Can you use an ERM standard or framework to assess internal controls over financial reporting?
The short answer is “no”, because SEC rules require that the evaluation of internal control over financial reporting be based on a “suitable evaluation framework”. They have only recognized a limited number of internal control guides, including the COSO Internal Controls Framework (not the COSO ERM Framework, although it had been published when the SEC published its rules), the Canadian Institute of Chartered Accountants’ Guidance on Assessing Control (also known as ‘COCO’), and the Institute of Chartered Accountants in England and Wales’ Internal Control: Guidance for Directors on the Combined Code (known as the Turnbull Report). They have not recognized any risk management standard or framework to my knowledge.
But should we be able to use the COSO ERM Framework, the ISO 31000:2009 risk management standard, or another risk management framework/standard? What if the restriction was lifted?
Certainly, the assessment is supposed to be based on a top-down, risk-based approach. It should assess whether the risk of a material misstatement is very low (perhaps 5%). In other words, management’s risk tolerance (or criteria) is less than 5% likelihood for an impact that is material to the financial statements.
The typical approach includes:
a) Understanding the business
b) Identifying the potential sources of risk: accounts and disclosures that might include a material misstatement
c) Identifying and assessing the combination of controls that ensure that the likelihood of a material misstatement is very low
d) Obtaining evidence that those controls were operating effectively as of the end of the year such that the likelihood of a material misstatement was very low
This approach is certainly consistent with the guidance in a risk management standard or framework.
But the better question is whether that risk management standard or framework provides sufficient guidance for management in assessing internal control over financial reporting.
The answer is “no” (again).
A risk management standard, such as ISO 31000:2009, talks about understanding the internal and external context. It certainly does at least as much as the COSO Internal Control Framework when it comes to identifying potential sources of risk. But it doesn’t provide the detailed and practical guidance necessary to understand how internal controls address those risks.
It is true that COSO has evaluation tools but lacks (IMHO) useful guidance on how to select an effective and efficient combination of controls to address each potential source of risk. But that’s not sufficient reason to discard it. It does explain the nature of internal controls and how they can be found within the organization – and that has value.
I have yet to see a risk management framework or standard that provides sufficient detail about how internal controls operate to be used as the sole basis for an evaluation of internal control over financial reporting. Some may assert that because the COSO ERM Framework incorporates and extends the COSO Internal Control Framework, it can be used. But I think too much has been lost in the translation into an ERM framework and that the SEC was right only to recognize the COSO Internal Control Framework.
I am fine sticking with COSO Internal Controls Framework, supplemented by SEC guidance and other works (see below).
Do you agree?
If you are interested in optimizing your SOX program, please have a look at this new book from the IIA. It is the significantly expanded third edition of my Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners that has been downloaded about 200,000 times since the first edition was published in 2006.
The piece COSO and ISO forgot
Both COSO (their internal control and enterprise risk management frameworks) and ISO (risk management standard) focus on the reliable achievement of objectives.
But is that right?
Let me tell you a personal story. Many years ago, in a time lost to the ages, I was a young IT audit manager at a major public accounting firm in London. I was fascinated by the new microcomputers and had purchased a TRS 80 Model II from Radio Shack. I taught myself some Basic and was working late many evenings trying to write simple programs on this 16k device that used a portable tape recorder for external storage. I thought I could see how consumers and businesses of the (then) future would use devices like this and the new Apple II (for which I yearned). My senior manager suggested I bring the microcomputer into the office and show the IT audit partners. I was both excited and nervous, knowing that this embryonic device would only wow somebody with imagination. Sure enough, the senior partner huffed and mumbled something about wasting time on something that would never take off.
Now fast forward about three years. I am now the IT audit manager with the US part of the firm, responsible for the Los Angeles office. I am working with a client and talking to the CEO, who tells me that he can’t get his controller to use this new program called VisiCalc (one of the first spreadsheet programs). The CEO is fed up getting schedules from the controller with math mistakes that could be avoided if he used a simple spreadsheet. When I talk to the controller about getting microcomputers such as an Apple II or IBM, he huffs about “these toys” and sticking with what works.
Finally, let’s consider the mobile phone companies, like Nokia, that owned major shares in the global cell phone market. Nokia had about a 40% share of both revenue and profits. Their vision of the future did not include the dominant position that Apple would take with its iPhone. Nokia went from dominance to a 15% laggard.
The partners at my firm retained a vision that businesses would continue to run on IBM, Honeywell, ICL, DEC, and other mainframes. They were late to realize and be ready to develop capabilities and tools for the mini and then personal computers.
