by Pamela Meyer
Rayman and the secretary agreed on a severance-canceling deal in which she left the firm with the understanding that she would pay back the money she’d stolen. She later reneged on the deal.
Various studies have shown that with as little as one hour of liespotting training, people can improve their lie-detection skills by 25 to 50 percent, conceivably raising their overall accuracy rate to nearly 75 percent.2 Paul Ekman claims accuracy rates of 95 percent are possible with training in his Facial Action Coding System,3 which we discussed in Chapter 3. It is an unusually valuable tool that can bring about such immediate results.
Many lies, however, are symptoms of deep, even systemic, problems. This can be said for deception in most aspects of life. Often, divorces are not a direct result of a marital affair come to light; the affair can be triggered by fundamental problems already affecting the marriage. Thieves rarely steal for the thrill of it. Theft is more often a misguided way to cope with any number of perceived threats to one’s personal, professional, or financial survival. It is easy to see how deception can take root in a pressure-cooker business environment, where ambition, innovation, and a desire for financial gain—the very elements that can make work so exciting and rewarding—can become inflamed, causing people to forget an organization’s raison d’être.
When faced with an act of deception, like Rayman, you could use your entire arsenal of liespotting knowledge to find a culprit, but the very next day you may confront similar or worse dilemmas. You speared a shark, but there could be more out there since sharks thrive where the conditions are just right. Ideally, then, you should make it your mission to create a work environment so inhospitable to sharks that they are unable to survive; in fact, they won’t even approach. You cannot police an entire organization, and you can’t be everywhere at once. You can, however, conduct an audit to look more systematically for clues that there might be a trust deficit in your organization.
DEFINING THE DECEPTION AUDIT
A deception audit is an in-depth investigation performed by an objective external set of experts who analyze your organization’s susceptibility to fraud and deception at three levels—policy, infrastructure, and human. It can also be used on a smaller scale to detect vulnerabilities within a department, a project, even a board. Through a comprehensive series of interviews, questionnaires, relationship maps, and systems analyses, deception auditors can give you a clear view of your organization’s vulnerabilities, and make concrete recommendations to ensure that deception is thwarted at every turn. Once the retrospective analysis is complete and improved procedures are implemented, the seeds of a trust-based infrastructure will be in place. You’ll be prepared to begin the process of building an organization staffed by individuals who share your commitment to honesty and integrity. Your infrastructure will encourage mutual respect, trust, teamwork, and problem solving. You’ll have a keen sense of how information is protected and flows. You’ll be confident that the messages you disseminate regarding company priorities and goals are clear and consistent. Teams will be empowered to confront dishonesty when they see it. Your employees will instinctively avoid doing business with others whose cultures and values don’t mesh with yours.
Some might say the ambitions of a deception audit are impossible to achieve, that business by its very competitive, goal-oriented, financially motivated nature lends itself to dishonesty. Certain fields, it might be pointed out, have earned reputations for breeding sneaky, unethical, deceptive behavior, and there is a reason why so many public companies have been caught fudging numbers to keep investors happy. But it need not be so. It’s a fallacy that the only way to maneuver or get ahead in shark-infested waters is by becoming a shark oneself. The many successful, profitable organizations with impeccable track records, led by fiercely competitive, goal-oriented individuals, prove there can be a better way to do business.
A DECEPTION AUDIT IS GOOD BUSINESS
In fact, evidence shows that companies that actively foster the ideals aimed for by an audit often perform higher than those that don’t. According to a white paper published by authors of the Fortune 100 Best Companies to Work for in America list, “great workplaces, with high levels of trust, cooperation and commitment, outperform their peers and experience as a group [with]:
Stronger long-term financial performance
Lower turnover relative to their industry peers
More job applications than their peers
An integrated workforce in which diverse groups of people create and contribute to a common workplace culture of benefit to all.”4
More evidence that a culture of trust leads to profitability can be seen in data gathered by the Russell Investment Group. In the longest study of its kind, RIG found that a hypothetical portfolio of publicly traded companies, all of which scored high on the Great Place to Work Trust Index, an employee survey tool, regularly beat the market from 1984 to 2005.5
Consider, too, that in a 2008 “Report to the Nation” by the Association of Certified Fraud Examiners (ACFE) that compiled data from almost a thousand cases of occupational fraud—defined as enriching oneself through “deliberate misuse or misapplication of [one’s] employing organization’s resources or assets”—survey participants estimated that fraud costs U.S. organizations 7 percent of their annual revenues; that’s approximately $994 billion.6
*
DECEIT? PRICEY…. TRUST? CHEAP!
