One of the principles for effective risk management in the ISO 31000:2009 global risk management standard is that risk management should be “dynamic, iterative, and responsive to change”.
I really like that. It captures a number of key ingredients for the effective management of uncertainty and risk.
“Dynamic” implies that risk management operates at the speed of the business. It is far more than the occasional, even if regular, assessment of a list of so-called top risks. “Dynamic” is when the consideration and management of risk is part of the fabric of the organization, and an element in daily decision-making and operations of the organization. It is active and essential.
“Iterative” is about a reliable set of processes and systems for identifying, assessing, evaluating, and treating risk. It means that when management makes decisions, based in part on risk information, there are proven processes and the information is reliable.
Finally, “responsive to change” is essential when risk changes at speed. Every day there is a potential surprise, a new or changed situation to which the organization should at least consider responding. It could be a shift in exchange rates, a change in the government of a nation where you do business, a flood that affects the supply of a critical component, the decision in a court case that affects you directly (because you are a party) or indirectly (because it creates a new interpretation of a regulation with which you must comply), the loss of a key customer, a new product from a competitor, the loss of a key employee, and so on.
Stuff happens and it changes or creates risk.
The organization must be responsive to change, nimble and agile in modifying strategy and execution.
All of this applies not only to risk management but also to internal audit (and to finance and the rest of the organization, in truth).
Is your internal audit function “dynamic, iterative, and responsive to change”?
For that matter, do IT, Finance, Operations, and so on meet the principle behind that phrase?
Or are they slow, scattered, and stubbornly reluctant to change?
Is that a risk to which we must respond?
I welcome your comments.
A conversation I just had with Michael Corcoran left me wondering which companies have now or in the past had what one might consider “world-class” internal audit departments?
My personal view is that the CAE is the last person to say his or her internal audit department should be considered world-class.
Instead, that should only be awarded by members of the audit committee or top executives (although I am not sure I would give as much credence to the opinion of a CFO who wants IA to focus on financial and compliance risks).
I would allow members of the audit team to make the award based on what they hear from senior operational executives.
As a former CAE, I am going to hold to my word and not name any of my prior teams. If they want, they can speak for themselves.
So, please use the comments to identify the IA departments you think are world-class and why.
I want to share two situations/reports. The first relates to SOX, the second to COSO 2013.
SEC Charges SOX 302 Violation
Here are the key points in the SEC’s remarks:
The Sarbanes-Oxley Act of 2002 requires a management’s report on internal controls over financial reporting to be included in a company’s annual report. The CEO and CFO must sign certifications confirming they’ve disclosed all significant deficiencies to the outside auditors, reviewed the annual report, and attest to its accuracy.
The SEC’s Enforcement Division alleges that CEO Marc Sherman and former CFO Edward L. Cummings represented in a management’s report accompanying the fiscal year 2008 annual report for QSGI Inc. that Sherman participated in management’s assessment of the internal controls. However, Sherman did not actually participate. The Enforcement Division further alleges that Sherman and Cummings each certified that they had disclosed all significant deficiencies in internal controls to the outside auditors. On the contrary, Sherman and Cummings misled the auditors – chiefly by withholding that inadequate inventory controls existed within the company’s Minnesota operations. They also withheld from auditors and investors that Sherman was directing and Cummings participating in a series of maneuvers to accelerate the recognition of certain inventory and accounts receivables in QSGI’s books and records by up to a week at a time. The improper accounting maneuvers, which rendered QSGI’s books and records inaccurate, were performed in order to maximize the amount of money that QSGI could borrow from its chief creditor.
According to the SEC’s orders, Sherman and Cummings signed a Form 10-K and Sherman signed a Form 10-K/A each containing the false management’s report on internal controls over financial reporting. And each signed certifications required under Section 302 of the Sarbanes-Oxley Act in which they falsely represented that they had evaluated the report and disclosed all significant deficiencies to the auditors.
What is new is that the executives were charged with violating not only the annual Section 404 requirement on which most SOX compliance programs focus, but also the quarterly Section 302 certification process.
I have been warning, in both my SOX book for the IIA and in my training classes, that ‘one of these days’ somebody would be charged with a Section 302 certification violation. In my conversations with the SEC when I was writing the book, they indicated that Section 302 violations were a future rather than a current focus.
But here they are now.
