
Thursday, November 17, 2011

Executive Compensation: Set a Clear Course

Executive compensation has been filling the news media and creating a tremendous amount of public debate lately. One major question centers on pay-for-performance strategies versus pay practices in reality. In other words, at the end of the year, did the executive pay strategy result in the desired performance, and did it meet budgeted expectations? If not, what were the unintended consequences, and what adjustments get made going forward?

Many say executive compensation is more art than science. A formula that works for one company will not work for another. And, a compensation formula based solely on a company’s income statement may not work at all.

At a high level there are three main principles that must be met in order for the compensation strategy to work.
  • The program must be achievable.
  • The program must be believable.
  • The program must create alignment within the management ranks.
If any of these fail, the compensation program will fail.

With the founding principles in place, the starting point has to be the company’s strategic plan. The primary assumption is that the Board and Executive Management fully support the strategic plan. A failure to support the plan will not only derail the compensation strategy, it will derail the entire business. Obviously a strategic plan can include a tremendous amount of initiatives. It is important to narrow the strategic plan down to the 3-5 most critical and measurable activities. These have to be things that the company and executive have control over. The instinct might be to want to include many metrics in the compensation program, but in reality if there are too many measures, nothing gets measured. So instead, narrow the focus and use compensation to drive towards the desired performance.

The last three important elements to consider before finalizing a plan are to make sure there is agreement on the appropriateness of the measures/metrics chosen, make sure the amount of pay is appropriate, and make sure the compensation plan is driving towards the desired performance.

Is there a need to include Internal Audit in something as strategic as executive compensation? Many readers are probably responding, No Way! Before committing to an answer I suggest you consider it this way. Internal Audit’s job is to help the Board and Executive Management identify and assess risk and then help them establish and evaluate a system of internal control to mitigate the risk. I’d submit there is no better independent sounding board than the Internal Audit Department. So, before publishing the compensation program bring in your risk and control expert, and maybe a few of those unintended consequences can be avoided.



This blog post was written by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services, and a Director of the Adler-Caris Foundation, a not-for-profit dedicated to raising funds for Alzheimer’s Disease research. If you would like more information about Vonya Global or if you have questions for Steve, you may contact him through this blog, the company website, Twitter, or his LinkedIn Profile.

Friday, October 7, 2011

Boardroom Digital Literacy - R U Talking to Me?



[This article was contributed by Fay Feeney, CEO of Risk for Good]

Boardroom protocol is being exposed every day on the internet. Does Rupert Murdoch really think we can't see beyond his prepared remarks to determine for ourselves the "tone at the top" coming from his boardroom?

No need for board activists to add to the conversation from the outside about boardroom happenings. Now we hear directly from the CEO. When Yahoo fired their CEO Carol Bartz, she shared the inside scoop using her iPad. We learned of her accusing Chairman Roy Bostock of board mistreatment. In the same Fortune interview, she called her fellow directors “doofuses” and said they “f---ed me over.”

It may be surprising to see the boardroom portrayed like this in mainstream media, but imagine what happens when 100 million people on Twitter can now get involved in the conversation.

I know that many people in the boardroom are still on the sidelines about social media. What will it take to get your board ready to tackle their willingness to learn what is happening on the internet? Will it take seeing your company’s name in the news before you add digital literacy to your director’s education? I can see the incredulous look on the directors’ faces when the board is called on for their oversight of digital issues.

I can only imagine a board being characterized as:
    “illiterate”: showing or marked by a lack of personal knowledge with the fundamentals of a particular field of knowledge.
Or maybe a board will be portrayed as:
    “ignorant”: Lacking knowledge, information, or awareness about something in particular: "ignorant of social media".

Worse yet is to know, as a board leader, that it is true. So I ask, when are you planning to get digital and social media on your agenda? Who is going to be responsible for taking action to get it on your fall board agenda? Whatever title you have in the boardroom (board chair or lead director), you are setting the boardroom agenda. Are you waiting for your CEO, Corporate Secretary, Corporate Counsel, or Audit Committee Chair to bring resources and spend budget to get this to happen for you and your board?


This article is the first in a series contributed by Fay Feeney, CEO of Risk for Good. Risk for Good helps board chairs and lead directors navigate the disruption to their business from a social, mobile and global world.

