Innovative Assurance and Advisory Services

The business teams mental picture of an auditor is of a guy focused on nitpicking financial accounts. The excessive focus from regulators on internal controls in finance processes has stereotyped auditors. However, in these dynamic economic conditions senior management expects internal auditors to break out of this image and become business partners. The question is – how can they do so? Let me share with you my story first.

My journey as an internal auditor changed in mid-nineties when I was an audit manager in an auditing firm. One day, I had a meeting with the client’s CAE to discuss the scope of work for the year. The client had in-house internal audit team and outsourced some areas of work. The CAE had mostly worked in UK and US, so was highly exposed to the international environment in comparison to the regular Indian CAEs at that time.

On starting the meeting, the CAE said – “Sonia, I think for the first quarter I would like you to cover marketing and customer service department.” I swallowed and nodded agreement.

He then continued – “Next quarter you can cover production”. I squeaked – “Production?” He replied – “Yes, shop floor audit would be interesting.” I tried to keep my expression under control and not show my shock, and again nodded in agreement.

He further added -“Last two quarters of the year, you can cover purchase department and inventory function”. I knew something about these two areas, so I tried to breathe. As the meeting closed, I started thinking how I am going to execute this scope of work. You see, there was a small hitch. I generally did service industry audit and this client manufactured cranes and forklifts. What does one audit in marketing of cranes? How are cranes produced? I was absolutely clueless.

As I drove back I wondered whether my boss had intentionally skipped the meeting. He knew if he had accepted this scope of work, I would have had reasons to crib. Now as I had accepted the scope of work, I couldn’t crib. If I did, he would say – “Sonia, you should have negotiated better.” So I took a small diversion and stop, before reaching my office. My boss was eagerly waiting and from his expression I knew he had already spoken to the CAE. It was a setup! I presented him the scope of work letter, my bookstore bill and the five books I had purchased on marketing function on the way back. He smiled gleefully.

I knew I was in trouble. In those days there was no internet and google in India. I tried to figure out how I  could convince my team that I knew more about marketing cranes than spell it.

Later on I realized that these assignments were the turning points in my career. They shook me out of my comfort zone and taught me a lot. While I could earlier rattle off the financial numbers of my clients, I really didn’t understand their business. What did they do? How did they make money? What challenges do they face in the market place? Without understanding the business, one could hardly do any value add.

So the relevant question is how can auditors become business consultants? Primarily internal auditors are driven in scoping their work according to materiality in financial statements. If we change the focus from financial to business, the scope of work automatically changes. I am sharing with you some of my ideas.

Of course as you read some of the suggestions the question will come up, does it fit into the third line of defense (internal audit), second line of defense (risk management) or the first line of defense (business teams). My view is that first an organization should decide, is this what they require? If yes, then they need to find an appropriate fit in their structure. Though some of these services do not fit the traditional sense of audit, they add a lot of business value. Moreover, the skill set required to perform these services is the same as an auditor or risk manager. The mindset has to be different.

The argument against it is that these are management responsibilities as some of these either appear to be focused on preventive or detective controls, and moreover do not focus on financial processes. The question to ask is – is management fulfilling these responsibilities in other functions? Additionally, if business risks and controls are not addressed, doesn’t it impact financial processes and income? Maybe, senior management needs to come out of the SOX mindset and think differently. Read on and share your views with me.

1.  Job Work Review

I am sure you must be wondering here – what is she referring to? As a corporate citizen you must have heard of management saying that with so many resources the work is still not done. On the other hand employees lament that they are over worked due to insufficient bandwidth. One wonders, are they talking about the same organization? Let me explain in detail as to what we can focus on here.

I had a banking client where the management and employees were in this tussle. Since it was an Indian nationalized bank, the tussle was fast becoming a labor union issue. Management appointed our company to identify the real work issues at a sample branch to resolve the problems. The branch had 50 odd employees and as a first step we asked them to fill a detailed form listing out their activities on a daily, weekly and monthly basis along with the time. We also gave time sheets for the bank employees to fill for a fortnight to record actual work done with time spent.

Meanwhile we analysed job descriptions, processes, MIS and business applications to assess the real activities performed by various departments within the branch. Finally, we conducted interviews with the employees to discuss our observations relating to their job roles and work done. We were able to identify duplicate work done, opportunities for minimizing manual work by using technology, improving processes, reducing time spent on non-value add work, restructuring department functioning and changing job roles. This improved the efficiency of the branch operations besides resolving the management problems.

In another similar assignment for a law office, we analysed billable and non-billable time spent by attorneys. By transferring the non-billable activities to other job roles, the attorneys were able to increase their billable time, hence directly improve revenues.

