Mark B. Mitchell, MBA, CIA, Mark B. Mitchell, MBA, CIA, CGFM CGFM Director of Internal Audit Director of Internal Audit NYSERDA NYSERDA November 12, 2008 Understanding Understanding the Importance of Soft the Importance of Soft Controls in Improving Controls in Improving Operations Operations AGA Audio Conference
30
Embed
Mark B. Mitchell, MBA, CIA, CGFM Director of Internal Audit NYSERDA November 12, 2008 Understanding the Importance of Soft Controls in Improving Operations.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Mark B. Mitchell, MBA, CIA, Mark B. Mitchell, MBA, CIA, CGFMCGFM
Director of Internal AuditDirector of Internal AuditNYSERDANYSERDA
November 12, 2008
Understanding Understanding the Importance of Soft the Importance of Soft Controls in Improving Controls in Improving
OperationsOperations
AGA Audio Conference
2
AG
A A
ud
io
Con
fere
nce
Novem
ber
12,
2008ContentsContents
Understanding The Importance of Soft Understanding The Importance of Soft ControlsControls
What Are Soft Controls?What Are Soft Controls? Why Do Soft Controls Matter?Why Do Soft Controls Matter? Evaluating Soft Controls: Key Elements of Evaluating Soft Controls: Key Elements of
Improving OperationsImproving Operations What Makes Soft Controls So Difficult?What Makes Soft Controls So Difficult? Soft Controls: A New ViewSoft Controls: A New View GAO’s Model of Strategic Human Capital GAO’s Model of Strategic Human Capital
Internal Control over Financial Internal Control over Financial Reporting – Guidance for Smaller Public Reporting – Guidance for Smaller Public Companies, Companies, by COSOby COSO
Foundation Guidelines “Red Book,” Foundation Guidelines “Red Book,” by by OCEGOCEG
Where Are Soft Controls Written About?
6
AG
A A
ud
io
Con
fere
nce
Novem
ber
12,
2008
Why Do Soft Controls Why Do Soft Controls Matter?Matter?
7
AG
A A
ud
io
Con
fere
nce
Novem
ber
12,
2008
““Selling” Soft ControlsSelling” Soft Controls
Why Do Soft Controls Matter?Why Do Soft Controls Matter?11
1.1. They can help manager understand why They can help manager understand why people behave as they do;people behave as they do;
2.2. They can increase managers’ effectiveness They can increase managers’ effectiveness in predicting future behavior; andin predicting future behavior; and
3.3. They enable managers to understand how They enable managers to understand how they can direct, change and control they can direct, change and control behavior.behavior.1 Paul Hersey and Kenneth H. Blanchard, Management of Organizational Behavior: Utilizing Human Resources, Third Edition (Englewood Cliffs: Prentice-Hall, Inc., 1977) p. xiv
8
AG
A A
ud
io
Con
fere
nce
Novem
ber
12,
2008
How can I “Sell” Soft Controls to Management?How can I “Sell” Soft Controls to Management?Management: Working with and through individuals and Management: Working with and through individuals and
groups to accomplish organizational goals.groups to accomplish organizational goals.22
““Selling” Soft ControlsSelling” Soft Controls
2 Ibid. p. 5
Employee Potential
Per
cen
tag
e o
f A
bil
ity
80 to 90 percent
20 to 30 percent
Area Affected by Motivation
Potential Influence of Motivation on Performance
9
AG
A A
ud
io
Con
fere
nce
Novem
ber
12,
2008
Evaluating Soft Controls: Evaluating Soft Controls: Key Elements of Key Elements of
Antifraud ControlsAntifraud Controls
10
AG
A A
ud
io
Con
fere
nce
Novem
ber
12,
2008
Evaluating Soft ControlsEvaluating Soft Controls
Evaluation TechniquesEvaluation Techniques:: Whistleblower HotlinesWhistleblower Hotlines Staff Focus GroupsStaff Focus Groups Employee SurveysEmployee Surveys ““Customer” SurveysCustomer” Surveys Internal Control Internal Control
1.1. Has a Code of Conduct/Ethics been Has a Code of Conduct/Ethics been adopted that promotes:adopted that promotes:
Honest/ethical conduct, including internal Honest/ethical conduct, including internal and external dealings, and the handling of and external dealings, and the handling of conflicts of interest?conflicts of interest?
Accurate accounting records and Accurate accounting records and reporting?reporting?
Compliance with applicable laws, rules, Compliance with applicable laws, rules, and regulations?and regulations?
Prompt reporting of violations of the code?Prompt reporting of violations of the code?
2.2. Is the Code of Conduct Operating Is the Code of Conduct Operating Effectively?Effectively?
Communicated effectively (know to Communicated effectively (know to staffs)?staffs)?
Annual certification by everyone covered?Annual certification by everyone covered? New hire and periodic reinforcement New hire and periodic reinforcement
training?training? Management involvement and oversight?Management involvement and oversight?
