Sharing Experience. Providing Perspective.

By Phil Bertram, Principal, Bertram & Associates LLC

I’ve been an operational auditor for over thirty years.  Asking questions in the proper sequence and combination often determined how effectively I performed an audit and generated value adding solutions. Therefore, as I prepare to offer a seminar entitled “Operational Auditing – Discovering Value and Improving Your Business”, I’ve been thinking about how to transmit this knowledge effectively.

A poem by Rudyard Kipling provides the basis through which to transmit that knowledge.  Mr. Kipling wrote the following:

I Keep Six Honest…”

“I keep six honest serving men, (They taught me all I knew):

Their names are What and Why and When and How and Where and Who.

 I send them over land and sea, I send them east and west;

 But after they have worked for me, I give them all a rest. …”

In the excerpt above, Mr. Kipling highlights key questions all internal auditors need to ask when performing any audit.  He also suggests that once one asks the questions, one must listen and think about the answers received before taking action.

As internal auditors, we use these questions daily.  However, many of us forget we can gain significantly more insight and perspective when we ask these questions in proper sequence and combination.

Gordon Smith, founder of CanAudit, taught me this almost twenty-five years ago.  In his early 1990’s seminar, “Auditing for Profit“, Mr. Smith shared that all auditors have the keys to understanding a business process fully.  After teaching us how to prepare a process flow chart properly, he challenged us to use these questions to learn the processes we review thoroughly.

He indicated that to obtain facts about a process, we ask the following questions in the order presented:

  1. What is done?  What is the purpose of doing it?
  2. Where is it done?  Where is the best place to do the detail?  Where else could it be done?
  3. When is it done?  When is the best time to do the detail?
  4. Who does it?  Who should do the detail?  Can less skilled people do the job?
  5. How do they do it?  Can we make the detail easier and safer to do for both personnel and equipment?

When we want to obtain ideas to improve the process, we then ask:

  1. Why is it done?
  2. Why is it done there?
  3. Why is it done then?
  4. Why does this person do it?
  5. Why is it done that way?

He then shared Kipling’s poem and showed us how using the questions in sequence and combination helps identify business process improvement opportunities.  Specifically, he highlighted the following combinations as the questions we can use to drive specific changes:

  1. Combine “What and Why” to identify non-value adding activities to eliminate. Expanding this combination further and asking “Why” five times, helps one identify a problem’s root cause and find a solution that eliminates that root cause.  It also helps eliminate the related “Make Ready” and “Put Away” steps.
  2. Combine “When, Where, and Who” to combine operations and eliminate time and cost.  Combining operations also eliminates the associated transportation and storage costs.
  3. Combine “Where, Who and When” to find the best place, time, and person for a job. This combination permits the auditor to suggest changes in place, sequence or person performing tasks.
  4. Use “How” after the prior three combinations to eliminate every other improvement possibility and develop a simple, straight forward solution that further simplifies a process.  When we ask this question, we begin to question how the entire process operates and determine the best approach, person, and equipment to do the job or may help eliminate the entire process.

Combining the six key questions as proscribed, an operational auditor can discover what process steps to eliminate, what steps to combine or change in terms of sequence, place, or person, and ultimately helps identify the root causes of problems and discover solutions for those problems.

If you are an operational auditor, I encourage you to practice using these questions in order and in combination when you perform your operational audits. You may be pleasantly surprised with what you find and the solutions you produce.  Then, you too can answer the article’s title question affirmatively.

If you wish to learn more about how your internal audit function can add value by designing and conducting more effective operational audits, I can help.  Visit the Bertram & Associates LLC web site: to learn more.  If you wish to discuss how I might help you, please contact me through this blog, at, or call me at 224.735.7472.  I look forward to serving you.

© Bertram & Associates LLC Published: January 23, 2015 on

“It Could Never Happen Here!”