Point is, all managers are told to prioritize work. Ever wondered, what percentage of managers to do it successfully. Additionally, what is the impact on revenues because of failure to do so? Isn’t it worth checking out. Shouldn’t organizations focus on employee risks? Employee risks are turning big and are mostly un-addressed.

2. Build Risk Assessment Tools

The business teams are primarily responsible for managing risks, however are not trained on risk management. The internal auditors and risk managers have vast knowledge of business risks. Then isn’t it worthwhile to bridge this gap. Here I will give you an example of what we did for a software development company.

The program managers were running million dollar software projects. As you know, the project risks impact cost, quality and time of the project. The software development teams focus more of running the project than doing project risk management. Hence, we developed an excel tool for them. The spreadsheet contained over 600 risks on various stages of a software development project. The project manager just had to assess whether a risk was applicable to the project and select a listed risk mitigation plan. S/he had to input the name of the person responsible for managing the risk and time schedule. In rare cases only, project teams identified a new risk, that we incorporated in the next version of the tool. An activity which took the project teams days of discussion could be completed within a day and project manager could review the risk status within an hour on a weekly basis. An overall organization count was available on risks occurrence, success/ failure of mitigation plans and risk losses.

Empowering the business teams with appropriate tools to conduct risk management is far more beneficial than a post facto audit. A reduction in risk loss directly improves profitability.

3.  Process Design Review

Internal audit and risk management functions generally are not involved in the process review at the designing and re-engineering stage. They audit the process after it is functioning and then identify control gaps and give recommendations for improvement. Doesn’t this sound like attempting to catch an elephant by its tail. I will share with you my ideas on this area.

When an organization is establishing its back offices, usually the processes are migrated with the same controls as were existing before. However, the risks and control requirement change considerably on process migration. If an auditor reviews the process and standard operating procedures at the process migration stage, not only business risks will be addressed it will save a lot of time in doing a subsequent audit. Additionally, management will be able to identify whether the process is high, medium or low risk and budget risk loss accordingly in the cost-benefit model.

The same applies when management is re-engineering processes according to six-sigma or lean or any other model. Sometimes on re-engineering processes, the existing control steps are removed to reduce work time and improve efficiency. However, no other compensating controls are put. This increases the risk of the process without management’s knowledge.

Reviewing processes proactively for controls and risks reduces probability of subsequent damage due to control failure. It significantly mitigates fraud risk also. Moreover, it reduces the audit time significantly.

4. Software Implementation Review

Again I see here that auditors review application controls at the time of SOX or financial audit. An assurance  needs to be given on the technology controls. However, the cost of changing an application program after implementation is 3-4 times the cost at the time of development. Hence, doesn’t it make sense to review the software program at the time of implementation, whether it is an ERP or customized application.

To demonstrate the value of the work, I am narrating my experience of doing an assignment for a government tax department in India. The department was implementing technology for the first time to improve tax collection. According to its estimates because of the manual systems and delay in collecting information, it was losing revenue in millions due to tax evasion. They had appointed a hardware vendor and software vendor, and then my organization for auditing. We worked with the department to review the technology implementation strategy, user and functional specifications for controls, network diagram for information security and conducted application controls testing. This saved the department from various problems that would have occurred after implementation.

Proactively addressing technology controls saves the organization subsequent cost of changing them and mitigates the risks occurring from control lapses. Conducting an ongoing review of implementation of critical business applications is beneficial.

 5. Policy Decisions Review

Now this is something that most auditors and risk managers do not go near as policy making is management responsibility. However, I am going to narrate an incident here, and let you decide whether it makes sense to re-look the policies.

I was conducting a financial statements audit of a consumer goods trading company. While checking the discounts given on a product, I realized that the total discount given was eroding the profit margin. The company had various discount categories, for instance – special discounts, festival discounts, dealer discounts etc.. However, it was not calculating the total of these discounts for each product. Hence, didn’t realize that though the sales were increasing the discount policies were faulty and eating away the profit margin. I did a marginal costing analysis, and assessed that if they continued with this policy the company will lose its “going concern” status in three years. Management was horrified on seeing my report and realizing that various discount policies cumulatively could have such an impact.

Look at it from another angle. If you see the banking sub-prime crises, maybe a review of the policies to give loans to financially weak or unstable income borrowers would have reduced the risk. If the banks had just disbursed loans to this category to a small percentage of the total retail lending, this situation may not have occurred. Conducting an audit after loan disbursement and commenting on the quality of loans hardly helps.

My suggestion here is that when policies are issued, they need to be reviewed for financial and risk impact. Issuing single policies doesn’t sound like a big deal, however when sum total impact of a group of policies in a specific area is analysed, the picture is quite different.

