Archive
Interesting initiative to combat corruption
I urge you to visit a site (after reading the rest of this post), http://www.ipaidabribe.com/, and see how citizen voices can start to be louder in the fight against corruption and bribery.
First, see this article in the Economic Times as a gentle introduction to the site and its purpose.
Then, watch this video by one of the founders.
Don’t think that this is limited to bribery and corruption in India, although that is where this all started. When you go to the site (now is fine), you will see that 8 other countries are now represented and 9 more are ‘coming soon’.
Bribery and corruption are not limited to these 16 nations. Can we get something started for the US, UK, and other nations?
I invite you to support this initiative and welcome your comments.
CIOs are stepping up as business innovators at long last
I have been writing about the need for CIOs and technology executives to step up and demonstrate through their ideas and leadership how technology can be used to transform their organization. I am not talking only about transforming business processes, but communication with and understanding of customers and the delivery of new or enhanced products and services to them.
Research by Cutter (the May 21st issue) indicates that the tide of progress seems to have started to turn. CIOs are not just relying on business leaders to set the direction and then advise on the technology that might help. They are not just reacting. They are starting to lead.
Over the last couple of years, the number of CIOs who see themselves as “key enablers for business innovation” has doubled to about 60%. The number who are reactive to business innovation has not changed much; it remains at about 30%. The difference lies in the number of those who don’t see business innovation as an important role for IT, and where IT is even seen as an impediment for business innovation.
But while CIOs may see themselves as key enablers, they still haven’t embraced a leadership role in “creating new opportunities for business innovation”.
I am an optimist. I believe the potential for technology to transform is immense. I also believe that if the current set of CIOs don’t step up they will be replaced – as CEOs realize they are being left behind.
Congratulations to Protiviti on 2013 SOX Survey
After a few years of criticizing Protiviti for the lost opportunities represented by prior years’ surveys, I am happy to say that this year’s publication (available here) is very much better and a useful read for boards, senior financial management, internal auditors, and external audit firm partners and lead managers.
I was pleased to see Protiviti was able to report that:
- More organizations are refining their scope using a top-down and risk-based approach to identify the combination of key controls to test. Prior reports indicated that management at many organizations had become complacent and accepting of their unrefined scope
- External auditors were increasing their reliance on the work of internal auditors. I like how Protiviti separated the results of reliance on management testing, first by whether it was performed by internal auditors, and then based on the size of the company
The tables showing the extent of reliance are useful, although they should have asked about reliance on management testing for high-risk key controls rather than assuming it was zero.
However, the extent of reliance is disappointing. Why do so few external auditors place reliance on management testing (especially when performed by internal audit) of at least 75% of both low and moderate-risk controls? I was able to achieve 80% reliance for all key controls at my last two companies!
SOX managers, internal auditors, executives and boards will find other information of use. For example, some will be interested in the analysis of automated key controls.
What do you like/dislike? Are you encouraged, discouraged, or left unmoved?
Further reflections on the updated COSO Internal Control Framework
I think it is time for all of us to recognize that the time for criticism of the updated Framework, and the bemoaning of lost opportunities, is past.
The update has been completed and the Framework is not going to be changed anytime soon.
So, let’s not just recognize the reality but celebrate the improved guidance. Yes, it is a net improvement over the 1992 version.
Bits I like:
- The update emphasizes that effective internal control is achieved when there is reasonable assurance that the risk of not achieving objectives is at acceptable levels.
- The definition of internal control is essentially unchanged. The differences are minor wording changes only.
- The need for judgment is also emphasized, not only in designing but in assessing internal control.
- Organizations can continue to use the top-down, risk-based approach to the assessment of internal control over financial reporting discussed in SEC and PCAOB guidance (and in my book)
- The description of Monitoring is unchanged from the 1992 edition. Although COSO has not withdrawn their guidance on Monitoring, they did not adopt the definition in that publication that includes (incorrectly in my view) the monitoring of transactions. That type of monitoring is a detective control activity.
Tell me. What do you like in the update?
