A Call For Internal Audit Change

July 21, 2014

The IIA has released a new report calling for change. Enhancing value Through collaboration: A call to action has a lot of value, drawing on the results of IIA, KPMG, and PwC surveys and reports among others, together with insights and comments from IIA leaders and CAEs.

Change is needed because “Fewer than half (49 percent) of senior management responding in PwC’s survey believe that internal audit is performing well at obtaining, training, and/or sourcing the right level of talent and the right specialists for its needs.”

The IIA report references five strategies that internal audit leaders should adopt for success:

  1. Improve Upon Alignment With Expectations of Key Stakeholders
  2. Assume a Leadership Role in Coordinating the Second and Third Lines of Defense
  3. Enhance Internal Auditing’s Capability to Address Critical Strategic Business Risks
  4. Develop and Implement Knowledge and Talent Acquisition Strategies
  5. Become a Trusted Advisor to the Audit Committee and Executive Management

Some of the excerpts with which I agree include:

-  There is a need for “a global shift toward greater coverage of risk management, business strategy, and governance” by internal audit.

-  Sprint CFO Joe Euteneuer tells PwC, “internal audit’s mandate is to be proactive in helping us forecast, assess, and manage risk. They are expected to partner with the business as they manage day-to-day operations and be an ‘idea tank’ for insights around risks and controls for the overall benefit of the company.”

-  The first step, according to KPMG’s report, is to “recognize that internal audit is most effective when it is focused on the critical risks to the business, including key operational risk and related controls — not just compliance and financial reporting risks.”

-  Internal audit needs to shift its mindset and be cognizant of an ever-changing operating environment.

-  Presuming maturity of the company’s internal control structure, the CAE should present a strategic internal audit plan, spanning three to five years and showing a reduction in assurance services and an increase in advisory services — in accordance with what the internal control structure will permit. The CAE should not lose sight of the need for flexibility and adaptability in response to emerging risks. Such a plan should present in detail how those advisory services will be performed and how they tie into the company’s business plan.

-  “It becomes incumbent on CAEs to communicate clearly where within their audit plans they have identified and addressed the organization’s key strategic and business risks. Explicit rather than implicit communication with full transparency is needed to avoid any misunderstanding of this critical risk coverage.” — Richard Anderson, Clinical Professor of Risk Management, DePaul University

Some believe I speak for the IIA – that is not correct. From time to time, I disagree (sometimes strongly) with official IIA positions. That happens to be the case with some of the advice in this IIA paper.

The IIA “advocates educating key stakeholders on the three lines of defense model, comprising management controls, risk management, and internal audit. Communicating this model and coordinating with other assurance providers has made slow progress.” I disagree, but will cover my issues with the three lines of defense model in another post.

Today, I want to comment on the first of the five strategies, “Improve Upon Alignment With Expectations of Key Stakeholders”.

The paper talks about understanding the expectations of the board (and top management), agreeing with them on what constitutes value, and then delivering that value.

At first glance, this seems reasonable and appropriate.

The trouble is that most boards and top management have no idea what internal audit is capable of doing – which is why so many insist on internal audit focusing on financial and compliance risks, rather than expanding into strategic and operational areas. It is also why boards are not demanding that internal audit provide assurance on risk management or address the risks of failures in governance processes.

If we only strive to align and meet the expectations of ‘ignorant’ boards and top management, we are doomed to repeat the failures of the past.

Instead, we must recognize our obligation to address all risks to the success of the organization, including those pertaining to governance, risk management, and so on.

Where our boards and top management don’t understand, rather than fall in (or fail in) quietly we must do our best to educate them of our responsibilities and capabilities. Where needed, we must expand our capabilities so we address these key risk areas in a professional and competent manner.

For example, Lord Smith of Kelvin told the International IIA Conference in Kuala Lumpur that “the fish rots from the head down” and that the greatest risk to an organization relates to defects in the CEO and his executive team.

Where we are witness to failures at the C-suite level, should we behave like the three monkeys because the board and management do not expect us to address that risk?