14
AG
A A
ud
io
Con
fere
nce
Novem
ber
12,
2008
Evaluating Commitment to Evaluating Commitment to CompetenceCompetence
1.1. Are employees properly trained to Are employees properly trained to carry out their work?carry out their work?
Evaluation Techniques:Evaluation Techniques: Employee SurveysEmployee Surveys Internal Control EvaluationsInternal Control Evaluations AuditsAudits Staff Focus GroupsStaff Focus Groups
15
AG
A A
ud
io
Con
fere
nce
Novem
ber
12,
2008
Evaluating Commitment to Evaluating Commitment to CompetenceCompetence
1.1. Are there established procedures for an Are there established procedures for an Ethics Hotline/Whistleblower Program?Ethics Hotline/Whistleblower Program?
Evaluation Techniques:Evaluation Techniques: Is there a procedure for receiving and Is there a procedure for receiving and
retaining information?retaining information? Do procedures provide whistleblower Do procedures provide whistleblower
protection and provide for anonymous tips?protection and provide for anonymous tips? Are any calls coming in?Are any calls coming in?
3 Adapted from COSO, the Sarbanes-Oxley Act of 2002 and PricewaterhouseCoopers white papers.
2.2. Is Top Management providing Is Top Management providing oversight?oversight?
Evaluation Techniques:Evaluation Techniques: Are they periodically evaluating internal Are they periodically evaluating internal
controls and antifraud programs?controls and antifraud programs? Assessing whether control activities over Assessing whether control activities over
fraud risks are adequate and effective?fraud risks are adequate and effective? Are fraud audits and are investigations Are fraud audits and are investigations
conducted fairly and objectively? conducted fairly and objectively?
18
AG
A A
ud
io
Con
fere
nce
Novem
ber
12,
2008
Evaluating Management’s Evaluating Management’s Philosophy and Operating Philosophy and Operating StyleStyle
1.1. Does management evaluate and test Does management evaluate and test the design and operating effectiveness the design and operating effectiveness of antifraud controls on an annual of antifraud controls on an annual basis?basis?
The potential for fraud should be The potential for fraud should be considered as part of the agency-wide risk considered as part of the agency-wide risk assessment.assessment.
Antifraud programs and controls should be Antifraud programs and controls should be in place that are appropriate to the in place that are appropriate to the likelihood and impact of potential fraudlikelihood and impact of potential fraud
19
AG
A A
ud
io
Con
fere
nce
Novem
ber
12,
2008
Evaluating Management Evaluating Management Philosophy and Operating Philosophy and Operating StyleStyle
2.2. What is the way in which management What is the way in which management responds to any significant deficiencies and responds to any significant deficiencies and material weaknesses that are identified by material weaknesses that are identified by the agency, internal audit or OIGs?the agency, internal audit or OIGs?
1.1. Are matters thoroughly investigated? Disclosed?Are matters thoroughly investigated? Disclosed?
2.2. Are internal controls assessed and improved?Are internal controls assessed and improved?
3.3. Is there communication and training to reinforce Is there communication and training to reinforce values, policies, etc.values, policies, etc.
4.4. Are violators treated in a consistent and Are violators treated in a consistent and appropriate manner?appropriate manner?
20
AG
A A
ud
io
Con
fere
nce
Novem
ber
12,
2008
Evaluating Assignment of Evaluating Assignment of Authority and ResponsibilityAuthority and Responsibility
1.1. Are unit and individual performance Are unit and individual performance linked to organizational goals?linked to organizational goals?
Evaluation Techniques:Evaluation Techniques: At the most senior level are executive At the most senior level are executive
performance agreements used?performance agreements used? Are executives held accountable for results?Are executives held accountable for results?
Are expectations set so that staff Are expectations set so that staff understand how their daily activities understand how their daily activities contribute to results-oriented programmatic contribute to results-oriented programmatic goals?goals?
21
AG
A A
ud
io
Con
fere
nce
Novem
ber
12,
2008
Evaluating HR Policies and Evaluating HR Policies and PracticesPractices
1.1. Are targeted investments in Are targeted investments in professional development being made?professional development being made?
2.2. Is a results-orientated culture Is a results-orientated culture encouraged?encouraged?
3.3. For sensitive positions, are background For sensitive positions, are background checks being performed?checks being performed?
22
AG
A A
ud
io
Con
fere
nce
Novem
ber
12,
2008
What Makes Soft What Makes Soft Controls So Difficult?Controls So Difficult?
What Makes Soft Controls So Difficult?What Makes Soft Controls So Difficult? 44
With hard controls both theory and practice With hard controls both theory and practice are provided (technical skills)are provided (technical skills)
Early contributions to behavioral sciences Early contributions to behavioral sciences seemed to provide knowledge without seemed to provide knowledge without effecting changes in behavior. (Elton Mayo)effecting changes in behavior. (Elton Mayo)
The challenge is to identify social skills that The challenge is to identify social skills that are usable in ordinary human situations.are usable in ordinary human situations.
4 Paul Hersey and Kenneth H. Blanchard, Management of Organizational Behavior: Utilizing Human Resources, Third Edition (Englewood Cliffs: Prentice-Hall, Inc., 1977) p. 1
24
AG
A A
ud
io
Con
fere
nce
Novem
ber
12,
2008
What Makes Soft Controls So Difficult?What Makes Soft Controls So Difficult? 55