Bailey Naples (firstname.lastname@example.org) is Chief Compliance Officer for Berkshire Farm Center and Services for Youth in Canaan, New York, USA.
Employees acting on their own accord have multiple responsibilities owed to their employer. These responsibilities have a broad range, from showing up on time to not committing fraud. It’s the gray area of this range that deserves further discussion and analysis on what the employee’s responsibilities are compared to those of the organization.
When determining the appropriate accountability for the responsibility in question, a review and analysis must be completed. Depending on the situation, this could come from a comprehensive internal audit, an internal investigation, or a simple inquiry through a desk audit.
An internal audit is a review of a company’s accounts or adherence to regulatory guidelines. This may be required if the situation is suspected to have a wide impact, there is limited internal written guidance around the situation, or many individuals and/or departments are involved in the process. The outcome of the audit is presented in a report that evaluates the thoroughness and identified deficiencies and/or risks in the process.
An example of this could be the termination process. If the organization’s termination process is suspected to be failing at meeting regulatory standards, a comprehensive internal audit could assist in determining whether the process is failing, and if it is, if it falls within the responsibility of an individual employee, a department, a process, or of the organization’s culture.
An internal investigation is a process completed by the compliance department that involves gathering and reviewing extensive documentation, including organizational policies and protocols, and conducting comprehensive interviews. This may be required if the situation is suspected to be related to a specific individual or department. The investigation is documented in an investigatory report that provides a detailed review of the documents, a detailed outline of the interview, and a conclusion stating whether the allegation is substantiated or not and, if substantiated, where the responsibility falls.
An example of this could be repeated Health Insurance Portability and Accountability Act (HIPAA) breaches. If an individual or a specific department is suspected or confirmed of having multiple HIPAA breaches, an internal investigation could assist in determining where within the process the breaches are happening or whether an employee is performing their duties irresponsibly.
A desk audit is a mini version of an internal investigation or internal audit. This may be required if there aren’t any high-risk violations suspected, but there may be a need for clarification around a process. Specific questions and documentation are requested from the employee or department, with verification from the auditor. The outcomes are communicated in a summarized format with reference to the material reviewed and participants of the desk audit. Any recommendations noted are usually minor in nature; however, the outcome of a desk audit may be to complete an internal audit or an internal investigation if more information is necessary.
An example of a desk audit is a concern or a misunderstanding of time card record-keeping for exempt employees. Some exempt employees are instructed to record their time worked even though they are salaried, and some are recording their time scheduled to work. Others are rounding to the nearest 15-minute marker at their beginning and end times, and others are recording down to the minute.
No matter whether it is an internal audit, an internal investigation, or a desk audit, there will be considerations needed across all mediums to determine the responsible party.
Considerations would include:
Does the organization provide written guidance from start to finish for all departments?
If there is written guidance, is there evidence that the employee was trained on it?
Has the organization provided the necessary tools for the employee to effectively perform their job duties?
Has the employee received any supervision around this process?
Employees should be trained on and able to reference different written materials related to their job duties. Written guidance to be made available to employees includes their job description, organizational policy, organizational protocol, organizational standard operating procedures, and other tools as applicable. Without these written documents, employees are relying on word of mouth and interpretation of process communications.
An example of a situation that requires clear written guidance is, “Employees must submit their work-related expense receipts to finance.” This does not provide when, nor how, nor to whom, so an employee would not be wrong to submit year-old expense receipts to the payroll clerk in a shoe box.
Organizational training needs to be based on written material. Without the written material to support the training being offered, employees are unlikely to remember even the key concepts taught, and trainers are likely to teach the material differently every time.
Likewise, having the written material available to the employees is almost a moot point without the associated trainings. Employees need to be made aware of the material available to them to reference for job-related duties, or they will work based on what they observe as or assume is the right thing to do. This is setting up the employees and the organization for failure.
Training cannot encompass all scenarios, but it can put forth enough nuggets to allow for employees to employ critical thinking in obscure situations.
Employees require effective and appropriate tools to complete their jobs. You cannot expect a modern accountant to balance the organizational books with an abacus and a green ledger, nor can you tell a maintenance person to fix the broken bathroom pipe with a garden shovel and a hammer. Employees need the right, effective tools to be able to perform their duties efficiently and accurately.
Regular supervision of an employee can be seen as extended training. Supervisors should be using regular interactions as an opportunity to remind employees of the training they’ve attended and the written materials available to them, not just as a check-in for the status of assignments.
Supervision is also a tool to catch potential misunderstandings or growth opportunities early on. If an employee misunderstands how to submit their mileage for reimbursement and the error is caught by their supervisor soon after the process was discussed in a training, it shows the employee that the reimbursement process is important and that their supervisor is attentive and helping to prevent accidental mileage submission fraud.
Supervision should be documented to support all the training and guidance provided to employees by the organization via the supervisor, and these documented interactions should be placed within the employee’s human resources file. If an allegation arises, the investigator will review the employee’s file to identify if this has or has not been an ongoing concern. The documented interaction will support the allegation one way or another.
Putting it all together
If the organization has failed to provide the employee with proper training on written guidance and support through supervision, the organization would be responsible for the process failure; however, if the employee has been appropriately trained, given the support and tools needed to effectively complete the process, and still failed to do so, the employee would be at fault. If the organization has weak points, management needs to make decisions as to where they are willing to invest to correct these failures. Risk assessments and project planning will help management identify these weak points and prioritize their process for correction.
Document and communicate
Employers and employees have responsibilities to each other. The organization will function more efficiently with recognition and accountability properly assigned to these duties. Compliance professionals are the unbiased reviewers and assessors in identifying the responsible party. As you take the time to determine the proper process to review the potential risk, be sure to document your process, allowing for peer review and questioning. Have those open communications and be open to feedback on questions or areas possibly missed. The organization and the employees will have a better appreciation for the review process if they are able to understand the steps taken and all that was considered.
There’s a broad range of workplace responsibilities, so it’s important to have procedures in place that help mitigate misconduct, such as training and regular supervision.
When a concern arises, it takes time and effort to properly identify where the process failed.
Without written guidance, employees and the organization have little to reference for support.
It is the compliance professional’s role to remain unbiased and assess responsibility in association with risks or concerns.
There are different processes to determine responsibility just as there are different levels of risk.