Reflections on the updated COSO Internal Control Framework
I am still in the process of my detailed review of the update. However, I have already formed two opinions:
- The assertion that “an effective system of internal control reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives” is excellent and I am pleased that it comes before any discussion of principles
- The assertion that follows, that this (reducing risk to an acceptable level) requires that “each of the five components and relevant principles is present and functioning” creates a serious problem
Let’s examine the problem created by COSO saying that effective internal control requires that all relevant principles are present and functioning. I say ‘principles’ because the Framework asserts that no component can be assessed as present and functioning if there are major issues with any of the related principles.
Rather than taking an approach that requires that risks to the achievement of objectives be identified, and then an assessment made as to whether the combination of controls across all components of the Internal Control Framework reduces the level of risk to acceptable levels (i.e., a top-down, risk-based approach like those recommended in PCAOB, SEC, and IIA guidance), the assessor is directed to assess the principles. This creates a high risk, highlighted by many commentators on the drafts submitted earlier for review, that the assessment will be based on a checklist: a checklist formed by the principles.
Now an argument can be made, requiring some contortions of logic, that the same result as a top-down and risk-based approach is achieved because the principles include the required steps of a risk-based approach (principle 7 refers to the identification of risks, principle 10 identifies control activities that “contribute to the mitigation of risks to the achievement of objectives to acceptable levels”, and principle 11 talks about IT general controls – though they should be included in principle 10). Then, so the logic goes, the assessment is made as to whether there are any major deficiencies (i.e., one that “severely reduces the likelihood that the entity can achieve its objectives”). Does this, in fact, result in the same assessment?
Possible, but unlikely.
- As we know from PCAOB and SEC guidance and our experience on SOX assessments, indirect entity-level controls do not necessarily result in a higher risk of failure to achieve objectives (in the case of SOX, the objective is a set of financial statements free from material misstatement). Indirect entity-level controls only create a higher risk that direct controls will fail. Then it is up to the assessor to determine whether, especially considering the quality of monitoring controls, the risk to objectives is greater than acceptable levels
- The determination of a major deficiency (see above) is not whether the risk to achievement of objectives is greater than acceptable levels. That assessment, requiring judgment, still has to be made but is not referred to as far as I can tell in the updated Framework
- I believe it is likely that an assessment based on the principles rather than risks to the achievement of objectives will result in (a) assessment of principles that are not relevant to the assessment of risk to achievement of objectives, and (b) a failure to consider all the key controls (using SOX language) relied upon to reduce the level of risk to objectives to acceptable levels
Why do I believe this? Just look at the COSO (or PwC) suggested templates for assessing internal control. Do they take a top-down, risk-based approach, or do they instead ask for an assessment of the principles, with yes or no answers and no reference to acceptable levels of risk?
I suspect that over time we will learn how to use the updated Framework while remaining true to the top-down and risk-based approach. But, in the meantime I fear that many will lose their way.
Until now, the choice has been rules-based or principles-based. I always thought that in the case of internal control, principles-based referred to the principle that internal control is not perfect and only provides reasonable assurance that risks to the achievement of objectives are at acceptable levels. PwC and COSO have blurred, in my opinion, the distinction between rules-based and principles-based. I just wish they had gone for “risk-based”.
I welcome your comments.
SAP’s Secret Recipe for GRC
It is true that SAP has been selling a number of what it calls GRC solutions. (Now that I have retired from SAP I can tell you that I wish they didn’t call them that – which I will explain later.)
It is also true that the so-called Big 4 accounting firms have been explaining how organizations can address their SAP enterprise application access issues using SAP GRC.
So, the first secret, known only to a few, is that what the Big 4 are talking about is SAP’s Access Control suite. (Yes, it is actually a suite of several modules. Some customers make the severe mistake of only implementing a few, easy ones, instead of all of them – but that’s a topic for another post.)
SAP actually has several applications included in its GRC solution set: for enterprise application access, enterprise risk management, continuous monitoring and auditing (including risk monitoring), and global trade management. The middle two (Risk Management and Process Control) are quite nicely integrated, so that risk managers can link risks to controls and obtain assurance that the risks are being addressed by effective controls. The last one, Global Trade Solutions, is probably the market leader in its category but I would argue it doesn’t really fit into the typical “GRC” bucket. It enables management to comply rather than provide capabilities for monitoring compliance. Personally, I love it and would have been a very strong advocate for acquiring it at several of the companies where I was an executive. But, I wouldn’t call it a GRC solution.