6. Fraud Risk Assessment

In a speech given by Governor, Reserve Bank of India to Institute of Chartered Accountants of India in December 2011, he said – “The profession has shied away from the responsibility for prevention and early detection of fraud.” This is a valid allegation, although fraud risk is increasing at a tremendous rate, most organizations lack focus. Banks have fraud risk functions, however they are more focused on investigations. The thrust on fraud prevention can be improved.

Let me give you an example here. In India either banks are shifting back office operations or outsourcing it to vendors. Now these back offices have multiple processes, mostly run by people who are service delivery experts. The teams sometimes lack banking industry knowledge and are clueless on fraud risks of the process. At the time of process migration, training is provided to detect transaction level fraud. However, if you ask the process owners whether the processes they are running are – high, medium or low fraud risk, they will be unable to answer that.

I had once with my team developed a fraud risk assessment tool for banking back office operations. A weight was given to each data item that could result in fraud. For example, an employee having access to customer information can conduct account takeover fraud in a call center. The information normally required is name of the customer, account number, address, date of birth and debit/credit card number. If this data is available, the probability of fraud increases. Hence, the tool captured the data availability for each process and calculated the level of fraud risk for the process. Management and process owners knew the high fraud risk processes and could allocate more resources to fraud prevention to these processes. Incorporating controls in these processes reduced the overall fraud risk of the organization.

As mentioned in an earlier post, Kroll Fraud Report of 2011 states that globally organizations reported on an average 2.1% of earnings loss due to fraud and nearly 1/5 of the organizations had 4% earnings loss. In case of senior management involvement, for instance – Satyam, Enron, WorldCom, – organizations are nearly wiped out. Fraud risk additionally impacts financial, reputation and legal risks. Hence, organizations definitely need to focus on it.

 7. Review of Management Programs

Management initiates various programs, namely for – innovation, research, quality improvement, leadership development, etc. There is a lot of time and money spent on these programs as these enable the organizations to gain a competitive advantage. Risk managers talk about competitive advantage risks, however these programs do not come under the review radar of either internal auditors or risk managers. They check that the cost of programs is booked correctly, and are unconcerned about the success of the program and/or reasons for failure. Reason being, no obvious risk is seen.

My view is that if a program is developed to gain competitive advantage, then obviously its failure results in increasing competitive disadvantage. That increases business risks. These risks might not be immediately quantifiable, but have long-term impact. However, the reasons for program failure are not obvious and results in sunk costs for the program.

For instance, in a company I had run an organization survey to get feedback on implementation of a quality framework. Normally, negative feedback identifies the following problems – lack of senior management support, insufficient training, lack of implementation support, no hand-holding done in first project etc. In the feedback given, the respondents stated that these issues were addressed well and they had no complaints on these fronts. However, they were not motivated to use the framework because their was no reward or recognition system in place for doing well in this area. After implementing an employee bonus scheme for adopting the framework and using it well, participants commitment levels for the program improved.

As I had mentioned in an earlier post “Creativity@Risk“, organizations innovation programs may not be effective because creativity is not valued. I had given steps to audit creativity levels in the organization. Think of it, if innovation and research is failing, don’t the competitive advantage risks increase. How are organizations calculating and addressing these risks?

8. Brand Building Programs Review

Organizations are investing heavily in building brand names to gain competitive advantage and customer loyalty. They run advertising, social media and corporate social responsibility programs geared towards it. However, some are succeeding in their efforts, while others are reaching nowhere, specially Indian companies. For example, the global Brand Keys Customer Loyalty Leader report of 2011 in the top 100 brand names doesn’t even mention one Indian company. Hence, the question is where are all the advertising and brand building budgets going?

A review of the effectiveness of these programs helps to build better customer relationships. For example, some banks to get Gen Y customers have launched games on their website. If a customer logs in and does some transaction or activity on the website, s/he gathers points. After accumulating certain number of points, the customer is given a small gift. It is targeted towards building customer retention and loyalty. The cost of the program is low, impact is high.

Another aspect now facing organizations is social media risks. Any negative information that goes viral can damage the company reputation. Hence, the probability of reputation risks has increased. To ensure that these are properly mitigated and the programs are effective, these programs can be periodically reviewed.

9. Strategy Review

In an earlier post I had mentioned a point from a McKinsey report. It states that just 8% of the respondents said that their organizations review strategies on an ongoing basis. In 42% cases, the organizations were not conducting annual reviews of strategy. Now without reviewing the strategy, how do organizations really know where they are heading.

In another recent report of Economist Intelligence Unit  titled “The Long View” the key observation was that – “The time horizons for strategy and risk are often misaligned. Some companies are making longterm strategic plans without a proper consideration of the associated risks.” The main reason is that risk management is considered an operational activity rather than a strategic function. This is highlighted by the fact that just 24% organizations think that risk analysis is vital for strategy development.

