This week we have a guest column by Dan Helming. 

Noticed in Years

by Dan Helming

I noticed in the years that I’ve been an adult, that there are some things that I have learned to do, just from the interests I have from being a guy and have learned over time.

Like spot-touching up a car.  I don’t know much about cars, but I like my car to look reasonable, and I like to do things on summer evenings etc. that get you outside with a beer and the radio. 

I leave my car’s finish “open for business” in the late summer months.  In prepping for touchup or buffing out a scratch, you need to remove the wax or poly first with denatured alcohol.  So rather than strip a patch and put wax back on each time, I strip the car around Labor Day, and then keep it stripped until I’ve gone as far as the sunlight, the temperature, and my time goes into the fall.  I can layer some touchup paint over a couple of days, I can buff out a scratch, I can go back over the work that is not quite complete, etc.  Then ready or not, when the temperature is never above 50F, it’s time to do my wax or poly and put the finish away until the spring.  It’s a necessity to stop because the paint will not thin out properly or cure when it’s cold.  You want to paint at about 60F. or above, wax when the temp is about 45F. or above. 

Almost time to put the finish away but nice to have a 70F. Sunday again. 

Anyway, I was thinking about the same things that I have gotten a similar feeling for in business.  One is my feeling for jobs in the financial services industry, which I serve as well as other NY-area industries.  My wife does placement in the industry, and in my experience, when the recession has bottomed out… is when they have their last layoffs.  They clean up their balance sheets, put the costs of the last layoffs into the non-operations line, and have too much work for their people until they report the first good earnings and are ready to pick the hiring back up. 

Another thing I’ve gotten a feel for is internal controls and the potential for fraud in the workplace.   I see the COSO framework, and I see the Internal Control Questionnaires that are supposed to pinpoint where internal controls are lacking.  And I see them applied in the workplace.  But I don’t buy in to the idea that “anyone” can use these questionnaires, as a part of software or otherwise, and get the emphasis right.  

For one, I see an equal treatment of all functions, Accounts Payable, Inventory, Accounts Receivable, Treasury, etc. and there are a lot of boilerplate questions across the functions, i.e. where do entries originate, how are they recorded, how are they authorized, etc. 

With my experience as a controller, consultant, writer, and educator, I see things differently.  

I see Purchasing as being low on the totem pole in fraud, for example, but I still want to hone in on the personal computer purchasing, approval, inventory, and retirement processes, both for information security and for improper appropriation purposes.  I also want to have an understanding of any blanket orders and offsite storage of items like stationery.  I want to see that usage and inventory levels make sense in real-time, that the number of sheets of paper etc. make sense and we aren’t just pumping our cash into fraudulent, non-delivered inventory. 

I‘ll hold the detail on the others, but one area where I really want to focus is on the movement of cash through wire transfers.  No matter what firm I go to and what procedures I have, they break down on wire transfers.  The reasons they give for the controls breaking down:  1) The wires are urgent, that is why they are being done by wire. 2) The procedures are stripped down so that in an emergency (why a wire is usually required) a wire can get out the door. 3) the bank requires fewer controls for a wire. 4) the process is mostly administrative and administrators need to do most of the procedure; the higher-level people don’t know the process. 

Fine, but all of these reasons weaken the controls and cause it to be an area where people can make mistakes or take advantage.  And especially now, banks don’t focus on your internal controls or even very heavily on authorization signatures.  If they have a reasonable idea that your company is in favor of the transaction, they will let it go. 

Someone has got to tell me how the knowledge of vulnerabilities and experts’ experience with fraud can be compressed into a questionnaire or computer program.  I think these are great tools. However, have you ever heard this expression, I think is funny but true:  “a fool with a tool is still a fool with a tool”. 

And I count my time spent with getting certification in internal audit in as being one of the more valuable experiences of the last 5 years.  Some of the stuff is obscure.  Now I doubt that many of you will have to worry about the ethics of an internal audit dispute, and whether you would mediate, or go to the board, CEO, or audit partner first to disclose the dispute.  When you get certified, you will know, and it will make sense from the perspective of the thousands of years of experience of thousands of worldwide audit professionals who helped codify the ethics. 

But I’ve worked with leadership in some of my own working situations who weren’t certified, and: I don’t think it was accidental that they didn’t think it was important whether firms had more preventive or detective controls, even though Sarbanes-Oxley spells it out in Statement #2.  Which would you think?  [Statement #2 calls for a balance of preventive and detective, and too much of either is a weakness].  I think that certified internal auditors pay a little more attention to others prior experiences, rules and codifications.  What is the saying?  Smart people learn form the mistakes of others, mediocre people from their own mistakes, and dumb people don’t learn. 

Have a good week,

Dan Helming