Or, do you disagree?

Understanding Governance Risks

July 14, 2014

How many boards, let alone risk officers, think about the risks to their organization if the governance by the board and top management is ineffective?

Certainly, people talk about the potential for the wrong tone at the top. Frankly, I doubt that members of the board will be able to detect those situations where top executives talk a good game but walk to a different tune; where they put the interests of their pockets ahead of the reputation and long-term success of the organization; where they are prepared to take risks with the organization’s resources without risk to their own.

But governance risks extend well beyond that.

Failures to have the time to question and obtain insight into how the organization actually works can leave the enterprise without effective risk management, information security, internal auditing, and more.

Failures to provide the board the information it needs, when it needs it, leave the directors blind, although they may think they can see.

The governance committee of the board should, in my opinion, consider risks related to governance processes every year. It should engage both the risk and internal audit teams to ensure a quality assessment is performed. Legal counsel should also be actively engaged as issues might have consequences if they are not handled well; for example, any assessment that the board has gaps in director knowledge, experience, or ability to challenge the executive team cannot be communicated outside the firm.

Do you agree? I welcome your comments.

Guidance for Directors on Disruptive Change

July 7, 2014

Every organization needs to be able to not only anticipate and address the inevitability of change that might disrupt its business, but be prepared to take advantage of the opportunities that will present themselves.

We talk about risk as if every uncertainty has a downside.

We talk about opportunity as if it is something that we choose to seize or not, and do little to ensure we identify and take full advantage. How do we expect to optimize our performance when we are cavalier about moving quickly to take advantage of opportunities that may rise and disappear quickly?

We talk about resilience as if we should stand tall, like a wall, in the face of disruptive change. Perhaps we should move, either out of the way or to align ourselves to benefit from the movement (think Aikido).

In fact, all of these come into play. Situations and events can have multiple possible effects, some good and some bad, and are not limited to one outcome at a time. As a simple example, the loss of one employee is the opportunity to hire somebody with different skills, reorganize the function, and so on.

What distinguishes our times from years past is the pace of change.

Deloitte recently published Directors’ Alert 2014: Greater oversight, deeper insight: Boardroom strategies in an era of disruptive change. Here are some excerpts:

“Sometimes, changes occur that are more dramatic. In the past, disruptive changes usually happened only periodically and resulted in a sustained plateau – the automated assembly line, for example, which revolutionized industry in the early twentieth century, continues to be a central feature of modern manufacturing. Today, however, disruptive change has become a perpetual occurrence in which one change instantly sparks a chain of others. What’s more, these changes are being generated by a variety of factors – digital disruption created by continuing technological advances, regulatory reforms, economic turmoil, globalization, and shifting social norms and perceptions.”

“In this environment, everything and anything may change at any time as category boundaries are blurred, supply chains are disrupted, and long-standing business models become obsolete. With change, however, comes opportunity. Technological advances enable organizations to generate new revenues by targeting new customers, new sectors, and access new geographies while more fully automating back office activities and divesting of declining assets to reduce costs. The challenge for organizations is to recognize when disruptive change is occurring and to act quickly and decisively when it does.”

“In this environment of ongoing, tumultuous change, organizations and their management and boards of directors must respond quickly and adeptly if they are to effectively address all the disruptive changes that surround and affect them. For boards of directors, this often requires greater oversight – expanding their scope to include activities and areas that were not traditionally part of their mandate. At the same time, boards must ensure that management provides them with deeper insights into the organization’s activities so directors can clearly understand all of the potential opportunities and risks.”

Deloitte takes each area of major change (such as strategy, technology, taxation, regulatory compliance and so on) and includes questions for directors to use in discussions with management.

