking the example of India, a number of listed companies are family owned and managed companies (for example, Reliance group, Tata group, Birla group etc.). Shareholders, especially the minority shareholders, do not have a significant say in the company. The perception exists that family owned groups sometimes do not invest funds for shareholder benefit and squander them on personal privileges. Moreover, Indian corporate laws are good on paper, but the regulation is not so great, though improving. Hence, Indian shareholders are a vulnerable lot. Additional information builds trust and confidence, as seen in the case of Infosys.
The business benefits for upholding transparency are huge.
- The market value of shares increases. Velocity of share trading is also higher than other companies.
- Financial institutions show a greater propensity to invest.
- Foreign investors – institutional and individual – are open to trading in the shares.
- The companies have lower legal and regulatory costs as regulators are comfortable.
- Customers prefer buying products from companies that are ethical and socially responsible, hence transparency impacts sales directly.
The most important job of audit committees and board members is to ensure that management aligns company and personal objectives with shareholder interests. If the company is doing bare minimum reporting then audit committee is not really keeping shareholder interests in mind. For instance, Grant Thornton report of UK companies’ corporate governance practices mentions that of the 303 largest companies in 2009-2010, just 11% of the chairpersons commented on the corporate governance practices.
In my view, audit committees should focus more on the extent and level of external reporting. To enhance shareholder confidence more details can be provided on functioning of board, and internal audit, finance and risk management departments. A discussion on organization objectives, strategy and evaluation parameters would also be helpful. An explanation about the external auditor selection process and fees would be beneficial. Lastly, the company’s efforts in fulfilling corporate social responsibility would provide an added advantage.
7. Information Available with Audit Committees
Besides the abovementioned activities, audit committee members are required to look into other aspects of the business also. For example, review – the utilization of funds through public issues, transactions that indicate conflict of interest, cases of suspected fraud, financial statements of subsidiary companies, political spending and overall compliance with regulatory provisions.
Normally audit committee members rely on getting information from board meetings, minutes of the meetings, discussions with external auditors, reports and discussions with internal auditors, fraud investigation reports, whistle blowing hotline investigation reports etc. However, the question remains – do audit committees get the real information to make informed decisions? A KPMG 2010 US survey report states that 77% of the audit committees are actively engaged in obtaining information.
However, I do not see the same occurring in India. At the time of the Satyam scandal, and more recently on formation of the new Companies Bill, there was a lot of discussion about the responsibilities of independent directors in respect to fraud or inaccurate financial reporting. The independent directors had complained that they are not privy to the internal workings and thinking of the organization, especially in the case of family owned groups, and hence that holding them responsible is not the right step. If one considers this view, then audit committee members are actually abdicating their responsibility.
Another issue to deal with is that audit committee members may lack industry expertise, hence may not know the questions to ask. In my view, audit committee members should use their right to hire an external consultant in case of doubt. Moreover, they should get additional information. A few pointers are:
- Obtain strategy and implementation plans.
- Review key performance indicators – financial and non-financial with status
- Interact with external and internal auditors of subsidiary companies directly
- Hold discussions with senior and middle managers of various business units where required
- Discuss with company secretary all legal and compliance challenges
- Discuss with ethics officer the key issues on maintaining code of conduct
- Discuss with fraud risk, information security and other risk officers the key issues they have faced during the year and their overall functioning.
- Review in detail all documentation relating to material transactions, acquisitions and mergers.
- Travel to other offices and locations to understand business operations.
This is not an exhaustive list; however, it will be beneficial in fulfilling audit committee members’ responsibilities better. Without gathering this information, the audit committee members would, in my mind, be doing superficial oversight.
8. Effectiveness of Risk Management Programs
The financial crises got the focus back on risk management. In the annual reports, boards are required to comment on the performance of the risk oversight function. The board has the responsibility to ensure that the organization’s risk management procedures are commensurate with the company’s risk profile. In most cases, the board delegates responsibility for risk oversight to audit committees, especially when the organization does not have a separate risk oversight committee.