Transactions lubricated with trust develop faster and more efficiently and are less expensive to conduct and to close. Consider these costs:
Research and product development
Partner surveys
Negotiation
Due diligence
Legal and closing costs
Financing costs
Litigation when things go awry
Planning for all contingencies in a contract
Implementation and monitoring costs
Trust reduces transaction costs.7 It can save resources when embedded in an organization’s culture. It can serve as a governing and organizing principle once deceit is rooted out.
*
WHO NEEDS A DECEPTION AUDIT?
A broad array of organizations can benefit from deception audits, but they prove particularly useful in three common circumstances:
Scenario 1: Crisis Management
Chief executives and managers in crisis are often sidetracked by an employee’s legal or ethical breaches. The discovery that a colleague has been embezzling funds, or that a CFO doesn’t have a graduate degree from the university he claims as his alma mater, or that a key manufacturing plant has been using substandard materials, can undermine everything a company stands for. The ACFE’s “Report to the Nation” cites the following statistics regarding its study of occupational fraud:
The typical fraud lasted two years.
Lack of effective internal controls was generally cited as a primary contributing factor.
The perpetrators were almost always first-time offenders.
Occupational fraud is much more likely to be exposed by a tip-off than by regulatory controls or any other means.8
Background checks are clearly not enough to prevent deceivers from infiltrating a company. Your best defense, therefore, is to stop a crisis before it happens.
One step you can take is to surround yourself with people who value truth as much as you do, and who are unafraid to speak out against deceptive and unethical behavior. When one is already combating the problems that arise from a dishonest culture—low morale, bad publicity, lost contracts, high turnover, disappointing productivity—an audit undertaken once a crisis has subsided can be a first step toward stemming the tide of trouble.
Scenario 2: Confronting Organizational Change
Even the most enthusiastically welcomed change can be hard to adjust to. And when it’s dramatic—a new president’s demand for a shift in strategy, or the outsourcing of a previously internal function such as sales or customer service—poorly managed change can result in
chaos. Messages get mixed, priorities shift, and new rules can make it hard to reconcile one set of mandates with another.
One of the biggest challenges facing a newly merged or acquired organization is the preservation of the strongest features and best practices of each of the prior entities, so that together they form a cohesive new unit. The acquiring entity typically performs extensive due diligence on its target, detailing personnel costs, mapping new organizational structures, reviewing contracts, projecting new costs and cuts. Little investigation, however, is ever done on the acquiring entity itself, leaving the newly merged entity only halfway “audited.” Though the acquisition target may have been analyzed by accountants and lawyers and specialists, the subtle details of the acquirer’s infrastructure may be somewhat hidden to a large portion of the newly merged entity.
How can you be sure that the inevitable organizational shuffling that occurs during a merger hasn’t bred resentment or fear? In this kind of emotionally charged, insecure environment, the possibility for deception increases, and trust is often at a low point, despite the usual calls by leaders from both merging entities for collaboration and cooperation. An organizational merger or acquisition, which usually brings about a sea change, should be an automatic trigger for an audit once the merged entity is stable.
Scenario 3: Testing the Health of Your Company or Team
The best time to run an audit is before you find yourself facing criticism and before implementing any major changes. In other words, for many leaders, the best time to run an audit is now. Every new headline that trumpets yet another scandal, sparking grief and anxiety and costing investors and consumers millions of dollars, should compel leaders to look around and wonder, “Could that happen here?” Even if you see no evidence of dishonesty, every conscientious leader occasionally needs to give his organization a check-up to make sure it remains strong, flexible, and disease-free. Proactive audits such as these eventually become “trust audits.” If an organization has already implemented systems that prevent deceptive practices, and it has fraud-proofed and bulletproofed its security systems, it eventually reverts to a trust-based culture. At that point, you’re no longer hunting for deception: you’re confirming the presence of trust.
THE THREE PHASES OF AN AUDIT
Whether the audit is done on a corporate, departmental, or project scale, the process is uniform. It is conducted in three phases—data collection, corporate incentive structure mapping, and committing to change—at the policy, infrastructure, and human level of the organization. The amount of time it takes will vary depending on the organization’s size.
Phase 1: Data Collection
The first phase is a process of information gathering involving questionnaires, relationship maps, and extensive interviews with key managers.
Policy Level. When examining the policy level, auditors might ask executives and managers to think about the following:
Does the company’s mission statement include a commitment to integrity or social responsibility?
Is the expense policy clearly articulated, for example setting a limit on how much can be spent on client entertainment?
Does the code of ethics specifically prohibit behavior that can ultimately lead to deceptive acts, such as accepting gifts or favors from vendors?
