I continue to be concerned that accounting firms are providing poor guidance to their clients and other organizations.
Let’s look at new guidance from PwC’s Canadian firm, “What does it mean to me? Frequently asked questions about the COSO Updated Framework”.
PwC asks and provides their answers to a few questions, including:
Q: What might happen if my company does not update to the 2013 Framework?
A: There are indications that the SEC will take a close look at any company that doesn’t make this transition. We’re encouraging our clients to transition before December 15, 2014.
Norman: PwC fails to point out that this only applies to the SOX assessment of internal control over financial reporting for organizations subject to that compliance requirement. There is no requirement to adopt COSO 2013 for any other business objective.
Q: Are there new/updated requirements for effectiveness?
A: While the fundamental requirements haven’t changed, there’s greater clarity around what management should assess in determining effectiveness. The requirements are that:
- Each of the five components and relevant principles are present and functioning
- The five components are working together in an integrated manner
Norman: I find it unforgiveable that PwC omits the first and most significant requirement: internal control is effective when it provides reasonable assurance that risk to objectives is at acceptable levels. Unforgiveable because this is the primary and overriding way to assess internal control; it comes ahead of the requirements relating to components and relevant principles in the COSO section on Effectiveness; and PwC really should get this right as they wrote the COSO 2013 update! (By the way, I give PwC kudos for pointing out that the “fundamental requirements have not changed”.)
Q: Isn’t this just a mapping exercise? Can’t you just use the template?
A: The mapping of controls based on the 1992 Original Framework to the updated 2013 Updated Framework is a key part of the transition. Many companies seem to think it’s just a mapping exercise and that there’s little they need to do to apply the update. We’ve heard of other organizations who think that because they had a clean certification last year, there won’t be any challenges this year. However, once they start this mapping, many companies are finding that updates are needed to their system of internal control. The mapping templates help draw this out, and management should expect some level of added effort to the update.
Norman: There is no requirement to map your controls from last year to the Principles. This is a creation of consultants.
The requirement is to demonstrate that the Principles are present and functioning, which will serve to demonstrate that the components are present and functioning and working together in an integrated manner.
I give credit to Deloitte for including this distinction in their firm’s internal training (according to the lady who runs it for them). Companies don’t need to take all their existing controls and map them to the new Principles. Instead, they need to identify the controls that satisfy the Principles.
I again give credit to Deloitte for training their people that there is no need to identify controls for every Point of Focus. The latter are provided to assist in addressing the Principles.
The other major problem, and this applies to every guidance I have seen on COSO 2013, is the failure to note that the requirement to assess internal control over financial reporting using a top-down and risk-based approach has not changed. This is mandated in Auditing Standard Number 5 (which has not been changed), included in the SEC’s Interpretive Guidance (which has not been changed), and strongly reinforced in the PCAOB’s Staff Alert 11 of October, 2013 (published after the release of COSO 2013).
The assessment of the Principles should be based on whether any gap represents what COSO calls a major deficiency: one which represents a significant risk to the achievement of the objective of reliable financial reporting to the SEC. Absent such a major deficiency, which basically translates to a material weakness, the Principles can be assessed as present and functioning. I haev confirmed this with COSO and several audit firm partners.
Finally, the mapping templates can be and generally are misused. When consideration of risk is not included, these templates are just checklists. This is why many organizations are warning against the checklist approach to COSO 2013 adopted by firms and registrants alike.
I like how the PCAOB Board Member Jeanette Franzel advised organizations to avoid the checklist approach and use the 2013 Update as an opportunity to revisit the system of internal control’s design, effectiveness, and efficiency.
I have talked to a number of PwC partners about the COSO 2013 update and its effect on SOX. They “get it” so this failure to talk about providing reasonable assurance that risk to objectives is at acceptable levels is not pervasive across PwC. I hope it is limited to this guidance.
These partners know that the assessment of effective internal control over financial reporting is still based on whether there are no material weaknesses. Translating this into COSO language: the objective is to file financial statements that are free of defect; the acceptable level of risk is that they do not contain any material errors or omissions; if there are no material weaknesses, then it should be possible to show that the principles are free of major deficiency and thus present and functioning.
I welcome your comments.
By the way, this is addressed in more detail in the guidance to management on SOX published by the IIA (written by me).
From time to time, I get into trouble with the IIA.