Risk reporting is generally done in the business review section, though integrated reporting of risks and internal controls is being encouraged. As per Grant Thornton UK report, 63% of 350 FTSE gave detailed descriptions of risks and focused on operations risks. The question that comes up is how audit committees assess the effectiveness of risk management function and programs.
Let me take some of the challenges of risk management in the financial industry:
- Risk management is increasingly complex for financial institutions as it involves managing interlinked strategic, financial, operational and systemic risks
- Risk managers do not have sufficient authority and are frequently overruled by business teams. In few cases, they play a role in strategic decision-making.
- Risk managers do not have strong relationships with business teams
- Risk appetite is defined by the organization but data is so scattered that it is difficult to monitor when actual organization risk exceeds risk appetite.
During the financial crises some of the key examples were –
- Royal Bank of Scotland (RBS) acquired ABN Amro Bank without sufficient details. It faced quite a few unpleasant surprises later on.
- Lehman did not get timely funding as actual worth of CDOs was considered overestimated, hence had to file for bankruptcy.
- AIG faced challenges in finding an investment partner since it didn’t have financial systems for integrated reporting.
Still banks are increasing their risk profile in the coming year. Some may have improved the risk management function and reporting, while others may not have learnt their lessons.
In light of this, my question is simple. Are audit committees really in a position to comment and provide reliable assurance on effectiveness of risk management programs?
9. Assessing Risk Culture
Loud noises after major frauds and financial crises repeatedly proclaim the same thing – “The risk culture of the organization was wrong”. It all boils down to the culture of organization and the attitude of the management towards risk taking. When Wall Street bankers received bonuses after the crises, there was uproar in the government and public. The outcry was bankers should be penalized for excessive risk taking, and not rewarded for nearly collapsing the financial sector.
Hence, the question arises why doesn’t management do anything about the risk culture? The logic is simple if you view it from CEO/CXO perspective. Their performance is evaluated on the quarterly numbers they give in the financial reports. To give that incremental growth high risk taking is required. Building a risk culture requires a long-term commitment to reap rewards. While implementing a risk culture program, in the first year the performance might be lower as employees will not be as enthusiastic about taking risks. Moreover, most professional CEOs’ duration in a company is 4-5 years.
Considering these aspects it is not surprising that only a few are committing to building a risk culture. Though the corporate scandals have reduced investor confidence and resulted in closure of many organizations, the belief persists that they will not land up in the same soup. However, there is enough evidence that a high risk taking culture can nullify all the efforts of risk departments.
To counteract the effects of high-risk taking, proactive chief risk officers focus on building the risk culture. Their challenge is that regulatory guidelines ensure lip service and real commitment is missing. The question remains, can audit committees help them in doing so?
Audit committees in my view can assess the risk culture by focusing on:
- Remuneration of key personnel, including the bonus component linked to performance.
- Code of business ethics adopted and implemented by the company
- Analyzing the extent of reputation and regulatory risks the organization is facing
- Reviewing reported ethical breaches
- The amount of risk appetite board has determined it is willing to take to meet strategic objectives.
- The processes implemented to monitor risk appetite and key risk indicators
- Transactions entered that reflect conflict of interest to some degree.
In my view, audit committees can do much more to improve the tone at the top about risks. A continued focus from board members is likely to influence management in incorporating a good risk culture. A detailed explanation on the risk culture in the annual returns would be beneficial.
10. Internal Controls
Last but not the least, audit committees’ responsibilities include ensuring that the organization has an effective system of internal controls. In some countries including India, the board is required to state in the annual report that proper systems are in place to ensure compliance with all the applicable laws of the country. If it is not so, then they need to provide an explanation.
As you recall history, the focus on internal controls had increased worldwide after the spate of frauds (Enron etc) in US and subsequent introduction of Sarbanes Oxley Act. On that premise, one would assume that most companies would have vibrant internal control systems now. Though all companies report on internal controls, the Grant Thornton report states that in UK just 25% companies provide a detailed description on procedures adopted to evaluate the effectiveness of internal controls. Just 3 companies disclosed material weakness in internal controls. Hence, the quality of assessment of effectiveness of internal controls by audit committees comes in doubt.