The controller at the Los Angeles company continued to use his adding machine and provide schedules with math errors. Not only was his boss frustrated, but the audit team was always finding errors in the financial statements.
Nokia failed to see the future as well, and its strategies had to be changed in crisis mode.
Looking at these three cases, each demonstrates a failure to adapt business objectives and adopt new strategies while the old ones continue to work.
Where am I going with all this?
Addressing risks to strategies, and the controls that minimize those risks and help you achieve your objectives, will fail when those are the wrong objectives and strategies.
I am a big fan of PwC’s 2007 report on the State of the Internal Audit Profession, looking forward to 2012. I criticized them when new firm leadership took a different slant in the next years’ reports, but have to give them credit for one thing: they suggested focusing on the value-drivers of the organization.
Whatever the type of organization (for-profit, not-for-profit, government, etc.), it exists to provide value to its stakeholders. Sometimes that is profits and dividends; other times it is waste disposal and other public services. PwC suggested that internal auditors understand the sources of value, and then assess whether the organization has good processes and controls to develop objectives and strategies to create and preserve value. Only then do you assess risks and related controls to achieve the objectives.
The Singapore paper on risk oversight also starts with understanding “the mission of the company and of the reasons it exists in relation to all its stakeholders”. It advises that:
“Effective risk governance provides the appropriate level of direction and control in:
- determining the goals and strategy of the company;
- pursuing those goals;
- identifying the risks which are present or which may arise when the company pursues its goals; and
- determining measures to mitigate the risks.”
When COSO and ISO guidance starts with the achievement of objectives, it misses the point that the objectives may be wrong. Risk and control managers may be helping the organization drive at speed towards and then over a cliff.
Risks need to be considered in setting objectives and strategies that create value. There are also the risks that the objectives and strategies are misguided, ineffectively communicated, and so on.
Controls exist (even though COSO advises otherwise) within the objective and strategy-setting processes. There are controls to ensure the right people are involved, have access to the information they need to set appropriate and achievable objectives and strategies, and then communicate them across the enterprise.
So what does this all mean?
- Let’s collectively urge those responsible for the COSO and ISO guidance to address the setting of objectives and strategies to create value
- Let’s consider the risks that the objectives and strategies are sub-optimal (which includes their being outdated), and
- Let’s consider how risk is taken into account within the objective and strategy-setting processes, and the controls that address those risks
What do you think?
OCEG GRC Maturity Survey
OCEG is now collecting data for their 2012 GRC Maturity Survey. This research study, which they conduct every two years, collects responses from individuals who serve in all of the relevant roles that make up a GRC capability.
Join the hundreds of executives and staff in compliance, risk, finance, audit, legal, HR, IT, operations and other core functions as a participant in the survey. Encourage your board members, corporate secretary and CEO to also participate in the short survey so that OCEG can report back to you on our findings based on both management and governance roles, industries, entity size and global regions. Participation is also encouraged from governmental bodies and a separate government report will be prepared if sufficient data is collected.
The survey addresses issues such as:
- The level of integration of risk, compliance and performance activities and controls
- The degree of confidence in ability to identify and manage risks and requirements
- The use of technology to support GRC capability
- GRC roles and organizational structures
- Metrics and measurement of capability operation and outcomes
- Realized benefits of integrated capability and negative effects of siloed operations
The full survey report will be available at no cost to everyone who completes the survey. Segmented analysis will also be developed with assistance from the University of Texas – Dallas Corporate Governance Center, and will be presented in a series of free OCEG webinars. This survey will provide information that you can use to build a business case for improving your organization’s approach to GRC. And, if you encourage all key GRC players in your organization to participate, you can use the questionnaire and the report as a tool for internal discussion as you seek to understand each other’s views.
Please pass this email along to your colleagues and contacts. OCEG had about 400 global participants in the 2010 survey and would like to expand our reach this time around.
One last note, you can start the survey now and return to finish it at another time, so don’t delay – just click the link below and begin.
(By Carole Switzer, President of OCEG)
The updated Malaysian Code on Corporate Governance – an interesting read
With the notable exception of the US, countries around the world have developed corporate governance codes. The typical approach is to require companies listed on the major exchanges to either comply with the provisions of the code or explain why they do not. Some, as in Malaysia, require companies to explain how they have complied.
The Securities Commission Malaysia has released an update of its code, first issued in 2000 and updated in 2007. It “sets out the broad principles and specific recommendations on structures and processes which companies should adopt in making good corporate governance an integral part of their business dealings and culture”. The code “advocates the adoption of standards that go beyond the minimum prescribed by regulation”.
