Handling Misconduct at the Management Level the Right Way

WhistleblowerRecently, the SEC awarded a whistleblower with more than $300,000. Though the employee first reported misconduct internally, the company failed to act and suffered greater consequences for inaction. This was the first such award given to a whistleblower working in compliance, and acts as a signal to the business community: respond appropriately to reports of misconduct, or pay the price.

It is easy for management to feel uncomfortable given such headlines. However, the lesson here is to encourage internal whistleblowing and adopt reporting procedures that maximize employee comfort.

Research proves that most whistleblowers try to report fraud internally before approaching the government. Employees only go to outside authorities when their complaints are ineffectively resolved or after they hit walls internally. To minimize your exposure to liability, enhance the comfort level of your employees and make sure that your company facilitates internal reports.

That same research shows that when businesses implement even-handed procedures for assessing complaints and treat reporting employees with respect, employees are far more likely to feel satisfied by the process, regardless of the result. Employees need to have confidence in the misconduct reporting process in order to use it.

Fortunately, there are some concrete strategies for encouraging internal whistleblowing:

Provide the Right Training

Let your employees know you have a reporting program, and demonstrate how to use it. Training helps employees see that you are committed to resolving misconduct complaints in house. Publicize your company’s internal reporting policy regularly, not just at hiring time, and remind everyone that they can report misconduct and fraud without fear of retaliation.

You should not tell your employees that they have to report internally first; regulators view this sort of mandate unfavorably, and such requirements have been expressly rejected by the SEC.

Put the Best Person in Charge

You need an open door policy and you need the right person behind that door; otherwise, no one will come in. Make sure the officer in charge of complaints is someone accessible that your employees can trust. Be absolutely certain that he or she understands confidentiality, and train them to be neutral.

Ensure that your investigator knows the applicable laws and tools to resolve issues. While protecting confidentiality is important, make sure the investigator communicates with everyone involved in a complaint. In order to maintain confidence in the system, the investigator should keep whistleblowers, the accused, and witnesses involved and informed.

Create an Avenue for Anonymous Reporting

Whether it is a comment box, an online form, or a hotline, make sure that your employees have a way to report misconduct and fraud without revealing their identity. No one likes to think that their organization could be dangerous or discriminatory, but it happens.

Talk To Your Employees About Their Experiences

Ask employees about misconduct routinely and in exit interviews. Be sure to let them know that responding is optional, but document willing answers thoroughly.

It is not a good idea to ask employees, during their employment or in an exit interview, to acknowledge whether they have disclosed anything confidential to the government. Furthermore, never ask employees to give up their anti-retaliation rights in any way.

Focus On the Process

Make sure all procedures are transparent. Explain the process in simple terms, not legalese. Always reassure employees, in no uncertain terms, that retaliation for reporting fraud or misconduct will not be tolerated.

Make sure that employees know that you are listening. When people complain about the fax machine, fix it. Listening to little complaints can foster confidence before a big complaint comes around.

Make It Worth Their While

Research and now experience shows that incentives, even just recognition, make employees more likely to report misconduct. Reward this kind of ethical behavior.

Lead By Example

Show your team that you are ethical and that they work for a company that does not tolerate unethical behavior. When reporting misconduct is simply an unpleasant but necessary aspect of doing business, employees are far more likely to take part.


Sargon-Youmara-Internal-Audit-ExecutiveThis post was contributed by Sargon Youmara, a Partner with Vonya Global. Sargon Youmara has 20 years of diverse experience in business risk consulting, internal audit and public accounting. He leads various internal audit initiatives and Sarbanes-Oxley projects to a wide-array of companies from start-ups to multi-national corporations. Sargon is the Risk and Internal Control knowledge partner to his clients and has a depth of experience in:

  • Creating “start-up” Internal Audit Departments
  • Evaluating Internal Audit Department Effectiveness
    (QAR and Internal Audit Capability Maturity Model)
  • Reducing risk in international operations

If you would like to contact or connect with Sargon directly you can find his profile on LinkedIn: http://www.linkedin.com/in/syoumara.

