Fraud Risk Management in Ancient India

Presently, the Serious Fraud Investigation Office of India lacks sufficient powers to initiate investigations and prosecute. The Central Bureau of Intelligence isn’t independent, due to which politicians escape prosecution for corruption and money laundering. The Economic Crime wing of the Indian police force doesn’t have expertise in dealing with electronic and financial frauds. The legal system is pathetic and takes a long time to prosecute white-collar criminals. India has a shortfall of trained fraud investigators, as it hardly has any courses for students in this line.

All these aspects may make you think that Indians are new to the concept of fraud risk management. This is far from the truth. Kautilya addressed financial fraud risks in the 4th century BC, and most of his concepts are still used today. Let me narrate some of the concepts he formulated in those times.

1.      Formation of a Central Investigation Agency

Kautilya proposed a central investigation agency for a kingdom to do espionage work. A network of spies located in different parts of the kingdom reported information to their handlers. The handlers in turn checked the authenticity of the information from three sources and, if it was correct, reported it to the agency. The spies did not have direct contact with the agency, so as to conceal their true identities.

Spy selection depended on character and social position. Spies were recruited from all sections of society. Spies were positioned in all the departments and commercial ventures of the king to ensure that the heads of the departments did not abuse their power or cheat the king. Women were considered particularly useful to penetrate wealthy households to get the inside story. In current India, there is a scarcity of female fraud investigators, as it is now considered a masculine job. However, in ancient India, women investigators and spies were quite common.

2.      Types of Financial Frauds

Kautilya identified 40 ways of embezzlement. Some of them are mentioned below:

  • Overpricing and under-pricing of goods
  • Incorrect recording of quantity of raw material and other stocks
  • Misappropriation of funds
  • Teeming and lading
  • Misrepresentation of sources of income
  • Incorrect recording of debtors and creditors
  • Incorrect valuing and distribution of gifts
  • Inconsistency in donations and distributions for charity
  • Misappropriating goods during barter exchange
  • Manipulating weights and tools for measurement
  • Misrepresentation of test marks or the standard of fineness (of gold and silver)

It is interesting to note that Kautilya mentioned most of the frauds that occur in accounting and preparation of financial statements. It shows human psychology has remained the same. However, in India the value system has deteriorated, which has resulted in increased fraud and corruption. In olden times, the value of honour was held high. For example, the prime thought in Hindi was – “prann jiye pur vachan na jiye” (meaning – it is better to lose one’s life than to go back on a verbal promise given).

3.      Mechanism for Investigation and Punishment

The investigation process was quite similar to the current process followed. Information was initially gathered regarding the fraud from informants, spies, whistle blowers and audits. Background information of the suspects was gathered by sending spies to their residence and business premises.

Subsequently, the people involved, the suspects and witnesses were interrogated. Kautilya suggested separately examining “the treasurer (nidháyaka), the prescriber (nibandhaka), the receiver (pratigráhaka), the payer (dáyaka), the person who caused the payment (dápaka), the ministerial servants of the officer (mantri-vaiyávrityakara)” for financial frauds. If any person lied, s/he received the same punishment as the main culprit.

Another fascinating aspect is that India does not have any law similar to the whistle blower provisions of the Dodd Frank Act. However, Kautilya proposed – “Any informant (súchaka) who supplies information about embezzlement just under perpetration shall, if he succeeds in proving it, get as reward one-sixth of the amount in question; if he happens to be a government servant (bhritaka), he shall get for the same act one-twelfth of the amount.”

The punishment for fraud depended on the nature and value of fraud. It ranged from nominal fines to death penalty. The victim was compensated for the losses suffered.

Closing Thoughts

The processes proposed by Kautilya for fraud detection were followed even until Mogul rule. However, these were dismantled during British rule as the Indian Penal Code was formulated. The difference with Mogul rule was that the Moguls settled in India, marriages took place between Indian royalty and Mogul rulers, and the culture got integrated over time.

The British came to rule for economic purposes. They wished to take advantage of India’s natural resources and vibrant economy. They levied their own rules and did not integrate them with the Indian culture. Hence, over time the Indian value system was lost or kept in name only. Over time, as the British education system remained in use even after independence, a split ethical value system developed between personal values and business ethics. Therefore, corruption increased in the business environment till it became all-pervasive in society. It is going to take a lot of effort to change the system now. No short-term solutions will work.