May 15th, 2013 | Posted by IABlogAdmin in Fraud | Internal Control - (Comments Off)

By Phil Bertram, Principal, Bertram & Associates LLC

“It could never happen here!  Our remote unit heads are responsible for controlling their locations. They would find and stop any fraudulent activity.  Senior management trusts them.  We do not need additional monitoring processes, internal control training, or internal audits to prevent and deter fraud.  We do not need to teach the ‘red flags’ of fraud!”

How often have you heard a senior executive issue that disclaimer, only to follow it with:

 “However, if only we had paid attention to our processes and monitored his location, we would not have be victims of fraud and lost all that money.” 

Several years ago, one company had that experience.  The company sold a remote business unit to another company.  The acquiring company took several months to integrate the remote unit into its control system.

Then “IT” happened.  “IT” was the unexpected discovery of fraud imbedded in the acquired remote business unit.

After integrating the remote unit, an accounts payable clerk received calls from a vendor serving the newly-acquired remote unit.  The vendor repeatedly asked for payment for invoices for inventory shipped shortly before the acquisition.  Upon investigation, the clerk discovered the invoices lacked proper receipt and proof of delivery support.  The clerk became suspicious and communicated her concerns to management and internal audit.

A fraud investigation ensued.  The investigation identified a multi-million dollar fake invoice and over-pricing fraud between the remote unit general manager and the vendor’s owner.  The fraud occurred over the three and one-half years prior to the remote unit’s acquisition.

Why did this fraud occur?  Several reasons exist.  The former owners did not:

  1.  Identify their fraud risks and implement appropriate internal controls.
  2. Question their trust of their remote long-term employees.
  3. Perform internal audits of the remote location.
  4. Complete their due diligence when remote location concerns arose.
  5. Implement internal controls over the purchase to pay and inventory management processes at the remote location.
  6. Establish proper segregation of duties, limiting the location general manager’s authority to control the vendor master file or monitor his vendor relationships.
  7. Notice the ‘red flags’ of fraud exhibited by the remote unit’s general manager.

The Fraud Triangle’s three legs existed in this fraud.

  1. Opportunity existed in the former owners’ management structure, its implicit trust in a long-term employee, and the lack of effective internal controls.  It also existed due to the unmonitored relationship between the remote site general manager and the vendor.
  2. Justification resulted from two factors.  First, the general manager felt he did not receive fair remuneration and appreciation for his work.  Second, the vendor felt he did not receive a fair price for the services and products he provided.  He also wanted to recover funds from the remote unit’s parent company due to the excessive entertaining he provided to obtain the business.
  3. Motivation came from the general manager’s need to fund his extravagant lifestyle and the alimony payment required after his divorce.

What surprises me is not that the internal control weaknesses and Fraud Triangle’s symptoms existed, but that the former owners did not detect them, letting this activity continue for over three years.  They failed to identify their fraud risks.  They did not design, implement, and monitor the controls necessary to prevent or discover fraud.  They were not vigilant.  They did not consider reviewing remote site internal controls periodically as important.

Needless to say, the former owners learned a costly, multi-million dollar lesson.  They could have prevented or minimized the fraud had they identified their fraud risks, implemented mitigating controls, and monitored their remote location’s internal control system!  They truly thought that “It could never happen here!”


Consider the following questions: Does your company know and take its fraud risks seriously?  Has your management conducted a fraud risk assessment?  Has your company identified and implemented the internal controls necessary to prevent fraud and identify it when questionable activities occur?

If not, you can help your company identify its fraud risks and the controls necessary to prevent fraud or alert you to its potential occurrence with help from Bertram & Associates LLC.  Visit the Bertram & Associates LLC web site: to learn more.  If you wish to discuss how you might prevent your management from experiencing fraud, please contact me through this blog, at, or call me at 224.735.7472.  I look forward to serving you.

© 2013 Bertram & Associates LLC.

By Phil Bertram, Principal, Bertram & Associates LLC

Today’s business executives demand more value from their internal auditors after years of receiving only Sarbanes-Oxley compliance and internal controls reviews.  Besides asking for improved assurance services, they ask internal auditors to conduct more audits that address the effectiveness and efficiency of business operations and processes.  Many of today’s internal auditors, however, have yet to receive training in the essential skills and operational audit approaches necessary to deliver that value.