How explicit is the confidentiality policy? Does it merely establish company ownership over information and documents, or does it also suggest ways in which employees can protect materials, such as refusing to accept faxes in public areas or hotel business centers—hotbeds for information theft?
Is there a document control policy?
Has a social networking policy been established? Sites such as Facebook and Twitter are treasure troves of private company information for anyone determined to find it. For example, a business could be severely compromised if the head of corporate development cheerfully posts a status update reading, “Just landed in Cleveland!” when everyone in the industry knows that a competitor in Cleveland is up for sale.
Are there any policies in place that contradict each other?
Infrastructure Level. An auditor might pursue the following line of questions when collecting data about a company’s infrastructure:
How strict is inventory control? Is there a system in place to prevent employees from reselling products at retail price after purchasing them at a company discount?
Are expenses closely and regularly examined? Small falsifications on expense reports can be warning signs of bigger problems.
How is organizational information classified? Are there strict requirements that employees must meet before being allowed access to information? Do those requirements become increasingly rigorous as information becomes more sensitive?
Who decides which employees are allowed access to specific data?
Who is held responsible when there is an information breach?
Have key suppliers and vendors been vetted, and do their confidentiality policies and data protection policies line up with yours?
Is there a standard set of confidentiality and data-protection requirements written into contracts signed with outside vendors?
How often is the corporate IT infrastructure subject to intrusion testing? Is it backed up, patched, and updated frequently enough?
How is third-party software monitored?
How are individual computers monitored?
How is inbound and outbound e-mail monitored?
Where is source code kept and how is it protected?
What is the disaster recovery plan?
How are programs, products, and ideas that are incubating in development but not yet on the market protected?
What gets shredded?
How are financial records, including documents such as sales records and purchase orders, kept, and can they be easily retrieved and sorted?
Human Level. When analyzing organizations at the human level, the third and final stage of the data collection process, an auditor will continue to probe for vulnerabilities in the way people control, contain, and disseminate the information to which they are privy. One of the first things an auditor will ask about is the level of secrecy necessary within an organization. Leaders have to be able to articulate what information must be guarded, and by whom, and what information can be shared. Some industries are necessarily more secretive than others, but secrecy need not be a precursor to deception and unethical behavior. As cultural anthropologist and director of Intel’s User Experience Group Genevieve Bell explained in a lecture at the 2008 Lift conference, the notion that all information should be available to everyone has been enthusiastically embraced, but the cultural ideal this represents clashes with practical reality. In business, keeping secrets is a necessary aspect of keeping information and employees safe.9 For when information lands in the wrong hands, or is incorrectly interpreted due to limited knowledge, it’s not just proprietary material or the bottom line that can be at stake—it’s the future of everyone connected to that organization. In many cases, therefore, secrecy is a matter of survival. As Bell says, secrecy differs from deception in that it does not spread untruths. Rather, it protects knowledge, generates trust, and preserves relationships.10
Therefore, it is not secrecy that breeds deceptive culture and erodes trust—it’s weak or inconsistent messages about who is allowed access to secrets and how they can be used. The mistakes caused by inadequate information control can cause perfectly innocent but perfectly disastrous mistakes. For example, a sales director may have only the best intentions when requesting a list of all the company vendors from the group’s project managers, so he can suggest to the vendors that they consider purchasing the company’s new software that’s about to hit the market. What neither the sales director nor the project managers realize is that a vendor list is valuable loot to anyone interested in stealing company secrets—it tells them where to dig for information and suggests targets for bribes. Still, the data is safe in the loyal sales director’s hands…until he accide
ntly leaves his flash drive at the coffee shop, and the list suddenly pops up on the Internet.
An audit will enable leaders to clarify where and why secrecy within their organization is imperative; in addition, it will identify any areas where transparency can be encouraged. Clearly delineating these boundaries will ultimately give everyone within an organization significant freedom to make decisions with confidence.
Other questions regarding information flow, security, and performance that leaders might be asked to consider from an organization’s human level are:
What kind of personal authentication is required to enter the building and what is the procedure for handling visitors without proper ID? For example, are employees required to meet food delivery services in the lobby? (The late-night “pizza boy trick” is a favorite of corporate intelligence firms who have been known to send in spies after hours who can then access empty office floors.)
Are employees allowed to bring data home? Are there limits on what kind and how much? Are they allowed to use portable drives?
How thorough are the reference checks on new hires? Do reference checkers gather information on applicants from sources other than the ones provided with their résumé or listed on their Web site or blog?
How much power and influence does the Human Resources department have? Do personnel consider this department an ally and a partner, or is it merely the first stop in and the last stop out during an employee’s tenure at the company? Can HR act as a safe buffer between employees and supervisors so that employees can express their concerns, or even report unethical behavior, without retribution?