Accounting and Auditing in Ancient India

Professionals want to know the origin of their profession, the work done in olden times and the level of knowledge. I thought of sharing with you the history of the Indian accounting and auditing profession. I discovered in Kautilya’s Arthshastra that it existed in ancient India in the 4th century BC. Therefore, my guess is that it would have originated at least a few centuries earlier. The accounting principles and standards used in the present century are similar to those that existed in the 4th century BC. This nugget of information may have surprised you.

Broadly, Kautilya’s Arthshastra covers accounting principles and standards, role and responsibilities of accountants and auditors, the methodology of accounting, auditing and fraud risk management, and the role of ethics in managing financial activities. Let me share some of the concepts with you in the next couple of posts.

1.     Maintenance of Accounts

The accounting financial year was fixed as the July-June period, with a full process for closure of accounts and their audit. It covered the method of consolidating the accounts from various departments of the government to assess the net income and loss. The accountants were required to furnish the completed annual accounts to the head office in mid-July. Delay and/or failure to do so attracted financial penalties.

2. Classification of Receipts

Kautilya states that “receipts may be (1) current, (2) last balance, and (3) accidental (anyajátah = received from external source).” In it, he differentiates between cash receipts and debtors, current and accrued income, income from other sources, windfall gains, and recovery of bad debts. He recognized the concept of risk and suggested different rates of interest for loans. Foreign trade loans attracted the highest interest, as the returns were uncertain.

3. Classification of Expenditure

Expenditure classification was similar to receipts classification and included the differentiation between capital expenditure and revenue expenses. Kautilya described it as – “Expenditure is of two kinds—daily expenditure and profitable expenditure.” The difference between income and expenditure was termed as “net balance”. He insisted on making long-term investments in construction and other works as these would generate profits over a period. It also entailed keeping track of work in progress.

4. Role and responsibility of accountants

A hierarchical organization structure of senior to junior accountants existed within the king’s treasury function. The accountants maintained books of accounts on an annual basis according to prescribed standards. The same were furnished for audit at year-end. Kautilya suggested good salaries to accountants and auditors as high income would keep them ethical. Accountants would be more prone to commit fraud if they earned very little.

5.     Segregation of Roles of Treasury and Auditor

The fascinating part of Kautilya’s approach was that he recognized the conflict of interest between the finance and auditing functions. He categorically stated that the head of finance and the head of audit should independently and separately report to the king. He recognized the possibility of collusion between the two. In India, in the government, the Comptroller General of Audit and the Ministry of Finance are two separate functions. However, in the corporate world, in quite a few companies the chief audit executive still reports to the chief financial officer rather than the chief executive officer.

6.     Building an Ethical Culture

Kautilya believed that character reflected an individual’s personal values and that the learning of ethical values must commence in childhood. Even for an adult, ethical conduct was as important as professional skills. He proposed measures to build an ethical climate in the kingdom. However, he was practical and recognized the potential for corruption. In accounting, he talked about misstating financial statements due to abuse of power and fraudulent reporting. He devised a system of reward and punishment to ensure compliance with rules and regulations.

7.     Verification and Auditing of Accounts

The concept of continuous monitoring, periodical auditing, verification and vouching existed in ancient times. Checks were done daily and periodically (five nights, pakshás, months, four-months, and the year). The attributes used in the present day for verifying income and payment vouchers were also used in earlier times. Interestingly, each department had spies to provide information and report wrongdoing to the seniors. There was a full process for discovering fraudulent transactions and punishing accountants for misstating financial statements. I shall cover that in the next post.

Closing Thoughts

Kautilya prescribed an accounting theory that included bookkeeping, preparation of financial statements, auditing and fraud risk management. He considered accounting an integral part of economics. Various kingdoms in India used his work until the 15th century AD, i.e. before colonial rule. I am not aware whether a similar level of knowledge existed in other parts of the world before the Christian era. If you do have information, please share it with me. It will be an enthralling journey into the past.


Auditors Criticise Without Value Addition

This is my 251st post and it feels good to have written so many. So I thought of dealing with a difficult and sensitive topic for auditors. The corporate world views auditors with jaundiced eyes and auditorville has a bad reputation. Scott Adams in his book “Thriving on Stupidity in the 21st Century” humorously described auditors in the following paragraph:

“Auditors get more respect and more bribes than accountants. That is because auditors are relatively more dangerous. Auditors are generally plucked from the ranks of accountants who had very bad childhood experiences. The accountants who don’t go on to become serial killers have a good chance of becoming successful auditors.”