To illustrate the need for strategy review, I am narrating an incident. I was pitching for work to a CEO. He handed me his strategy documents for building 100 collection centers. I analysed the numbers, and realized that though the revenue numbers and assumptions were correct, the costing was not so. I visited a few collection centers, developed an operational plan and costing analysis and submitted the revised numbers. When the CEO saw the numbers, he asked me for my recommendation. I said in a straight forward manner – “If I was in your position I wouldn’t implement this project. Though revenue numbers are good, the break even point is at 75%. There are no quick earnings and failure probability is high.” The CEO agreed to my observation and project was not undertaken.

As I persistently continue to make this point, strategy review is essential for success. A lot of funds are wasted on wrong strategies. Start with focusing on the strategy formation process and reviewing business strategies to move up the value chain.

10. Business Continuity Plan Review

Most organization dependent on information technology have disaster recovery plans and/or IT recovery strategies. Few have developed and implemented full-fledged business continuity plans envisaging various  natural and man-made disasters. Although, with the increasing frequencies of floods, earthquakes, hurricanes and terrorist attacks this would be an obvious move. Last year the earthquake in Japan and floods in Thailand caused problems for companies worldwide whose vendors were located in these countries. The supply chain broke down.

Conducting a business impact analysis requires breaking each activity in the business process as critical, necessary and optional in case of a disaster. These activities might be required in normal business functioning but not in a disaster scenario. For example, for a bank having credit card operations running 24/7 is critical, however a loan application approval process can be delayed without a big problem for a couple of days. A solution is required for all critical activities. For instance, in 9/11 attacks in US, the Amex center in Delhi acted as the back up center for US offices. It was one of the few companies whose customers didn’t feel any impact on customer service due to the incident. Hence, ensuring that all critical activities have a backup facility with trained resources operable in a short time span is critical for business continuity.

A review of the plan and testing documents ensures that there are no gaps and all possible disaster scenarios are covered. A periodical review is required as sometimes processes and business change, while the business continuity plan is not updated.

Closing Thoughts

To provide value add to business, auditors and risk managers need to focus on these services. Big 4 earn most of their revenues providing these services to clients as few companies have developed in-house capability.  Though some organizations have shown progressive thinking and renamed internal audit departments as business assurance and advisory function. One arm of the department focuses on regulatory requirements of internal audit and the other arm focuses on providing assurance and advisory services to various stakeholders within the enterprise. The cost of setting up the function is low, the rewards are high.  Senior managers just have to re-imagine audit and risk management functions. It will be worthwhile.

References:

  1. The long view – Getting new perspective on strategic risk by Economist Intelligence Unit
  2. Brand Keys Customer Loyalty Leaders 2011
  3. Challenges to the Accounting Profession Some Reflections – Speech of  Dr. Duvvuri Subbarao, Governor of Reserve Bank of India on 16 December

Reducing Recruitment Costs

I checked out Seth’s Blog global Alexa traffic analysis and it states – “Visitors to the site spend approximately two minutes per visit to the site and 84 seconds per page view.” I checked out my blog’s analysis and it states- Visitors to the site spend roughly two minutes per visit to the site and two minutes per page view.” My readers spend more time per site visit (2 minutes) than Seth Godin’s (84 seconds) do. Yippee!Obviously I am ignoring the traffic ranking, as there is a few hundred thousand difference.  Now you must be wondering how this data relates to reducing recruitment costs. Read on.

I further analyzed the ranking of Tata Consultancy Services, Infosys and Wipro Technologies; the three technology and business process outsourcing  giants of India. Now look at the table below:

Company Website Global Rank Audience Age Total time on site Time per page view
Tcs.com 12,405 Mostly under 25 6 minutes 44 seconds
Infosys.com 17,672 Mostly under 25 5 minutes 41 seconds
Wipro.com 12,706 Mostly under 25 6 minutes 46 seconds

What am I getting at? Most of the site visitors are young males looking for a job. Each site has a career section that allows candidates to register and submit their resume. Look at the table from a recruitment cost lens. If the organization focuses on career webpage, it can reduce recruitment costs.

The Business Case

Overall, recruitment costs include job advertising costs, recruitment company fees, employee referral, interview travel expenses, relocation expenses and human resource recruitment department operating costs.

Let me take the example of IT and BPO sector recruitment costs. According to the NASSCOM Strategic Review 20011 report, the IT and BPO sector will employ 2.5 million employees in 2011. In comparison to 2010, the total employee strength will increase by 240,000 employees. Secondly, the attrition rate is ranging from 20-40% in the sector. This means that approximately one-third of the employees will change jobs. Back of the envelope calculations show that BPO and IT sector organizations will hire roughly one million employees in 2011.