Therefore, the question comes up – how do audit committees improve quality of assessment? Although regulations are more geared towards audit committees reporting internal controls on financial systems, a broader view covering operational and compliance controls is preferable. To do so, audit committees need to understand the business objectives, strategy, processes and information systems of the organization. This will facilitate them in understanding whether the organization is geared and equipped to deal with day-to-day operational problems. In the current environment, management requires real time information for decision-making and managing business operations.
After gathering the abovementioned information, audit committees would be in a position to assess whether:
- The right financial and operational areas were selected for internal controls review
- Procedures and practices followed for assessing internal controls were sufficient.
- Any areas require further review.
- The reported control weaknesses are material
In short, though audit committees are focused on ensuring organizations have proper internal control systems, additional work can be done to improve the confidence in the assessments.
Closing Thoughts
Audit committees are a critical tool for corporate governance. However, presently in my view they are not significantly effective. Hence, emphasis on working of audit committee can add value not only to the board but also to the investors and shareholders. It might appear a tall order, but ensuring that audit committee meetings are frequent, maybe monthly, would very much improve the performance. Worldwide, the corporate world needs to take this route to ensure better governance and build investor confidence.
I rest my argument here; share your opinion with me.
References:
- Economic Times article – “Can the big four survive a break-up attempt”
- Evolution and effectiveness of independent directors in Indian corporate governance – by Umakanth Varottil, Faculty of Law, National University of Singapore
- Grant Thornton 2011 Chief Audit Executive Survey – Looking to the future: Perspectives and trends from internal audit leaders
- Grant Thornton 2010 Report on UK
- Corporate Governance in India – Evolution and Challenges by Rajesh Chakrabarti College of Management, Georgia Tech
- Tata Motors 2010 Corporate Governance Report
- KPMG- Highlights of the 6 Annual Audit Committee Issues Conference 2010
Achieving Excellence by Becoming a Learning Organization
Posted by Sonia Jaspal in Management, Organization Culture on January 19, 2012
When we wake up in the morning to read a business newspaper, the headline that grabs our attention is that a high-profile company has gone bankrupt. Companies with a reputation of infallibility just sink like the Titanic. Flawless legacies tarnish overnight. Being in the Fortune 500 list does not guarantee continuity in the next decade. Against this backdrop, the burning question is how do organizations mitigate the risk of failure, avert crippling blows and become impregnable fortresses of resilience and growth?
To complicate matters further, classic business models are losing relevance. The business environment and global dynamics are changing fast. It is obvious that resilient companies will sustain and grow, while others will die a sudden or slow death. Learning from the changing environment is the key for success. As Charles Darwin said – “It is not the biggest, the brightest or the best that will survive, but those that adapt the quickest.”
Companies that learn to adapt quickly to the changing environment will succeed. Organizations with thousands of employees can’t wait for the CEO to lead, direct and react. The empowered frontline leaders make the difference in an organization’s success and failure. In learning companies, they become catalysts for change. Hence, the question is how an organization can achieve excellence by becoming a learning company. Below are some of the advantages of becoming a learning organization. Read on and discuss with me your viewpoints.
1. Build the corporate DNA
The Egyptian revolution taught one major business lesson – anyone can lead and be a change agent. For leading one doesn’t require a hierarchical structure supporting a leader, any formal authority or support of an organization. A person needs a good idea and strong influencing skills. That’s it.
Moreover, in the present organization structures the organizational boundaries are collapsing. There is no way to focus on an aspect in isolation, as everything is interlinked. For example, risk appetite calculation is not just a mathematical analysis, as it is highly dependent on the organization values and culture. Organization behavioral psychology influences risk culture.
It is apparent that organizations with hierarchical autocratic culture will lose the game to the socially networked organization. Social networks have made it easier for organizations to communicate vision, values and focus on culture. It allows multifunctional teams to work together and each employee can actively participate in the discussion.
Establishing the processes, systems and thinking pattern of learning organizations will facilitate organizations into building cultures that are more transparent. It helps companies break silo mentality, challenge groupthink and create an environment for employees to cope with change. The time has come for collective leadership.