The second and bigger secret is that SAP offers far more to those looking to improve their GRC processes than what is included in their GRC solution set. For example, if I were to take (as I have before) an executive position in risk management, compliance, or internal audit at an SAP customer, I would consider the following:
- The core of my risk management program would be provided by SAP’s Risk Management solution. (Clearly, there are competitive products that would have to be considered, but let’s assume that the value of a consistent technology across my IT infrastructure, the availability of technical support, the continuing investment by SAP, and the potential for integration – discussed in a moment – means that SAP wins.)
- In addition to the automated risk monitoring capability offered by that solution, I would use SAP’s analytics solutions (in all their forms) to monitor risk levels and warn me when they are outside my risk criteria. That would include using mobile analytics solutions to put risk management information in the hands of the executives and managers running the business.
- I would use Process Control (or a competitor) for multiple purposes: (a) to manage my SOX program, (b) to automate the testing of configurable and other automated controls, (c) and to implement monitoring (i.e., detective) controls that might replace or, at least, augment my preventive controls.
- SAP has a number of other solutions that I would consider for risk and transaction monitoring, including within their Treasury and Cash Management, Hedge Management, Trade and Commodity Management, and other solutions. Sybase (an SAP company) has an interesting product called Event Stream Processor that can be used in real time to test activities against defined rules.
If I were, as I said, an executive responsible for improving my organization’s GRC processes, I would not simply go out and get a so-called GRC solution or GRC platform. No. I would understand and define my particular business needs. As a strong proponent of managing risk at the speed of business and providing assurance that risks are managed at that speed, I need a core repository kind of program that is nicely integrated with continuous monitoring and analytics capabilities.
Maybe there’s a better set of solutions for an SAP environment than those offered by SAP. Maybe. But I have yet to see it. It is going to be difficult to persuade me that the advantage SAP has (with (a) its risk management and analytics applications built on the same technology as each other and the enterprise applications, (b) being the largest enterprise application software company in the world, and (c) also being, I believe, the largest GRC software company in the world) doesn’t overwhelm the advantages niche vendors may have with individual points of functionality.
Oh, I said I would explain why I don’t like SAP calling their solutions “GRC”.
- What is GRC?
- Perhaps because SAP only (or mainly) talks about its GRC solutions, people don’t know SAP has a pretty good risk management solution
- Organizations should be looking to address their specific needs instead of acquiring a GRC platform whose functionality is designed to meet an analyst’s needs, not necessarily theirs.
I welcome your views and commentary.
PS – Some of my semi-retirement activities are sponsored and supported by SAP, but all the opinions I share are mine and mine alone – without influence from SAP.
Why it makes sense to consider GRC
I recently criticized organizations’ focus on GRC, suggesting instead that they ensure the individual building blocks of risk management, compliance, strategy, and performance management are brought up to at least a moderate level of maturity.
But, there is true value in considering GRC within your organization – without taking away from the points I made in that earlier post.
GRC refers to “a capability to reliably achieve objectives (governance & performance) while addressing uncertainty (risk management) and acting with integrity (compliance)”.
The message behind GRC is that all of the different pieces described and included in that definition of GRC need to work together, in harmony and an orchestrated fashion, if the organization is to optimize performance and reliably achieve objectives. For example:
- If strategy is developed and only then is risk considered (instead of formulating strategy after understanding risks and opportunities both within the organization and in its business environment), you may set the wrong strategies and objectives.
- If performance is evaluated, monitored, and managed without an integrated understanding of risks or compliance considerations, you are unlikely to optimize results.
- If politics and other factors cause the organization to fail to share information and resources, and to have redundant and siloed operations, you are unlikely to perform.
- If the compliance function is always chasing after initiatives and plans so it can add compliance bandaids, instead of being on the bus from the beginning, failure is likely.
