2010

Fraud, Ethics and Empowerment

David McNamee, CIA, CISA, CFE, CGFM
Contact TEL: 1-925-934-3847

The subject of fraud, ethics and empowerment is important to internal auditors. The empowerment movement has gone from the management buzz word of the month to a reality in a few short years. The result has been a certain amount of control chaos and a lot of worry and concern as internal auditors scramble to adjust to a very new way of doing business. These issues are important to auditors because they are important to senior management, the Board, and the whole of the organization. For many organizations, getting it "right" or getting it "wrong" is a matter of survival.

What is empowerment?

Empowerment evokes a number of images and concepts:

- The inmates in charge of the asylum.
- Enlightened self-interest.
- Industrial democracy.
- Mob rule.
- Self-directed work teams.

Empowerment is not the delegation of power. Instead, empowerment is sharing responsibility to achieve goals, the means to achieve the goals, accountability for the goals and the means employed, and the authority (power) to accomplish the task within the given set of means.

These were the duties and responsibilities of supervisors and managers. Once they are shared with the customer-facing employees, the need for direct supervision disappears, since many more people are accountable to the organization for those goals. Supervisors become redundant in this situation. The means to achieve the goals are broadened to include all those normally employed by the supervisor in the role of coordinator of work. When work steps are consolidated and the requisite tools and information are made available, there is little or nothing left to coordinate. Supervisors and managers become redundant in this situation.

Losing two of the most important general controls, active supervision and the segregation of duties, has got to have an effect on the overall control system. Something has to be built to replace these controls.
They have been essential in detecting and deterring fraud and other antisocial behavior. They must be replaced.

There are many organizations who have achieved empowerment for some work groups through experimentation. There are some organizations who have achieved widespread empowerment without losing control. From these latter organizations, we can see that empowerment is a "state of becoming" rather than a "state of being." From these early successes, we have found three key elements all have in common:

- A robust management information system that provides real-time information to everyone in the organization,
- an active practice of building vision, values and ethical behavior into a supportive and positive corporate culture, and
- significant controls and barriers that protect the main financial data of the organization from misuse.

With these three elements and an active and committed leadership in place, empowerment works well. It can even work reasonably well in some organizations that still lack state-of-the-art management information systems. Without a compelling vision and binding ethical values as well as strong financial accountability, empowerment is doomed. Fraud and other behavioral problems will not be far behind.

To understand empowerment, internal auditors need to understand how their organizations interact with their environments, how change takes place, and how to stay "connected" (under control) throughout the change process. Internal auditors play an important role for senior management and the Board by evaluating and reporting on how the organization is adapting, or not, to changes in the environment. Internal auditors also play a role in advising management on streamlining controls without opening up the door to fraud.

Downsizing, Rightsizing and the Consequence of Change

Most empowerment situations are driven by the consequences of decisions on structure: downsizing, rightsizing, restructuring, reengineering, or whatever the reorganization may be called. Empowerment is not the goal. The goals are to reduce costs or boost value-adding functions that serve customers or constituents. Empowerment may be the result of middle management trimming and increased spans of control. Empowerment that is born by "accident" of restructuring needs to have special attention to ensure that the appropriate measures are taken to reduce the exposure to risks such as fraud.

Fraud is a significant threat to organizations. That threat grows as organizations try to trim their payrolls through restructuring. Two 1994 KPMG studies, one of fraud in the USA and one of fraud in New Zealand, both found that the countries' executives forecast a similar problem: increased economic pressure will be an increased contributor to fraud. Forty-two percent in the USA study believed specifically that organizational downsizing is a contributor to increased fraud (up from 30% in 1993). [Note 1]

One of the two significant frauds in 1994 in the USA was false medical claims, indicative of employee reaction to organizational stress. Back pain and work-induced stress are common in USA companies during downsizing. Both injuries are difficult to disprove, and both usually result in prescribed lengthy time off the job (with pay).

Understanding Change

Change is the biggest factor that increases risk. Failure to change is probably the second biggest factor. Organizations must learn to change at appropriate rates and appropriate times. There are distinct periods when change itself changes from predictable linear change to rapid exponential change. These discontinuities are important to understand and recognize. Implementing empowerment at the wrong time can create increased risk.
In our model of change, organizations continue to improve and fulfill their purpose. There are boundaries that define the organization from its environment. The strength of these boundaries is a false security: The stronger the boundary, the more risk of eventual catastrophic adjustment to a changed environment. Specialized creatures are more fragile than generalized creatures. Should you shoot white water rapids in a steel-hulled boat or a rubber raft? Those organizations which can continue to carry out their purpose and adapt to changes in their environment will be the most successful and have the least risk.