2. Prepare plans in detail with failure scenarios
As Anon said – “Destiny is not a matter of chance; it is a matter of choice.” The age-old practice of senior management rolling out the strategic plan will soon become passé. Though presently, as I had earlier mentioned from the McKinsey report, just 6.5% of the organizations have a proper strategic planning process. Around 20% are just consolidating different business units’ numbers for the strategic plan. This doesn’t work in the long run.
To succeed one has to plan in detail with all possible failure scenarios. For instance, Bill Gates wrote “nightmare memos” describing various failure scenarios even when Microsoft was doing well. Paranoia is good. When a company prepares for each of the assumptions of strategic planning going wrong, it devises alternative strategies in advance to quickly change track in emergency situations.
Learning organizations gather information on business opportunities and failure scenarios from all possible sources at local and central level. They have a better understanding of the local and global issues and this puts them in an advantageous position. Second aspect is with double loop reporting, the senior management promptly gets information about assumptions going wrong, failures and successes. This allows them to leverage opportunities, mitigate risks timely and change tracks where required.
3. Change at strategic inflection points
With the rapidly changing environment, one of the bigger challenges is to differentiate between the noise and strategic inflection point. Nonconforming for the sake of being different doesn’t amount to leveraging strategic inflection points. As Andy Grove said in the book ‘Only the Paranoid Survive’ –
“A strategic inflection point is when the balance of forces shifts from the old structure, from the old ways of doing business and from the old ways of competing, to the new. Before the strategic inflection point, the industry simply was more like the old. After it, it is more like the new. It is a point where the curve has subtly but profoundly changed, never to change back again.”
The computer industry faced a strategic inflection point in 1980’s when from vertical industry it became a horizontal industry. However, quite a few big names failed to understand the changing face of the industry.
Thousands of individual events contribute to the transformation of an industry. The organizations that capture information of these individual events and get the bigger picture from putting the various pieces of jigsaw puzzle together have the upper hand. In learning organizations, employees are used to challenging the status quo and are wired to learn new stuff. They identify trends, changes and transforming events faster than the hierarchical organizations. Hence, organizations benefit by not reacting to the noise, but changing at strategic inflection points.
4. Innovate to implement & gain competitive advantage
Intellectual capital consists of organization, human and social capital. It gives organizations a competitive edge by encouraging a culture of innovation. Organizations hit a home run, as innovation gives companies the first mover advantage and puts them ahead of the pack. As shown by Apple, intellectual capital and innovations add to the market value of the organization. Failure to innovate slowly erases the company from customers’ minds. An organization not only needs ideas, it needs a culture that transforms those ideas into products.
This underscores the importance of being a learning company. The rate at which an organization learns may become the only differentiating factor for giving an organization competitive advantage. Hence, knowledge management has become critical for success. Organizations need to capture explicit and tacit knowledge. Companies that have effective knowledge management systems and an environment for innovation are more flexible, adaptable and creative.
Learning companies have processes, systems and structures in place that allows them to leverage collective intelligence. As individual employees’ knowledge on customers, suppliers and other relevant stakeholders is systematically captured, therefore value creation improves. As human and social capital is hard to imitate it becomes a valuable source of competitive advantage. Innovation in products and services adds to the bottom line.
5. Avoid psychic traps, rely on data
Success often results in C-suite wearing rose-tinted glasses and from their comfort zone tell happy stories for the future. These organizations might be operating real-time but may not be living in the real world. Psychic traps make it difficult for organizations to confront brutal facts, be straightforward and decipher the data.
Additionally, hierarchical structures with command and control environment reinforce the thinking – the boss is always right. If someone challenges the status quo, they get hushed up and told – this is the way things are done out here. Moreover, when C-suite does mandate change, it results in failure since no one wishes to discuss the real problems and most nod their head in obedience. These change programs don’t get commitment, they get compliance, hence are mostly unsuccessful.
In learning organizations, business intelligence plays a vital role in decision-making. Management and employees rely on data, not individual hunches and intuitions. Secondly, companies adopt a two-pronged approach for information exchange and decision-making. Employees don’t expect C-suite to have all the answers. They take ownership for leading at local levels, gather requisite business intelligence and commit to change, as they are personally involved in organization success. Hence, the advantage is that no one can have distorted reality for a long enough duration to cause extensive damage.