So, what essential skills and operational auditing tools and approaches must an internal auditor possess to perform an operational audit successfully?

First and foremost, an internal auditor requires proficiency in four soft skills.  Those skills include: Active Listening, Interviewing, Facilitation, and Change Management.

  • Active Listening – An auditor must know what techniques to employ to ensure he or she actively engages their counterparts when trying to learn about a process.
  • Interviewing Skills – An auditor must understand the questions to ask and how to ask them when conducting interviews to gain information and understand how a process operates.
  • Facilitation – An internal audit must know how to set up and lead meetings that get results.  This requires knowledge of facilitation techniques and skills.
  • Change Management – An internal auditor needs to understand how to catalyze change.  Change occurs by helping management set the Tone at the Top and helping everyone buy into the beliefs, behaviors and actions necessary to achieve improved results.

Secondly, an internal auditor needs to understand the internal controls necessary to operate a business process effectively.  In addition, they must understand that evaluating a business process requires the identification of the business process’s goals and objectives first, then the risks to achieving them, as well as the tactics used to mitigate the risks.  The auditor also needs to understand the policies, procedures, and controls management uses to achieve its objectives.  Also, an internal auditor needs to understand the tools management uses to operate its business processes.  These tools include inventory planning, production management, warehouse design, and cash flow management.

Thirdly, an internal auditor needs to master the selection and application of a variety of analytic tools and approaches to perform an operational audit effectively.  The tools available exist within the Six Sigma / LEAN / DMAIC methodologies, as well as approaches like Root Cause Analysis, Business Process Reengineering, Control Self-Assessment, and Economic Value Added.

An inquisitive internal auditor will deliver valued-added results for his or her company.  These results occur when the internal auditor uses essential soft skills effectively; understands internal controls and basic process design; and selects appropriate operational audit approaches and analytic tools for a specific operational audit.

Seminar Presentation

If you wish to learn more about “Operational Auditing – Essential Skill for Internal Auditors”, please attend the seminar I will present for the IIA NW Metro Chicago Chapter on January 31, 2013.  The seminar will teach the essential skills outlined above, as well as some of the tools and approaches necessary for internal auditors succeed when performing an operational audit.

RSM McGladrey will host the seminar at 20 North Martingale Rd., Lower Level Training Room, Schaumburg, IL 60173 on January 31, 2013 from 8:30 AM to 4:45 PM.  Registration begins at 8:00 AM.  Seminar attendees will earn 8 hours of CPE.  The seminar costs $150 for IIA members and includes a light breakfast, lunch, and snacks.  To register, click here: January 31st – Operational Auditing

If your organization would like me to present a similar seminar, please contact me through this blog, at, or call me at 224.735.7472.  If you wish to learn about Bertram & Associates LLC and the services I offer in other areas of Internal Audit Leadership, please visit the web site:  I look forward to serving you.

© Bertram & Associates LLC Published: January 15, 2013 on

Fraud Investigations – Tactics to Consider

November 20th, 2012 | Posted by IABlogAdmin in Fraud | Fraud Investigation | Leadership - (Comments Off)

By Phil Bertram, Principal, Bertram & Associates LLC

Last month’s article asked internal audit leaders to consider three maxims when their CFO presented potential fraud scenarios for them to investigate.  They were: Predication, Reverse Proof, and No Opinions Offered.  In discussing them, I shared that adhering to the maxims could help one conduct a fraud investigation effectively.

In this month’s article, I ask internal audit leaders to consider four key tactics to help them complete that fraud investigation successfully.

Key Tactics

Legal Supervision.  Ideally, internal fraud investigations should occur under the guidance and supervision of legal counsel.  By doing so, the internal audit leader helps maintain the corporation’s attorney-client privilege and permits internal investigators’ work to receive some consideration as attorney work product.  It also permits internal counsel to seek the assistance of outside legal counsel to aid the investigators as necessary.  Finally, it provides the internal audit leader with a coach, who can instruct investigation participants how to document and maintain evidence chain of custody, protect the rights of those under investigation, schedule the reporting of a fraud to insurance companies and law enforcement authorities properly, and provide a sounding board during the investigation.  An organization can set up this structure in advance by developing and implementing Whistleblower and Investigations policies.