I am working with ISACA on guidance for directors and executives on how disruptive technology might affect corporate strategy. I came up with a few questions of my own that directors and top executives might use:

  1. How does the organization identify the new or maturing technologies that might be of value and merit consideration in setting or adjusting strategies, objectives, and plans?
  2. Who is responsible for the assessment process?
  3. Who determines whether existing strategies, objectives, or plans should be adjusted?
  4. Does the assessment consider the potential for value to be created in multiple areas of the organization, or does each functional area act on its own?
  5. Does the assessment consider, with inclusion in the process of related experts, potential compliance and other risks?
  6. Does the assessment consider the potential actions of competitors, suppliers, customers, and regulators?
  7. Does the board discuss the potential represented by new or maturing technology on a regular basis and as part of its discussions of enterprise strategy?

Do you think these are the right questions? How would your organization fare?

I welcome your comments.

New Technology for Internal Auditors from SAP

July 5, 2014

My good friends at SAP have shared the good news with me. They’re releasing a new technology solution for internal auditors at the IIA International Conference in London. I only wish I could be there to join the celebration.

As the head of internal audit departments at major global corporations for twenty years, I always looked for ways to upgrade our effectiveness and efficiency. For example, I used analytics software for data mining (especially when it came to fraud detection) and risk monitoring. However, the technology solutions developed specifically for internal auditors were often not supported by my company’s IT department and were difficult to use against core enterprise financial and other systems. I got around this by hiring proficient programmers (in one company, all they did was develop and run reports for our audit engagements).

I also spent a number of years as an executive in IT and experienced first-hand the problems created when an organization’s technology environment is fragmented, with applications from multiple vendors using different platforms, languages, database systems, and so on. It not only made supporting customer needs tough, especially when they wanted rapid change, but expensive.

What I like most about the new SAP solution is that if the organization already uses SAP systems it won’t have to introduce new technology just to support internal audit. Because SAP audit management is built on the SAP HANA platform, it will be easier to integrate the audit planning with the enterprise’s risk management information and with analytics for data mining, fraud detection, and risk monitoring. Internal auditors will be able to use the same analytics as business managers use to obtain information and run the business.

Furthermore, the new SAP audit management system will allow auditors with a simple internet connection to perform and document the audit wherever they are. I’m a huge fan of running the business from the palm of your hand using mobile applications that work easily and in real time with the enterprise systems, whether in the cloud or in company data centers.

I am all for technology that helps extend the value of the investment organizations make in internal auditing. I believe the new technology solutions from SAP are worth a careful look. They’re built on some of the very latest, innovative ideas in technology, such as SAP HANA, and will enable internal auditors to perform their work at speed, upgrading their effectiveness and efficiency.

The days of running internal audit from spreadsheets and using audit data mining techniques developed in the last century should be left behind.

By way of full disclosure, I used to work for SAP and have a continuing relationship with them. However, my thoughts are my own and are not influenced by SAP’s management.

Risk Management Challenge – The Answer

July 1, 2014

The Question

In a recent blog, I said I had asked one of the leaders of a CPA firm’s ERM consulting practice this question:

“Maybe you can help me understand how you would ensure that an HR manager makes the ‘right’ decision when deciding whether to hire a recruitment officer to support a new service center in Bangkok (opening in 6 months) now or in 3-4 months; support recruitment for the service center from the office in Singapore; hire one with experience only in Thailand or with broader experience across SE Asia; hire a single female in her late 20s or a married male in his late 50s; pay more than the individual being replaced (and go over budget) or hire a less experienced individual at a lower cost; include one or more business managers in the recruitment process; probe deeply or in a standard fashion into his/her references and background, which might delay hiring; and whether to hire an individual that is looking to advance to a director’s position within 2-3 years.”

As Arnold Schanfield predicted, the individual did not provide an answer to the question – although he agreed with the premise in the blog post.

In that earlier blog, I asked:

“…what are the organizational objectives here? Which are “at risk” and how can the HR manager (a) know what they are, (b) understand the potential effect of his choice on their achievement, and (c) know which decision means taking the desired level of risk?”

