The effective audit committee

November 22, 2014 6 comments

A short article in CGMA Magazine, Ingredients of an effective audit committee, caught my eye. I recommend reading it.

I think there are some key ingredients to an effective audit committee that are often overlooked. They include:

  1. The members have to read all the material for the audit committee meeting before the meeting. It’s amazing how often they don’t, which reduces the meeting to absorbing the material rather than a constructive discussion of its implications.
  2. The members have to be ready, willing, and able to constructively challenge all the other participants, including the external and internal auditors as well as financial, operating, and executive management. Too often, they are deferent to the external auditor (for reasons that escape me) and too anxious to be collegial to challenge senior management.
  3. They need a sufficient understanding of the business, its external context (including competitors and the regulatory environment), its strategies and objectives, risks to the achievement of its objectives, and the fundamentals of risk management and financial reporting, to ask the right questions. They don’t need to have a deep understanding if they are willing to use their common sense.
  4. They need to be willing to ask a silly question.
  5. They need to persevere until they get a common sense response.
  6. No board or committee of the board can be effective if they don’t receive the information they need when they need it. I am frustrated when I read surveys that say they don’t receive the information they need – they should be demanding it and accepting no excuses when management is slow to respond.
  7. Audit committee members will not be effective if they are only present and functioning at quarterly meetings. They need to be monitoring and asking questions far more often, as they see or suspect changes that might affect the organization and their oversight responsibilities.

What do you think?

I welcome your comments.

Leveraging the COSO Internal Control Update for Advantage

November 15, 2014 4 comments

PwC, who led the project for COSO that updated the Internal Control – Integrated Framework, have shared 10 Minutes on why the COSO Update deserves your attention.

PwC has taken credit for writing the update – and I happy to give them the credit, but if they want that then they also have to recognize the limitations.

Personally, I think they have exaggerated the value of the update. For example, they say that the updated version is “applicable to more business objectives”. Frankly, that is nonsense. The 1992 framework could be and was being applied by practitioners (including me) to any and all objectives, including internal financial reporting and all forms of non-financial reporting (contrary to PwC’s views in this latest document).

Nevertheless, I agree with PwC that the update provides an excellent opportunity to revisit both the effectiveness and efficiency of your internal controls.

PwC shares their approach, which I don’t think is correct as it is not risk-based.

Here is mine:

  1. Do you understand the risks to your mission-critical objectives?
  2. Do you have the controls in place to give you reasonable assurance that those risks are being managed at acceptable levels? (If you are concerned about satisfying the new COSO Principles, remember that they can be assessed as present and functioning as long as there are no major weaknesses that indicate that risks are not managed at acceptable levels).
  3. Do you have the right controls? Are they the most effective and efficient combination of controls? Do you have too many (COSO doesn’t ask this question, nor whether you have the best combination of controls)?
  4. As you look at your strategies and plans for the next year or so, do you have to make changes to your internal controls so they can support changes in your business and its operations?

I welcome your views.

New E-Book on Segregation of Duties: A Review

November 12, 2014 Leave a comment

I congratulate Larry Carter for his new e-book, published by Compliance Week, on the topic “Segregation of Duties and Sensitive Access: Leveraging System-Enforced Controls”.

This is a timely discussion and explanation of a difficult topic and it includes useful information on the differences between manual and automated controls, preventive and detective controls, and more.

I believe it will be a useful read for internal auditors and application developers who are relatively new to the area, and a reminder to more experienced individuals of some of the key points to consider when designing automated controls to prevent individuals from having more access than they need – which can lead not only to fraud, but disruption, errors, and accidents.

For example, when I was leading the internal audit and SOX programs at Maxtor Corporation, the external auditor asked for access so he could examine some of the SAP configurations as part of his control testing. IT inadvertently provided him not only with the access he requested, read-access to the tables involved, but the ability to change the accounting period. Without realizing what he was doing, the auditor closed the accounting period while our financial team was still posting quarter-end journal entries!

Larry makes the excellent point that we need to consider not only inappropriate combinations of access privileges (i.e., Segregation of Duties, or “SOD”) but inappropriate access to a single capability. He calls this latter Sensitive Access, although the more common term is Restricted Access (“RA”).

