Conducting Risk Assessments the Total Quality Auditing Way

Ever wonder why incidents of fraud, wrongdoing, and other calamities in various forms continue at organizations year after year, decade after decade, and even seem to be increasing in frequency? Inevitably, after such crises someone asks, “Where were the auditors?” As much as I hate to admit it, the answer may be that the internal auditors were moving past the major, high-risk areas on their way to execute a routine annual audit plan, one that is invariably chock-full of easy, superfluous audits addressing low-to-moderate risks.

For the last few years, I’ve been developing my Total Quality Auditing approach, which describes a six-step process for auditors to identify and reduce key risks and add real value to the organizations they serve. TQA is derived from the Total Quality Management (TQM) lessons developed by W. Edwards Deming that have been widely implemented by companies around the world, in one form or another, over the last half century. The basic principle of TQM is to focus on fulfilling customer needs and developing the right culture and the controlled processes to do so.


It follows that TQA focuses internal auditors on fulfilling their customer needs (yes, internal audit has customers), while emphasizing an ethical culture. Total Quality Auditing provides a controlled, lean, and balanced process for addressing the most important risks and auditing what matters. And a more perceptive, thoughtful risk assessment is a good start to accomplishing those goals.

In my live TQA training seminars, I ask participants to answer 15 workplace ethics questions to rate their organization’s overall ethics and to pinpoint specific areas of concern. The questions cover topics ranging from financial statements and controls, safety, product integrity, process control, regulatory compliance, values and conduct, and leadership integrity to conflicts of interest. Across groups of auditors and accounting and finance professionals in all industries and geographic locations, there is a consistent consensus that “conflicts of interest,” as a general category, drives more unethical conduct than any other category.

Considering there are always limited internal audit resources, step one of the TQA risk assessment process is to identify the true high-risk areas on which to focus attention. Note I said, “true high risk.” This means TQA also challenges what you might currently be identifying as high risk. Adding real value through high-risk auditing means focusing on individuals, functions, and processes that inherently create conflicts of interest during risk assessments. Let’s look at some examples to help explain what I mean.

Taking a TQA Mindset to Conflicts of Interest
Emphasizing revenue and profits over safety and environmental concerns… Requiring products to ship quickly, cutting corners and compromising product design and integrity in the process… Fudging the quarterly financial statements to achieve short-term goals… Opening fraudulent accounts (or whatever the goal) in order to increase incentive payments… All are situations fraught with conflicts of interest. I expect BP figured this out after the environmental disaster. And Wells Fargo certainly figured this out after the retail banking debacle.

But here’s the deal. Smart companies and total quality auditors focus on inherent conflicts of interest before a crisis occurs. They focus on them during risk assessments. They are not auditors who walk right by a high-risk environment (work safety issues, product integrity vulnerabilities, financial reporting deception, and incentive compensation misalignment, to reiterate a few) on the way to audit a low-risk situation such as accounts payable, which my survey participants have consistently viewed as extremely low-risk, regardless of what we have been continually taught.

When Incentives Trump Integrity
Individual and small group incentive compensation plans with self-serving goals will often trump everyone else’s interests, including those of customers, shareholders, regulators, and other stakeholders. If your organization relies heavily on incentive compensation plans, immediately place this in the potential conflict of interest, high-risk bucket.

The very first internal audit action, when assessing incentive plans, should be to ensure that the plan’s goals are focused on satisfying customer and other stakeholder interests and that the target-setting processes have integrity. You should be fully prepared to allocate resources to audit the plans continuously and often. Start now. In some cases, you may even want to advocate for eliminating the plans altogether.

When I say, “audit the incentive plan,” I don’t mean just adding up the numbers… you know… making sure the calculations are accurate. It’s time to look beyond the numbers and start analyzing what behavior they are truly incentivizing in the first place. What are the processes to establish incentive targets and goals? Are the targets incenting employees to act ethically or tempting them to cheat? What are the processes to track, measure, and report performance? And lastly, what are the processes to pay incentives?

Most companies have figured out that financial incentives can lead to poor decisions, ethical breaches, and fraud. Deming did a long time ago when he identified incentive plans as counterproductive. Wells Fargo just figured it out, after the retail banking crisis fueled by poorly designed and administered incentive plans, and after $185M in fines were paid and 5,300 “unethical” employees were fired. They have since redesigned their plans to focus on customer interests, with beefed-up plan controls. In my opinion they should have eliminated them completely.

The bottom line: The theory of setting stretch goals (sometimes unrealistic ones), providing incentives to reach them, and then achieving great results is a myth. It is just as likely to lead to fraud and cheating as to anything else, and there are many more companies than Wells Fargo (Enron and Lehman Bros. come to mind) that have learned that lesson the hard way.

When Profits Trump Ethics
Revenue growth goals for companies that deal with personal information, such as those in the social media, financial, retail, and many other industries, far too often trump the security and privacy of their customers. The desire to grow and control costs has consistently resulted in the underfunding of IT functions, the very functions that ensure appropriate cybersecurity and that customer data privacy policies and procedures are in place. In some cases, governmental regulations have even been ignored to achieve business objectives.

