I am often encouraged by surveys of the attributes executives look for when they hire.
An increasing number recognize that education, certifications, and even experience are insufficient. The so-called soft skills are of critical importance.
The surveys say that hiring managers look for communication skills and an understanding of the business as well as, or even ahead of, what the resume has to say about the candidate.
But I don’t see these attributes rated highly enough:
- The ability and willingness to challenge traditional thinking
There’s an old story about the candidate who told the hiring manager he had ten years’ experience performing a particular job. After a few questions and answers, the hiring manager observed that “You don’t have ten years’ experience; you have one year, repeated ten times.”
I have been very fortunate over the years to have brought onto my team some exceptionally talented, intelligent, curious, imaginative, leaders.
I like to think that I was able to select these stars with an unconventional interviewing technique that enabled me to see whether they would be able to think. This excerpt from World-Class Internal Audit: Tales from my Journey, describes my experience and approach.
Too many auditors are trained not to think. They are told to follow an audit program or checklist that somebody else created (in some cases, the checklist may have been developed some years earlier when the environment was different, and in other cases taken from a textbook without specific tailoring for the organization being audited). One of my tasks, as a manager and developer of these people, was to break those chains and insist that they think for themselves.
I had to find a way to assess each candidate’s intellect, curiosity, imagination, and ability to learn during my interviews with them. The standard questioning based on the resume would not work, especially as candidates were generally prepared and trained by the executive recruiter on how to answer such questions.
When I interviewed with the chairman of the Tosco audit committee, Michael Tennenbaum, I learned a lesson in non-traditional interviewing. It didn’t help that I had been told that this brilliant man was eccentric, driving a pink Rolls Royce Corniche to and from his aerie office near Beverly Hills (he was a Vice Chair with Bear, Stearns) and at the age of 74 skied a grand slalom course at Vail. I entered the meeting with the great man already a little intimidated, but I was somewhat prepared for the barrage of questions about why I had twice postponed my interview. He tested my ‘mettle’ and whether I could stand up to him and for myself. (This helped him assess whether I would be able to stand up to management should the need arise.)
I was not ready for the next line of questioning. Instead of asking about my prior experience, he asked me what I read. He explored how my mind worked, whether I was open to new ideas, could work with management and not just be a thorn in their side, and whether I had the intellectual ability to contribute as a direct report to the audit committee and an advisor to top management.
When I interviewed potential new hires, I wanted to obtain the same kind of insights into their mind – brilliant or stale. So, I developed a style of interviewing that many find unusual. It has multiple benefits: in addition to helping assess people’s ability to think, it gets past the barriers created when recruiters train their candidates how to answer questions during an interview because I ask questions they cannot predict.
The essence of the interviewing technique is to help the candidate first become comfortable by asking them questions about their resume and why they have applied. They are ready for this and confident in their replies.
Then, I describe a situation (based on a real life experience that they should understand, at least in principle) and ask how they would approach an audit. If they ask for an audit program, that would conclude the interview. But, if they ask questions to improve their understanding of the underlying risks they would earn points of respect.
It doesn’t matter whether they come up with the same approach that I would take, or even if they overlook an important issue. What matters to me is whether they are able to think through a situation they have never encountered and suggest an audit approach that makes sense and demonstrates that they have an intellect and can use it.
I have been told that candidates are not able to read whether I am satisfied with their answers and whether they are doing well in the interview. But they do say that I make them feel comfortable and stretch their ability to think ‘on the fly’. That is what I am trying to achieve and it seems to have worked well over the years.
In hindsight, I have been blessed to have had the support of some brilliant people over the years. I am very proud of the teams I have led. Of course I have made mistakes and some of the hires didn’t work out as well as I had hoped. But, most of the mistakes occurred when I made the mistake of placing too much trust in an individual’s resume and too little on their intelligence, or placed too much trust in a direct report to hire well without ensuring that they understand how to assess intellect, curiosity, and imagination.
I welcome your comments.
How do you hire?
When recent studies by KPMG and PwC indicate that about half of internal audit’s key stakeholders (board members and top executives) do not believe that internal audit is neither delivering the value it should nor addressing the risks that matter, we have to recognize that internal auditing is failing at many organizations.
With that in mind, a recent PwC publication in its Audit Committee Excellence series, Achieving Excellence: Overseeing internal audit, merits our attention.
