ERM & Internal Controls
Auditing the Human Resources Function
By José Tabuena
Compliance Week Columnist

Workforce issues such as recruitment, retention, diversity, and business conduct are often the expression of a company’s commitment to good values. A company with poor values is probably going to have confused and disgruntled employees. So it should be no surprise that human resource (HR) issues have been at the forefront of major business frauds or reputational breakdowns for years.

Internal auditors already evaluate parts of the HR function when they evaluate the “control environment” under the COSO framework, including tone at the top, the organization’s ethical climate, and management’s philosophy and operating style. All of those collectively comprise the corporate culture. Reviewing them is critical and challenging, yes, but auditors must also examine other emerging risk areas in the HR function if they want to achieve the best culture possible.

There are distinct risks involving HR departments such as non-compliance with employment regulations, inadequate compensation and benefit plan design, inappropriate staffing levels, and lack of

of pay-for-performance principles while seeking to avoid policies that encourage excessive risky behaviors) by providing independent and objective assurance that compensation at the organization works rationally and effectively.

Internal control experts like Tim Leech have commented we need to pay more attention to how rewards can affect the behavior of senior executives and staff. A misaligned reward system can hurt corporate culture and can even create the opportunity for management and the board to collude.

Consider examples from recent events. Were the incentives of executives in the auto and mining industries properly aligned to ensure that safety objectives would get proper consideration? Or was the reward system heavily skewed toward meeting financial targets? If incentives aren’t balanced, it becomes more likely that an environment of safety falters, leading to injuries and fatalities.

Internal auditors don’t seem to focus adequate attention on the reward system dimension. COSO touches on some of the elements of the reward system within the control environment; Tim Leech suggests that auditors look to the Criteria of Control (CoCo) model from the Canadian Institute of Chartered Accountants, issued in 1995, for more specific guidance on commitment controls. OCEG’s Red Book 2.0 (GRC Capability Model) is an-

the internal audit and compliance functions. When rewards are misaligned with core objectives, including complying with laws and staying within the company’s internal risk appetite, substantial risks can emerge that need to be recognized and agreed to by the board.

For example, the auditor can evaluate whether an existing compensation model (say, fully commission-based compensation) for sales staff pressures employees to engage in unethical business practices so they can meet individual or company financial targets. Recommendations can be developed for alleviating these pressures, or at least bringing some of them into balance, while recognizing that such pressures will remain inherent to the business.

Don’t Forget the U.S. Federal Sentencing Guidelines

Auditors also still neglect the Federal Sentencing Guidelines, although their principles on discipline and reward agree with the concept of commitment controls. The success of a corporate compliance and ethics program depends to a large degree on understanding why employees behave as they do. This is where the concept of rewards (the carrot) and punishments (the stick) enters.

Disciplinary action is generally well understood, and internal auditors can evaluate whe