Mark B. Mitchell, MBA, CIA, CGFM Director of Internal Audit NYSERDA

1

AGA Audio Conference
Understanding the Importance of Soft Controls in
Improving Operations

• Mark B. Mitchell, MBA, CIA, CGFMDirector of
  Internal AuditNYSERDA
• November 12, 2008

2
Contents

• Understanding The Importance of Soft Controls
• What Are Soft Controls?
• Why Do Soft Controls Matter?
• Evaluating Soft Controls Key Elements of
  Improving Operations
• What Makes Soft Controls So Difficult?
• Soft Controls A New View
• GAOs Model of Strategic Human Capital Management

3

• What are Soft Controls?

4
What Are Soft Controls?
COSO Model The Organizational Culture

• Integrity Ethical Values
• Commitment to Competence
• Board or A/C Oversight
• Managements Philosophy Operating Style

• Organizational Structure
• Assignment of Authority and Responsibility
• HR Policies and Practices

5
Understanding Soft Controls
Where Are Soft Controls Written About?

• Internal Control Integrated Framework, by COSO
• Enterprise Risk Management Integrated
  Framework, by COSO
• Internal Control over Financial Reporting
  Guidance for Smaller Public Companies, by COSO
• Foundation Guidelines Red Book, by OCEG

6

• Why Do Soft Controls Matter?

7
Selling Soft Controls

• Why Do Soft Controls Matter?1
• They can help manager understand why people
  behave as they do
• They can increase managers effectiveness in
  predicting future behavior and
• They enable managers to understand how they can
  direct, change and control behavior.

1 Paul Hersey and Kenneth H. Blanchard,
Management of Organizational Behavior Utilizing
Human Resources, Third Edition (Englewood Cliffs
Prentice-Hall, Inc., 1977) p. xiv
8
Selling Soft Controls

• How can I Sell Soft Controls to Management?
• Management Working with and through individuals
  and groups to accomplish organizational goals.2

Potential Influence of Motivation on Performance
Employee Potential
80 to 90 percent
Percentage of Ability
Area Affected by Motivation
20 to 30 percent
2 Ibid. p. 5
9

• Evaluating Soft Controls Key Elements of
  Antifraud Controls

10
Evaluating Soft Controls

• Evaluation Techniques
• Whistleblower Hotlines
• Staff Focus Groups
• Employee Surveys
• Customer Surveys
• Internal Control Evaluations
• Audits (Internal, External)
• Studies

11
Evaluating Soft Controls
COSO Model The Organizational Culture

• Integrity Ethical Values
• Commitment to Competence
• Board or A/C Oversight
• Managements Philosophy Operating Style

• Organizational Structure
• Assignment of Authority and Responsibility
• HR Policies and Practices

12
Evaluating Integrity Ethical Values

• Has a Code of Conduct/Ethics been adopted that
  promotes
• Honest/ethical conduct, including internal and
  external dealings, and the handling of conflicts
  of interest?
• Accurate accounting records and reporting?
• Compliance with applicable laws, rules, and
  regulations?
• Prompt reporting of violations of the code?

13
Evaluating Integrity Ethical Values

• Is the Code of Conduct Operating Effectively?
• Communicated effectively (know to staffs)?
• Annual certification by everyone covered?
• New hire and periodic reinforcement training?
• Management involvement and oversight?

14
Evaluating Commitment to Competence

• Are employees properly trained to carry out their
  work?
• Evaluation Techniques
• Employee Surveys
• Internal Control Evaluations
• Audits
• Staff Focus Groups

15
Evaluating Commitment to Competence

• Is employee morale good?
• Employee Surveys
• Staff Focus Groups
• Studies (e.g., sick leave patterns, turnover)
• Audits
• Investigations

16
Evaluating Management Oversight3

• Are there established procedures for an Ethics
  Hotline/Whistleblower Program?
• Evaluation Techniques
• Is there a procedure for receiving and retaining
  information?
• Do procedures provide whistleblower protection
  and provide for anonymous tips?
• Are any calls coming in?