My opinion is that while the audit committee members may be assessing internal audit performance as ‘needs improvement’, they should be looking in the mirror. Internal audit reports to them; if it is not performing to their satisfaction, they are either failing to communicate expectations clearly, not demanding the necessary improvements, not providing the critical support they need when management is pulling them in a different direction, not taking actions (such as replacing the CAE) to effect change, or all of the above.
Audit committee members need guidance and while the IIA does provide some excellent insights from time to time, the audit firms’ publications are often one of the first that are read.
The PwC publication makes some very good points but unfortunately demonstrates a limited understanding of internal audit best practices. This could be because it was written by their governance team rather than by their internal audit services leaders. (PwC’s internal audit services arm has produced not only good guidance from time to time (including their State of the Internal Audit Profession series), but some excellent thoughts leaders (including the IIA CEO, Richard Chambers).)
Let’s look at what they did well:
“A priority for the audit committee should be empowering the internal audit organization by providing visible support.”
This is an excellent point and PwC describes it well. The audit committee should actively engage internal audit and by showing its respect for the CAE and his team promote respect by management.
“Sometimes internal audit crafts an annual plan that leverages its group’s capabilities rather than addressing the company’s key risks. Audit committees will want to be on the lookout for this.”
Another fine point. The audit committee should take responsibility for ensuring that internal audit addresses the risks that matter to the organization.
“Understand whether resource constraints (e.g., restrictions on travel budgets or the ability to source technical skills) have an impact on the scope of what internal audit plans to do. If the impact of any restrictions concerns the audit committee, take steps to help internal audit get the resources it needs.”
The audit committee should ensure that internal audit has an appropriate level of resources, sufficient to provide quality insight and foresight on the risks that matter now and will matter in the near future.
“Audit committees should determine if they are accepting a sub-excellent level of performance and competence in a CAE (and internal audit function) that it wouldn’t be willing to accept for a CFO (or other key role).”
If the CAE is not considered as critical to the success of the audit committee, something is wrong and the audit committee should take action – even if, perhaps especially if, management holds the CAE in high regard while he delivers little of value to the audit committee.
Periodically discuss whether the amount and type of information internal audit reports to the committee is appropriate.
While this is an essential activity, PwC doesn’t get the issue right. The audit committee should ensure it receives the information it needs to perform its responsibilities for governance and oversight of management. That is not a simple matter, as PwC implies, of being succinct in how the CAE presents audit findings.
What did they miss?
- The audit committee should ensure that all the risks that matter now and will matter in the near future are getting the appropriate level of attention from internal audit.
- The audit committee should challenge any audit activity that is not designed to address a risk that matters.
- The audit committee should take a very strong stance that internal audit reports to them and serves their needs first, not those of management. The PwC paper identifies two reporting lines but is wish-washy on the subject, only saying that “Directors and management should reach consensus on which areas should be internal audit priorities.”
- The audit committee should challenge internal audit on how they work with the risk management activity. Where it exists, are they assessing its effectiveness? Are they working effectively with risk management? Do they leverage management’s assessment of risk appropriately?
- The audit committee should be concerned about the CAE’s objectivity and independence from undue management influence. Does he have one eye on internal audit and the other eye on his next position within the company?
- The audit committee should also ensure that it has an appropriate role in the hiring, performance assessment, compensation, and (where necessary) firing of the CAE.
- Finally, but in many ways most importantly, the audit committee should require that the CAE provide them with a formal assessment of the company’s management of risks and the effectiveness of related internal controls.
The publication makes some technical mistakes because the authors are not internal audit practitioners. Can you spot them?
That’s my challenge to you – in addition to welcoming your comments.
As we near the gift-giving season, here are some books on risk management you might consider as gifts for yourself, your team, or a friend with a passion for risk management.
First, here are two from one of the gurus of risk management.
Felix Kloman styles himself “a long-time student of the discipline of risk management” despite being a risk management practitioner, author, and thought leader for the best part of half a century. If you are interested in the views of this sage and especially the development of risk management over time, you might want to look at these (both are available in paperback and for the Kindle):
- Mumpsimus Revisited: Essays on Risk Management (2005)
- The Fantods of Risk: Essays on Risk Management (2008)
John Fraser has co-authored two massive tomes, each a collection of contributions by highly-regarded risk management practitioners and academics (including Felix). They are full of useful information with chapters such as Enterprise Risk Management: An Introduction and Overview; ERM and its role in Strategic Planning; How to Plan and Run a Risk Management Workshop; and more.
- Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (2010)
- Implementing Enterprise Risk Management: Case Studies and Best Practices (2014)
Finally, Paul Sobel has made a contribution that merits consideration, especially by internal auditors. Paul brings an excellent mind to the topic, even though he may not have the many years’ experience that Felix (in particular) and John possess.