Here’s another opportunity.
The IIA has embraced the Three Lines of Defense Model and in 2013 issued a Position Paper (identified as strongly recommended guidance[i]) The Three Lines of Defense in Effective Risk Management and Control. Since then, IIA leadership has advocated the model, including in its recent Enhancing value Through collaboration: A call to action (see this related post).
The idea of the model has some merit. It distinguishes between functions that own and manage risk (operational[ii] management: the 1st line of defense), those that “oversee risk” (including risk management facilitation and monitoring of risk management practices: the 2nd line of defense), and those who provide independent assurance (primarily internal audit: the 3rd line of defense).
Distinguishing the roles of management, risk management, and internal audit has merit. It is also useful to talk about the need for coordination.
However, I believe the IIA has made a grave mistake.
Risk management is not about defense.
It’s about management making informed decisions and taking the right risks.
If anything, that is offense.
Defense implies you are defending against risk. If you don’t take risk, you wither and die.
Defense implies that risk is bad. It is not. It can be positive or negative and, as one sage individual commented on my blog, there is often an opportunity to change a potential negative into a positive.
Last week, I met a top financial services risk management expert in Singapore (Martin Davies of Causal Capital). He told me about a situation where a trader submitted a proposed transaction for risk management review and approval. It was rejected because it fell outside the organization’s “risk appetite” (used in this context, it really referred to risk criteria[iii] rather than risk appetite as defined by COSO ERM). The risk manager rejected it. Martin explained how if he were in this situation he would sit down with the trader and work with him on how the deal could be restructured such that it is acceptable[iv].
This is offense, not defense.
In any event, my view is that when you put responsibility for managing risk in the hands of a siloed risk management function you are at the same time removing that responsibility from operating management.
This is not a good thing.
Management needs to own risk, with risk management serving as facilitator.
The IIA paper talks about risk management “overseeing” and “monitoring” risk management practices – which sounds awfully (and I mean awful in every sense) like corporate police and a siloed, adversarial risk management function.
No. This is a practice that will only stifle an organization and limit achievement.
Let’s talk about the lines of offense instead of defense.
How can risk management enable the organization to take the right risks, optimize outcomes, and not only achieve but surpass objectives?
I welcome your comments.
PS – controls help the organization go faster, not just preserve value
[i] Why this is considered guidance escapes me. I understand how it can represent the IIA’s thinking but it is information in nature rather than guidance for the professional practice of internal auditing. I contrast this with the Position Papers on the role of internal audit in risk management and governance, which did provide guidance.
[ii] IIA refers to risk management as being owned by operational management. I don’t understand why they don’t include executive management and the board. They refer to senior management as setting strategies and objectives and defining the governance structure, but that is taking risks and making decisions is not limited to operating management.
[iii] Follow the links to a paper by Martin on risk appetite that relies on ISO 31000:2009 rather than COSO ERM.
[iv] I am with Martin and would fire the risk manager who simply stamps reject the proposed trade.
The IIA has released a new report calling for change. Enhancing value Through collaboration: A call to action has a lot of value, drawing on the results of IIA, KPMG, and PwC surveys and reports among others, together with insights and comments from IIA leaders and CAEs.
Change is needed because “ Fewer than half (49 percent) of senior management responding in PwC’s survey believe that internal audit is performing well at obtaining, training, and/or sourcing the right level of talent and the right specialists for its needs.”
The IIA report references five strategies that internal audit leaders should adopt for success:
- Improve Upon Alignment With Expectations of Key Stakeholders
- Assume a Leadership Role in Coordinating the Second and Third Lines of Defense
- Enhance Internal Auditing’s Capability to Address Critical Strategic Business Risks
- Develop and Implement Knowledge and Talent Acquisition Strategies
- Become a Trusted Advisor to the Audit Committee and Executive Management
Some of the excerpts with which I agree include:
- There is a need for “a global shift toward greater coverage of risk management, business strategy, and governance” by internal audit.
- Sprint CFO Joe Euteneuer tells PwC, “internal audit’s mandate is to be proactive in helping us forecast, assess, and manage risk. They are expected to partner with the business as they manage day- to-day operations and be an ‘idea tank’ for insights around risks and controls for the overall benefit of the company.”
- The first step, according to KPMG’s report, is to “recognize that internal audit is most effective when it is focused on the critical risks to the business, including key operational risk and related controls — not just compliance and financial reporting risks.”