The reputation comes from doing post mortems, writing long reports on deficiencies and criticizing the work of business teams. No one likes a critic and especially not those who do not do any value addition. So where are we going wrong?

1.  Criticizing Makes an Auditor Successful

The common perception is that the more faults an auditor finds in an audit, the better the quality of the audit. This is driven by the fact that some audit departments have a key performance indicator on the number of observations. If there are no observations or weaknesses, the audit quality is taken to be poor. Let me mention an old story here.

A couple was riding a donkey to reach their village.

Two passers-by saw them and said – “Poor donkey, has to take the load of two humans.”

The husband heard the comment and got off the donkey. Further on, two passers-by saw them and said – “See, the wife is sitting comfortably on the donkey and the poor husband is walking on the road.” The wife got off the donkey and made her husband sit on it.

After a few kilometers two spectators said – “See what the world is coming to, no chivalry. Man is riding the donkey and the poor woman is walking.” Now both husband and wife started walking along with the donkey.

Then another set of bystanders said – “See the idiots, both are walking and no one is riding the donkey.”

The purpose of audit is to provide assurance on the process, not to find faults with it. For instance, last year you conducted an audit of the purchasing process and made ten observations. Will the audit of the same process be successful if you make 11 observations or nil observations? If the auditee implemented the previous year’s recommendations, then they should not re-appear. If, without a change in process, you found new weaknesses, then it means the previous year’s audit was not done properly. Hence, criticism doesn’t make an audit a success or a failure. The quality of observations holds meaning.

2. My Way or Highway

The other presumption is that an audit can be done without much business knowledge; just a high-level understanding is required. This is really an incorrect view. I recall that in my training period I was assigned an internal audit client that flew helicopters. When I was doing bank vouching, I said to my colleague doing cash vouching – “Wish we were auditing a car maker, at least I know the cost of a car tyre.” I was checking the appropriateness of expenses, including repair and maintenance of helicopters, when I hadn’t seen a helicopter from a distance of five feet, let alone sat in one. Your guess is as good as mine on the quality of observations and value addition provided.

The big problem comes when, after doing an audit without business knowledge, we refuse to listen to the business teams when they say that the observations are irrelevant or incorrect. We don’t appreciate the different perspective of business teams and high-handedly push down our recommendations. Times of India mentioned a nice joke on this last Sunday.

Why did the chicken cross the road?

Plato: For the greater good.

Aristotle: To actualize its potential.

Darwin: It was the next logical step after coming down from the tree.

Nietzsche: Because if you gaze too long across the road, the road gazes back at you.

Buddha: If you ask this question, you deny your own chicken-nature.

Closing Thoughts

In the 21st century, auditors can’t hold a stick to beat the business teams all the time. The role has changed. With it, the skill set and approach need to change. If auditors are not able to give a better solution or process change, they should consider whether their criticism makes sense or not. Maybe the business needs to live with the control weaknesses and take the risks, because the costs of plugging them are very high. The observation and recommendation should provide value addition, either in the form of assurance or improvement. Else, a lot of expenses are incurred to cater to auditors’ egoistical viewpoints rather than seeing business viability.

All criticism and feedback on the blog is welcome. Please share your views.

Risk Managers Leadership Challenge

British Petroleum was recently fined US $4.5 billion for the Deepwater Horizon disaster in April 2010, the highest ever fine to date. The verdict implicated two employees for negligence. Similar news is coming in of regulators imposing huge fines on banks for their wrongdoings. The change in approach of regulators and law enforcement agencies sends a clear message – regulators won’t tolerate a lax attitude towards risk management. Organizations will have to pay through the nose if caught contravening laws and regulations. Therefore, risk managers have to pull up their socks and gear themselves for tougher times.

It is apparent that risk management approaches and practices that worked until 2011 will not work by 2015. Frequently, risk managers focused on self-preservation by blaming the top management for lack of support. They continued the silo approach and turf wars with other risk management departments at the expense of the organization. They escaped the majority of the blame for the debacles, as business was responsible for the risk management decisions. Risk managers’ role was recommendatory and supportive in nature; hence, the ball was never in their court.