The code defines corporate governance as:
“The process and structure used to direct and manage the business and affairs of the company towards enhancing business prosperity and corporate accountability with the ultimate objective of realising long-term shareholder value, whilst taking into account the interests of other stakeholders.”
Most of the code is straightforward and to be expected.
Of note are:
- Boards must ensure management has processes in place to manage the appropriate taking of risk, within an approved level of ‘tolerance’
- An internal audit function is required, reporting to the audit committee of the board
- Sustainability must be promoted
- The board must oversee and disclose diversity targets and policies
- Independent directors may only serve for 9 years, after which (if they continue) they are considered non-independent
- The CEO and chairman of the board must be separate individuals, the latter being an independent director
- Internal audit should not only provide assurance that the internal controls are operating effectively, but assess the effectiveness of governance, risk management, and internal controls processes
Here are some excerpts:
- The role of the board is to review, challenge and approve management’s proposal on a strategic plan for the company. The board brings objectivity and breadth of judgment to the strategic planning process as they are not involved in day-to-day management of the business. The board should satisfy itself that management has taken into account all appropriate considerations in establishing the strategic plan for the company. The board is also responsible for monitoring the implementation of the strategic plan by management.
- A basic function of the board is to oversee the performance of management to determine whether the business is being properly managed. The board’s obligation to oversee the performance of management contemplates a collegial relationship that is supportive yet vigilant. Therefore, the board must ensure that there are measures in place against which management’s performance can be assessed.
- The board must understand the principal risks of all aspects of the company’s business and recognise that business decisions involve the taking of appropriate risks. This is intended to achieve a proper balance between risks incurred and potential returns to shareholders. The board must therefore ensure that there are systems in place which effectively monitor and manage these risks.
- A key role of the board is to establish a corporate culture which engenders ethical conduct that permeates throughout the company. The board needs to formalise and commit to ethical values through a code of conduct and ensure the implementation of appropriate internal systems to support, promote and ensure its compliance. The code of conduct should include appropriate communication and feedback channels which facilitate whistleblowing. The board should periodically review the code of conduct. A summary of the code of conduct should be made available on the corporate website.
- The board should establish a policy formalising its approach to boardroom diversity. The board through its Nominating Committee should take steps to ensure that women candidates are sought as part of its recruitment exercise. The board should explicitly disclose in the annual report its gender diversity policies and targets and the measures taken to meet those targets.
- The Remuneration Committee should consist exclusively of, or a majority of, non-executive directors, drawing advice from experts, if necessary.
- It is important for the board to undertake an annual assessment of the independence of its independent directors. When assessing independence, the board should focus beyond the independent director’s background, economic and family relationships and consider whether the independent director can continue to bring independent and objective judgment to board deliberations. The Nominating Committee should develop the criteria to assess independence. The board should apply these criteria upon admission, annually and when any new interest or relationship develops.
- The board should determine the company’s level of risk tolerance and actively identify, assess and monitor key business risks to safeguard shareholders’ investments and the company’s assets. Internal controls are important for risk management and the board should be committed to articulating, implementing and reviewing the company’s internal controls system. Periodic testing of the effectiveness and efficiency of the internal controls procedures and processes must be conducted to ensure that the system is viable and robust. The board should disclose in the annual report the main features of the company’s risk management framework and internal controls system.
Isn’t it time for the US to put a comprehensive governance code together, replacing the various elements in Sarbanes-Oxley and elsewhere with a simple law that mandates compliance and disclosure?
Final results of COSO vs ISO risk management survey
For the last few months, I have been running a survey of risk experts on which risk management guidance they prefer: the COSO ERM – Integrated Framework, or the ISO 31000:2009 risk management standard. I am fully aware that there are others, but these appear to be the prevalent ones. The purpose was to obtain an independent view; prior surveys have been run either by COSO or by individuals clearly linked to ISO advocacy.
The survey went out through my blogs and also through Twitter and LinkedIn.
Although only 180 risk practitioners answered the survey (meaningful but not authoritative), the results were interesting and the comments even more so! So much so that I have made all the comments available for you to peruse in detail.
