Audit, Compliance, and Data-Driven Behavior
Last week I had a guest post on Navex Global’s blog exploring the future of the internal audit function, and how a more powerful internal audit function might help the ethics and compliance department in new ways.
Today we have a practical example from Fidelity Investments, and the news that it has recently sacked more than 200 employees for abusing corporate benefit programs. This is a foretaste of the collaboration to come, complete with all the upside and downside that future will bring.
The story, in Friday’s Wall Street Journal, is straightforward. Fidelity audited employee use of two benefits programs intended to help defray the costs of computer equipment or physical fitness gear. The audit found that more than 200 employees violated terms of the programs. For example, some employees bought equipment and billed Fidelity for reimbursement, and then canceled the orders but kept the reimbursement. In at least some cases, employees submitted altered receipts to claim the reimbursement.
The WSJ article frames the audit and ensuing dismissals as a cost-cutting maneuver, and perhaps that’s the case in this instance. In the bigger picture, however, compliance and audit executives might want to consider the implications of audits like this on your organization’s whole corporate culture and control environment.
From Small Audit to Corporate Culture
The point I made in my Navex post, which certainly applies here with Fidelity, is that relatively small-bore audit exercises can have an outsized influence on corporate culture. And as internal audit functions become more adept at targeted, analytics-driven audits, ethics and compliance functions might want to nudge those efforts toward subjects that will provide maximum benefit for corporate culture.
For example, I can’t imagine that Fidelity’s audit turned up massive amounts of waste and misuse of company money. The firm employs 40,000 people — so firing 200 of them is a dismissal rate of 0.5 percent. Even if we assume all 200 errant employees scammed Fidelity out of $2,000 each (that seems to be the largest amount scammed, according to the WSJ), that’s a total possible loss of $400,000.
Fidelity’s 2017 revenue was $18.2 billion. So it’s not like that $400,000 was a material amount of money, either.
But small scams in corporate benefit programs can be a material threat to an organization’s control environment. They expose weaknesses in one leg of the Fraud Triangle (opportunity) because internal controls aren’t working properly. That makes it much easier for employees to knock down the second leg of the Fraud Triangle, rationalization — because hey, if the company never cares that I scammed 20 percent off my FitBit, why not try scamming a bit more?
From the compliance officer’s perspective, a small-bore audit like Fidelity’s is important for the message it sends about ethical values and compliance with policy — not for any money it might save or improvements it might recommend. The Fidelity audit reminded employees that adherence to policy isn’t optional, and that enforcement of policies can strike at any time.
Small scams in corporate benefit programs can threaten an organization’s control environment. From the compliance officer’s perspective, an audit like Fidelity’s is important for the message it sends about ethical values and compliance with policy.
In my Navex post, I gave a different example. One large business has a policy that travel and entertainment expenses under $50 do not need a receipt. So the audit department decided to review the T&E account for any employees with an unusually high number of $49 expenses — that is, people who were constantly just below the threshold for documentation.
The company found no significant abuses. But it did send a message to employees that the company can search for fraud even in small-dollar expenses without documentation. That’s a powerful message about corporate culture and control environment that employees see.
A More Fearful Future?
The internal audit department is only going to get better at targeted strikes thanks to improving technology. Audit teams will be able to select spending or activity areas with more focus, and then review the raw transactions more comprehensively. That’s auditing analytics in practice, and the tech to do that is only going to get better from here.
For example, imagine Fidelity trying to perform that corporate benefits audit with 1985 technology. Would the army of auditors, sifting through reams of paperwork, really be worth the $400,000 the company might find? Probably not. Today large companies can execute audits like that in a few weeks. Soon enough they’ll be able to perform those audits in a day. Or, more likely, anomalous behavior will be found instantly and appear on a risk dashboard sitting on a manager’s PC somewhere.
Will that be good for the company’s bottom line? Yes. But your inner ethics and leadership enthusiast might also want to contemplate what it means for corporate culture overall. That world isn’t leadership by inspiration; it’s management by fear. Ask anyone who lives in a world where overhead drone strikes are standard practice.
To put it another way, a very real threat to good conduct is ethical fading — the idea that after so many decisions to stick by the rules, our brains get tired and feel like we’re owed the opportunity to skip the rules once or twice. Ask anyone who has been stuck in stop-and-go traffic for a few red lights, and finally guns it through the intersection at yet another light about to turn red.
What’s the effect on corporate culture in a world where ethical fading is impossible, because you’re under constant, data-driven observation?
I don’t know. But we’ll probably find out soon enough.