- Internal audit needs to shift its mindset and be cognizant of an ever-changing operating environment.
- Presuming maturity of the company’s internal control structure, the CAE should present a strategic internal audit plan, spanning three to five years and showing a reduction in assurance services and an increase in advisory services — in accordance with what the internal control structure will permit. The CAE should not lose sight of the need for flexibility and adaptability in response to emerging risks. Such a plan should present in detail how those advisory services will be performed and how they tie into the company’s business plan.
- “It becomes incumbent on CAEs to communicate clearly where within their audit plans they have identified and addressed the organization’s key strategic and business risks. Explicit rather than implicit communication with full transparency is needed to avoid any misunderstanding of this critical risk coverage.” — Richard Anderson, Clinical Professor of Risk Management, DePaul University
Some believe I speak for the IIA – that is not correct. From time to time, I disagree (sometimes strongly) with official IIA positions. That happens to be the case with some of the advice in this IIA paper.
The IIA “advocates educating key stakeholders on the three lines of defense model, comprising management controls, risk management, and internal audit. Communicating this model and coordinating with other assurance providers has made slow progress.” I disagree, but will cover my issues with the three lines of defense model in another post.
Today, I want to comment on the first of the five strategies, “Improve Upon Alignment With Expectations of Key Stakeholders”.
The paper talks about understanding the expectations of the board (and top management), agreeing with them on what constitutes value, and then delivering that value.
At first glance, this seems reasonable and appropriate.
The trouble is that most boards and top management have no idea what internal audit is capable of doing – which is why so many insist on internal audit focusing on financial and compliance risks, rather than expanding into strategic and operational areas. It is also why boards are not demanding that internal audit provide assurance on risk management or address the risks of failures in governance processes.
If we only strive to align and meet the expectations of ‘ignorant’ boards and top management, we are doomed to repeat the failures of the past.
Instead, we must recognize our obligation to address all risks to the success of the organization, including those pertaining to governance, risk management, and so on.
Where our boards and top management don’t understand, rather than fall in (or fail in) quietly we must do our best to educate them of our responsibilities and capabilities. Where needed, we must expand our capabilities so we address these key risk areas in a professional and competent manner.
For example, Lord Smith of Kelvin told the International IIA Conference in Kuala Lumpur that “the fish rots from the head down” and that the greatest risk to an organization relate to defects in the CEO and his executive team.
Where we are witness to failures at the C-suite level, should we behave like the three monkeys because the board and management do not expect us to address that risk?
Or, do you disagree?
How many boards, let alone risk officers, think about the risks to their organization if the governance by the board and top management is ineffective?
Certainly, people talk about the potential for the wrong tone at the top. Frankly, I doubt that members of the board will be able to detect those situations where top executives talk a good game but walk to a different tune; where they put the interests of their pockets ahead of the reputation and long-term success of the organization; where they are prepared to take risks with the organization’s resources without risk to their own..
But governance risks extend well beyond that
Failures to have the time to question and obtain insight in how the organization actually works can leave the enterprise without effective risk management, information security, internal auditing, and more.
Failures to provide the board the information it needs when it needs leaves the directors blind, although they may think they can see.
The governance committee of the board should, in my opinion, consider risks related to governance processes every year. It should engage both the risk and internal audit teams to ensure a quality assessment is performed. Legal counsel should also be actively engaged as issues might have consequences if they are not handled well; for example, any assessment that the board has gaps in director knowledge, experience, or ability to challenge the executive team cannot be communicated outside the firm.
Do you agree? I welcome your comments.
Every organization needs to be able to not only anticipate and address the inevitability of change that might disrupt its business, but be prepared to take advantage of the opportunities that will present themselves.
We talk about risk as if every uncertainty has a downside.
We talk about opportunity as if it is something that we choose to seize or not, and do little to ensure we identify and take full advantage. How do we expect to optimize our performance when we are cavalier about moving quickly to take advantage of opportunities that may rise and disappear quickly?
We talk about resilience as if we should stand tall, like a wall, in the face of disruptive change. Perhaps we should move, either out of the way or to align ourselves to benefit from the movement (think Aikidao).
In fact, all of these come into play. Situations and events can have multiple possible effects, some good and some bad, and are not limited to one outcome at a time. As a simple example, the loss of one employee is the opportunity to hire somebody with different skills, reorganize the function, and so on.
