Earlier this year, I published my book, Total Quality Auditing® (TQA), describing a six-step process for auditors to identify and reduce key risks and addrealvalue to the organizations (customers)they serve. TQA is derived from many of the decades old Total Quality Management (TQM) lessons developed by W. Edwards Deming that have been widely implemented by companies, in one form or another, over the last half century, around the world. The basic principle of TQM is to focus on fulfilling customer needs and developing the right culture and the controlled processes to do so. It follows that TQA focuses internal auditors on fulfilling their customer needs (yes, internal audit has customers) andemphasizing an ethical culture, and provides a controlled, lean, and balanced process of doing so. And a more perceptive, thoughtful risk assessment is a good start in accomplishing the goal.
In my live TQA training seminars, I ask participants to answer 15 “workplace ethics” questions to rate their organization’s overall ethics and to pin-point specific areas that are of greatest concern regarding ethics. The questions range in topics from financial statements and controls, safety, product integrity, process control, regulatory compliance, values and conduct, leadership integrity, and conflicts of interest. With groups of auditors and accounting and finance professionals across all industries and geographic locations, there is a consistent consensus that “conflicts of interest” as a general category drives more unethical conduct than any other category.
Considering there are always limited audit resources, step one of the TQA risk assessment process is to identify the true high-risk areas on which to focus attention. Note I said, “true high-risk.” This means TQA also challenges what you might currently be identifying as high-risk. Adding real value through high-risk auditing means focusing on individuals, functions, and processes that inherently create conflict of interest situations. Let’s look at some examples to help explain what I mean.
Conflicts of Interest with a TQA Mindset
Emphasizing revenue and profits over safety and environmental concerns… Requiring products ship quickly, cutting corners and compromising product design/integrity in the process… Fudging the quarterly financial statements to “achieve”short terms goals… Opening fraudulent accounts (or whatever the goal) in order to increase incentive payments… All conflict situations. I expect BP figured this out afterthe environmental disaster. And Wells Fargo certainly figured this out after the retail banking debacle.
But here’s the deal. Smart companiesandtotal quality auditorsfocus on inherent conflicts of interest beforea crisis occurs. They are not the auditor that walks right by a high-risk environment (e.g. safety disaster, product integrity vulnerability, financial reporting deception, incentive compensation nightmare, just to reiterate a few)on the way to audit a low-risk situation (e.g., accounts payable, which has been viewed by my survey participants as extremely low-risk, regardless of what we have been continually taught).
When Incentives Trump Integrity
Individual (and small group) incentive plans with self-serving goals (e.g., more money in employee pockets) will often trump everyone else’s interests, including customers (and other stakeholders, like shareholders). If your organization still has incentive plans, immediately place this in the conflict of interest, high-risk bucket.
Then, the very first internal audit action should be to advocate for eliminating the plans altogether. If that fails, ensure that plan goals are focused on satisfying customer (stakeholder) interests and that the target-setting processes have integrity. And be fully prepared to allocate resources to audit the plans continuously and often. Start now.
And when I say, “audit the incentive plan,” I don’t mean just adding up the numbers… you know… making sure the calculations are “accurate.”It’s time to look beyondthe numbers and start analyzing what behavior they are truly incentivizing in the first place. What are the processes to establish incentive targets/goals? Are the targets promoting the employees to act ethically or tempting them to cheat? What are the processes to track, measure, and report performance? And lastly, what are the processes to pay incentives?
Most companies have figured out that financial incentives can lead to poor decisions, ethical breaches, and fraud. Deming did a long time ago when he identified incentive plans as counterproductive. Wells Fargo just figured it out, afterthe retail banking crisis fueled by poorly designed and administered incentive plans (and after $185M in fines were paid and 5300 “unethical” employees were fired). They have since redesigned their plans (should have eliminated, in my opinion, but they are in one of “those” industries… a subject for a later article) to focus on customer interests with beefed up plan controls.
The bottom line: The theory of setting stretch goals (sometimes unrealistic), providing incentives to reach them, and then achieving great results, is a myth. It is just as likely to lead to fraud and cheating (e.g., Enron, Wells Fargo, Lehman, and on and on) than anything else.
When Profits Trump Ethics
Revenue growth goals for companies that deal with personal information (social media, financial, retail, etc.) far too often trump security and privacy of the customers. The desire to grow (and control costs) has consistently resulted in the underfunding of IT functions, functions that ensure appropriate cybersecurity and customer data privacy policies and procedures are in place. In some cases, to achieve business objectives, governmental regulations have even been ignored.
