A survey conducted at the recent Institute of Internal Auditors annual conference by Protiviti has revealed that ⅔ of IA professionals believe their department is under-resourced and therefore unable to adequately carry out their duties.

Protiviti’s take is that due to increased expectations of the assurance Internal Audit can provide on an ever-widening spectrum of enterprise risks, auditors feel under-resourced. Sukhdev Bal, Director of Protiviti says:

This survey is a clear indication that internal auditors themselves believe that prior to the recession, they were not fit for purpose in terms of focus, skills and capabilities. Audit committees, Internal Audit leaders and management need to work more closely and collectively to agree the role of audit, objectives, criteria for audit and the overall approach of the internal audit function required to meet current and future evolving needs. Importantly, having agreed these, they need to ensure that the function is staffed with the right skills, capabilities and experience to meet these objectives.

There is evidence that spending on governance, risk and compliance didn’t decrease in 2009 compared to 2008, so I think Protiviti is correct with its assessment. IA is being asked to expand their risk coverage beyond traditional areas of expertise. It’s only natural to feel a little overwhelmed by the expectations. The key to adapting in my opinion (and experience) will be support for training in non-traditional areas.

The survey is available on Protiviti’s website (if you give them some personal information first).

Converting their payroll system has resulted in some serious errors to the tune of greater than $1.5 million for the Fort Worth (Texas) school district.

The school district overpaid employees and former employees at least $1.54 million, according to the [internal] audit. It also found that the district’s payroll system lacked proper controls, was cumbersome and inconsistent, and included manual paper entries that led to human error.

Aside from the poor conversion, it doesn’t sound like the new system is all that great if it requires manual entries. I’m assuming the entries are needed because the payroll system doesn’t interface with their general ledger system. Additional review controls over the process between systems is required in that case.

Some trustees are seeking an independent audit of the problems to get more assurance that fraud wasn’t a factor and that all the issues have been resolved.

[Trustee Christene] Moss said she wasn’t comfortable with parts of the report in which the [internal] auditors could not determine why various issues happened.

Yeah, I’d be concerned about that too! As well, the auditors aren’t certain that all the overpayments have been identified and fixed. I think these are the main reasons why an independent audit is needed. The situation calls for a specific engagement looking at the system conversion process and subsequent issues.

Board President Ray Dickerson reiterated that he didn’t think there was a need for a costly external audit. He said controls will be put in place.

[...]

Dickerson said the problems that were found are typical in such a transition.

“No matter how well you plan and train, once you flip that switch, you’re going to find things you didn’t know,” he said.

Uh, not really dude! And certainly not $1.5 million worth of “things you didn’t know” (on a monthly average payroll of $41 million)!

As a not inconsequential footnote, the conversion to a new system was required because the old system’s vendor was no longer going to be supporting it. A quick search for “open source payroll software” turns up many options which will prevent vendor lock-in in the future.

Update: Another story, this one in the Fort Worth Weekly, has more details about the internal audit’s findings and the attempts by the district to have some former employees repay the erroneous amounts.

A survey conducted in July and August of 2009 by Aon has revealed that companies are moving beyond “basic” ERM implementations:

62% of the survey respondents in the Global Enterprise Risk Management Survey 2010 reported going beyond basic ERM, compared with only 38% in Aon’s inaugural ERM survey in 2007.

I wonder what happened between now and 2007 that would’ve affected companies’ willingness to ramp up their risk management practices…

The survey asked respondents (of which there were 201) to rate the maturity of their ERM implementation, from “initial/lacking” through “basic”, “defined”, “operational” and “advanced”.

My take is that respondents are more likely to overestimate the maturity of their implementation and generally more likely to respond the more advanced they (feel they) are in the process. Still, the survey is a welcome indicator that ERM efforts are on the rise.

I also think the fact that ratings firms are taking ERM into account when they determine their grading is helping executives point to a tangible financial benefit and obtain buy-in from all stakeholders, which is critical. In my mind the primary indicator of maturity in a company’s risk management program is how comprehensive it is across all departments and divisions, as the “initial/lacking” stage is exhibited by a rigid, siloed approach.