3 Adapted from COSO, the Sarbanes-Oxley Act of
2002 and PricewaterhouseCoopers white papers.
17
Evaluating Management Oversight

• Is Top Management providing oversight?
• Evaluation Techniques
• Are they periodically evaluating internal
  controls and antifraud programs?
• Assessing whether control activities over fraud
  risks are adequate and effective?
• Are fraud audits and are investigations conducted
  fairly and objectively?

18
Evaluating Managements Philosophy and Operating
Style

• Does management evaluate and test the design and
  operating effectiveness of antifraud controls on
  an annual basis?
• The potential for fraud should be considered as
  part of the agency-wide risk assessment.
• Antifraud programs and controls should be in
  place that are appropriate to the likelihood and
  impact of potential fraud

19
Evaluating Management Philosophy and Operating
Style

• What is the way in which management responds to
  any significant deficiencies and material
  weaknesses that are identified by the agency,
  internal audit or OIGs?
• Are matters thoroughly investigated? Disclosed?
• Are internal controls assessed and improved?
• Is there communication and training to reinforce
  values, policies, etc.
• Are violators treated in a consistent and
  appropriate manner?

20
Evaluating Assignment of Authority and
Responsibility

• Are unit and individual performance linked to
  organizational goals?
• Evaluation Techniques
• At the most senior level are executive
  performance agreements used?
• Are executives held accountable for results?
• Are expectations set so that staff understand how
  their daily activities contribute to
  results-oriented programmatic goals?

21
Evaluating HR Policies and Practices

1. Are targeted investments in professional
   development being made?
2. Is a results-orientated culture encouraged?
3. For sensitive positions, are background checks
   being performed?

22

• What Makes Soft Controls So Difficult?

23
Understanding Soft Controls

• What Makes Soft Controls So Difficult? 4
• With hard controls both theory and practice are
  provided (technical skills)
• Early contributions to behavioral sciences seemed
  to provide knowledge without effecting changes in
  behavior. (Elton Mayo)
• The challenge is to identify social skills that
  are usable in ordinary human situations.

4 Paul Hersey and Kenneth H. Blanchard,
Management of Organizational Behavior Utilizing
Human Resources, Third Edition (Englewood Cliffs
Prentice-Hall, Inc., 1977) p. 1
24
Understanding Soft Controls

• What Makes Soft Controls So Difficult? 5
• The Nature of Change

Time and Difficulty involved in Making Various
Changes
Group Behavior
High
Individual Behavior
Difficulty Involved
Attitudes
Knowledge
Low
Short
Long
Time Involved
5 Ibid. p. 3
25
Understanding Soft Controls

• A Behavioral Approach to Management 6
• Our greatest failure as human beings
• has been the inability to
• secure cooperation and understand with others.

6Ibid. p.1
26

• Soft Controls A New View

27
Understanding Soft Controls

• How can I better understand employee motivation?

Are the things that make people satisfied and
motivated on the job either the same as or
different from the kind of things that make them
dissatisfied? Answer Theyre different
28
Understanding Soft Controls

• How can I better understand employee motivation?

The . . . factors involved in producing job
satisfaction (and motivation) are separate and
distinct from the factors that lead to job
dissatisfaction. 7
7 Frederick Herzberg, One More Time How Do You
Motivate Employees?, Harvard Business Review 81,
no. 1 (January 2003), p. 91
29
Understanding Soft Controls

• How can I better understand employee motivation? 8

• Job Satisfaction
• (Motivation)
• Achievement
• Recognition
• Work itself
• Responsibility
• Advancement
• Growth

• Job Dissatisfaction
• (Environment)
• Company Policy and Admin.
• Supervision
• Interpersonal Relationships
• Working Conditions
• Salary
• Status, and Security

8 Ibid. pp. 87 96.
30

• Contact Information
• Mark B. Mitchell
• Director of Internal Audit
• NYSERDA
• (518) 862-1090
• mbm_at_nyserda.org