6. Deliver consistent performance
Some organizations’ market value graph depicts a sea wave – goes high and low for some time then flattens out. These organizations work on the mental model of quarterly earnings and making quick bucks. They try to capture the short-term gains at the expense of long-term benefits. As Sun Pin in ‘Art of War’ stated -
“If you abandon your armor and heavy equipment to race forward day and night without encamping, covering two days the normal distance at a time, marching forward a hundred kilometers to contend for the gain, the Three Army generals will be captured. The strong will be the first to arrive, while the exhausted will follow. With such tactics only one in ten will reach the battle site.”
Apple exemplifies the case of a long distance runner. After Steve Jobs’ return as CEO in 1997, Apple didn’t grow rapidly immediately. The company invested in research and development of new products. The market value started showing an upward trend after five years, and reached its pinnacle before Jobs’ death. The company worked on long-term plans and improved step-by-step.
Learning organizations as part of systems thinking focus on long-term goals versus short-term goals. Their aim is on the whole, not individual parts. These companies survive in turbulent conditions as they show different behaviors though the circumstances may be the same. Consistency is the name of the game. They neither blindly rush to adapt to each change in business environment nor fail to make changes where required. They focus on showing consistent performance in earnings report and not spectacular successes and unimagined failures.
7. Make learning fun
In the present business environment, John F. Kennedy’s statement holds true –“Learning and leadership are indispensable to each other”. Leaders must become master learners and create an environment of continuous learning within the organization.
In autocratic and bureaucratic organizations the two statements that sound the death knell of an employee’s career are – “I don’t know” and “I made a mistake”. The blame game is so intense on failure that employees are petrified to try out new things and follow procedures even if they don’t make any logical sense. Organizations cannot survive in a culture of fear and defensiveness. More disasters occur when no one speaks up in time to question the plans and/or deliver the bad news.
On the other hand, learning organizations give people a platform to learn, unleash their passion and creativity. The shared values and visions allow them to discuss a number of bad ideas to arrive at a few good ones. Individuals feel responsible for fixing their own areas and don’t wait for top management to address problems. Learning becomes fun and inspiring. As Peter Senge said – “People talk about being part of something larger than themselves, of being connected, of being generative.”
Closing Thoughts
Becoming a learning organization is not an option any more; it is a mandatory requirement for success. At this business juncture, seeing the exponential change due to globalization, advanced technology and economic downturn, acting out from an old script isn’t going to help organizations. The organizations that are aiming for the biggest honey pot need to incorporate the core concepts of learning organizations within their culture. Else, they might tank anytime.
Comments on Basel Committee’s consultative paper – The Internal Audit Function in Banks
Posted by Sonia Jaspal in Audit, Compliance, GRC Dept. Functioning, Risk Management on January 10, 2012
The Basel Committee on Banking Supervision issued a consultative paper on the internal audit functions in banks comprising 20 principles. This is a revision of the 2001 document and aims to promote a strong internal audit function and supervisory guidance of the function in banks. This is definitely a step in the right direction, however it still fails to address some of the critical issues apparent during the financial crises. Below are some of my observations that may help the function to become stronger and more effective. I am being a devil’s advocate out here and invite you to debate with me on these aspects.
1. Independence and objectivity of internal auditors
Principle 2 of the paper covers independence and objectivity of internal auditors. Point 15 mentioned below discusses the remuneration of internal auditors.
“The independence and objectivity of the internal audit function may be undermined if the staff’s remuneration is linked to the financial performance of the business line for which they exercise internal audit responsibilities or to the financial performance of the bank as a whole.”
My contention is that internal auditors within the organization can never be fully independent as their job, salary and bonuses are decided by the CEO/CXO. However, internal auditors/ risk managers face the dilemma of getting appraised at year-end for being good critics of the decisions taken and work done by CXOs/CEO. Hence, there is high possibility of being unfairly appraised on issuing strong reports. Senior managers may turn vindictive. This impacts independence as job, salary and bonus is dependent on senior management feedback.
