Reflections on the updated COSO Internal Control Framework

May 17, 2013 7 comments

I am still in the process of my detailed review of the update. However, I have already formed two opinions:

  1. The assertion that “an effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives” is excellent and I am pleased that it comes before any discussion of principles
  2. The assertion that follows, that this (reducing risk to an acceptable level) requires that “each of the five components and relevant principles is present and functioning” creates a serious problem

Let’s examine the problem created by COSO saying that effective internal control requires that all relevant principles are present and functioning. I say ‘principles’ because the Framework asserts that no component can be assessed as present and functioning if there are major issues with any of the related principles.

Rather than taking an approach that requires that risks to the achievement of objectives be identified, and then an assessment made as to whether the combination of controls across all components of the Internal Control Framework reduces the level of risk to acceptable levels (i.e., a top-down, risk-based approach like those recommended in PCAOB, SEC, and IIA guidance), the assessor is directed to assess the principles. This creates a high risk, highlighted by many commentators on the drafts submitted earlier for review, that the assessment will be based on a checklist: a checklist formed by the principles.

Now an argument can be made, requiring some contortions of logic, that the same result as a top-down and risk-based approach is achieved because the principles include the required steps of a risk-based approach (principle 7 refers to the identification of risks, principle 10 identifies control activities that “contribute to the mitigation of risks to the achievement of objectives to acceptable levels”, and principle 11 talks about IT general controls – though they should be included in principle 10). Then, so the logic goes, the assessment is made as to whether there are any major deficiencies (i.e., one that “severely reduces the likelihood that the entity can achieve its objectives”). Does this, in fact, result in the same assessment?

Possible, but unlikely.

  1. As we know from PCAOB and SEC guidance and our experience on SOX assessments, indirect entity-level controls do not necessarily result in a higher risk of failure to achieve objectives (in the case of SOX, the objective is a set of financial statements free from material misstatement). Indirect entity-level controls only create a higher risk that direct controls will fail. Then it is up to the assessor to determine whether, especially considering the quality of monitoring controls, the risk to objectives is greater than acceptable levels
  2. The determination of a major deficiency (see above) is not whether the risk to achievement of objectives is greater than acceptable levels. That assessment, requiring judgment, still has to be made but is not referred to as far as I can tell in the updated Framework
  3. I believe it is likely that an assessment based on the principles rather than risks to the achievement of objectives will result in (a) assessment of principles that are not relevant to the assessment of risk to achievement of objectives, and (b) a failure to consider all the key controls (using SOX language) relied upon to reduce the level of risk to objectives to acceptable levels

Why do I believe this? Just look at the COSO (or PwC) suggested templates for assessing internal control. Do they take a top-down, risk-based approach, or do they instead ask for an assessment of the principles, with yes or no answers and no reference to acceptable levels of risk?

I suspect that over time we will learn how to use the updated Framework while remaining true to the top-down and risk-based approach. But, in the meantime I fear that many will lose their way.

Until now, the choice has been rules-based or principles-based. I always thought that in the case of internal control, principles-based referred to the principle that internal control is not perfect and only provides reasonable assurance that risks to the achievement of objectives are at acceptable levels. PwC and COSO have blurred, in my opinion, the distinction between rules-based and principles-based. I just wish they had gone for “risk-based”.

I welcome your comments.

SAP’s Secret Recipe for GRC

May 2, 2013 4 comments

It is true that SAP has been selling a number of what it calls GRC solutions. (Now that I have retired from SAP I can tell you that I wish they didn’t call them that – which I will explain later.)

It is also true that the so-called Big 4 accounting firms have been explaining how organizations can address their SAP enterprise application access issues using SAP GRC.

So, the first secret, known only to a few, is that what the Big 4 are talking about is SAP’s Access Control suite. (Yes, it is actually a suite of several modules. Some customers make the severe mistake of only implementing a few, easy ones, instead of all of them – but that’s a topic for another post.)

SAP actually has several applications included in its GRC solution set: for enterprise application access, enterprise risk management, continuous monitoring and auditing (including risk monitoring), and global trade management. The middle two (Risk Management and Process Control) are quite nicely integrated, so that risk managers can link risks to controls and obtain assurance that the risks are being addressed by effective controls. The last one, Global Trade Solutions, is probably the market leader in its category but I would argue it doesn’t really fit into the typical “GRC” bucket. It enables management to comply rather than provide capabilities for monitoring compliance. Personally, I love it and would have been a very strong advocate for acquiring it at several of the companies where I was an executive. But, I wouldn’t call it a GRC solution.

