It was recently announced that State Street Corporation, “one of the largest asset management companies in the world,” defrauded its customers out of $290 million…
“…through a deceitful scheme that was in practice for 17 years.”
Yes, you read that right. 17 years. 1998 to 2015. Check it out here.
You mean to tell me that internal (or external) auditors didn’t ONCE look at a file, spreadsheet, or other document that contained information regarding the markups on OOP – “out of pocket” – expenses charged to their customers? They never looked at one customer invoice/bill that noted this “pass through charge?” They never looked at the contracts that State Street had with its customers to bill only actual expenses?
Oh, wait. I bet they did.
But, I also bet they were focused only on “adding up the numbers” or “recalculating the invoices.” I bet they never once looked beyond those numbers and asked WHY that markup existed… WHY that OOP expense was different on the invoices than the actual expense to the company. (Actual expenses may have ranged from $0.02 to $0.15 per transaction; State Street would bill its clients $5 per transaction.)
Side bar: Check out my favorite Compliance resource/site here. Matt Kelly does an amazing job dissecting what happened in the State Street case. He just doesn’t mention the internal auditors – so I couldn’t keep my mouth shut about it and had to blog too. Oh, and if you don’t follow Matt on LinkedIn, you should.
To me, the fraud at State Street is just another example of internal auditors walking right by the important “stuff.” Add the State Street internal auditors to those at Wells Fargo, BP, Boeing, Purdue Pharma, and Volkswagen – who all failed to uncover the most egregious business ethics failures in recent times.
So, if they aren’t there (at the important “stuff”), where are they?
It may or may not bet there case here, but too often I see internal audit functions doing the same old risk assessment year over year, and working off the same old “rotational plan” to look at low, moderate, and high risk areas of their companies each year for “coverage.” I absolutely detest that word, by the way.
COVERAGE defined (by me) is “an absurd rationalization that we (internal auditors) must look at all areas of the organization within an irrelevant period of time.”
Internal auditors are getting “coverage” of those low and moderate risk areas regardless of whether or not that area has had ANY issues over the last year… regardless of what the organizational mission, vision, strategies are… regardless of where the MAJOR risks are to the organization… those risks that could bring down a company (or at least cause severe damage to its financials and reputation).
The bottom line is this…
Internal auditors, you need to implement this mantra:
Major on the majors
… RIGHT NOW.
Stop walking by the issues that land your organizations on the front page. Stop recalculating the fees or incentives, and start asking WHY the numbers are what they are in the first place. Stop worrying about the small potatoes. Stop filling your way-too-lengthy, nit-picky audit reports with things that don’t matter. Stop looking at the low and moderate areas of risk just to get “coverage.”
Start mattering to your organization.
Start auditing culture. Start training about ethics and culture. Did you see in Matt Kelly’s blog that they are now required to have a monitor to look at training “used to develop a strong ethical culture.” (And yes, I know what you are thinking, and I would love it if they hired me.)
In Becoming The Everyday Ethicist, I have a chapter called “Total Ethical Auditing.” The underlying theme of the chapter is that internal auditors should be spending more time on influencing culture. Why, because the MAJOR risks often come from the “unethics” of a culture. And I believe that could have very easily been the case at State Street.
- What are the organization’s values?
- Is anyone even talking about the importance of ethical conduct?
- Are there ethical standards of conduct? And are they enforced?
- Are leaders walking the ethical talk?
Just a few questions State Street management, board, and auditors should start asking.
If you liked what you just read, you would probably like Jo’s books too: Total Quality Auditing and Becoming The Everyday Ethicist. Each provides more information on WHAT EXACTLY internal auditors SHOULD BE focused on at their organizations.
Interested in having Jo train your internal audit department? No problem. Email her today: Jo@AuditConsultingEducation.com
Amanda “Jo” Erven, CPA, CIA, CFE, is the President and Founder of Audit. Consulting. Education. LLC. After a successful career in external/internal audit and accounting, Jo is now an active Internal Audit Strategist, Management Consultant, Higher Education Professor, Author, and Trainer/Speaker, providing Continuing Professional Education (CPE) hours, live and virtually, to organizations across the globe. Jo’s motto says the most about her personal and professional outlook: “Good things come to those who wait… but don’t. You deserve better than good.” Every one of her books and presentations focuses on that proactive stance, and how we can immediately connect our actions to our values.
