Contributed by Huzeifa Unwala, Senior Partner, JHS & Associates LLP
The “People” factor in the design of internal controls
Global standards state that Internal Control is a process that is affected by the senior management and other personnel of an entity. Designing good governance standards, policies, process automation and operating procedures is only the starting point for building an effective internal control environment. The most critical step is to cultivate the behaviour of people in a manner that signifies a non-negotiable commitment to ethics and organisational integrity.
General Auditing standards the world over have yet not evolved to the extent of seeking special reports on human behaviour, especially around Personality and Psychology test reports. Financial statement audits are primarily aimed at providing assurance and not detecting frauds. Given this situation, we may continue to witness high profile frauds where regulators and auditors alike are blamed, whereas, in reality, they should not be; the cause potentially lies elsewhere.
Entities usually develop robust procedures for carrying out due-diligence while on-boarding new joiners. However, deficiencies are generally observed in evaluating the trust behaviour of senior people in the system. It should be kept in mind that large value fraud cases mostly involve the top rungs in the organisation, who design a fraud scheme that beats most intellectuals in the system.
Is regulating & monitoring human behaviour possible?
Each fraud teaches us a lesson on systems and process failures, which are compounded by integrity issues. However, monitoring and regulating human behaviour remains a constant challenge. People at the highest level are not only difficult but nearly impossible to question by people of junior authority.
There is a possibility that a certain percentage of auditees (senior management) may opt to disclose incomplete facts or deceive the system and auditors as they may fear losing their reputation, social stigma of failure, authority, the impact of increments/ bonuses/ promotion, so on and so forth. This risk is heightened in Work from Home scenarios where both auditors and auditees are working from home, and the auditee can conveniently explain not having physical access to certain documents or systems.
This makes the auditor’s job exceedingly difficult due to non-availability of sufficient evidence on which to base her/his opinions. To deal with this situation, while the auditing profession evolves requisite professional standards, auditors may in future be required to understand and document response styles, personality traits and psychology test results of auditees in positions of authority.
Technology is rapidly evolving to identify exceptions in human behaviour on a transaction or event basis. However, nothing much is available yet regarding predictive analysis on the oversight by key decision-makers. Technology may provide analytical intelligence and trends of human behaviour at lower levels of the corporate hierarchy. However, tracking the behaviour of the Board of Directors is infinitely more complex.
Crafting the right set of questions for the independent Board members, Audit Committee, and the Regulator’s desk could go a long way in monitoring a corporate leader’s behaviour. Audits of corporate culture may also help indicate the need for such an approach.
Behaviour can never be legislated. However, understanding it and questioning it in a timely and appropriate manner could make a difference. In a well-governed organisation, the influence of authority is controlled through the concept of entity-level controls which are the highest form of internal controls, and they primarily relate to policies, codes and procedures. A well-designed entity-level control framework can ask pointed questions to the highest level of authority.
Conclusions
While lawmakers and regulators may take time to discover a better way to regulate and monitor human behaviour, timely public interest actions and enhanced quality of disclosures are emerging as the most preferred solutions in today’s times.
In appropriate cases of significant audit findings, the concerned Regulator should issue a summary reprimand letter highlighting the areas of concern, significant observations and remedies. Convening public tribunals by regulators is another good way of naming and shaming bad apples in the system and reducing frauds as that would send out stern warning signals. Mandating audits of corporate culture in appropriate cases can also go a long way in reducing the possibility of ineffective governance at the highest levels. Internal Auditors would do well to build their expertise in this emerging area.