The second and bigger secret is that SAP offers far more to those looking to improve their GRC processes than what is included in their GRC solution set. For example, if I were to take (as I have before) an executive position in risk management, compliance, or internal audit at an SAP customer, I would consider the following:

  • The core of my risk management program would be provided by SAP’s Risk Management solution. (Clearly, there are competitive products that would have to be considered, but let’s assume that the value of a consistent technology across my IT infrastructure, the availability of technical support, the continuing investment by SAP, and the potential for integration – discussed in a moment – means that SAP wins.)
  • In addition to the automated risk monitoring capability offered by that solution, I would use SAP’s analytics solutions (in all their forms) to monitor risk levels and warn me when they are outside my risk criteria. That would include using mobile analytics solutions to put risk management information in the hands of the executives and managers running the business.
  • I would use Process Control (or a competitor) for multiple purposes: (a) to manage my SOX program, (b) to automate the testing of configurable and other automated controls, and (c) to implement monitoring (i.e., detective) controls that might replace or, at least, augment my preventive controls.
  • SAP has a number of other solutions that I would consider for risk and transaction monitoring, including within their Treasury and Cash Management, Hedge Management, Trade and Commodity Management, and other solutions. Sybase (an SAP company) has an interesting product called Event Stream Processor that can be used in real time to test activities against defined rules.

If I were, as I said, an executive responsible for improving my organization’s GRC processes, I would not simply go out and get a so-called GRC solution or GRC platform. No. I would understand and define my particular business needs. As a strong proponent of managing risk at the speed of business and providing assurance that risks are managed at that speed, I need a core repository kind of program that is nicely integrated with continuous monitoring and analytics capabilities.

Maybe there’s a better set of solutions for an SAP environment than those offered by SAP. Maybe. But I have yet to see it. It is going to be difficult to persuade me that the advantage SAP has (with (a) its risk management and analytics applications built on the same technology as each other and the enterprise applications, (b) being the largest enterprise application software company in the world, and (c) also being, I believe, the largest GRC software company in the world) doesn’t overwhelm the advantages niche vendors may have with individual points of functionality.

Oh, I said I would explain why I don’t like SAP calling their solutions “GRC”.

  1. What is GRC?
  2. Perhaps because SAP only (or mainly) talks about its GRC solutions, people don’t know SAP has a pretty good risk management solution
  3. Organizations should be looking to address their specific needs instead of acquiring a GRC platform whose functionality is designed to meet an analyst’s needs, not necessarily theirs.

I welcome your views and commentary.

PS – Some of my semi-retirement activities are sponsored and supported by SAP, but all the opinions I share are mine and mine alone – without influence from SAP.

Why it makes sense to consider GRC

April 29, 2013 1 comment

I recently criticized organizations’ focus on GRC, suggesting instead that they ensure the individual building blocks of risk management, compliance, strategy, and performance management are brought up to at least a moderate level of maturity.

But, there is true value in considering GRC within your organization – without taking away from the points I made in that earlier post.

GRC refers to “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance)”.

The message behind GRC is that all of the different pieces described and included in that definition of GRC need to work together, in harmony and an orchestrated fashion, if the organization is to optimize performance and reliably achieve objectives. For example:

  • If strategy is developed and only then is risk considered (instead of formulating strategy after understanding risks and opportunities both within the organization and in its business environment), you may set the wrong strategies and objectives.
  • If performance is evaluated, monitored, and managed without an integrated understanding of risks or compliance considerations, you are unlikely to optimize results.
  • If politics and other factors cause the organization to fail to share information and resources, and to run redundant, siloed operations, you are unlikely to perform well.
  • If the compliance function is always chasing after initiatives and plans so it can add compliance band-aids, instead of being on the bus from the beginning, failure is likely.

I think organizations need to build out the maturity of the individual pieces of GRC while ensuring that they don’t result in silos, and with a vision of orchestration and harmony across the organization.

Since the failure to harmonize is most often the result of the sickness we call internal politics, this needs to be monitored, diagnosed, and treated aggressively.

I welcome your views and comments.

John Fraser talks sense about risk management

April 24, 2013 3 comments

John Fraser is a highly-respected Canadian risk and audit practitioner. He introduced and then for 13 years led the risk management program at Hydro One. John shares his wisdom on effective risk management with both common sense and humor. I like his book on ERM, which you can find on Amazon.

