NASDAQ Internal Audit Requirement

The NASDAQ is making some changes.

Are you ready?

The NASDAQ has proposed a rule change similar to a rule the NYSE implemented soon after the enactment of Sarbanes-Oxley. The rule would require every company listed on the NASDAQ as of June 30, 2013 to establish an internal audit function by December 31, 2013. Companies not yet listed on the NASDAQ would have to create an internal audit function before listing on the exchange.

The proposed internal audit rule includes four key points:

  • Each company must establish and maintain an internal audit function to provide management and the audit committee with ongoing assessments of the company’s risk management processes and system of internal control.
  • The company may choose to outsource the function to a third party service provider other than its independent auditor.
  • The audit committee must meet periodically with the internal auditors and assist the board in its oversight of the function.
  • The audit committee should also discuss with the outside auditor the responsibilities, budget and staffing of the internal audit function.

Given the aggressive timeline associated with the proposed rule change, and the likelihood that it will become a requirement, companies listed on the NASDAQ should begin considering how best to comply. If you would like additional information, please visit the Vonya Global website page describing the NASDAQ Internal Audit Rule or contact the author, Sargon Youmara.


This post was contributed by Sargon Youmara, a Partner with Vonya Global. Sargon Youmara has over 15 years of diverse experience in business risk consulting, internal audit and public accounting. He leads internal audit initiatives and Sarbanes-Oxley projects for a wide array of companies, from start-ups to multi-nationals. If you would like to contact or connect with Sargon directly, you can find his profile on LinkedIn: http://www.linkedin.com/in/syoumara.

The Board of Directors and Strong Corporate Governance

Why do financial melt-downs and corporate fraud continue to happen? Effective corporate governance calls for a positive "Tone at the Top," displayed by corporate leaders who behave ethically and ensure that the business is run according to published ethical guidelines. However, among the CFOs responding to Ernst & Young's 2012 Global Fraud Survey, 47% said they could justify unethical practices to help their organizations survive a financial downturn. The ACFE's 2012 Report to the Nations on Occupational Fraud and Abuse reported that 56% of fraud was committed by owners and managers, with a median loss of $573,000. The oversight responsibility falls squarely on the shoulders of the corporate board members. Is there a disconnect between management and their boards? The following discusses three areas in which the board of directors can contribute to strong corporate governance.

Manage risk proactively

To what extent is the board involved in strategy decisions? Does the board approve individual projects, or is it proactively approving strategy and monitoring projects and initiatives linked to those strategies? The synergy of several disparate initiatives linked to the same strategy may create a much higher risk profile than the projects by themselves. Board members should be aware of the company’s risk methodology to ensure that the combined impact of projects initiated across the organization is financially reasonable and within acceptable risk limits.

Clear the lines of communication

The OECD (Organization for Economic Co-operation & Development) notes in its study, “Corporate Governance and the Financial Crisis”, that one of the responsibilities of the board is to “monitor the structure of the company and its culture to ensure a reliable and relevant flow of information.” It goes on to recommend that a separate channel of risk reporting may be warranted. A chief risk officer may help ensure that:

  • Risks are clearly stated and linked to strategic initiatives across the organization.
  • All risks, not just financial, are considered in the proper context.
  • Reporting of risk is not overshadowed or manipulated by upper management.

Ensure an effective board structure

It is important that there is a policy by which the skills and experience required of the board are identified. In the words of the OECD, "formal independence should sometimes be a necessary, but never a sufficient, condition for board membership." Emerging best practices, particularly in large, complex organizations, include:

  • Training programs for board members.
  • Board evaluations, which include the opportunity for board members to set collective and individual goals that can be measured to improve the board’s effectiveness.

In light of the financial meltdowns of recent years, emphasis has been placed on financial transparency supported by internal control. Rules, regulations, and laws have been published to ensure compliance. The effectiveness of corporate governance, however, is not as easily defined. Competent boards are key. However, the composition and responsibilities of board members vary widely, and it is difficult to define an ideal. A proactive approach to risk management, clear lines of communication, and a policy for board composition are good places to start.


This post was contributed by Janet Hintz, a Director with Vonya Global. Janet is a seasoned advisor, focused on helping her clients find alternatives that align financial and operational objectives, increase productivity, and strengthen internal control. If you would like to contact or connect with Janet directly you can find her profile on LinkedIn: http://www.linkedin.com/in/janethintz.

Now Hiring Business Development Manager – Chicago


Vonya Global is hiring a Business Development Professional to join our winning team. The ideal candidate will have an entrepreneurial attitude, a track record of success in sales, and experience selling professional services. In exchange we are providing salary, aggressive and unlimited bonus potential, long-term equity, and a dynamic work environment. If you are looking to make an impact for an organization that is taking flight, we encourage you to climb aboard.

To apply, email your resume and cover letter to Vonya Global, attention Business Development Manager.

Changes Are Coming… COSO Internal Control-Integrated Framework

Introduction – COSO Internal Control-Integrated Framework

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission ("COSO") published its Internal Control-Integrated Framework (the Framework), a comprehensive internal control framework that is currently used by most organizations within the United States and by many around the world.

Since 1992, however, many changes have occurred in the business and operating environments, prompting COSO to "update" its Framework and make it easier to use. The business world has become more complex, more technology-driven and more global in scale, while both individuals and organizations are striving for greater transparency and accountability for the integrity of the systems of internal control that support business decisions.

As a result of those changes and the increased complexity of business, in December 2011 COSO released for public comment an updated Framework intended to help organizations "adapt to increasing complexity and pace of change; to mitigate risks to the achievement of objectives, and to provide reliable information to support sound decision making." By the close of the comment period in March 2012, 97 comment letters had been received from organizations and professionals around the world.

In addition to the updated Framework, in September 2012 COSO also released for comment its proposed Internal Control over External Financial Reporting (ICEFR) document, a compendium of approaches and examples "that illustrate how the principles set forth in the Framework can be applied in designing, implementing and conducting internal control over external financial reporting," together with evaluation tools for assessing the effectiveness of internal control.

COSO expects to release final versions of the Framework, the ICEFR compendium and the evaluation tools within the first quarter of 2013, prompting many Chief Audit Executives and internal auditors to begin reviewing the proposed documents for their impact on their organizations.

COSO – What is Not Changing

Quite a bit is staying the same. The definition of internal control and the basic structure of internal control, including its five components (control environment, risk assessment, control activities, information and communication, and monitoring activities), are unchanged. The 17 principles, which were implicit in the 1992 Framework and are described across the five components, also did not change. Finally, the updated Framework does not change the importance of using judgment in designing, implementing, and conducting internal control, and in assessing the effectiveness of internal control.

COSO – What is Changing

Although much is staying the same, a lot is also changing. Even though the Framework is not yet finalized, here’s a glimpse at some of the most significant changes:

  • Applies a principles-based approach – The updated Framework explicitly states and codifies the 17 core principles of internal control, which represent the fundamental concepts associated with the components of internal control. Attributes that represent characteristics of the principles are also provided; together they comprise the criteria that will assist management in assessing whether an entity has effective internal control.
  • Highlights the importance of technology – The increased sophistication, complexity and pervasiveness of technology within organizations can affect all components of internal control, and this is discussed thoroughly within the updated Framework. Controls over technology are specifically identified as a principle of internal control.
  • Enhances governance concepts – Greater discussion is provided of key governance principles, such as the responsibilities of the board of directors and its committees and the alignment of incentives.
  • Expands on reporting objectives – Reporting is expanded beyond external financial reporting to also consider internal reporting, both financial and non-financial. This is reflected in a change to the COSO cube: the "Financial Reporting" objective becomes simply "Reporting."
  • Enhances anti-fraud expectations – The Framework gives increased consideration to the nature and impact of fraud on the business environment (e.g., inappropriate use of assets, intentional misrepresentation, etc.) and within the risk assessment process. As with technology, assessing fraud risk is identified as a specific principle of internal control.
  • Considers different business models and organizational structures – Business models and structures have evolved through increased use of technology, globalization, and reliance on third parties (outsourcing, spinoffs, joint ventures, etc.). The updated Framework provides more detailed guidance on alternative ways in which an organization might implement a component of internal control and thus achieve effective internal control.

COSO – Preparing for 2013

Before 2013 comes around the corner, we recommend Chief Audit Executives begin preparing for the release of the updated Framework. Consider the following:

  • Read the document – Get an understanding of what is proposed and if it will have an impact on your system of internal control.
  • Review the 17 principles – Quickly assess whether your organization meets all 17 core principles of internal control and if there are gaps within your system of internal control.
  • Start dialogues – Discuss the updated Framework with the Audit Committee and Executive Management to let them know what is coming and highlight any significant changes. Additionally, discuss its impact with your external auditors.
  • Wait – Nothing is final, so wait to see the final Framework and possible additional directives provided by regulators before taking immediate action.

17 Core Principles of Internal Control

Control Environment

1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight and responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk Assessment

6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control Activities

10. Selects and develops control activities
11. Selects and develops controls over technology
12. Deploys through policies and procedures

Information & Communication

13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring Activities

16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies


This post was contributed by Sargon Youmara, a Partner with Vonya Global. Sargon Youmara has over 15 years of diverse experience in business risk consulting, internal audit and public accounting. He leads internal audit initiatives and Sarbanes-Oxley projects for a wide array of companies, from start-ups to multi-nationals. If you would like to contact or connect with Sargon directly, you can find his profile on LinkedIn: http://www.linkedin.com/in/syoumara.

This article was also published in the Institute of Internal Auditors Chicago Chapter’s newsletter, The Innovator February 2013.

Audit Report with No Exceptions? Three reasons to follow up anyway

"If you perceive that there are four possible ways in which something can go wrong, and circumvent these, then a fifth way, unprepared for, will promptly develop." That is Murphy's Law, and unfortunately it applies to internal control environments everywhere. Even when audit testing has found no exceptions and the financials have been signed, sealed, and delivered, there are situations that should prompt renewed investigation.

Reorganization

In the ongoing struggle to be more productive and ultimately more profitable, companies refocus their priorities and assign new reporting structures. This can have a profound effect on the day-to-day activities that support the control environment.

A multi-national company experienced such a control breakdown. Monthly budget reports were programmed to print each month and were distributed through inter-office mail. This was a basic detective control designed to spot unapproved spending or errors in bookkeeping, and it fit nicely in the SOX control plan. During interviews after the most recent reorganization, however, it was discovered that many of the managers never received a budget report, while others received them in inter-office mail only sporadically. No one knew who was responsible for distributing the reports, and there was confusion about the department structure.

Downsizing

Another threat to a smoothly running control environment is downsizing. People who find that they must "do more with less" often find creative ways to be more productive. Sharing passwords to access systems that were not previously needed is common, as is informal delegation of responsibilities. One case involved a supervisor reassigning roles in an accounts payable department, unwittingly destroying the segregation of duties that had been designed to protect against conflicts of interest and fraud.

Productivity Pressures

When employees are under increasing pressure to meet deadlines or objectives, controls may be circumvented. A payroll clerk decided to override a system control designed to ensure supervisor approval because it enabled her to be more efficient. Inventory controls are also commonly bypassed to expedite customer service or meet production quotas when the stakes are high.

The controls that are compromised are often related to basic process and procedure issues that are not always apparent. Management should keep controls in mind as they deal with changing environments. Auditors must look below the surface to ensure that the procedures designed to support controls are firmly in place.
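The three breakdowns above (an orphaned control owner after a reorganization, a supervisor collapsing accounts payable roles onto one person, and a clerk holding both sides of a payroll approval) are all visible in the role assignment data if someone looks. The following script is an added example, not part of the original post or a Vonya Global tool. It takes two snapshots of role assignments (constructed, hypothetical data), flags users who hold a toxic combination of roles, lists required control roles that nobody holds any more, and shows which grants introduced each problem. The role names and the conflict matrix are assumptions; a real review would take them from the organization's own SoD matrix.

```python
"""Segregation-of-duties review over role assignment snapshots.

Added example (hypothetical data and role names). It models the control
failures described above: one person ending up with every accounts payable
role, a payroll clerk able to approve her own timesheets, and a control
owner role (budget report distribution) left unassigned after a
reorganization.
"""
from collections import defaultdict

# Hypothetical toxic combinations. A single user holding every role in a set
# can complete the transaction end to end with no second pair of eyes.
SOD_CONFLICTS = {
    "ap_end_to_end": frozenset({"ap.vendor_create", "ap.invoice_approve", "ap.payment_release"}),
    "ap_self_approval": frozenset({"ap.invoice_enter", "ap.invoice_approve"}),
    "payroll_self_approval": frozenset({"payroll.timesheet_submit", "payroll.timesheet_approve"}),
}

# Control roles that must always have an owner (hypothetical).
REQUIRED_CONTROL_ROLES = {"fin.budget_report_distribute", "ap.invoice_approve"}

# Constructed snapshot before the reorganization/downsizing: duties are split.
BEFORE = [
    ("alice", "ap.vendor_create"),
    ("bob", "ap.invoice_enter"),
    ("carol", "ap.invoice_approve"),
    ("carol", "fin.budget_report_distribute"),
    ("dave", "ap.payment_release"),
    ("erin", "payroll.timesheet_submit"),
    ("frank", "payroll.timesheet_approve"),
]

# Constructed snapshot afterwards: carol has left, a supervisor gave alice
# approval and release so AP keeps moving, and erin was granted approve so
# she can close payroll faster. Nobody picked up budget report distribution.
AFTER = [
    ("alice", "ap.vendor_create"),
    ("alice", "ap.invoice_approve"),
    ("alice", "ap.payment_release"),
    ("bob", "ap.invoice_enter"),
    ("dave", "ap.payment_release"),
    ("erin", "payroll.timesheet_submit"),
    ("erin", "payroll.timesheet_approve"),
    ("frank", "payroll.timesheet_approve"),
]


def roles_by_user(assignments):
    """Group (user, role) pairs into {user: set_of_roles}."""
    grouped = defaultdict(set)
    for user, role in assignments:
        grouped[user].add(role)
    return dict(grouped)


def find_sod_violations(assignments, conflicts=SOD_CONFLICTS):
    """Return (user, conflict_name, roles) for every user holding a full toxic set."""
    violations = []
    for user, roles in sorted(roles_by_user(assignments).items()):
        for name, toxic in conflicts.items():
            if toxic <= roles:  # user holds every role in the toxic combination
                violations.append((user, name, tuple(sorted(toxic))))
    return violations


def unowned_control_roles(assignments, required=REQUIRED_CONTROL_ROLES):
    """Required control roles that no user holds in this snapshot."""
    held = {role for _, role in assignments}
    return sorted(set(required) - held)


def diff_assignments(before, after):
    """(granted, revoked) between two snapshots, to tie each finding to a change."""
    before_set, after_set = set(before), set(after)
    return sorted(after_set - before_set), sorted(before_set - after_set)


if __name__ == "__main__":
    granted, revoked = diff_assignments(BEFORE, AFTER)
    print("Granted since last review:", granted)
    print("Revoked since last review:", revoked)
    for user, name, roles in find_sod_violations(AFTER):
        print(f"SoD violation: {user} holds {name}: {', '.join(roles)}")
    for role in unowned_control_roles(AFTER):
        print(f"Control role with no owner: {role}")
```

Run on the constructed data, the "before" snapshot is clean; the "after" snapshot reports alice with the end-to-end accounts payable combination, erin able to submit and approve her own timesheets, and the budget report distribution role with no owner. Diffing the grants against the previous review is what lets the auditor ask the supervisor who authorized each change, rather than simply noting that the control tested clean last quarter.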


This post was contributed by Janet Hintz, a Director with Vonya Global. Janet is a seasoned advisor, focused on helping her clients find alternatives that align financial and operational objectives, increase productivity, and strengthen internal control. If you would like to contact or connect with Janet directly you can find her profile on LinkedIn: http://www.linkedin.com/in/janethintz.

Twitter for Internal Auditors

Twitter basics made easy for Internal Auditors who are just getting started

If you are an internal auditor you have probably attended a training class on the Risks of Social Media. If you haven't attended, you have at least read about such classes. These classes teach you about the things that can go wrong. The lessons probably have you concerned about the Social Media policy at your company and the Social Media use by your fellow employees. If not, they should. Anybody can say anything about anyone at any time on Social Media. Scary, right? On the flip side, anybody can say anything nice about anyone at any time. Plus, anyone can share knowledge, ideas, and best practices at any time. The fact is, there are many valuable conversations going on right now, and if you are not participating, you are missing out.

Twitter is currently the fastest-paced information sharing vehicle that reaches a vast audience. Why not make 2013 the year you dip your toe in the Twitter waters? You don't even have to create an account on Twitter to check it out. I have provided links to information relevant to the Internal Audit community. Click on these links and see if anything interests you.

Individual Twitter Accounts:

The IIA – @TheIIA
Vonya Global – @VonyaGlobal
Richard Chambers – @RFChambers
The IIA Chicago Chapter – @IIAChicago
Norman Marks – @NormanMarks
Francine McKenna – @reTheAuditors
The ACFE – @TheACFE

Twitter “Hashtag” Keyword Searches

#InternalAudit – information specific to Internal Audit
#CorpGov – information relative to Corporate Governance Topics
#Fraud – information specific to Fraud
#RiskManagement – information specific to Risk Management
#Leadership – information specific to Leadership
#Coaching – information specific to Coaching
#Compliance – information specific to Compliance
#Governance – information specific to Governance
#GRC – information specific to Governance, Risk, and Compliance
#FCPA – information specific to the Foreign Corrupt Practices Act

This should be enough to get you started. Just remember the information is updated in real time. If you check the information now, it will be completely different tomorrow. Try it, you might like it!

If I failed to include you or an important keyword, please let me know in the comments.


This blog post was written by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services; a member of the IIA Chicago Chapter Board of Governors; a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer's Disease research; and the President of the Oz Park Baseball Association, a not-for-profit dedicated to providing fundamentals-based baseball in a safe environment in the city of Chicago. If you would like more information about Vonya Global or if you have a question for Steve, you may contact him through this blog, the company website, Twitter, or his LinkedIn profile.

You may also follow Steve on Twitter: @S_R_Randall

Internal Audit Quality – Fusing Care and Due Diligence with Audit Principles

“I’m not 39, I’m 23 with 16 Years of Internal Audit Experience”

Over Thanksgiving weekend, I celebrated my 39th birthday. The first thing that struck me about hitting 39 was that "39" doesn't seem nearly as "old" as it did when I was 23 and ready to take on the world (although my body does seem to creak and snap a bit more each morning). The other, more profound, phenomenon was the amount of introspection that comes with approaching a major age milestone. Pondering the big "four-oh" caused me to reflect on how I've spent my life. Being somewhat of a data geek, I broke it down into the following percentages:

  • Licensed Driver – 61%
  • Student – 44%
  • Husband – 28%
  • Parent – 18%
  • Diapers – 7%

I realize this probably doesn’t mean much to anyone besides me, but I do find it interesting to see how much of my life has been spent in various situations. In some of these situations (parent, husband), the numerator will continue to increase and the role will represent an even larger portion of my life. In other cases (diapers), the percentage will steadily (and hopefully) decrease over time. Considering I’ve been in the workforce in some capacity since I was 15 (64% of my life) it would be foolish of me not to consider the impact work has had in my life. I started my illustrious career as a busboy (1.2%), road construction laborer (13%), and gopher/delivery boy (9%). Quite the impressive career, wouldn’t you say?

Binding Internal Audit with GRC

Then there’s internal audit. I spent the first 12 ½ years of my post-collegiate career as an internal auditor. The last 3 ½ years were dedicated to researching the profession, as well as enabling the broader practices incorporating GRC through technology. I’ve obtained three Internal Audit (IA) related certifications (four if you count the CPA that I immediately shelved upon passing the exam). I’ve performed a number of roles in consulting, IA department management and IA quality assurance. I continue to serve as a volunteer instructor for the Institute of Internal Auditors (IIA). In the grand scheme of things, I have dedicated quite a bit of my career to this fine profession (16 years, 41% of my life, 64% of my time in the workforce). To say I’m vested in this profession would be an understatement.

I realize that many of you haven't spent 41% of your lives practicing internal audit, and that's OK. With that in mind, I am pleased to do you the service of helping you raise your "IA-IQ". This will be the first post in a series that focuses on a profession that truly is the glue that holds your broader GRC program together.

Knowing What the Glue is Made of

To start this series off, let’s begin with a primer on the glue that holds the glue together: The International Professional Practices Framework (IPPF). The IPPF organizes the full body of authoritative guidance set forth by the IIA regarding the content of the work and the workers within the internal audit universe. The key elements of the IPPF are categorized as “Mandatory Guidance” (non-negotiable – you must do this) and “Strongly Recommended Guidance” (if you plan on being successful, you’ll do this too).

Mandatory Guidance

    Definition of Internal Auditing

    States the fundamental purpose, nature, and scope of the profession. For GRC professionals, consider that the definition contains some familiar phrases. This definition states that internal audit gives organizations a “systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” (my emphasis added)

    Code of Ethics

    States the principles and expectations governing the behavior of individuals and organizations in the conduct of internal auditing

    The International Standards for the Professional Practice of Internal Auditing (Standards)

    Represents the “principle-focused framework for performing and promoting internal auditing and for evaluating the effectiveness of its performance.” Think of this as a list of: 1. how to audit, 2. how to communicate your results and 3. how to determine if you are any good at what you do.

Strongly Recommended Guidance

    Position Papers

    Assist interested parties in understanding significant governance, risk or control issues

    Practice Advisories

    Assist in the application of Mandatory Guidance (those items from the above list)

    Practice Guides

    Provide detailed guidance for conducting internal audit activities

In terms of the day-to-day practice of internal auditing, the Standards represent the roadmap that internal audit practitioners can follow to effectively execute their responsibilities. If you are unfamiliar with the Standards (or if you’re an internal auditor that hasn’t brushed up recently – hint, hint), I encourage you to visit the Standards page on the IIA’s website to gain a deeper appreciation for the intricacies of internal audit.

Fusing Care and Due Diligence with Audit Principles

I'd like to offer one closing thought on this discussion of the IPPF. Once, on a consulting engagement at a Fortune 500 company, a high-ranking internal audit manager told me that demonstrating compliance with the Standards was "as easy as falling out of a boat and hitting water." To say I found this statement to be both arrogant and misguided would be an understatement. Those who take the time and effort to read and understand the IPPF will realize that while its components are principles-based and written in plain language, demonstrating clear and basic compliance with it is nowhere near as simple as this manager suggested. As with any professional guidance, there is much room for interpretation and a great deal of reliance placed on the proficiency and judgment of individual practitioners. It is paramount that any internal audit department that wishes to truly fulfill its responsibilities read the Standards, work to collectively understand them and constantly evaluate whether they are living up to them.

I look forward to continuing the internal audit discussion and hope you join with me as we review this topic in future blog posts. I am thrilled to be involved with this fine profession, and I’m hoping that my 41% lifetime involvement statistic continues to trend upward.



This blog post was written by Vonya Global guest author Jason Rohlf

Jason Rohlf is a Senior Manager with OrangePoint, a GRC consultancy based in Overland Park, KS, specializing in GRC process design, implementation and improvement. Mr. Rohlf is a featured author on the OrangePoint Blog. To read more from Mr. Rohlf and his OrangePoint colleagues, we encourage you to visit the OrangePoint Blog at blog.opgrc.com. To learn more about OrangePoint, visit www.opgrc.com.

Compensation = Risk

How may compensation structures contribute to risk in organizations?

Executives design strategies to lead their corporations toward excellence. For these strategies to be effective they must be communicated, so individual goals and objectives are created to align responsibilities across the organization. These objectives are often tied to monetary rewards for success. Employees, for the most part, want to succeed, and if there is a monetary reward attached to their actions, they will be particularly industrious. If the objectives are not carefully designed and communicated, the personal motivation to achieve a monetary reward may conflict with the intended strategic outcome. The following three examples discuss how unforeseen corporate risk was created by poorly designed employee objectives.

Sales Goals

A company had product lines that were marketed under several different brand names. An annual revenue increase was an overall corporate goal, so quarterly sales objectives by product and brand were given to the sales team. As they created their Annual Plan, they discovered that some of the sales goals could not be achieved in the first two quarters, so they included revenue from new models that would not be introduced until months later. Unfortunately, the Annual Plan was the basis for production planning and procurement. Component inventories were stocked in the first quarter, and when the design for the new models changed, obsolescence resulted. Instead of inspiring sales efforts, the objectives produced manipulation that skewed financial planning, generated obsolete inventory, and provided an unrealistic basis for measuring progress.

Productivity Goals

Increased productivity was a corporate goal at a manufacturing plant. To inspire performance, specific goals were set for the different phases of the manufacturing process, and production workers were included in a quarterly bonus payout tied to the measurements. The objective of fewer mistakes on the production line was measured by the amount of scrap material generated. After some time scrap significantly decreased, and the plant celebrated a more accurate and productive process. An audit, however, found that scrap reporting was being manipulated and scrap materials were being hidden. Instead of a more efficient production process, the result was falsified reporting and an incentive to smuggle items out of the plant.

Quality Goals

A food processing plant was focused on quality. Compliance with government regulations and a good reputation in the marketplace were mandatory for success. Objectives tied to compensation were given to the quality control department to ensure that there would be no issues. One of the responsibilities of the quality control supervisor was a subjective smell-touch-taste test on food product that had been held in the lab several days beyond the shelf life. The purpose was to document results so that faulty processing functions affecting food storage and distribution could be addressed. As part of the supervisor’s performance plan, a 95% pass rate was defined as the goal for this test. In the weeks that followed, the success rate steadily rose. Was the quality of the product truly improving, or had the supervisor been motivated to be less rigorous in his assessments?

Objectives that aim to drive a specific behavior, or performance goals that are beyond an employee's control, are often open to manipulation. The unintended consequences may expose the organization to risk or fraud. When designing compensation strategies to achieve corporate goals, executives must recognize the actions (both positive and negative) that will be motivated. Then they must monitor the measurements carefully to verify that reported improvements actually reflect the desired outcome rather than manipulation of the measure itself.


This post was contributed by Janet Hintz, a Director with Vonya Global. Janet is a seasoned advisor, focused on helping her clients find alternatives that align financial and operational objectives, increase productivity, and strengthen internal control. If you would like to contact or connect with Janet directly you can find her profile on LinkedIn: http://www.linkedin.com/in/janethintz.

The “Frankenstorm”
Hurricane Sandy – a Business Case Analysis

The "Frankenstorm," Hurricane Sandy, is an example of how quickly a change in weather can become a business disaster. Employees are absent, production comes to a grinding halt, and essential components are stranded several hundred miles away. Companies that rebound quickly have implemented strategies that allow them to manage more effectively when well-oiled processes are unhinged.

Cross-training
When the work-force has been depleted, essential processes can still be accomplished if employees have been trained in more than one role. Some employers find it helpful to rotate their employees through several roles. This helps to ensure business continuity, makes the work environment more interesting for employees, and creates a forum for discussing new ideas.

Standardization
Companies that rebound quickly have standardized component parts across their product lines. Custom designed components can shut down production when transportation is delayed. Having too many of these components in inventory can be costly when designs change.

Although it is important to differentiate products to satisfy target market segments, customization should be accomplished as part of the production process. When inventories are depleted, as many different products as possible can still be produced from basic parts.

Shared capacity
Along with standardization comes the ability to move capacity from one line to another or from one plant to another. When production has been halted in one location, another can pick up some of the slack to keep distribution balanced and the fill rates at an acceptable level.

Distribution Requirements Planning
Which locations receive shipments when demand outstrips supply? This is a complex question that is often addressed subjectively and inconsistently. Companies that have implemented a strong Distribution Requirements Planning (DRP) system can determine shipment sizes, locations, and customers objectively and quickly, based on shipment availability, lead times, and customer demand.

There is always room for unpleasant surprises. Some companies hedge their production by investing in higher inventories. Smart companies find ways to adapt.


Internal Audit Risk Assessment Explained

Risk assessment is a recurring, systematic process for identifying and evaluating events (i.e., possible risks and opportunities) that could affect the achievement of strategic objectives, positively or negatively. An Internal Audit risk assessment is an evaluation of risks related to the value drivers of the organization, covering strategic, financial, operational, and compliance objectives. The assessment considers the impact of risks on stakeholder value as a basis for defining the audit plan and monitoring key risks. This enables the coverage of Internal Audit activities to be driven by issues that directly affect stakeholder value, with clear and explicit linkage to the organization’s strategic drivers. Leading organizations will:

  • Complete an Internal Audit risk assessment annually. For risk assessment to be recurring and systematic, it must be performed consistently. This allows Internal Audit to identify, capture and update risks while aligning those risks with the organization’s strategic objectives.
  • Incorporate all organizational processes in the risk assessment, including financial, operational, compliance and information technology. This allows Internal Audit to truly focus on the highest risks without limitation to a specific department, group or category of risks (e.g. limiting it to the Finance department only).
  • Integrate other risk assessment processes with the Internal Audit risk assessment. Consolidating the results of all risk identification processes (e.g. the Enterprise Risk Management risk assessment) with the Internal Audit risk assessment provides a complete risk profile of the organization and potentially better deployment of Internal Audit resources toward the areas of highest risk.

While many public and private organizations under $400 million in annual revenues do not have an Internal Audit department, it is no longer feasible for these organizations to fly blind. It is critical to have a systematic process to identify risks and evaluate the severity of those risks to the business.


This post was contributed by Sargon Youmara, a Partner with Vonya Global. Sargon is a CPA, an Internal Audit specialist, and a member of the IIA Chief Audit Executive Roundtable. He has led many companies through Sarbanes-Oxley compliance and managed hundreds of internal audits. He is one of the few in the Internal Audit profession to create a working methodology to implement the Internal Audit Capabilities Maturity Model, a framework for evaluating the effectiveness and maturity of an Internal Audit Department. He consults with Audit Executives on the effectiveness of Internal Audit, is a sought-after speaker for Internal Audit conferences, and was a participant in the original PCAOB roundtables. If you would like to contact or connect with Sargon directly you can find his profile on LinkedIn: http://www.linkedin.com/in/syoumara.