The second aspect is about how internal auditors/ risk managers should be given bonus. Should they be given stock options like other employees? The committee paper “Principles of enhancing Corporate Governance” states -
“Banks should take other steps to better align compensation with prudent risk taking. One characteristic of effective compensation outcomes is that they are symmetric with risk outcomes, particularly at the bank or business line level. That is, the size of the bank’s variable compensation pool should vary in response to both positive and negative performance. Variable compensation should be diminished or eliminated when a bank or business line incurs substantial losses.
Compensation should be sensitive to risk outcomes over a multi-year horizon. This is typically achieved through arrangements that defer compensation until risk outcomes have been realised, and may include so-called “malus” or “clawback” provisions whereby compensation is reduced or reversed if employees generate exposures that cause the bank to perform poorly in subsequent years or if the employee has failed to comply with internal policies or legal requirements.”
Now my question is, if it is later discovered that internal audit function failed to identify some control lapses and risks that resulted in huge financial losses to the bank, should their bonus/stock options be reduced subsequently? My view is yes, if they are receiving stock options and failed, then they should be withdrawn. However, if possible their compensation should not have a high variable component.
Lastly, rotation of internal auditors, a point that I consider relevant for maintaining independence is not covered in the paper. Depending on the size of the bank, internal audit function key staff should be rotated to other subsidiary organizations or different functions every 3 to 5 years. Here the logic is same as applied to external auditors, with deepening business relationships objectivity may be compromised.
2. Regulatory Compliance for Capital Adequacy and Liquidity
Principle 7 mandates that “internal audit function should ensure adequate coverage of regulatory matters within the audit plan.” One of the critical points covered relates to capital adequacy and liquidity assessment. The scope of audit should check compliance to regulatory framework and assess the adequacy of capital resources in relation to bank risk exposures and minimum ratios.
From a banking perspective I believe this is the crux of ensuring applicability of going concern concept for banks. As seen from the financial crises, the banks that failed basically had insufficient liquidity.
My argument here is about what happens when internal audit function does mention the problems in the report. Let me take the case of RBS failure. RBS faced liquidity crunch as the CEO had taken a strategic decision towards “capital efficiency” due to which it heavily relied on wholesale funding. As per the report “the main weakness was the firm’s use of a 96% confidence interval in its assessment of how much capital it should hold, rather than the ‘standard’ 99.9%.” Secondly, the Supervision team was “concerned that the firm was underestimating the amount of capital that should be held.” The internal audit report also highlighted a few weaknesses relating to capital adequacy. A long term plan was developed to improve capital adequacy, however no change in capital efficiency strategy was envisaged.
Now my question is, in this scenario where internal audit function highlights key gaps and the same are ignored, what should be done? The FSA report on RBS failure states that no legal action can be taken as -
“There is neither in the relevant law nor FSA rules a concept of ‘strict liability’: the fact that a bank failed does not make its management or Board automatically liable to sanctions. A successful case needs clear evidence of actions by particular people that were incompetent, dishonest or demonstrated a lack of integrity.
Errors of commercial judgement are not in themselves sanctionable unless either the processes and controls which governed how these judgments were reached were clearly deficient, or the judgements were clearly outside the bounds of what might be considered reasonable. The reasonableness of judgments, moreover, has to be assessed within the context of the information available at the time, and not with the benefit of hindsight.”
According to the report, if senior executives ignore the internal audit reports and thus the firm suffers huge losses and goes bankrupt, they are not really legally liable. In my view, this is a flawed approach and encourages high risk taking since there is no downside to bad decisions.
My suggestion might raise a few eyebrows, nonetheless I think it is required to avert further financial crises. A few penal clauses should be incorporated in the guideline that ensures high risks/ control gaps are addressed by senior management. If senior management/board chose to ignore high risks they can be penalized by removal and/or not getting a similar position in any other bank.
3. Review of Internal Audit Function by Board
Principle 9 mentions responsibilities of board of directors and senior management in respect to internal audit function. Para 43 states that -
“At least once a year, the board of directors should review the effectiveness and efficiency of the internal control framework based, in part, on information provided by the internal audit function.”
My contention is that an annual review is too little. Keeping in view the dynamic banking environment and global impact review of internal control framework for banks should be done quarterly. If not, at least it should be done half yearly.