In the Section 302 certification, the CEO and CFO personally sign, and are therefore personally liable for, the following statements:
“The registrant’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and ICFR (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:
- Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
- Designed such internal control over financial reporting, or caused such ICFR to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
- Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
- Disclosed in this report any change in the registrant’s ICFR that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and
“The registrant’s other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant’s auditors and the audit committee of the registrant’s board of directors (or persons performing the equivalent functions):
- All significant deficiencies and material weaknesses in the design or operation of ICFR which are reasonably likely to adversely affect the registrant’s ability to record, process, summarize and report financial information; and
- Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal control over financial reporting.”
In the book, I say:
“…. prudence suggests that management:
- Has a reasonably formal, documented process for making the quarterly assessment that is included in the 10-Q and supports the Section 302 certifications.
- This can be included in the activities of the company’s disclosure committee, which most of the larger companies have established.
- The process should include the assessment of all internal control deficiencies known to management, including those identified not only during management’s assessment process but also by the external auditors in their Sarbanes-Oxley work or by internal audit in its various audit activities.
- The system of ICFR must provide reasonable assurance with respect to the quarterly financial statements and the annual statements. The quarterly assessment is against a lower — typically one quarter the size — determination of what constitutes “material”.
- The process and results should be reviewed and discussed with the CEO and CFO to support their Section 302 certifications.
- Confirms that the external auditors do not disagree with management’s quarterly assessment.
- Understands ― which requires an appropriate process to gather the necessary information ― whether there have been any major changes in the system of internal control during the quarter. A major change can include improvements and degradations in the system of internal control. While Section 302 only requires the disclosure in the 10-Q of a material weakness and the communication to the audit committee of a material or significant deficiency, the correction of a significant deficiency may be considered a major change and, if so, should be disclosed.”
Question: Have you discussed with and obtained guidance from your legal team whether a potential material weakness identified by your periodic SOX testing means that the CEO and CFO should not say, in their current quarter Section 302 certification, that the disclosure controls are effective?
Mapping of Controls to COSO 2013 Principles is Wrong
I am still trying to get information on what the major auditing firms are telling clients about COSO 2013.
I was able to get on a call with a Deloitte practice partner and one of the SOX/COSO leaders in the Deloitte head office.
It was refreshing to hear that they understand that the top-down and risk-based approach mandated by PCAOB Auditing Standard Number 5 remains at the heart of the firm’s approach.
The head office leader made a comment that I like very much.
She said that many registrants are trying to map all their (key) controls to one or more of the COSO 2013 principles.
This is wrong.
There is no such requirement, nor is it useful.
What is needed is to demonstrate which controls are being relied upon to support management’s determination whether the principles are achieved.
I cover this in detail in the SOX book and in my SOX Master Class training. Basically, my approach is to determine how a failure to achieve a principle might raise the level of risk of a material error or omission above acceptable levels; we then identify the key controls that will be relied upon to address such risks. Where the risk is assessed as low, management’s self-assessment of the controls may be sufficient.
Unfortunately, I know of at least one Deloitte senior manager who doesn’t understand.
I wonder how many other external audit teams are ‘requiring’ that companies do more than is necessary.
Please share through comments or private email to me at email@example.com.
I welcome your insights and observations.
Over the years, I have had the privilege of leading world-class internal auditors – world-class people who deliver world-class internal audit services to our customers on the board and in management.
I hesitate to call the teams I have led world-class. There has always been room for improvement.
But our customers and peers have called us world-class. For example, executives and audit committee members have said:
- “Internal audit provides us with a competitive advantage”
- “You have yet to perform an audit I wouldn’t gladly pay for”
- “You help the audit committee sleep through the night”
- “You are not a typical internal auditor”
When Arthur Andersen (and then Protiviti with KnowledgeLeader) built their on-line repository of best practices, ours was the first internal audit function profiled.
Now that I am retired (even if still busy), I have found the time to collect stories from my professional life in a new book: World-Class Internal Audit: Tales from my Journey (see below for links to the book). These are stories about experiences that have shaped me as a leader as well as how I approach internal audit.
My hope is that the book will not only be an easy and entertaining read, but my successes and failures, together with my reflections, will help you as you consider your own career.
Some stories are, I hope, amusing. Some are about learning experiences (i.e., mistakes and embarrassments) from which I grew.