1.     New demands from business heads

In my view, business heads will not allow this type of smooth sailing to risk managers now. They will hold risk managers accountable and responsible for the level of risk within the organization and for failure to prevent risk management disasters. In the current environment, risk managers need to focus on the following.

a)     Build risk awareness across the organization and spread the message to every employee of the organization.

b)     Maintain a risk register that captures internal and external risks at strategic, tactical and operational level.

c)      Ensure decisions are taken after giving due regard to risk versus reward parameters. Organization risks remain within the risk appetite.

d)     Guarantee complete compliance to all legal and regulatory requirements at a global level.

e)     Make risk management departments efficient and effective by managing costs and working with limited resources.

2.     Change in leadership style

Hence, it is crucial for risk managers to change their leadership style and take a deep look at the management practices they have followed to date. I know you would think that isn’t a big issue. I also thought along the same lines before I read Lisa Wiseman’s views on the multiplier effect of leadership. She is the author of the book – Multipliers: How the Best Leaders Make Everyone Smarter. I must say it is a revelation. She has divided leaders into two major categories – diminishers and multipliers. Multipliers use and amplify the intelligence of others, which results in a 2X effect. Unfortunately, diminishers use less than half the intelligence of those around them. Diminishers have the attitude that they are the smartest in the room, and hence do not leverage the intelligence of others. On the other hand, multipliers create an environment where the best thinkers grow. See the chart below to understand the ten sub categories.

3.     Risk managers diminish business teams

I understand that our first reaction is to believe that we are multiplier leaders. However, you will change your opinion on reading the details in the paper or on taking the accidental diminisher quiz (links below). The majority of us are somewhere on the spectrum between multiplier and diminisher. Here are some of the instances where risk managers show diminishing behavior:

a)     As risk managers sometimes we have focused on building large departments to show importance rather than deliver value.  We do so at the expense of other risk management departments who might be requiring the resources desperately.

b)     We use our positions politically to create a fearful environment among business teams. They believe all shortcomings and failures will be reported to senior managers and their jobs will be at risk.

c)      We use our limited knowledge of business operations to give advice to business teams without considering their viewpoints and thoughts on the same.

d)     We roll out risk management plans and initiatives without having any discussions with the business teams and people at lower levels that have to execute the plans.

e)     We believe without our personal involvement business teams cannot manage risks. Instead of training and educating business teams, we get involved in every small aspect.

Closing thoughts

If you read the five things risk managers have to do at the top of the page, it is clear that we need to cultivate multiplier behavior patterns. Nothing can be better than using twice the brainpower of a resource at the cost of one. Moreover, the multiplier effect will facilitate using the knowledge residing with business teams. It is only when business teams start thinking about risk management on their own that organizations will avoid disasters.

In the present environment, risk managers have to meet new demands with insufficient resources and knowledge. Do you think becoming a multiplier will address some of the problems? According to you what alternative approaches should be followed?


US Presidential Race – A Learning Board

A yearlong battle with approximately US $3 billion spent on it, and the verdict is the same. President Obama got re-elected; Republicans have a majority in the House and Democrats in the Senate. On the face of it, nothing changed. Even to maintain the status quo, it is a case of survival of the fittest. So here are some lessons risk managers can learn from the US Presidential race.

1.      Don’t rest on your laurels

President Obama was leading the race, and then he was complacent in the first debate. Romney gained advantage and in the last few weeks, the race was neck and neck. Once we achieve something, we tend to take it for granted. Over time, from peak status, we gradually and unnoticeably start slipping until the gap is huge. Then we are shocked on discovering we are not as good as we thought. As risk managers, we need to continuously manage risks and upgrade skills. We cannot take it for granted that risks will remain the same and everyone will see things in the same light.

2.      Use disasters to demonstrate skills

President Obama in 2008 used the financial crisis to demonstrate his leadership skills. In this election, he exhibited presidential capabilities during hurricane Sandy. The message to the public was clear: in crises he leads with calmness and control. He is on top of things. Risk managers must lead from the front to build trust and confidence in the business teams. They must not start the blame game when risk disasters occur.

3.      Cover the whole organization

President Obama won the elections due to his people-centric approach. He was the favorite among women, minority communities and the middle class. The Republican party’s upper echelons are white-dominated and Romney sounded pro-rich. He failed to address specific issues of the masses except the jobs shortfall. Risk managers, to build a risk culture and make risk management successful, you must spread the word at all levels of the organization. Communicating just with the top management is insufficient and ineffective.