Organizations that have matured to the point of diminishing returns take radical steps to change their structure. When structural change drives strategy, the organization may move toward empowerment as a means of harnessing the total organizational effort to survival. Because the organization is in real decline at this point, empowerment can be very risky without first building the necessary value system to support it.

As the organization goes through the human trauma of letting go significant numbers of workers, the remaining workers may suffer too much from "survivor's syndrome" to accept the full responsibility of empowerment. [Note 2] In addition, many employees of the successful mature organization may not be prepared to take the individual accountability and responsibility required by empowerment.

Accountability, Empowerment and Internal Control

It is sometimes difficult to clarify the nature and extent of authority in an organization. Even when roles and rules are more clearly defined than in many empowered organizations, there exists confusion over the meaning of such terms as authority, authorization and approval. It is important to understand how these terms should be interpreted in an empowered function.

Authority has several meanings.
In the organization, authority means power: the right to act or compel others to act on behalf of the organization. In the case of an empowered work group in a functional area, these rights are limited to a specific functional authority, or the right to act or compel necessary action to carry out the functional tasks assigned. In another context, authority can mean permission. Authorization is a derivative of authority with this meaning.

Authorization is the process of delegating limited or general authority. Authorization is granting permission to use powers to act or compel others to act. General authorization tends to exist for the duration of the corresponding responsibility. Limited authorization may exist only for a specific set of tasks or a specific time period. General authorizations are often defined as part of:

- Job descriptions
- Charters
- Schedules of Approval

Approval is more limited than authorization. In the strict sense, approval is limited to a single transaction or a single event. Occasionally authorization and approval are used interchangeably. Approval is more limited in that it implies permission to act, but not necessarily permission to compel others to act.

Empowered organizations are characterized by the nearly complete authority, authorization, and approval rights granted to customer-facing employees to fulfill customers' needs. The rights are limited to those transactions that have to do with serving customers. It is not a general right. In many team-based organizations, such as Saturn, these limited rights are granted to teams that deal also with internal customers. Few decisions in their functional area need to be authorized or approved by anyone else.

In order to make most of the decisions and to know when a decision must involve others, the internal control mechanisms for the empowered organization must include:

- Well documented processes that are well understood by everyone involved.
- Unit and organizational goals that are aligned and well understood by everyone.
- An ethical framework for making decisions.
- Sufficient information about the context and consequences of decisions.

Just as authority confers rights, its counterpart, responsibility, confers certain duties. Responsibility in an organization is the ownership of the duty to perform some task. To define responsibilities, organizations establish Codes of Conduct, charters, and other fundamental expressions of general ethical behavior between employees and suppliers, customers, other employees, and the community.

Accountability is the obligation to report on the results of functional activities. Accountability can take the form of financial results or operational results, or both. Authorization and accountability normally do not reside in the same individual (the separation of duties principle), except in empowered organizations. Empowerment contains the power of authority, authorization, and approval, as well as the duties of responsibility and accountability.

In large organizations where limited rights and limited obligations have existed for some time, it is often difficult to recruit employees to an empowered team concept. In a new electricity generating plant in Queensland, workers took to the empowered team concept readily. The plant was new, and patterns of behavior had not been established. The same concept was attempted in the existing sister generating plant, and the result was a dismal failure. Employees rejected the increased responsibility and accountability of the empowered teams. Patterns of behavior had been established, and the new concepts were uncomfortable.

Even when worker acceptance of the change is high, there is often a large hurdle in designing and implementing an accountability system and an information system that are sufficient to implement empowerment.
Some organizations have invested millions in their information and reporting systems, and they may be reluctant to scrap these systems and redesign the processes. Newer companies (or divisions) often have an easier time because they do not have the sunk costs in existing information systems to consider. FedEx is a highly empowered organization with a US$1 billion information network, but FedEx is relatively new. It did not have to concern itself about unamortized information systems' costs. Other companies are not so fortunate.

The reason organizations choose empowerment is that this operating principle is a necessity for competitive advantage in today's marketplace. This is why my personal belief is that all organizations will be empowered and team-based in the coming years, just as all organizations once adopted the command-and-control pyramid of the early industrial revolution. Some of the reasons we hold this belief:

Empowered organizations have less risk of severe disruption or failure because they are more adaptive. The permeable boundaries are where the organization meets its environment: customers, government regulation and technology.