Creating a Speak Up Culture

Speak up CultureResearch and case studies have proven that a majority of employees do not speak up when they see fraud or misconduct in the workplace. This is true across a spectrum of businesses, even when employees have great IT security, sound internal audit procedures, and other corporate resources to report misconduct. Modern businesses face a major ethical challenge in creating a culture that encourages employees to report wrongdoing and in combating retaliation. Despite its challenging implementation, a speak up culture is crucial to legitimate company compliance and training efforts.

Cultural Change Starts With Management

In 2011, more than one-third of all workplace discrimination claims filed with the Equal Employment Opportunity Commission (EEOC) were for retaliation against employees who expressed their workplace concerns. What can companies do to ensure that employees are safe from retaliation? A speak up culture can allow businesses to maintain their edge, while overcoming biases against whistleblowing.

According to researchers at the University of Michigan, one of the most important factors in creating a speak up culture is ensuring that supervisors model appropriate behavior for employees. Employees will be more willing to report fraud or misconduct to supervisors if they have seen these supervisors express similar ethical behavior, especially following through on matters of misconduct. Employees who saw supervisors report ethical violations, conduct internal audits appropriately, or respond positively to complaints were far more likely to speak up.

Speaking Up: The General Motors Case Study

General Motors is a great example of a company that has struggled due to a lack of misconduct reports, but ultimately succeeded in reversing this trend by implementing a speak up culture. Harvard Business Review blogger Amy C. Edmondson points out several key problems that hampered GM’s employees from expressing concern and that ultimately led to compromised consumer safety. Specific issues involved broken communication channels, defective products that were approved only to be recalled, and lacking accountability among safety personnel. The resulting investigation highlights the importance of these crucial speak up practices:

Direct Exposure to Ethical Behavior

Employees are unlikely to risk bringing attention to potentially painful subjects such as fraud or internal audits if they believe these discussions will hurt their chances of success in the company. As the GM example shows, this individual mindset eventually causes problems for the company as a whole. Ethical leadership not only encourages employees to act on misconduct; it’s also good business.

Clear Channels of Communication—the More Direct, the Better

When important messages about serious company problems don’t get delivered, fatal flaws can easily erupt. Make certain that even the lowest ranking employee can communicate directly with higher-ranking management as needed to report ethical problems. Also, ensure that if an employee does come forward, he or she receives a timely, appropriate response. As with ethical behavior, when company leaders value good communication, so will employees.

Accountability

Edmondson points out that GM’s public apology was an effective, powerful step towards rebuilding trust with the public. GM also took responsibility for safety issues by recalling products. These efforts showed the public that there was no attempt to conceal mistakes and that the company was working to correct problems.

Training

To ensure that management is prepared to respond to ethical complaints, businesses must train leaders appropriately. Training should include education on how to handle failure personally and as a team. Formal training in speak up cultures is available from various sources. Best practice resources for creating a speak up culture are also available to businesses; here is one such resource from the Institute of Business Ethics.

Take Aways

Creating a speak up culture is essential for business success. There is no simple fix. This real problem requires real time and culture investment. Yet, solutions are within reach for any business willing to make the effort. Payoffs include legal, ethically-sound business practices, greater reputation, and happy employees. How can you afford not to invest in a speak up culture?


Sargon-Youmara-Internal-Audit-ExecutiveThis post was contributed by Sargon Youmara, a Partner with Vonya Global. Sargon Youmara has 20 years of diverse experience in business risk consulting, internal audit and public accounting. He leads various internal audit initiatives and Sarbanes-Oxley projects to a wide-array of companies from start-ups to multi-national corporations. Sargon is the Risk and Internal Control knowledge partner to his clients and has a depth of experience in:

  • Creating “start-up” Internal Audit Departments
  • Evaluating Internal Audit Department Effectiveness
    (QAR and Internal Audit Capability Maturity Model)
  • Reducing risk in international operations

If you would like to contact or connect with Sargon directly you can find his profile on LinkedIn: http://www.linkedin.com/in/syoumara.