As he points out, it is good business practice to limit everybody to the access they need to perform their job. Although it may be easier to establish the same access ‘profile’ (a set of access privileges) for several people, care has to be taken to ensure that nobody has more access than they need. If they do, that creates a risk that they may deliberately or inadvertently use that access and create a problem.

Some years ago, my internal auditors found that an individual in Procurement had the ability to create a vendor in the system and approve payment, as well as approve a purchase order. This creates a risk of fraud. The IT manager said there was a control: “We don’t tell people what access they have”. As you might imagine, we didn’t accept that argument.

This brings me to the critical topic of risk.

Larry makes the excellent and key point that you need to design your controls to address risk. You don’t design and operate controls for any other reason. With SOD, the primary reason for limiting inappropriate combinations of access is to prevent fraud. As he says, it is important to perform a fraud risk analysis and use that to identify the SOD controls you need.

When it comes to controls relating to sensitive or restricted access, the controls you need should also be determined by risk. For example, you will probably want to ensure that only a limited number of people have the ability to approve a journal entry, not only because of the risk of fraud but because you want an appropriate review and approval process to occur before they are posted. Similarly, you will want expenditures over a certain value to be approved by a more senior manager, and that is enforced through a restricted access control.

While Larry makes it clear that risk should drive the determination of what controls you need, I wish that had been how he designed his process for identifying necessary SOD and RA controls. Instead he identifies the total population of potential controls and only then considers (although it is less clear than it should be) whether the risk justifies having a control.

In fact, sometimes there are other controls (other than automated SOD or RA controls) that mitigate or even eliminate the risk. When the design of internal controls is based on a risk assessment that considers all the available controls, you are more likely to be able to design a more efficient combination of controls to address important risks. For example, let’s say you have a risk that individuals with inappropriate access to the spare parts inventory might use that to steal materials critical to manufacturing. At first blush, a control to ensure only authorized people have access might seem mandatory – and it would certainly be good practice. But, if the manager of the warehouse had an inventory taken of that area of the warehouse twice each day, the personnel working there could be relied upon to challenge anybody entering the space, and cameras detected any access, the value of an automated RA control is significantly diminished.

A related issue that Larry unfortunately doesn’t mention is the need to limit the access capabilities of the IT staff – not only to functions within applications, but to functions within IT business processes. For example, you need to limit who can change application code or bypass all your controls using “superuser” capabilities.

Another area that is often overlooked is the need to limit ‘read-only’ access to confidential information. Access privileges that allow unauthorized individuals to view customer or employee’s personal information, or confidential corporate information, may be required to comply with laws and regulations as well as to address the risk of theft or misuse of that information.

Overall, this is an e-book with a lot of useful information and it is an easy read.

Norman Marks is a semi-retired internal audit executive, author of World-Class Internal Audit and How Good is your GRC? (both are available on Amazon), and a frequent blogger on the topics of governance, risk management, internal audit, and the effective use of technology in running the business. He can be reached at nmarks2@yahoo.com.

Technology, Strategy, Cyber, and Risk

November 8, 2014 2 comments

How do you assess the risk of missing the opportunity to leverage disruptive technology?

Does being on the “bleeding edge” still scare you?

Are you scared of cyber risk that you are rooted in place?

With incredible advances in technology coming at us from all sides, the potential for organizations to offer new products and services, as well as make dramatic improvements in how they run the enterprise, is huge.

Yet, each of these new technologies also introduces new risks that are of concern to information security, risk, and assurance professionals.

I am concerned that organizations are not prepared to survive let alone thrive in this environment.

I want to share some questions for your consideration, but let’s look first at one new technology that is emerging as disruptive to manufacturing and other sectors: additive manufacturing, commonly known as 3-D printing. These two sites explain some of the potential:

For most of us, 3-D printing is something from the world of science fiction or TV series. But, it is real and it is now.

Do you think every organization that could be affected by this technology has taken the necessary steps to determine how it should affect their organizational objectives and strategies? Do they even know how it could affect them?