I have also included comments and observations from members of my teams, some of whom followed me as I moved to other companies. For example, a current chief audit executive who worked with me at two different companies had this to say:
“Norman had a unique leadership philosophy where he adapted to the demands of the situation, the abilities of the staff and the needs of the organization. He was able to move between leadership styles utilizing the one needed for the challenges that the company was facing. He was at times visionary along with a coaching emphasis while not micromanaging. Norman set high standards, was democratic but occasionally would utilize a classic authoritarian style when needed with certain employees and situations. Norman moved easily between leadership styles which resulted in developing World Class departments. As the Chief Audit Executive for a semiconductor company I still consult Norman on various audit topics and practice leadership techniques I learned under his tutelage.”
Here’s one of the stories in Chapter 5 on the topic of “the value of writing and teaching”. The ‘David’ referred to was my boss at Coopers, David Clark.
My next adventure took me into a new and smaller world: the world of microprocessors.
People I knew were buying do-it-yourself microcomputer ‘kits’ from mail order stores, and the technical computing journals were starting to hint that these devices had the potential to move from a hobby to a business tool. In 1974, a company called Zilog was founded and in 1976 they introduced the Z80, an 8-bit microprocessor that was a significant advance from the early Intel 8080 model. The Z80 allowed more powerful devices and the military, in particular, used it extensively. The Z80 powered early business computers, such as the Osborne, Kaypro, Xerox 820, Radio Shack TRS 80, and Amstrad. I purchased a Radio Shack TRS 80 Model II a little later – but that’s another story.
I believed in the potential and wanted to share that vision with the rest of CAG. After obtaining materials directly from Zilog and accumulating a number of pieces from journals, I started to write. I was smart enough to include diagrams, but not smart enough to please David with the initial drafts of my paper.
After I had exhausted my patience and wanted to give up, and David had nearly exhausted his patience with me, he gave me two pieces of sage advice:
- Tell him (in person) why this is important. Say it and then write what you said. As you are saying it, learn from the listener (David) how to express your thoughts in a way that will be understood – and learn what not to say because it will not be understood.
- Avoid technical language and use ordinary English where possible. If you have to be technical, explain the terms clearly so that the non-technical person will understand.
I ended up writing a much longer piece, but it worked. While not everybody would share my opinion of the potential, everybody understood what I was talking about.
Later that year, I was asked to be one of the teachers at the off-site training session for people joining CAG. This was a wonderful learning experience for me. The task of teaching meant that I had to master the fundamentals of what I needed to teach. It was also essential that I avoided technical language when plain English could be used – and that I explain the technical in easy-to-absorb-and-retain terms.
This set of experiences led me to require all of my staff to:
- Write and speak for the people who are listening, the people you are trying to influence, inform, or persuade
- Write and say what they need to hear, rather than what you want to say
- Use language they understand. If they don’t start with a decent understanding of the topic, explain any technical terms in ways they can understand
- Give examples and use diagrams; they are of great value in expressing ideas, especially to those who are visually oriented (i.e., absorb concepts from seeing better than they do by reading). I became used to getting up and using a chalkboard to diagram and explain what I was trying to communicate
- Master the fundamentals: you won’t get far explaining anything unless you have deep understanding of the topic yourself
I hope you enjoy this story and consider the book.
As I mentioned earlier, I was honored to be a member of the Re-Look Task Force that has proposed changes to the IIA’s standards framework (IPPF).
One of the changes is to introduce Core Principles for the Professional Practice of Internal Auditing.
The first nine are “motherhood and apple pie” restatements of what I hope we all know are necessary attributes of internal auditing, such as our integrity, resources, and ability to communicate. They are important to restate because although they may be obviously necessary, they are not all always present in practice.
For example, I continue to meet CAEs who don’t have sufficient resources to address more than a handful of critical risks. The most recent one I met has been charged with all the SOX work without being given the resources necessary to provide both his core internal audit assurance work and the consulting services needed to manage the SOX program.
The three that I think will help advance the professional practice of internal auditing are the last three on the list (which should be the first three).
10. Provides reliable assurance to those charged with governance.
11. Is insightful, proactive, and future-focused.
12. Promotes positive change.
What is “assurance”? Our stakeholders need to know if the processes for governance, management of risk, and the related controls can be relied upon to manage critical risks at acceptable levels: whether they will enable the organization to take the right risks with confidence and achieve or surpass objectives.
They need our professional opinion.
I hope this principle will advance the practice of providing such an opinion, a formal one, to the board and top management.
A list of deficiencies is not assurance.
#11 is very interesting. Surveys continue to tell us that our stakeholders on the board and in executive management want more from us. In addition to focusing on the right risks (a deficiency in our practice according to recent PwC and KPMG surveys), they value our insight – what we can tell them about management processes and practices beyond what we might put in the audit report.