I think organizations need to build out the maturity of the individual pieces of GRC while ensuring that they don’t result in silos, and with a vision of orchestration and harmony across the organization.
Since the failure to harmonize is most often the result of the sickness we call internal politics, this needs to be monitored, diagnosed, and treated aggressively.
I welcome your views and comments.
John Fraser talks sense about risk management
John Fraser is a highly-respected Canadian risk and audit practitioner. He introduced and then for 13 years led the risk management program at Hydro One. John shares his wisdom on effective risk management with both common sense and humor. I like his book on ERM, which you can find on Amazon.
In a new piece, John uses the scenario of a board chairman addressing the board to explain enterprise risk management. It is an easy read, useful for directors, executives, and practitioners.
I particularly like and agree with these comments:
- [The Chief Risk Officer (CRO)] will report directly to the chief executive officer (CEO) and will champion and coordinate our approach to ERM. Accountabilities for managing risks will remain with line managers as before. The CRO role will provide ways to help us view risks from across our company and to better allocate our resources. The CRO will be a support function helping the management team with reporting to the board, and in coordinating risk activities across the organization
- [Risk criteria] will help decision makers across the company understand how much risk is tolerable, what is intolerable and where further action is required. These criteria (often referred to as risk appetite, risk attitude or risk tolerance by some) will be updated by management and reviewed by the board at least annually
- ERM will also involve better and more explicit integration of risk considerations into the strategy development, business planning and execution processes. Everything we do as a company should be done to treat and optimize the risks and uncertainties to achieving our long-term strategic plan
- We expect that the use of ERM will make everyone’s job easier by leading to greater transparency and foresight into how we manage risks across the organization and this in turn will lead to us achieving our goals with even greater success in the future
John is a big believer in risk workshops, which he used at all levels of the organization including with the board. I agree that they are essential and very valuable, but also believe that some decisions need to be made at speed – when there is little time to convene a workshop. My philosophy is that risk workshops should supplement but not replace a management that is trained and equipped to manage risk as part of everyday decision-making.
One interesting aspect of the risk management program at Hydro One was the edict by the CEO that capital would be allocated based on risk prioritization. Every request for capital had to identify the risk(s) being addressed. This worked well for them in their environment. I am not sure it would work as well in other business environments, but it remains a thought-provoking idea well worth careful consideration.
I welcome your consideration of John’s piece and my comments.
Is serving on an audit committee a job to love or fear?
Lucy Marcus is recognized as a governance expert and has served as chair of audit committees for many years. In a piece for Reuters, she called serving on an audit committee “the toughest job you’ll ever love”. I recommend reading her post and listening to the video that shows her answering questions about the HP and Autonomy affair.
I have worked with audit committees for over 20 years, with many directors for whom I have admiration and great respect, and a few who contributed less than they should.
It is a tough job, and I have some pieces of advice for those willing to take it on:
- Ensure you make the time the job requires. Unfortunately, some fail to read their briefing packages until (at best) the day of the meeting or (at worst) during the meeting. If you cannot afford the time, it is time to leave.
- Don’t treat it as something you do only when there are board meetings. Stay on top of issues and talk to members of management as often as it takes.
- Don’t be afraid of asking questions and demanding answers. If management says “we will get back to you”, make sure they do.
- Make sure you, as members, own the committee agenda. It is your committee and you should not permit management to dictate either the time, duration, or content of meetings.
- Make sure management understands what you need and expect in terms of information: what, when, how, and in what manner it will be delivered – and also ensure you have sufficient detail to understand the issues and ask the right questions.
- Make the time to get to know the key players, including not only top management such as the CEO and CFO, but other critical sources of information such as the Corporate Controller, Treasurer, Head of Taxes, Chief Risk Officer, and the Chief Audit Executive. Spend time with them and their staff as necessary – and listen, listen, listen.
- While it is important to build a relationship with the external audit partners and make sure you have confidence in their abilities, recognize that their level of insight into daily operations and risk-taking is limited. I had a CFO who told the board that “If you want to know what is really going on, ask the internal auditor”.
- Ensure you understand the business, its strategies, financial information, risks, key personnel, etc. How can you govern effectively if you don’t?