My questions:

  1. Is your organization monitoring new technology and able to identify how it could affect your organization?
  2. Do you know what your competitors may be doing with it?
  3. Do you know what other organizations are doing or planning to do that might turn them into competitors (think Apple and Rolex)?
  4. Are the right people thinking about how the technology could affect your organization?
  5. Do they have the ability to come up with ways to use the technology that are novel and different from others?
  6. When new technology is considered, does your organization have reliable processes to assess related risks?
  7. Is the voice of risk heard – and understood?
  8. Is your organization prepared to take the risks necessary to succeed?
  9. Do you understand the risk of not taking the risk?
  10. Is your organization sufficiently agile to cast old ideas aside and seize the opportunities?
  11. Is your organization willing to wait when the (adverse) risk exceeds the opportunity?
  12. Do your information security, risk management, internal audit, and other assurance providers steer you to take the right risks or are they only a drag, pointing out the negative?

Do you agree with this list? What would you change?

I welcome your comments.

Considering reputation risk

November 1, 2014 7 comments

An organization’s reputation is critical to their success (in almost every case). A smart CEO and her board pay attention to the organization’s reputation and take care to nurture, protect, and grow it.

A new survey by Deloitte reinforces that obvious truth and states one other truth that should be obvious to us all: “reputation risk is driven by other business risks”.

Miriam Kraus, a senior vice president at SAP responsible for their risk management program, is quoted in the report:

“Usually, reputation risks result from other risks. For example, noncompliance with applicable laws and regulations, misconduct of senior management, failure to adequately meet our customer’s expectations and contractual requirements. All of these could lead to civil liabilities and fines, as well as loss of customers and damage to the reputation and brand value of SAP, to just mention a few.”

The paper has many interesting numbers and charts but I think it leaves much left unsaid.

I wish that Deloitte had advised that when decision-makers assess risks they should consider and assess the potential impact on the organization’s reputation (which can be good, bad, or neutral) and add this to the assessment of other (more direct) potential effects.

It should be noted that the likelihood of a significant impact on reputation arising from, say, a safety issue is not necessarily the same as the likelihood of other impacts such as fines, lost time, and so on.

In addition, the impact on reputation may be positive while the impact on, say cash flow, is negative!

For example, the decision to divorce the organization from a supplier who is found to have broken the law may adversely impact costs and disrupt delivery of product to the market – while enhancing the reputation of the organization.

I also wish that Deloitte had made it clear that organizations need to understand what is most likely to have a significant impact on their reputation. While they mentioned a few important areas, they omitted situations like failures (or excellence) in customer service, the help desk, public statements (including on social media), responses to media and regulators’ inquiries, announcements about plant closures, and so on.

I believe it is important to identify the more significant drivers of reputation value, both the potentially positive and negative, so that they can be monitored and treated when appropriate, to optimize the reputation of the organization.

Monitoring is key and Deloitte has a sidebar that talks to some of the ways to do this. They call it risk-sensing.

One aspect that I didn’t see mentioned is that the organization’s reputation can be affected by the actions of third parties – without any stimulus from the organization. For example, from time to time statements are made by the CEO of Oracle that are intended to attack the reputation of SAP, its primary competitor. The organization that is attacked needs to know what is happening and assess whether a response to the attack would help or hurt.

In the same way, when there is violence in some part of the world, people look to the US, EU, and others for a reaction. It’s not only the action that can affect reputation, but the failure to act.

When the media find that there have been an unusual number of apparent failures in a model of automobile, the failure of the manufacturer to react can be as damaging as or more than a poorly-worded press statement.

Actions by third parties that are part of the extended enterprise (suppliers, channel parties, agents, and even customers) can affect reputation. This needs to be identified, assessed, and monitored closely as well.

Reputation risk is critical. Deloitte doesn’t make it clear but since so many decisions and actions can impair or improve the organization’s reputation, it is essential that the impact on reputation be considered in pretty much every decision, from strategy-setting to the daily operation of the business.

Every manager and decision-maker needs to own the risk, not the CRO.

One final point: one of the reasons I like the ISO 31000:2009 global risk management standard is that it doesn’t limit the risk management discussion to preventing bad things from happening. Every organization needs to pay attention to the ways in which it can build and grow its reputation, not just protect it.

Do you agree?

I welcome your comments and perspectives.

Information Security and Risk

October 24, 2014 3 comments

Should information security (or cyber, if we follow the latest fad) be based on risk? What is that risk, is it risk to the information or other IT resources, or is it risk to the business?