4.      Negative messages work

This election saw the highest number of negative messages from both parties. Democrats and Republicans ran down their competitors. Pointing out problems with others’ strategies benefitted their game. Risk managers need to incorporate negative messages in their communication strategy. Sometimes giving strong messages of what can go wrong helps in changing minds. Secondly, communication has to be continuous, not periodical. To build the right culture, communicate daily.

5.      Define starting point clearly

Most of the problems President Obama faced during his first term were from President George Bush’s era. He took over an economy and country in distress. However, he made that clear to the public and did not take the blame for Bush’s bad decisions. In risk management too, on taking up a new role, clearly highlight the current status and previous problems. Define the starting point first before laying down the road map for progress. Don’t take blame or responsibility for predecessors’ problems.

Closing thoughts

President Obama’s first task is to address the fiscal deficit and that will lay the foundation of his second term. In his book – Audacity of Hope – he had inspired many to think beyond the present limitations and lead change. This term will define whether he will be remembered as a successful President. With his personal achievements, he has shown the world that most barriers can be broken. Risk managers can take that lesson from his life and work towards changing the organization’s risk climate.

Should Risk Managers Re-use Last Year’s Strategy?

Let me ask you a question. For 2013 planning, are you thinking of updating the 2012 annual audit plan or risk management plan? Alternatively, do you think major changes are required, and you need to start from scratch? While preparing the 2013 strategy or plan, you cannot afford to just tweak your previous plan and get by. You need to do the whole works and start with a plain sheet of paper.

Exactly why am I making such a bold statement? Let me explain. You must have read various surveys in which business teams state that risk managers and auditors are not addressing the business concerns. The thing is risk management practice is changing at a much slower rate than the external and internal business environment.

Below is a simple graph. The lines in real world would not be straight; I have just used it for the sake of convenience to illustrate my point.

1.   External environment

The external environment is going through a rapid change. This includes the social, cultural, political, legal, economic, technological, financial and competitive environment. The speed of change is so high that most organizations are failing to keep up. Hence, there are numerous upside and downside risks in the external environment that organizations are clueless about.

2.    Internal environment

Organizations attempt to make sense and adapt to the changes, however at a slower rate than the external environment. During a year, many organization changes take place. Changes occur in business strategy, objectives, policies, procedures, organization structure, roles and responsibilities, governance models, products, knowledge, processes, systems and technology. Due to these changes, the risks within the organization change. Numerous risks remain un-addressed when we do not consider the changes for preparing a risk management strategy.

3.    Risk management function

The risk management discipline as such is changing at a slow pace. If you recall, COSO issued “Internal Controls – Integrated Framework” in December 2011 for public comments. The internal control definition had not changed and only some areas were improved, though this was the first revision issued after 1992. COSO received so many comments that it now plans to issue the final version in 2013.

Within the organizations, the situation is the same. Risk management and audit functions are the last to change. While CEOs are demanding that they advise on strategic risks, very few are rising to the occasion. Even with five years of financial crisis and a slowdown of the economy, the surveys show limited improvement in the performance of risk management and audit functions. They haven’t leveraged the opportunity, leaped forward or made great strides. They are cribbing about the same old issues of lack of top management support instead of focusing on the changing business landscape.

Hence, the gap in risk managers’ and auditors’ knowledge of business risks is huge. If they are not tuned into the internal business environment, they leave some risks unaddressed. If they haven’t focused on the external environment, there are a number of unknown risks that can affect the organization at any time. Therefore, the annual risk management strategy and/or plan is ineffective if these aspects haven’t been considered.

Closing thoughts

The business environment risks can be best described in the words of Donald Rumsfeld, the former US Defence Secretary. He had stated at a press briefing relating to the increasingly unstable situation in post-invasion Afghanistan: “There are known knowns. There are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don’t know. But there are also unknown unknowns. There are things we do not know we don’t know.” Risk managers and auditors are in the same situation. Hence, strategy and plans have to be devised keeping this in mind. Start from scratch for the 2013 strategy.

Winner of the Competition of Bullshit Quotient Book

Thank you all for participating in the poll and the competition held in the post “A Book Review – Bullshit Quotient”. Over 100 people voted, mostly in favor of the views expressed by the author Ranjeev Dubey. Ranjeev has personally gone through the comments and chosen a winner. He has also expressed his thoughts on the various comments. Read below, as I am sharing an unedited version of his opinion.

