By José Tabuena — May 4, 2010
Workforce issues such as recruitment, retention, diversity, and business conduct are often the expression of a company’s commitment to good values. A company with poor values is probably going to have confused and disgruntled employees. So it should be no surprise that human resource (HR) issues have been at the forefront of major business frauds or reputational breakdowns for years.
Internal auditors already evaluate parts of the HR function when they evaluate the “control environment” under the COSO framework, including tone at the top, the organization’s ethical climate, and management’s philosophy and operating style. All of those collectively comprise the corporate culture. Reviewing them is critical and challenging, yes, but auditors must also examine other emerging risk areas in the HR function if they want to achieve the best culture possible.
There are distinct risks involving HR departments such as non-compliance with employment regulations, inadequate compensation and benefit plan design, inappropriate staffing levels, and lack of funding for training. In addition to public scrutiny, ineffective HR programs can undermine an organization’s ability to achieve its mission by stunting its competitiveness in the labor market, increasing unjustified financial costs, and putting the organization at risk for lawsuits or regulatory inquiries due to non-compliance or misconduct.
Incentives and Discipline
Executive compensation policies, typically administered by HR, deserve attention; it’s a hot topic that has been the subject of political and public scrutiny. In an earlier column I wrote that internal audit professionals are in a position to review compensation practices (being mindful of pay-for-performance principles while seeking to avoid policies that encourage excessive risky behaviors) by providing independent and objective assurance that compensation at the organization works rationally and effectively.
Internal control experts like Tim Leech have commented that we need to pay more attention to how rewards can affect the behavior of senior executives and staff. A misaligned reward system can hurt corporate culture and can even create the opportunity for management and the board to collude.
Consider examples from recent events. Were the incentives of executives in the auto and mining industries properly aligned to ensure that safety objectives would get proper consideration? Or was the reward system heavily skewed toward meeting financial targets? If incentives aren’t balanced, it becomes more likely that an environment of safety falters, leading to injuries and fatalities.
Internal auditors don’t seem to focus adequate attention on the reward system dimension. COSO touches on some of the elements of the reward system within the control environment; Tim Leech suggests that auditors look to the Criteria of Control (CoCo) model from the Canadian Institute of Chartered Accountants, issued in 1995, for more specific guidance on commitment controls. OCEG’s Red Book 2.0 (GRC Capability Model) is another resource that addresses the alignment of incentives with company objectives.
Still, executive compensation can be a touchy subject, especially regarding senior executives. I can recall past experiences where I faced resistance in getting payroll data when conducting a compensation audit, and had the same difficulty at a different company during an investigation of payroll fraud. The head of HR in both instances had challenged my authority to access executive personnel and salary information.
The auditor should make sure he or she has the support of leadership and that access to such information cannot be restricted. This area is clearly within the province of the internal audit and compliance functions. When rewards are misaligned with core objectives, including complying with laws and staying within the company’s internal risk appetite, substantial risks can emerge that need to be recognized and agreed to by the board.
For example, the auditor can evaluate whether an existing compensation model (say, fully commission-based compensation) for sales staff pressures employees to engage in unethical business practices so they can meet individual or company financial targets. Recommendations can be developed for alleviating these pressures, or at least bringing some of them into balance, while recognizing that such pressures will remain inherent to the business.
Don’t Forget the U.S. Federal Sentencing Guidelines
Auditors also still neglect the Federal Sentencing Guidelines, although their principles on discipline and reward agree with the concept of commitment controls. The success of a corporate compliance and ethics program depends to a large degree on understanding why employees behave as they do. This is where the concept of rewards (the carrot) and punishments (the stick) enters.
Disciplinary action is generally well understood, and internal auditors can evaluate whether the organization’s standards are consistently enforced (particularly in cases involving high performers) and whether infractions are addressed in a manner commensurate with the offense. Personnel files of employees disciplined for a particular offense (fraudulent sales practices, for example) can be sampled to determine whether discipline was consistently and proportionally applied. Again, auditors and compliance professionals must be allowed access to this information.
Reference to “incentives” was first added to the Sentencing Guidelines when they were amended in 2004. The standards now require that, “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (a) appropriate incentives to perform in accordance with the compliance and ethics program …”
But while incentives are now an essential element of ethics and compliance programs, nobody has paid much attention to them. During recent U.S. Sentencing Commission hearings to consider changes to the Sentencing Guidelines, Joseph Murphy testified on behalf of the Society of Corporate Compliance and Ethics about the importance of incentives to influence positive ethical conduct. But the SCCE’s own surveys indicate that current use of incentives has been limited. Internal auditors can consult with the SCCE resource, Building Incentives in Your Compliance & Ethics Program, when evaluating the company’s reward system under the Sentencing Guidelines and as a dimension of the control environment.
Executive pay isn’t the only HR responsibility that might need attention. Auditors should review organizational risks in these main HR areas:
Workforce Planning
HR departments spend significant time recruiting candidates and selecting employees. Auditors can assess whether HR is documenting information promptly and accurately, and verify if suitable recruiting resources are providing an adequate number of capable candidates.
The hiring process should be reviewed, including the interview process (are managers asking illegal questions?), whether background-screening policies are being followed (are criminal background checks done?), and whether appropriate reasons for selection or non-selection are documented. Auditors can also perform a turnover analysis to assess whether low employee retention hurts productivity.
If contractors are being hired, auditors should confirm that contractor duties are monitored to ensure IRS tax requirements are met (typically, whether workers are properly classified as employees or independent contractors). An overall evaluation of whether the company has the right number of people with the right skills should be performed.
In reviewing the organizational structure, consider whether lines of authority and chains of command are clear. Sample job descriptions can be reviewed to ensure they specify knowledge, requisite skills, and extent of education and training, and that those requirements are used when making hiring, training, and promotion decisions. A sample of employee performance evaluations can help determine whether workers have the knowledge, experience, and training needed to perform their job. Problems in structure and roles can result in inter-departmental conflicts, inefficiencies, low morale, and unhappy customers.
Employee Development and Relations
Inadequate employee training can harm the company’s bottom line. Training on regulatory risk topics such as Occupational Safety & Health Administration, privacy, and conflicts of interest has become expected. In particular, supervisors need to be trained on how to manage their subordinates’ performance, including labor law requirements. There are risks if employee counseling and discipline are not done properly, which can lead to external complaints or lawsuits.
Auditors should verify that a supervisor documents performance issues and that corrective action is taken. Assess whether performance appraisals are completed on time and based on job-specific criteria. The handling of employee complaints and grievances is another critical area where good documentation is essential. Internal auditors need to review policies and analyze areas involving discrimination (a wage analysis, for example), harassment, wrongful discharge, and employee privacy. Auditors should confirm that controls are in place to ensure the confidentiality of personnel data.
Ultimately, Risk Management
Finally, risk around HR often overlaps with employee safety issues. Review the health-and-safety program to focus on whether prevention and other control measures exist to minimize workplace hazards. Is the risk-management department tracking and monitoring incidents, claims, and litigation with an eye toward preventing and mitigating potential risks?
HR activities touch upon almost everything a company does and every facet of the employee life cycle, from hiring, training, and development to retention and discipline. Despite its integral role and crossover with other critical functions such as compliance and legal, HR is often an overlooked audit area. Adding an HR audit and perhaps combining it with a review of the compliance and ethics program, and the company’s control environment, can provide important risk protection for the organization.