In this day and age, auditors should always place IT security and privacy in the conflict of interest, high-risk bucket. Facebook seems to have figured this out afterthey were fined $5 billion. But obviously auditors have not been focused on this high-risk area of a social media company (or any other business that deals with data privacy… which is almost everyone, really). And if they were and they were ignored, they need to take my leadership and ethics training. Speaking up (loudly, if necessary) is part of an auditor’s job.
In the case of Volkswagen (VW), unrealistic market share goals trumped engineering integrity. Under resourced (or technically impossible, think Theranos) objectives should also be placed in the conflict of interest, high-risk bucket. VW’s actions prove it. Some VW managers and engineers were committing fraud on a global scale for years to “achieve” market share goals. After terminations, fines, and some prison time, you can bet that technical integrity is considered a high-risk area at VW now. And by the way, there was no mention of auditors until afterthe crisis.
High technology (artificial intelligence, autonomous things, virtual reality, connected devices, big data, etc.) by definition should be considered vulnerable to conflict of interest and placed in the high-risk bucket as well. The goal of “being the first”or “beating the competitors”in these new technologies seems to be outpacing the examination of the ethical dilemmas they create, meaning there could be collateral damage and little ability to control it. This is why “ethics in technology” is the number one technology issue in 2019. High-tech = high-risk, and one way or another, auditors need to acquire the knowledge to audit these high-tech products and point out the collateral damage first, or they will continue to be thought of as “irrelevant” and organizations will suffer the consequences.
When External Influences Trump Internal Values
Put organization units in remote locations and individuals that spend more time with people external to the organization (customers, vendors, contractors, etc.)in the conflict of interest, high-risk bucket. “Out of sight” can mean “out of control”when it comes to employee behavior. Those who spend most of their time with others (external to the organization) may align loyalty and values elsewhere (external to the organization). They are inherently at risk for violation of the organization’s mission, values, policies, and processes. Think sales personnel, client relationship managers, traders, brokers, purchasing managers, contract administrators.
And pay close attention to those that are geographically distanced from a “home” office or corporate headquarters. Decentralization may be popular in businesses today, but it can have extreme consequences if they fall off the radar completely (or even a little). And ironically, sometimes those in remote locations are often “incentivized” because they have less supervision! This is not only a big mistake; it is target for unethical behavior. But it is also a target for auditors…so get to auditing.
When Leaders’ Desires Trump Everything Else
Disingenuous leaders (the jerks at your organization who everyone knows) set unrealistic, arbitrary goals. They don’t provide sufficient resources and the necessary training to get the job done. They manage by fear. Disingenuous leaders play “gotcha”– they do not clearly communicate objectives and expectations and then they criticize employees when expectations are not met. They are narcissistic and all about self-interest. They think that they can outsmart (remember “the smartest guys in the room”) the system. They are “smart, charming, bullies” (credit the Theranos HBO documentary: The Inventor: Out for Blood in Silicon Valley). They are ethical rationalizers, thinking of all kinds of businessreasons to dishonor organization values, violate codes of conduct, and sometimes break the law. And, they create a culture of short cuts, mistakes, falsification, and a general lack on integrity.
Everymajor crisis had leaders that met the criteria for disingenuous leadership. Put disingenuous leaders in your conflict of interest, high-risk bucket. And make a case to get rid of the disingenuous leaders at your organization. Remember, speaking up (loudly, if necessary) is part of an auditor’s job. Everyone will thank you, and then you will thank me,later.
When Auditors Trump Scandals
Next time you start your risk assessment take out a blank sheet of paper. Don’t open last years. Open your mind and start looking for “conflicts of interests” of all types, throughout your organization. Find the real conflicts and identify potential conflicts. Here is my initial TQA risk “bucket” for your continued reference, but I just know your bucket may overflow compared to mine:
- Focus on how employees are being incentivized (or what they are being measured on).
- Focus on data privacy, security, and high-tech products, and everything about them.
- Focus on areas that have no defined, meaningful standards of conduct and/or do not enforce what they have.
- Focus on areas that invest little in training and education and lack resources to do their job.
- Focus on field offices, remote or overseas locations, etc.
- Focus on individuals or units that have high interaction with external organizations/customers.
- Focus on areas that are engaged in aggressive cost cutting.
- Focus audits on managers who set arbitrary or lofty goals.
- Focus on those who are “the smartest guys in the room,” the arrogant ones (i.e., the jerks).
- Focus on managers who manage by fear.
This is the Total Quality Auditing® way to conduct a risk assessment.
I will be so proud when auditors stop walking by these high-risk scenarios and, instead, stop the frauds, the scandals, the unethical behavior happening in the first place.