Skill Sets Required.  Internal Audit functions may require additional personnel to conduct an effective fraud investigation.  As you plan an investigation, consider whether your staff possesses the requisite skills.  If they do not, reach out to Certified Fraud Examiners (CFEs), attorneys, forensic IT specialists and accountants, and private investigators as necessary.  They possess the experience, insights, and tools to help you.  When hiring them, ask your general counsel to authorize the engagement of their services to help protect attorney-client privilege.

Evidence Chain of Custody.  Chain of custody refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic in a fraud investigation.  Many internal auditors inexperienced in fraud investigation experience problems maintaining chain of custody.  As a result, should their company seek legal remedies via criminal prosecution or civil suit, they inadvertently corrupt the evidence and damage their case.

Please consider the following to maintain proper a chain of custody.

  1. Maintain an evidence log of key documents and other evidence.
  2. Secure the evidence promptly when obtained.  Know where your evidence is at all times.  Maintain control over where the evidence resides and who uses it and when.
  3. Avoid excessive handling as you could destroy its credibility.
  4. Always work with copies.  Never work with or markup original documents.
  5. For computer evidence, never move or turn on a suspects’ computer, tablet, or personal communication device. Moving it or turning it on destroys chain of custody and your case.  Secure the location of the computer or electronic device.  Then ask a Forensic IT Specialist to document the device’s location and condition first.  After doing so, ask them to mirror hard drives and related storage devices.  You can then use the copies to perform your investigative work.

Fraud Examination Approach.  When presented with a fraud investigation, many internal auditors seek to solve the problem by attacking it directly.  They gather evidence and approach the investigation target too early.  They forget to properly develop and interpret evidence, forget to interview enough people to gain a full understanding of the situation, and fail to effectively prove or disprove their fraud theories before confronting the investigation target.  As a result, they tip their hand to the investigation target too early, increase the risk evidence may be lost, fail to understand the potential impact of what they seek to prove or disprove, and risk not proving or disproving their fraud theory.

Experienced fraud examiners generally employ the following approach, adjusting it as necessary.  They gather and analyze evidence before conducting interviews.  They develop and execute an interview plan that progresses from least likely to be involved to most likely to be involved and from least culpable to most culpable.  As a result, their interviews start with neutral third parties, corroborative witnesses, potential co-conspirators, and finally the investigation’s target.


When your next opportunity to conduct an internal fraud investigation occurs, I hope considering these tactics contributes to your success.

As with any specialized effort, consulting experienced subject matters experts and information sources increase your chances for success.  Consulting a Certified Fraud Examiner (CFE) and referring to the Association of Certified Fraud Examiners, Inc.’s Fraud Examiners Manual helped me design and conduct effective fraud investigations.


If you wish to learn more about how your internal audit function can add value by designing and conducting more effective fraud investigations or you require assistance conducting an investigation, I can help.  Visit the Bertram & Associates LLC web site: to learn more.  If you wish to discuss how I might help you, please contact me through this blog, at, or call me at 224.735.7472.  I look forward to serving you.

© Bertram & Associates LLC Published: November 20, 2012 on


By Phil Bertram, Principal, Bertram & Associates LLC

Consider the following scenario.  Your CFO reports that one of your plants’ accounts payable departments have received repeated requests from a vendor to pay an old invoice.  Accounting and inventory management personnel cannot locate the inventory, nor can the vendor provide proof of delivery.  The CFO requests that you and your internal audit function investigate.  What do you do?

Most internal audit leaders view this scenario as a potential fraud.  They will honor the CFO’s request, but might they perform an internal audit, instead of a fraud investigation?  And if they plan to conduct a fraud investigation, would they consider the maxims necessary to plan and conduct one effectively?

This article highlights three maxims internal audit leaders need to consider when planning a fraud investigation.