I shared another situation:

“Another example, which I use a lot, is the procurement manager who has to decide how she will source critical components (i.e., components critical to the manufacture of one of its primary products). Does she select the lowest cost provider who may not have the best reputation for quality, responsiveness, or on-time delivery? Or is it better to allocate the supply among the top three vendors? Or is it better to select one vendor and negotiate a long-term contract with opportunities for shared profit and innovation? Or should the procurement manager suggest to her director that the company consider building (or buying) its own facility for manufacturing these components?”

I asked “Which is the right risk to take? How can she know?”

A number of people provided their thoughts – and I thank them for sharing.

The Answer

I believe the answer can be obtained using risk management principles (using the guidance of your choice – mine is ISO 31000). You can also consider, as I do, that these are principles for effective management and decision-making. Here is my thought process:

  1. The owner of an objective is also the owner of any risks to those objectives
  2. Where the owner of a risk is not responsible for all the actions and activities that affect the risk, he needs to communicate his needs to all whose actions he is dependent upon. In other words, he needs to make sure they know how their actions will affect him
  3. But that responsibility is not one-way. Managers should take responsibility for the effects their actions will have on others
  4. In the first example, every organization whose objectives are dependent on the new service center should ensure that their needs and expectations are known and understood by the managers of the new service center
  5. The manager of the service center needs to know how any failure to meet those needs and expectations will affect the business
  6. The manager of the service center needs to work with HR and ensure they not only understand that he wants to hire for the new operation but how critical that need is to the business. For each position, he needs to agree on requirements such as timing, experience, location, and so on
  7. The HR manager must go beyond any paperwork (e.g., staffing requisition) to ensure he understands all expectations, including  the risk to the business should there be either delays or compromises in hiring
  8. The HR manager also needs to understand any legal, company policy (such as not discriminating based on gender, age, or race), or other requirement when deciding how, when, and where to hire the recruitment officer
  9. The HR manager should consult with other business managers, including the manager of the service center, before making any decision that could impact his service to them
  10. The manager of the service center should monitor progress in hiring the recruitment officer as a delay represents a risk to his and his customers’ objectives
  11. Any manager should be able to ask for assistance from the risk manager, such as facilitating a workshop to discuss the situation and agree on actions
  12. Each player should communicate any changes in the situation
  13. In the second example, the managers whose objectives are impacted by the procurement decision should ensure that the procurement manager fully understands their priorities (such as quality vs. cost vs. reliability, etc.)
  14. The procurement manager similarly needs to take responsibility for knowing his customers’ (within the business) priorities
  15. Where appropriate, in the opinion of the procurement manager or the managers of manufacturing or finance (for example), the decision should be made collaboratively
  16. The risk manager may be of value by facilitating a discussion

The bottom line is that in neither case should the decision-maker base their decision on their own objectives. They need to understand and consider the objectives of those affected by their decision.

Similarly, everyone whose objectives are “at risk” to decisions and actions made by another should seek out those others and work to ensure their and the organization’s objectives are known and considered.

Where possible, decisions should be made collaboratively with all those potentially affected.

Do you agree?

Board Oversight of Cyber-Risks

June 29, 2014

Over the last few years, “cyber” has moved from science fiction to business reality. I am not sure why we changed from talking about information security to cyber, but I am told (yet not convinced) that there is a difference.

In any event, boards and top management need to be concerned with cyber-risks because of the potential harm an adverse incident can cause to the organization’s reputation and trust, intellectual property, and compliance with applicable laws and regulations – and the business disruption can be even greater.

But how much should boards get involved? Should we expect directors to ask for and inquire about details, or should they instead ask probing questions and satisfy themselves that management has appropriate mechanisms in place?

Cyber Risk Oversight, a publication of the National Association of Corporate Directors (NACD), in collaboration with AIG and the Internet Security Alliance, takes the position that directors should ask questions. (The executive summary is free, but the detailed questions are in appendices that are only free to members).

I like their five principles, especially the first two:

  1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
  5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

While some would like to see information security (a.k.a. cybersecurity) as an issue that merits attention all by itself, the potential effect on the entire business and its ability to achieve its objectives justifies cyber being recognized as a business and not “just” an IT issue.