I congratulate John Pironti and Dark Reading for the intelligent perspective in a short video interview.

Two points stand out for me:

  1. The investment in information security/cyber should be based on the risk to the business and the achievement of business objectives.
  2. Information security professionals need to talk to the business in the language of the business – which is risk and performance. That means that the CISO and team need to understand the business objectives and how a failure in cyber might impair the ability to achieve them.

Information security professionals will be able to get and retain the attention of executives when they are able to explain how investments in information security help managers and the business as a whole succeed.

While information security professionals should continue to advance their understanding of technical issues, most need to upgrade their understanding of the business and business risks. Risk management guidance, such as the ISO 31000:2009 global risk management standard, should be required reading in addition to business and technical journals.

I welcome your comments.

Disruption and risk

October 19, 2014 18 comments

I like a very recent publication, Deloitte on Disruption.

They use a definition of strategic risk that I have not seen before (I don’t know whether they created the definition):

“Strategic risks are the ones that threaten to disrupt the assumptions at the core of a company’s strategy.”

I like it!

I also like these comments:

“Risk Is Not a Game: Because of the complex world in which companies now operate, strategic risk has earned a rightful position at the top of the executive agenda. Boards want to know that the executive team is “on it,” and CEOs want to make sure they’re not missing it.”

“We live in a world the U.S. Army War College has dubbed VUCA: volatile, uncertain, complex, and ambiguous.”

“You can be on top of the world today and hanging on for dear life five years from now.”

“Of course, the story is far from over: technological advances will only continue, and the speed of innovation will only increase, creating more and more opportunities to disrupt industries. Maybe even yours. The challenge facing organizations today is how to anticipate, adapt, maneuver, make decisions, and change course as needed in a VUCA world. And really, the only way to respond is by changing your approach to risk. You’re not out for a leisurely drive, sticking to the straightaway and steering clear of danger. You’re a Formula 1 driver, using every hairpin turn and unexpected development as an opportunity to secure the lead.

“The trouble with strategic risks is there’s often no historical precedent to draw from to assess their potential nature and impact. Sometimes they’re the product of a visible trend, but often they appear as a surprise. Subtle and difficult to quantify, strategic risks can’t be managed in the traditional ways with Enterprise Risk Management programs or software. And hard as they are to spot in time or manage, they are extremely difficult to recover from.”

“Spotted early and handled well, they can be the basis for game-changing moves that reorder the field. They can decimate what had looked like an indomitable leader, but they can also point the way to new options or the next market – the way BMW has launched its own car-sharing service DriveNow, or the way Avis is positioning its acquisition of ZipCar.”

Deloitte identifies 4 elements to the process for addressing these disruptive, strategic risks:

  1. Accelerate discovery. Make sure you have the ability to identify these risks early, so you can act quickly to embrace the opportunity or navigate the threat
  2. Confront your biases. As Deloitte points out, management and the board are composed of humans with all their frailties, such as bias from past experience, that can inhibit our ability to identify risks and act appropriately
  3. Scan ruthlessly (which I would have included in #1)
  4. Prepare for surprises

When I was leading risk management at Business Objects (prior to its acquisition by SAP), we were very much aware of disruptive risks. We identified competitor actions and the emergence of new technology, as well as regulatory changes and other shifts in our external business environment, as risks to monitor.

Part of our process for these risks was to assign to individual executives the responsibility for monitoring them – in addition to our teams specifically tasked with monitoring competitors and new entrants to the market.

One thing I would add to the Deloitte recommendations is this: ensure that your management and the organization are sufficiently agile to shift quickly when needed. Can you change strategy fast, accelerate or slow major projects, such as new product innovation? Or, are you so weighed down by short-termism, bureaucracy and legacy systems that it will be like trying to dance in the mud?

Is Deloitte correct in saying that traditional risk management is insufficient? My personal view is that if you follow guidance from ISO 31000:2009 and make risk management a dynamic activity that considers changes in the ‘external context’, you will have at least the skeleton of a process to follow that will work. But, if you have a periodic risk management process that is limited to a review of a limited number of risks, you are exposed and a candidate to be the next Blockbuster.

I welcome your comments.

Follow

Get every new post delivered to your Inbox.

Join 5,249 other followers