 Three Key Maxims

Predication. To start a fraud investigation, one must establish that predication for the investigation exists.  Predication is the totality of circumstances that would lead a reasonable, professionally trained and prudent person to believe a fraud has occurred, is occurring, or will occur.  To determine predication, one evaluates the allegation and determines whether sufficient documentation and information exists to decide that one needs to conduct an investigation.  If proper predication does not exist, a fraud investigation should not occur.

Reverse Proof.  Fraud investigations seek to prove and disprove the fraud theories that fraud examiners postulate.  This occurs from two perspectives: to prove the fraud occurred, they seek to prove it did not occur, and vice versa.  The fraud examiners remember that, legally, proof of fraud must preclude any explanation other than guilt.  Therefore, when developing an investigation plan, fraud examiners develop a fraud theory or / hypothesis regarding the type of fraud and how it might have occurred.  They then define a high-level investigation approach to help them gather evidence and interviews that might prove/disprove the allegation.

No Opinions Offered.  Fraud examiners do not opine on whether or not fraud exists within a given environment.  They also do not offer opinions on the guilt or innocence of any person or party.  By stating opinions, fraud examiners can open themselves to legal risks unnecessarily.  Fraud examiners postulate fraud theories and gather evidence that leads others to conclude whether they proved or disproved their fraud theories.


When your next opportunity to conduct an internal fraud investigation occurs, I hope these maxims contribute to your success.

As with any specialized effort, consulting experienced subject matters experts and information sources increase your chances for success.  Consulting a Certified Fraud Examiner (CFE) and referring to the Association of Certified Fraud Examiners, Inc.’s Fraud Examiners Manual helped me design and conduct effective fraud investigations.

If you wish to learn more about how your internal audit function can add value by designing and conducting more effective fraud investigations or require assistance conducting an investigation, I can help.  Visit the Bertram & Associates LLC web site: to learn more.  If you wish to discuss how I might help you, please contact me through this blog, at, or call me at 224.735.7472.  I look forward to serving you.

©2012  Bertram & Associates LLC  All Rights Reserved.

Teaching Internal Audit Leaders to Fish

August 27th, 2012 | Posted by IABlogAdmin in Behavior | Internal Audit | Leadership - (Comments Off)

By Phil Bertram, Principal, Bertram & Associates LLC

For internal audit leaders, the challenge to remain relevant and deliver value grows more difficult daily.  Today, audit executives must not only understand internal control and compliance topics, but we must renew our focus on adding value practically.  That value comes from enhancing our business relationships, understanding our company’s business strategy and the associated enterprise risks, and developing a flexible assurance and consultative response.  To do so, we must connect business strategy with risk and the tactics, processes and controls necessary to achieve company goals and objectives.  This must occur while ensuring the business mitigates the risks and we contribute to improving processes that help achieve desired results.

As I reflected on how we can meet that challenge and add value more effectively, the following Chinese proverb came to mind: “Give a man a fish and you feed him for a day.  Teach a man to fish and you feed him for a lifetime.”  I hope the following thoughts help you fish and provide value more effectively:

  1. Build effective relationships.  Relationships built on trust and mutual respect get things done.  Get to know your Board, and Executive / Senior management.  Ask questions and listen, Listen, LISTEN!  By doing so, you can understand their strategies, goals and objectives, tactics, plans, and concerns.  You also might learn what interests them, how they operate, and how they view the help a partnership with you can provide.
  2. Develop a holistic, risk-based internal audit perspective.   By doing so, you can focus on the right high risk, high payback opportunities at the right time.  Use that perspective and develop a flexible internal audit plan that provides as balanced a mix of assurance, consulting and value-enhancing process oriented projects as possible.  When that occurs, you can include more corporate governance, ERM process, and operationally focused projects that address stakeholder needs timely.
  3. Develop business people first.   To be effective today, an internal auditor must think as a business person first, while maintaining healthy skepticism and objectivity.  Consider adding skills to your staff beyond traditional internal audit skill sets – industrial engineers, operations personnel, writers / communicators, etc.  For those originally coming to you as audit professionals, train them in ERM, facilitation, change management, LEAN Six Sigma, fraud mitigation, business process reengineering, project management, data analytics, etc.  Encourage them to listen and learn from those who actually operate the business processes.  Find opportunities to use these skills by doing audit projects in partnership with management.  Consider revising how you perform projects.
  4. Empower Your Staff.  Once you have equipped your staff, let them operate and complete projects in partnership with management.  Provide them the framework, standards, and guidance necessary to succeed.  Maintain control through the use of performance objectives and project check points and goals.  But let them do the jobs you trained them to do.  Do not micromanage!  Encourage and guide them to success.
  5. Catalyze Change.  Learn and practice effective change management skills.  Read the text books and find ways to employ the tactics to situations or projects that could improve the business.  Find both the logical and emotional triggers that work together to collaboratively develop and encourage implementation of practical solutions to business problems.  Do not perform projects in isolation, but perform them with an understanding of how the project connects with the process owners and their efforts to achieve company goals and objectives.
  6. Share knowledge with your auditees.  Transfer continuous monitoring routines to process owners and test their work at a later date.  Use Control Self-Assessment and train process owners how to monitor themselves more effectively.  Also, learn how to serve your stakeholders effectively by continually addressing their WIIFM (What’s In It For Me) questions when championing change and improvement.
  7. Walk the Talk!  People imitate what they see their leaders do.  Be Consistent.  Never forget that what you do and say impacts how others perceive you and the commitment you say you have to serving others and helping the business improve.  Learn how and when to say encouraging words and model the behavior you desire.  By doing so, you take the first step towards the results you and your stakeholders seek.

I hope this article provides food for thought.  Please take a step back and assess how you can serve your stakeholders more effectively by considering and acting on these suggestions.  Speaking from experience, I know they can help you add value and ensure your internal audit function remains relevant.

Happy Fishing!


If you wish to learn more about how your internal audit function can add value more effectively or train your internal audit staff in value-adding internal audit techniques, I can help.  Visit the Bertram & Associates LLC web site: to learn more.  If you wish to discuss how I might help you, please contact me through this blog, at, or call me at 224.735.7472.  I look forward to helping you.

© 2012  Bertram & Associates LLC  All rights reserved.

The Forgotten Internal Audit

July 2nd, 2012 | Posted by IABlogAdmin in Internal Audit | Operational Audit - (Comments Off)

By Phil Bertram, Principal, Bertram & Associates LLC

One might characterize it as the internal auditing profession’s unicorn.  For a time it occurred frequently, but seldom occurs today.  To experienced internal auditors, like me, we remember it fondly as something we did to collaboratively solve problems and improve business with our management partners.  It visibly added value to the businesses we served.

I refer to my favorite internal auditing tool: the “Forgotten Internal Audit”, otherwise known as the “Operational Audit”.

For over 35 years, corporate executives and audit committee members have challenged internal audit leaders to add value to the businesses they serve.  In the 1980’s and 1990’s, internal audit leaders embraced that challenge.  They made operational auditing a pillar of a balanced internal audit program.  Using approaches that integrated the best of business process re-engineering (BPR), Six Sigma, Control Self-Assessment (CSA), and auditing for profit, operational audits evaluated how efficiently and effectively management operated their business processes to achieve their stated goals and objectives.  Operational audits helped management eliminate non-value added activities and controls, shortened process cycle times, increased cash flow, eliminated wasteful spending, and even solved a fraud or two.  Conferences, like the IIA’s General Audit Management (GAM) Conference contained numerous presentations extolling the benefits obtained from operational audits.

Then, with the advent of the Sarbanes-Oxley Act of 2002 (SOX), internal audit functions put operational auditing on the shelf.  The functions focused on documenting and testing internal controls over financial reporting (ICOFR).  That effort helped their managements satisfy their external auditors, who had to opine on the adequacy of management’s assertion that their ICOFR as designed operated effectively.  They, however, had little or no time for operational auditing and collaborating with management to streamline processes or solve problems.