Most of the demand is for employees with 1-3 years of experience. Their monthly salary ranges between Rs. 20,000 – Rs. 50,000 and the recruitment companies’ fees range between 1-2 months of employee monthly salary costs.

Hence, if I take 10% of annual salary cost to company as recruitment fee and Rs 300,000 as annual salary, nearly Rs. 30 billion will be spent on recruitment fee alone by the sector. Definitely, a line item worth looking at for reducing organization recruitment costs. Especially in case of BPO and IT sector as the profit margins are decreasing with the recession in US and Europe economy.

The Solution

Simply put the organizations need to drive traffic to their websites to ensure prospective candidates submit their resumes on the website. Any percentage increase of hire through website will decrease agency recruitment fee costs.

As in the case of BPO and IT sector the audience age is less than 25. The Gen Y is technologically savvy and looks for the same in websites. Hence, some of things that organizations can look into are:

> Post a video message from CEO or other CXOs explaining the vision and mission of the organization.  Gen Y prefers flat structures, access to senior management and enjoys watching videos. This will increase their enthusiasm to submit their resumes.

> Aptitude tests – IT and BPO sector generally request recruitment agencies to do preliminary screening by giving candidates written aptitude tests. The tests can be web-enabled on the career page to enable candidates to complete it while submitting their resumes.

> Voice and language tests – BPO sector in call center business conducts voice and language tests. The organizations can provide a facility for prospective candidates to upload audio and video recordings for voice tests. Secondly, administer written language tests through web.

> Pre-employment background verification – Provide a facility to candidates for uploading relevant certificates required for background screening. In India, roughly 25% of the resumes are fake or inaccurate. The background screening costs are high if done after appointment. Hence, organizations can conduct a preliminary verification before interview by reviewing the scanned certificates.

> Application processing system – Organizations can provide an application  tracking mechanism to the candidates, either to update them through automated emails or showing the application status on the website.

I was amazed that technologically advanced companies that provide technology and business consulting services have not focused aggressively on developing the career page and attracting candidates through them. Maybe the technology costs are higher, though to me it does not seem so. Maybe the thinking is that putting boots on the ground will reduce the recruitment pressure on the human resource teams. In my opinion, since in BPO and IT sector the recruitment numbers and costs are high, the human resource teams should have all technological advantages to do their jobs better. What is your opinion?

References:

NASSCOM: The IT+ BPO Sector in India – A Strategic Review 2011

Fraud Symptom 4- Growth strategies based on financial numbers

The core reason for failure of companies is adopting the wrong strategy and the worst thing to do is focus on a growth strategy that is driven by numbers. A strategy based on organic or inorganic growth maybe aimed at delivering the financial numbers in the stock market quarter on quarter. These companies are not developing on core skills, products, customers or long-term strategy. The COSO report Fraudulent Financial Reporting 1998-2007- An Analysis of U.S. Public Companies states the following –

The SEC’s most commonly cited motivations for fraud included the need to meet internal or external earnings expectations, an attempt to conceal the company’s deteriorating financial condition, the need to increase the stock price, the need to bolster financial performance for pending equity or debt financing, or the desire to increase management compensation based on financial results.”

To illustrate my point I am taking below cases of acquisitions that resulted in corporate disaster and internal focus on numbers that showed mismanagement and fraud.

If you consider the cases of WorldCom and Marconi both invested heavily, in telecom sector not realizing that in 2000, the market was saturated and there were limited growth opportunities.  Some of the acquisitions were done without adequate due diligence and purchased at a high price. That is, the boards ended up purchasing some bad apples at a huge cost. The new acquisitions were a huge financial drain on the existing company. In a couple of years, the companies were cash strapped. The initial high financial figures, which were reported, were fraudulent. The true financial status of the organization could be hidden because of the number of acquisitions, mergers and consolidations in numerous countries provided minimal transparency and one could not assess the real performance of the company.

In India, the Satyam case was again an attempt to show high growth and profit margins while the reality was significantly different. Fraudulent bills were passed at year-end to show higher turnover. The investment of Maytas was engineered to show growth and assets. The deal failure resulted in collapse of Satyam and disclosure of fraud as the reality could not be hidden any longer.  

At a macro level, the mergers and acquisitions scene in India needs to be viewed considering the foreign direct investment inflows and outflows and within country acquisitions. Indian companies in the last five years acquired a few companies outside India. Few group names, which forged ahead for acquisitions are Tata, Wipro, Bharti and Dabur.    Tata Steel’s purchase of Corus and Tata Motors purchase of Jaguar and Land Rover in the United Kingdom has already received some negative publicity. Reason being, that the companies are facing a severe cash crunch from the acquisitions and are surviving on domestic market. This aspect is raising questions whether the investment was required. In the next couple of years, we will know whether the acquisition could be considered a strategy good move.