“My thought as I read through the thoughtful comments posted by your followers was mainly at the high level of comprehension here. Why we nevertheless allow this endless repetition of culpable double speak is a moot question. Why this clear understanding of the reality on the ground does not translate into a program of change is another moot question. I can draw your attention to the following nuggets that I particularly liked:

“The business of the company is to deliver value to the stakeholders/shareholders. Everything else is incidental. All the stuff about delivering value to customers is BULLSHIT.” – M Seshagiri Rao

“Small practices often have no audit trail. Accountability is ensuring that you understand and carry out the actions of the law, with ethical and moral actions. So, the laws are there, [but] the government is in the hands of those who thrive on power, regardless of having the right to vote, that doesn’t even matter…”- Joanne McNamara:

“As a cynical private investigator I have found that the bigger the lie, regardless of the circumstances, simply means that there are more persons involved.” – Jeff Moy

“To add to the misery, a nation in need of an inspiring dream, is fed the empty corporate drivel”. – Amey Kawale

But at the end, the prize goes to the one who goes beyond the points made, to the next level so to speak. And for me, the winner is:

“Commercial organization sometimes fail to realize (or take the ostrich approach to the fact) that they don’t exist in a vacuum, but within an ecosystem where the (mostly competing) interests of companies, customers, employees, regulators, environment and the larger society are required to be optimized. This was the stated (though in a different way) objective of the concept of Trusteeship, which sadly has gone out of the window gradually after Indian independence.” – Deb.

Thank you all, and especially, thank you Debashis

Rajeev Dubey ”

The winner of the competition is Debashis Gupta. Congratulations!

Debashis please email your address to me and we will send you the prize.

Ernst & Young Insight For Internal Audit Transformation

The last post – ‘Coal Gate Scam – Should Auditors Comment on Policy Decisions’ ignited a thought-provoking discussion on LinkedIn. The major debate was on the role of internal auditors in evaluating strategic decisions and strategy per se. The message is – transform the internal audit department and leave behind the old thinking of verifying compliance with existing processes. Hence, I thought of sharing some great insights from the Ernst & Young report – The Future of Internal Audit is Now.

Before we discuss the details, check out the depiction of the transformation process below.

The key aspects of the transformation process are:

1.      Align with organization strategy

According to the study, 61% of the internal audit departments did not have a documented mandate aligned to business. One can question, then, exactly what they are working on. The way forward is to understand the business strategy – sales, operations, human resources, products, etc. – and identify its strategic and business risks.

2.      Formulate the internal audit strategy

Based on the understanding of business strategy and strategic risks, devise an internal audit strategy. Developing an internal audit annual plan isn’t sufficient. Take the time period of the business strategy, and formulate the internal audit strategy for the same period or a three-to-five-year period.

3.      Acquire the right talent

Execution of a strategy is only as good as the people deployed to the task. Upgrading skills is a must. Besides technical and functional knowledge, auditors now need business acumen. Rotate resources from operations to get in-depth business knowledge. To highlight the importance of business skills: according to the report, just 47% of the IA departments have a training plan for leadership and business management.

4.      Operate as a business function

Internal audit should stop viewing itself as a support function and take a leaf out of the line functions’ book. It should measure itself against the same standards as business functions. Have the right strategy, execute it effectively, add value and measure against key performance indicators. Being mostly a cost centre doesn’t mean it should let itself go.

Closing thoughts

Survival of business in this global economic crisis is hugely dependent on effective risk management. Internal audit plays a vital role in improving the financial performance of the organization. Hence, transforming the department’s functioning from the old mind-set to fit 21st century requirements is a must.

Before closing, here is something to start your week on a good note. An old man for the first time saw moving walls. While he was standing in front of them, he saw an old woman enter the walls, and in a second a young woman came out. He said to his grandson – Son, hurry home and get your grandmother.


Coal Gate Scam – Should Auditors Comment on Policy Decisions?

The Coal Gate Scam report has squarely put the loss of Rs. 1.86 lakh crores (USD 35.097 billion) at the Prime Minister’s door. The Comptroller and Auditor General (CAG) report states that Prime Minister Manmohan Singh agreed to introduce competitive bidding for allocation of coal blocks way back in October 2004. However, his office indulged in delaying tactics in approving the revised policy. This resulted in allocation of coal blocks according to the old policy introduced in 1993. Failure to use competitive bidding resulted in a loss of Rs. 1.86 lakh crores (USD 35.097 billion).

This raises interesting questions from the corporate sector perspective. Should auditors see the validity and applicability of policies? Alternatively, should they restrict their role to the compliance of existing policies? What happens when a policy or standard operating procedure of an organization is redundant but is still being followed? If competitors are using better processes, technology and policies than the organization, what role should auditors play in it?

