Control Weakness Reviews Case Study
A major financial institutions investigation department primary remit related to investigating cases of staff malpractice. The unit was operated and run by a highly experienced team of investigators. On conclusion of the investigation, it was the norm to move to the next piece of work which ultimately highlighted that a root cause analysis was not being undertaken to understand the control failures that had led to the internal malpractice occurring.
In a number of cases, repeat offences of the same issues occurred. The bank's challenge was to put in a process within the investigation process that incorporated a control weakness review post an investigation, which at the same time provided expert and professional opinion in recommending control improvements.
What we did
The skill set of the investigation team in situ featured previous work experience within the audit and compliance functions, so therefore a review of controls and making recommendations to business areas was not alien to a number of the team. The challenge, of course, was installing a process and procedure that was fit for current and new staff members. In this regard, the first piece of work that was undertaken was to look at a historical investigation case and undertake a mind map session as to what the control issues the team could see. This was then repeated on a number of differing cases. An invitation was then given to the audit department to attend the meeting to comment on whether 1) these issues had been raised before 2) provide advice as what that audit methodology would be to document the issues highlighted and what recommendations and actions should be considered as well as rating and scoring the issues. The output of the workshop provided not only an initial process to understand what a control weakness looks like, but also created a relationship with the audit department who agreed on an advisory basis they would assist with confirming audit issues that could be delivered back to the business following all investigations. This included attending any meetings with the business from a transparency and technical perspective.
Initial thoughts of an additional task by the investigation team were adopted with trepidation, but following facilitation and step by step approach in the early stages the process was adopted with ease and skills were improved as a result. Value was also seen by the business in as far as repeat investigations /issues were going to be at best, reduced. Whilst audit methodology was adopted in the approach, ratings and actions to be taken, the investigation team report was a template of their own creation to differentiate an audit was not being undertaken which then provided extra importance that control failures led to an investigation being undertaken.