The survey is available on Aon’s website (if you give them some personal information first).

New charges in the Satyam scandal were laid by India’s Central Bureau of Investigation, for “creating fake invoices to inflate revenues by US$94 million and forging company board resolutions to obtain unauthorised loans worth US$265 million” according to this story in Accountancy Age.

This comes after charges were laid on November 21 against the former Head of Internal Audit, VS Prabhakar Gupta, for the company, for “willful suppression of auditing irregularities.”

A lot of coverage in the blogs (primarily Dennis’ and Francine’s) thus far has focused on the role the external auditor PricewaterhouseCoopers played in the fraud, but Internal Audit arguably should’ve been better able to root out the fraud due to its closer familiarity with business processes.

It’s difficult to detect fraud in the best of circumstances, but when the charges involve suppression of irregularities discovered by internal audit, questions will be raised (and arrests made).

DNA (Daily News & Analysis), an Indian English language newspaper, provided additional detail on the arrest of the former Head of IA:

While the spokesman refused to divulge any further information about Gupta, sources in the agency claimed that the auditor had helped in falsifying accounts including inflating the overseas employees pay bill.

On top of this, the Internal Audit department received the Recognition of Commitment from the Institute of Internal Auditors in 2005, which according to the IIA was “available to all internal audit activities that submitted an application fee and met specific criteria in the areas of quality, outreach and professionalism, based on a point system.” The program was discontinued in 2006.

On the occasion, the now former Head of IA had this to say:

We are extremely happy with the recognition that our Internal Audit team has received on an international platform. Satyam is one of only 26 internal audit departments worldwide receiving this award in 2005 and it reinforces our commitment to meet the international standards in the concepts and approaches to audit function contributing to better corporate governance.

Satyam is now commonly referred to as India’s Enron.

You’ll have to hurry before Rupert puts it behind a paywall and blocks Google from indexing it, but the WSJ had a good article recently about technology in the workplace.

At the office, you’ve got a sluggish computer running aging software, and the email system routinely badgers you to delete messages after you blow through the storage limits set by your IT department. Searching your company’s internal Web site feels like being teleported back to the pre-Google era of irrelevant search results.

I don’t have a sluggish computer at work (it’s actually newer and better than my personal laptop), but it does run Windows XP still. Email storage limits should be a thing of the past and likely will be in 5-10 years as more businesses take advantage of cloud computing (or are forced to compete with that level of service). And I think we’ve all had bad intranet search experience!

Even more galling, especially to tech-savvy workers, is the nanny-state attitude of employers who block access to Web sites, lock down PCs so users can’t install software and force employees to use clunky programs.

For me, preventing software installation is much more heinous crime than blocking websites. Both treat employees like children, but the former serves to hurt productivity much more so than the latter. Youtube is a bandwidth hog, but explain to me why the default browser is still IE6?

“Virtual machine” software, for example, lets companies install a package of essential work software on a computer and wall it off from the rest of the system. So, employees can install personal programs on the machine with minimal interference with the work software.

This is an interesting idea. Has anyone experienced this method of organizing a work computer? It seems like a good compromise.

When they get fed up with work technologies, employees often become digital rogues, finding sneaky ways to use better tools that aren’t sanctioned by the IT department.

Is this really what the company (or the IT department) wants? Clearly not.

Instant Messaging (IM) is one area where corporations have really dropped the ball. Before I graduated from school I worked remotely part-time for a dotcom and I used MSN to communicate with my manager much more often than email. And it worked superbly. But that type of environment seems like a dream now.

The article talks about the changes Kraft Foods implemented to take better advantage of new technologies and improve worker productivity. They give employees an allowance for a phone and let them choose which one they want (60% chose iPhones). They even let employees choose their own computer, with the rule that they must consult forums for technical support if they choose not to use Windows.

For many of us, our computers and mobile phones are the primary tools we use to do our jobs. Companies that fail to provide their employees with the best tools will not get the best results.

If you enjoy hardware and software freedom at work, tell me about it in the comments!