1.     Delaying Policies Becomes a Political Game

According to the CAG report, the Screening Committee allocated blocks and the process lacked transparency. Allegations are that private companies with political links benefited at the expense of others. However, the competitive bidding policy could have been introduced with an amendment from the administrative desk. The Prime Minister’s role becomes critical as he was also fulfilling the responsibilities of Minister of Coal. CAG says he made it into a bigger issue by holding that the policy should be changed for all minerals and not just coal; hence the process for making such a large-scale policy change was different. This allowed the coal ministry to follow the 1993 process.

This happens in the corporate sector too. For instance, an employee or a small group suggests a change to an existing control process that will take just one man-month of effort. Some others with vested interests do not wish for the change to occur. However, they can’t reject the suggestion for strengthening controls without looking bad. Hence, to stall the project, they add a few more suggestions which enlarge the project into a 24 man-month effort. Now the change can only happen once the huge budget is approved. Since the project is not a priority, it stays at the bottom of the budget approval list. Hence, the status quo remains and subsequently someone exploits the control weakness to conduct a fraud.

In such a situation, as an internal auditor would you highlight the initial attempt to strengthen controls and put responsibility on the other group for delaying the change? Do we as internal auditors go back in such depth to find out which projects or policies were kept pending approval and had such a huge negative impact?

2.     Auditor’s Role in Policy Review

The Supreme Court has upheld CAG’s power to comment on policies. The bench of Justices R M Lodha and A R Dave said, “Do not confuse the constitutional office of CAG with that of an auditor of a company or corporation.” This response was in respect to a petitioner’s contention that CAG should restrict itself to auditing expenditure and not comment on the government’s rationale for policy decisions. The bench had further added – “CAG is not the traditional Munimji to prepare only balance sheets. It is constitutionally mandated to examine the efficiency, effectiveness and economy of the decisions of the government in using resources. If the CAG will not do this, then who will?”

This viewpoint raises some interesting points for internal auditors in the corporate world. Should auditors be commenting on strategic or policy decisions of the company?

For instance, the company decides to use print media for advertising open job positions. However, it is much cheaper to use job portals and social media. These significantly reduce the cost of recruitment. Should an auditor restrict himself to checking that all expenditure is authentic or question the hiring policy?

Another aspect is strategy decisions. Let us say Company A decided not to enter the emerging markets, whereas Company B, operating in the same industry, entered the emerging markets and increased its profitability tremendously. Should an auditor audit strategic decisions, and not just say that it is management’s responsibility? Where is the line of demarcation drawn in respect of corporate internal audit?

The Institute of Internal Auditors’ new standard applicable from 2013, ‘Achievement of the organization’s strategic objectives’, states that – “The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the achievement of the organization’s strategic objectives”. Hence, should we conclude that evaluating strategic decisions comes under internal audit purview?

3.     Auditor’s Role in Calculating Presumptive Loss

The CAG audit reports on 2G licenses and Coal Block allocations have raised a storm due to the calculation of presumptive loss figures. The government’s contention is that CAG should not be calculating the opportunity loss, as policy decisions are taken to benefit the public.

CAG, however, contended that – “We had never commented on government policies, neither did we ever say that auction was the only route or that all natural resources should be auctioned. In both 2G spectrum licences and coal block allocations, we had only commented on the ‘effectiveness or non-implementation’ of policies. The presumptive loss or windfall gain figures are only to highlight the serious issues of an act of commission during implementation of government policies.”

In the corporate world, internal auditors make an observation and restrict their recommendations to suggesting improvements. Only in rare cases is a cost-benefit analysis done on the impact of the control weakness. We generally fail to draw management attention to the seriousness of the issue, as there are no numbers given. Should corporate internal auditors change their approach to audit work to give a cost-benefit analysis for their observations? Will that garner more attention from the management and initiate action?

Closing Thoughts

These are questions worth debating and there are no easy answers. Internal auditors in the business world can learn quite a few lessons from the government auditors. They are doing a good job of raising contentious issues. Below is a poll to assess your views.


Performance Appraisal for Risk Management Functions

Think of climbing into an aircraft that doesn’t have an aircraft control system and the Air Traffic Control rooms don’t function properly. Would you be willing to go for a free ride in the plane?