Today’s minefields can cost your company: time, money and goodwill. Risk for Good works with your board to evaluate your exposure and leverage the opportunity from: social media, corporate social responsibility, sustainability, board composition, succession and the multitude of other areas where your board needs to manage emerging risk.

Modern boardrooms address these questions before others demand a “comply or explain” response. We use the quiet in our client’s boardroom to prepare thoughtful answers to today’s tough business questions.

If you are interested in contacting Ms. Feeney, you may do so through this blog or the Risk for Good website.

Thursday, September 15, 2011

Fraud Risk Management: Fraud Risk Has Been Rising And It's Likely to Continue

We have released the final report on the effectiveness of corporate fraud risk management. The report is the result of a study which compiled opinions on the risk of fraud and the effectiveness of corporate fraud risk management. While the study participants almost universally agreed that the risk of fraud has increased during the economic downturn over the past 24 months, many believe that the risk will continue to rise over the next 24 months.

Some of the results include:
- Fraud risk will continue to rise over the next 24 months
- Highest fraud risk lies with suppliers
- Executives say highest fraud risk is in Asset Misappropriation (false billing schemes)
- Internal Auditors say highest fraud risk is in Asset Misappropriation (Expense Reports)
- Employee tip is the #1 way fraud is uncovered
- Code of Ethics is #1 Fraud Prevention strategy

It is well known that the risk of fraud is present in almost every business regardless of size, shape, and complexity. The risk could materialize itself in an employee, a vendor, a client, or in the boardroom. It could be “detrimental” by bleeding company assets or “beneficial” by artificially inflating company financial statements. These frauds could play out in scenarios that are quite varied, and be concealed by strategies that are sophisticated and complex. The report reveals some of the strategies corporations use to combat the risk of fraud.

The study compiled opinions of Executives and Internal Auditors from private, public, and not-for-profit organizations, spanning many industries on strategic planning for fraud prevention, detection, and deterrence. One of the goals of the study was to provide information that would allow companies to evaluate the investment in fraud risk management. This is the second study Vonya Global has conducted on this topic; the first was released in 2009. The study compiles opinions about risk management strategies employed to combat fraud.

To download a copy of the report please visit Vonya Global’s home page: www.vonyaglobal.com.


This blog post was written by Steven Randall. Steve is a Managing Partner with Vonya Global, a premier provider of internal audit consulting services. If you would like more information about Vonya Global or if you have questions for Steve, you may contact him through this blog, the company website, Twitter, or his LinkedIn Profile.

Wednesday, June 1, 2011

The GRC Approach - for Small Internal Audit Departments

Governance, Risk and Compliance (Part 2)

First identify all of the functions and/or groups that interact with the area subject to assessment. Then through interviews and evaluation determine the following:
  • Governance: the goal, mission and objective of the program.
  • Risk: the risks that are being managed by each of the functions and groups involved.
  • Compliance: the rules, regulations, internal policies, the operating procedures that influence the operating activities. In this space it is also necessary to identify all of the tools, people, and resources available in support of the compliance efforts.
Once determined, you can assess whether the various functions are aligned as to the Governance mission and objective, determine whether they are operating against a common set of Risk factors, and evaluate whether the Compliance efforts are operating cohesively across all groups and whether resources are being deployed to effectively address each of the compliance requirements.

This evaluation is then used as the springboard to development of a high level summary regarding the cohesiveness of the company’s GRC activities across the multiple disciplines subject to review.


This post was contributed by Brad Zolkoske. Brad is the Director of Internal Audit at International Coal Group. He is responsible for the design, development, coordination and communication of auditing services throughout the company. Brad’s number one goal at International Coal is to establish a professional internal audit function that actively supports the company’s growth and culture initiatives.

During the course of his 20 year internal audit career Brad has worked in internal audit management for several publicly traded manufacturing companies. He is an expert at getting exceptional performance out of small audit departments. Brad can be contacted through this blog or through his LinkedIn profile.

Tuesday, May 24, 2011

When does GRC Fit within a Small Audit Shop?

Governance, Risk and Compliance (Part 1)

Governance, Risk and Compliance (GRC) is the latest and greatest hot topic being thrown at Internal Audit functions. But what really is the place for GRC in the profession today? Having been bombarded with Risk Management literature and programs for many years and those programs appearing to still be in their embryonic state, what confidence is there to be had in the GRC initiative?

