Download (direct link):
Controls programs are the bedrock of most compliance efforts and, while often basic in their nature (e.g., segregation of duties), they will surely benefit from future development and refinement. In thinking about controls, I am prone to recall Leuciâ€™s observation about people in organizations: 5 percent are clean, 5 percent are dirty, and 90 percent are â€śwaiting to see what happens.â€ť In discussing Leuci previously, I mentioned him in the context of organizational socialization processes and informal cultures. I think it is also possible to think of his observation in terms of controls as well.
Carpenter and Mahoney likewise cite the Institute of Management and Administration/Institute of Internal Auditors 1999 Business Fraud Survey on this issue:
Similarly, communication of the organizationâ€™s ethics and fraud program to the workforce would seem to be an obvious component of an effective fraud detection program. However, 34 percent of the respondents noted that their program was â€śwell-intentioned but meaningless to employees,â€ť while an additional 21 percent stated that no such program existed. When asked how their fraud detection programs could be enhanced, 63 percent of survey participants recommended requiring strict monitoring of basic internal controls.9
In this regard, it appears that Campbell, in his thoughts on building a successful security function at Fidelity Investments, was insightful in his emphasis on the need for effective communication of program objectives as being crucial. We shall later examine Campbellâ€™s accomplishments in more detail.
Controls are ubiquitous. They are probably unnecessary for 5 percent of employees, and are seen as an obstacle to be evaded by another 5 percent, but it
is the remaining 90 percent that interests me. The 5 percent who do not need controls must accept them as the cost of doing business. The 5 percent that may try to evade them must be identified and dealt with in an appropriate manner. For the remaining 90 percent, controls are certainly constraints on their behavior but also, I would hope, instructive in explaining the organizationâ€™s view of how one is expected to comport oneâ€™s self. They are designed and in place as a ready reference guide, to be consulted when uncertainty or temptation appears.
Perhaps Leuci has done us a great service in suggesting we resist the temptation to focus on the anomaliesâ€”the good and the evilâ€”and pay most attention to the middle.
When thinking about the law enforcement concepts we have discussed, especially in New York City, one is tempted to think about numbers. Numbers, indeed, may impede an effective controls program. One may be persuaded that while the NYPD was able to effect some impressive innovations and reduce crime by a significant amount, they are also a huge organization. Much bigger than any internal audit function of which I am aware.
There is substance to this argument, but we must not let it oversimplify our thinking. Certainly, a three-person audit shop in an organization with 50,000 employees is going to have its hands full and, in that instance, staffing levels may be a legitimate issue on the way to an improved compliance climate. But, let us again think of New York City. The NYPD has, for sake of argument, about 38,000 cops to police a city of roughly 8.5 million. That is a ratio of about 224 to one. Now, to take our mythical organization with 50,000 employees; we would need an audit capability of about 223 people to maintain parity with the cops. Is this likely? In my experience, no. Most organizations of that size would be unusual if they had an audit capability of one quarter that size, or 50 people. So, how do we try to be more effective when we may be seriously understaffed?
For gross understaffing, there is probably no magic answer. It is tough to get five pounds out of a one-pound bag. But, lest we be blinded by pure numbers, we should remember three things:
1. The cops in New York City also have a few more things on their plate than we do, like murder, robbery, rape, drug use, speeding, gang warfare, gambling, prostitution, underage drinking, organized crime, crowd control, guarding VIPs, protection of transit systems, and terrorism, to name but a few. We are dealing with only occupational fraud, although granted, it can occur in a lot of places and in a variety of formats.
2. Policing is a 24/7 type of business. Even though big-city police departments may have an impressive number of officers, they also have to deploy them through three shifts each day, cover holidays and weekends, and also devote substantial numbers to crowd and traffic control at sporting events, concerts, and demonstrations.
3. We must remember that it was the â€śthrow numbers at numbersâ€ť mentality prior to the 1970s that had the cops wrapped around their own axles. If production of arrests is the answer to crime, then more and more cops are needed to make more and more arrests. They started to make progress when they got away from that mentality.