Additionally, para 72 states that -
“Supervisory authorities should receive periodically (e.g., on an annual basis), or upon request, the main internal audit findings and recommendations as well as the corrective measures taken or to be taken in response to the weaknesses identified, in the same way the audit committee is informed.”
My view is the same here, it would be best to review the observations and weaknesses quarterly. An annual review would be historic and no corrective action would be possible.
4. Impact on bank’s Risk Profile
Principle 19 states that “supervisory authority should consider the impact of its assessment of the internal audit function on its assessment of the bank’s risk profile and on its own supervisory work.” In para 92 it further adds -
“Where remedial actions cannot be agreed upon or where the bank faces ongoing delays in remediating the identified weaknesses, the supervisory authority should consider the impact of this on the bank’s risk profile.”
A good example of this case is the CitiBank Rs 400 crore fraud (USD 76 million) conducted by employee (now ex) Shivraj Puri. The fraud case was filed with Gurgaon police in 2010. An internal report of Citi Security and Investigative Services (CSIS) was submitted five months before the date of police case filing. Moreover, unusual activity in Shivraj Puri and his wife’s account was detected in its initial stages in 2008 by fraud risk management team. The media report states that senior officials were aware of it, were involved in discussions, however did not take any action.
My argument here is the same as given in point 2. If there is failure to act on high-level risks, especially fraud risks, senior management/board can be treated as accomplice to the fraud. Hence, the guideline should include a few penal clauses on failure to respond timely on identified risks and control gaps.
Closing thoughts
The framework fortunately does not subscribe to the COSO definition of internal controls and covers strategic risks. It also provides detailed guidelines on a number of aspects, including outsourcing of the function and managing the function in subsidiaries.
However, my view is that the guideline should be more stringent and include a few penal clauses. This might raise questions, as the guideline cannot replace the laws of the country. I understand that, so even a recommendatory guideline would be helpful. The logic behind this suggestion is that financial crises occurred due to bad decisions and high risk taking. It is unlikely that internal auditors/risk managers of the banks were entirely clueless about the high risks. In all probability, management chose to ignore those warnings, hence the crash. Therefore, to avoid a similar disaster, some measures need to be incorporated to ensure that management/board cannot override high impact risks that exceed the risk appetite/tolerance of the bank without being personally liable and accountable.
Comments on COSO revised Internal Control – Integrated Framework
Posted by Sonia Jaspal in Audit, Compliance, Corporate Governance, Enterprise Risk Management, GRC Dept. Functioning, Risk Management on January 5, 2012
COSO released the draft exposure of “Internal Controls – Integrated Framework” in December 2011 for public comments. The new framework still focuses on the five components of control described in the previous 1992 framework. The major change in the new framework is the explicit description of 17 principles. These describe the fundamental concepts related to the five controls.
The good aspect of the revised framework is that it has incorporated changes in business environment due to globalization, technology and governance regulations. It is more detailed than the original, hence gives a better understanding on a broad level. However, I still felt that some of my pet peeves with the previous framework remain unaddressed. Secondly, there are a couple of concerns regarding the practical application of the principles. I am covering some of my concerns below. Share your opinion with me, whether you agree or disagree and what changes would you suggest?
1. Definition of Internal Control
This is an old grouse: I am not in complete agreement with the internal control definition given by COSO. In the current version I was hoping some changes would be made, but the definition remains the same. COSO defines internal control as:
“Internal control is a process, effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives in the following areas:
- effectiveness and efficiency of operations
- reliability of reporting
- compliance with various laws and regulations”
“Operations Objectives – These pertain to effectiveness and efficiency of the entity’s operations, including operational and financial performance goals and safeguarding assets against loss.”
This according to me excludes the major portion of management issues. In an organization, the flow in linear form is as follows:
Top Management > Strategy > Culture (People) > Finance > Process > Technology.
Most business failures and large-scale frauds – Enron, Swiss Air, Olympus, Satyam – occurred due to failure of top management, incorrect strategies or deviant/aggressive cultures. Only in rare cases did a major fraud occur solely due to process or technology failure.