Customers today are represented as a billion markets of one. Empowered employees are able to adapt to a billion markets of one -- to find solutions to meet each customer's needs quickly.

Time is now a critical competitive factor. Advances in telecommunications in the 20th century have eliminated the "information buffer" that allowed organizations the luxury of slower changes to customer demands. Now you must serve the customer or they will go elsewhere easily and quickly anywhere on the globe.

A critical role of the organizational boundary is to be alert to the new and different -- ideas that could change the organization. Instead of isolation, the adaptive organization encourages ideas, searching for the seed of the next generation of product and process ideas to serve the organization's purpose.
The empowered organization is adaptive, because its employees are constantly at the boundary dealing with customers and feeding back information about changing customer needs and changes in the environment.

Most people, when they think of internal control, also think of the power to compel order and consistency on the environment. That is misguided. Control keeps an organization in touch with its environment through feedback, allowing the organization to continuously adapt and change to the changing environment. It is a type of order that keeps the organization on the path to achieving its purpose and goals, not the path of ensuring consistency of process.

Internal control serves the system purpose. Internal control exists to ensure that established objectives are reached. Controls do not perpetuate the system process (this is not the system's purpose); controls serve the system goals. As such, controls interact with the system and its environment. Operating on the system boundaries, controls channel the energy of the system toward fulfillment. They react to changes in the system processes to keep processes in step with changes in the environment.

Internal control in an empowered organization has the same purpose as in any other organization; however, the implementation of control may be different. Control will necessarily be flexible and robust. It must be able to handle emerging issues as well as routine transactions. This is why a strong system of values and ethics is so important. This is where these 'soft' controls originate.

Not all the controls must be or should be 'soft.' There must still be strong financial controls over the main financial stream. Empowered employees do not need access to everything -- just the access to the information they need to perform the task and the freedom to do it as it needs to be done to satisfy customers' needs.

The Risk of Fraud

In any empowerment situation, there are the short-term risks that all processes face:

- Errors
- Omissions
- Delays
- Fraud.

Errors, omissions and delays are system design and operational issues. There is background variation in all systems, according to the quality management theories of statisticians like W. Edwards Deming. [Note 3] System design can reduce the variation to predictable limits.

Fraud is different. Fraud is an intentional distortion of the system for personal gain. Because it is behaviorally driven, fraud is not predictable. It is controllable through deterrence and detective controls, but it is not entirely preventable. Fraud consists of three acts:

- The Theft: The theft of money, physical assets, time, or information.
- The Concealment: Hiding the theft through altering or destroying records that would reveal the theft.
- The Conversion: Converting the theft into something for personal use or gain. Money and time are not normally converted; they are already available for use by the fraudster.

Fraud is the result of a combination of factors: Opportunity, Pressure, Attitude.

All experts seem to agree that a key factor is Opportunity. Opportunity is a situation that can be directly addressed by management. Pressure and attitude are human factors often beyond the direct influence of the organization. Opportunity for fraud is increased when security over access to assets is lessened. Pressure can be increased by job-related issues, such as layoffs, or by off-the-job events. Attitude may be affected by the tone set by top management or the pervasive culture of the organization.

Auditors should take into consideration all three of these factors for an accurate assessment of fraud risk. Internal audit programs should contain specific steps to test the strength of these three risk factors and specifically test for the symptoms of fraud.

Deterrence is a management responsibility.
Deterrence is a system of controls limiting access to assets and/or raising the probability of discovery. By limiting the exposure of our assets, we discourage fraud from happening through lack of Opportunity. People are not tempted if situations are well controlled. In fact, it is unfair to tempt employees through lax management practices and poor controls. Some implementations of empowerment are an abandonment of traditional controls without any substitutes. Little wonder such organizations suffer from increased incidents of fraud.

Although primarily a management responsibility, the auditor can participate in deterring fraud. The auditor's role in deterrence extends in three dimensions:

- Planning: Identify weaknesses through an extended risk analysis that includes the crucial ethical climate of the organization.
- Auditing: Examine and test the deterrent controls' effectiveness, including the acceptance of the organization's vision and culture.
- Reporting: Gain senior management support for strong deterrent controls and make senior management aware of the risks in certain forms of empowerment through the audit reporting process.

By making conscious efforts to detect fraud, the certainty of being found out may also act as a deterrent to some who might otherwise commit a fraud. The auditor's role in the detection of fraud likewise extends along the three dimensions:

- Planning: Learning to recognize the symptoms or indicators of fraud (also known as The Red Flags of Fraud) through cause-and-effect analysis.
- Auditing: Identifying and verifying fraud symptoms for their cause and effects.
- Reporting: Work with senior management to follow through on suspected frauds and ensure consistent reporting and punishment for wrongdoing.

