Risk and Control Issues Commonly Overlooked by Internal Auditing 3: People

The root cause of almost every internal control issue is people. See this earlier discussion.

It could be that individuals charged with designing or performing the control lacked judgment, experience, training, or simply under-performed. It could also be that they had too great a workload and were therefore unable to perform at required levels, or had failed to perform their duties on a timely basis.

Often, individuals under-perform because their managers are ineffective. Low morale clearly impacts performance, as does inadequate supervision. If individuals do not have the required experience or training, or are overwhelmed by their workload, that is the fault of their management.

Another issue can be that individuals do not have the information required to perform their work. Again, that may be due to their inability to perform, their manager’s failure to communicate, or a broader issue within the organization – a failure of teamwork, sharing, etc.

Organizational issues also include a failure to clearly assign accountability and responsibility. A document (such as a corporate standard or delegation of authority) is not enough. People need to know what they are accountable and responsible for – and have the necessary authority.

When internal auditors, you or I, perform an audit do we always assess the organization and staffing, and whether people have the knowledge, training, experience, information, etc. to perform their assigned work? Do we assess whether managers and staff have time to do everything asked of them, with quality products? Do we evaluate and comment on employee morale?

When is the last time you recommended additional staffing because the root cause of a failure to perform reconciliations on time was the lack of sufficient staff? What about commenting on an organization that is so complex, with multiple matrix reporting lines, that it was unclear who owned what?

I can remember a great commotion when I included in an audit report the finding that the issues related to an accounting group were due to a poor manager, who withheld information, tyrannized his staff, and created an environment where mistakes of significance were likely – and occurred.

In addition to tackling the people issue in every audit, I believe we need to re-think the importance of performing audits of (a) human resources processes, including hiring, performance evaluations, etc., and (b) organizational design, including whether accountability and responsibility are clearly defined and communicated, staffing levels are appropriate, and individuals receive the information necessary to perform their work.

Are you a people auditor?

I welcome your comments.

Posted on Jun 9, 2010 by Norman Marks

Share This Article:    

  1. I concur. People Issue is one of the most overlooked areas in Internal audit. While adherence to documented processes, best practices and internal controls / checks are held in high priority by IA, the concept of 'people' issue is all pervasive but is generally not accorded due merit when it comes to choice of operational audits by IA. I am certain that this would in due course of time be given appropriate priority by the IA team. Swami
  1. Here is a good habit to start and one that I used for over 20 years.  At meetings including internal audit, next to each attendee and for each new topic, indicate next to their name if they:

    * IGNORE the issue,

    * DENY the existence of the issue

    * BLAME others for the issue

    * ACCEPT any responsibility

    * Willing to work to SOLVE the problem

    You will recognize these are the five steps to solving people problems.

    By keeping score, you start to understand people in your organization.  Include these notes in your working papers to remind you when down the road issues are not mitigated and you are trying to figure out why.

    To add complexity, indicate if they align themselves with others in the room.  Interesting to see that HR or CIO will align themselves with different other managers like CFO or treasury and that varies from issue to issue as well.

    Remember the key to adding value is to inform people of issues they do not know, but need to know.  Sounds simple and often times it is the simpliest of issues that are overlooked like lock the office safe after hours will eliminate cash being stolen by the cleaning people.

  1. Don - I like your IDBAS method; is this your original idea; or did you get it from another?
  1. Hi Courtnay, can not claim as my own.  My first job after college, the president of the company would meet with new recruits and explain how he would weed out quickly employees that ignore, deny, and blame others.  He wanted to develop leaders that would accept resonsibility and solve problems.

  1. I agree, people are the most overlooked areas in an internal audit.  In my current job, this was not discovered until it was too late.

  1. I agree with you, Norman.  I have also worked for organizations that had these issues.  To support my current company's strategic objectives, we have included reviews of Human Resource processes - i.e., hiring, peformance reviews, promotions, terminations, and employee development - as a part of our audit universe.  However, efforts to assess organizational design need improvement.  Great article!

  1.  Absolutely - people's behaviour is a critical area for IA to watch and its much better to drill down below the high level talk of "improve the risk culture" and "why dont they get it" to remember the Organisation Effectiveness saying: "Every organisation is set up perfectly to get the results it currently gets - they just may not be the results you want!" 

    I think it pays to think about "working hypotheses" of why human nature will mean that there may be a risk and control issue - two of my favourites

    - People will not necessarily take accountability - the saying "success has 1000 parents, and failure is an orphan" and 

    - People will tend to report performance in terms of "Look how much I / we have done, and less in terms of "look how much I still have to do!"

    There are other human nature areas as well of course and I am trying to get views on the main ones - certainly how we dilute what we mean to say in groups is another favourite, as is a tendency to defend and justify what I have already done!


  1. I would have to agree people skills should not be over looked. They need to be trained properly and given the help needed to perform their job (i.e. sufficient staffing, guidence, and help when feeling overwhelmed). This should be done by the managers. However, managers do need to follow strict guidelines. They need to make sure the workers are not just slackers. I do like Don's way of ruling people out.

  1. Awesome point Norman! I couldn't agree with you more. Training and support, and employee evaluations all play a role in the employee's proficiency. Too many human resource functions place candidates in roles and do not check their performance until some 12 months later. A lot can be missed in one year. Employees have to have sufficient supervision, clear support channels and quarterly performance evaluations. The tone at the top is very important. IF management doesn't check on their subordinates' performance, the employees are left to blieve, and logically so, that management doesn't really care. Even if management feels a certain level of confidence in the candidate chosen for the job, they can't be certain job duties and controls are being met competently unless there are evaluation guidelines set and being followed. There a several ways to assure employee performance such as frequent meetings with teams and individuals, post-employment interviews and surveys, formal performance evaluations, etc. Simply put, auditors should consider these underlying factorsand make the necessary recommendations when controls are problematic. Many times, as you stated Norman, issues are due to people lacking the knowledge, training, support, experience, and information they need to perform successfully.

  1. The above approach benefits the bank by identifying the underlying cause of an issue and hence provides a long term perspective for the improvement of business processes. Without the performance of an effective root cause analysis and the appropriate remediation activities, an issue may have a higher probability to reoccur. This analysis helps prevent additional rework and proactively addresses future recurrences of the issue. It is important to recognize that there are often multiple related or unrelated causes of an issue. In certain circumstances, root cause analysis may be simple. More complex issues, however, may require a greater investment of resources and more rigorous analysis. It may require an extended amount of time to analyze the process, personnel, technology, and data necessary to identify and support the assessment of a root cause.



Leave a Reply