Internal Control Training..."Mission?"
by
Michael L. Piazza
Overview:
Since my very early days as an
instructor, any seminar session to do with internal control was based on the
presumption that the participants were familiar with the basic process of
organizational development and the four functions of management (sometimes
depicted as five functions - staffing listed as a separate item from organizing). This
presumption was a given
throughout the 1980's and even into the latter part of the 1990's. Much
to my chagrin, after a several year stint as an executive and consultant, this
had totally changed
when I returned to the training room in 2003 and attempted to do introductory
sessions on the framework of internal control.
As I would open a session and discuss the flow from mission through to objectives in the organizational development process, the participants would gaze back at me with blank looks. After a few sessions, I developed the following graphic to depict the basic concept of mission, vision, values, goals and objectives with the four functions of management depicted next to it. The main message was that controlling, a management function, is predicated on the establishment of objectives. One of the primary tenants of the Committee of Sponsoring Organizations (COSO) Integrated Framework of Internal Control is that objective setting is a precondition to risk assessment and establishing related control activities. This graphic depicts that relationship, mission through to objectives, then controls are put in place to mitigate risks and help to achieve the objectives. A basic management function.
"Welcome to My World"
In the Spring of 2005, I was
subcontracted through the Institute of Internal Auditors (IIA) to conduct a
series of training sessions for the Province of Alberta in Edmonton, Canada. By
then, the above graphic was a staple in my sessions and was presented in enough
depth to give the participants a solid foundation to build upon when covering
the COSO framework and all of its elements. During the first two seminars I conducted
in Edmonton, the graphic played a vital role in establishing the context for
objective setting, risk assessment and control activities. All was well.
In the third seminar, Ralph Timleck (Audit Java Section Editor), attended the session and sat right in the middle of the front row. Ralph at the time had been in the control and audit world for over 30 years. When I started the presentation on this graphic, Ralph politely interrupted, "Why are you covering such basic concepts? This is basic 1970's management by objectives material" I, in turn, politely responded, "To date, none of the participants from your office have seen or heard of these concepts, so I cover them as a foundation for exploring the internal control framework."
Ralph scoffed at my answer and laughed, "No way, everyone is familiar with these basics!" I invited Ralph to turn to the other forty plus participants (most of them under thirty five years of age) and ask them for himself if they had in fact ever been exposed to the concepts. Ralph turned around to the group and inquired how many people were familiar with the basic concepts. No one acknowledged any familiarity with them. Ralph laughed and inquired again, "Surely, you've seen this before!?" Again, no one acknowledged any familiarity.
Ralph turned back to me with a flabbergasted expression. "Welcome to my world," I said to him, "this is universal from large private sector organizations and public sector organizations in both the US and Canada." For the next two days, Ralph assisted me during the remainder of the seminar to make the conceptual flow relevant to the work of his colleagues, even making presentations himself. The following year, I solicited Ralph to participate as a course developer and instructor in the IIA's Public Sector Training Initiative, a pilot program for public sector entities. By then, Ralph was used to my world, one where management basics had not been communicated or assimilated to internal control and internal audit practitioners.
"What is Your Mission Statement?"
Over the past
several years, the main fallout from
this universal lack of exposure is that when trying to establish the practical use of the
conceptual flow, one of my first questions after covering the graphic and
related concepts has been, "Can anyone relate to me verbatim your organization's
mission statement?" Virtually 100% of the time, no one was able to recite the precise
mission statement. My next question was obvious, "Can anyone paraphrase your
organization's mission statement." Almost 90% of the time, no one could even
approximate a stab at their mission statement. Amazing!!
The answer to the next question I still find alarming. "Has anyone seen, or at one time, known your organization's mission statement?" Sadly, only about 40% of the multitude of participants in in-house or even main site seminars had any recollection of having had direct exposure to their mission statement. My alarm to the group was simple..."If you do not know, or remember seeing your mission statement, how in the world can you competently understand the objectives and related risks and controls you are reviewing." It would usually take a while, but the substance of the question would sink in to the more astute participants.
"Can I Buy a Copy of Your Mission Statement?"
Routinely, I
covered the concepts in the above graphic after the first break in the seminar
and prior to lunch on the first day. While adjourning for lunch, I would
petition the group for someone to bring a copy of their organization's mission
statement to the seminar after lunch. NEVER, did anyone return with a copy of
their mission statement. Sad but true.