In the mid to late 2000’s, the cry arose again.  Internal Auditors must now balance their efforts and do more to add value.  That value now included assuring that management monitored and managed enterprise risks, operated internal controls effectively, and operated business efficiently.  Calls for more operational auditing, control self-assessment, business process improvement, or Six Sigma / LEAN projects echoed frequently throughout the halls of corporate America.  Few internal audit functions responded effectively.  Many others did not.

Today, the internal auditing profession remains unprepared to respond to that challenge.

According to a recent Institute of Internal Auditors, Inc. (IIA) operational auditing course introduction, “the concept of operational audit is somewhat misunderstood, the diversity of its scope curtailed, and a new generation of internal auditors are unsure of its application.”  One might go so far as to suggest that any internal auditor under the age of 32 may never have conducted or participated in an operational audit.  They may not know how to define, design, plan, execute, or report on an operational audit.  They can test ICOFR compliance to satisfy SOX and may understand how a process flows.  They, however, may not know how to connect the dots between strategy, goals and objectives, risks, actual performance, and the evaluation of the effectiveness and efficiency of that performance.

Operational Auditing education needs to occur now.

Bertram & Associates LLC, like the IIA and other internal audit leadership consulting firms, provides operational auditing training.  My firm also performs operational audits that help businesses improve internal controls, operational efficiency, cash flow, and profitability.  I serve as managements’ trusted partner, influencing change and aiding managements’ efforts to deliver operational excellence.

Let us raise awareness of operational auditing’s importance.  Let us promote its benefits and teach it to our internal audit practitioners and managements.  Let us reinvigorate the use of the “Forgotten Audit”, the “Operational Audit”, and increase the direct, visible value we add to the businesses we serve.

If you wish to learn more about operational auditing, need help educating your staff, or need help performing an operational audit, I can help you do so.  Visit the Bertram & Associates LLC web site: to learn more.  If you wish to discuss how I might help you, please contact me through this blog, at, or call me at 224.735.7472.

I look forward to helping you make the “Operational Audit” forgotten no more.

What Example Does Your Behavior Set?

May 28th, 2012 | Posted by IABlogAdmin in Behavior | Compliance | Ethics | Fraud - (Comments Off)

By Phil Bertram, Principal, Bertram & Associates LLC

During the last several weeks, newspaper and website headlines remain ablaze with stories of fraud, corruption, and misconduct.  A few examples:

  1. “Congress set to investigate ‘wasteful’ GSA spending” – Los Angeles Times – April 3, 2012
  2. “Investigation into Secret Service scandal in Colombia widens” – Los Angeles Times – April 16, 2012
  3. “$30 million theft case staggers small town” – Chicago Tribune – April 18, 2012
  4. “Ex-cop union leader admits $1 million theft” – Chicago Tribune – April 18, 2012
  5. “Vast Mexico Bribery Case Hushed Up by Wal-Mart After Top-Level Struggle” – NY Times – April 21, 2012

Congress, the Department of Homeland Security, the Secret Service, the Justice Department, the news media, etc., either have held hearings or launched investigations.  In typical fashion, some even called for additional laws to regulate such behavior.

Where have we seen this response before?  The following laws might attest to government’s reaction when similar events occurred in years past: the FCPA of 1977, the Sarbanes-Oxley Act of 2002, the Dodd-Frank Act of 2010, etc.

Additional laws do not and will not stop such behavior.  Such a legislative response does three things:

  1. Provides law enforcement with additional ways to level multiple charges for one crime.
  2. Decreases everyone’s level of trust in authority, while increasing business and government costs.
  3. Provides politicians with cover and an easy way to say: “Look at me; I’ve done my best to stop the recurrence of such problems”.

Unfortunately, their admonitions do nothing to instill core values or encourage behavioral change.

As Chris Bauer, Psychologist and Corporate Ethics Trainer states in The Speed of Trust, (Stephen M. R. Covey with Rebecca R. Merrill, Free Press, 2006):

“What we’re really talking about here isn’t a law enforcement or regulatory issue.  It’s a psychological issue—an absence of core values, confusion about what is the right thing to do.  I see a lot of companies saying they’re going to tighten their rules.  I don’t see a lot of them saying that they’re going to work to be extremely clear about what their values are, and give people training on how these values translate into actual behavior.”