In fact, the level of risk associated with any cybersecurity failure should be measured like any risk, in terms of its effect on the achievement of enterprise objectives. This means that the interrelationship between cyber and revenue generation, customer satisfaction, and so on all need to be considered.

In addition, the investment the organization makes in cybersecurity should be commensurate with the level of risk and balanced against competing needs for capital from other aspects of the business.

Should there be an IT committee of the board? Should the board have several cyber experts who can understand and provide effective oversight? I think the answer is “it depends” – on the level of risk that cyber represents to the organization and whether the board can use the services of experts (such as within risk management and/or internal audit) to fill any knowledge gaps.

I agree with the NACD that the board should ensure it has sufficient information and expertise to ask the right questions of management at regularly scheduled board meetings. I believe they should demand both internal audit and risk management assistance in assessing cyber-risk and the adequacy of management’s programs for managing it.

Do you agree?


A Risk Management Challenge for You

June 21, 2014

I hope I have been consistent in my message: that risk appetite and other top-level guidance only enables an after-the-fact answer to the question of “did we take the right risks”.

They don’t provide the guidance people need when they make decisions as part of running the business on a daily basis.

I am in the middle of an email discussion with a leader of one of the Big 4 CPA firms’ risk management consulting practices. He is one of the few from the Big 4 that I have heard say the same thing I do – that risk is taken every time you make (or decide not to make) a decision, and that those making decisions need guidance on which are the right ones to take.

This gentleman has developed a somewhat complex process that takes the organization’s objectives, identifies the type and general source of risks to each of those objectives, determines at a high level the aggregate level of risk to each objective that would be acceptable, and then drives this down to the decision-makers whose actions create or modify those risks – and finally determines what would constitute an acceptable level of risk at their level.

It’s a valiant attempt to deliver guidance to those taking or modifying risk every day.

But is it enough?

I asked him this question, to which he has not yet replied:

“Maybe you can help me understand how you would ensure that an HR manager makes the ‘right’ decision when deciding whether to hire a recruitment officer to support a new service center in Bangkok (opening in 6 months) now or in 3-4 months; support recruitment for the service center from the office in Singapore; hire one with experience only in Thailand or with broader experience across SE Asia; hire a single female in her late 20s or a married male in his late 50s; pay more than the individual being replaced (and go over budget) or hire a less experienced individual at a lower cost; include one or more business managers in the recruitment process; probe deeply or in a standard fashion into his/her references and background, which might delay hiring; and whether to hire an individual that is looking to advance to a director’s position within 2-3 years.”

We say that risk is the effect of uncertainty on objectives and that you have to assess each risk within the context of objectives.

But what are the organizational objectives here? Which are “at risk” and how can the HR manager (a) know what they are, (b) understand the potential effect of his choice on their achievement, and (c) know which decision means taking the desired level of risk?

In practice, the HR manager has his own objectives, as does the HR department. For example, he probably believes that one of his primary objectives is staying within budget. Can he achieve that without adversely affecting another department’s objectives to an unacceptable extent?

It’s not only that delaying hiring or hiring somebody with insufficient experience may adversely affect the operation of the new service center, but problems at the new service center might result in failures to bill customers accurately, pay critical vendors on time, produce accurate financial and operational reporting, and more. The ripple effect could be substantial and affect multiple organizational objectives.

A (COSO) risk appetite statement or framework set by the top management team and approved by the board is of no help.

Are (ISO 31000) risk criteria any better?

Management decisions like this are made every day.

Another example, which I use a lot, is the procurement manager who has to decide how she will source critical components (i.e., components critical to the manufacture of one of its primary products). Does she select the lowest cost provider who may not have the best reputation for quality, responsiveness, or on-time delivery? Or is it better to allocate the supply among the top three vendors? Or is it better to select one vendor and negotiate a long-term contract with opportunities for shared profit and innovation? Or should the procurement manager suggest to her director that the company consider building (or buying) its own facility for manufacturing these components?

Which is the right risk to take? How can she know?

I welcome your comments.

Isn’t this the core, the heart of risk management?