In a new piece, John uses the scenario of a board chairman addressing the board to explain enterprise risk management. It is an easy read, useful for directors, executives, and practitioners.

I particularly like and agree with these comments:

  • [The Chief Risk Officer (CRO)] will report directly to the chief executive officer (CEO) and will champion and coordinate our approach to ERM. Accountabilities for managing risks will remain with line managers as before. The CRO role will provide ways to help us view risks from across our company and to better allocate our resources. The CRO will be a support function helping the management team with reporting to the board, and in coordinating risk activities across the organization
  • [Risk criteria] will help decision makers across the company understand how much risk is tolerable, what is intolerable and where further action is required. These criteria (often referred to as risk appetite, risk attitude or risk tolerance by some) will be updated by management and reviewed by the board at least annually
  • ERM will also involve better and more explicit integration of risk considerations into the strategy development, business planning and execution processes. Everything we do as a company should be done to treat and optimize the risks and uncertainties to achieving our long-term strategic plan
  • We expect that the use of ERM will make everyone’s job easier by leading to greater transparency and foresight into how we manage risks across the organization and this in turn will lead to us achieving our goals with even greater success in the future

John is a big believer in risk workshops, which he used at all levels of the organization including with the board. I agree that they are essential and very valuable, but also believe that some decisions need to be made at speed – when there is little time to convene a workshop. My philosophy is that risk workshops should supplement but not replace a management that is trained and equipped to manage risk as part of everyday decision-making.

One interesting aspect of the risk management program at Hydro One was the edict by the CEO that capital would be allocated based on risk prioritization. Every request for capital had to identify the risk(s) being addressed. This worked well for them in their environment. I am not sure it would work as well in other business environments, but it remains a thought-provoking idea well worth careful consideration.

I welcome your consideration of John’s piece and my comments.

Is serving on an audit committee a job to love or fear?

April 18, 2013 2 comments

Lucy Marcus is recognized as a governance expert and has served as chair of audit committees for many years. In a piece for Reuters, she called serving on an audit committee “the toughest job you’ll ever love”. I recommend reading her post and listening to the video that shows her answering questions about the HP and Autonomy affair.

I have worked with audit committees for over 20 years, with many directors for whom I have admiration and great respect, and a few who contributed less than they should.

It is a tough job, and I have some pieces of advice for those willing to take it on:

  1. Ensure you make the time the job requires. Unfortunately, some fail to read their briefing packages until (at best) the day of the meeting or (at worst) during the meeting. If you cannot afford the time, it is time to leave.
  2. Don’t treat it as something you do only when there are board meetings. Stay on top of issues and talk to members of management as often as it takes.
  3. Don’t be afraid of asking questions and demanding answers. If management says “we will get back to you”, make sure they do.
  4. Make sure you, as members, own the committee agenda. It is your committee and you should not permit management to dictate either the time, duration, or content of meetings.
  5. Make sure management understands what you need and expect in terms of information: what, when, how, and in what manner it will be delivered – and also ensure you have sufficient detail to understand the issues and ask the right questions.
  6. Make the time to get to know the key players, including not only top management such as the CEO and CFO, but other critical sources of information such as the Corporate Controller, Treasurer, Head of Taxes, Chief Risk Officer, and the Chief Audit Executive. Spend time with them and their staff as necessary – and listen, listen, listen.
  7. While it is important to build a relationship with the external audit partners and make sure you have confidence in their abilities, recognize that their level of insight into daily operations and risk-taking is limited. I had a CFO who told the board that “If you want to know what is really going on, ask the internal auditor”.
  8. Ensure you understand the business, its strategies, financial information, risks, key personnel, etc. How can you govern effectively if you don’t?
  9. Get to know the other directors and talk, without management present, about the issues and challenges.
  10. While it is easy to bond with management, the job of the board and especially of the members of the audit committee is to provide oversight. Clothe yourself with an appropriate level of professional skepticism and ask questions until you are satisfied with the answers.

I welcome your views, especially additional advice for audit committee members.

EY gets a “B-” for their IT audit guidance

April 14, 2013 4 comments

Recently, Ernst & Young published advice for internal audit functions regarding their IT audit work. Ten key IT considerations for internal audit starts out in brilliant fashion by pointing to the need to:

  • Identify and understand the “risks that matter” (an expression I have been using and advocating for some time)
  • Invest in the risks that are “mission critical” to the organization, and
  • Effectively assess risks across the business

Three positive and excellent points towards a high review score!

