Risk Leadership: A review by Felix Kloman of a new book by David Hancock
Felix Kloman is one of the most respected gurus of risk management, someone whose views always merit thoughtful consideration. He recently sent a group of us this review and graciously agreed to let me share it with you, here.
Dave Hancock’s ideas are stimulating and I hope you will share your comments after reading Felix’s summary of the highlights.
Felix’s Review
Last October I submitted to a whim and bought a new UK book, simply on the strength of its title: Tame, Messy and Wicked Risk Leadership (Gower, Farnham 2010) by David Hancock, the Head of Project Risk of London Underground and a visiting Fellow at Cranfield University.
Now admit to me, that title is intriguing! So I opened its 88 pages and thought, a “walk-through.” Unfortunately, other, better-written tomes intervened and I’ve only now finished it.
Hancock starts by re-defining risks as four types: (1) tame – “straight-forward, simple, linear causal relationships” that can be “solved” by analytical methods; (2) messes: with “high levels of system complexity”; (3) wicked problems: “with high levels of behavioral complexity”; and (4) wicked messes: in which “behavioral and dynamic complexity coexist and interact.” While I like these titles better than the ones we’ve been using, I really wonder: are not all risks “wicked messes?” Do we over-simplify too many situations?
But after trudging through these redefinitions, Hancock does come up with a few zingers:
- “Behavioral and societal aspects of risk are under-represented in risk management processes.” True!
- “Risk management, constructed in accordance with the rules of probability, can give the illusion of control and understanding when in fact there is only further confusion.” We think we know what we are doing!
- “The general perception among project and risk managers that we can somehow control the future is, in my opinion, one of the most ill-conceived in risk management.” Agree!
- “Risk in our world is nothing more than uncertainty about the decisions that other human beings are going to make and how we can best respond to those decisions.”
- “. . . remember that risk can be considered our friend (opportunity), not just our adversary.” We must always consider the plus side.
- “. . . risk (is) an illusory concept that exists in the consciousness of individuals developing a solution.” It is inherently a human perception.
It is Hancock’s summary on page 88 that makes this book worthwhile. He suggests a new title — Risk Leadership — inasmuch as we cannot “manage” risk, with the following characteristics (all direct quotes):
- Recognizes the possibility of different outcomes and tries to ensure that risk activities are directed towards making an acceptable set of outcomes more likely.
- Uses concepts and images which focus on social interaction among people, understanding the flux of events and human interaction, and the framing of projects within an array of social agenda, practices, stakeholder relations, politics and power.
- Develops behaviours (sic!) and confidence in teams through scenario planning and team-building to identify and respond to risks and opportunities. (my italics)
- Understand the ‘many acceptable futures’ proposition and manages risk to produce the changes needed to achieve acceptable outcomes.
- Practitioners as reflective listeners (great point!). Learning and development facilitate the development of reflective practitioners who can learn, operate and adapt effectively in complex project environments, through experience, intuition and the pragmatic application of theory in practice.
- Applies concepts and frameworks which focus on risk management as value creation, whilst aware that ‘value’ and ‘benefit’ will have multiple meanings linked to different purposes for the organization, project and individual.
- Adapts the risk process to overcome major political, bureaucratic and resource barriers to develop change in behaviours (sic again!) through trust and managing expectations.
- Based on the development of new risk models and theories that recognize and take cognizance (sic) of the complexity of projects and project management at all levels and that the model is only part of the complex terrain.
- Has learned to live with chaos, complexity and uncertainty, and leads through example to a successful conclusion.
Isn’t this the beginning of a restatement of the [risk management] discipline? We can certainly simplify and abbreviate these nine points, but I see some new ideas at last. And “risk leadership” is a positive approach in contrast to the heavy burden of negativism that weighs down our discipline these days!
What do you think?
A more radical view of what the Audit Committee should worry about in 2012
I want to refer you to two pieces. The first is a set of 10 questions for audit committees from PwC. It’s the 2012 version of their annual publication. The second is a challenging interview on BBC with governance and board thought leader Lucy Marcus.
PwC has a fairly vanilla, traditional set of questions, and I have no problem with any audit committee and their advisors making sure these are addressed.
But, is this enough?
Lucy and the BBC interviewer, rightly, address the question of whether boards (and audit committees) are doing enough to represent stakeholders and their interests. I suggest that is a question every board and committee should be asking.
In other words, go beyond the tactical questions such as in the PwC piece, and take on the strategic issue of audit committee performance.
I suggest audit committees consider these questions:
- Do the members and the committee as a whole have sufficient expertise and understanding of the issues facing the company and the committee to provide effective oversight? Is everybody an active or former CEO, except for a single retired CFO who fills the ‘financial expert’ requirement? Does that really meet the needs for a diverse committee with an understanding of the business environment (including regulatory matters); risk management; how to ensure quality external audit (more below) and internal audit performance; ethics; information technology; and compliance?
- Does the committee have sufficient, timely, reliable, and current information? As Lucy and the interviewer ask, are you reliant solely on the information provided by top management? Is that sufficient? How will you know if it is incomplete? Are you getting the information you need when you need it to meet your governance responsibilities?
- Is the committee sufficiently active, asking appropriate penetrating questions of management – and following up to ensure actions are taken? Referring back to the BBC interview, are members of the committee willing to challenge the CEO, CFO, and general counsel?
- Does management have effective risk management programs in place that provide reasonable assurance that risks (including opportunities) will be identified, assessed and evaluated, and then treated promptly to ensure they remain within acceptable limits? Ask clarifying questions about whether (a) the company is sufficiently nimble and agile so that it can respond when conditions in the market change, and (b) risk is an integral part of how decisions are made – including how strategy is set by executives and approved by the board. Unfortunately, the PwC commentary on risk management focuses on disasters and preparedness rather than the management of risks across the organization.
- How can the committee ensure that the external audit team is (a) objective, (b) comprised of quality individuals in every geography, (c) basing their work on a solid understanding of the company’s financial reporting risks, and (d) working effectively with management and leveraging the insights of the internal audit team? Rather than wait for and rely on SEC actions, the committee should consider whether it has the means to evaluate the above and how the external audit firm measures up. There have been too many ‘audit failures’ over the last year or two for this not to be on the audit committee agenda.
- Are the organization’s external reports driven solely by the need to comply? Do they meet the needs of the stakeholders for clear information? How far should the organization go to improve transparency and the use of plain English? Will the company disclose social responsibility and other information that is not yet required by regulation, but is increasingly sought by investors, the community, and other stakeholders?
- Is the committee getting the most from internal audit? Does internal audit understand and provide assurance on the more significant risks? Do you get an annual opinion? Is internal audit helping you understand and address the maturity and effectiveness of governance and risk management processes?
- With so many changes in economic conditions, indicators of a rise in fraud, and a continuing emphasis by so many on short-term results, how does management – with your oversight – monitor the culture of the organization? Consider not only the risk of fraud (in all forms), but the risk-taking culture of managers. Are they rewarded (at all levels, not just at the top) for success without being penalized for failure? Are they always penalized for failure and barely rewarded for success?
- Are the systems and processes used to run the business, monitor and optimize its performance, and report its results ready for the future? Does management rely on old information to make decisions, or does it have real-time information (including risk information) so it can make quality decisions?
- How are you measuring the performance and effectiveness of the finance function?
What do you think of these 10 questions? What would you change or add?
The inter-relationships of risk, objectives, strategy and performance
Every so often, I read an article or guidance that talks about risk and strategy, risk and achieving objectives, or risk and performance management. For example:
- Enterprise performance management: towards profit
- Integrating risk appetite into business strategy
- Why integrating risk and strategy is important
Then there are the risk management standards (such as ISO 31000:2009) and frameworks (such as COSO ERM), which address the need to manage the effect of uncertainty on business objectives so the latter can be achieved (or surpassed).
What I want to do in this post is share my personal perspectives on the flow and relationships between these items. As you will see, it is not a simple relationship at all!
Objective and Strategies
Organizations exist to create value for their stakeholders. Governments provide public services for residents while corporations generate profit and share value for shareholders. (Simplistic version)
Objectives are established to create that value, and strategies are how the objectives will be achieved. They are best set with a solid understanding of risks (I use the word to include potential events that could have either positive or negative effects, as well as the uncertainty around forecasts and projections).
- If you understand the risks inherent in different objectives and strategies, you can decide which among them to adopt. Which is more likely to succeed and create value (and how much), and can the risks be kept within acceptable limits?
- If you understand the risks inherent in an objective or strategy, you can set appropriate targets. For example, you might slow down the target date for a product launch so you have time to manage the risk of quality defects and allow a vendor time to ramp up production of a new component.
- You can also plan to execute in a way that will minimize harmful results and maximize potential positive ones (which includes planning and resourcing any required actions, such as new controls to treat the risks).
So, objectives and strategies are set with an understanding of related risks and how they can be managed to remain within acceptable limits.
Objectives, Strategies, and Risk – Part 1
As advocated in both ISO and COSO guidance, organizations need to manage risks related to the achievement of their objectives. So, organizations should (IMHO) ensure they have a top-down process for identifying, assessing, evaluating, and treating risks to each objective.
So, risks are ‘managed’ within the context of the organization’s objectives and strategies.
Performance Management and Risk
Monitoring and optimizing performance should include consideration of risk levels. Kaplan has recommended that balanced scorecards include not only key performance indicators (KPIs) but key risk indicators (KRIs) as well.
It’s not enough to know that you are proceeding down the freeway at 80 mph (seemingly ahead of targets) if you don’t know that there is dense fog ahead and a high risk of accidents if you don’t slow down.
Objectives, Strategies, and Risk – Part 2
Risk management includes monitoring and generally keeping tabs on what is happening, whether new risks are emerging, and whether risk levels are changing.
What is often overlooked is that management should consider modifying objectives and strategies based on new assessments of risk and whether they can be managed within acceptable limits. Has the danger of the current course increased? Is there a new potential for a faster route?
If objectives/strategies should perhaps be modified, go back to the start.
In my mind,
- Risk and objective/strategy-setting are, or should be, inseparable
- Performance management without considering risk is flying blind
- Risks are managed within the context of achieving objectives
What say you? Does this make any sense?
Integrating business planning, performance management, and risk management
This morning, I came across an excellent article from the UK’s Institute of Chartered Management Accountants. Written by two people from Capgemini Consulting, “Enterprise Performance Management” makes some excellent points but has one gaping hole: a very significant omission that I will comment on at the end.
I thoroughly endorse and like these points:
- Even in the good times organisations can be caught out by the unexpected. Businesses that can’t respond in a controlled and profitable way will fall behind the competition and ultimately fail.
- Achieving financial forecasts takes more than luck and good foresight. It requires a planning model capable of detecting changes in customer demand and sales trends and then flexing the sales activities and production to secure the targeted financial result.
- Integrated business planning refers to the alignment of planning, budgeting and forecasting across an organisation’s key functions of sales and marketing, supply chain and finance. In executing this process effectively, an organisation can arrive at a planning result that fulfils its overall strategic goals.
- Integrated business planning is about understanding what makes money for your business and ensuring you are equipped to make profitable responses to both market changes and unexpected events. It starts with obtaining a good understanding of which channels, customers and products make money, not just in terms of direct margin, but full end to end costs.
- The benefits of getting the organisation pulling in the same direction, supported by reliable information, cross functional governance, technology and master data management, are substantial.
What is the hole? What is the omission?
A four-letter word: RISK
Risk management has to be part of the integrated processes for business planning and then performance management. Risk management is how you consider and respond to uncertainty in the business.
If this article had included the risk management function as one that needs to be a core contributor to enterprise performance management, then I would praise it to the skies.
Have you integrated business planning, performance management, and risk management?
How to assess the effectiveness of internal control
The new draft internal control framework (ICF) from COSO includes guidance on how to assess whether the system of internal control is effective.
In this post, I am going to try to summarize what the document says. I then will ask your views on whether you agree with this way of assessing the adequacy of internal control. (BTW, I am going to limit the discussion to COSO lingo and not introduce any ISO or other terms.)
We have to start with the definition of internal control, which is unchanged from the 1992 edition:
“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations.
- Reliability of reporting.
- Compliance with applicable laws and regulations.”
Before taking on the issue of evaluation, let’s look at two key phrases in the definition above: “reasonable assurance” and “objectives”:
Reasonable assurance
The discussion in the draft of “reasonable assurance” (in paragraphs 21-22) does not use risk management terms. (What I mean by that is that it doesn’t talk about ensuring the risk to the achievement of objectives is acceptable, within organizational tolerances). It simply acknowledges that factors outside the system of internal control (such as human error or judgment) can affect achievement of objectives. As a reminder, here is the definition of enterprise risk management from the COSO ERM framework:
“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Objectives
In paragraph 30, the ICF draft provides a nice summary:
“An organization establishes a mission, sets strategies, establishes the objectives it wants to achieve, and formulates plans for achieving them. Objectives may be set for an entity as a whole, or be targeted to specific activities within the entity.”
It is arguable whether objectives such as obtaining a 30% operating margin, growing revenue by 10%, or improving customer satisfaction by 10% can be readily placed within the three categories of objectives identified in the draft.
The COSO ERM framework adds a fourth category of objectives to the three in the ICF. It describes the four as:
- Strategic – high-level goals, aligned with and supporting its mission
- Operations – effective and efficient use of its resources
- Reporting – reliability of reporting
- Compliance – compliance with applicable laws and regulations.
The examples of business objectives I listed earlier would presumably fit under “Strategic”. I can’t explain why the ICF draft does not include this category. In lieu of a Strategic category, they would have to fit in the Operations group.
Assessing internal control effectiveness
The draft ICF starts the discussion at paragraph 71:
“An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. To have an effective system of internal control relating to one, two, or all three categories of objectives each of the five components must be present and operate together in a manner that reduces, to an acceptable level, the risk of not achieving an objective.”
As a reminder, the three categories of objectives are Operations, Reporting, and Compliance. The five components are the Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.
The assessment flow continues at paragraph 76:
“In assessing whether the system of internal control is effective, senior management and the board of directors determine to what extent the principles and, in turn, the corresponding attributes associated with each component are present and functioning.”
For each of the five components, the draft ICF describes principles: 5 for Control Environment, 4 for Risk Assessment, 3 for Control Activities, 3 for Information and Communication, and 2 for Monitoring – a total of 17.
Moving to paragraph 78:
“When a principle is deemed not to be present or functioning, an internal control deficiency exists. Management applies judgment in evaluating whether a deficiency prevents the entity from concluding that a component of internal control is present and functioning.”
The key
As I read it, the draft is saying:
- To have an effective system of internal control, the risk of not achieving an objective is reduced to an acceptable level. CHECK
- For the risk to be acceptable, all 5 components must be present and functioning. QUESTIONABLE
- The way to assess whether each component is present and functioning is to examine whether the related principles are achieved. OK IN PRINCIPLE (pun intended)
- If any of the principles are not achieved, you need to assess the deficiency as to whether the related component is present and functioning. OK
The issues
My major issues are:
- I struggle with the categories of objectives. I think we are better off talking about achieving the organization’s strategies and objectives to create value, rather than confusing the issue with 3 categories that don’t clearly match to an entity’s strategic plan.
- I am not persuaded that all 5 components must be present and operating effectively for the risk to be considered acceptable. I am sure that one or more may be ineffective, but the nature of the objective and the other controls mean that the risk level is not excessive.
- I fear that the 17 principles will become a checklist.
My preference
- Eliminate the three categories of objectives and replace them with one: the achievement of the entity’s strategies and objectives for creating value. Failures in reporting or compliance, if significant, will result in a failure to achieve strategies and objectives (via penalties, loss of share value, etc.)
- The system of internal control – as a whole – may be considered effective if the risk to the most significant objectives (i.e., not necessarily all of them) is reduced to an acceptable level. It may be effective even if:
  - The risk of non-achievement of minor objectives is higher than acceptable, or
  - The risk of non-achievement is only marginally high for a limited number of objectives, and acceptable when considering the overall success of the organization
- Require judgment as to whether the overall risk to achievement of strategies and objectives is acceptable, considering the combination of controls within and across all 5 components.
- Retain the principles, but change the language to say that these should be considered if there is a desire to assess each component individually. Remove the inference that we now have a checklist of 17 items.
In other words, simplify the assessment flow to answering one question:
Does the system of internal control provide reasonable assurance regarding achievement of the entity’s objectives?
This question can be applied to the strategies and objectives for creating value – as a whole, for a group of strategies/objectives, or for individual strategies/objectives.
Do you agree? If not, please share your views.
Norman’s most popular 2011 posts
These are the posts on my personal blog that obtained the most views. The #1 post, on risk appetite, garnered nearly 3,000 views.
I will later share the top posts on the IIA blog.
Tips from Norman on a Lean audit function
The UK’s Chartered Institute of Internal Auditors (affiliated with the global Institute of Internal Auditors) has published an interesting article by James Paterson on “Lean auditing – what, how, and why?”
James starts out well in this section, with a quote from GE:
“General Electric Corporation once described lean as ‘the relentless pursuit of the perfect process through waste elimination’, but in an IA context it is about ensuring that IA resources are focussed on delivering value to key customers, streamlining the processes and behaviours that support this, and eliminating those that don’t. Lean principles would define value as ‘any action or process that a customer would be willing to pay for’.”
He goes on to explain how the internal audit team should give priority to the voice of the audit committee, and not be pulled off track by trying to meet all the demands from management – at the expense of focusing on the needs of its primary stakeholder. That is well said, and I agree 90%.
I differ with James, though, when you move on from there. I would also like to share some tips for achieving lean auditing.
I have worked in companies where the margins were extremely low, resources were thin, and we had to make sure there was no wasted effort (muda in Japanese, the language of Lean). I have also worked at a company that used Lean Six Sigma (see here for a high level explanation) to drive efficiency in its manufacturing and other processes, and received training on the techniques and principles involved. So, I have been thinking about ‘lean auditing’ for many years and would like to share some ideas that extend beyond James’ piece.
- While we need to listen to the voice of our primary stakeholder (for most of us this is the audit committee), we also need to recognize that sometimes the audit committee’s insights into the value we can provide are limited. If they are bound by traditional experiences to believe that internal audit should focus on financial processes and compliance, together with fraud detection, we should work with them to move their expectations up the value chain. We should (IMHO) be providing them with assurance that the more significant risks are managed within acceptable limits, augmented by consulting services to enable improvements to that level. It is not sufficient to listen to the voice of the audit committee when that voice is sending an incomplete message.
- We should look very carefully at all our internal audit processes and drive out activities (muda) that are waste, because they carry cost and provide little value – relative to the cost. One technique is to capture, for a sample of audits, how long people spend on different tasks: planning (generally not enough), testing (frankly, often past the point where you know the results), documentation (see #5 below), reporting and communication (too much of the first and too little of the second), supervision and management, etc.
Here are some of the areas where I have identified muda in the past:
- As James points out, we should only be auditing what matters. If we are trying to audit a key risk to the business as a whole, the materiality for defining the scope of an audit of processes pertaining to that risk at any individual location should be based on the business as a whole, not based on the risk to the objectives of the individual location.
- Do we continue auditing after we have identified a weakness? Why? Is it so we can prove the weakness in a court of law? How likely is that? Once management has agreed to the fact that the control is ineffective, why keep auditing it?
- Do we keep auditing after it is obvious that everything is in great shape and the risk is low? Where is the value in that? (See the Tosco link later on and the reference to “stop-and-go auditing”.) Once you know the risk is managed within acceptable limits, stop – even if you haven’t finished everything in the audit program!
- Are we auditing an area where the issues are well-known and are being addressed? It may be high risk, but an internal audit engagement would have low value.
- Do we spend too much time on working papers? Make sure you understand the value and only spend the resources appropriate to the value. For example, my approach is to review people’s work by talking to them and focusing on the report (the key end product we manufacture). The working papers are not where I spend a lot of time, especially when I know the auditor is experienced and I have no reason to suspect they didn’t perform the tests. If there is a lot of value (for example, the working papers will be re-used the next year to streamline a repeat audit, if management is expected to challenge the results, if a regulator needs to review the work, or if there is a possibility of related litigation) then there is merit in allocating scarce resources to working papers. But, if they are consigned after supervisory review to a file drawer (physical or electronic), never to be seen again, then why spend money creating them? Do enough, not more than enough. [As an aside, years ago I had a benchmarking discussion with the internal audit team at Atlantic Richfield (then a major oil company). They told me that they spent 40% of their time on documentation. How do you stack up? How much time do you spend?]
- Are you reporting issues that don’t matter (except to your pride)?
- Are your reports timely? If not, then where is the value?
- Are you driving change? If management is not accepting your points and making appropriate changes, then you are wasting resources. Something is wrong in your internal processes, and you should look in the mirror for the root cause.
- Does your audit report get to the point? Does it say more than would be required to explain the results to the CEO in 2 minutes? Say what needs to be communicated, and then stop. Anything else can be handled in memos to operating management.
- Do you have the staff to be lean? Do they have sufficient experience to perform stop-and-go auditing? Can you trust them to know when the risk is acceptable? Are your managers spending more time on reviews and training of junior staff than they would spend if they did the work themselves?
Years ago, the Journal of Accountancy published a piece about my program at Tosco. As I reread it today, I think I got it mostly right. The only point I would add for a 2012 perspective would be a focus on using the available tools to be efficient and effective. Do you agree?
What do you think of this approach? It is not the ‘traditional’ approach to internal auditing, but I think it necessary if you are to make the best use of resources.
Should the head of the internal audit function also direct the risk management program?
For a number of reasons, management at several companies have asked the head of internal audit (CAE) to start up and manage their risk management program – in addition to internal audit. Reasons can include:
- “It was your idea. Congratulations on the new job.”
- “You really understand risk and risk management, so you are the best person to lead the department.”
- “There is synergy between risk management and internal audit, and we have limited resources.”
- “Risk management and internal audit fit together and we don’t have a better place for it right now.”
Back in 2004, The IIA issued a Position Paper on The Role of Internal Audit in Enterprise-wide Risk Management. That paper, which included the famous fan (below), distinguished between roles that are (a) core internal audit roles, (b) legitimate internal audit roles as long as certain safeguards are in place, and (c) roles internal audit should not undertake.
Activities related to providing assurance on risk management (the left side of the fan) were considered core, but those that involved taking ownership for how the organization assesses and responds to risk (the right side of the fan) are ones that internal audit should not take. The ones in the middle were determined to be acceptable activities as long as these safeguards were in place:
- It should be clear that management remains responsible for risk management.
- The nature of internal audit’s responsibilities should be documented in the audit charter and approved by the Audit Committee.
- Internal audit should not manage any of the risks on behalf of management.
- Internal audit should provide advice, challenge and support to management’s decision making, as opposed to taking risk management decisions themselves.
- Internal audit cannot also give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.
- Any work beyond the assurance activities should be recognized as a consulting engagement and the implementation standards related to such engagements should be followed.
Has this position paper stood the test of time? Can it be applied successfully to the current situations where the same individual (formerly the head only of internal audit) runs both internal audit and risk management?
I believe that the fan is in decent but not perfect condition. I would move two roles from the ‘legitimate with safeguards’ group to the group of roles internal audit should not undertake:
- “Maintaining and developing the [enterprise-wide risk management] ERM framework”. Because this would typically include the organization’s risk management policy, at best internal audit should only be involved as a consultant and advisor when management develops and later maintains the framework.
- “Developing [the risk management] RM strategy for board approval”. While internal audit can be a valuable contributor, the strategy for implementing risk management and growing its maturity should be a management responsibility.
I would add another element to the fan (on the right) to the effect that the processes of assessing and evaluating risks are also a management responsibility. I would also add a seventh safeguard:
7. Assuming responsibility for risk management activities should not adversely affect the level or quality of internal audit services. It is too easy for the CAE to shift her time and attention away from internal auditing to establishing the risk management function.
The following dictum in the Position Paper remains the ‘acid test’:
“The key factors to take into account when determining internal audit’s role are whether the activity raises any threats to the internal audit function’s independence and objectivity and whether it is likely to improve the organisation’s risk management, control and governance processes.” If a CAE were asked today to assume responsibility for risk management in addition to internal audit, my advice would be:
- Make it clear to management and the board that you cannot assume any responsibility that would represent a real or perceived threat to your independence or that of your team when it comes to your internal audit responsibilities.
- All of the safeguards described above, especially the first five, must be in place.
- All of the activities on the right side of the fan, plus the three I have added, are management responsibilities.
- In order to maintain both the reality and perception of internal audit independence and objectivity, I would separate the staff involved in internal audit tasks from those involved in risk management. If at all possible, I would hire a dedicated risk officer.
Some companies have positioned the internal auditing function under a Chief Risk Officer (CRO) who does not have the title of CAE or a background in internal auditing. The CAE in those companies reports functionally to the audit committee and administratively to the CRO.
Is this different from the situation where the CAE assumes responsibility for the ERM program? I believe the most important distinction is that there is a possibility that the CRO might attempt to influence internal audit’s reporting of deficiencies and the risk they represent. After all, in many companies the CRO is responsible for assessing the level of risk and ensuring it is within approved tolerances. So internal audit would be auditing their manager’s work.
I saw this in person when I interviewed for a position as CAE of a major credit card company several years ago. The position would have reported to the CRO, and when I met him I was impressed with his knowledge of the business and his working relationships with the top executives and the board; I enjoyed his very personable style. But when the discussion turned to reporting the results of audits to the audit committee, I asked him what would happen if the risk office had assessed the level of risk as low and internal audit found deficiencies implying the risk was high. He left no doubt that the risk level reported to the audit committee would be the one determined by the risk office. In fact, he was clearly concerned that internal audit would want to report on risk levels at all.
Some internal audit leaders think that the CAE should only ‘own’ risk management in two situations:
- When the company is starting the program, or
- When the organization is too small to have a separate risk management team
I am going to disagree. If handling both areas meets all the tests described above, all the required safeguards are in place, and (especially) this is good for the organization, then I see no reason why the CAE should not take it on. It represents an opportunity for growth, not only for the CAE but also for the rest of the team. Moving into risk management is a new and interesting career progression opportunity for internal auditors.
What are your views? Do you agree with what I suggest, above?
Note: this article first appeared in the December 2011 issue of the Internal Auditor, in the Governance Perspectives column, which I edit.
What kind of auditor are you? Are you an assurance professional?
I am struck by how many think the job of internal audit is to find defects.
I believe that is the road to ruin.
Our job should be to help the organization succeed, and we do that by helping PREVENT defects. Our primary role is ASSURANCE, not performing audits to report issues.
Contrast these situations:
1. The auditor strolls into the room, which is full of cops, and points to the body. “You have a dead body on the floor.”
2. The auditor works with the building architect and critiques the provision of fire and smoke detection and alarm systems, as well as the fire suppression system and availability of exit routes. She advises on the need for fire safety training and drills.
Which is more valuable to your company?
Which are you?
Training the audit committee
The article below was first published in the Internal Auditor magazine in 2003, winning the Thurston Award for the best feature of the year.
I believe it is just as meaningful today and am interested in your views.
TRAINING THE AUDIT COMMITTEE
Because internal auditors must stay current on trends, legislation, regulations, and risk management, they are the ideal organizational resource to develop and manage an education program for directors.
By NORMAN MARKS
“WHERE WAS THE AUDIT COMMITTEE?” has been a question asked by many over the past few years. With their next breath, those same people should be asking why gilt-edged audit committees with members acknowledged as having financial accounting and reporting expertise and who were often directors, chief executive officers (CEOs), or chief financial officers (CFOs), allowed management to take aggressive accounting positions or, even worse, falsify financial statements.
Some point to the limited time that directors are able to spend attending to their duties, and to their reliance on management and the external and internal auditors to provide the information they need to do their jobs. Others say that directors will always be at risk of unethical practices by management. Yet, investors and regulators look to the directors — and especially those on the audit committee — to be the watchdog for shareholders.
Clearly, more is expected from today’s audit committees. The U.S. Securities and Exchange Commission (SEC) may say that the new rules and business climate do not impose any additional legal liability on the committees, but directors cannot assume that to actually be the case and continue with business as usual.
Audit committees — with management’s assistance — need to examine not only their practices as a committee but also as individuals. Each director needs to assess whether he or she has the knowledge, experience, dedication, and time to perform the job effectively. Looking at some of the recent accounting scandals, one must ask whether audit committee members, individually or collectively:
• Had a sufficient understanding of their responsibilities. For example, why were some officers allowed a waiver from the ethics policy?
• Had a sufficient understanding of the key accounting and financial rules affecting their company’s financial statements?
• Understood the company’s business, including not only how it made money but also how it monitored and measured success?
• Had discussed and understood the more significant risks to the company’s financial statements, its business, and its reputation?
• Had sufficient knowledge and understanding to ask the right questions and to assess the adequacy of the answers they obtained?
Every corporate board should examine the need for training its members. New listing standards from the New York Stock Exchange (NYSE) and NASDAQ require continuing board member training. Additionally, there is public pressure for boards to keep up with their training. For example, Institutional Shareholder Services (ISS), a provider of proxy voting and corporate governance services, has developed a well-publicized measure for “evaluating the quality of corporate boards and the impact their governance practices may have on performance.” ISS’ Corporate Governance Quotient, announced in June 2002, bases its calculations — for the top 3,000 U.S. companies — on seven core categories, one of which is “director education.”
Although every director needs to understand the changing nature of corporate governance, the needs of audit committee members are broad and therefore more difficult to meet. According to KPMG’s Audit Committee Quarterly Fall 2003 issue, “while audit committee members value the depth and breadth of myriad external programs and seminars available, an increasing number of audit committees are also asking for tailored in-house programs.”
Because internal auditors must stay current on trends, legislation, regulations, and the risk management process to effectively perform their duties, they are the ideal organizational resource to develop and manage such an in-house program. Solectron Corp., a $12 billion global provider of electronic manufacturing services, used its internal audit department to develop a program to meet the specific needs of the company’s audit committee. Although internal auditors may need to tailor the specifics of the program depending on how their audit committee is organized, the basics can be used for any committee, regardless of its composition.
Assessing Needs
At Solectron, the audit committee recognized early the need for tailored training for its four members in addition to the training program already in progress for the full board. However, especially after the U.S. Sarbanes-Oxley Act of 2002 was passed, the committee already had a very full agenda and little time to dedicate to training sessions. The committee chairman asked me, the vice president of internal audit, for assistance.
Initially, we thought each audit committee member should have training focused on understanding the accounting standards and how they apply to the company. However, as we delved deeper, we realized committee members needed to understand not only accounting, but also risk management, the work of the external and internal auditors, and more.
The audit committee charged me with developing a training needs assessment program and meeting with each member. As a result, I compiled a list of topics, broken down according to areas of concern, to review with each member of the committee. The topics were driven by the committee’s charter and what I, with over a dozen years’ experience working with audit committees, believed each director required to be effective.
We immediately recognized that the directors do not need to be experts in every area. Instead, they need sufficient knowledge to be able to access pertinent information, ask the right questions, and assess the answers they receive. Rather than requiring detailed explanations and analyses for every new Statement of Accounting Standards (SAS), members need only understand the broad sense of the SAS and its implications, so they can ask management and the auditors the right questions about its adoption. [Note: SAS have now been replaced by PCAOB Standards.]
I sent the list to each member and met with them one-on-one to either complete or discuss their responses. Their responses helped us decide what type of training the audit committee members needed and in what areas they felt they had a sufficient level of knowledge and understanding.
Area of Concern 1: Roles, Responsibilities, and Relationships
- The audit committee’s charter, the committee’s responsibilities, the expectations of investors and regulators — including related laws and regulations — the role the committee plays in corporate governance, and the relative responsibilities of the board as a whole and company management. This first topic provided an opportunity to discuss and confirm that each member had a good understanding of his or her job, especially in light of recent changes in expectations. One issue for directors to consider is how much detail they are expected to dive into and what decisions require their oversight and approval. Where does governance end and management begin?
- The responsibilities of the external auditors to the company, the board, and the committee, including the type and scope of work they do, the extent of assurance they provide to the company and the committee, and the limitations to that assurance. The investing public has great expectations of public accountants, but are they justified? The external auditor’s opinion in the annual financial statements is limited, because its work is risk based and only provides assurance that the likelihood of material error is low. Directors need to understand how much work the external auditor does and, especially, the limitations of the assurance the auditor provides.
- How the external auditors do their work, and how they reach their conclusions on the company’s financial statements and related disclosures and internal controls. How many directors understand how much — or little — testing of internal controls is done by the external auditors? How many transactions do they review to confirm the controls are in place and effective? How do they decide which locations’ inventory to audit? What is the level of experience of the staff performing the work in the field, and is it sufficient? How does the partner decide, at the end of the day, that he or she can sign off on the accounts?
- The responsibilities and obligations of management to the audit committee. Is there a clear understanding of when management has to bring issues to the board and how much information will be provided? Is there too much reliance on management’s integrity?
- The role and responsibilities of internal auditing, including the scope of its charter, how it performs its work and reaches conclusions on internal controls (and the limitations thereto), how it works with the external auditor, and its reporting relationships to management and the audit committee. Today, directors, especially those on audit committees, should be placing more and more reliance on the company’s internal auditors. They should know whether or not the internal auditors have an open, unimpeded line of communication to them. Is internal auditing sufficiently independent? For example, can the auditors audit the CFO and CEO and report their conclusions to the audit committee without personal risk? Does internal auditing provide a report on the overall system of internal control? If so, how do the auditors make their assessment? Does internal auditing use a generally accepted internal controls model or framework?
Do the internal auditors work effectively with the external auditor, so that total quality is enhanced without unnecessary duplication of effort? If used correctly, the internal auditor provides directors with an independent set of experienced and knowledgeable eyes into the company’s operations.
Area of Concern 2: Risk Management and Internal Controls
- The principles of enterprise risk management (ERM). Few U.S. companies — except in financial services — have embraced ERM as a way to manage the business. However, ERM provides an excellent framework for audit committees, management, and external and internal auditors to assess the adequacy of internal controls. It is impossible to evaluate and test every control, but ERM helps directors determine whether the controls most likely to prevent or detect a major problem have been assessed. The American Institute of Certified Public Accountants (AICPA) requires external auditors to base their audit on a risk assessment, and The Institute of Internal Auditors (IIA) mandates the same for internal auditors.
- The principles of internal controls and the internal controls model used by the company, including controls that provide reasonable assurance of the efficiency and effectiveness of operations, the integrity of financial reporting and disclosures, and compliance with applicable laws and regulations; whether the committee is responsible for all internal controls; whether the external and internal auditors review them all; and what constitutes a “major” internal controls weakness or deficiency. The principles of internal controls extend beyond simply accounting or financial reporting — the audit committee’s primary responsibility at most organizations. Audit committees need to decide whether they have oversight responsibility for all controls or just financial reporting and ethics. At Solectron, we have chosen The Committee of Sponsoring Organizations of The Treadway Commission’s (COSO) model as a company standard, not only for financial reporting and Sarbanes-Oxley Section 404, but also for all controls assessment. Only through an understanding of internal controls can directors understand and evaluate the comments by management and the two sets of auditors on internal controls. The COSO model provides a common language among management, directors, and auditors in assessing controls and managing risk.
Another important point is what constitutes a “significant” or “material” weakness or deficiency. Both the external and internal auditors are required to report to the audit committee all weaknesses in the systems of internal control that they consider to be significant. But, what does that mean? Do the directors want to be informed of weaknesses that do not meet that threshold? Frequently, the internal and external auditors have different interpretations of what should be reported, and that may be of concern to audit committees.
- Accounting basics, including the principles of accruals, reserves versus write-offs, etc. Because audit committee members are required to be financially literate, with the ability to read and understand financial statements, some will need at least a refresher in these subjects. Certainly, many reported cases of earnings management involved companies’ use of reserves and accruals to smooth earnings from period to period. For example, the company might inflate reserves — whether for inventory, receivables, or goods received not invoiced — when times are good, and draw the reserves down when operating results are not as positive.
- In broad terms, the more significant laws, regulations, and accounting rules that have to be observed in preparing and filing the company’s financial statements and disclosures. Generally, the external auditors will provide the audit committee with a summary of new accounting rules as they arise, and the general counsel or external auditor will discuss new laws and regulations of significance. However, committee members need a broad understanding of the more significant rules applicable to their business to enable a quality review of the financial statements and questioning of management and auditors before the quarterly and annual reports are filed with the SEC.
Area of Concern 3: Consolidating, Clarifying, and Reporting Financial Results
- The organization’s processes for consolidating financial results — starting from the site, through region and business unit, to corporate level — and the nature and extent of any adjustments that may be made at each stage. This background information will help the audit committee understand the process and therefore the risks associated with financial and SEC reporting. It will enable the directors to ask penetrating questions not only of management but also of the auditors.
- Each topic and line item in the financial statements and other SEC filings, including the Notes, MD&A, etc. There are several sources of training, particularly from colleges and business schools, that will enable directors without any financial background to acquire the necessary knowledge. A review of the 10-K and explanation by an expert can be very useful. The National Association of Corporate Directors — an association for boards, directors, director-candidates and board advisors — is one organization that offers, through a consultant, on-site training for audit committees on this topic. An experienced director who is also an ex-CFO talks the members through a review of the financial statements.
- What is “material” to the financial statements. The external auditors provide an opinion as to whether the financial statements are free of material error, but what is material? There cannot be assurance that the financial statements are 100 percent correct, but the audit committee needs to understand the level of tolerance. The committee needs to question both groups to ensure they are comfortable with the judgments on whether that tolerance level has been exceeded.
Area of Concern 4: Recognizing Risks
- The major risks to the accuracy of the financial statements. This topic flows from the others: understanding the business, the process of developing the financial statements, and the legal and accounting requirements. The directors’ review and questions should be focused on the areas where there is more risk to the integrity of the financial statements. In addition, the directors should ensure that both the external and internal auditors are devoting sufficient resources to the major risk areas. This will include those areas where there is a greater degree of judgment (e.g., reserves), complexity (e.g., derivative transactions), or less-than-robust systems.
- The major risks to the success of the company’s business. Directors need to be concerned with the possibility that management is tempted to cover up problems in the business. Understanding where a company is most at risk allows the audit committee to be alert and ask for detailed analysis and additional information in areas that matter. Committee members can also provide better oversight of the auditors, verifying that their planned scope will address these critical areas.
- The “red flags” that may indicate a problem with the financial statements. Research has shown that most financial statement frauds could have been detected if attention had been paid to certain changes in trends — red flags. The audit committee should receive a list of these red flags and may require a focused discussion on which are most significant to the company. The directors may require the financial statements to include additional information, such as trend and fluctuation analyses.
- The legal risks presented by the company’s business operations, including risks pertaining to compliance with international tax, trade, human resources, and business practices laws and regulations. In some industries — such as chemical and banking — this is a significant issue. The committee should ensure not only that these risks are addressed, but also that the departments responsible for auditing those areas provide reports to the committee. For example, in many companies, groups other than internal auditing perform audits of environmental, health, and safety compliance.
Area of Concern 5: Understanding and Assessing the Business
- The principal businesses the company is engaged in, and how the company achieves and then measures success in each. Although directors will probably have a broad understanding of the business, their knowledge may not be sufficient for them to understand all the risks and opportunities and ask the right questions of management and auditors. Directors should visit and be familiar with the company’s principal business locations. Without that personal, firsthand knowledge, it is questionable whether they can fully understand and evaluate the financial statements, ensure the disclosure of key nonfinancial information, or assess the auditors’ performance.
- The nature — in broad terms — of the more significant information technology (IT) systems and infrastructure, with particular reference to how they impact the financial statements. Companies are dependent on their financial IT systems. Not only do these systems accumulate the transactions and perform many calculations, but they also provide most of the analytical information — reports — needed to review the financials. The directors should know whether any of the IT systems are fragile and question the auditors on the level and quality of their IT audit work. A study by the Public Company Accounting Oversight Board’s Panel on Audit Effectiveness of the quality of external audits highlighted as areas of concern a lack of adequate IT understanding of many accounting-firm partners, a failure to adequately consider IT risks in audit planning, and insufficient attention to IT systems during the audits.
- The company’s philosophy and approach to ensuring ethical business practices and compliance with all applicable laws and regulations, and the significance of the tone at the top. One of the issues at Enron was the audit committee’s waiver of a conflict of interest under the company’s code of ethics. The audit committee should understand not only what the company’s ethics policy says, but how the company “walks the talk.” The way top management conducts its business and demonstrates day-to-day ethics — the tone at the top — has great influence on the way other management operates. The directors should understand the importance of tone at the top and have a sufficient knowledge of the subject to ask the appropriate questions of both management and auditors.
- How to assess the competence of financial management, the external auditor, the internal auditor, the corporate ethics officer (or equivalent), and others, as necessary. Audit committee members have to rely on what they are told by those they see at meetings: management and the two sets of auditors. However, the committee is also expected to be the watchdog and guardian for the shareholders against inappropriate acts and incompetence by the auditors. Thus, it needs to exercise professional skepticism at all times, ask the right questions, and assess the adequacy of the answers it receives. Assessing the competence of these key individuals is not easy, but the committee should seek help from those who are experts in each field. This may require external reviews, for example, of the internal auditor’s work. The external auditor should report on its own quality assurance practices and on quality assurance reviews by its peers. A process should be developed, typically led by the internal auditor, to help the committee assess the external auditor’s work.
Delivering the Training
I compiled the results of the interviews and the responses to the survey into a summary training needs analysis. It included recommended delivery methods for each subject where a need was identified — such as presentations during meetings, additional reading materials, books or studies, and off-site training. I then reviewed the analysis with the chairman and later discussed it with the full committee. We reached an agreement on the priorities and developed a schedule for the next three meetings.
The needs analysis confirmed that the members of the Solectron Audit Committee already had most of the knowledge required to be effective. That finding was of value by itself, and it contributed to the self-assessment the members performed later. At the same time, opportunities were identified for improvement.
Much of the additional training was delivered by expanding on presentations already scheduled by auditors and management. For example, the external auditors were asked to review their risk assessment, general audit methodology, and staffing profile when they reviewed their annual audit plan with the committee. I included a discussion of internal controls and the COSO framework as part of my annual report and plan. Emphasis was placed on efficient delivery, because the number and length of meetings had increased significantly.
Customized Education
Each board of directors is different, with varying needs for training. The “areas of concern” list was effective in both identifying where Solectron Audit Committee members would benefit and in serving as a basis for the plan to deliver the required information and training. The list confirmed that a tailored program would be much more effective than sending committee members to generalized seminars.
Audit committee training is a continuous process. Solectron has now completed the first year of its training program and delivered in the areas identified through its needs analysis. Attention is now focused on maintenance, including discussions of new laws and regulations such as Sarbanes-Oxley and accounting rules.
The needs analysis will be repeated at some point to identify any specific area where the members believe a refresher would be useful. The analysis has enabled the training to be delivered, in areas where it was needed, without taking too much of the committee’s valuable and limited time.
We need your comments to upgrade the draft COSO internal control framework
COSO has released a draft for public comment of an updated Internal Controls Framework. You can see some of the highlights and links in this Journal of Accountancy article.
While I am pleased that COSO has been working to update and upgrade the framework, I am frankly disappointed with this draft.
I encourage you strongly to review the draft and submit your comments. A loud voice may be needed to persuade COSO to make changes.
I especially encourage compliance, risk, and governance experts and practitioners to comment. COSO membership is primarily composed of accounting and audit bodies, and a team from PwC is responsible for developing this draft.
My primary concerns at this point (I haven’t completed my review and will share my comments on this blog when they are finalized) include:
- The relationship between risk management and internal control is not explained well. The definition of risk only includes the adverse effect and is not consistent with the COSO ERM definition of risk management let alone the more current ISO 31000:2009 standard. Controls are needed to ensure that opportunities are identified and realized.
- I don’t believe the authors have represented accurately the relationship between residual risk and internal controls. The existence of internal controls is considered in the assessment of residual risk, but the draft says you only need controls if the residual risk is above tolerances.
- The draft suggests that you have an effective system of internal control if 17 principles are met across the 5 components of internal control. I disagree. You have an effective system of internal control if the risk of non-achievement of objectives is within organizational tolerances. You may fail to achieve one of the 17 principles in one of the 5 components without the risk of non-achievement being above acceptable tolerances.
- The draft states that strategy-setting is not included within the system of internal control, but does not address the fact that you need controls within the strategy-setting process: to ensure that the right people are making the decisions around strategy using reliable information.
- I simply don’t understand how board oversight of risk management is not a critical element of the Control Environment.
- Consistently through the draft, the need for controls to manage risks within tolerances is omitted. In fact, the draft says you can have a (minor) control deficiency even if there is no risk to objectives! The correct explanation is that deficiencies exist when the risk of non-achievement of objectives is higher than acceptable.
- Organizations have to, in many cases, work with governance codes/frameworks and risk management frameworks/standards as well as internal control frameworks. The draft should explain the inter-relationships and how organizations can manage compliance with multiple frameworks.
- There is insufficient emphasis on the need for an effective combination of controls to manage risks.
- The definition of a material weakness in internal control over financial reporting is inconsistent with guidance from the SEC and PCAOB!
- The draft says that there should be a minimum of 1 (yes, one) outside director for the board to have an independent voice. This is absurd.
- Guidance on technology-related controls and on the existence of controls at every level in the entity (including intermediate levels) is thin. The SEC and IIA both have better, more detailed guidance than is included in the draft.
- The discussion of Compliance is limited to mandated rules and regulations. However, companies need controls to ensure that business is conducted to their own standards, which may be more restrictive.
Please provide your comments here, which I will consider in my response to the public exposure. But, again, I strongly encourage you to be heard and submit your own comments.
Happy Holidays and thank you for your support in 2011.
Norman Marks
A challenge for risk management experts
The intent of this post is to present a more complex risk evaluation scenario for risk management experts to comment on. That advice should be valuable for all of us.
First, some background
In a simple situation, an event or situation may be assessed as having a defined likelihood and potential impact. People like to show this on a heat map.
But, events and situations are not always that simple. Any possible event or situation can have a range of likelihoods and impacts. Consider the potential for an earthquake to strike a town in California where your business operates. There is a range of likelihood (of an earthquake in that location) and impact (on the business):
- 1% likelihood: $10 million impact
- 2% likelihood: $5 million impact
- 3% likelihood: $1 million impact
- 4% likelihood: $100,000 impact
- 4% likelihood: $50,000 impact
- 5% likelihood: negligible impact
All told, there is a likelihood of an earthquake of 23%, but the range of impacts is wide.
For those who measure the risk based on likelihood multiplied by the potential impact, the range translates to:
- 1% × $10 million = $100,000
- 2% × $5 million = $100,000
- 3% × $1 million = $30,000
- 4% × $100,000 = $4,000
- 4% × $50,000 = $2,000
- 5% × negligible = negligible
An argument can be made that each of these is a risk situation that should be evaluated. Some would therefore focus only on the larger scenarios. I am fine with that in this case.
But what if the situation is different? Let’s say we are considering a decision on whether or not to expand into Ethiopia. There are multiple risks, extending from (for example) damage to corporate reputation if employees engage in bribery, the loss of facilities if they are damaged in periods of civil unrest, to the risk that employees will be harmed or even be killed. The aggregated range of likelihood and impact is:
- 1% likelihood: $200 million impact
- 2% likelihood: $100 million impact
- 3% likelihood: $50 million impact
- 3% likelihood: $10 million impact
- 4% likelihood: $5 million impact
- 5% likelihood: less than $1 million impact
Ours is a company with annual revenue of $2 billion and profits of $250 million, so these risks are significant. Why is management considering the initiative? The Marketing people estimate the potential upside (the reward or opportunity) as substantial as well:
- 10% $100 million additional profit
- 20% $80 million additional profit
- 25% $50 million additional profit
- 20% $10 million additional profit
- 5% $5 million additional profit
- 5% break even
- 5% $5 million loss
- 5% $10 million loss
- 5% $15 million loss
The challenge
- How would you evaluate the situation and advise management?
- Would your evaluation change if the potential upside estimate from Marketing changed:
- If the upside increased from 10% of $100 million profit to 15%?
- If the highest possible operating loss was limited to $5 million?
Please share your approach so all of us can benefit – and discuss.
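The likelihood × impact arithmetic behind the earthquake and expansion scenarios, worked through in code. This is an added illustration and not part of the post or the author's own analysis; the figures are the ones listed above, and three modelling choices are assumptions made here: the "negligible" earthquake bucket is taken as $0, the "less than $1 million" expansion bucket is taken at its $1 million upper bound, and the first challenge variant (the $100 million bucket rising from 10% to 15%) is assumed to draw its extra 5% from the $80 million bucket so the distribution still sums to 100%.

```python
"""Expected-value arithmetic for the earthquake and expansion scenarios.

Each distribution is a list of (probability, dollar outcome) pairs taken from
the post; losses are negative, gains positive. Added illustration, not the
post's own analysis.
"""
from typing import Dict, List, Tuple

Dist = List[Tuple[float, float]]
M = 1_000_000  # one million dollars

# Earthquake scenario. "Negligible" is modelled as a $0 loss (an assumption).
EARTHQUAKE: Dist = [
    (0.01, -10 * M), (0.02, -5 * M), (0.03, -1 * M),
    (0.04, -100_000), (0.04, -50_000), (0.05, 0),
]

# Expansion downside. "Less than $1 million" is modelled at its $1 million
# upper bound, a deliberately conservative assumption for this example.
EXPANSION_DOWNSIDE: Dist = [
    (0.01, -200 * M), (0.02, -100 * M), (0.03, -50 * M),
    (0.03, -10 * M), (0.04, -5 * M), (0.05, -1 * M),
]

# Expansion upside as estimated by Marketing (break even = $0).
EXPANSION_UPSIDE: Dist = [
    (0.10, 100 * M), (0.20, 80 * M), (0.25, 50 * M), (0.20, 10 * M),
    (0.05, 5 * M), (0.05, 0), (0.05, -5 * M), (0.05, -10 * M), (0.05, -15 * M),
]


def total_probability(dist: Dist) -> float:
    """Sum of the bucket probabilities; an exhaustive distribution sums to 1.0."""
    return sum(p for p, _ in dist)


def expected_value(dist: Dist) -> float:
    """Probability-weighted outcome: the 'likelihood x impact' figures, summed."""
    return sum(p * x for p, x in dist)


def prob_loss_at_least(dist: Dist, threshold: float) -> float:
    """Probability of a loss of at least `threshold` dollars (the tail risk)."""
    return sum(p for p, x in dist if -x >= threshold)


def upside_variant_a(dist: Dist) -> Dist:
    """Challenge question 1: the $100M bucket rises from 10% to 15%.

    The post does not say where the extra 5% comes from; this example assumes
    it is taken from the $80M bucket so the distribution still sums to 100%.
    """
    return [
        (p + 0.05, x) if x == 100 * M else (p - 0.05, x) if x == 80 * M else (p, x)
        for p, x in dist
    ]


def upside_variant_b(dist: Dist) -> Dist:
    """Challenge question 2: the worst operating loss is capped at $5 million."""
    return [(p, max(x, -5 * M)) for p, x in dist]


def summarize(name: str, dist: Dist) -> Dict[str, float]:
    """Print and return the headline numbers a board pack would show."""
    summary = {
        "total_probability": total_probability(dist),
        "expected_value": expected_value(dist),
        "prob_loss_ge_50M": prob_loss_at_least(dist, 50 * M),
    }
    print(f"{name:20s} P={summary['total_probability']:.2f} "
          f"EV=${summary['expected_value'] / M:,.2f}M "
          f"P(loss>=$50M)={summary['prob_loss_ge_50M']:.2%}")
    return summary


if __name__ == "__main__":
    summarize("earthquake", EARTHQUAKE)
    summarize("expansion downside", EXPANSION_DOWNSIDE)
    summarize("expansion upside", EXPANSION_UPSIDE)
    summarize("upside, variant A", upside_variant_a(EXPANSION_UPSIDE))
    summarize("upside, variant B", upside_variant_b(EXPANSION_UPSIDE))
    net = expected_value(EXPANSION_UPSIDE) + expected_value(EXPANSION_DOWNSIDE)
    print(f"net expected value of the initiative: ${net / M:,.2f}M")
```

The expected value alone hides what the tables make visible, which is why `prob_loss_at_least` sits beside it: a 6% chance of losing $50 million or more is a different conversation from a $6 million expected loss, especially against $250 million of profit. `total_probability` is printed because bucket lists are easy to get wrong; the six earthquake likelihoods as listed add to 19%, so the reader can see at once whether the buckets are meant to be exhaustive.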
Should executives be in jail for mortgage fraud and related reporting?
I didn’t see the 60 Minutes segment on Prosecuting Wall Street until this evening, but it is shocking to hear that not a single prosecution has yet been brought.
I strongly recommend viewing the segment (available in two YouTube segments) and I welcome your views on the following:
- Did the segment make the case that there should have been prosecutions under SOX? They didn’t explain how material the over-valuation of the mortgages was to Citi and Countrywide, but I suspect the numbers were material and the internal control weaknesses should have been classified as material.
- Do you agree that persuasive evidence of deliberate fraud might have been difficult to obtain?
- Should the board have taken action?
- Should internal audit have been more prominent?
- Shouldn’t the risk officer have been more actively engaged?
- There seems to have been a defect in the control environment, the tone at the top and the corporate culture. Shouldn’t this have been identified as an issue by the external auditor?
I don’t have inside knowledge and am not a lawyer. But I found the segment disturbing and suspect you will as well.
Managing Sustainability or Social Responsibility within the organization
The Canadian Institute of Chartered Accountants (CICA) has published a series of papers with guidance for directors on a variety of topics. Typically, they suggest 20 questions that directors can ask. I find that their content is valuable to management and others (such as auditors) in understanding the key issues in the areas.
Rather than 20 questions, a new paper on Sustainability from the CICA has 23 questions.
Whether you believe that Sustainability or Social Responsibility (CSR) should be a priority or not, the questions work for me. They start in the right place – with identifying which aspects of CSR apply and are significant to the organization. The questions continue through risk assessment, reporting, and governance.
The only question I can think to add is how assurance is being obtained that external reporting (in particular) on CSR is complete and accurate. That might be a role that internal audit can play.
I have questions for you:
- How important should Sustainability be in driving the actions of corporations?
- Should this be a factor in assessing the performance of the CEO and other top executives? If so, what are the metrics?
- Do you like these 23 questions (24 with my addition)?
I welcome your comments.
Advice on board oversight of risk management
BoardMember has a series in which it interviews experts on a variety of topics relevant to directors. Recently, they interviewed a good friend of mine (Brian Barnier). Brian (see here for his bio) works at a number of levels: with boards and executives, advising on several topics including risk management. In this video, he shares advice for directors on how they can effectively provide oversight on risk management and key questions they should ask.
Now, Brian is a good friend. He and I have partnered on presentations and we are both OCEG Fellows. But that doesn’t mean we always agree. This is one of those times where I would go further than Brian has in this discussion.
This is what I would say to a board:
1. Recognize that risk is the effect of uncertainty on objectives. Risk management is not just about how the organization is protected from adverse events, such as an earthquake, the loss of a top executive, a supply chain disruption, or a 60 Minutes piece on certain alleged waste disposal practices. It’s also about how the organization handles uncertainty in general, which includes its ability to respond with agility to minimize potential adverse effects and embrace potential opportunities. It’s not only about protecting corporate value; it’s about seizing the moment and achieving – or exceeding – objectives.
2. Ask penetrating questions of management about the more significant (adverse) risks facing the organization, including those that are emerging. How does management identify the risks and assess their likelihood and potential impact? Are those processes adequate? Does it have reliable processes for evaluating and responding to the risks? What assurance does it have that the risks are being managed at appropriate levels? Is the risk organization appropriately staffed and resourced? Does it report at a level where it will be heard?
It’s probably more important to obtain assurance that management has good processes than it is to understand and provide your counsel on the risks themselves! After all, management is relying on those processes between meetings and may only bring to your attention matters that are the result of the processes.
I would definitely ask the internal audit function to provide a formal report on the adequacy of the risk management framework and processes on at least an annual basis.
3. Work with management to agree on how they (and you) will determine when (adverse) risks should be accepted. Is there a way to set an acceptable risk level for each area so that not only can you and management monitor to ensure they are not exceeded, but operating management is able to apply the standards when they are making decisions – taking the risks?
4. Also ask about management’s readiness and agility to identify, evaluate, and respond when there are market opportunities. Can management move fast enough, yet in a thoughtful and considered fashion?
5. Ask management how they ensure that people on the front-line are trained to handle risk and make appropriate decisions. Do they understand the organization’s attitude towards risk (their inclination to take or avoid risk) and how do they ensure it is consistent with desired risk-taking practices? How is risk addressed when it comes to IT or other major projects?
6. Agree with management on when and how you will be informed that either risk levels have been exceeded or an adverse event has occurred.
7. Recognize that the board should take the lead on certain risk management activities, such as addressing risks relating to the performance of the CEO and other top executives, whether there are compensation or other risks that might influence executives to make decisions contrary to the long-term interests of the company and its stakeholders, and whether management’s process for determining strategies is sound.
8. Oversight of risk management can and probably should be allocated to several board committees, with an overall review by the full board. Be careful about overloading the audit committee. That team already bears a large burden and may not be able to give sufficient consideration to all areas if risk management is added. I would only assign financial and possibly compliance risks (if there is no compliance committee) to the audit committee.
9. Don’t underestimate the need to obtain education and orientation in risk management. Have a look at the ISO 31000 standard, and have an expert on risk management present to the board.
10. Seek to continuously improve, assessing your performance annually. It would be useful, especially in the first few years, to engage an expert to assist in your self-assessment process.
Above all, the board needs to exercise common sense and not accept explanations that are not clear, or that it does not understand. While there is something of a science in quantifying certain risks (such as relating to currency fluctuations), most risk management functions have not failed because of that: they failed from a failure to apply common sense! (Just think of the assumption that house prices would never fall.)
Have I got this right? How would your advice differ? I would love to hear.
Mobile will bring both risks and opportunities. Is your company’s strategy optimized?
The Australian newspaper’s IT section ran a piece on October 25, 2011 on a radical year of digital revolution. It started with two bold, short paragraphs:
“Many observers have described this year as the most radical period of change in the history of digital technology.
“It has been the year cloud computing came of age, smash-hit consumer devices such as Apple’s iPad invaded the corporate computing arena and the market for mobile apps exploded.”
People over-use the adjective ‘disruptive’, but for once that word can be used correctly: when applied to 2011’s new technology and what we can see coming in 2012 alone. It will change the way people live their lives (how many people under 30 still wear a watch, and have you noticed that Starbucks accepts mobile payments – and has been all year) as well as how they work. Some say that mobile payments are “the future of banking” (see here and here).
It is not just information and analytics that are coming to mobile devices, but the enterprise applications themselves. This month, SAP announced (with partners) the availability of more than 200 new mobile applications! For example, workers can order supplies from their mobile device and route their ‘shopping cart’ to their manager’s smart phone or tablet for approval; directors are asking for their board briefing documents to be delivered to their iPad; and, CFOs (and other executives) have the ability to review real-time balanced scorecards and project status with KPIs on their tablets, drilling down to see details and attaching the results to emails to their team asking for additional information. Oracle also has a mobile strategy.
The board and management, together with the CRO and CAE, should be concerned with two primary risks:
- The organization is late to use the disruptive technology available to optimize operations, losing ground with customers, the market, and in efficiency to its competitors.
- People embrace the technology in an unstructured and possibly even unsafe manner, creating not only security and control risks, but inefficient business processes and a messy IT infrastructure.
A balance needs to be struck so that the organization can take advantage of the new technology, but not at the cost of lost confidential information or an IT infrastructure that is unmanageable. How can IT be expected to support five versions of essentially the same application but from different vendors (not all of which may be in business next year), running on every imaginable mobile device and operating system – that everybody wants connected to the corporate network?
The Aberdeen Group is a fine source for research on a variety of topics, and I have blogged about their reports in the past. I am a subscriber and I recommend your looking into them.
Recently, Aberdeen published a report, Enterprise B2E Mobile App Strategies: Design, Build, Deploy, Manage and Support that has some interesting content. While it said that “The global phenomenon of mobile applications has had a major impact on the enterprise; on its market-facing, business-to-business, and employee-facing activities”, the report focuses on the latter: enabling management and employees to be more efficient and effective. Here are a few of the more interesting points:
- The companies that Aberdeen calls ‘best-in-class companies’ achieve:
- 90% success in accessing crucial business information within the time frame required to resolve the issue (time-to-information), 61% more than ‘laggards’
- 72% year-over-year improvement in operational efficiency, defined as the ratio of potential versus achieved productivity, almost 2.5 times greater than the industry average
- 42% year-over-year improvement in time-to-information, 20 times greater than laggards
- 47% increase in employee satisfaction, more than double the improvements in average companies and five times that achieved by laggards
- 38% improvement in employee productivity, 2.5 times average and more than 10 times laggard companies
- The best-in-class companies had this in common:
- Custom mobile software primarily intended for employee use
- IT standards for mobile software deployment
- Enterprise mobile software application stores (app stores)
- Executive-level support of mobile software initiatives
- Mobile app development was identified as one of the top priorities for IT spend, with 41% of respondents indicating that they had already designated a portion of their IT budget for mobile app development over the next 12 months
My advice is that corporate leadership (not just the CIO) with advice from the risk management and internal audit functions ensure:
- New technology is embraced in an organized fashion, so that all can benefit from the consistent use of new applications, devices, and ways of working. Aberdeen noted that the most successful companies had active CEO support for their mobile strategy.
- Devices are connected to the network only when it is (reasonably) safe to do so.
- IT provides a secure infrastructure for the use of mobile devices (such as enabling the remote destruction – not just ‘wiping’ – of data on devices that are lost, left on planes, etc.).
- When enterprise applications move to mobile, there are reasonable controls to ensure that those applications can be relied upon (e.g., with effective application change management and controls to ensure communications between mobile and host systems are complete, accurate, and valid) and the appropriate level of security is in place (such as verifying that only my manager can approve my purchases, and only your company’s top executives can see your confidential information).
The internal audit, risk management, and IT security teams should provide advice on the risks. However, care should be taken that excessive concern about risks does not result in being slow, or even late, to seize the opportunities.
Continuous auditing that should NOT be performed by internal audit
I have to admit to being a big fan of continuous auditing in general. One of my more popular papers (available for download here) is on the topic of continuous risk and control assurance. I wrote it to explain why I believe internal auditors should move from providing assurance on an occasional basis to providing assurance when it is needed by the audit committee and top management. In these days of rapidly changing risks, when businesses are moving faster and faster, internal audit needs (IMHO) to be able to provide prompt assurance on the more significant risks. Telling top management that internal audit can provide assurance in a month, after an audit is completed, is clearly sub-optimal (if not unacceptable).
But, I also believe that certain practices, generally described as continuous auditing, are NOT core internal audit practices. At best, they are consulting services; at worst, they are internal controls relied on by management – that should be performed by management.
Let’s start with a statement with which, hopefully, almost everybody will agree: the core internal audit mission is to provide assurance services related to the adequacy of management’s processes for managing risk, the organization’s governance processes, and the related controls. In addition (and to me, this is a clear secondary activity) internal audit provides value-add consulting services. Both the assurance and consulting services are intended to assist management improve the effectiveness of their processes.
I support:
- Continuous audit activities that are designed to provide assurance on a more continuous basis, for example by testing controls more frequently.
- Continuous audit activities that are recognized as value-add (rather than assurance) activities and are approved by the audit committee.
Let’s examine a few cases:
- The use of software to identify duplicate payments. To me, management should have controls to prevent, or at least identify promptly, duplicate payments. If reliance is instead placed on internal audit to identify the duplicate payments, internal audit is performing a management function. I would be reluctant to do this, unless management were able to make a convincing case that this was the best use of overall corporate resources, it did not take resources away from essential assurance activities, and was approved by the audit committee.
- The use of software to detect errors, typically the result of internal controls failing to operate effectively: for example, internal audit monitoring transactions to detect errors such as approved (or paid) vendor invoices not matching purchase orders or receiving documents. Some consider this a valid internal audit activity, but again I think that internal audit is stepping in and performing a control – a management function. Now, I am fine with audit providing a consulting function, developing the capability and turning it over to management to run. But, I am reluctant to see internal audit continuing to do it. I would do it if management could make a solid business case, it didn’t detract from essential assurance work, and it was approved by the audit committee.
- Fraud detection is an interesting case. While many internal audit functions have this in their charter, I believe that controls to prevent and detect fraud are a management responsibility – that internal audit can perform as a consulting service, with the approval of the audit committee. It should not divert resources away from essential assurance activities. In an ideal world, fraud detection is performed by management and assessed by internal audit. But, internal audit has independence and skills that may well make a compelling case for their owning fraud detection. Again, it should be approved by the audit committee and included in the internal audit charter.
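What "the use of software" in the first two cases above amounts to in practice: a duplicate-payment check and a three-way match (invoice against purchase order against goods receipt) producing an exception report. This is an added example written for this post, not code from the post or from any vendor product; the vendor names, document numbers, amounts and reason codes are constructed for the illustration, and the matching rules (normalizing invoice numbers, a one-cent amount tolerance) are choices made here, not rules the post states. Whether internal audit or management runs it is the question the post raises; the code is the same either way.

```python
"""Duplicate-payment and three-way-match exception reports over constructed data.

Added illustration of the two 'software detects it' cases in the post; every
record, name and rule here is made up for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    invoice_no: str
    amount: float


@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    vendor: str
    po_no: str
    amount: float
    quantity: int


@dataclass(frozen=True)
class PurchaseOrder:
    po_no: str
    vendor: str
    amount: float


@dataclass(frozen=True)
class Receipt:
    po_no: str
    quantity_received: int


def normalize_invoice_no(raw: str) -> str:
    """Upper-case, drop punctuation/spaces and leading zeros inside numbers, so
    'INV-0042' and 'inv 42' (a typical re-keyed duplicate) compare equal."""
    compact = "".join(ch for ch in raw.upper() if ch.isalnum())
    return re.sub(r"(?<!\d)0+(?=\d)", "", compact)


def find_duplicate_payments(payments: List[Payment]) -> List[List[Payment]]:
    """Group payments by (vendor, normalized invoice number, amount) and return
    every group holding more than one payment, each sorted by payment id."""
    groups: Dict[Tuple[str, str, float], List[Payment]] = defaultdict(list)
    for p in payments:
        key = (p.vendor.strip().upper(), normalize_invoice_no(p.invoice_no), round(p.amount, 2))
        groups[key].append(p)
    return [sorted(g, key=lambda p: p.payment_id) for g in groups.values() if len(g) > 1]


def three_way_match(invoices: List[Invoice], pos: List[PurchaseOrder],
                    receipts: List[Receipt], amount_tolerance: float = 0.01) -> List[Tuple[str, str]]:
    """Return (invoice_no, reason) pairs for invoices that disagree with their
    purchase order or goods receipt. An empty list shows only that no mismatch
    was found; it is not evidence that the approval control operated."""
    po_index = {po.po_no: po for po in pos}
    received: Dict[str, int] = defaultdict(int)
    for r in receipts:
        received[r.po_no] += r.quantity_received
    exceptions: List[Tuple[str, str]] = []
    for inv in invoices:
        po = po_index.get(inv.po_no)
        if po is None:
            exceptions.append((inv.invoice_no, "NO_PO"))
            continue
        if po.vendor.strip().upper() != inv.vendor.strip().upper():
            exceptions.append((inv.invoice_no, "VENDOR_MISMATCH"))
        if abs(po.amount - inv.amount) > amount_tolerance:
            exceptions.append((inv.invoice_no, "AMOUNT_MISMATCH"))
        if inv.quantity > received[inv.po_no]:
            exceptions.append((inv.invoice_no, "QUANTITY_NOT_RECEIVED"))
    return exceptions


# Constructed sample data (not real transactions).
PAYMENTS = [
    Payment("P1", "Acme Supply", "INV-0042", 1250.00),
    Payment("P2", "ACME SUPPLY", "inv 42", 1250.00),   # re-keyed duplicate of P1
    Payment("P3", "Acme Supply", "INV-0043", 300.00),
]
PURCHASE_ORDERS = [
    PurchaseOrder("PO-100", "Acme Supply", 1250.00),
    PurchaseOrder("PO-101", "Acme Supply", 250.00),
    PurchaseOrder("PO-102", "Acme Supply", 800.00),
]
RECEIPTS = [Receipt("PO-100", 10), Receipt("PO-101", 5), Receipt("PO-102", 15)]
INVOICES = [
    Invoice("INV-0042", "Acme Supply", "PO-100", 1250.00, 10),  # clean
    Invoice("INV-0043", "Acme Supply", "PO-101", 300.00, 5),    # billed above PO
    Invoice("INV-0044", "Acme Supply", "PO-102", 800.00, 20),   # 5 units never received
    Invoice("INV-0045", "Acme Supply", "PO-999", 75.00, 1),     # no such PO
]

if __name__ == "__main__":
    for group in find_duplicate_payments(PAYMENTS):
        print("possible duplicate payment:", [p.payment_id for p in group])
    for invoice_no, reason in three_way_match(INVOICES, PURCHASE_ORDERS, RECEIPTS):
        print(f"three-way match exception: {invoice_no} {reason}")
```

The normalization step is where most real duplicate-payment tools earn their keep: exact-match keys miss the re-keyed invoice that differs only in case, punctuation or a leading zero. The docstring on `three_way_match` carries the post's later point that an exception-free run is not assurance that the control is working; that assurance comes from testing the control itself, not from the absence of bad data.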
My preferred continuous audit work consists of tests (that are generally but not always automated) that provide assurance that the controls relied upon to manage the more significant risks are working effectively. Testing data does not provide assurance that controls are working: when the tests identify exceptions, that implies the controls are not working – but the absence of exceptions does not provide evidence that controls are operating and effective.
What do you think? Do you agree that these forms of continuous auditing should be performed by management (and are really continuous monitoring)?
Study assesses the cost of a data breach
A new study by Ponemon Institute, sponsored by Experian, has some interesting observations. It is unclear what level of executive responded to their survey, although they said they were all at least managers, 40% report to the C-suite, and 26% are direct reports to the head of marketing or similar.
The interesting ‘bits’ include:
- The hit to the corporate brand value was $180m to $334m (between 17% and 31% of total brand value).
- As a percentage of their organizations’ annual gross revenues, the economic value of reputation and brand ranged from less than 10 percent to greater than 5X.
- In some cases it could take longer than a year to recover and restore reputation and brand image.
- When asked to rank which information, if lost or stolen, would most diminish reputation or image, respondents say customer information would be the most devastating. This is followed by confidential financial business information and confidential non-financial business information.
- The average diminished value of the brand as a direct result of losing:
- 100,000 customer records: 21%.
- 100,000 employee records: 12%.
- Trade secrets, new product designs, source code or strategic plans: 18%.
- 82 percent of organizations had a data breach involving sensitive or confidential information. On average, they had 2.7 breaches in the past 2 years. Fifty-three percent say the data breaches had a moderate impact on reputation and brand image and 23 percent say it was significant. It is interesting to note that before having a data breach less than half had an incident response plan for customer data breaches in place. However, after the breach 76 percent say their organization put an incident plan in place.
- Data breaches involving confidential employee information are less frequent than data breaches involving confidential customer information. Less than half (46 percent) of the organizations in this study had a data breach involving the loss or theft of sensitive or confidential employee information. On average, organizations reporting such breaches had 1.5 in the past two years. Only 23 percent say such a breach had a moderate or significant impact on their organization’s reputation and brand image. While one-third say their organization had an incident response plan in place before the breach, 54 percent say they had such a plan in place following the breach.
- Most organizations have had a data breach involving the theft of sensitive or confidential business information. On average these have occurred 2.9 times in these organizations. It is interesting to note that of all types of breaches, the theft or loss of confidential financial information experienced by these organizations seemed to have the most significant impact. Forty-six percent say the impact was moderate and 29 percent say it was significant. Prior to having such a breach, 57 percent had an incident plan in place. However, after such an incident 80 percent say they put a plan in place.
The risk of poor investigations
The front page of the latest issue of ComplianceWeek (November 2011 issue) has a lead article entitled: “Shop Talk: Conducting Internal Investigations”. The article makes interesting reading and I want to supplement it with some comments about the risks created when investigations are not done well.
It is critical that the people who conduct investigations have the requisite skills and experience. This includes the ability to interview people (and know when the interview should or should not turn into an interrogation) without damaging employee morale, an understanding of the law, and an appreciation of the policies, laws, and regulations applicable to the alleged or suspected incident. I prefer investigators to be formally trained and, when it comes to fraud, prefer people with the CFE credential.
By the way, lawyers generally assume that they know how to perform investigations. They are very often mistaken. I have seen executives exonerated when it was obvious (to me) that the lawyers had not talked to everybody or seen all the evidence, and had reached the wrong conclusion.
It is also critical that the investigation be conducted with an open mind. Sometimes, evidence that the suspects are ‘innocent’ only comes to light late in the investigation.
Only the people who need to know about the investigation should have such knowledge. My favorite investigations are those I conducted without anybody – especially the ‘suspects’ – knowing, and where I was able to demonstrate that the allegation was without substance without damaging the ‘suspect’s’ reputation.
Finally, the investigation should be thorough – to the point that either credible evidence is present to dismiss the allegation or sufficient to take action that would be supportable if challenged in a court of law.
The risks include:
- Obviously, there is a risk that an employee may be inappropriately disciplined – with litigation to follow.
- The possibility of litigation by employees who believe their reputation has been damaged. This may apply not only to the ‘suspect’ but also to their manager and co-workers.
- The loss of valuable employees. Poorly conducted investigations can cause such a mess and destroy morale that key employees (even those not directly affected by the investigation) may leave.
- Damage to an employee’s reputation. Even if exonerated, if a manager knows that his employee was suspected, it is hard not to have that cloud the manager’s opinion of the employee.
- There is a risk that allegations will be incorrectly considered unfounded.
- The company’s reputation may be damaged if the fact of the investigation becomes public.
- Finally, the investigation can disrupt business by diverting attention from normal activities. I have seen a major investigation result in a drop in revenue of about 25%.
What risks have I missed? What precautions need to be taken?

