Proactive organizational monitoring Featured

7:00pm EDT November 25, 2007

One of the primary functions of management is to understand what is actually going on in an organization as opposed to what is supposed to be happening. However, for monitoring to be truly effective, there must first be good communication, a culture that promotes ethical behavior and a solid understanding of the particular organization’s risk factors.

“Organizational monitoring is not just about protecting a company from fraud,” says James P. Martin, CMA, CIA, CFE, CPD, CFFA, a partner with Cendrowski Corporate Advisors LLC. “Monitoring systems can help ensure quality, that customer needs are being met and that the company is doing everything else that is necessary to achieve its goals.”

Smart Business asked Martin how companies can get the most from their monitoring systems.

How can monitoring help a company stay on track?

Monitoring systems are put in place so that management will know exactly what is going on in the company at all times. This will enable management to correct minor issues before they become bigger problems. There will be a lot less time reacting, so the company can focus on success.

What are the steps to an effective organizational monitoring plan?

First, the company must clearly define its goals. What is it trying to accomplish and how will it accomplish those goals? Second, what risks does it face — what can get in the way of the company accomplishing those goals? Third, what type of early warning system does the company need? How will it know if and when a risk has actually occurred or if someone has not performed as expected?

What impacts are electronic monitoring systems having?

Electronic monitoring systems have been around for some time but are drawing more attention now that the penalties and potential outcomes for violations are more severe under Sarbanes-Oxley. Electronic monitoring systems are similar to a car’s dashboard. When trigger points, which are predefined events or hurdles, are detected, ‘warning lights’ appear on the manager’s desktop. While electronic monitoring systems are useful, they cannot — nor should they — replace human involvement. The most important thing managers can do is be involved with the company’s operations on a day-to-day basis. This includes walking around the company and talking with employees, holding regular meetings, receiving regular reports and phone calls, etc.

How are trigger points identified?

An organizational assessment of risk will help management identify areas that have more robust monitoring needs than others. Examples might include finance — everything related to potential issues arising with cash — or vendor management, for example, notification every time a vendor’s address changes. Triggers can also be set up to monitor quality metrics, supply chain issues, personnel issues, etc. The system should be proactive so that management can address issues before they get out of control, preventing a crisis management situation.

It’s important to note that a monitoring system is more holistic than the definition of trigger points. The single biggest factor is people — the behaviors of what people will do in a given situation. There needs to be an overall culture with good communication systems and a clear understanding of the expectations that management sets. Monitoring techniques need to continuously adapt to consider potential changes in behavior. There are a lot of examples of companies that had defined monitoring procedures, but creative people were able to identify and exploit areas that were not considered in those procedures.

How do private equity firms monitor the activities of the companies they invest in?

Private equity firms have to monitor the operations of the portfolio companies, not to the extent of detail that internal management does, but they do need to define risk. These companies have expectations, and if they identify certain events on the horizon, they can be prepared to take certain actions. Like the companies they monitor, private equity firms must also define their own particular trigger points.

Any tips for improving a system?

Make sure you’re monitoring the right areas. There may be areas you’ve historically monitored a certain way that have now changed. This is where the importance of the internal audit function comes in. The board’s audit committee must understand what is critical for the organization in the upcoming year. In examining the ‘audit universe’ — the model that defines every auditable event within the organization — areas of risk are identified, then are prioritized for audit. It is management’s responsibility to determine how many resources to invest in each given area of risk.

JAMES P. MARTIN, CMA, CIA, CFE, CPD, CFFA, is a senior manager with Cendrowski Corporate Advisors LLC, Bloomfield Hills. Reach him at (248) 540-5760 or cs@cendsel.com or go to the company’s Web site at www.frauddeterrence.com.