As it turns out, there is a practical application for GRC in the world of Internal Audit. Certain cross-functional audit projects can greatly benefit from a GRC perspective. When faced with a large project across multiple disciplines, divisions, regions or operating groups the GRC model can provide a structure for evaluating the control environment in a manner and perspective that should appeal to senior management’s vision of the organization.

Stay tuned for Part 2 of the GRC for Small Internal Audit Departments.


This post was contributed by Brad Zolkoske. Brad is the Director of Internal Audit at International Coal Group. He is responsible for the design, development, coordination and communication of auditing services throughout the company. Brad’s number one goal at International Coal is to establish a professional internal audit function that actively supports the company’s growth and culture initiatives.

During the course of his 20 year internal audit career Brad has worked in internal audit management for several publicly traded manufacturing companies. He is an expert at getting exceptional performance out of small audit departments. Brad can be contacted through this blog or through his LinkedIn profile.

Wednesday, May 18, 2011

Internal Audit Departments and Building a Definition of Risk

Internal Audit Departments today are constantly told to be "risk based" and to assist their companies in the management of risk. While this sounds great in concept, the execution is a different matter, as many companies today do not have a formal risk management program with which to align. When tasked with developing such programs, Internal Audit should not fall into the trap of developing a population of risks before first arriving at a common definition of risk.

Understanding how your company views risk is a good place to start. Is risk viewed as good or bad? Remember, risk is not just a negative; the presence of risk presents the possibility of reward as well as loss. In looking at risk as both a positive and negative, Internal Audit Departments will better align their risk activities with the thoughts and strategies of management.

This definition, once developed, can then allow Internal Audit Departments to evaluate risks and risk management activities to determine if the potential for success warrants the risk being taken; to assess whether the risks being taken are aligned with corporate values, goals, objectives, policies and management capabilities; and to determine whether the culture of your organization is strong enough to allow for a legitimate discussion about risk events that haven’t yet happened.


This post was contributed by Brad Zolkoske. Brad is the Director of Internal Audit at International Coal Group. He is responsible for the design, development, coordination and communication of auditing services throughout the company. Brad’s number one goal at International Coal is to establish a professional internal audit function that actively supports the company’s growth and culture initiatives.

During the course of his 20 year internal audit career Brad has worked in internal audit management for several publicly traded manufacturing companies. He is an expert at getting exceptional performance out of small audit departments. Brad can be contacted through this blog or through his LinkedIn profile.

Wednesday, April 20, 2011

Internal Auditors Pledge to Shape Up - Vonya Global's Shape Up for Summer 60 Day Charity Challenge

Vonya Global launched its inaugural “Shape Up for Summer 60-day Charity Challenge” last week. 28 Internal Auditors from various companies around Chicago, in addition to the employees of Vonya Global, have committed to shape up for summer. Throughout the 60 days Vonya Global, with the help of two certified personal trainers and one certified nutritionist, will provide diet and exercise tips to motivate the group on their quest to shape up. At the end of the 60 days Vonya Global will donate $1 for every pound the group loses to the Greater Chicago Food Depository.

“Our consulting business is designed to help companies shape up by assessing risk and evaluating procedures for controlling risk in business operations. We thought it was a perfect tie-in to individually shaping ourselves up while helping us fulfill our mission of social responsibility. We are excited about helping our group shape up while also benefiting a great cause, the Greater Chicago Food Depository. We are also grateful for all of those who are helping us during the challenge.” Steven Randall, Vonya Global Managing Partner

Vonya Global encourages individuals around the world to participate. For more information about the challenge people can visit the Vonya Global website (http://www.vonyaglobal.com) and click on the links for “Shape Up for Summer.” The Shape Up conversation is already under way at the Vonya Global Facebook pages.

Friday, January 21, 2011

A Project for 2011... maybe for Internal Auditors: Reviewing Corporate Policies and Procedures


Are Policies and Procedures important? We certainly think so. Unfortunately, many companies have old, outdated Policy and Procedure manuals, while some have none at all. As companies and internal audit departments are planning projects for 2011, consideration should be given to reviewing and updating the Corporate Policies and Procedures.

Policies and Procedures are a company’s way of documenting management’s vision and communicating it as instructions for employees on how to handle issues as they arise and how to execute their job responsibilities in a consistent manner.

