One of the primary functions of management is to understand what is
actually going on in an organization as opposed to what is supposed to be happening. However, for monitoring to be truly
effective, there must first be good communication, a culture that promotes ethical
behavior and a solid understanding of the
particular organization’s risk factors.
“Organizational monitoring is not just
about protecting a company from fraud,”
says James P. Martin, CMA, CIA, CFE,
CPD, CFFA, a partner with Cendrowski
Corporate Advisors LLC. “Monitoring systems can help ensure quality, that customer
needs are being met and that the company
is doing everything else that is necessary to
achieve its goals.”
Smart Business asked Martin how companies can get the most from their monitoring systems.
How can monitoring help a company stay on
track?
Monitoring systems are put in place so
that management will know exactly what
is going on in the company at all times. This
will enable management to correct minor
issues before they become bigger problems. There will be a lot less time reacting,
so the company can focus on success.
What are the steps to an effective organizational monitoring plan?
First, the company must clearly define its
goals. What is it trying to accomplish and
how will it accomplish those goals?
Second, what risks does it face — what can
get in the way of the company accomplishing those goals? Third, what type of early
warning system does the company need?
How will it know if and when a risk has
actually occurred or if someone has not
performed as expected?
What impacts are electronic monitoring systems having?
Electronic monitoring systems have been
around for some time but are drawing more
attention now that the penalties and potential outcomes for violations are more severe under Sarbanes-Oxley. Electronic monitoring systems are similar to a car’s dashboard.
When trigger points, which are predefined
events or hurdles, are detected, ‘warning
lights’ appear on the manager’s desktop.
While electronic monitoring systems are
useful, they cannot — nor should they —
replace human involvement. The most
important thing managers can do is be
involved with the company’s operations on
a day-to-day basis. This includes walking
around the company and talking with
employees, holding regular meetings, receiving regular reports and phone calls, etc.
How are trigger points identified?
An organizational assessment of risk will
help management identify areas that have
more robust monitoring needs than others.
Examples might include finance — everything related to potential issues arising
with cash — or vendor management, for
example, notification every time a vendor’s
address changes. Triggers can also be set
up to monitor quality metrics, supply chain
issues, personnel issues, etc. The system
should be proactive so that management
can address issues before they get out of
control, preventing a crisis management
situation.
It’s important to note that a monitoring
system is more holistic than the definition
of trigger points. The single biggest factor
is people — the behaviors of what people
will do in a given situation. There needs to
be an overall culture with good communication systems and a clear understanding
of the expectations that management sets.
Monitoring techniques need to continuously adapt to consider potential changes in
behavior. There are a lot of examples of
companies that had defined monitoring
procedures, but creative people were able
to identify and exploit areas that were not
considered in those procedures.
How do private equity firms monitor the
activities of the companies they invest in?
Private equity firms have to monitor the
operations of the portfolio companies, not
to the extent of detail that internal management does, but they do need to define
risk. These companies have expectations,
and if they identify certain events on the
horizon, they can be prepared to take certain actions. Like the companies they monitor, private equity firms must also define
their own particular trigger points.
Any tips for improving a system?
Make sure you’re monitoring the right
areas. There may be areas you’ve historically monitored a certain way that have
now changed. This is where the importance of the internal audit function comes
in. The board’s audit committee must
understand what is critical for the organization in the upcoming year. In examining
the ‘audit universe’ — the model that
defines every auditable event within the
organization — areas of risk are identified,
then are prioritized for audit. It is management’s responsibility to determine how
many resources to invest in each given
area of risk.
JAMES P. MARTIN, CMA, CIA, CFE, CPD, CFFA, is a senior
manager with Cendrowski Corporate Advisors LLC, Bloomfield
Hills. Reach him at (248) 540-5760 or [email protected] or go to
the company’s Web site at www.frauddeterrence.com.