What distinguishes our times from years past is the pace of change.
Deloitte recently published Directors’ Alert 2014: Greater oversight, deeper insight: Boardroom strategies in an era of disruptive change. Here are some excerpts:
“Sometimes, changes occur that are more dramatic. In the past, disruptive changes usually happened only periodically and resulted in a sustained plateau – the automated assembly line, for example, which revolutionized industry in the early twentieth century, continues to be a central feature of modern manufacturing. Today, however, disruptive change has become a perpetual occurrence in which one change instantly sparks a chain of others. What’s more, these changes are being generated by a variety of factors – digital disruption created by continuing technological advances, regulatory reforms, economic turmoil, globalization, and shifting social norms and perceptions.”
“In this environment, everything and anything may change at any time as category boundaries are blurred, supply chains are disrupted, and long-standing business models become obsolete. With change, however, comes opportunity. Technological advances enable organizations to generate new revenues by targeting new customers, new sectors, and access new geographies while more fully automating back office activities and divesting of declining assets to reduce costs. The challenge for organizations is to recognize when disruptive change is occurring and to act quickly and decisively when it does.”
“In this environment of ongoing, tumultuous change, organizations and their management and boards of directors must respond quickly and adeptly if they are to effectively address all the disruptive changes that surround and affect them. For boards of directors, this often requires greater oversight – expanding their scope to include activities and areas that were not traditionally part of their mandate. At the same time, boards must ensure that management provides them with deeper insights into the organization’s activities so directors can clearly understand all of the potential opportunities and risks.”
Deloitte takes each area of major change (such as strategy, technology, taxation, regulatory compliance and so on) and includes questions for directors to use in discussions with management.
I am working with ISACA on guidance for directors and executives on how disruptive technology might affect corporate strategy. I came up with a few questions of my own that directors and top executives might use:
- How does the organization identify the new or maturing technologies that might be of value and merit consideration in setting or adjusting strategies, objectives, and plans?
- Who is responsible for the assessment process?
- Who determines whether existing strategies, objectives, or plans should be adjusted?
- Does the assessment consider the potential for value to be created in multiple areas of the organization, or does each functional area act on its own?
- Does the assessment consider, with inclusion in the process of related experts, potential compliance and other risks?
- Does the assessment consider the potential actions of competitors, suppliers, customers, and regulators?
- Does the board discuss the potential represented by new or maturing technology on a regular basis and as part of its discussions of enterprise strategy?
Do you think these are the right questions? How would your organization fare?
I welcome your comments.
My good friends at SAP have shared the good news with me. They’re releasing a new technology solution for internal auditors at the IIA International Conference in London. I only wish I could be there to join the celebration.
As the head of internal audit departments at major global corporations for twenty years, I always looked for ways to upgrade our effectiveness and efficiency. For example, I used analytics software for data mining (especially when it came to fraud detection) and risk monitoring. However, the technology solutions developed specifically for internal auditors were often not supported by my company’s IT department and were difficult to use against core enterprise financial and other systems. I got around this by hiring proficient programmers (in one company, all they did was develop and run reports for our audit engagements).
I also spent a number of years as an executive in IT and experienced first-hand the problems created when an organization’s technology environment is fragmented, with applications from multiple vendors using different platforms, languages, database systems, and so on. It not only made supporting customer needs tough, especially when they wanted rapid change, but expensive.
What I like most about the new SAP solution is that if the organization already uses SAP systems it won’t have to introduce new technology just to support internal audit. Because SAP audit management is built on the SAP HANA platform, it will be easier to integrate the audit planning with the enterprise’s risk management information and with analytics for data mining, fraud detection, and risk monitoring. Internal auditors will be able to use the same analytics as business managers use to obtain information and run the business.
Furthermore, the new SAP audit management system will allow auditors with a simple internet connection to perform and document the audit wherever they are. I‘m a huge fun of running the business from the palm of your hand using mobile applications that work easily and in real time with the enterprise systems, whether in the cloud or in company data centers.
I am all for technology that helps extend the value of the investment organizations make in internal auditing. I believe the new technology solutions from SAP are worth a careful look. They’re built on some of the very latest, innovative ideas in technology, such as SAP HANA, and will enable internal auditors to perform their work at speed, upgrading their effectiveness and efficiency.