Written Policies communicate:
  • Company Rules in simple language
  • Delegation of Authority
  • Enforcement and consequences if not followed
  • Impartial administration of company-wide Policy
  • Evidence for Governance, if legally approved and followed

Procedures communicate:
  • Clear guidelines on how to implement a policy
  • Boundaries for employees

While Policies are general in nature, Procedures provide the details as to what to do, often with examples and forms. Sometimes procedures include emergency steps.

By creating a Policy and Procedure Manual, the company provides a source that all employees can turn to for guidance on standard matters, which lets management focus on exception handling rather than spend time on day-to-day operations.

Successful Policy and Procedure Manuals require reviews and updates as laws and company environments change. Their dynamic nature requires work but overall it eliminates the redundant need for repeated instructions through time consuming meetings, memos or other correspondence.

Policies and Procedures should be assigned to a position within the company, for example the Finance Manual should be “owned” by the highest Finance position within the company, such as the CFO, and the Employee Handbook by the highest HR position such as the HR Director, etc. Policies should cover the key activities which need to be customized for each organization.

The objective is to create easy to understand policies and procedures that provide clear guidelines for everyone to follow.

Need a hand? We would be glad to help, just give us a call.

Friday, December 10, 2010

‘Tis the Season to be Internal Audit Planning

As the holiday season is rapidly approaching, good tidings are regularly shared as should be the case.  It is time to be joyous and celebratory for the year that was and hopeful for the year that shall come.

It is also a time for Internal Auditors to take stock in their year that was and plan for the year that shall come.  I presume most Internal Audit Departments have completed their annual risk assessment, are trying to wrap up any remaining items from the 2010 Internal Audit schedule, and are putting together their 2011 Internal Audit Plan.

Here are some questions I recommend Internal Auditors ask themselves:
  • How has the economy impacted the audits I complete?
  • How responsive is my audit plan to changes in risks?
  • How was the 2010 plan better than the 2009 plan and how is 2011 going to improve upon 2010?
  • What were my significant accomplishments in 2010?
  • Were these accomplishments significant to only me or did they have a profound impact on the company?
  • What significant accomplishments are going to be made from the 2011 audit plan?
  • How is the 2011 audit plan going to enhance the strategic relevance of Internal Audit?
The easiest thing to do is keep everything the “same as last year” - and there could be logic in it like... the economic conditions, staffing shortages, resource constraints, regulatory requirements, and so on.  But, the CEO can’t go to the Board and say "the company's 2011 strategic plan is the same as our 2010 plan" and neither should the Internal Auditor.  Take whatever flexibility you have and think strategic, think relevance, and think profound impact.  Successfully do that now and in 12 months the 2012 planning will become much more fun!

For more information on Internal Audit’s strategic role please review The 2010 Report on the Strategic Role of Internal Audit.

Thursday, November 18, 2010

Internal Audit - Adding Value in the Not-for-Profit World

While not-for-profit organizations perform many of the same accounting functions as public corporations, not-for-profits are inherently different in many ways and require a unique Internal Audit focus. In 2006, the American Society of Association Executives (ASAE) published the results of a research project undertaken by The Center for Association Leadership to identify characteristics of the most successful not-for-profit organizations. The study found the following factors to be common in the most successful associations: Commitment to Purpose, Commitment to Analysis and Feedback, and Commitment to Action.

By focusing on the conclusions of this study, auditors can go beyond assurance and provide insight that will help to identify and mitigate risk. An entity level assessment should ask questions to identify the risks associated with each factor listed above.

Commitment to Purpose
A successful organization aligns its products and services with a customer focused mission. Its reason for being is measured by its relevance to the customers and/or members. Questions for auditors to ask include:
  • Are strategies aligned with the interests of the customer and/or member before the generation of revenue or the promotion of an image?
  • How can upcoming changes in the external environment affect the commitment to the mission? Are underlying values constant?
  • Does the association periodically and clearly define the customer? Does it best serve the customers and/or membership directly or through chapter organizations? Are the needs of special interest groups being prioritized effectively?
Commitment to Analysis and Feedback
Communication and data-driven strategies are vital to the success of a not-for-profit organization. The organization should be the ultimate authority concerning the needs and issues of its customers and/or members as well as the state of the business environment. To evaluate the risk associated with poor analysis and feedback, the following questions will be helpful:
  • Are initiatives and strategic goals supported by data and research?
  • How is information shared throughout the organization? Are all levels of employees actively involved?
  • Are computer systems and models appropriate and sufficient?
Commitment to Action
A successful organization is flexible and adapts quickly to crisis situations. For not-for-profits, these situations typically involve a financial setback or a leadership void. Leading not-for-profit organizations also actively pursue alliance opportunities that will leverage services for the membership. The following questions assess the organization’s commitment to continuous improvement and adaptability:
  • Does the organization have an action plan that will support quick decision-making in the event of a crisis?
  • Are there “sacred cow” programs or services that cannot be changed?
  • How does the organization identify and evaluate potential alliances?
Internal Audit has a responsibility to monitor risks particular to the not-for-profit environment. By using the 2006 study as a guideline, a partnership between audit and organization leadership can help foster success and better results for the membership community.