The next issue is about acquisitions and investments in India. As such, more multinationals are either doing outright purchases to gain access to Indian domestic market or establishing an Indian arm by setting up business operations. Both these aspects are not free from flaws and I am giving below some insight on the issues.

The inward foreign direct investments are generally routed through Mauritius to take advantage of the tax breaks. Hence, the money trail from America or Europe does not flow directly into India. For operations also, the inflow and outflow is sometimes routed through the tax heavens. This creates opaqueness in the consolidated financial statements of the holding company.

The other aspect is Indian business are not transparent and sometimes proper due diligence may not be possible. Here is an example of a bad acquisition of an Indian company by a Japanese organization. Daiichi Sankyo from Japan acquired Ranbaxy Laboratories. Daiichi paid  $4.6 billion  to acquire a controlling interest in Ranbaxy. The price was very lucrative for Singh brothers – the sons of founder of Ranbaxy – as they got a 31% premium. However, this acquisition was bad for Daiichi as the FDA investigation details revealed. The FDA is alleging that Ranbaxy sold adulterated versions of HIV drugs in Africa and there is a patents dispute. The share prices of the company have fallen and the Singh brothers have resigned from the company after making a large profit. They are the only ones who appear to have benefitted from the acquisition. This case is a clear indication of acquiring a company for growth without adequate due diligence.

Now let us come to organic growth scenarios. As India is known as the center of for back office operations of multinationals, I am illustrating the normal operations of an in-house captive business process outsourcing. In my view the whole business process outsourcing industry is geared towards financial numbers. Multinationals invest in India for purpose of cost cutting.  As the focus is on cost reduction, the management layer is thinly spread and internal controls are compromised. To give you an example, in a business process outsourcing unit in India, a vice-president operations with 10 or more years of work experience can be managing between 150 to 800 customer service executives. Here is a table depicting the organization structure of a regular back office operations process in India.

Designation Years of experience Direct reports Number of direct reports
Vice President Operations 10 or more Assistant Vice Presidents 2-3
Assistant Vice President 8 or more Managers 2-3
Manager 5 or more Assistant Managers 2-3
Assistant Manager/ Team Leaders 2 or more Customer Service Executives 15 to 30

 In reality, the assistant managers are actually managing the process delivery. From a customer service executive they one fine day are promoted and are suddenly required to manage a team of 15-30 staff members. Normally, they have no formal training for management or team management. The reason why these structures are common is that more experienced assistant vice presidents and vice presidents come at a higher cost of USD 75,000 or more. Hence, if more vice presidents and assistant vice presidents are added to the structure, the cost advantage is lost. There is hardly any supervisory or management layer in the structure for implementing proper management controls. The high fraud risk processes operating in captive back office centers are at much higher risk.

Again, the organization culture plays a crucial role in determining how growth is achieved. The recent Rs 300 crore (USD 65 million) Citibank fraud by a rogue employee Mr. Shivraj Puri depicts a scenario where internal controls were compromised to generate numbers. According to media reports, Mr. Shivraj Puri traded Rs 900 crore (USD 195 million) in the stock market and Citibank did not detect the fraud internally.

This fraud has a different interpretation when viewed with the recently released Boston Consulting group survey report on banking industry in India.   It stated that in 2009-2010 Citibank average employee cost of Rs 19 lakh (USD 41,350) was the highest amongst the banks. In comparison, the biggest Indian bank, namely State Bank of India and other reputed Indian private sector banks (HDFC, ICICI) had average salary costs ranging between Rs 5-7 lakhs (USD 10,000 to 15000 approximately) per employee. Reserve Bank India report showed that Citibank’s   average business per employee was Rs 20 crore (USD 4. 35 million) that was the highest. In contrast, State Bank of India’s was Rs 6.4 crore (USD 1.39 million). To me, it appears to be an organization culture driven by numbers. Seeing the numbers and with my experience in Indian banking sector, my personal view would be to take a closer look at Citibank’s processes and strategy. It is possible that costs are being cut on implementing internal controls, risk strategies, fraud detection and prevention to show business profits.

If an organization culture is geared towards financial numbers, chance increases of employees and management window dressing the financial statements and various other reports. Therefore, the next question is how the frauds are reflected in the financial statements.  According to the COSO report – “The majority of frauds (61 percent) involved revenue recognition, while 51 percent involved overstated assets primarily by overvaluing existing assets or capitalizing expenses.”  This in Indian context is primarily done by manipulating service delivery MIS to show better performance, adding fictitious sales contracts and billings, showing non-existent interest earnings and other accrued income etc.