Have you read any of these books? I would like to know what you think of them.
I am also interested in whether there are other books on risk management you would recommend. (Taleb is a controversial author and holds views that I don’t fully endorse, so am not recommending him here.)
A short article in CGMA Magazine, Ingredients of an effective audit committee, caught my eye. I recommend reading it.
I think there are some key ingredients to an effective audit committee that are often overlooked. They include:
- The members have to read all the material for the audit committee meeting before the meeting. It’s amazing how often they don’t, which reduces the meeting to absorbing the material rather than a constructive discussion of its implications.
- The members have to be ready, willing, and able to constructively challenge all the other participants, including the external and internal auditors as well as financial, operating, and executive management. Too often, they are deferent to the external auditor (for reasons that escape me) and too anxious to be collegial to challenge senior management.
- They need a sufficient understanding of the business, its external context (including competitors and the regulatory environment), its strategies and objectives, risks to the achievement of its objectives, and the fundamentals of risk management and financial reporting, to ask the right questions. They don’t need to have a deep understanding if they are willing to use their common sense.
- They need to be willing to ask a silly question.
- They need to persevere until they get a common sense response.
- No board or committee of the board can be effective if they don’t receive the information they need when they need it. I am frustrated when I read surveys that say they don’t receive the information they need – they should be demanding it and accepting no excuses when management is slow to respond.
- Audit committee members will not be effective if they are only present and functioning at quarterly meetings. They need to be monitoring and asking questions far more often, as they see or suspect changes that might affect the organization and their oversight responsibilities.
What do you think?
I welcome your comments.
PwC, who led the project for COSO that updated the Internal Control – Integrated Framework, have shared 10 Minutes on why the COSO Update deserves your attention.
PwC has taken credit for writing the update – and I happy to give them the credit, but if they want that then they also have to recognize the limitations.
Personally, I think they have exaggerated the value of the update. For example, they say that the updated version is “applicable to more business objectives”. Frankly, that is nonsense. The 1992 framework could be and was being applied by practitioners (including me) to any and all objectives, including internal financial reporting and all forms of non-financial reporting (contrary to PwC’s views in this latest document).
Nevertheless, I agree with PwC that the update provides an excellent opportunity to revisit both the effectiveness and efficiency of your internal controls.
PwC shares their approach, which I don’t think is correct as it is not risk-based.
Here is mine:
- Do you understand the risks to your mission-critical objectives?
- Do you have the controls in place to give you reasonable assurance that those risks are being managed at acceptable levels? (If you are concerned about satisfying the new COSO Principles, remember that they can be assessed as present and functioning as long as there are no major weaknesses that indicate that risks are not managed at acceptable levels).
- Do you have the right controls? Are they the most effective and efficient combination of controls? Do you have too many (COSO doesn’t ask this question, nor whether you have the best combination of controls)?
- As you look at your strategies and plans for the next year or so, do you have to make changes to your internal controls so they can support changes in your business and its operations?
I welcome your views.
I congratulate Larry Carter for his new e-book, published by Compliance Week, on the topic “Segregation of Duties and Sensitive Access: Leveraging System-Enforced Controls”.
This is a timely discussion and explanation of a difficult topic and it includes useful information on the differences between manual and automated controls, preventive and detective controls, and more.
I believe it will be a useful read for internal auditors and application developers who are relatively new to the area, and a reminder to more experienced individuals of some of the key points to consider when designing automated controls to prevent individuals from having more access than they need – which can lead not only to fraud, but disruption, errors, and accidents.
For example, when I was leading the internal audit and SOX programs at Maxtor Corporation, the external auditor asked for access so he could examine some of the SAP configurations as part of his control testing. IT inadvertently provided him not only with the access he requested, read-access to the tables involved, but the ability to change the accounting period. Without realizing what he was doing, the auditor closed the accounting period while our financial team was still posting quarter-end journal entries!
Larry makes the excellent point that we need to consider not only inappropriate combinations of access privileges (i.e., Segregation of Duties, or “SOD”) but inappropriate access to a single capability. He calls this latter Sensitive Access, although the more common term is Restricted Access (“RA”).
As he points out, it is good business practice to limit everybody to the access they need to perform their job. Although it may be easier to establish the same access ‘profile’ (a set of access privileges) for several people, care has to be taken to ensure that nobody has more access than they need. If they do, that creates a risk that they may deliberately or inadvertently use that access and create a problem.