If I say risk management functions play the role of Air Traffic Control rooms and provide the relevant feedback to the business, you would mostly agree. But what systems are in place to see whether the risk management functions are fulfilling the role of Air Traffic Control rooms properly? If Air Traffic Control rooms fail, the planes crash, and the same happens in business. Isn’t performance appraisal of risk management functions then critical?

Generally, I have seen risk management functions do an appraisal within the team and sometimes take feedback from senior management. This is despite the fact that in most surveys conducted, the business teams respond that they face challenges with risk management functions and highlight quite a few shortcomings. As the year is ending, the functions would be busy preparing annual budgets and strategies. This would be the right time to obtain feedback and do a proper evaluation.

Let us take an example of the fraud department and study the process of performance appraisal for the department.

1.     Senior Management

Get uncensored, honest feedback from the senior management. Not the form-filling kind, where ‘meets expectations’ means ‘hasn’t committed a big blunder to date’. Check whether senior managers are ticking the appropriate boxes to keep the risk management function out of their hair for another year, or whether it is genuine support for improvement. Ask the audit committee and CXO level the probing and difficult questions:

a)     Does the risk management function help you to perform better?

b)     Did the risk management function add value to the business during the year?

c)      Were you worried during the year that some unpleasant risks would appear that had not been identified before?

d)     Does the risk management function make you feel confident that the business is running on course?

That will give out a message to senior managers that the function is geared to take up a bigger role in business and partner with them for success.

2.     Business Teams

Though the risk management functions issue reports relating to operation risks, the feedback of business teams is restricted to obtaining their replies to the observations made in the reports. Risk management functions rarely go back to business teams for an evaluation. One way is to conduct a yearly survey to obtain the business teams’ assessment of performance. The other way is to incorporate a value scorecard system. This ensures that after every assignment, the business teams’ feedback is obtained in the value scorecard. This enables the function to take corrective measures promptly to provide better service in the next assignment. Some of the questions to ask are:

a)     Did the risk management assignment offer value to your business operations?

b)     Did the risk management teams partner with you to solve your concerns? For instance, in a fraud investigation, did the report help you identify the suspect, and give a solution to prevent future frauds?

c)      Did the risk management team give you a practical solution or recommendation to mitigate the risks?

d)     Do you get prompt replies to your request for help or advice?

Build a value scorecard with 10-15 questions. A periodic assimilation of the responses will highlight the strengths and weaknesses in the performance of the risk management functions.

3.     Other Risk Management Functions

If one wishes to break down the silo approach to risk management, then each risk management team should be evaluating and giving feedback to the other teams. For instance, a fraud department should get feedback from the compliance and business ethics functions.

This is the most beneficial feedback, because other risk management teams actually understand the nature of the work, its issues and its challenges. Obtaining feedback opens doors for sharing best practices and aligning the work. With numerous functions managing business risks, there are some un-addressed risks, as each department assumes that the other is fulfilling the responsibility. Hence, some relevant questions need to be asked. Here are a few examples:

a)     Do you believe we are complementing your work or are working at cross purposes?

b)     Do you get information on our work to tie up and give a joint strategy to address related risks?

c)      Do our teams collaborate well together on joint projects?

d)     Do we share our methodologies, knowledge and best practices to benefit each other?

Working in isolation isn’t going to help the function, other teams or the business. Hence, taking feedback from other functions is really important.

4.     Risk Management Team

Doing a fair and honest evaluation of team performance is of paramount importance. If possible, implement a 360 degree performance evaluation system. A top-down evaluation system will not work for the risk management function, as most of the interaction with business teams is done by middle and junior managers. They are aware of the business teams’ attitude towards risk management. Even the office rumour mill gives some useful information on the acceptance and popularity of the risk management function. Some of the questions the team should be asking are:

a)     Are we viewed as business partners by operation teams and do they think we add value to their business?

b)     Are we doing the best possible work to mitigate the risks?

c)      Are we using standard tools, methodologies and knowledge to give the best possible service to business teams?

d)     Do we have a good talent pool that understands the business and associated risks?

Unless the risk management function does an honest self-evaluation, it is unlikely to find the gaps and improve. Hence, a good deal of time should be spent on it.

Closing thoughts

A good performance appraisal is possible after assimilating the information from all four sources and asking a lot of probing questions. Rather than shy away and get defensive, it is best to take the feedback in a positive light. Without feedback the function is directionless. Here is a small video of HCL on performance appraisal. It brings the point home.