But, then they falter:

  • They focus on the weeds of IT audit, instead of making sure that internal audit as a whole is focused on the risks that matter, including those relating to technology. Guidance should not be aimed at the senior IT auditor, but to the chief audit executive (CAE) and the board
  • They talk about traditional so-called “IT risks”, such as information security, cloud, social media, and privacy, instead of upgrading their (and our) thinking by reflecting on risks to the business as a whole – the risks that matter and are mission critical to the organization – and how they are affected by failures to use and manage technology well
  • They suggest a separate IT risk assessment, rather than a fully integrated business risk assessment

These days, as InformationWeek (March 18 issue) proclaims on its cover, it’s “Goodbye IT, Hello Digital Business”. When CEOs are looking to technology as the #1 way to reach customers, deliver new products and services, and grow the organization, internal auditors and the boards they serve should be thinking large: what are the mission-critical organizational objectives and how might they be affected (positively or adversely) by the use or misuse of technology? Instead of, as EY suggests, talking about ‘availability’, talk about the potential that new mobile payment applications might be unavailable, resulting in customers moving to competitors.

EY missed some major issues as well:

  • With technology being the #1 enabler for growth and strategy, the CIO needs to step up. He needs to change from being the janitor, responsible for maintaining the IT infrastructure, to the strategic visionary that helps guide the organization to new heights built on some of the latest technology. The CAE and the IT audit team need to be concerned with whether the full potential value is being obtained from technology – a major aspect of IT governance
  • With more code being written for mobile than any other platform, and more and more mission-critical functionality being delivered on (not just through) mobile devices, mobile app change management becomes one of the greatest technology process risks

This week, I will be speaking at the ISACA North America CACS Conference. My main message is that when 80% of business risks relate to technology (a situation which is not far away), the IT audit function will have to be mainstream – and resourced to address 80% of the audit plan.

It is time to rethink the whole idea of IT audit as a specialization. Maybe it should be mainstream and finance becomes the specialization!

I welcome your thoughts and comments.

Boards should be concerned about their CEOs

April 6, 2013 4 comments

A recent post on the Harvard Business Review site, What CEOs Really Think of Their Boards, makes interesting reading.

While the author’s early message is that boards need to tone down their oversight and “not adopt an adversarial, ‘show me’ posture toward management and its plans”, I think the real lesson to be learned from hearing what CEOs have to say is that careful, skeptical, oversight by the board is an absolute necessity more often than not!

But, before going further I should pay homage to some of the fine CEOs I have worked with, including Tom O’Malley (Tosco), C.S. Park (Maxtor), and John Schwarz (Business Objects). Each was a fine balance of vision, leadership, entrepreneurship, and integrity.

Boards should tune their skepticism to each situation. When an executive has built and earned their trust, they will dial it down. Yet, when a proven executive floats an ambitious idea, they should exercise their oversight responsibilities with care and diligence.

What was it that rang some alarm bells for me? First, let’s consider that the great majority of board members are former or active CEOs themselves, followed by CFOs and others highly experienced in executive leadership. Any criticism of these people for being overly cautious, when their backgrounds and experiences are similar to the CEOs delivering the criticism, does not ring true. In fact, when natural risk-takers become cautious, I have to believe they have good reason.

Some quotes:

  • In theory, a board should serve as a check on a “cowboy CEO,” as one executive puts it. In reality, it can rein in boldness too tightly.
  • CEOs complain that boards often lack the intestinal fortitude for the level of risk taking that healthy growth requires. “Board members are supposed to bring long-term prudence to a company,” as one CEO says, but this often translates to protecting the status quo and suppressing the bold thinking about reinvention that enterprises need when strategic contexts shift.
  • CEOs are especially frustrated when directors’ risk aversion is driven by fears of bad press. They note that the rise in stakeholder and proxy-analyst pressures has made directors sensitive to any decision that might provoke a negative reaction from the media, proxy-advisory firms, institutional analysts, or activist investors.

Later in the paper, the author covers some important, but well-known, points about feeding the board with relevant and timely information, diversity, constructive and open dialogue, and the need for mutual respect. On balance, this is an interesting and useful read.

I welcome your views and comments.
