Risk and Control Issues Commonly Overlooked by Internal Auditing 5: Management

In an earlier post, I mentioned that sometimes people fail to perform because their managers are ineffective. Let’s explore this further.

Managers at an operating level, even first level supervisors, can raise or reduce the effectiveness of their staff — not only those reporting directly to them, but other groups who have to work with the group. A failure to manage can lead to:

·         Poor operating results. For example, de-motivated employees are poor salespeople, less dedicated in their pursuit of purchasing opportunities, and less willing to put in the extra effort to optimize performance in general
·         Inconsistent operation of controls. Poor management can deprive staff of required training, information required to perform their assigned duties, and a reduced level of supervision
·         Compliance failures. Lack of training and supervision, together with de-motivated employees (who are also more likely to steal), increases the risk of non-compliance. De-motivated employees are also more likely to bypass controls that are there for their safety

As you take poor management practices up a level, the problem gets worse. More people are affected and you start to see a worsening of the general mood, the culture of the organization.

Ineffective management at the top of the organization can destroy it. I have had the misfortune of working with CEOs that had one or more of these problems:

·         did not trust others, delegated little, and stifled both initiative and decision-making
·         encouraged competition and tension among his direct reports. This led to the executive team failing to work together, even hiding information from each other; duplicate initiatives; the inability to optimize information technology across the organization (everybody looked out for themselves); and a corporate culture that reflected all of the above. We even had different divisions competing with each other for the same customer deal
·         pampered the executive team with a million dollar office renovation (even to the point of an expensive espresso machine limited to officer use), and awarded millions in no-cost stock options, at the same time as more than a thousand employees were fired for cost-cutting purposes. The corporate culture was poisonous
·         failed to see the inability of a long-time associate to perform. This individual was responsible for the development of new products, but was unable to deliver cost-effective, quality products on time. Even though revenue was falling (and the company lost its #1 position in the market), the CEO stuck by his man until both were fired by the board. The new CEO was excellent, but it was too late to save the company
·         did not have a vision for the company. He was rooted in his prior success and unable to see the change that was coming to the market
·         was unable to make the hard decisions. Even though the business was using less than 50% of factory capacity (it had over a hundred manufacturing locations), he could not make the decision to close and consolidate

I am sure you could add to the list, probably tripling it with examples of top management failure.

But, as internal auditors we need to ask whether we are awake to the failure to manage — at all or any levels. If we see it, what action are we taking? Are we assessing it? Are we reporting it — to the audit committee, if necessary?

Are we assessing and providing assurance on the risk of poor management?

Are you?

Posted on Aug 16, 2010 by Norman Marks

Share This Article:    

  1. This is a tough topic to address with management. A RM could lose their job over trying to tackle this topice with management

    Having worked for such a person for short period of time, it is clear you are correct. The company he had a large interest in is not doing well and I attribute this directly to the Risk of one or more on your list. This person allowed upper management to act in the same manner causing dissention and discord.  Loss of business is the Risk you can run in the service industry if you cannot see you are the Risk.

    Are we assessing and providing assurance, no, this is not the norm. Is this being reported, no.

  1. There are lot of control symptoms, issues and problems here. The selling point for internal audit is to be pro-active in an environment where management culture support honesty, integrity and highest ethical values at every level of management. Having said this, internal auditor's responsibility is to achieve risk focused audit approach with authority given via documented Audit Committee Charter. As such, bad management combined with bad corporate culture is simply a breeding ground for corruption where no one can eventually keep the sailing ship afloat, let alone, honest and professional internal auditor. The moral here is that honesty, integrity and highest ethical climate all around and it should not be limited to one or two individuals to carry the stick and run the place like poorly controlled gas station or a dog kennel show like "dog and pony show".

  1. I don't disagree with your points Norman.  I have seen the same issues myself over my career.  One challenge is that often the CAE or the auditors don't have enough status in the organization to be able to raise these type of issues.  You are talking about one person's opinion of performance over someone else's.  That someone else is often very high in the organization, had successes to point to and a close ear of the board.  Even if the CAE or internal auditor were to raise the question, it is difficult to know what "credence" would be placed in that opinion.  Of course, it is another story of the issues are blatant or obvious such as ethical behavior, harrassment, fraud etc.  But if you are talking about management decisions, doesn't that really become the Board's overall responsibility.

    The IIA profession would like auditors to have the type of stature you often speak about, the challenge is getting the remainder of the world to see that this could be a benefit.


  1. Norman,

    Completely agree with you that management capability and organization culture has significant impact on internal controls. Ideally we should be addressing it as auditors, but we will be skating on thin ice out here. The question will be how can we report this issue, and does the audit committee have the power to address it.

    I wrote an article last month on Deviant Organization Culture on my blog. You might find it an interesting read.http://soniajaspal.wordpress.com/


  1. Dear Norman,

    Then how you handled the situation?

    It is happening with me also .But the person who is wrong,partial etc is good at his work to justify his postion work wise ,( but power fight,politics etc. is being played to make his position safe & strong by bringing his own people ( good or not good whatever is justified) by removing others .Board knows also but what is the solution as work responsibility is taken by him.he brings up his own people by involving them,appreciating them,covering them,training them ,letting them steal others work,act as a spy for others etc.

    any solution .who can help?  BOD says yes we know you are right but we do not know the solution & we need hom also & we need vistim also .anyone has solution?

  1. what is the relation between internal control and risk management according to COSO2§§§

  1.  Rose, have a look at the COSO ERM Framework. COSO sees internal controls as how you respond to and manage risk.

Leave a Reply