While the COSO report states, the understatement of expenses and liabilities was reflected in only 31% cases, in India the problem is the opposite. Organizations prefer showing high sales and income, and higher expenses to avoid/ reduce taxation on profits. The expenses are increased by adding personal expenses of senior management under heads of gifts and entertainment, travel, membership & subscriptions, conveyance, salaries of personal house staff, personal telephone expenses etc. Hence, the problem is two-pronged in India, as neither the revenue nor the expense side figures are reliable.

Recommendations

This clearly shows that a growth strategy driven by numbers may not be the right solution if not supported by selecting right industry, developing new products, and establishing good management and systems. The number game can soon become pure gambling without proper controls and accurate financial statements. Hence, following should be kept in mind.

1.   Acquisitions should be done after through due diligence of internal organization and external factors. An analysis of industry, market, country risks and various statutory requirements is a must.

2.   Procedures and practices should be implemented to complement the business strategy. The business is likely to fail if adequate management control and supervision is not maintained.

3.   Financial statements should represent a true and fair view. There should be no manipulations and window dressing to reflect a distorted view of the business

4.    An organization culture should be developed on business ethics and not just numbers.

Hence, the final message is that a growth strategy needs to be developed and implemented with care.

References:

  1. COSO report Fraudulent Financial Reporting 1998-2007- An Analysis of U.S. Public Companies
  2. Boston consulting Indian Banking survey article in Asian Age-  Fraud-hit Citi emerges as best paying bank ( http://www.asianage.com/business/fraud-hit-citi-emerges-best-paying-bank-438 )
  3. Corus and Ranbaxy – Acquisitions gone wrong? by Sriram Vadlamani (http://trak.in/tags/business/2009/05/31/corus-and-ranbaxy-acquisitions-gone-wrong/ )
  4. India’s Ranbaxy Gives Headache To Japanese Drugmaking Parent (http://www.businessweek.com/globalbiz/blog/eyeonasia/archives/2009/05/indias_ranbaxy.html?chan=top+news_top+news+index+-+temp_global+business)
  5. Tata Steel’s Acquisition of Corus (B) (http://www.icmrindia.org/casestudies/catalogue/Business%20strategy/BSTR355. )
  6. Satyam Fraud Case- Confession letter of Ramlinga Raju (http://www.hindu.com/nic/satyam-chairman-statement.pdf)
  7. ‘Satyam Scam Tip of Corporate Fraud Iceberg’ ( Article in IPS News written by Praful Bidwai)  http://ipsnews.net/news.asp?idnews=45608

To read the full list of Fraud Symptoms, click here.

Fraud Symptom 3 – Board’s failure to exercise judgment

The board performance and effectiveness differentiates between success and failure of the organization. Before, I mention the details; I am giving a brief background of the Indian corporate sector and relevant laws. Ministry of Corporate Affairs Annual Report 2009 states that there were 821,212 companies limited by shares registered in India. Of these 83,010 were public limited companies and 738,202 were private limited companies. There were 2903 foreign companies operating in India as of 31 December 2009.

Now the question is how this data is relevant. SEBI’s Listing Agreement Clause 49 defines the corporate governance requirements for publicly listed companies in India. That means it is applicable to less than one-tenth of Indian companies.

The clause mentions requirements for independent directors, formation and working of audit committee, corporate governance norms and disclosures, code of conduct etc. The Indian Company Law’s various sections define the requirement for true and fair financial statements, audit committee and corporate governance requirements. However, most of the sections provisions are applicable to public companies and deemed to be public companies. The SEBI guidelines and Company Law requirements on corporate governance are not applicable to private limited companies. Hence, from a fraud symptom perspective, the issues are different and I am dealing with them below separately.

 The most renowned case of boards’ failure to exercise judgment in India is of Satyam. So let me cover that briefly. Satyam’s board consisted of well-known business personalities, namely Mr. Krishna G. Palepu a professor in Harvard Business School and Mr. Vinod Dham known as Father of Pentium. The Central Bureau of Investigation report stated (as given in Top News) –

 “The members of the Board of Directors had acted as “rubber stamps”, unwilling to oppose the fraud. Not a single vote of dissent has been recorded in the minutes of the Board meetings.”

This clearly raises questions on the effectiveness and role of independent directors. Four independent directors of Satyam resigned within a short span after the fraud disclosure. This issue which was brought into focus was “should independent directors be held responsible for the fraud?” The impact was felt across corporate India. The research paper Independent Directors and Firm Value: Evidence from an Emerging Market” mentions that in January 2009 at the time of disclosure of Satyam fraud there was a substantial peak in number of resignations of director. 197 directors voluntarily resigned though their term had not ended. The number consisted of 109 independent directors, 40 insider directors and 32 gray directors. There are certain challenges, which independent directors face in India that may not be applicable to developed countries. I will provide details after covering the SKS Microfinance case that also highlights boards’ failure in business ethics though not in fraud.