The auditor's main role is learning to be effective at detecting possible frauds.
This is accomplished through training and understanding of the symptoms of fraud for various business processes, designing audit steps with fraud in mind, and following up on tests that reveal weak deterrent controls.

Conditions for Fraud

Opportunity is the most controllable condition for fraud. How do we establish and nurture conditions of opportunity? Research is nearly unanimous in stating that frauds are more likely committed where controls are weak rather than absent. Conditions that permit operations and activities with no explicit internal control are less likely to be hotbeds of fraud than conditions where controls exist but they are not enforced. The twelve most common weaknesses, according to a 1984 IIA Research Foundation study, in order of frequency are:

1. Too much trust in employees
2. Lack of proper procedures for authorization
3. Lack of personal financial information disclosure (for bank frauds)
4. Lack of separation of transaction authority from custody of assets
5. No independent checks on performance
6. Lack of adequate attention to detail
7. No separation of asset custody from accounting for assets
8. No separation of accounting duties
9. Lack of clear lines of authority
10. Department infrequently audited/reviewed
11. No conflict of interest statement required
12. Inadequate documents and records. [Note 4]

Fraud also thrives in certain types of organizations. Those organizations that have little respect for controls have a culture that is ripe for fraud. Those organizations led by senior managers who set a poor ethical tone at the top have more problems with fraudulent acts by their employees.

It is important to take the right position on fraud, and even more important in an empowered organization. It is not that organizations are really empowered, people are.
The empowered person is valuable to the organization, so the conditions that permit empowerment to flourish must be nurtured from abstraction to reality through the positive efforts of all system members, but especially by senior management.

Traditional views of the "tone at the top" consider the behavior and words of the organization's leadership group. The workers will naturally imitate the behavior of the top echelon. Mixed messages (behavior that is not consistent with the words or espoused vision) tend to create confusion. "Tone at the Top" remains important as part of the organization leadership vision and culture. Too lax a concern is as bad as too much concern. People must be made aware of the "community of values" through a shared vision. Building an ethical framework is a positive activity.

What about the person who is greedy, selfish or has proven that they cannot be trusted? How do we handle the sociopath in an empowered environment? Membership in the organization is not guaranteed. Organizations must be able to deal with members that cannot handle the responsibility and accountability of empowerment. System processes must be designed to minimize temptation for the occasional weaknesses: Access to the financial system can be limited without affecting the sense of empowerment.

The role of the auditor is very important in an organization embarking on empowerment. By understanding the principles of empowerment, the internal auditor is equipped to serve the organization as it tries to reach its goals. The auditor is the expert in internal control. Combine this expertise with the freedom to range throughout the organization, and the auditor is in the best position to ensure that the vision is understood and that the spirit of community exists in sufficient strength to serve as the primary management control.

The Three "Must Have" Conditions for Empowerment

Even with a strong and active internal audit force, empowerment will foster fraud unless three conditions exist:

1. A management information system that provides continuous feedback on processes and how goals are achieved.
2. An organization culture with a value system built on trust, responsibility and accountability, and a program of continuous improvement in communicating these organizational values.
3. Strong controls over the financial stream (reducing Opportunity).

In addition, a fourth condition would be "nice to have":

4. A system to identify and deselect individuals unable to accept the responsibility of empowerment.

Certain companies (Saturn, Maytag, Nordstrom's) have all three conditions and have successfully implemented an empowered organization. In studying other organizations, it appears that any organization missing either #2 (strong value system constantly being reinforced) or #3 (controls over the financial stream) is doomed. Some organizations have achieved a degree of empowerment without the ideal management information system, but no one has done so without a strong value system and strong financial controls.

The management information system takes the place of supervision and separation of duties. It provides complete information for the customer-facing employee to render the service needed by the customer, as well as providing management with feedback on how those goals were achieved. Organizations that want to reengineer their processes to accommodate empowerment often are faced with expensive redesign of their systems. [Note 5]

The second condition for empowerment is a culture with a compelling vision and strong ethical values. The vision establishes the ethical framework. Without an ethical framework, there can be no trust. Everyone must be able to rely on everyone else for empowerment to work.
Nothing is more important in the organization than an ethical climate that binds all the members together in a sense of "community."