Fraud Prevention for Venture Capital and Private Equity

Fraud-Segregation-of-DutiesIt happens all the time, human capital / resource constraints at start-ups and small to medium sized companies limit the ability to have a robust accounting and finance staff. In most cases one person is typically responsible for many tasks. When these tasks overlap, like: reviewing and paying invoices; setting up and approving new clients; setting up and approving new suppliers; and writing checks, making deposits, and conducting bank reconciliations, the company exposes itself to significant fraud risks. In audit terms, this is called Segregation of Duties.

Segregation of Duties

While having adequate Segregation of Duties (SOD) is an essential building block of sustainable risk management and internal controls for a business, it is difficult for a small business to implement and it often gets overlooked.

Embezzlement

I came to know the investors of a start-up Title Insurance Company in Chicago. The ownership hired an experienced Title Insurance executive as President and CEO. They also assigned the President full access to the bank account. The company was out of business within 6 months of hiring the CEO. The CEO embezzled all the cash, ignored all invoices and payables, and left town.

Inadequate Segregation of Duties hits the news on regular basis. Said one executive: “Given the size of our organization, the distribution and separation of duties is tough. It’s a staff of three, four people. They suggest we shuffle around more of the burden. I’m not saying that’s a bad idea, but it will be difficult to implement.”

Difficult to implement? Maybe. But it is not impossible or impractical. The first step is understanding the risk and how it relates to the business. The second step is to consider key controls that would mitigate the risk without adding burden to the business. Simple solutions include requiring approvals for big purchases by individuals other than the CFO, placing banking restrictions on large payments, and regularly reconciling the all accounts.

While the Segregation of Duties risk may seem minor to other strategic, operational, or compliance risks, the failure to control the risk could be catastrophic.


This blog post was authored by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit co-sourcing, outsourcing, and consulting services, a member of the Institute of Internal Auditors (IIA) Chicago Chapter Board of Governors, a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research, and the President of the Oz Park Baseball Association, a not-for-profit dedicated to providing fundamental based baseball in a safe environment in the city of Chicago. Steve was recently named The Institute of Internal Auditors’ Chicago Chapter’s New Member of the Year. If you would like more information about Vonya Global or if you have a questions for Steve, you may contact him through this blog, the company website, twitter, or his LinkedIn Profile.

Using Audit to Reduce Costs of Major Construction Projects

Construction AuditOrganizations involved in major capital projects are missing out on significant opportunities to reduce costs. This is not to say that construction managers are fiscally irresponsible, conversely they are very reluctant to spend money where it is not absolutely necessary. So much so that in an effort to contain costs, most organizations don’t budget funds for construction audits until the project is complete or nearing completion. However, this “Close-out” audit is only one component of a successful control and cost containment program. Vonya Global believes that investing in internal audit early in the construction process may save thousands or hundreds of thousands of dollars throughout the project. “Full-scope” construction auditing optimizes the effectiveness of internal controls, reduces total project costs, and maximizes cost recovery.

Close-out Construction Audit

At the project’s conclusion, the owner requires assurance that the General Contractor/Construction Manager (CM) has completed the work in accordance with the contract. A close-out audit provides the owner confidence that the contracted obligations were fulfilled and the billing was accurate per the contract terms. While this is a critical step to verify compliance with the contract, it doesn’t solve other problems caused by a poorly written contract. In fact, contracts rarely protect all the interests of the owner.

Full-Scope Construction Audit

Involving construction audit services at the beginning, rather than the end of a construction project is far more effective because it mitigates risk before it materializes. Audit’s first responsibility is to protect the owner’s interest by creating favorable contractual agreements and improving the project control environment. Keeping Vonya Global engaged throughout the construction project assures the effectiveness of the control environment and identifies inappropriate cost overcharges.