Wednesday, June 2, 2010

Study Launched on the Strategic Role of Internal Audit

Vonya Global is surveying a cross-section of Executives and Internal Auditors from both public and private organizations in a variety of industries to evaluate their opinions regarding the strategic role of internal audit. This is a follow-up study to one conducted in 2008. The results of the 2008 study revealed an expectation gap in the strategic role internal auditors play in their organizations. This follow-up study will compare how expectations may have changed in light of continued risks of fraud, financial statement errors, environmental risks, security breaches, and privacy concerns.

One executive from the previous study stated the following: “Internal Audit could improve its capabilities in evaluating the effects of strategic and business risk on the overall risk profile of the Company. This would also enhance the primary mission of internal audit to look for potential financial issues.” This statement, along with many others, reveals the importance of internal audit becoming more than a financial compliance function. The results of this new study will highlight whether or not internal audit has taken steps in this direction.

To participate in the study, please visit the Vonya Global website: http://www.vonyaglobal.com


Tuesday, March 16, 2010

Responding to Fraud Risk: the CAE’s Role


Background: The Association of Certified Fraud Examiners (ACFE) conducts a bi-annual study on fraud investigations, the results of which get summarized in the ACFE Report to the Nation. The most recent report was issued in 2008 and revealed the following:
- U.S. organizations lose 7% of their annual revenues to fraud
- There is approximately $994 billion in fraud losses each year
- Fraud schemes typically last for at least 2 years before they are caught
- Corruption was the #1 scheme at 27% of all reported fraud cases
- False Billing was the #2 scheme at 24% of all reported fraud cases
- Frauds are most likely to be uncovered by a “tip” rather than any other method, including audit
- Roughly 38% of Frauds happened at small companies (>100 employees)
- Roughly 42% of Frauds happened at large companies (1,000+ employees)
- Roughly 39% of Frauds happened at Private Companies
- Roughly 28% of Frauds happened at Public Companies

What these statistics prove is that while fraud may not happen at every company, no company is immune to fraud risk. As an inherent risk to business, fraud should be included in Enterprise Risk Management (ERM). Methods for managing and controlling the risk of fraud should include strategies for fraud prevention, fraud detection, and fraud deterrence.

The Chief Audit Executive (CAE) must be involved in the organizational anti-Fraud strategy. As with other business risks the CAE should be assessing Fraud Risk and evaluating the effectiveness of the anti-Fraud strategies. Here is a sample list of strategies:

Fraud Prevention
- Anti-Fraud Tone at the Top
- Strong Corporate Governance and Internal Control Environment
- Policies and Procedures to reflect mindset and actions
- Hire ethical employees (Background checks, signed forms, etc.)
- Code of Conduct – signed by every employee
- Conflict of Interest Statement (employees and business partners)

Fraud Detection
- Establish a Hotline
- Fraud Risk Assessment
- Fraud Penetration Study based on Schemes and Concealment Strategies
- Incorporate Fraud in every phase of an audit (SAS 99)
- Create/utilize a Red Flags Database
- Implement effective SOX Fraud Controls
- Data mine instead of sample testing
- Create a Toolkit including a resource roster of experts (Fraud expert, Investigator, Data mining, etc.)
- Continuously Monitor Transactions for possible Fraud

Fraud Deterrence
- Create an Internal Audit department
- Publicize Ethics Hotline
- Publicize Internal Fraud Cases and Punishment
- Publicize Continuous Monitoring Program


Vonya Global and the ACFE are not affiliated. Information in the opening paragraph is sourced from the ACFE 2008 Report to the Nation, which can be downloaded at the ACFE website.