Some years ago, my internal auditors found that an individual in Procurement had the ability to create a vendor in the system and approve payment, as well as approve a purchase order. This creates a risk of fraud. The IT manager said there was a control: “We don’t tell people what access they have”. As you might imagine, we didn’t accept that argument.
This brings me to the critical topic of risk.
Larry makes the excellent and key point that you need to design your controls to address risk. You don’t design and operate controls for any other reason. With SOD, the primary reason for limiting inappropriate combinations of access is to prevent fraud. As he says, it is important to perform a fraud risk analysis and use that to identify the SOD controls you need.
When it comes to controls relating to sensitive or restricted access, the controls you need should also be determined by risk. For example, you will probably want to ensure that only a limited number of people have the ability to approve a journal entry, not only because of the risk of fraud but because you want an appropriate review and approval process to occur before they are posted. Similarly, you will want expenditures over a certain value to be approved by a more senior manager, and that is enforced through a restricted access control.
While Larry makes it clear that risk should drive the determination of what controls you need, I wish that had been how he designed his process for identifying necessary SOD and RA controls. Instead he identifies the total population of potential controls and only then considers (although it is less clear than it should be) whether the risk justifies having a control.
In fact, sometimes there are other controls (other than automated SOD or RA controls) that mitigate or even eliminate the risk. When the design of internal controls is based on a risk assessment that considers all the available controls, you are more likely to be able to design a more efficient combination of controls to address important risks. For example, let’s say you have a risk that individuals with inappropriate access to the spare parts inventory might use that to steal materials critical to manufacturing. At first blush, a control to ensure only authorized people have access might seem mandatory – and it would certainly be good practice. But, if the manager of the warehouse had an inventory taken of that area of the warehouse twice each day, the personnel working there could be relied upon to challenge anybody entering the space, and cameras detected any access, the value of an automated RA control is significantly diminished.
A related issue that Larry unfortunately doesn’t mention is the need to limit the access capabilities of the IT staff – not only to functions within applications, but to functions within IT business processes. For example, you need to limit who can change application code or bypass all your controls using “superuser” capabilities.
Another area that is often overlooked is the need to limit ‘read-only’ access to confidential information. Access privileges that allow unauthorized individuals to view customer or employee’s personal information, or confidential corporate information, may be required to comply with laws and regulations as well as to address the risk of theft or misuse of that information.
Overall, this is an e-book with a lot of useful information and it is an easy read.
Norman Marks is a semi-retired internal audit executive, author of World-Class Internal Audit and How Good is your GRC? (both are available on Amazon), and a frequent blogger on the topics of governance, risk management, internal audit, and the effective use of technology in running the business. He can be reached at email@example.com.
How do you assess the risk of missing the opportunity to leverage disruptive technology?
Does being on the “bleeding edge” still scare you?
Are you scared of cyber risk that you are rooted in place?
With incredible advances in technology coming at us from all sides, the potential for organizations to offer new products and services, as well as make dramatic improvements in how they run the enterprise, is huge.
Yet, each of these new technologies also introduces new risks that are of concern to information security, risk, and assurance professionals.
I am concerned that organizations are not prepared to survive let alone thrive in this environment.
I want to share some questions for your consideration, but let’s look first at one new technology that is emerging as disruptive to manufacturing and other sectors: additive manufacturing, commonly known as 3-D printing. These two sites explain some of the potential:
For most of us, 3-D printing is something from the world of science fiction or TV series. But, it is real and it is now.
Do you think every organization that could be affected by this technology has taken the necessary steps to determine how it should affect their organizational objectives and strategies? Do they even know how it could affect them?
- Is your organization monitoring new technology and able to identify how it could affect your organization?
- Do you know what your competitors may be doing with it?
- Do you know what other organizations are doing or planning to do that might turn them into competitors (think Apple and Rolex)?
- Are the right people thinking about how the technology could affect your organization?
- Do they have the ability to come up with ways to use the technology that are novel and different from others?
- When new technology is considered, does your organization have reliable processes to assess related risks?
- Is the voice of risk heard – and understood?
- Is your organization prepared to take the risks necessary to succeed?
- Do you understand the risk of not taking the risk?
- Is your organization sufficiently agile to cast old ideas aside and seize the opportunities?
- Is your organization willing to wait when the (adverse) risk exceeds the opportunity?
- Do your information security, risk management, internal audit, and other assurance providers steer you to take the right risks or are they only a drag, pointing out the negative?
Do you agree with this list? What would you change?
I welcome your comments.