Protected Interest

In creating the contract (the binding agreement between the owner and all parties involved in the construction process), many owners place their trust in the knowledge of the General Contractor/CM and Architect to include all the appropriate provisions in the contracts. Most owners will then seek legal counsel to review the contract focusing on the insurance and indemnification sections. Additionally, the General Contractor/CM and Architect are often relied upon to track and control project costs. The result is an agreement which may not contain the necessary terms and conditions to adequately protect the interests of the owner, may not establish an effective system of internal controls, and may not establish a systematic means of monitoring contract compliance.

The American Institute of Architects (AIA) provides standard construction contracts, such as the:

  • AIA A101 for stipulated sum projects
  • AIA A111 and A121 agreements for cost reimbursable projects
  • A201 which contains the related General Conditions to the agreement

However, even these contract provisions require modification to fully protect the interest of the owner. For example, the Accounting Records or “Right-to-Audit” clause should be strengthened, and the Changes or “Change Order” clauses often require clarification. These modifications improve the owner’s control over project costs, and allow for recoveries.

An effective “Full-scope” audit program utilizing the construction audit services of Vonya Global establishes an effective control environment, defines expectations for all parties, reduces the potential for conflict, reduces total project costs, and reduces the owner’s risk. Performing a “Full-scope” construction project audit is a best practice, and the earlier a qualified Construction Auditor is involved in the project life-cycle, the greater the benefits to the project owner.


This blog post was co-authored by Steven Randall and Brian Felix. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services, a member of the IIA Chicago Chapter Board of Governors, a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research, and the President of the Oz Park Baseball Association, a not-for-profit dedicated to providing fundamental based baseball in a safe environment in the city of Chicago. Steve was recently named The Institute of Internal Auditors’ Chicago Chapter’s New Member of the Year. If you would like more information about Vonya Global or if you have a questions for Steve, you may contact him through this blog, the company website, twitter, or his LinkedIn Profile.

Exhaustive Management Review Control (“MRC”) Testing

Audit Overkill, CorpGov Necessity, or Value Add?

Management Review ControlAs we have discussed in previous articles, the PCAOB has come down hard on the public accounting firms for the adequacy of internal control testing when conducting the annual financial statement audit at their clients. The result in the current financial statement audit period has been significantly more testing by the public accounting firms than in years prior. This added testing is putting a burden on public registrants, and one specific area getting increased attention is Management Review Controls.

Management Review Controls

Management Review Controls monitor the results of operations and typically involve comparing recorded financial statement amounts to expected amounts to identify and investigate significant variances. A significant focus is placed on ensuring that the data that is being analyzed is complete and accurate. Examples could include:

  • 10K/10Q reviews to ensure that Financial Statements and Disclosures reflect a complete and accurate view of the business operations
  • Performing a variance analysis on the B/S where current month balances are compared to prior month and prior year
  • Performing a detailed review of organizational costs where variances from comparative periods or budget are analyzed
  • Peforming a detailed review of any material complex accounting treatment within the organization that might be proprietary to that industry
  • Review management’s review of the legal accruals to determine that it is complete and accurate

The public accounting firm now must demonstrate that they have exhaustively tested the design and operating effectiveness of Management Review Controls. To do so, the auditor will gather evidence to evaluate whether management defined metrics or thresholds that would identify a material misstatement and document the resolution of any identified outliers. To ensure that the appropriate information is analyzed, management has to first ensure that the “Information produced by the Entity” (IPE) is complete and accurate. The auditor will also use their judgment to evaluate if the design of the MRC is effective in identifying a material misstatement and if the operating effectiveness of the design is in place.