Additionally, the framework states in the Risk Assessment section: “However, identifying and assessing potential opportunities is not part of internal control.” Hence, the upside risks are excluded from the assessment. In present day organizations, processes established for strategy, innovation, research and creativity give them competitive advantage. Without these, organizations cannot be said to be operating effectively, as they are leaving a lot of cash on the table. Hence, isn’t it misleading to give an assurance of effectiveness and efficiency of operations based just on assessing coverage of downside risks in finance, business and technology processes? Would it be more appropriate to replace “effectiveness and efficiency of operations” with “adherence to established operation processes”?
2. Impact of Organization Culture
The COSO framework mentions the focus on internal control culture under “control environment.” It states:
“Control environment is sometimes seen as synonymous to internal control culture, in that elements that make one strong, such as integrity and ethical values, oversight, accountability, and performance evaluation, make the other strong as well.”
My concern is that internal control culture cannot be considered in isolation of organization culture. Aggressive, passive-aggressive, consultative, etc. organization cultures have an impact on internal control environment. For example, in a deviant organization culture management override is significant. Hence, an internal auditor or a risk manager cannot assess the risks without understanding the overall organization behavior and attitudes.
Therefore, in my view, the framework should cover on a broad level the types of organization culture, the risks associated with them and the methods to assess them. Though this may come under organization behavioral psychology, a high-level understanding is required to conduct a proper assessment of the internal control environment.
3. Strategic Risks
The COSO framework is focused on risks that threaten operations and regulatory requirements. It does not cover strategic risks unlike the ERM framework. Moreover, it does not even cover the process of strategy formation. As I had mentioned in earlier posts on strategic risks, strategies frequently fail due to the organization having inadequate strategy formation processes.
The issue becomes even more debatable considering the following statements given in the framework:
“Objectives - how management will create, preserve and realize value for its stakeholders”
“Setting objectives is a key part of management and a prerequisite to strategic planning”
“Operations objectives relate to achievement of entity’s basic mission – the fundamental reason for its existence”
A good strategy basically protects the capital and generates earnings. Hence, evaluating internal controls on strategic planning process is critical to ensure management is maximizing value for its stakeholders. The fundamental question to ask is – without a strategy, can management do so?
The framework further mentions -
“Internal control cannot prevent bad decisions or judgments being made. It can only ensure management is aware of the direction entity is following.”
Hence, to me this sounds more like an assurance being given that “nothing is majorly wrong” instead of “everything is working properly”. To highlight my concern, let me give an example of Infosys. The company has recently entered into an agreement with an Australian company, Portland Group Pty, to acquire it for Rs 180 crore (USD 34 million). However, investors have complained previously that Infosys management is extremely conservative on acquisitions and mergers, as it has cash reserves of Rs 18,601 crore (USD 3509 million) as on 30 Sep 2011. In this scenario, can one say that Infosys is efficiently using its cash resources and maximizing shareholder value? Maybe a broader outlook is required for business management.
4. Miscellaneous
Some other aspects that I felt the framework needs to focus on are:
1. Linkages and relationship with Internal Control and Enterprise Risk Management Framework
2. Linkages and relationship with the technology controls mentioned in COSO framework with COBIT framework.
3. Though now there is some coverage on calculating benefits of internal control and conducting a cost-benefit analysis, more details on benefits would be useful.
4. A chapter on the process to be followed for designing and implementing internal controls would be helpful. Presently, the major focus is on evaluating and assessing internal controls.
5. Principle 4 of control environment – “Demonstrates commitment to competence” – may be difficult for an internal auditor to evaluate. Can an internal auditor really evaluate competence of senior managers and be taken seriously when CAEs don’t even get a seat on the board? Hence, though it sounds good on paper, it may not be practical.
Closing thoughts
The framework is a step in the right direction and definitely an improvement over the previous one as it addresses the existing business environment risks. However, as the revision has come in after twenty years, one would expect it to be more progressive by projecting the trends in the business environment, and guiding on internal control issues envisaged in future. My question is – do you think with the changing business environment this framework will be relevant five years down the line?
References:
- Internal Controls - Integrated Framework
- Infosys News


