Case Studies - Risk Consulting

Sunday, March 29, 2009

Microeconomics at play

When the macroeconomic scenario is not good, it is time to focus on microeconomics. Why? Microeconomics deals with the individual units of an economy, such as a firm, a household, an investor, a worker or a single market, that make up the broader economy. It deals with the demand and supply of particular goods and services and their price determination, and examines, for example, how a tax cut affects a firm's output.

Microeconomics not only focuses on individual decisions and transactions under a free economy but also sheds light on market failures while it tries to model reality at a larger scale. It observes how a country's economy works and finds ways to explain and predict macro variables like GDP, labor, interest rates, etc.

Scarcity of resources, the economic incentives available to individual units or to persons within a unit, and the impact of such incentives on business controls and planning are the domain of microeconomics. Microeconomics not only drives business transactions at the grass-roots level but also determines the culture and control environment of a business organization.

While everyone is talking about corporate governance, the need for independent directors, robust audit committees and transparency in financial reporting and disclosures, nobody is talking about an economically viable and sustainable business model post the Satyam scandal or in the face of today's deflationary economic conditions.

Many are tempted by 'get rich quick' schemes, but when businesses are not able to grow with such schemes on a sustainable basis, the value created is lost. Many businesses ignore the fact that when they begin to drag their market place into the same sales outlets they shrink their market. Once they start getting confident, they offer guarantees that they can't hope to keep.

Knowledge of microeconomics is very useful when carrying out a Management Audit that can add significant value. A Management Audit informed by microeconomics can warn you of bad growth and recommend that you follow the principles of sustainable business. When all resources are working at their maximum productivity and demand for the products cannot be further increased, a faulty incentive scheme may put more pressure on the resources, and failure is inevitable. When slight volatility or a crisis can hamper business planning, it is time to reduce leverage, not to add to it.

Targeted Management Audit and analytics can show the path of sustainable growth and thus optimize the use of resources, which makes certain that management shares and enjoys the products of its labour.

Let's understand how analysis and audit using microeconomics can add value in the area of purchases.

Traditional purchasing techniques largely rely on volume consolidation and rigorous negotiation tactics. Instead, one may use an analytically rigorous approach that is built on a keen understanding of the microeconomics of buyer-supplier relationships and can deliver significant savings. This requires a reverse marketing strategy that creates an intensely competitive, level playing field amongst suppliers and exploits a range of analytical savings levers to drive down prices without compromising specifications.

These savings levers focus on, for example, unbundling supplier pricing, eliminating non-value-adding middlemen and gaining a clear understanding of the supplier's economics. The valuable insights from the analysis are rolled into a comprehensive multi-round negotiation strategy for generating real savings from suppliers.

Do you know who can attract the best talent? The answer is the businesses that pay their taxes and dividends on time. Well, there is a connection. It's microeconomics at play.


Saturday, November 29, 2008

Terrorist Attack on Taj & Trident

Before I give an account of the topic I have selected today, I would like to brief you on 'where I am coming from'. I am among the fortunate ones who have done Internal Audits of five-star hotels like Taj & JW Marriott in Mumbai and have spent a considerable part of my career doing these Internal Audits. My first Internal Auditing lesson came from doing Internal Auditing at Taj. My Internal Auditing style resembles my work at these five-star hotels, i.e. systems audit. When I say Systems Audit, I do not mean IT systems audit but Business Systems Audit. All who have done Taj Internal Audit before the TPAM audit started there will understand what I am saying.

Now, I would like to share a specific Internal Control which I think has never been paid attention to, and which I think is important not only from a Revenue Assurance point of view but also from a security point of view.

Like every business, these hospitality giants are required to reconcile and physically verify their inventory. There are two kinds of perishable inventory which a hospitality unit like Taj might carry. One is connected to their F&B business and the other is connected to their Room Revenue business. We will talk about their Room Revenue business inventory, called Room Nights: inventory made of Time & Space which is sold to guests.

How do you physically verify such an inventory which is made up of Time & Space? Historical records will not serve the purpose as one cannot go back in time to do a physical verification once you have moved ahead in time. I am sorry; but we have still not invented something called Time Machine.

Thus, concurrent physical stock taking is the only solution available. Nowadays most hotels have software to manage their room inventory. One can tell if a room is occupied or not. The Front Office keeps track of room folios opened with formal check-in and check-out procedures. More often than not, the housekeeping department in the hotel performs a check to physically verify the status of each room once or twice a day. They update the system with the room status independently verified by them.

When we have two sets of inventory data, we reconcile them, and if there are discrepancies or variances, we go and find out the cause. If a room is occupied as per the Front Desk record but vacant as per housekeeping, then we have a situation called a 'Skipper', and when a room is vacant as per the front office desk but occupied as per housekeeping, it is called a 'Sleeper'.

Both cases involve a possible leakage of revenue for the hospitality unit. Along with this room status control, a few hotels also resort to something called baggage control, the number of patrons staying in a room, etc., to make this control complete. More often than not, I have found serious lacunae in the said control. In spite of reporting it several times to various hotel unit managements, this control has never been taken seriously by anyone and has always ranked as a low risk area.

It's important that the managements of these hotels understand the risk of having inventory that is made up of Space & Time and its possible abuse by any unscrupulous person.

The housekeeping department, although independent from the front desk personnel in verifying the room stock, is not properly trained to verify the physical status of the room when they visit a room for cleaning or otherwise. The second issue is that the housekeeping department in most hotels submits this room status discrepancy report only to the Front Office Manager, instead of to the Security Manager or Loss Prevention Manager along with the Front Office Manager. Moreover, the luggage brought by guests is not tracked and controlled to ensure an effective status control activity. Currently, the control is too mechanical, is adhered to half-heartedly, and has no subsequent procedure to ensure that there is no leakage of revenue or security threat. In simple words, hotel management should know intelligently what is happening in every room without disturbing the privacy of the guest.
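The reconciliation described above, sketched as an added example (it is not from the original post or from any hotel system): it compares constructed front-office and housekeeping records, labels Skipper and Sleeper variances as defined in the post, and copies every variance to security as the post recommends. The record fields, the HEADCOUNT, BAGGAGE and UNVERIFIED labels and the recipient names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RoomStatus:
    occupied: bool
    guests: int = 0  # registered at check-in (front office) or observed (housekeeping)
    bags: int = 0    # logged at check-in (front office) or observed (housekeeping)


# Assumed routing: the post argues the report should not stop at the Front Office Manager.
RECIPIENTS = ("front_office_manager", "security_manager")


def reconcile(front_office: Dict[str, RoomStatus],
              housekeeping: Dict[str, RoomStatus]) -> List[Tuple[str, str]]:
    """Return (room, variance) pairs for every room where the two records disagree."""
    findings = []
    for room in sorted(set(front_office) | set(housekeeping)):
        fo, hk = front_office.get(room), housekeeping.get(room)
        if fo is None or hk is None:
            # A room missing from either record was never independently verified.
            findings.append((room, "UNVERIFIED"))
        elif fo.occupied and not hk.occupied:
            findings.append((room, "SKIPPER"))   # occupied per front desk, vacant per housekeeping
        elif hk.occupied and not fo.occupied:
            findings.append((room, "SLEEPER"))   # vacant per front desk, occupied per housekeeping
        elif fo.occupied:
            # Both agree the room is occupied: check the supporting counts.
            if hk.guests > fo.guests:
                findings.append((room, "HEADCOUNT"))
            if hk.bags > fo.bags:
                findings.append((room, "BAGGAGE"))
    return findings


def discrepancy_report(findings: List[Tuple[str, str]]) -> List[dict]:
    """Attach the recipients to each variance so none is seen by the front office alone."""
    return [{"room": room, "variance": kind, "notify": RECIPIENTS} for room, kind in findings]


# Constructed sample data for one housekeeping round.
FRONT_OFFICE = {
    "101": RoomStatus(True, guests=2, bags=2),
    "102": RoomStatus(True, guests=1, bags=1),
    "103": RoomStatus(False),
    "104": RoomStatus(True, guests=2, bags=3),
    "105": RoomStatus(False),
}
HOUSEKEEPING = {
    "101": RoomStatus(True, guests=2, bags=2),
    "102": RoomStatus(False),
    "103": RoomStatus(True, guests=1, bags=2),
    "104": RoomStatus(True, guests=3, bags=5),
    # room 105 was not visited in this round
}

if __name__ == "__main__":
    for line in discrepancy_report(reconcile(FRONT_OFFICE, HOUSEKEEPING)):
        print(line)
```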

I am sure the recent attacks on Taj & Trident will ensure further strengthening of this control in light of this new risk lurking over the hospitality industry. I also see possible improvements in gate security and guest room key control procedures.

I also feel strongly that there is something wrong with the procedures under which hoteliers have to submit details of the foreign nationals staying in their hotels to the local police station every day. It's possible that the police station takes these reports, stamps them and sits back without doing much scrutiny of these records.

My heartfelt condolences to the families of those who have been affected by the recent inhuman act of terror at Taj, Trident and Nariman House.


Saturday, June 28, 2008

Value For Money

Mercedes-Benz!!!

Not all VFM Audits are the same. An automobile chain based out of Muscat had organized a very big Bollywood temptations show at Muscat to promote a luxury brand in its showrooms. The response to the event was overwhelming. The Bollywood temptations show gathered a huge crowd, more than the marketing department of the sponsoring automobile dealer had expected. The great advertisements, banners, and public and press exposure, however, did not yield any significant results as far as sales of the latest brand were concerned.

Internal Auditors were called in to examine the case. The task was to comment on operational performance, including activity beyond the purely financial domain. The audit strategy required an organized procedure for the efficient identification of unnecessary cost.

Just one year back, the Internal Auditors had carried out a Value for Money audit using the Value Analysis technique. A car seat covering could be made of leather, cloth or a vinyl product, each requiring different production techniques with different costs, yet providing the same basic service at a different quality standard. If the standard provided is more than adequate for the perceived need, there will be an element of waste in the use of resources. With the use of the Value Analysis technique, wasteful expenditures were saved.

The Internal Auditors required a different approach this time to carry out the Value for Money audit. They selected the Functional Cost Analysis technique. Analysing cost objectively identifies the purpose of every item of expenditure and attributes it to specific management activities. Departmental management can then be made accountable for monitoring their own performance in terms of exercising economy when incurring costs and efficiency and effectiveness in the use of resources.

With thousands of the luxury brand's cars on the road in other parts of the world, the legions of luxury car drivers certainly included regular folks too. But who were they? The Internal Auditors started studying the luxury car buyers' demographics for past years, and the trends were clear:

The luxury drivers had higher incomes, much higher than the average car buyer. In 2005, luxury car owners' incomes were about $100,000 a year versus $65,000 a year for the average buyer. As per a 2007 survey, 81 percent of respondents for the selected luxury car model earned more than $125,000 per year.

The luxury drivers were a few years older than the average car buyer: closer to 50 than to the average age of 40. The study of auto industry marketing showed that only 2 percent of the luxury car owners were 24 or younger, while 29 percent were between 45 and 54, and 33 percent were 55 and older. An independent survey carried out in 2007 suggested similar results. And the most important market factor for similar cars in Muscat: luxury car owners were the locals, i.e. Arabs.

And the Bollywood temptations show at Muscat by the automobile chain attracted an audience of which nearly 90% were young migrants from India with low income levels. Now Smile :)


Sunday, May 18, 2008

Bad Growth Vs Good Growth

How will you categorise a "Rs.400 crore turnover business"? Is it an SME or a large business?

SME stands for Small to Medium Enterprise. However, what exactly is an SME differs from country to country and depends on the norms used to classify it, like the headcount or annual turnover of the enterprise. Many countries use SME to refer to a business with fewer than 250 employees, while classifying firms with 250 or more employees as "large" businesses.

Developments in prices and productivity make it necessary to adjust the financial threshold norms from time to time, and thus many countries have recently amended the definition of the SME to improve the business environment for SMEs in their country. The increase in the threshold limit allows a significant number of enterprises to maintain their SME status and ensures their eligibility for support measures.

SMEs are an essential source of jobs; they foster entrepreneurship and innovation and are thus crucial for the economic growth of the country. However, it is very important for these enterprises to ensure Good Growth.

It is always thought that SMEs are often confronted with market imperfections. SMEs frequently have difficulties in obtaining capital or credit, particularly in the early start-up phase. Their restricted resources may also reduce access to new technologies or innovation. Well, I would say it depends on the business objectives of the SMEs and differs on a case-to-case basis. Many factors contribute to Bad Growth, like type of ownership, management style and corporate governance, high dependency on a few individuals or resources, the business control environment and commitment to Good Growth, etc.

Let's consider some real-life scenarios which I came across recently.

A few months back, I met the CFO of a leading food retail chain at their office in Mumbai. And, to my utter surprise, they had not carried out any Internal Audit during the past 4 years and had no immediate plans to carry one out in the near future. Now that's Bad Growth.

I had heard the story of a business group with facilities near Mumbai, at a drive of around 3 hours from my place, that has grown its business significantly in a very short time and is growing at an incredible speed on a Y-O-Y basis. The directors, who stay in Mumbai, fly their own helicopters to reach the workplace on a daily basis. Again to my utter surprise, I came to know that they have a very minimal Internal Audit programme for their fast-growing business. The Internal Auditors were mainly involved in transaction audit, and that too remained inadequate due to growing transaction volumes. I quickly realized that the remuneration paid to the Internal Auditors justified deploying two audit clerks only. That's called step behaviour with Internal Audit.

Recently, I had a chance to meet and talk to the Purchase Manager of an SME organization with a CAGR of more than 40%. This time again, to my utter surprise, the guy asked me how Internal Audit is different from an ISO Quality Certification Audit. I am sure such unawareness about the purpose of Internal Audit is somewhat faked. To my knowledge there are many such SMEs with a turnover of Rs 100 crore or more which have Quality Certifications but do not have an appropriate Internal Audit Programme suitable to their size of operation. What one could find is missing controls, overridden controls, mis-utilisation of resources, mismanaged processes and tacit people issues within such enterprises.

In India, private equity firms and venture capitalists are looking to invest in such growing businesses; however, the individuals in the organization who have vested interests have created an environment which is not conducive to Good Growth. Processes and controls are highly dependent on a few individuals, leaving the business leaders helpless. Also, a mindset has developed among such SMEs not to part with equity, for the same reason as cited above. SME leaders need to realize that they need to expand the business with professional help and the requisite control environment within the organization, which alone can strengthen its path to high Profitability, Efficiency and of course Good Growth.


Saturday, February 16, 2008

Reduce Cost of Monitoring

Increased focus on financial reporting has changed the way Internal Audit is being done nowadays. Hence, risk consulting firms like PwC and Protiviti Consulting have suggested adopting a balanced approach to Internal Audit, i.e. balancing the Internal Audit between a Risk & Control Assessment focus and a Business Performance Assessment focus so that Internal Audit resources are allocated appropriately between the value protection and value enhancement objectives of the Internal Audit.

However, a question arises: are these two focuses or objectives means to the same end? If so, would allocating resources between them amount to duplication? Instead of a balancing act, I am in favour of a hybrid approach, just as a strategy to corroborate and substantiate various internal control / risk assertions. Mind well, your cost of monitoring and the cost of SOX or SARBOX compliance efforts are mainly driven by the kind of Risk Assessment you do and thus the Control Activities you define within your business processes.

Many Internal Auditors who adopt risk-based audit use the following logic to reduce their monitoring cost. When they place higher reliance on the Effectiveness of controls, whether based on their subjective judgment or on the basis of some kind of risk scoring, they reduce the extent of testing the Existence of controls. The lower the net risk score, the lower it will be in the priority list. If we apply this logic in a situation where the Internal Auditor has designed the controls, he will rely more on the Effectiveness of controls and thus the extent of testing Existence will be less. When the Management designs controls, IA tests the controls to provide assurance to the Management of their Existence and Effectiveness.

Now many would see a contradiction here and may like to question how the Existence of a control is connected to its Effectiveness. Mind well, whether a control is Effective or not, if it exists on the list (List of Primary Controls), it has to be tested for its Existence to reduce the Audit Risk. In other words, there is no connection.

Now let's turn again to the main topic: how we can reduce the cost of monitoring and achieve the various objectives of IA within the available time and budget.

The more we under-rely on controls, the more procedures our strategy will deploy and the more cost it will entail. If we over-rely on controls to reduce our costs, we are responsible for not exercising appropriate diligence. Controls and risks are affected by the type of industry, location, volume of business, type and value of assets, segregation of duties, past performance and efficiency of risk or process owners, etc. These controls and risks are owned by the Business Managers, and they can influence the Effectiveness and Existence of controls.

The Management Accounting concept used in designing a Performance Measurement System suggests that one should not be made responsible for the inefficiencies of others. Clearly, Internal Audit is made responsible for the higher costs of audit when controls are ineffective or not complied with due to delinquent Business Managers.

The second problem within the industry is that testing the Existence assertion of Internal Control entails more cost than testing the Effectiveness assertion. The introduction of technology has solved this problem to some extent, but bigger leaps are still to be taken.

So how would we reduce the cost of monitoring while achieving an appropriate level of deterrence for ensuring compliance, and how can we free up IA resources for extending the IA program to other unattended priorities? How can the inefficiency of Business Managers, which increases IA cost, be reduced or taken care of?

Many have adopted the balanced scorecard, incorporating control objectives within its framework, but in reality this management method is just diversifying the risk of the business managers, who may have personal objectives that are not in sync with the business objectives. Another management method, Control Self Assessment, is proving to be an exercise which just enhances the controlling skills of business managers instead of helping them achieve the business objectives in an optimum way.

We suggest below an Innovative Method which is proposed to reduce the cost of monitoring while keeping the deterrence level among the auditees, and the assurance provided to the management, at the same level. This will make the business managers more business oriented; they will then serve the business as a separate business unit, and their performance and efficiency will be measured as if they were an outside professional service provider.

Monitoring cost mainly depends on the number of transactions (sources of risk) to be tested and the frequency of testing needed to provide the required level of comfort or assurance to the management.

IA determines a control liability score on the basis of the number of non-compliant sources found. Say IA finds 1 unauthorized credit note; it will give a score of (-)1. Thus, when 10 credit notes are found unauthorized, it will give a control liability score of (-)10 to the process owner concerned.

These scores may be connected to the KPIs of the process owner, with his full knowledge, which may create the required level of deterrence. The unit score may differ based on the type of risk or transaction to produce the desired deterrence or incentive to comply with the controls. The entire score system may be designed by the top management or the audit committee.

How the new method will work:

We will take a retail industry example. Say there are 5 SKUs in a period which should be correctly coded and approved by the Warehouse Manager. Assume that IA imposes a control liability score of (-)10 upon the Warehouse Manager for each incorrect coding or non-approval.

Let's say 2 of the 5 SKUs are not coded correctly and checked. The IA could choose to test all the SKU sheets one by one, inspecting each for the appropriate authorization and coding; given that 2 are incorrectly coded, it would assess a total control liability score of (-)20 if IA were to do 100% testing.

Instead, under our proposed method, the IA could randomly select fewer samples, determine the control liability score for the sample, and apply that outcome to determine the control liability score for all 5 SKUs.

If the IA randomly selected 1 SKU as a sample and found it to be incorrectly coded, the auditee would bear a total control liability score of (-)50. If the selected SKU is correctly coded, the auditee would bear a control liability score of 0 (zero). Notably, using this approach, the process owner would be subjected to the same aggregate expected control liability score of (-)20: a 40% probability of (-)50 and a 60% probability of 0. Thus, even by testing 1 SKU, IA can generate the same level of deterrence for the process owner. Similarly, whether you test two, three, four or all five, the control liability would remain the same when you apply the average result of the sample so tested to the entire population.

Sample Size One
Probability of sample selected with risk present: 2/5 = 0.4
Probability of sample selected without risk present: 3/5 = 0.6
Control Liability Score: 0.4*(-50) + 0.6*(0) = -20

Sample Size Two
Probability of both samples selected with risk present: 2/5*1/4 = 0.1
Probability of one sample with risk present: 2/5*3/4 + 3/5*2/4 = 0.6
Probability of samples without risk present: 3/5*2/4 = 0.3
Control Liability Score: 0.1*(-50) + 0.6*(-25) + 0.3*(0) = -20

Sample Size Three
Probability of two samples selected with risk present: 2/5*1/4*1 + 2/5*3/4*1/3 + 3/5*2/4*1/3 = 0.3
Probability of one sample with risk present: 2/5*3/4*2/3 + 3/5*2/4*2/3 + 3/5*2/4*2/3 = 0.6
Probability of samples without risk present: 3/5*2/4*1/3 = 0.1
Control Liability Score: 0.3*(-33.33) + 0.6*(-16.67) + 0.1*(0) = -20

Thus, whatever the sample size, 1 or 1000, the expected control liability score remains the same.
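The three hand calculations above are instances of one rule: the number of non-compliant items in a sample drawn without replacement follows a hypergeometric distribution. The following added example (not from the original post; the function names are assumptions) computes the exact distribution of the extrapolated score for any sample size, and also reports its spread, which the expected value alone does not show.

```python
from fractions import Fraction
from math import comb


def score_distribution(population, defects, sample_size, unit_score):
    """Exact distribution of the extrapolated control liability score.

    population  -- number of items in the period (5 SKUs in the post)
    defects     -- number of non-compliant items actually present (2 in the post)
    sample_size -- number of items IA draws at random, without replacement
    unit_score  -- score per non-compliant item (-10 in the post)
    Returns {extrapolated_score: probability}, both as exact fractions.
    """
    if not 0 < sample_size <= population:
        raise ValueError("sample_size must be between 1 and population")
    if not 0 <= defects <= population:
        raise ValueError("defects must be between 0 and population")
    total = comb(population, sample_size)
    compliant = population - defects
    dist = {}
    # k = non-compliant items found in the sample (hypergeometric support)
    for k in range(max(0, sample_size - compliant), min(defects, sample_size) + 1):
        prob = Fraction(comb(defects, k) * comb(compliant, sample_size - k), total)
        # Apply the sample's defect rate k/n to the whole population.
        score = Fraction(k, sample_size) * population * unit_score
        dist[score] = prob
    return dist


def expected_score(dist):
    """Probability-weighted average score, the quantity the post shows is constant."""
    return sum(score * prob for score, prob in dist.items())


def score_std_dev(dist):
    """Standard deviation of the score: how far one audit's result can stray."""
    mean = expected_score(dist)
    variance = sum(prob * (score - mean) ** 2 for score, prob in dist.items())
    return float(variance) ** 0.5


if __name__ == "__main__":
    # The post's retail example: 5 SKUs, 2 miscoded, (-)10 per miscoded SKU.
    for n in range(1, 6):
        d = score_distribution(5, 2, n, -10)
        outcomes = ", ".join(f"{float(s):.2f} (p={float(p):.1f})" for s, p in sorted(d.items()))
        print(f"n={n}: expected={float(expected_score(d)):.2f} "
              f"std_dev={score_std_dev(d):.2f} outcomes: {outcomes}")
```

The expected score is (-)20 at every sample size, while the standard deviation falls from about 24.5 at a sample of one to 0 at full testing, so the sample size agreed before the audit period sets how much an individual process owner's score can deviate from what full testing would have assessed.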

The size of the sample may be determined based on a plan approved by the management or the audit committee to ensure adequate assurance within the available time and budget. The size of the sample can be negotiated between the parties concerned before the audit period.

The method will also reduce the frequency of audit or monitoring. However, the method should only be applied to past transactions and not to prospective transactions. This method will reduce the cost of testing the Existence of controls so that IA can deploy the resources freed up to other compelling IA priorities.

Remember, in a real-life scenario, the auditor may not know the exact number of non-compliant risk sources within a risk population, but the size of the risk source population, the sample size and the degree of control liability score for the type of control risk would determine the action, discipline and efficiency of the concerned process owner even before the start of the audit. The method provides an adequate incentive to the process owners to remain compliant while optimizing the business results to be achieved. They should be trained in various risk reduction techniques to reduce their control liability score and optimize the business results. Thus IA can become proactive in coaching the process owners in controlling skills as well as helping them improve business performance.

The control liability scores should reflect the kind of assurance required and facilitate the achievement of business objectives. The scores have to evolve for each industry or type of business or transaction so that they can be benchmarked appropriately across the industry or the business segments.

This new concept is at the idea incubation stage and thus any suggestion or critical comments are welcome from the IA community and members of management around the globe interested in reducing the cost of monitoring or SOX / J-SOX / Clause 49 Compliance while achieving increased value addition.

If you have any confusion with the new method suggested, let me know how you are positioned looking at the SERMON cartoon below.


Sunday, November 11, 2007

Ethics Gospel

Once upon a time, in India, there was a big hermitage of a sage in a valley of the Himalayas. There were lots of cows, and the milk from them alone met the expenses of the hermitage. The milk was also consumed by the residents of the hermitage. One day a disciple came to the sage, the headman and his Guru, to make a complaint. He expressed his suspicion that somebody was regularly mixing water into the milk of the hermitage. "How to curb the ill practice?" asked the Guru. The disciple suggested that one person be employed to monitor the milk and control the adulteration. Thus, one person was employed for the purpose.

After a few days, the disciple came again to his Guru and said that since they had employed a person to keep a watch over the milk, there had been more mixing of water than before. The Guru casually said to keep one more person to watch over the first. A few days later, there was a big blunder and many disciples came to the Guru to complain of heavy adulteration in the milk. Moreover, along with water, someone had also found a fish in the milk.

The Guru said that if you employ more and more people to monitor, the adulteration is bound to increase. Initially there were fewer people who had their share in the milk and therefore there was less water in the milk. When you added a person for monitoring, his share was also added, which in turn increased the stress on the existing resources. When you employed the second person, the adulteration increased to such an extent that you now have a fish in the milk instead of cream.

The disciples humbly asked the Guru for a correct solution. The Guru said it was his mistake that he had never made his disciples mindful enough to educate and rightfully guide their subordinate disciples. Making a few people mindful does not make the society free of ills; all should understand their duties. We have to change ourselves first to bring changes in the society. Mahatma Gandhi once said that we should become the change we want to see.

The Guru said we should have the capability to change the mindset of the people in the hermitage. We preferred the easy way of making a complaint instead of selecting the hard way of making our subordinates mindful of the ills of adulteration and the benefits of caring for cows to produce more milk.

Management Accounting says no one should be made liable for the inefficiencies of others. The Internal Auditor is made liable for the inefficiencies of the Control Owners. The cost of Internal Audit is connected to the extent of its testing and monitoring. When controls designed and exercised by the management are ineffective, IA places less reliance on them and increases the extent of testing and monitoring, which in turn increases the cost. When IA over-relies on the effectiveness of controls, it faces the risk of not exercising due care and diligence in preventing control failures.

The Self Control Assessment (SCA) technique in its current format is not effective either, as Control Owners are trained in the skills of monitoring instead of the objective and the ethics. There are newer ways of reducing the cost of monitoring, but the need is to go beyond the prevailing dominant designs in the industry. We must first find out how to balance our monitoring programme so that it does not involve duplication of effort, allocating valuable resources incorrectly and thus increasing our cost of monitoring. Secondly, we should become more and more objective oriented to find newer ways of creating deterrence at a lesser cost. What do you think about an Ethics Gospel like this?

Your application of Indian philosophy is better only when you draw correct analogy. Remember it's a rocket science and you need the escaping velocity to mitigate the effect of dominant forces of existing systems and mind sets. The problem is difficulty in drawing a correct analogy because adulteration is on and purity is gone. Now, draw an analogy to be able to better understand the presented case study and change your execution style hereon.


Friday, October 26, 2007

Suspicious Minds & Frauds

The risk of fraud lurks over every business. A recent survey suggested that fraud is increasing at the rate of 15 percent per year. Turn on the television or read the newspapers, and it is common to find a story relating to fraud or financial manipulation. Fraud stories involving insurance, medical, securities, government, payroll, banking, telecommunication or credit cards are just a few to name. These frauds involve, but are not limited to, inflated sales or profits, overstated expenses, employee or management misappropriations, related party transactions and security manipulations. Our story is no different.

It was late at night when Prabhakar called Deven. He wanted to know if Deven had had any serious suspicion during the last audit at Axel, an advertising firm and a crucial client of Prabhakar & Co. Deven wondered why Prabhakar would call so late to enquire about an audit which had closed six months back. Prabhakar wanted to know if there were any suspicious circumstances, like long outstanding amounts in the debtors' ageing statement or alteration of invoices. Deven soon sensed seriousness and urgency in his voice. "Is everything alright?" asked Deven, an Audit Manager with Prabhakar & Co.

Prabhakar had had a meeting that evening with Mr. Raj Tilak, Chairman of the Audit Committee at Axel, to discuss a recently discovered fraud at Axel in which the COO of the company was found to be involved. Prabhakar revealed to Deven that the audit committee chairman had held him negligent in failing to detect and report the suspicious circumstances.

Deven asked curiously why Prabhakar was asking about the debtors' ageing statement and alteration of invoices. Prabhakar told Deven that many invoices sent to a client company were understated compared to the copies of those invoices which were used to account for the revenue in the books of Axel. Prabhakar disclosed to Deven that there was a conspiracy between the COO and one of the Accounts Payable staff of the client company. This staff member of the client company had provided the COO with a fudged balance confirmation statement to cover up the mischief. The COO wanted to meet his annual sales target and was to reverse the scheme in the subsequent periods.

Deven immediately understood which client Prabhakar was talking about. He recalled asking the COO about the unrealized amount in the ageing statement. He also remembered the COO assuring him of recovery of the said amount, as he himself was pursuing the client company for its recovery. The COO had also shown him a letter from the company confirming the balance. Also, when he had located two invoices with the same number but different amounts, the COO had provided a vague explanation and suggested it was a one-off error.

Deven remembered how the Chief Internal Auditor of Axel had insisted that he remove the audit observation on long outstanding debtors from the report before the closing meeting. Deven had suspected the authenticity of the statement confirming the balance from the client company, but the Chief Internal Auditor had told him that third party evidence is always among the most reliable evidence. He had told him that in his career of 25 years as an Internal Auditor he had never doubted third party evidence and that Deven still needed to learn how to use his skepticism appropriately.

Prabhakar told Deven that they had definitely failed in their duties. Deven just kept mum during the entire conversation.

An Internal Auditor should be reluctant to accuse anyone when a fraud is suspected and should give the person the benefit of the doubt until the facts and circumstances warrant otherwise. The auditor has a duty to review all situations that seem unusual. Be a skeptic even though you are criticized for being so. The only thing to keep in mind as an Internal Auditor is to focus on the audit strategy rather than abusing somebody when encountering suspicious circumstances. Also, reporting suspicious circumstances is not enough, as you have a duty to dispel your doubts by employing more procedures and documentation.

Do you think you have ever been in a position similar to that of Prabhakar or Deven or the Chief Internal Auditor of Axel?

If your answer is No, enjoy the video herein below.



Sunday, October 21, 2007

Scientific Testing Of Internal Controls

No internal control can ever be proven to be 100% effective. The effectiveness assertion can only be supported or rejected. If our observation of the internal controls finds no issues related to the effectiveness assertion, then the assertion is reinforced and our reliance on that internal control increases. Each time the assertion is tested and found to be valid, it becomes more useful as an explanation of how controls work. But if any future event or testing finds the same internal control to be weak, the internal control must be rejected or modified. This modified internal control must, in turn, be tested again. This is how our knowledge of internal control advances.

However, many of us form a hard opinion about internal controls that have been found to be effective or otherwise in the past. In such cases there is a possibility that not all the evidence needed to prove the assertion is being collected, and thus the evidence collection procedure is not corroborative. We often want an internal control to work in a certain way. The tendency in such cases is always to look only for confirming evidence and to neglect denying evidence. But when we step back a pace from our opinion and are willing to see our testing prove the assertion right or wrong, we are following the scientific method.

Einstein once said that no amount of experimentation can ever prove him right but a single experiment can prove him wrong. The following exercise shows how most of us search for evidence and how we should be doing it scientifically.

You have been told that the cards with light grey faces have a circle on the other side. Now suppose four cards are laid out before you, two face up and two face down, as shown below.

What is the minimum number of cards you may need to flip to test whether the statement that all the light grey cards have a circle on their other side is true or false?

Think about the answer before you read ahead.

This simple exercise examines how you tend to collect evidence. Many people opt to flip the cards that confirm the rule. They flip the card with the light grey face and leave it at that, or they may also turn over the card with the circle. Flipping the card with the circle does not add to the evidence, because it could show either a light grey or a dark grey surface with the rule still being true, as dark grey cards may also have a circle.

The correct answer is two. You should first flip the card showing the light grey face. If the reverse side of the light grey card is a circle, the rule is confirmed. But this does not give you all the evidence you need. Next you must look at the other side of the square, not the circle. If it shows a light grey face, the proposed rule is false, because you have found a light grey card that does not have a circle on the other side; if it is dark grey, or anything else, the rule remains intact.
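The card exercise above, worked through as an added Python example (not part of the original post). It assumes the four cards show light grey, dark grey, a circle and a square; the hidden sides in `DECK` are constructed so that the rule is in fact false, which shows what the confirming flips miss.

```python
from typing import NamedTuple

COLOURS = ("light grey", "dark grey")   # one side of every card is a colour
SHAPES = ("circle", "square")           # the other side is a shape


class Card(NamedTuple):
    colour: str
    shape: str
    shown: str  # which side faces up: "colour" or "shape"

    @property
    def visible(self) -> str:
        return self.colour if self.shown == "colour" else self.shape


def violates(colour: str, shape: str) -> bool:
    """A card breaks the rule only if it is light grey WITHOUT a circle."""
    return colour == "light grey" and shape != "circle"


def can_disprove(visible: str) -> bool:
    """True if some possible hidden side of this card would break the rule.

    Cards for which this is False carry no denying evidence: whatever is on
    the back, the rule survives, so flipping them is wasted effort.
    """
    if visible in COLOURS:
        return any(violates(visible, shape) for shape in SHAPES)
    if visible in SHAPES:
        return any(violates(colour, visible) for colour in COLOURS)
    raise ValueError(f"unknown card side: {visible!r}")


def cards_to_flip(deck) -> list:
    """Visible sides of the cards that are worth turning over."""
    return [card.visible for card in deck if can_disprove(card.visible)]


def check_rule(deck, flip) -> str:
    """Turn over the cards whose visible side is in `flip` and report.

    The verdict is never 'proven': the rule is either rejected by a
    counter-example or merely not rejected by the evidence collected.
    """
    for card in deck:
        if card.visible in flip and violates(card.colour, card.shape):
            return "rejected"
    return "not rejected"


# Constructed deck: the card showing a square is light grey on the back,
# so the rule "light grey cards have a circle" is actually false here.
DECK = [
    Card("light grey", "circle", shown="colour"),
    Card("dark grey", "square", shown="colour"),
    Card("dark grey", "circle", shown="shape"),
    Card("light grey", "square", shown="shape"),
]

if __name__ == "__main__":
    print("Flip:", cards_to_flip(DECK))
    print("Confirming flips (light grey + circle):",
          check_rule(DECK, {"light grey", "circle"}))
    print("Scientific flips (light grey + square):",
          check_rule(DECK, {"light grey", "square"}))
```

On this deck the confirming strategy leaves the false rule standing, while the two flips named in the answer reject it.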

So, if you are a next generation Internal Auditor, be clear with your logic of various assertions to be tested and use the scientific method whenever possible. Don't rely on internal controls at their face value, but observe them carefully, test them and be willing to adjust your opinion about them based on the evidence you gather.


Saturday, October 13, 2007

Balanced Internal Audit

The goals and objectives of the Internal Audit department should be capable of being accomplished within specified operating plans and budgets and, to the extent possible, should be measurable. Frustrations at all levels are frequently due to the lack of clearly defined objectives and delegated responsibilities. The result can be mechanical auditing, even by those possessing the latest knowledge or technological skills, done just to meet the activity targets and create the final output. Read the extract from a chat which I recently had with one of my professional friends working in the Internal Audit department of a multinational company.

Vimal: Hi, how are you?
Me: I am fine. How was your training?
Vimal: Cool. I have learnt some data analytics at the training.
Me: Are you going to use the learnt techniques in your IA job?
Vimal: Maybe to some extent to justify the training.
Me: Why so?
Vimal: I think we are more into designing our final presentation to the Audit Committee than to find trends in the business data.
Me: But that must help you to find the problem areas for reporting.
Vimal: Yes, true. But see, the experienced people in our audit committee think they know how IA has to be done. We remain more concerned about the comments they make reading our reports in presence of the auditees.
Me: What do you want to say?
Vimal: You know auditees. They turn back many times after initially agreeing to a point. We just end up fighting on the facts and the languages used in our report at the time of final presentation. Moreover, timely reporting is a big issue while getting consensus from everyone is the most difficult and time consuming aspect of our job. What to say when our audit committee is so fussy about the reporting language and quantification.
Me: What is wrong in that?
Vimal: Even the properly drafted statutes and legal documents can be misinterpreted depending on the objectives of the parties involved then what to say about our Internal Audit reports. In spite of our taking all the care to report only fact based observations, misinterpretations are inevitable.
Me: Are you saying your training should have been to improve writing skills instead?
Vimal: No Man! Training is just to know what is going on in the industry. It's good to be updated from a career perspective. Practically speaking, Internal Auditors should keep everyone happy and remain popular.
Me: So, what is your strategy?
Vimal: Get into all sorts of training when your company has a training budget. On the work front, simply get the final report vetted by the management and auditees. Remove all the objectionable points and keep it clean. Praise the efforts of auditees.
Me: That's a good practice. We as Internal Auditors should not only be finding faults.
Vimal: No Man. I am just talking about cutting it short and false praising to keep them in check so they don't create issues for us while presenting the final report.

Consider the allusion of a duck swimming serenely along the top of the water. Underneath the water, however, its feet paddle frantically at a mile a minute.

The duck parable is relevant to our new-age internal auditing as well. The final internal audit report has certain observable components, namely the Executive Summary points. This observable dimension is like the duck floating calmly on the surface of the pond. This is all that the casual observer notices. Underneath the water's surface, however, two rapidly paddling webbed feet perform the work. One of these feet is the technological skill of the internal auditor, while the other is the knowledge of innovative internal audit strategies and techniques.

Emphasizing only one of these dimensions (just the technology or just the knowledge) will result in a one-legged duck swimming around in circles. Emphasizing only the logistics of producing the executive summary or the final presentation to the audit committee or the top management, without much emphasis on the above-mentioned dimensions, results in what can only be termed a 'dead duck'.

Emphasis on all three areas moves Internal Audit toward the readiness required for keeping up with the set expectations. Technological skills are needed for high efficiency and to provide cutting-edge solutions. Pedagogical models and strategies are for building intelligent business insights and know-how as well as maintaining a cordial auditor-auditee relationship. Finally, the Internal Audit team, Management team, and Audit Committee should work together to add value in real terms.


Sunday, August 19, 2007

Pow-wow

An Internal Audit partner and his client, the CEO, had arranged a pow-wow among their teams to encourage an open discussion on the bitter auditor-auditee relationship. At the pow-wow, the marketing manager remarked that although one should never minimize findings or neglect one's obligation to report accurately, too many internal auditors needlessly drive a wedge between themselves and their auditees by presenting findings in a way that belittles the auditee, instead of treating findings, analysis and presentation as an opportunity to address problems and to facilitate improvements. The purchase manager added that internal auditors always act as policemen and come with the backing of authority.

To this, one audit manager answered that business managers will have to begin to look at internal audit as an objective consulting group and not just an independent assurance group. Responding to the concerns of the marketing manager, he said that part of the problem is that internal audit also has a stereotype, as business managers do, and that an education process is needed for both the auditor and the auditee. He also said that our source of authority is our ability and independence, whereas business managers think that we are in the organization to appraise their performance, and thus they treat our reports with suggestions as reports with coercion.

The CEO said that Internal Auditors should keep management informed of the progress of their work along the way. Letting management know what they are finding allows management to take action and fix problems while the audit is still in progress. We need 'No Surprises'. Also, internal auditors don't leave considerable time open in the audit schedule so that we can make special requests.

The IA partner replied that our terms of reference and scope should be clearly interpreted, as management inevitably tries to prevent audit encroachment onto the 'management patch' and thus tries to restrict us to the policeman's role, whereas we view our role as that of the independent reviewer covering all areas and levels of operations, decision making and governance. We agree that Internal Auditors should employ a just-in-time approach in setting up their audit plans to accommodate special requests from their clients, but at the same time, they expect auditees to co-operate and respect their time.

The CFO said that both auditor and auditee have their own perceptions regarding one another's needs. They also have expectations as to the nature of their relationship. I have closely seen both the sides in my life. This bitter relationship soon motivates young internal auditors to seek a career elsewhere. This is also one of the reasons the audit industry is seeing a huge turnover of young professionals. Internal auditing's success in the next millennium will depend on providing its audit clients with unique and exceptional services. We need to listen to each other innovatively. Such a pow-wow is definitely a step in this direction. The pow-wow continues...


Sunday, July 22, 2007

Brain-Dead and Branded

A Servicing Company had appointed a branded internal audit firm for four years continuously. The next year, the partner of the firm who had been managing its internal audits for all these years became Chief Internal Auditor of the Company. The Managing Director was somewhat satisfied with his services. However, on looking at the latest internal audit report, the Managing Director became very concerned, as it raised only the pending issues of the last year.

The Managing Director knew that his line managers were performing reasonably well even during the bad times. After discussions with his line managers and the Chief Internal Auditor, he realized that all the recommendations, though implemented in spirit, had not been implemented in the form suggested by the Internal Auditor.

The Internal Auditor was a knowledgeable person, but for a long time he had not been able to add more value with any newer perspective. The Managing Director realized that they had always basically been washing themselves with the same dishwasher, i.e. all of his ideas had been listened to and there had been no fresh perspective from a newcomer who could have brought new insights about the business.

The Managing Director immediately decided to change the working of the internal audit function to make it more meaningful for the business. He resorted to rotation of duties within the organization to change the leadership. He thought that it is not the branding which is essential so much as the competency to provide innovative and frank views without fear or favor. Thus, he worked with new risk consultants, and not any branded consulting firm, to change the way Internal Audit had been functioning. This ensured that they did not all go brain-dead talking to each other on the same topic, just using the latest buzzwords, which are not capable of bringing any new insights.

Simply put, in most such situations there is a need to change the entire IA function, i.e. IA organization, IA leadership, IA strategy, IA technology, IA culture, Business Control Framework and Management Accounting System. Not for the sake of bringing newness but to connect it with business results.

What is difficult to change is the thinking of these so-called experienced top nuggets who say that there is nothing new and that none of it is rocket science. These are the people who have not yet changed their ways. They have actually gone brain-dead.


Sunday, July 15, 2007

Fiction or Reality : IA Failure

Arvind, a young Internal Auditor, had reached the internal audit location on time at 9:00 AM. He had the entire day at his disposal to spend on the audit area as planned. Mr. Swami, the Functional Head, who had not been able to find time to see the email from the corporate office about the internal audit, exclaimed on seeing Arvind. He asked him to wait for some time, saying that the corporate office had not forewarned him about the internal audit. After some time he called up the corporate office in front of Arvind, asking them to send the email again.

At 10:00 AM, Mr. Swami called Arvind into his office. Mr. Swami started with a waffler and took about an hour speaking about unnecessary things without answering Arvind's main questions on the audit area. Arvind broke in to ask the questions differently, but Mr. Swami started his Dog & Pony Show, giving a long, elaborate presentation to impress Arvind so that it might become difficult for Arvind to see the main issues. It was almost 12 PM by then. He took Arvind for a round of the factory, which proved to be a very long round consuming one more hour. Mr. Swami then suggested a good place for lunch. His idea was apparently to form a good working relationship with Arvind. The place suggested by Mr. Swami was miles away from the factory, and after a heavy lunch both returned at around 3:00 PM.

After coming back from lunch, Mr. Swami left Arvind, saying that he would be back in 30 minutes as he had a meeting with the local excise officer. When Mr. Swami finally arrived after 1.5 hours, he saw that Arvind had spilt some tea from his cup on the table. He then started lecturing Arvind on abiding by complex hygiene and safety regulations. This was again a delaying mechanism by Mr. Swami. At around 5:00 PM Arvind started asking some probing questions and asked for some documents and invoices. Mr. Swami told Arvind that he was not supposed to answer those questions as they did not make any business sense. He insisted on stopping the audit for lack of clarity about the scope. Unluckily, Arvind had forgotten to bring the scope document, and this wasted another half an hour. Mr. Swami then started suggesting areas which Arvind should look into. At around 5:30 PM, after some struggle, Arvind convinced Mr. Swami to give him the sample documents for his review as listed by him.

Mr. Swami came to Arvind at 5:45 PM without any documents. On being asked for the documents again, Mr. Swami asked which documents he was talking about. Then he said, "Oh yes, I will just bring those to your table." At around 6:15 PM, Mr. Swami came with a few documents, saying that he was unable to bring all the samples requested as some documents were being processed by other departments, and so he had picked up some other samples instead, which were available with him but not on Arvind's list.

Arvind, the smart internal auditor, picked up a serious problem from the given samples and asked Mr. Swami about it. Mr. Swami suggested that this was a special one-off case. He started abusing Arvind indirectly for his lack of knowledge about the business. When Arvind asked for more details about the said transaction, Mr. Swami told him that the accounting person who had the needed documents was on leave and that he had no access to his drawers. He then started admiring and flattering Arvind in order to become over-familiar with him. He won Arvind's sympathy very soon when he spoke about a major deadline approaching that weekend and about his wife's illness.

All this took around half an hour more, and at around 6:45 PM Mr. Chauhan, the Engineering head, who also lived near Mr. Swami's house, came to offer him a lift in his car. Mr. Swami looked at Arvind and said that he had provided him with all the data and now had to call it a day, as it took about one hour to reach his house in the evening traffic and he had to cook food due to his wife's illness.

Mr. Swami suggested speaking to Mr. Ayengar in case he needed any documents or clarification. Mr. Ayengar did not know a single word of English or Hindi and could speak only his native language. After struggling a bit with Mr. Ayengar, Arvind gave up and started enjoying the expensive chocolates which Mr. Swami had brought for him that evening.

At around 7:30 PM Arvind decided to pack up to catch the 8:30 PM train to Mumbai, as there were chances of heavy traffic as suggested by Mr. Swami.

After a week Mr. Swami received a report from Arvind which suggested that everything was found to be in order.


Saturday, April 21, 2007

Changed Management Assurance

A telecom company adapted not only its product offerings but also its organization structure in response to rapid technological change and changes in customer demand. Under increased pressure from these market enablers, it decided to change its organization structure, eliminating several levels of management and introducing management teams organized by business segment and market region. More empowerment and greater decentralization of decision making were introduced.

Along with its reorganization, it also changed its accounting system. It eliminated its use of annual budgets, replacing them with a system of rolling financial plans and forecasts. The focus was now on activities and how cost-centers consumed financial resources on various activities. Along with rolling forecast, it started to report profit & sales per business segment on a quarterly basis. Local authority levels were increased for financial transactions and spending.

It broadened its reporting to include a series of Key Performance Indicators (KPIs) that provided non-financial measures on customers, finance, employees, internal efficiency, and innovation. The forecasts and KPIs were to form the basis of performance evaluation of the business units, compared against the pre-specified targets as agreed.

The company wanted its risk management efforts to align with the above reorganization and adaptations and to answer the following questions: Is execution aligned to its new strategy and the changing environment? Is its management accounting system functioning and evolving with the change, and what risks and trade-offs exist within its new reporting and MIS environment? And how best can it monitor and track its KPIs?

The Risk Management System must support the firm's new decision-making and control system instead of adding negative value by thinking in an orthodox way. The Internal Audit (IA) function should ensure that the new system is providing quick and accurate information for decentralized decision making. IA should now emphasize controls related to activities, business segments and KPIs.

The Internal Auditor should understand that short-term budgets are both planning and control tools. Long-term budgets, which were used earlier, reduce managers' focus on short-term performance and are primarily used for planning purposes. A line-item budget restricts the responsibility of a manager by forcing the manager to make purchases in prescribed amounts. Budget lapsing has the benefit of greater control over short-term spending. A manager who can control the size of operations should be evaluated based on static budgets; a manager who does not control the size of operations should be evaluated based on flexible budgets. This understanding will reduce any possible dispute with auditees.

The auditor should understand the process of determining the values of the reported KPIs and should know who is processing this information, the possible conflicts of interest, and the inter-dependence and possible trade-offs between various KPIs. It is also a good idea to develop Key Success Factors (KSFs).

The Internal Auditor should ensure that management accounting is facilitating regular follow-up on non-performing activities and that the management team is diagnosing the root causes and taking appropriate action on a timely basis.

In other words, the Internal Audit function has to think differently in this era of rapid change.


Sunday, April 15, 2007

Why Case Studies?

Internal audit has performed poorly as far as communication of findings is concerned. It is not just about creating a fancy presentation or writing executive summaries with punch lines for the reporting authorities. Innovative communication should change the image of the internal auditor, and internal audit should be looked at as an objective consulting group instead of an independent assurance group.

Ponder hard the currently used methods of presenting audit findings and determine whether or not the process unnecessarily focuses on higher management instead of issues at the auditee level. Although one should never minimize findings or neglect one's obligation to report accurately, too many audit shops needlessly drive a wedge between themselves and auditees by presenting findings in a way that belittles the auditee, instead of emphasizing the identification of problems and treating findings, analysis and presentation as an opportunity to facilitate improvement. In essence, the action plan should anticipate management's response to findings and help turn the presentation of findings into a constructive process rather than a barrage of criticism.

The Internal Auditor should focus on two words: NO SURPRISES. This reduces pressure on the internal audit team. There should be some kind of interim presentation to the auditees about the factual findings to trigger discussion and an understanding of the various options for correction or improvement. It is important to keep auditees informed of the progress of internal audit findings and work along the way. Letting auditees know what we are finding allows them to take action and fix problems while the audit is still in progress.

By resisting the temptation to hoard audit findings until the big end-of-audit presentation, internal audit can make auditees more enthusiastic about the results, and the job becomes easier. Innovative communication reduces monitoring and internal audit costs to a great extent.

Case studies are an effective and innovative way to communicate the results of an internal audit or consulting project to the top management and audit committees, in place of an executive summary. Consequently, it is recommended that a few issues or risk management projects be developed in a case study format. A typical case study describes the situation, provides appropriate background information including the events that led to the intervention, presents the techniques and strategies used to develop the study, and highlights the key issues in the intervention. Case studies tell an interesting story of how the evaluation or test was developed and the problems and concerns identified along the way.

Case studies can be used in group discussions, where interested individuals can react to the material, offer different perspectives, and draw conclusions about the approaches and techniques. They can also serve as self-teaching guides for individuals who are trying to understand how risk evaluations were developed and utilised in the organization. Finally, case studies provide appropriate recognition to those involved in the actual cases. More importantly, they recognize the participants who achieved the results as well as the managers who allowed the participants to be involved in the project. The case study format is one of the most effective tools for learning about internal controls and risk management.

Selected case studies may then be printed as success stories in the brochures or newsletters of the organization to spread and share the knowledge.


Sunday, March 18, 2007

The Forgotten Chapter

Independence and objectivity of Internal Audit is on the top-priority list of the new Corporate Governance requirements. By reporting to the Audit Committee, Internal Audit has achieved the so-called glare of independence. Although we now have a new definition of Internal Audit, something has been deliberately missed out due to global business trends.

The new definition of Internal Audit has two objectives, in very simple words:
  • To add value by improving organization's operations.
  • To evaluate & improve the effectiveness of Internal Controls.

For the second objective, global businesses are following the COSO Internal Control framework. Whether it is Sarbanes-Oxley or Clause 49 in India, efforts are to improve the effectiveness of Risk Management & Internal Controls with respect to the financial reporting objective of COSO.

Now the question is how Internal Auditors are achieving the first objective. What frameworks or methodologies are Internal Auditors to pursue to achieve it? Are Audit Committees concerned about operations, or do they confine themselves to the financial reporting objective? Internal Auditors face the disadvantage of not reporting to the Management even as they take advantage of reporting to the Audit Committees. Independence has been gained at the cost of objectivity.

No doubt Internal Auditors need to work in their domain area, and the audit charter should clearly define scope and responsibilities. Still, I see the following four areas for Internal Audit to focus on, in addition to risk management with respect to financial reporting, to achieve the first objective of the new IA definition. The management should define the role of Internal Audit to make it responsible and accountable for adding value in the following:
  • Management Accounting
  • Resource Management
  • Financial Management
  • Knowledge Management

The above are nothing but the components of an Operational Audit and a Value for Money Audit, with the assertions of Economy, the measure of input; Efficiency, the measure of the relationship between input and output; and Effectiveness, the measure of output.

A steam engine describes the operational cycle: each component contributes towards the locomotion, and the whole system is composed of interrelated parts, the failure of one causing failure of the system. Risk Management needs to be understood holistically, as it is not just internal control management of financial reporting or of strategic/operations risk in isolation.