In the past, auditors evaluated management’s sign-offs and re-performed sample reviews related to management’s review. Not this year. Due to the requirements of the PCAOB, auditors are requiring a level of precision and specificity for the MRCs beyond prior years and reviewing far more documentation. Instead of reviewing management signatures which signify approval, auditors are interrogating management to understand the metrics used for their review and the resolution of identified outliers that would be indicative of their approval. Relying on system reports and excel spreadsheets has taken on a much deeper dive to ensure that the information used in the review is complete and accurate.

Why Investors Should Care

Producing audited financial statements to the SEC is not cheap. The Financial Executives International stated that the average financial statement audit of a public company in 2012 took almost 17,000 hours to complete at a cost of $4.5 million. That number is certainly going up for the 2013 audit cycle.

So, what do you think? Is the added testing overkill? Or, is the added testing necessary to demonstrate proper corporate governance? Or, does the added testing provide a value that goes far beyond its cost?

Let us know in the comments.


Veronika Fritz - Internal Audit ExecutiveThis blog post was written by Veronika Fritz. Veronika is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services. Veronika is a CPA with over 18 years of audit and management experience. Her experience covers all areas of business including compliance, financial, operational and IT. She has led the planning, development and successful execution of financial audits, Sarbanes-Oxley Engagements, pre- and post-implementation ERP system reviews, and business process evaluations. Veronika has expert knowledge in evaluating the design, integrity, effectiveness and reliability of internal controls for financial reporting processes and Enterprise Resource Planning software. She has been a trusted advisor to companies spanning various industries. If you would like more information about Vonya Global or if you have a questions for Veronika, you may contact her through this blog, the company website, twitter, or her LinkedIn Profile.


Attention Audit Committee: Who Can You Rely On?

Rely on Internal AuditAn article published in the Journal of Accountancy on December 17, 2013 highlighted that the PCAOB is focusing a lot of attention on auditing of internal control over financial reporting. The Center for Audit Quality lists internal control over financial reporting as one of its primary key risk areas of external auditor’s work heading into the 2013 audit cycle.

The PCAOB conducts annual audits of the Public Accounting Firm’s financial statement audit process. The results of the PCAOB audits were discussed in a speech given by Jeanette M. Franzel, PCAOB Board Member, on Oct. 13, 2013 at the NACD Board Leadership Conference 2013. During her speech, Ms. Franzel stated that relative to internal control over financial reporting “the external auditor failed to gather sufficient audit evidence to support the audit opinion” in 36% of audits during the 2011 audit cycle and 37% of audits during the 2012 audit.

Ms. Franzel is not stating that the public accounting firm financial statement opinion was wrong, rather that there was insufficient work completed to formulate the opinion. If there is insufficient work to formulate an opinion, the opinion becomes unreliable. An unreliable opinion should send a warning signal to investors.

The response by the public accounting firms this year has been to significantly increase internal control testing. The burden falls onto the external audit client (the publicly registered company) to provide evidence of risk assessments, internal control design, and internal control effectiveness. This results in increased time commitment from both the auditors and the audit client. Audit fees for the accounting firms are increasing as is operating costs for the audit client. The combination of these two unintended consequences is placing an onerous burden on public registrants.

As investors, we want to rely upon the accuracy of financial reports, which inherently means we want to rely on the effectiveness of internal control over financial reporting. Audit Committees are charged with the responsibility to maintain oversight on the accuracy of financial reports, which also inherently means assuring the effectiveness of internal control over financial reporting. The Audit Committee can’t do this alone; they must heavily rely on the public accounting firm opinion and there is a significant problem if the audit approach is unreliable.

There is an obvious answer to this. There is a group, typically in-house, charged with the responsibility to evaluate the effectiveness of internal control over key risk areas of the corporation, including financial reporting risks. This group has a time tested methodology for assuring the reliability of their work. This group has a set of professional standards they must adhere to while completing their work. Best of all, the public accounting firms can place reliance on the work of these qualified and accredited individuals reducing the amount of time public accounting firms spend on the audit. This group is the Internal Audit Department.

