It's time for risk consultants to be players with the team on the line. Learn how to achieve innovative advantage using the case studies.
Monday, December 21, 2009
Internal Control Failures 2009
Coming straight to the point, this case study presents a way of thinking that offers better internal controls, and also helps top management to redirect resources from unnecessary monitoring and evaluation of controls towards creating better, more efficient and more competitive controls.
A large group had recently acquired a medium-sized company that had been in financial distress for a long time, changed hands three times, and grown very quickly. The group found out that the controls were abysmal. It decided to put strong controls in place as soon as possible.
One of the big firms was appointed to implement controls that would cover the identified risks. However, following its usual approach, it neglected the kind of controls that would be efficient, that could be implemented in the time available, and that would reinforce rather than weaken the culture of the company.
The dominant approach has always been long on evaluation of internal controls and short on design and implementation. It is long on post hoc reactions to weaknesses discovered and short on anticipation. There are lists of risks and controls but no overall internal control system design. Mind you, risk is only one of the considerations, alongside economics, strategic reality, and cultural fit.
The top management went on to debate all the individual control deficiencies identified by the firm and came out with a list of implementation items. The difficult task that had remained for the top management was implementation of the recommendations. But something went wrong thereafter.
Slowly things started to fall behind schedule and some strain was felt. The managers took all the time they were allowed and then a little bit more. At the same time, they gradually became aware that they were not as skilled or as productive at the controls work as they had imagined. The big firm came to help with long shifts, working through weekends, and the implementation was just a few weeks late, but it was over. Hooray!!! Champagne was opened and everyone celebrated. It was a success. We have done it. Work Hard, Party Hard.
Initially there was little or no evidence of things going wrong, but after a short while the first faint indications of problems under the surface began to emerge. As they were investigated, more problems came to light, and this eventually revealed a ghastly mess of faulty data, stuck transactions, and lost items. It was too late to go back to backups. Thousands of incorrect cases already existed, and the reason this was not visible immediately was that not enough checks were being done. The controls were not in place.
A huge amount of time and effort was spent again, this time with a different big audit firm, which again came up with more deficiencies in the internal controls. The only difference in approach was the presentation of its reports. The top management again went on to debate all the individual control deficiencies identified and came out with a new list of implementation items. But something went wrong again. No results, and wasted effort too.
It is very simple: since designing controls is more time consuming and technically demanding than evaluating them, companies should have more people capable of designing and building internal controls than they have for evaluating those controls.
Internal controls experts are not investing enough time in developing better controls; instead they spend it writing more reports about how good or bad the controls are. Evaluating controls again and again does not help.
Control weaknesses absorb a lot of evaluation effort, so having better controls in the first place reduces evaluation work. So have good controls. It is important to get assurance from direct indicators of control effectiveness that are designed into the control systems. Large processes and other sources of risk should be monitored using control effectiveness indicators such as error rates and backlog statistics. Well designed systems of internal control include and use such statistics. This is not possible for risks that crystallize less frequently. For these there is no alternative but to judge effectiveness from whether the controls appear effective in relation to the perceived risks.
The job of top management is to direct resources appropriately towards the activities that need to be done including design, development, testing, implementation, and operation of controls as well as evaluation.
Top management should study the factors that indicate resources are needed and should not focus on risks alone. Companies need to have sufficient skilled resources to carry out the whole process from design to evaluation. Resources need to be rebalanced towards design and implementation and away from evaluation. Reduce your cost of monitoring now. Happy New Year 2010.
Before I give an account of the topic I have selected today, I would like to brief you on 'where I am coming from'. I am among the fortunate ones who have done Internal Audit of five star hotels like Taj & JW Marriott in Mumbai and have spent a considerable part of my career doing these Internal Audits. My first Internal Auditing lesson came from doing Internal Auditing at Taj. My Internal Auditing style resembles my work at these five star hotels, i.e. systems audit. When I say Systems Audit, I do not mean IT systems audit but Business Systems Audit. All who have done Taj Internal Audit before TPAM audit started there will understand what I am saying.
Now, I would like to share a specific Internal Control which I think has never been paid attention to, and which I think is important not only from a Revenue Assurance point of view but also from a security point of view.
Like every business, the inventory of these hospitality giants is also required to be reconciled and physically verified. There are two kinds of perishable inventory which a hospitality unit like Taj might carry. One is connected to their F&B business and the other is connected to their Room Revenue business. We will talk about their Room Revenue Business Inventory, called Room Nights: inventory made of Time & Space which is sold to its Guests.
How do you physically verify such an inventory which is made up of Time & Space? Historical records will not serve the purpose, as one cannot go back in time to do a physical verification once you have moved ahead in time. I am sorry, but we have still not invented something called a Time Machine.
Thus, concurrent physical stock taking is the only solution available. Nowadays most hotels have software to manage their room inventory. One can tell if a room is occupied or not. Front Office keeps track of room folios opened with formal check-in and check-out procedures. More often than not, the housekeeping department in the hotel performs a check to physically verify the status of the room once or twice a day. They update the system with the room status they have independently verified.
When we have two sets of inventory data, we reconcile them, and if there are discrepancies or variances, we go and find out the cause for the discrepancies. If a room is occupied as per the Front Desk record but vacant as per housekeeping, then we have a situation called a 'Skipper', and when a room is vacant as per the front office desk but occupied as per housekeeping it's called a 'Sleeper'.
Both cases involve a possible leakage of revenue for the hospitality unit. Along with this room status control, a few hotels also resort to something called baggage control, tracking the number of patrons staying in a room, etc., to make this control complete. More often than not, I have found serious lacunae in the said control. In spite of reporting it several times to various hotel unit managements, this control has never been taken seriously by anyone and has always ranked as a low risk area.
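The reconciliation described above, written out as an added example (not code from the original post): two independent room-status extracts are compared room by room, each variance is classified as a Skipper or Sleeper, and rooms missing from one extract are flagged so an incomplete housekeeping round cannot hide a variance. The room numbers and statuses are constructed sample data.

```python
"""Room-night inventory reconciliation: Skipper / Sleeper detection.

Added example. Two constructed status extracts are assumed: one from the
Front Office system (open folios) and one from the housekeeping round.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Status vocabulary assumed to be common to both sources.
OCCUPIED = "occupied"
VACANT = "vacant"


@dataclass(frozen=True)
class Discrepancy:
    room: str
    front_office: str
    housekeeping: str
    kind: str  # "skipper", "sleeper" or "unmatched"


def classify(front_office: str, housekeeping: str) -> Optional[str]:
    """Return 'skipper', 'sleeper', or None when both sources agree."""
    if front_office == OCCUPIED and housekeeping == VACANT:
        return "skipper"   # folio still open but the guest appears to have left
    if front_office == VACANT and housekeeping == OCCUPIED:
        return "sleeper"   # room in use with no folio: an unbilled room night
    return None


def reconcile(front_office: Dict[str, str],
              housekeeping: Dict[str, str]) -> List[Discrepancy]:
    """Compare the two independent room-status extracts room by room.

    A room present in only one extract is reported as 'unmatched' rather
    than skipped, so that a partial housekeeping round is itself visible.
    """
    findings: List[Discrepancy] = []
    for room in sorted(set(front_office) | set(housekeeping)):
        fo = front_office.get(room)
        hk = housekeeping.get(room)
        if fo is None or hk is None:
            findings.append(Discrepancy(room, fo or "-", hk or "-", "unmatched"))
            continue
        kind = classify(fo, hk)
        if kind:
            findings.append(Discrepancy(room, fo, hk, kind))
    return findings


def distribution_list(findings: List[Discrepancy]) -> List[str]:
    """Route the report: Front Office always; Loss Prevention as well whenever
    a skipper or sleeper exists (the post argues they should also receive it)."""
    recipients = {"Front Office Manager"}
    if any(f.kind in ("skipper", "sleeper") for f in findings):
        recipients.add("Loss Prevention Manager")
    return sorted(recipients)


# Constructed sample extracts for one housekeeping round.
FRONT_OFFICE = {"101": OCCUPIED, "102": VACANT, "103": OCCUPIED,
                "104": VACANT, "105": OCCUPIED}
HOUSEKEEPING = {"101": OCCUPIED, "102": OCCUPIED, "103": VACANT,
                "104": VACANT}  # room 105 not visited this round

if __name__ == "__main__":
    report = reconcile(FRONT_OFFICE, HOUSEKEEPING)
    for d in report:
        print(f"room {d.room}: FO={d.front_office} HK={d.housekeeping} -> {d.kind}")
    print("send to:", ", ".join(distribution_list(report)))
```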
It's important that the managements of these hotels understand risk of having inventory that is made up of Space & Time and its possible abuse by any unscrupulous person.
The housekeeping department, although independent of the front desk personnel in verifying the room stock, is not properly trained to verify the physical status of the room when they visit a room for cleaning or otherwise. The second issue is that the housekeeping department in most of the hotels submits this room status discrepancy report only to the Front Office Manager, instead of to the Security Manager or Loss Prevention Manager along with the Front Office Manager. Moreover, the luggage brought by the guests is also not tracked and controlled to ensure an effective status control activity. Currently, the control is too mechanical, is adhered to half-heartedly, and does not ensure a subsequent procedure to ensure there is no leakage of revenue or a security threat. In simple words, hotel management should know intelligently what is happening in every room without disturbing the privacy of the guest.
I am sure the recent attacks on Taj & Trident will ensure strengthening of this control further in light of this new risk lurking over the hospitality industry. I also see improvement possibilities in gate security and guest room key control procedures.
I also feel strongly that there is something wrong with the procedures where the hoteliers have to submit details of the foreign nationals staying in their hotels to the local police station on an everyday basis. It's possible that the police station takes these reports, stamps them and sits back without doing much scrutiny of these records.
My heartfelt condolences to the families of those who have been affected by the recent inhuman act of terror at Taj, Trident and Nariman House.
The system is only as strong as its weakest control. Internal Control problems have various perspectives. Some experts have explained that Internal Control problems can be due to Managerial issues or they can be on account of Technical or Procedural issues. Weakness in one area can affect effectiveness of the other.
Internal Control frameworks like COSO have helped many corporates understand and implement Internal Controls better. However, these frameworks are not well equipped to handle Managerial issues and conflicts which can affect the effectiveness of Internal Controls within an organization.
If you visualize real time situations, you can enumerate many industrial and managerial issues which arise due to conflict between the Objectives of the COSO Framework of Internal Control, viz. Operations, Financial Reporting & Compliance. Similarly, conflicts and trade-offs may be necessary within the components of Internal Control, namely Monitoring, Information & Control, Control Activities, Risk Assessment and Control Environment. Effectiveness in one can lead to effectiveness in another, or vice versa. Some components may be complementary in nature or may be considered as an alternative Internal Control feature. So, all will not share an equal place as generally shown in the popular COSO Cube diagram.
Looking at the third dimension of the COSO Framework, you will again realize that one activity or business unit can affect other activities or business units. Thus it is important to know the conflicts and trade-offs required between the various business segments plotted on the COSO Cube.
Now let us consider the degree of responsibility from bottom level management up to the board of directors. Business people talk a lot about Corporate Governance and Internal Controls Convergence. We have laws like SOX and J-SOX. People want to get certified and we have SAS 70. CEOs & CFOs are required to certify the adequacy and effectiveness of Internal Controls. Don't you think we are thinking too linearly, when the relationship between business components and objectives can be dynamic and the diagram cannot visualize the multi-dimensional aspects of business risk and controls?
Let us visualize that each COSO cell contains a triangle. A Triangle of Responsibility. What do you see? Conflicts in responsibilities! Disproportionate allocation of duties and responsibilities! Varying expertise at each level of management!
Why do you think we have cases like failing banks, workers killing a CEO while resolving an industrial dispute, open disputes between brothers having the legacy of a great corporate showman?
What is the current state of affairs as far as Corporate Governance is concerned? Why is Insider Trading quite common?
Do we need to change our world view? Our current paradigm is not allowing us to see the reality. Will you consider a breach of control at a lower level the same as a breach of control at a higher level? Will the introduction of an extra control, legal provision or code of conduct be appropriate? If so, will it be treated and implemented similarly in all cases, or can market forces influence the justice or the design of the control itself? Overriding control is the name of the game.
Why should Boards of Directors and Audit Committee Members know about Lean and Six Sigma? These are not the buzzwords often used by this community. Although these words are a little technical and used mainly by CEOs and middle managers, the new age professionals involved in the overview function should understand these concepts clearly, as they are very much relevant as far as Corporate Governance and Business Integrity are concerned.
Let's take the example of a company that incurred a huge loss in the last year. The company's main product line had become obsolete, and its newer ones were under-performing. There were many defects and much wastage it wanted to eliminate to become Lean and profitable. Stiff competition, ever-increasing customer expectations and shifting market conditions made the change an absolute imperative.
Unfortunately, despite the good faith, diligent effort, and professional judgment that went into the cost-cutting efforts, the results did not turn out as expected. In the absence of appropriate professional guidance, the company decided to tackle cost by reducing inventory and capacity and implementing the JIT technique. It focused its initial efforts at the process level, instead of applying a top-down, risk-based approach. The programme lacked a consistent, methodical approach, and no appropriate benchmarking effort took place to capture the leading practices and performance differences correctly.
Managers were focused on achieving short-term results to drive continuous improvement without adopting a long-term strategy. Managers failed to reinvest cost savings in correcting flaws in the control design in the higher risk areas. Without a risk-based approach, it incorrectly and inadvertently cut too many controls or the wrong controls. As a result, in the wake of a worst-case scenario, and due to huge pressure on performance, creative accounting practices were resorted to by the management to cover up the under-performance.
Management often slashes costs and adopts shortcuts that jeopardize controls and upset their audit committee and shareholders. If they ignore costs, they miss opportunities to enhance competitiveness.
Weed out the waste and focus on what creates value. Nobody can deny the benefits of the best practices that make organizations Lean; however, organizations run the risk of under-performance and failure when Lean principles are incorrectly applied by enthusiastic middle managers.
Lean does not always mean elimination of extra capacity, achievement of a zero inventory level, or complete absence of paperwork, as these can make the organization vulnerable in an unforeseen crisis. When you are stripped to the bone, you are left with nothing to absorb the shock. Performance suffers and profits are less than the optimum. When companies lack resources, the Managers adopt a limited view of the Lean principles and they are not clear about where to focus their improvement efforts. More often than not they choose the wrong targets for improvement.
It is important to understand that not all the activities, transactions, and risks are equal. Their importance largely depends on the nature of the business; the inherent risk in the transactions, processes, controls, technologies; and the effectiveness of people in the organization. Like many ambitious initiatives, the potential rewards of Lean are great, but it is also critical to consider risk and control dimensions involved.
Boards of Directors and Audit Committee Members are required to cultivate an atmosphere of trust that enables the directors to challenge one another and the management. They must address their company's strategic challenges - emerging markets, competitors, and technologies - rather than seek quick fixes and CEO ousters when the company stumbles. They need to know Lean, Six Sigma and Internal Controls equally, as they complement each other in the creation of value for the stakeholders.
When your company takes up an Improvement Project like Lean or Six Sigma, it's important that a risk-based method is adopted in conducting the initial diagnostic review, so that the project targets global performance and brings significant business results for you instead of isolated local improvements that involve conflicts and control issues.
Now, a puzzle for you. Check out the following diagram and tell me whether the threaded cylinder of Value Addition will move or not. Or, how should each cog wheel move so that the threaded cylinder will move? Finding it difficult to visualize? Please solve the puzzle of Value Addition, if you can. It's a Challenge.
If you would like to meet us, please feel free to contact us.
How will you categorise a "Rs.400 crore turnover business"? Is it an SME or a large business?
SME stands for Small to Medium Enterprise. However, what exactly an SME or Small to Medium Enterprise is differs from country to country and depends on the industry norms used to classify it, like headcount or annual turnover of the enterprise. Many countries use SME to refer to a business with fewer than 250 employees, while classifying firms with 250 or more employees as "large" businesses.
Developments in prices and productivity make it necessary to adjust the financial threshold norms from time to time, and thus many countries have recently amended the definition of the SME to improve the business environment for SMEs in their country. The increase in the threshold limit allows a significant number of enterprises to maintain their SME status and ensures their eligibility for support measures.
SMEs are an essential source of jobs which foster entrepreneurship and innovation and are thus crucial for economic growth of the country. However, it is very important for these enterprises to ensure Good Growth.
It is always thought that SMEs are often confronted with market imperfections. SMEs frequently have difficulties in obtaining capital or credit, particularly in the early start-up phase. Their restricted resources may also reduce access to new technologies or innovation. Well, I would say it depends on the business objectives of the SMEs and differs on a case-by-case basis. Many factors contribute to Bad Growth, like type of ownership, management style and corporate governance, high dependency on a few individuals or resources, business control environment and commitment to Good Growth, etc.
Let's consider some real-life scenarios which I came across recently.
A few months back, I met the CFO of a leading food retail chain firm at their office in Mumbai. And, to my utter surprise, they had not carried out any Internal Audit during the past 4 years and had no immediate plans to carry one out in the near future either. Now that's Bad Growth.
I had heard the story of a business group having facilities near Mumbai, around a 3-hour drive from my place, that has grown its business significantly in a very short time and is growing at an incredible speed on a Y-O-Y basis. The directors staying in Mumbai fly their own helicopters to reach the workplace on a daily basis. Again to my utter surprise, I came to know that they have a very minimal Internal Audit programme for their fast-growing business. The Internal Auditors were mainly involved in transaction audit, and even that remained inadequate due to growing transaction volumes. I quickly realized that the remuneration paid to Internal Auditors justified deploying two audit clerks only. That's called step behaviour with Internal Audit.
Recently, I had a chance to meet and talk to the Purchase Manager of an SME organization with a CAGR of more than 40%. This time, again to my utter surprise, the guy asked me how Internal Audit is different from ISO Quality Certification Audit. I am sure such unawareness about the purpose of Internal Audit is somewhat faked. To my knowledge there are many such SMEs having a turnover of Rs 100 crore or more which have Quality Certifications but do not have an appropriate Internal Audit Programme suitable to their size of operation. What one could find is missing controls, controls overridden, mis-utilisation of resources, mismanaged processes and tacit people issues within such enterprises.
In India, private equity & venture capitalists are looking to invest in such growing businesses; however, the individuals in the organization who have a vested interest have created an environment which is not conducive to Good Growth. Processes and controls are highly dependent on a few individuals, leaving the business leaders helpless. Also, a mindset has developed among such SMEs not to part with equity, for the same reason as cited above. SME Leaders need to realize that they need to expand the business with professional help and the requisite control environment within the organization, which alone can strengthen its path to high Profitability, Efficiency and of course Good Growth.
Once upon a time, in India, there was a big hermitage of a sage in a valley of the Himalayas. There were lots of cows, and the expenses of the hermitage were met from their milk alone. The milk was also consumed by the residents of the hermitage. One day a disciple came to the sage, the headman and his Guru, to make a complaint. He expressed his doubt that somebody was mixing water into the milk of the hermitage regularly. "How to curb the ill practice?" asked the Guru. The disciple suggested that one person be employed who would monitor the milk to control the adulteration. Thus, one person was employed for the purpose.
After a few days, the disciple came again to his Guru and said that since they had employed a person to keep a watch over the milk, there had been more mixing of water than before. The Guru casually said to keep one more person to watch over the first. A few days later, there was a big blunder and many disciples came to the Guru to complain of heavy adulteration in the milk. Moreover, along with water someone had also found a fish in the milk.
The Guru said that if you employ more and more people to monitor, the adulteration is bound to increase. Initially there were a smaller number of people who had their share in the milk, and therefore there was less water in the milk. When you added a person for monitoring, his share was also added, which in turn increased the stress on the existing resources. When you employed the second person, the adulteration increased to such an extent that you now have a fish in the milk instead of cream.
The disciples humbly asked the Guru for a correct solution. The Guru said it was his mistake that he had never made his disciples mindful enough to educate and rightfully guide their subordinate disciples. Making a few people mindful does not make the society free of ills; all should understand their duties. We have to change ourselves first to bring the changes in the society. Mahatma Gandhi once said that we should become the change we want to see.
The Guru said we should have the capabilities to change the mindset of the people in the hermitage. We preferred the easy way of making a complaint instead of selecting the hard way of making our subordinates mindful of the ills of adulteration and the benefits of caring for cows to produce more milk.
Management Accounting says no one should be made liable for the inefficiencies of others. The Internal Auditor is made liable for the inefficiencies of the Control Owners. The cost of Internal Audit is connected to the extent of its testing and monitoring. When controls designed and exercised by the management are ineffective, IA places less reliance on them and increases the extent of testing and monitoring, which in turn increases the cost. When IA over-relies on the effectiveness of controls, it faces the risk of not exercising due care and diligence in preventing control failures.
The Self Control Assessment (SCA) technique in its current format too is not effective, as Control Owners are trained in the skills of monitoring instead of the objective and the ethics. There are newer ways of reducing the cost of monitoring, but the need is to go beyond the prevailing dominant designs in the industry. We must first find out how to balance our monitoring programme so that it does not involve duplication of effort, allocating valuable resources incorrectly and thus increasing our cost of monitoring. Secondly, we should become more and more objective-oriented to find newer ways of creating deterrence at a lesser cost. What do you think about an Ethics Gospel like this?
Your application of Indian philosophy is better only when you draw the correct analogy. Remember, it's rocket science and you need escape velocity to mitigate the effect of the dominant forces of existing systems and mindsets. The problem is the difficulty in drawing a correct analogy, because adulteration is on and purity is gone. Now, draw an analogy to be able to better understand the presented case study and change your execution style hereon.
No internal control can ever be proven to be 100% effective. The effectiveness assertion can only be supported or rejected. If our observation of the internal controls finds no issues related to the effectiveness assertion, then the assertion is reinforced and our reliance on that internal control increases. Each time the assertion is tested and found to be valid, it becomes more useful as an explanation of how controls work. But if any future event or testing finds the same internal control to be weak, the internal control must be rejected or modified. This modified internal control must, in turn, be tested again. This is how our knowledge of internal control advances.
However, many of us form a hard opinion about the internal controls that have been found to be effective or otherwise in the past. Hence there is a possibility in such cases that not all the evidence needed to prove the assertion is being collected, and thus the evidence collection procedure is not corroborative. We often want an internal control to work in a certain way. The tendency in such cases is always to look only for confirming evidence and neglect denying evidence. But when we step back a pace from our opinion and are willing to see our testing prove the assertion right or wrong, we are following the scientific method.
Einstein once said that no amount of experimentation can ever prove him right but a single experiment can prove him wrong. Let us understand how most of us search for evidence and how we should be doing it scientifically from the following exercise.
You have been told that the cards with light grey faces have a circle on the other side. Now suppose that before you are four cards laid out, two face up and two face down, as shown below.
What is the minimum number of cards you may need to flip to test whether the statement that all the light grey cards have a circle on their other side is true or false?
Think about the answer before you read ahead.
This simple exercise examines your tendency as to how you collect evidence. Many people opt to flip the cards that confirm the rule. They flip the card with the light grey face, and leave it at that. Or they may also turn over the card with the circle. Flipping the card with the circle does not add to the evidence, because it could show either a light grey or a dark grey surface with the rule still being true, as dark grey cards may also have a circle.
The correct answer is two. You should first flip the card showing the light grey face. If the reverse side of the light grey card is a circle, the rule is confirmed. But this does not give you all the evidence you need. Now you must look at the other side of the square, not the circle. If that shows a light grey face, the proposed rule is false, because you have found a light grey card which does not have a circle on the other side; if it is dark grey, or anything else, the rule remains intact.
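The evidence-selection logic of this exercise, as an added example that is not part of the original post: the rule "if light grey then circle" is tested by flipping only the cards whose hidden side could falsify it, and a brute-force check over every possible hidden side shows why the light grey card and the square suffice while the circle and the dark grey card add nothing. The four-card layout is constructed to match the text; card names are assumptions.

```python
"""Wason selection task: which cards can falsify "every light grey card has a circle"?

Added example. Each card has a colour side and a symbol side; only one side
is visible. The rule has the form "if colour == P then symbol == Q".
"""
from itertools import combinations, product
from typing import Dict, Set

COLOURS = ("light grey", "dark grey")
SYMBOLS = ("circle", "square")

P = "light grey"   # antecedent of the rule
Q = "circle"       # consequent of the rule

# Visible faces of the four cards as laid out in the exercise (constructed).
VISIBLE: Dict[str, str] = {
    "card1": "light grey",  # colour side up
    "card2": "dark grey",   # colour side up
    "card3": "circle",      # symbol side up
    "card4": "square",      # symbol side up
}


def cards_to_flip(visible: Dict[str, str]) -> Set[str]:
    """Select only the cards whose hidden side could disprove the rule:
    those showing P (may hide not-Q) and those showing not-Q (may hide P).
    Cards showing not-P or Q cannot violate the rule whatever they hide."""
    chosen = set()
    for card, face in visible.items():
        if face in COLOURS and face == P:
            chosen.add(card)
        elif face in SYMBOLS and face != Q:
            chosen.add(card)
    return chosen


def violates(colour: str, symbol: str) -> bool:
    """A card breaks the rule only when it is P on one side and not Q on the other."""
    return colour == P and symbol != Q


def selection_is_sufficient(visible: Dict[str, str], selection: Set[str]) -> bool:
    """Brute-force check: over every assignment of hidden sides, whenever some
    card violates the rule, does flipping `selection` reveal at least one violator?"""
    cards = list(visible)
    hidden_options = [SYMBOLS if visible[c] in COLOURS else COLOURS for c in cards]
    for hidden in product(*hidden_options):
        full = {}
        for card, h in zip(cards, hidden):
            face = visible[card]
            full[card] = (face, h) if face in COLOURS else (h, face)
        violating = {c for c, (col, sym) in full.items() if violates(col, sym)}
        if violating and not (violating & selection):
            return False  # a violation exists that these flips would never see
    return True


def minimal_sufficient_size(visible: Dict[str, str]) -> int:
    """Smallest number of flips that still detects every possible violation."""
    cards = list(visible)
    for k in range(len(cards) + 1):
        if any(selection_is_sufficient(visible, set(c)) for c in combinations(cards, k)):
            return k
    return len(cards)


if __name__ == "__main__":
    print("flip:", sorted(cards_to_flip(VISIBLE)))
    print("confirming choice {card1, card3} sufficient?",
          selection_is_sufficient(VISIBLE, {"card1", "card3"}))
    print("minimum flips needed:", minimal_sufficient_size(VISIBLE))
```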
So, if you are a next generation Internal Auditor, be clear with your logic of various assertions to be tested and use the scientific method whenever possible. Don't rely on internal controls at their face value, but observe them carefully, test them and be willing to adjust your opinion about them based on the evidence you gather.
"Is the audit committee adding any value, or is it just there for statutory compliance?" asked the furious chairman, who had recently been advised about the abnormal functioning of some of the non-financial performance measures. He said, "I know you all are really independent, but are you performing your oversight function as expected?" Although the firm had been certified by the external auditors for the effectiveness of its financial accounting controls during the past years, these controls have inherent limitations when looked at in silos. It is high time for the audit committee to look at non-financial performance measures as well.
He further said that stakeholder expectations are very high nowadays. Not just the financial accounting controls but the entire gamut of management accounting controls needs to be looked at. Those who design and implement controls can also override or bypass these controls. The audit committee members began to wonder how they could have met the expectations better. While justifying their current way of functioning, the Audit Committee members emphasized having a written code of conduct, its communication at all levels of management to prevent overriding and bypassing of controls, and a hotline programme. Though the chairman acknowledged the importance of these steps, he wanted the audit committee to become smarter and more businesslike. He wanted the audit committee to add value.
The board room conflict was in the open. Surely the members of the board and committee had failed to understand each other's expectations. Another problem was that expectations were not shared and reviewed periodically. The expectations from the audit committee had changed over time. With their expanded responsibilities, the audit committee members were struggling to fully understand and embrace the scope of their duties, including oversight of risk management and internal controls.
To avoid surprises, the audit committees should understand the importance of defining and agreeing with the board of directors on the scope of their oversight of risk management and internal controls. This scope should be revisited on a periodic basis.
Audit committee members can meet increased expectations by demonstrating the appropriate level of skepticism, asking probing questions, and having open discussions with management and the auditors while keeping the business perspective in mind. The audit committee should also target non-financial measures and the key success factors for monitoring. These key success factors should be determined with extensive top management involvement.
The conventional financial accounting reports, both internal and external, are much like the scoreboard at a cricket game. The scoreboard tells players whether they are winning or losing the game, but does not tell a player what is right or wrong about his batting, bowling or fielding. One must watch the ball in order to get a hit rather than just study the scoreboard. The conduct of management cannot be monitored effectively by looking at the financials alone; one should see the non-financial performance measures too.
The CEO of a large electronic products company received an email from a colleague seeking his ratification of some exceptions which were said to relate to some routine activities. The CEO, who was not aware of the existence of such activities, instead of ratifying them asked what the purpose of carrying out such activities was in the first place and how they were relevant to the business.
On further inquiry, it occurred to the CEO that these activities were not adding any economic value to the business but were consuming a lot of the company's resources. He then called the Internal Auditor of his company, who replied that although his role had been enlarged to improve processes, it was impossible for him to know the details of each activity carried out in the organization. Not satisfied with this answer, the CEO approached the CFO to seek his views on the current risk management efforts and on the responsibility for identifying and plugging such problems.
When the CEO came with his query, the CFO was talking to his friend, a risk consultant, who had come to his office to meet him. Soon thereafter all three were talking on the subject. The risk consultant recounted how a company had implemented activity based responsibility management, a methodology that gave the internal auditor the ability to identify and eliminate activities that do not contribute economic value to the business. These management techniques have resulted in flatter organizational structures, the elimination of hierarchies, and fewer internal controls. Managers have taken on a new role as facilitators and coaches instead of supervisors. The old, rigid hierarchical structures have little place in the era of innovation and process improvement.
Advocates of process improvement cannot be allowed to arbitrarily dismiss the concept of extensive checks and controls. The new methodology champions audit trails, clear activity definitions, appropriate separation of duties, and well-defined performance measures. The new internal controls take the form of information sharing and trust instead of internal controls inherently based on mistrust.
The approach enables management to actively participate in systematically describing the activities and decisions that have to be accomplished, and to clarify the responsibility that each person carries in relation to those activities and decisions.
After due responsibility charting, the following issues need to be addressed:
Can, or need, the individual(s) stay on top of so much? Can the decision/activity be broken into smaller, more manageable functions?
Do the individual(s) need to be involved in so many activities? Are they a gatekeeper, or could the management-by-exception principle be used?
Should this functional role or these activities be eliminated? Have processes changed to the point where resources should be re-utilized?
Does proper segregation of duties exist? Should another group be accountable to ensure proper checks and balances?
Do the type and degree of participation fit the qualifications of this role?
After the risk consultant stopped talking, the CEO smiled and, after a pause, invited both of them to join him for dinner as it was already 8:30 PM.
I was reading an interesting case study recently which seems straight out of the real world, wherein the CEO and the Chairman of the Audit Committee were arguing with each other as to how internal auditors should perform their work. The CEO was stressing the internal auditor's lack of understanding of the responsibility and authority aspects of controls. He was very furious about the fault-finding nature of their reports and he felt the need to discuss the report with him before presenting it to the committee. The Chairman at first was more interested in bridging the control gaps found in the report but, later on somewhat convinced by what the CEO was saying, started instructing the Internal Auditor to pursue more transparency with the auditees henceforth. Not everyone in the meeting was of the view that the internal audit function was adding value to the firm.
Internal control is no longer the exclusive domain of highly trained accountants on the internal auditing staff. Corporate boards, committees, CEOs, CFOs and employees at virtually every level are now seen as responsible for designing, implementing and monitoring these controls; few, however, have the training and background needed to fulfill this complex responsibility, along with understanding others' points of view on controls within the organization.
Every employee in an organization has a stake in the control process. So there is quite a possibility of conflict situations due to differences in risk perception within the organisation. Everyone who is made responsible needs to know the control framework in its entirety and how its parts work together.
Using a collaborative approach to building a culture of effective risk management, through extensive employee involvement in identifying and controlling risk factors, is essential. Thus Control Self Assessment is being recognized by businesses as a powerful tool to help auditors, management, and others examine and assess business processes and control effectiveness within their organizations. However, harmonization in understanding the controls from various perspectives is also very essential. Conflicts of interest due to the varying use of management accounting information by different business managers should not hamper the risk management processes.
I have attached a risk score tool which will prove useful to score the risk perspectives of various participants and to foster innovative discussion between them to resolve conflicts and improve risk management processes.
Participative and playful discussion on differences of opinion makes the participants learn more about the controls and their own responsibility regarding risk management. They tend to become involved in designing and executing the controls that contribute to meeting the organization's goals and objectives.
When an opportunity to commit fraud exists, someone has likely already exploited it. Then the role of fraud investigators is just to determine the extent of the losses. What do fraud perpetrators do? They don't play by the rules. They ignore internal controls or compromise them. The circle represents your 'As Is' internal controls and the square represents what employees really do. There is no proof in the audit books that segregation of duties is generally effective or worth its often significant cost. It depends on the case. To my knowledge, segregation of duties is the most overemphasized and often least cost-effective control design option available.
A breakdown in segregation of duties is mostly a symptom of bad control design. Apparently it seems that segregation of duties will improve controls. However, the laws of human psychology and the realities of the workplace prevent segregation of duties from being an effective control.
Segregation of duties is expected to prevent fraud and error and to safeguard assets. However, reality is different. Let us take a couple of examples from the hospitality business. The chef picks up the phone and orders the material directly from the supplier, and purchasing prepares the paperwork after the fact, often when the invoice arrives. What happened to the requisition, purchase order approvals, etc.? It is to be noted that the chef has done nothing wrong as far as business objectives are concerned. Does it mean control objectives are not in sync with business objectives?
In a restaurant, check voids are supposed to be approved by both the restaurant manager and the chef to serve as a dual control. However, repeated voids of the same menu item due to its bad taste never get attention for appropriate action. What really happens? The manager and chef sign all void checks just to serve the control. Actually, responsibility is not fixed in this case. When we find everything approved, we say the controls are effective. What about the purpose?
Such ineffective practices are bad for the business as they block innovation and learning. The need is for analyzing risk and control within a specific process or work group in order to coach the work group about the control practices and their effectiveness. This will help us form a reliable opinion about the effectiveness of the controls. Companies should expect occasional error, fraud, or abuse and deal with it. The organization will be healthier as a result. Trust but verify can be a powerful, cost-effective strategy.
Some companies are using ongoing surveys to seek input from employees on sensitive soft control issues. Tools can be as simple as an automated Excel sheet or a web-based tool to increase awareness and reflect the real business needs for the controls. Risk perception determines your risk management process. So let us get innovative and meaningful in our approach.
If you think the risk of shrinkage in a retail outlet can be eliminated completely with the latest technological controls like bar codes, smart tags, RFID, scanners, and CCTV together with tight physical security, then you probably need to rethink.
Ethical shoplifting is a fraud story from a food retail chain in Mumbai. The story has dramatic scenes of shoplifting and shop un-lifting, and of inventory leakage without physical goods moving out of the store. You may wonder how it is possible to have inventory leakage without physical goods moving out unethically, and without voids.
A year back, I was on an assignment for a retail giant at their Lower Parel office in Mumbai; a gentleman approached me and asked me if I was again on a hunt. I was surprised to hear the words and I felt that I had seen him before.
I had managed to break the traps of this Mr. Fraud when he was working with a renowned retail chain in Mumbai as a supervisor. Although he had changed his job since then to work with this biggest retail giant in Mumbai, he remembered me distinctly, and how I had caught him and his tricks in the past. He looked humble but still cunning.
This smart man had seen various store situations: peak-time footfalls, power failures in stores, consumer disputes, night-time cash counting, etc. He had discovered around 10-12 tricks to earn Rs. 4000-5000 every day, i.e. around 1% of the revenue of the store.
I am sharing one of his tricks here, which is about ethical shoplifting/un-lifting.
People leave articles at the cash counters before they settle their bills. Maybe they don't want to purchase them. Sometimes people even return articles immediately after they get billed. People have disputed because they have been told to pay first and then return the article at the sales return counter to get the money back. Many people paid less and left the articles at the counter. This is all about billing errors and mood changes of the customers. You cannot imagine everything that happens at peak hour at a food retail hypermarket in a crowded urban city like Mumbai, when customer service is your motto.
Duplicate bills. If you are a retailer, I am 150% sure that the use of duplicate invoices is not getting tracked properly in your store. I bet; just check back.
Mr. Fraud, with one favorite cashier of his, had done the trick. They managed to print duplicate bills, on the basis of which they picked up articles from the racks inside the store to send to the sales return counter as if the articles had been left behind by customers after being billed but for which no collection could be made.
The sales return counter had seen such situations and disputes with customers earlier. So the clerk there could easily believe the circumstances. He could not perceive a risk because it never involved GIVING, as no cash refund was involved at the outset. Moreover, he received an article which needed to go back on the racks after the due procedures. Mr. Fraud, who was a supervisor, un-lifted the lifted material at the sales return counter with the duplicate bill which showed the sale of the article.
The cashier removed that much cash from the sales. At the time of final cash reconciliation, the short cash got adjusted against the sales return. No one ever questioned the inter-counter cash adjustments between the cash counter and the sales return counter, as there was physical material present which had been un-lifted at the counter some hours back in good spirits. At night everybody wants to go home. In the morning, all controls are paperwork and you will never know what happened the previous day.
If you think that with strong physical controls no cashier can take cash out of the store, then mind your thought, as it is the easiest of all. You can have hundreds of secret pockets and baskets in which cash can go out. The NO POCKET policy is a flop. I could catch this trick of his and his other 12 tricks because I had an idea of something called THREADS. THREADS are always there.
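The three signs of the duplicate-bill trick described above (a bill printed twice, a sales return booked with no refund paid out, and a matching night-time cash adjustment from the cash counter to the sales return counter) can be joined up in a reconciliation check. The following is an added example, not the author's tool or any retailer's POS software; the bill, return and adjustment records are constructed sample data for one trading day.

```python
"""Reconciliation check for the duplicate-bill / sales-return trick.
Added example with constructed sample POS data; not the author's tool."""
from collections import defaultdict

# Constructed sample data for one trading day (not from the post).
BILL_PRINTS = [
    # (bill_id, amount, cashier, print_no)
    ("B1001", 450.0, "cashier-3", 1),
    ("B1002", 1200.0, "cashier-3", 1),
    ("B1002", 1200.0, "cashier-3", 2),   # duplicate print of a paid bill
    ("B1003", 300.0, "cashier-7", 1),
    ("B1003", 300.0, "cashier-7", 2),    # duplicate print, customer lost the bill
]
SALES_RETURNS = [
    # (return_id, bill_id, amount, refund_mode); refund_mode "none" means
    # the goods were booked as "left at the counter" with nothing paid out
    ("R01", "B1002", 1200.0, "none"),
    ("R02", "B1003", 300.0, "cash"),
]
CASH_ADJUSTMENTS = [
    # (from_counter, to_counter, amount) entries made at night reconciliation
    ("cash-counter", "sales-return", 1200.0),
]


def duplicate_print_counts(prints):
    """Map bill_id -> number of prints, for bills printed more than once."""
    counts = defaultdict(int)
    for bill_id, _amount, _cashier, _print_no in prints:
        counts[bill_id] += 1
    return {bill: n for bill, n in counts.items() if n > 1}


def suspicious_returns(prints, returns, adjustments, tol=0.01):
    """Flag sales returns that combine the three signs of the scheme:
    a duplicate-printed bill, no refund paid out, and an inter-counter cash
    adjustment from the cash counter to sales return for the same amount."""
    dup = duplicate_print_counts(prints)
    adjusted = [amt for src, dst, amt in adjustments
                if src == "cash-counter" and dst == "sales-return"]
    flagged = []
    for return_id, bill_id, amount, refund_mode in returns:
        if bill_id not in dup or refund_mode != "none":
            continue
        if any(abs(amt - amount) <= tol for amt in adjusted):
            flagged.append((return_id, bill_id, amount))
    return flagged


def cashiers_behind(prints, flagged):
    """Which cashier printed the duplicates behind each flagged return."""
    by_bill = defaultdict(set)
    for bill_id, _amount, cashier, print_no in prints:
        if print_no > 1:
            by_bill[bill_id].add(cashier)
    return {bill_id: sorted(by_bill[bill_id]) for _r, bill_id, _a in flagged}


if __name__ == "__main__":
    hits = suspicious_returns(BILL_PRINTS, SALES_RETURNS, CASH_ADJUSTMENTS)
    print(hits, cashiers_behind(BILL_PRINTS, hits))
```

A genuine duplicate print with a cash refund (B1003) passes, while the return that was never refunded and was squared off by an inter-counter adjustment (B1002) is the one that reaches the morning review.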
My next study is on the Just in Time (JIT) Inventory Method Blunder. This is not a fraud story but one of incorrect application of JIT.
After this, I want to write on ENRON & BOW-FORCE. I know you would like to know in brief how SOX was born to take away millions of dollars from the corporate world, and it is unfortunate that the situation is still the same and the chances of corporate frauds have never reduced at all.
Nowadays many want to look at SOX as a process improvement tool rather than a Fraud Prevention Assurance Tool. I bet all the big minds have again missed it completely and are ethically justifying higher controlling costs.
I was given an assignment a few years back to find leakage of revenue in the disco outlet of a five star hotel in Mumbai. I was quite excited about the place. Mind you!! It is still one of the most happening places in Mumbai.
I remember I met the outlet manager and discussed the processes. He said there were good controls like continuous vigilance by CCTV, proper segregation of duties, strict control over cash handling, accurate and well documented revenue reconciliations, coupon stationery controls and so on.
In those days, while searching on Google, I came across an interesting web page on 101 ways to cheat in a Restaurant and Bar. I was amazed to see such material on the net. I am not sure if controllers in the hospitality industry know this. These were tricks of the trade. I thought that, like an ethical hacker, some day I would be working as an ethical control breaker to see if controls could be broken or overridden. I started abstract thinking and visualizing immediately.
To enter that disco outlet, you had to pass the bouncers, the men who check whether you are an eligible character to enter the disco. Then you had to purchase coupons, either by credit card or cash, from the cash counter to be able to enter the disco. Sales of coupons were recorded in the POS system immediately.
The bartenders were required to take the correct amount of coupons for drinks served. These coupons were minced or shredded before being put in a locked box, the keys of which were with the food & beverage controllers.
Room guests of the hotel were also required to purchase coupons to enter the disco. They could settle the coupons purchased directly to their room folio from the POS.
Room guests were also given a facility inside the disco to run a tab, by which one can have drinks without paying every time. The idea was to settle all the drinks at the end on the basis of the tab recorded by the bartender. These tab consumptions too were charged to the folio of the room guest by the cashier in the presence of the bartender.
Once an amount was settled, no one could change anything in the system, and proper revenue reconciliations were happening.
Although the controllers and the outlet manager told me that the controls were effective and the current monitoring system was able to mitigate the possibility of any substantial mischief, I approached it with a mind-set to challenge the existing processes like an ethical hacker.
Clear evidence of duplication in the process was revealed to me. Dues of room guests could be settled directly to the room folio both when running a tab and for the purchase of coupons.
I could see that if I were a cashier, I would have beaten the system to earn some extra money every night. The job that remained was to see whether the cashiers were thinking like me or not and to gather the evidence of such a possibility.
It was then simple. To do the mischief, it was required to show some drinks sold against a running tab as a sale of coupons to room guests and then to remove that many coupons for personal gain without their being accounted for.
On close scrutiny it was revealed that for some of the room guests there were two checks prepared for every tab, in addition to the check prepared for the purchase of coupons at the time of entry into the disco.
Out of those two checks, one was charged directly to the room folio for a part of the tab consumption and the remainder was charged to the room as a sale of coupons. Although the correct amount was charged to the room folio, the cashiers could embezzle the coupons without being noticed in the reconciliation process.
All evidence was present of the effectiveness of controls. However, there was a trick. Although it looked so simple, nobody thought of it initially. It was both a control effectiveness and an efficiency issue. Once the problem was identified, the solution was simple.
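The reconciliation missed the split tab because it only checked that the folio total was right. A check at the level of individual POS checks catches the pattern described above: a coupon sale posted to a room folio while that folio's tab was open. The following is an added example with constructed sample checks and tabs for one night; it is not the hotel's POS or the author's working papers, and the folio numbers, tab ids and timestamps are made up.

```python
"""Check for the split-tab pattern: a room guest's tab consumption posted
partly as a coupon sale. Added example with constructed POS data; not the
hotel's system or the author's working papers."""
from collections import defaultdict

# Constructed sample checks for one night (not from the post).
# posted_at is minutes after the disco opened, so the night does not wrap.
CHECKS = [
    # (check_id, folio, kind, amount, posted_at); kind "coupon_sale" or "tab"
    ("C101", "R512", "coupon_sale", 500.0, 5),     # coupons bought at entry
    ("C102", "R512", "tab", 1800.0, 100),
    ("C103", "R512", "coupon_sale", 700.0, 101),   # part of the tab, booked as coupons
    ("C104", "R640", "coupon_sale", 500.0, 30),
    ("C105", "R640", "tab", 2400.0, 175),
    ("C106", "W001", "coupon_sale", 900.0, 40),    # walk-in guest, no folio tab
]
TABS = [
    # (tab_id, folio, opened_at, settled_at)
    ("T9", "R512", 20, 101),
    ("T12", "R640", 45, 175),
]


def split_tab_checks(checks, tabs):
    """Return coupon-sale checks posted to a folio while its tab was open.
    Coupons are only expected to be sold at entry, before any tab exists."""
    open_windows = defaultdict(list)
    for tab_id, folio, opened_at, settled_at in tabs:
        open_windows[folio].append((tab_id, opened_at, settled_at))
    flagged = []
    for check_id, folio, kind, amount, posted_at in checks:
        if kind != "coupon_sale":
            continue
        for tab_id, opened_at, settled_at in open_windows.get(folio, []):
            if opened_at <= posted_at <= settled_at:
                flagged.append((folio, tab_id, check_id, amount))
    return flagged


def coupons_at_risk(checks, tabs):
    """Total value of coupons charged to folios that never reached the guest,
    i.e. the amount of coupon stock a cashier could have removed unnoticed."""
    return sum(amount for _f, _t, _c, amount in split_tab_checks(checks, tabs))


def folio_check_counts(checks):
    """Per folio, number of checks by kind; more than one coupon sale per
    folio per night is itself worth a look at the reconciliation."""
    counts = defaultdict(lambda: defaultdict(int))
    for _check_id, folio, kind, _amount, _posted_at in checks:
        counts[folio][kind] += 1
    return {folio: dict(kinds) for folio, kinds in counts.items()}


if __name__ == "__main__":
    print(split_tab_checks(CHECKS, TABS), coupons_at_risk(CHECKS, TABS))
```

Folio R512's total is correct either way, which is why the revenue reconciliation passed; only the second coupon sale posted inside the tab window gives the trick away.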
The case study presented here is of intentional mischief where duplication of process was involved. However, duplications can also lead to unintentional leakages. Also, this is just one of the aspects to be kept in mind while testing the effectiveness and efficiency of controls.
Duplication can cause problems in higher level processes too. I am aware of a case wherein the Business Head of an advertising agency was involved in manipulating his Sales KPI (Key Performance Indicator).
My next case study is devoted to Ethical Shoplifting at a Food Retail Chain. This is again an interesting mischief that happened in one of the retail chains in Mumbai despite all the so-called good controls. This will be followed by a case study on the risk of incorrect benchmarking and incorrect process improvement initiatives and the failure of the Just in Time Inventory Method.
Till then, I want you to live with the following thoughts.
One needs to challenge the existing in an ethical way. Some of the ethical hackers who hack into technological systems with due permission of the corporate were just below 15 years of age. It does not require experience but the power of abstract and radical thinking and knowledge of the tricks.
Don't you think you need someone who can beat your systems, ethically of course? It's about the efficiency of controls. One of our services is to increase the efficiency of your controls.
Note: I thought a story-like case study would be more appropriate than a structured one. However, I look forward to your comments.