Those speaking in the public square forget that we need to teach values, encourage proper behavior, and lead by example.  We do not need additional laws encouraging check the box compliance.

Isn’t it time we change the conversation and focus on teaching people core values, the difference between right and wrong, proper behavior, and encouraging them to “Do the Right Thing” once again?

We need to consider what Cynthia Cooper wrote in Extraordinary Circumstances – The Journey of a Corporate Whistleblower (Cynthia Cooper, John Wiley & Sons, Inc., 2008, pages 365-366) after the WorldCom Fraud – Each of us needs to:

“Make the Right Choices:

  1. Know what you believe is right and wrong.
  2. When making decisions, apply the Golden Rule.
  3. Guard against thinking you’re not capable of making bad decisions
  4. Ask yourself: Would I be comfortable with my decision landing on the front page of the Wall Street Journal?
  5. Practice ethical decision making every day.
  6. Discuss tough, ethical decisions with those you respect.
  7. Find your courage.
  8. Apply the same Code of Ethics everywhere.
  9. Pay attention to your instincts.
  10. Above being loyal to your superiors, be loyal to your principles.”

We cannot legislate behavior.  More laws will not change behavior.  We need to change core values and beliefs before we can change behaviors and actions.

Therefore, let us resolve to focus on teaching core values and morals again!  Let us set clear expectations and expect everyone, including ourselves, to “Walk the Talk!  Only then might we have an opportunity to minimize the recurrence of such acts of fraud, corruption, and misconduct.


If you wish to evaluate the quality of your corporate culture and your compliance program, we can help you do so.  Visit our web site: to learn more.  If you wish to discuss how we might help you, please contact us through this blog, at, or call us at 224.735.7472.

By Phil Bertram, Principal, Bertram & Associates LLC

Internal Auditors continually receive challenges to deliver more value.  During the past ten years, we delivered that value through our Sarbanes-Oxley Act and other internal control assurance efforts, often to the exclusion of adding value through operational improvements.  Few, if any, internal audit functions performed operational audits.  As a profession, we missed many chances to add value in tangible, practical ways.

Today, we can lead and add value effectively by improving cash flow within the Order to Cash Process.  We can do so by eliminating the root causes of delays in generating cash by following these six steps:

  1. Understand the process.  Document the Order to Cash Process, its controls, and information flows.  Then, identify where delays could occur.
  2. Analyze policies, contracts, and payment terms.  Read contracts, credit & collection policies, and desk manuals; and review cash collection procedures.  Note terms, steps, and requirements that impact cycle time.
  3. Determine the actual process cycle time, including the time to collect the receivables.  Analyze the business process flow and the related financial reports, statements, and KPI’s. Determine the time it takes to issue an invoice and collect and record cash.  Consider delays in invoicing, payment terms, collections methods, and any monitoring controls.  This step helps prove or disprove any theories developed as to where cycle time delays may exist.
  4. Identify the causes of potential delays.  Identify where the delays occur and target them for elimination through process, performance, or terms improvements.
  5. Confirm your findings with management.  Discuss your findings with management.  Confirm that you have understood the process correctly and adequately supported your findings.
  6. Suggest improvements.  Identify the root causes of time delays.  Develop suggestions for reducing cycle time.  Use the data obtained above to support the improvement suggestions you make.  Discuss these with management.  Adjust them to ensure they solve the problems identified practically.  Seek to eliminate the root causes permanently, so the improvements produce sustainable results.

Bertram & Associates LLC faced this challenge many times.  One time, we delivered a $5 million cash flow improvement on a $100 million book of business for management.

We can help your business discover hidden value within your Order to Cash and other processes!  Visit our web site: and our Case Study: “Economic Value Audits Enhance Cash Flow” to learn more.  If you wish to discuss how we might help you find that value, please contact us through this blog, at, or call us at 224.735.7472.