So Audit Committees, who can you rely on? Your Internal Auditors.



This blog post was written by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services, a member of the IIA Chicago Chapter Board of Governors, a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research, and the President of the Oz Park Baseball Association, a not-for-profit dedicated to providing fundamental based baseball in a safe environment in the city of Chicago. Steve was recently named The Institute of Internal Auditors’ Chicago Chapter’s New Member of the Year. If you would like more information about Vonya Global or if you have a questions for Steve, you may contact him through this blog, the company website, twitter, or his LinkedIn Profile.

Is Internal Audit Strategic?

Strategic Internal AuditAnswers to the above question has changed over time, as witnessed in the Report on the Strategic Role of Internal Audit published by Vonya Global every 2 years.

Here is the trend with Executive Management:
2008 = 44%
2010 = 42%
2012 = 57%

Vonya Global is conducting its fourth study on the Strategic Role of Internal Audit. The study is currently open and we are seeking participants. The study consists of a 14 question online survey and should take no more than 15 minutes to complete. Participants will have exclusive access to the preliminary results.

To participate in this study, click here:

Participate in the Strategic Internal Audit Study



Cyber Threats – Knowledge is Prevention

Cyber CrimeThere are many articles and reports published on the top risks that the organizations are facing today and the emerging risks for future. While regulatory risk, IT risk, strategic risk, and environmental risk among others seem to be the most common, cyber crime is a risk that can’t be ignored.

Cyber crime risk is a threat that targets us every day. A simple click of a mouse or touch pad could spell demise. The only way to prevent it is to increase the awareness of the risks, and make education a pivotal part of management’s communication plan. There is a recent scheme that needs attention and increased awareness.

Fictitious CFO emails, a new scam

It seems like every day someone becomes a victim of a new scam. Scammers use email, online ads, pop ups, and search results to trick you into sending them money and personal information. We just became aware of a new scam that has already cost corporations tens of thousands of dollars. Here is how it works:

    The real CFO leaves town. The CEO is not reachable. With this intelligence, an email gets sent to the person authorized to disburse funds, e.g. the Treasurer or the Controller from an outside email address disguised to look like the CFO’s. The CEO is typically cc’d. The email instructs for an immediate payment. Upon further inquiry back to the “fictitious CFO/CEO” a pressure tactic is used to do as instructed, otherwise the person will lose their job.
    The email of course is a complete hoax and the attached invoice includes wiring instructions to a fraudulent bank account. The threatening email from the CFO/CEO is sometimes enough for the employee to take action and as soon as the transfer is made, the money is gone forever.

Does this seem unrealistic? At the time I typed this, I knew of 2 companies who had fallen victim to this scam and a 3rd that fortunately caught it at the last minute.

If you get an email from the Senior Management requiring you to take drastic and immediate action, you better make sure the instructions are valid before you act.


This blog post was written by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services, a member of the IIA Chicago Chapter Board of Governors, a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research, and the President of the Oz Park Baseball Association, a not-for-profit dedicated to providing fundamental based baseball in a safe environment in the city of Chicago. Steve was recently named The Institute of Internal Auditors’ Chicago Chapter’s New Member of the Year. If you would like more information about Vonya Global or if you have a questions for Steve, you may contact him through this blog, the company website, twitter, or his LinkedIn Profile.

The Risk Stops Here: a Story About Little Risky

This contribution to the Internal Audit Blog comes to us from the late John Landreth. We lost John a few years ago, far too early. While John spent his career in internal audit, he spent his life giving back to his family and community. He was an ambassador for the profession and a friend to all internal auditors. Years ago John came up with an idea for a story about risk, a fun little story about a cute lead character nicknamed “Little Risky.” He allowed me to read an early draft of his story. While the story needed a little tweaking, I immediately loved the his idea. Eventually his story was published and then converted into a presentation. The following is the short presentation about our friend “Little Risky.” If you like it, I ask that you please share it with your friends and colleagues. Let’s keep the story going and John’s legacy alive.