There were only two questions:
1. Have you read both the COSO ERM framework and the ISO risk management standard?
| Answer | Share of respondents |
|---|---|
| Yes. I have read both | 76% |
| No. I have only read the COSO ERM Framework | 12% |
| No. I have only read the ISO 31000:2009 standard | 7% |
| No. I have not read either | 6% |
2. Which do you prefer?
| Answer | Share of respondents |
|---|---|
| I prefer the COSO ERM Framework | 15% |
| I prefer the ISO 31000:2009 risk management standard | 52% |
| I have no preference. Either can be used effectively | 25% |
| I have no preference. I don’t think either can be used effectively | 8% |
The answers to the second question are not materially different if you exclude those who had not read both the COSO ERM framework and the ISO risk management standard.
As I said, the comments are illuminating (see link in the first paragraph).
The people who prefer COSO ERM did so because, in their view:
- It is comprehensive and has stood the test of time
- Is the standard that has been adopted by their regulators
- Their organization previously adopted it
- It links to the COSO internal control framework
- It has a better discussion of risk appetite
- It is stronger on corporate governance
- There is a better linkage to strategies and objectives
By way of contrast, those who prefer ISO 31000:2009 offered these opinions:
- Easier to understand and explain to others. User friendly
- Written by practitioners instead of accountants and auditors
- Clear, logical, intuitive, and practical
- A better ‘how to’ guide, easier to use when implementing risk management
- More focused on risk and less on audit and controls than COSO
- Represents best practice and the collective wisdom of global risk leaders
- Flexible, less prescriptive, easily tailored
- Has a top-down approach to risk management
Those who said that neither was effective had some strong comments, including:
- There is little evidence that either actually works. The best solution is to take the best of each and develop something that works for you
- Neither effectively articulates the difference between risk and uncertainty
- COSO ERM is too detailed and the cube is confusing. ISO 31000 is too high level
A number of people thought that the two should be combined, taking the best of each. One thought I liked was the need to consider risk management as an element of governance (including strategy and performance management) rather than as a separate and distinct activity requiring a separate and distinct standard or framework.
A few parting thoughts:
- All risk management practitioners should (IMHO) read both sets of guidance
- Board members and top executives responsible for risk management should be familiar with at least the executive summary of the selected guidance
- Empirically, based on my contacts with practitioners, awareness of ISO 31000:2009 is building and so is adoption
- I will write a separate post on my personal journey and share which I prefer and why
I encourage you to read the full set of comments and share your views.
Does your internal audit function really provide assurance?
When a young child wakes up, crying, a parent will gather it in his or her arms and say “it’s ok, dear. Everything is going to be all right”. The parent assures the child that there is no need to worry.
Does the internal auditor say the same thing to the members of the board? The image of the board is different from that of a helpless young infant. The board is a collection of mature individuals with extensive life experiences. But they share with a young child a need for assurance, a need to know that they don’t need to worry because the controls are in place, adequately designed and operating effectively, to manage risks at the desired levels.
Board members are not involved in the day-to-day operations of the organization. Yet they have oversight responsibilities regarding the management of risks and the provision of internal controls. Internal Audit’s assurance services should be designed to tell them whether they need to worry about those processes and controls.
Imagine your child has been taken to the hospital after a car accident. When the doctor approaches you, which of these would you like to hear?
Option 1: “David is going to be all right. He just has some bumps and bruises.”
Option 2: “We examined David. He has some bumps and bruises that are not high risk.”
If the doctor told me that he had examined David and found some bumps and bruises that are not high risk, I think I would immediately ask him “so David is going to be all right?” I would be worried until I heard that positive assurance.
When an internal audit report provides an opinion that spells out, clearly, that the controls over the risks covered by the audit are adequately designed and operating effectively (i.e., they manage the risk at acceptable levels), that is positive assurance that has high value to the board and to management stakeholders.
But when the audit report only provides a list of control weaknesses, even if the significance of those weaknesses is rated, that is called negative assurance. The board has to assume, because the report doesn’t say so, that “everything is going to be all right with these risks.”
Some internal auditors are reluctant to provide their formal written opinion, whether at the end of each audit for the scope of that audit, or at the end of the year for the overall system of controls over the risks that matter. There is more personal risk to the auditor when he or she provides a formal written opinion. That is true. But is it better to make the board and top management assume that, because you only found certain control weaknesses, overall everything is OK and they don’t need to worry? Is it acceptable to make the board evaluate all the reported control weaknesses to see if they add up to a conclusion that the risks are not effectively managed? Shouldn’t that be our job?
If you were on the board or in top management and asked the auditor about the results of their audit of an important area, would you be satisfied with a list of their findings? Or would you insist on their professional opinion of the adequacy of the controls in managing the risks?
Why should the board be satisfied with “our audit found these weaknesses” when they can be told “we found these weaknesses, but you don’t have to worry because overall the controls are adequate?”