In this day and age, auditors should always place IT security and privacy in the high-risk conflict-of-interest bucket during risk assessments. Facebook, for example, seems to have figured this out after it was fined $5 billion by the Federal Trade Commission. But obviously auditors at most online businesses have not been focused on this high-risk area. And if they were focused on it and their concerns were ignored, they need to take those concerns to the board. Speaking up (loudly, if necessary) is part of every internal auditor’s job.

In the case of Volkswagen, unrealistic market share goals trumped engineering integrity. Under-resourced objectives (or technically impossible ones; think Theranos) should also be placed in the conflict-of-interest, high-risk bucket. VW’s actions prove it. Some VW managers and engineers were committing fraud on a global scale for years to “achieve” market share goals. After terminations, fines, and some prison time, you can bet that technical integrity is considered a high-risk area at VW now. And by the way, there was no mention of internal audit until after the crisis.

Companies in high-tech industries that deal with such advancements as artificial intelligence, autonomous vehicles, virtual reality, connected devices, big data, and many other futuristic offerings should be considered vulnerable to conflicts of interest, and the processes around these areas belong in the high-risk bucket as well. The goals of being first and beating the competitors in these new technologies seem to be outpacing the examination of the ethical dilemmas they stir up, meaning there could be collateral damage and little ability to control it. This is why “ethics in technology” is the number one technology issue in 2019. High tech equals high risk, and one way or another, auditors need to acquire the knowledge to audit these high-tech products and point out the collateral damage first, or they will continue to be thought of as irrelevant and organizations will suffer the consequences.

When External Influences Trump Internal Values
Put organization units in remote locations, and individuals who spend more time with people external to the organization (customers, vendors, contractors, and others), in the conflict-of-interest, high-risk bucket. “Out of sight” can mean “out of control” when it comes to employee behavior. Those who spend most of their time with others external to the organization may align their loyalty and values elsewhere, and can be vulnerable to kickbacks, bribery, misappropriation of funds, and other problems. They are inherently at risk of violating the organization’s mission, values, policies, and processes. Think sales personnel, client relationship managers, traders, brokers, purchasing managers, contract administrators, and others.

Also pay close attention to those who are geographically distanced from a home office or corporate headquarters. Decentralization may be popular in businesses today, but it can have extreme consequences if those units fall off the radar completely, or even a little. And ironically, those in remote locations are sometimes “incentivized” precisely because they have less supervision! This is not only a big mistake; it is a recipe for unethical behavior. But it is also a target for auditors… so get auditing.

When Leaders’ Desires Trump Everything Else
Disingenuous leaders (the jerks at your organization whom everyone knows) set unrealistic, arbitrary goals. They don’t provide sufficient resources or the necessary training to get the job done. They manage by fear. Disingenuous leaders also play “gotcha”: they do not clearly communicate objectives and expectations, and then criticize employees when expectations are not met. They are narcissistic and all about self-interest. They think that they can outsmart the system. (Remember “the smartest guys in the room”?) They are ethical rationalizers, thinking of all kinds of business reasons to dishonor organization values, violate codes of conduct, and sometimes break the law. And they create a culture of shortcuts, mistakes, falsification, and a general lack of integrity.

Every major crisis had leaders who met the criteria for disingenuous leadership. Put disingenuous leaders in your conflict-of-interest, high-risk bucket. And make a case to get rid of the disingenuous leaders at your organization. Remember, speaking up (loudly, if necessary) is part of an internal auditor’s job. Everyone will thank you.

When Auditors Trump Scandals
Next time you start your risk assessment, don’t open last year’s assessment. Instead, take out a blank sheet of paper, open your mind, and start looking for conflicts of interest of all types throughout your organization. Find the real conflicts and identify potential conflicts. Here is my initial TQA risk “bucket” for your continued reference, but I just know your bucket may overflow compared to mine:

  • Focus on how employees are being incentivized or what they are being measured on.
  • Focus on data privacy, security, and high-tech products, and everything about them.
  • Focus on areas that have no defined, meaningful standards of conduct or units that do not enforce the standards they have.
  • Focus on areas that invest little in training and education and those that lack resources to do their job.
  • Focus on field offices, remote, and overseas locations.
  • Focus on individuals or units that have high interaction with external organizations.
  • Focus on areas that are engaged in aggressive cost cutting.
  • Focus audits on managers who set arbitrary or lofty goals.
  • Focus on those who are “the smartest guys in the room,” the arrogant ones.
  • Focus on managers who manage by fear.

This is the Total Quality Auditing way to conduct a risk assessment. I will be so proud when auditors stop walking by these high-risk areas and, instead, stop the frauds, the scandals, and the unethical behavior that is happening in the first place.

Amanda “Jo” Erven is president and founder of Audit. Consulting. Education. LLC, a firm specializing in providing progressive internal auditing and leadership seminars. She is the author of Total Quality Auditing: How a Total Quality Mindset Can Help Internal Audit Add Real Value.