All the best,
Steve


This blog was contributed in the memory of John Landreth (April 14, 1957 – June 6, 2010). John served as the Chief Audit Executive for a variety of Chicago based companies. Outside of internal audit, John was a board member of Park Ridge Baseball and Softball, and the Alliance for the Great Lakes, former member of Park Ridge Indian Scouts and the District 64 Caucus.

Policies and Procedures: First to be ignored, last to be updated

Policy and Procedure RiskBusinesses around the world have traveled a long, winding, and often times bumpy path over the last decade. The global economic collapse and the ensuing recovery have made it necessary for companies to morph into new structures. The result has become organizations that are lean, dynamic, and more adaptable. However, a significant problem is beginning to reveal itself, the corporate policies and procedures are holdovers from a now extinct company.

All organizations have policies and procedures. Whether the policies and procedures are formal written documents or informal and unwritten they exist and guide daily decisions and help determine how stakeholders are treated. As organizations change, the policies and procedures must be adapted to meet the new business.

The problem with unwritten policies and procedures is that they are not subject to review and approval and all accountability is lost. Employees are left to their own devices to determine what defines quality and what the company deems important. While the absence of written policies and procedures empowers employees fulfill their job responsibilities, they take inconsistent approaches based on personal preference and which leads to organizational inconsistency and inefficiency.

Outdated policy and procedure manuals are worse than unwritten because they may actually point employees in the wrong direction. The employees that understand the policy and procedure is out of date will take it upon themselves to find a work around, which is the same as having an unwritten policy and procedure.

In either case, the business is inconsistent and inefficient.

The solution is obvious. Companies should update or create a policy and procedure that accurately represents the vision and goals of the current business. Well written policies and procedures increase organizational accountability and transparency and become fundamental to quality assurance and quality improvement programs. To be most effective the policy and procedure manual should be short and to the point, yet dynamic to allow for relevant changes.

When was the last time you took a critical look at your policies and procedures?

Policy and procedure manuals are often the last things to be modified when organizations go through a transformation. There are several reasons:

    Policies and Procedures are difficult to write

    Consideration needs to be given to how much detail to include and what the overall company policy really is, let alone what the standard procedure is that should be followed

    Policies and Procedures are difficult to publish

    Consideration should be given to how many and which executives to include in the review

    Policies and Procedures are dynamic

    As the legal environment, industry, and company structures and practices are constantly changing consideration should be given to what policies are needed and what procedures should be documented

    Policies and Procedures need an owner

    Consideration should be given to who the administrative owner of the Policies and Procedures will be. The person will periodically assess the validity, draft updates, and communicate all changes to the Policies and Procedures.

Creating a comprehensive and customized policy and procedure manual is not as easy as it may seem, it is time consuming and requires an investment of resources. However, when done right a clearly understood set of policies and procedures establishes an overall tone at the top which enables employees to execute the vision and strategy of management in their daily activities. Plus policies and procedures are not simply used internally; Policies also communicate to stakeholders and third parties the vision of the company.

If you are uncertain when the last time you reviewed your policy and procedure manual or don’t know if you have one, now is the time to get started.


Veronika Fritz - Internal Audit ExecutiveThis blog post was written by Veronika Fritz. Veronika is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services. Veronika is a CPA with over 18 years of audit and management experience. Her experience covers all areas of business including compliance, financial, operational and IT. She has led the planning, development and successful execution of financial audits, Sarbanes-Oxley Engagements, pre- and post-implementation ERP system reviews, and business process evaluations. Veronika has expert knowledge in evaluating the design, integrity, effectiveness and reliability of internal controls for financial reporting processes and Enterprise Resource Planning software. She has been a trusted advisor to companies spanning various industries. If you would like more information about Vonya Global or if you have a questions for Veronika, you may contact her through this blog, the company website, twitter, or her LinkedIn Profile.