SKS Microfinance case came into light when the CEO Suresh Gurmani was unceremoniously fired by the board of directors. There were no performance or fraud issues. Eight of the ten directors voted in favor of his termination, the other two were absent. It is being said that this was done because the founder chairperson Vikram Aluka had some disagreement with the CEO.  Two of its reputed directors are Pramod Bhasin, President and CEO of Genpact and Chandra Shekran, Former Executive Director, SIDBI. This event brought focus to the internal operations of SKS Microfinance. The organization was formed as part of social entrepreneurship to give rural poor and farmers small value loans. It is said that the organization was charging an astronomical 28% interest and was coercing village women and farmers for recovery. A number of farmer suicide incidents were reported to police holding SKS responsible. Andra Pradesh government passed a revised law about microfinance lending which in the last three months has severely affected the microfinance industry. The question here is what was the board doing? Did the directors not question the excessive profits of the company whose objective was social entrepreneurship? Did they ask for information regarding operations? Shouldn’t the board of directors question business ethics of the organization?

The main reasons for failure of independent directors in India are that most of the public listed companies’ shareholding is structured differently. The family or founders bring in their relatives and friends as board of directors and control the organization. The independent directors do not receive insider information of the organization, as senior management is loyal to the founder / family. Hence, all effort is made to protect the family/ founders authority and control, rather than interest of the public shareholders. Therefore, though the qualifications of the directors are good and relevant they have little impact. The directors are appointed more to add prestige to the board and company, a men’s club is formed and nobody bothers to ask the right questions. For the directors it is a status symbol to be on the board, along with the director’s fee, free travel and various indirect privileges. In such a scenario, the board’s independence is lost and there is hardly any focus on curtailing fraudulent activities.  

Next issue to discuss is about private companies. As such, since the number of shareholders is less than 50, in most cases of fraud the financial impact is felt by a small group. The problem arises when the private limited company is a subsidiary of a public limited company or a multinational. According to SEBI Listing agreement  a subsidiary company having a turnover or net worth of 20% of the holding company or has a significant transaction which is more than 10% of its turnover, assets or liability with the holding company has to comply with certain requirements of independent director, audit committee and review by holding company board of directors. However, through multi-layered structuring of private companies, these rules can be circumvented.

As most of the multinationals operating in India have a business process outsourcing or information technology outfit, I am taking an ITES company example to explain how multi-layered structure increases management’s propensity for fraudulent activities. Suppose company “A” is a public listed company in US. A separate private limited company “B” is formed in US with a common founders or board members. Now a separate private limited company “C” is formed in India. Now company A enters into an agreement with company B for providing software development and call center services. Company B enters into an agreement with company C in India for providing the same services. Now let us say majority of the back-office operations are performed by company C in India. Some senior managers maybe reporting to company A and B senior managers. However, now because of the autonomy available to company C and then company B senior managers, the full information does not flow to company A’s board of directors. Hence, the board of directors of company A, whose funds have been used to setup company B and C, would have very little visibility of actual operations. With such minimal control and high autonomy, company B and C senior managers separately or in collision can undertake fraudulent activities without detection.      

Considering the above-mentioned factors, one needs to assess the intent of board of directors. If the intent is wrong, there will definitely be laxity and ineffectiveness.

Recommendations

The board’s independence and critical thinking is necessary for effective corporate governance and preventing large-scale fraud within organizations. The following recommendations are useful from Indian perspective:

1)    Ministry of Corporate Affairs should focus on providing a structure for corporate governance. Applying similar provisions as developed countries is useful, however if similar support structure is unavailable, the provisions become ineffective.

2)    SEBI should delve deeper into appointments of independent directors to ensure that public shareholdings interests are protected.

3)    Reputed professionals who are appointed as directors should fulfill their obligations in true spirit and sincerity. Directorships shouldn’t be just treated as status symbols.

4)    Organizations while forming a multi-layered structure of companies should build processes to ensure transparency and accountability. Procedures for corporate governance should be implemented across the group uniformly.

References:

  1. Ministry of Corporate Affairs Annual Report (http://www.mca.gov.in/Ministry/annual_report_2009.html)
  2. SEBI Listing Agreement (http://www.sebi.gov.in/Index.jsp?contentDisp=Database)
  3. Satyam CBI Report (http://www.topnews.com.sg/content/22973-satyam-scam-board-directors-also-party-fraud)
  4. Satyam Board of Directors Resignation (http://newkerala.com/topstory-fullnews-66077.html )
  5. SKS Microfinance (http://www.sksindia.com/ )
  6. Independent Directors and Firm Value: Evidence from an Emerging Market (authored by: Rajesh Chakrabarti, Krishnamurthy Subramanin and Frederic Tung) http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1631710

To read the full list of Fraud Symptoms, click here.