Our traditional role is to report on what has happened (and gone wrong) in the past – hindsight. We should instead help our organizations, their executive team and board, manage into the future.
This means moving from hindsight to foresight with insight into current and foreseeable conditions.
We should be proactive in looking at changes in business systems and processes, organizational structures and staffing, and more – providing consulting services to help ensure our future is one with adequate management of risk, including security and controls.
The great Canadian ice hockey player, Wayne Gretzky, was asked “what is the secret of your success?” His answer:
“I skate to where the puck is going to be”
We need to audit where the risk is going to be.
The last principle, promoting positive change, talks about the need to do more than make a recommendation and let management respond. We need to promote positive change. I ask that you read and comment on my article in the August issue of the Internal Auditor magazine on “The Internal Audit Evangelist”.
In another article in the same issue, the author talks about his department achieving an acceptance rate of 84% on its recommendations. Management accepted and implemented 84% of internal audit’s recommendations.
That is a 16% failure rate!
Where is the value when management only occasionally listens to us?
How will management see us if we frequently are unable to see business risks and needs in the same light as they see them?
There is zero value in recommendations.
There is only value in positive change.
We should work with management to ensure we agree on the facts, agree on the risk to objectives (specifying which are at risk), agree on whether that risk should be accepted or treated, and then agree and help them determine the best path forward.
If the great majority of internal audit departments are able to say that:
- We provide our stakeholders with the assurance they need to manage and direct the organization with confidence
- We provide insight into current conditions and our work is focused on the risks that will face the organization as it moves forward, and
- We work with management to effect positive change
the professional practice of internal audit will be one worthy of pride.
I welcome your thoughts and comments.
The IIA is asking for its members’ opinion on a set of proposed changes to the framework for its Standards (the IPPF). The detailed Standards are not changing, but the proposed changes are significant and merit every audit professional’s attention.
The proposal was crafted by a select group of practitioners called the “Re-Look Task Force”, and I was privileged to be a member.
The proposal explains the recommended changes and asks a number of questions to elicit members’ opinions and suggestions for improvement.
I encourage all IIA members across the world to read the proposal carefully and provide your input.
You should receive a copy of the proposal from your institute. You can also download it from either the IIA Global or IIA North America web site. In addition, Hal Garyn, a Vice President with The IIA, has recorded a video (http://auditchannel.tv/video/1321/The-IPPF-Is-Evolving-How-You-Can-Help).
I want to share my perspective on the changes, hoping that might be useful to you.
The proposal represents the consensus view. While there were, in a few cases, disagreements among the task force members, those disagreements were minor. The questions we included are designed to address those issues.
The task force discussed whether it was time to make a change to the Definition of Internal Auditing. Quite a few changes were suggested, but in my view they were only tinkering with the words and not changing the underlying message: that ours is an assurance activity (in my opinion this is our primary mission) that also helps our organizations succeed through consulting/advisory services that contribute to the improvement of governance, risk management, and related control processes.
We talked about changing “consulting” to “advisory”. We talked about ways to make the wording more succinct.
But in the end, it was tinkering and we recognized a change could lead to issues where the Definition has been incorporated into other standards, corporate governance codes, and so on.
I think the right decision was made, to leave the Definition unchanged.
We also talked about the Standards being “principle-based” rather than “rule-based”. If so, what are the principles?
Again, we spent a lot of time defining and then wordsmithing the principles.
I think the list included in the proposal is a good one. I will write separately about some of the principles and why I like them.
One of the questions is whether the principles are shown in the best order. This is one area where I was in the minority. While I see the logic of the proposed order, I would put the last three first as they represent what we are all about. The other nine are how we get there. You can share your opinion by answering a question on the order of the principles.
Although the mission is presented before the principles in the proposal, the task force discussed it after them. I like it! It is short and sweet and captures the essence of the purpose and value of internal auditing.
I like the other suggestions for supplemental guidance, guidance on emerging issues, and local guidance. The last should be useful where local practices are in a different environment than in other countries. For example, I work with IIA chapters and institutes around the world and know that in some nations there are many family-owned corporations; in others there are a lot of government-owned for-profit companies. There will now be a place for local IIA organizations to craft guidance that addresses local issues in ways global guidance cannot.
If you haven’t already seen the proposal, please watch for it and if necessary check the IIA web site.
Feel free to share your thoughts here for discussion.