Our Chapter’s Vice-President Rumbi Petrolozzi’s comment in her last blog post to the effect that one of the most challenging tasks for the forensic accountant or auditor working proactively is defining the most effective and efficient scope of work for a risk-based assurance project. Because resources are always scarce, assurance professionals need to make sure they can meet both quality and scheduling requirements whilst staying within our fixed resource and cost constraints.
An essential step in defining the scope of a project is identifying the critical risks to review and the controls required to manage those risks. An efficient scope focuses on the subset of controls (i.e., the key controls) necessary to provide assurance. Performing tests of controls that are not critical is not efficient. Similarly, failing to test controls that could be the source of major fraud vulnerabilities leads to an ineffective audit. As Rumbi points out, and too often overlooked, the root cause of most risk and control failures is people. After all, outstanding people are required to make an organization successful, and failing to hire, retain, and train a competent team of employees inevitably leads to business failure.
In an interview, a few decades ago, one of America’s most famous business leaders was asked what his greatest challenges were in turning one of his new companies around from failure to success. He is said to have responded that his three greatest challenges were “people, people, and people.” Certainly, when assurance professionals or management analyze the reasons for data breaches and control failures, people are generally found to be the root cause. For example, weaknesses may include (echoing Rumbi):
Insufficiently trained personnel to perform the work. A common material weakness in compliance with internal control over financial reporting requirements is a lack of experienced financial reporting personnel within a company. In more traditional anti-fraud process reviews, examiners often find that control weaknesses arise because individuals don’t understand the tasks they have to perform.
Insufficient numbers to perform the work. When CPAs find that important reconciliations are not performed timely, inventories are not counted, a backlog in transaction processing exists, or agreed-upon corrective actions to address prior audit findings aren’t completed, managers frequently offer the excuse that their area is understaffed.
Poor management and leadership. Fraud examiners find again and again, that micromanagers and dictators can destroy a solid finance function. At the other end of the spectrum, the absence of leadership, motivation, and communication can cause whole teams to flounder. Both situations generally lead to a failure to perform key controls consistently. For example, poor managers have difficulty retaining experienced professionals to perform account reconciliations on time and with acceptable levels of quality leading directly to an enhanced level of vulnerability to numerous fraud scenarios.
Ineffective human resource practices. In some cases, management may choose to accept a certain level of inefficiency and retain individuals who are not performing up to par. For instance, in an example cited by one of our ACFE training event speakers last year, the financial analysis group of a U.S. manufacturing company was failing to provide management with timely business information. Although the department was sufficiently staffed, the team members were ineffective. Still, management did not have the resolve to terminate poor performers, for fear it would not be possible to hire quality analysts to replace the people who were terminated.
In such examples, people-related weaknesses result in business process key control failures often leading to the facilitation of subsequent frauds. The key control failure was the symptom, and the people-related weakness was the root cause. As a result, the achievement of the business objective of fraud prevention is rendered at risk.
Consider a fraud examiner’s proactive assessment of an organization’s procurement function. If the examiner finds that all key controls are designed adequately and operating effectively, in compliance with company policy, and targeted cost savings are being generated, should s/he conclude the controls are adequate? What if that department has a staff attrition rate of 25 percent and morale is low? Does that change the fraud vulnerability assessment? Clearly, even if the standard set of controls were in place, the function would not be performing at optimal levels. Just as people problems can lead to risk and control failures, exceptional people can help a company achieve success. In fact, an effective system of internal control considers the adequacy of controls not only to address the risks related to poor people-related management but also to recognize reduction in fraud vulnerability due to excellence in people-related management.
The people issue should be addressed in at least two phases of the assurance professional’s review process: planning and issue analysis (i.e., understanding weaknesses, their root cause, and the appropriate corrective actions). In the planning phase, the examiner should consider how people-related anti-fraud controls might impact the review and which controls should be included in the scope. The following questions might be considered in relation to anti-fraud controls over staffing, organization, training, management and leadership, performance appraisals, and employee development:
–How significant would a failure of people-related controls be to the achievement of objectives and the management of business risk covered by the examination?
–How critical is excellence in people management to the achievement of operational excellence related to the objectives of the review?
Issue analysis requires a different approach. Reviewers may have to ask the question “why” three or more times before they get to the root cause of a problem. Consider the following little post-fraud dialogue (we’ve all heard variations) …
CFE: “Why weren’t the reconciliations completed on time?”
MANAGER. “Because we were busy closing the books and one staff member was on vacation.”
CFE: “You are still expected to complete the reconciliations, which are critical to closing the books. Even with one person on vacation, why were you too busy?”
MANAGER: “We just don’t have enough people to get everything done, even when we work through weekends and until late at night.”
CFE: “Why don’t you have enough people?”
MANAGER: “Management won’t let me hire anybody else because of cost constraints.”
CFE: “Why won’t management let you hire anybody? Don’t they realize the issue?”
MANAGER: “Well, I think they do, but I have been so busy that I may not have done an effective job of explaining the situation. Now that you are going to write this up as a control weakness, maybe they will.”
The root cause of the problem in this scenario is that the manager responsible for reconciliations failed to provide effective leadership. She did not communicate the problem and ensure she had sufficient resources to perform the work assigned. The root cause is a people problem, and the reviewer should address that directly in his or her final report. If the CFE only reports that the reconciliations weren’t completed on time, senior management might only press the manager to perform better without understanding the post-fraud need for both performance improvement and additional staff.
In many organizations, it’s difficult for a reviewer to discuss people issues with management, even when these issues can be seen to directly and clearly contribute to fraud vulnerably. Assurance professionals may find it tricky, for political reasons to recommend the hiring of additional staff or to explain that the existing staff members do not have the experience or training necessary to perform their assigned tasks. Additionally, we are likely to run into political resistance when reporting management and leadership failure. But, that’s the job assurance professionals are expected to perform; to provide an honest, objective assessment of the condition of critical anti-fraud controls including those related to people. If the scope of our work does not consider people risks, or if reviewers are unable to report people-related weaknesses, we are not adding the value we should. We’re also failing to report on matters critical to the maintenance and extension of the client’s anti-fraud program.