I learned a hard lesson in 1996. I was managing a provincial office for an international NGO, serving internally displaced people in southern Africa. I paid a surprise visit to a food distribution site, and saw beneficiaries were not getting their full rations. I checked the warehouse and discovered our food distribution manager had been selling food aid on the side. I informed the country director, and the distribution manager was fired. When I explained to my deputy what had happened, he shook his head and said, “The boss is always the last to know.”
As I worked in microfinance as a consultant, manager and board member, I worried about how CEOs, boards and shareholders learned what was really going on in their institutions, instead of just hoping managers got away from their desks, actually found fraud, and reported it.
I began supporting independent internal auditors, meaning they report to boards of directors. Internal auditors are permanent employees and review all aspects of a microfinance company; they are different from external auditors who review financial statements. After several years of experience I am confident of three main reasons to have strong internal audit units.
First, they give boards and the network an independent assessment of what is really happening in the institutions. They show whether staff understand new policies or loan products. Some auditors found loan procedures were so complicated that they could be simplified. For example, does the photocopy of a client’s ID really need a stamp from the municipality on it? Their reports also help identify strong departments or branches. As a general rule, branches with poorly performing portfolios have more internal audit findings, pointing to management issues that need to be fixed.
Second, they advise management on compliance issues before they are found by a regulator. As MFIs come under greater scrutiny, either with new regulators or more active supervisors, catching issues and solving them internally is much better than explaining them to a central bank.
Third, they incentivize staff to be more conscientious because someone is checking up on them. Once an independent internal auditor is put in place, the number and severity of findings go down after two or three years.
Internal auditors rarely catch frauds, which is certainly a shortcoming. But they can identify how frauds happened and how to strengthen controls to prevent them. The largest fraud case I have seen was not caught by the internal auditor, but he gave the board an independent assessment of how it happened and how to prevent it.
What works: an auditor who listens (the word ‘auditor’ comes from the Latin ‘to listen’) and earns professional respect from all departments. If an internal auditor can recommend changes to procedures to serve clients better, then branch staff will not see her as a police officer, but as someone who can make the company better. I once had a department manager thank the auditor for a report because it told her how she could improve her department.
Beyond the internal auditor, boards’ audit committees must be engaged, and probe beyond the writing in the reports. They need to carefully think about when to emphasize an issue to management, and when to communicate concerns to the full board. Committee members should also meet auditors, in person, to ensure they have a full picture of the auditor’s work, and to build a stronger relationship with her. The auditor also should have someone she can call, preferably a committee member, if she has a question or a sensitive situation. The audit committees I serve on have a mix of board members, professional staff in a network, and a near-outsider, such as a CFO of a sister institution.
The main challenge I have found has been ensuring that the internal auditor, management and staff build solid working relationships. The board needs to define roles of management and auditor, and enforce them. If the first auditor is independent, objective, and has a committee supporting her, management should quickly respect her work. There have been some conflicts in the first year, but these have been resolved over time.
Regulations often require MFIs to have independent internal auditors, but if they are only checking the box, the institutions, its shareholders and board have missed an opportunity to use them to build a stronger company. If internal auditors are solely focused on compliance, then boards and networks won’t benefit from learning more about what really happens in an MFI.
Have you read?