Unchallenged authority beyond Sarbanes (1).
by Otte, Paul; Seiler, Tom
Authority, power and responsibility generally increase as you climb
the career ladder in any organization. The Chief Executive Officer is on
the highest rung and typically holds the greatest authority within the
organization.
And while authority is needed at every level to carry out an
organization's mission, it can be abused. To reduce risks
associated with the misuse of authority, organizations create internal
controls over procedures and processes. In addition, those in higher
positions are expected to challenge the individual ideas, decisions and
actions of their subordinates.
Challenging the top dog
So, who is in a position to challenge the authority of the CEO? A
quick response would be the Board of Directors, or Trustees in a
nonprofit organization, since the final authority for corporate
governance rests with the Board. Whether or not Boards exercise their
authority depends on a wide range of factors, such as whether the
organization is publicly or privately owned. It also depends on the CEO
and Board relationship. And it depends on the willingness of the Board,
both individually and collectively, to challenge the CEO.
In recent years, public company Boards have been under great
scrutiny for their perceived lack of financial and strategic oversight.
Sarbanes-Oxley (SOX) has led to many changes in the Board/CEO
relationship and in how organizations govern themselves. SOX has also
added emphasis on internal controls as well as internal and external
auditors.
The long-term effectiveness of SOX, compared to its short-term
costs, is still unknown. And no matter how effective SOX is judged to
be, the CEO and senior management will still be held responsible for
many operational decisions. Who challenges the CEO in privately owned
companies? That can depend on whether the CEO is also an owner.
Increasing numbers of privately-held companies are creating Advisory
Boards to provide guidance to the CEO. However, as their name implies,
these Boards can only advise the CEO. Their ability to challenge depends
on the individual courage of their members.
What about nonprofit (community) organizations? Boards of Trustees
often have unique relationships with their CEOs, as Board members
frequently see their purpose as serving both the community and the
organization. Unlike advisory and public company Board members,
nonprofit Board members are generally not compensated for their service.
Quite the opposite. Frequently, Board members are major fund raisers for
the organization. In addition, nonprofit boards are often larger than
those in for-profit business organizations. As a result, individual
board members may be unable or unwilling to challenge the decisions of
the CEO.
Listening to those closest
The most important day-to-day source of challenge to the CEO must
come from those on the CEO's team who are direct reports. Some
would assert that the greatest failures resulting from unchallenged
authority have occurred when those who report directly to the CEO lacked
the courage to challenge their boss.
Effective leaders want to be challenged. Our experience and service
to many great leaders confirm this point of view. Learning to challenge
others and having the courage to do so is a critical component in
leadership.
It is important to have people around who can recognize a
"bad" idea when they hear it. While many people can improve an
idea, fewer stand up for their convictions and challenge an idea. It
should be noted that many CEOs can be strong-willed. For that reason, it
is crucial that they surround themselves with equally strong people.
Some might think that people with strong convictions prefer "yes
men" around them. Maybe some do, but we think most CEOs need, and
want, people with courage on their team.
Courage and leadership go hand-in-hand in challenging authority in
any organization. Would you follow someone who lacked the courage to
stand up for their own beliefs? In many ways, weak leadership should be
of great concern to an external or internal auditor and raise questions
about what those leaders might be unwilling to challenge. No person in
any position can know everything that is going on at all levels of the
organization. Management and auditors must rely on others to challenge
authority from above and below.
In every position, we need others to prevent unnecessary mistakes.
Personal integrity, character, courage and effective leadership can be
stronger deterrents than internal controls or legislation, such as SOX,
especially when considering the authority that rests in top management.
We strongly suggest that auditors add a review of this authority to
their internal control review procedures. It should be a critical part
of any auditor's assessment of risk.
This view is consistent with the recent PCAOB Release No. 2006-2007
that proposes a "top down... company-level... controls
approach" and the importance of "risk assessment at each of
the decision points in a top-down approach." As noted above, the
highest level of authority rests at the top of an organization.
If no one is willing to challenge the CEO, a high level of risk
exists. If others in the organization are unwilling to challenge
authority at any level, there is a greater potential for errors. Not
that people are basically bad, but good people sometimes have bad ideas
that should be challenged.
What does this mean for internal controls?
Does your internal control approach consider the authority vested
in top management and its impact on risk? Should it? We think so. Do
your internal control review procedures include determining (and
verifying) what individuals in an organization are willing to challenge
their boss? They should.
You may be thinking that this is why organizations have added
policies and procedures to protect "whistleblowers." While
whistle-blowers can identify problems and may even expose some
wrongdoings such as misuse of company funds, it's almost always
done after the fact. What we are proposing is different. We are
encouraging those responsible to question ideas and prevent errors.
Challenging an idea before it becomes a mistake is an element of
effective internal controls. Having people with the courage to stand up
and say, "The emperor isn't wearing any clothes," reduces
risk.
Heading off a problem by saying an idea may lack merit, or better
yet, turning it into a good idea, can often save an organization from a
disastrous result. An idea doesn't have to be a potentially big
mistake or have significant financial implications to be challenged. In
their book, Ideas Are Free, Robinson and Schroeder note the problem with
programs that encourage new ideas, such as "suggestion boxes,"
is that the larger the reward, the fewer the number of ideas generated.
Why? Because it makes people believe their ideas must be big and have
significant financial implications to be worthy of suggesting them.
The same can be said about challenging authority. Many of the
breakdowns in controls, as well as increased risks, can begin as very
small, immaterial operational transactions. With today's computer
systems, the smallest dollar item repeated many times over can easily
have material results. People who fail to challenge authority because of
the perceived immateriality of an individual transaction can ignore the
growing impact on the financial statements. We may all have heard
auditors' stories of how immaterial issues ("waived
adjustments") on the income statement can, over many years,
ultimately have a material impact on the balance sheet.
In a recent article in National Underwriter, operational risk was
defined as "the risk of loss resulting from inadequate or failed
internal processes, people and systems." The article,
"Operational Risks Cited By CROs As Next Frontier," supports
the view that operational risks are a critical component of overall risk
assessment.
Auditors, internal and external, have for years been reviewing
internal control systems to assure that operational transactions (no
matter the dollar amount involved) are recorded correctly. It's
time we do the same with the "people." Start by recognizing
the importance of authority and challenging that authority at all
levels. It begins with your next audit.
1. A revision, with permission, of the article "Unchallenged
Authority" from Franklin University Leadership Center, Leadership
Lessons
2. PCAOB Release No. 2006-007, Dec. 19, 2006, pages 5 and 7.
3. Operational Risks Cited By CROs As Next Frontier, National
Underwriter, January 15, 2007, page 25
Paul Otte and Tom Seiler, JD, CPA
Paul Otte is executive director of the Franklin University
Leadership Center.
Tom Seiler, CPA is accounting program chair at Franklin University.
COPYRIGHT 2007 Ohio Society of Certified Public
Accountants Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.
Copyright 2007, Gale Group. All rights
reserved. Gale Group is a Thomson Corporation Company.
NOTE: All illustrations and photos have been removed from this article.