The days of running internal audit from spreadsheets and using audit data mining techniques developed in the last century should be left behind.
By way of full disclosure, I used to work for SAP and have a continuing relationship with them. However, my thoughts are my own and are not influenced by SAP’s management.
In a recent blog, I said I had asked one of the leaders of a CPA firms’ ERM consulting practice this question:
“Maybe you can help me understand how you would ensure that an HR manager makes the ‘right’ decision when deciding whether to hire a recruitment officer to support a new service center in Bangkok (opening in 6 months) now or in 3-4 months; support recruitment for the service center from the office in Singapore; hire one with experience only in Thailand or with broader experience across SE Asia; hire a single female in her late 20s or a married male in his late 50s; pay more than the individual being replaced (and go over budget) or hire a less experienced individual at a lower cost; include one or more business managers in the recruitment process; probe deeply or in a standard fashion into his/her references and background, which might delay hiring; and whether to hire an individual that is looking to advance to a director’s position within 2-3 years.”
As Arnold Schanfield predicted, the individual did not provide an answer to the question – although he agreed with the premise in the blog post.
In that earlier blog, I asked:
“…what are the organizational objectives here? Which are “at risk” and how can the HR manager (a) know what they are, (b) understand the potential effect of his choice on their achievement, and (c) know which decision means taking the desired level of risk?”
I shared another situation:
“Another example, which I use a lot, is the procurement manager who has to decide how she will source critical components (i.e., components critical to the manufacture of one of its primary products). Does she select the lowest cost provider who may not have the best reputation for quality, responsiveness, or on-time delivery? Or is it better to allocate the supply among the top three vendors? Or is it better to select one vendor and negotiate a long-term contract with opportunities for shared profit and innovation? Or should the procurement manager suggest to her director that the company consider building (or buying) its own facility for manufacturing these components?”
I asked “Which is the right risk to take? How can she know?”
A number of people provided their thoughts – and I thank them for sharing.
I believe the answer can be obtained using risk management principles (using the guidance of your choice – mine is ISO 31000). You can also consider, as I do, that these are principles for effective management and decision-making. Here is my thought process:
- The owner of an objective is also the owner of any risks to those objectives
- Where the owner of a risk is not responsible for all the actions and activities that affect the risk, he needs to communicate his needs to all whose actions he is dependent upon. In other words, he needs to make sure they know how their actions will affect him
- But that responsibility is not one-way. Managers should take responsibility for the effects their actions will have on others
- In the first example, every organization whose objectives are dependent on the new service center should ensure that their needs and expectations are known and understood by the managers of the new service center
- The manager of the service center needs to know how any failure to meet those needs and expectations will affect the business
- The manager of the service center needs to work with HR and ensure they not only understand that he wants to hire for the new operation but how critical that need is to the business. For each position, he needs to agree on requirements such as timing, experience, location, and so on
- The HR manager must go beyond any paperwork (e.g., staffing requisition) to ensure he understands all expectations, including the risk to the business should there be either delays or compromises in hiring
- The HR manager also needs to understand any legal, company policy (such as not discriminating based on gender, age, or race), or other requirement when deciding how, when, and where to hire the recruitment officer
- The HR manager should consult with other business managers, including the manager of the service center, before making any decision that could impact his service to them
- The manager of the service center should monitor progress in hiring the recruitment officer as a delay represents a risk to his and his customers’ objectives
- Any manager should be able to ask for assistance from the risk manager, such as facilitating a workshop to discuss the situation and agree on actions
- Each player should communicate any changes in the situation
- In the second example, the managers whose objectives are impacted by the procurement decision should ensure that the procurement manager fully understands their priorities (such as quality vs. cost vs. reliability, etc.)
- The procurement manager similarly needs to take responsibility for knowing his customers’ (within the business) priorities
- Where appropriate, in the opinion of the procurement manager or the managers of manufacturing or finance (for example), the decision should be made collaboratively
- The risk manager may be of value by facilitating a discussion
The bottom line is that in neither case should the decision-maker base their decision on their own objectives. They need to understand and consider the objectives of those affected by their decision.
Similarly, everyone whose objectives are “at risk” to decisions and actions made by another should seek out those others and work to ensure their and the organization’s objectives are known and considered.
Where possible, decisions should be made collaboratively with all those potentially affected.
Do you agree?