Building trust is a matter of many small steps, constantly repeating a consistent message. Management must "walk the talk;" that is, management must model the expected behavior as part of building the ethical climate. Organizations like FedEx and Levi Strauss maintain a continuous dialogue as part of their explicit ethics maintenance program. Still others rely on the use of teams as the basic building blocks of the organization to reinforce the ethical climate. "Many believe that teamwork will help to restore a sense of community within the corporation, a feeling of belonging shattered by waves of restructurings and downsizings." [Note 6]

The third requirement is a system of strong financial controls. Hammer and Champy have criticized the need for controls in a reengineered organization: "Another kind of nonvalue-adding work that gets minimized in reengineered processes is checking and control; or, to put it more precisely, reengineered processes use controls only to the extent they make economic sense." [Note 7] The experience of many other companies is that strong financial accountability and strong financial controls promote the ethical climate, reduce the opportunity for fraud, and can even be a source of renewal for the organization. [Note 8]

The challenge for the internal auditor is to ensure that the controls operate in a thorough and efficient manner. Efficient controls do not need extra layers to control conditions that slip through the first layer.

Finally, all organizations would like to have a method to deselect those who cannot accept the responsibilities of empowerment. Major culture change in large organizations usually takes five, plus or minus two, years. Some people are "early adopters" who embrace change. The majority have to be led through the transition to the change. A few will actively resist change.
These last must leave voluntarily (or not) in order for the change to be completed. In many organizations, especially in the public sector, these change resisters must die off or be bought off in order to make way for the change. That is why major change takes three to seven years on average.

A Prescription for Making It Work

"Freedom and Order turn out to be partners in generating viable, well-ordered, autonomous systems. If we allow autonomy at the local level, letting individuals or units be directed in their decisions by guideposts for organizational self-reference, we can achieve coherence and continuity. Self-organization succeeds when the system supports the independent activity of its members by giving them, quite literally, a strong frame of reference. When it does this, the global system achieves even greater levels of autonomy and integrity." [Note 9]

Making empowerment work is no small task. The requirements for successful implementation include:

- Leadership with a compelling vision and a sound change management process.
- A strong ethical climate that is continuously communicated and reinforced by positive actions.
- Strong financial controls over the main financial stream.
- An information system that provides operational information in real time to those who deal with customers and feedback to management on how customers' needs are being met.

Fraud is an issue for all organizations. The risk of fraud is lower in empowered organizations than in traditional ones, because:

- Empowerment gives proprietorship/stewardship over the business process to many individuals. There are more people concerned with operating and financial performance, so there are more active "supervisors" of the process.
- The level of commitment and the ethical climate required for empowerment serve as powerful deterrents to fraud. There is a greater community of spirit in the work place.
- Limiting employees' access to assets and financial processes to the extent necessary to perform their work is a more rational control process. Often control systems are thoroughly reviewed prior to the implementation of empowerment. The resulting redesign of the control system may give rise to more efficient (and therefore more rational and effective) controls.

In addition, the organization is likely to benefit in other ways from empowerment:

- Creativity (and productivity) is increased when employees can make rational changes to their job tasks.
- Empowered employees work on the interface between the organization and the environment. The empowered employees become an early warning system for organizations that need to change.

(c) Copyright 1995 David McNamee

-------------------------------------------------------------------------------
NOTES:

1 - KPMG, 1994 Fraud Survey (USA Edition), page 5.
2 - Knowdell, Branstead, and Moravec, From Downsizing to Recovery, Palo Alto, CA: The Consulting Psychologists Press, 1994, p. 215.
3 - Deming, W. Edwards, Out of the Crisis, Cambridge, MA: MIT Press, 1982, pp. 321-322.
4 - Albrecht, et al., Deterring Fraud: the Internal Auditor's Perspective, Altamonte Springs, FL: Institute of Internal Auditors Research Foundation, 1984, p. xv.
5 - See Marcella, Al, Outsourcing, Downsizing, and Reengineering: Internal Control Implications, Altamonte Springs, FL: Institute of Internal Auditors, 1995, for a discussion from the information systems perspective.
6 - Paradigms for Postmodern Managers, Business Week: Reinventing America (special issue), 1992, p. 63.
7 - Hammer and Champy, Reengineering the Corporation, New York, NY: Harper Business, 1993, p. 58.
8 - Waterman, Robert H., Jr., The Renewal Factor, New York, NY: Bantam Books, 1987, p. 117.
9 - Wheatley, Margaret J., Leadership and the New Science, San Francisco, CA: Berrett-Koehler, 1992, p. 95.