Next, I would then ask to buy a copy, stating that I would pay $20 for someone to bring an official copy of their organization's mission statement after the afternoon break. With only a rare exception or two, no one would bring a copy back after the second break. Many of these sessions were in-house and all the participants would have to do is pick up a manual or click on an intranet or internet page and copy/print the statement. In dismay, I tried to make the point more dramatic, so when adjourning for the day I would routinely increase the offer to $100 for an official copy of a mission statement. That usually got a good laugh. I would close the day by saying that I was very serious. A $100 for an official copy of a mission statement...pretty easy money from where I come from.
It is hard to accept and to report that over the past seven years in well over hundred internal control seminars I conducted with more two thousand participants in attendance, that only few participants per seminar would actually bring their mission statement to the session on day two. My loose statistics was that less than 1% of the participants would actually follow up on the challenge. Only one of them ever accepted the payment for bringing the statement. All the others were too embarrassed, understanding that as a practicing control and/or internal audit professional it was ridiculous to have to be bribed to actually look up and print out a copy of the mission statement that drives their organization.
The one person who accepted the payment was attending as a consultant from a large multinational accounting firm. She came to the session early on the second day, before anyone else arrived. She handed me her mission statement and stated that during the five years she had been with the huge and prestigious firm, she had never been shown or thought to look up their organization's mission. "I am so ashamed that I had to have an instructor offer me $100 to go find it and print it out. The simple reading of it has changed my entire perspective of my organization." She accepted the money, 'on principle' she said. "I will never forget how I earned this money..."
"Everyone Knows Our Mission Statement"
My wife
Linda is a very good listener and allows me to babble on about things from my
work. One night in late 2009 we were going out to dinner accompanied by her daughter Megan
and son-in-law Michael. While jabbering away in the front seat about this
horrible dilemma that control experts did not have a clue about mission, Megan
spoke up from the back seat and stated factually, "I know our mission statement,
everyone in the company does." I looked at her in the rear view mirror and said,
"Okay, give it to me." I was expecting her to stammer through some
semblance of a statement, but not the actual statement. No control or internal
audit professional for the prior six years had been able to give me an accurate
recital, how could this twenty seven year old give me something seasoned
professionals could not?
With complete confidence and articulation, Megan succinctly stated her organization's mission. While trying to give her accolades for this amazing feat, she interrupted me and said, "No, everyone knows it. At anytime, any employee can be stopped and asked to repeat the mission. You have to know it. Everyone does."
I was amazed. Megan was living in Orlando at the time and was an event planner with the Gaylord resort there. She told me that all employees: housekeeping, maintenance, sales, administrative, executive, it did not matter; everyone had to know the mission. Anyone could be stopped at any time and asked for the mission statement and received demerits if it was not recited accurately. I asked her if they had any openings at the resort, I wanted to go to work there. She laughed, but I was serious and Linda knew I was as well. It was not only refreshing but outright amazing to hear that an organization in 2009 required ALL employees to be versed in and tied to the mission...as your are supposed to be.
Conclusion:
With the contemporary emphasis on risk
management, controls, governance and all of the processes that are intended to
make an organization successful, I have found it tragic that the most basic
understanding of organizational behavior has been ignored. Fundamental adherence
to mission cannot be on the radar of the organization if the professionals who purport to practice
in the field of risk and controls are not familiar with, and generally are not willing to
access the most poignant behavioral aspect of the organization...the purpose for
existence. How can any behaviors be united into workable objectives without a
unified purpose for existence as stated in the mission statement? Without that
basic behavioral foundation, all of the governance, risk and control gyrations could end up being
exercises in futility.
I attribute the following to my high school principal, Brother Mark, SC. When a few of us were boldly professing superior knowledge in our studies which he knew was false boasting, he pointed out to us that, "When one goes about purporting to have advanced knowledge and mastery of a discipline that he or she has not garnered the basics of, he/she is simply a fool seeking a time and place to fail."
My challenge to audit executives and managers is to walk about in your audit organization and query your staff about their knowledge of the organizational mission statement and its application to the internal control framework. Chances are, your staff may unknowingly be fools looking for a time and a place to fail. Ignorance is easy to correct. Focus on the most basic behavioral control...the accomplishment of objectives in support of the organizational purpose for existence as stated in the mission statement. Do so and you will add immeasurable value to the organization.
Published September, 2011