- Get to know the other directors and talk, without management present, about the issues and challenges.
- While it is easy to bond with management, the job of the board and especially of the members of the audit committee is to provide oversight. Clothe yourself with an appropriate level of professional skepticism and ask questions until you are satisfied with the answers.
I welcome your views, especially additional advice for audit committee members.
EY gets a “B-” for their IT audit guidance
Recently, Ernst & Young published advice for internal audit functions regarding their IT audit work. Ten key IT considerations for internal audit starts out in brilliant fashion by pointing to the need to:
- Identify and understand the “risks that matter” (an expression I have been using and advocating for some time)
- Invest in the risks that are “mission critical” to the organization, and
- Effectively assess risks across the business
Three positive and excellent points towards a high review score!
But, then they falter:
- They focus on the weeds of IT audit, instead of making sure that internal audit as a whole is focused on the risks that matter, including those relating to technology. Guidance should not be aimed at the senior IT auditor, but to the chief audit executive (CAE) and the board
- They talk about traditional so-called “IT risks”, such as information security, cloud, social media, and privacy, instead of upgrading their (and our) thinking by reflecting on risks to the business as a whole – the risks that matter and are mission critical to the organization – and how they are affected by failures to use and manage technology well
- They suggest a separate IT risk assessment, rather than a fully integrated business risk assessment
These days, as InformationWeek (March 18 issue) proclaims on its cover page, it’s “Goodbye IT, Hello Digital Business”. When CEOs are looking to technology as the #1 way to reach customers, deliver new products and services, and grow the organization, internal auditors and the boards they serve should be thinking large: what are the mission critical organizational objectives, and how might they be affected (positively or adversely) by the use or misuse of technology? Instead of, as EY suggests, talking about ‘availability’, talk about the potential that new mobile payment applications might be unavailable, resulting in customers moving to competitors.
EY missed some major issues as well:
- With technology being the #1 enabler for growth and strategy, the CIO needs to step up. He needs to change from being the janitor, responsible for maintaining the IT infrastructure, to the strategic visionary that helps guide the organization to new heights built on some of the latest technology. The CAE and the IT audit team need to be concerned with whether the full potential value is being obtained from technology – a major aspect of IT governance
- With more code being written for mobile than any other platform, and more and more mission-critical functionality being delivered on (not just through) mobile devices, mobile app change management moves to be one of the greatest technology process risks
This week, I will be speaking at the ISACA North America CACS Conference. My main message is that when 80% of business risks relate to technology (a situation which is not far away), the IT audit function will have to be mainstream – and resourced to address 80% of the audit plan.
It is time to rethink the whole idea of IT audit as a specialization. Maybe it should be mainstream and finance becomes the specialization!
I welcome your thoughts and comments.
Boards should be concerned about their CEOs
A recent post on the Harvard Business Review site, What CEOs Really Think of Their Boards, makes interesting reading.
While the author’s early message is that boards need to tone down their oversight and “not adopt an adversarial, ‘show me’ posture toward management and its plans”, I think the real lesson to be learned from hearing what CEOs have to say is that careful, skeptical, oversight by the board is an absolute necessity more often than not!
But, before going further I should pay homage to some of the fine CEOs I have worked with, including Tom O’Malley (Tosco), C.S. Park (Maxtor), and John Schwarz (Business Objects). Each was a fine balance of vision, leadership, entrepreneurship, and integrity.
Boards should tune their skepticism to each situation. When an executive has built and earned their trust, they will dial it down. Yet, when a proven executive floats an ambitious idea, they should exercise their oversight responsibilities with care and diligence.
What was it that rang some alarm bells for me? First, let’s consider that the great majority of board members are former or active CEOs themselves, followed by CFOs and others highly experienced in executive leadership. Any criticism of these people for being overly cautious, when their backgrounds and experiences are similar to the CEOs delivering the criticism, does not ring true. In fact, when natural risk-takers become cautious, I have to believe they have good reason.
Some quotes:
- In theory, a board should serve as a check on a “cowboy CEO,” as one executive puts it. In reality, it can rein in boldness too tightly.
- CEOs complain that boards often lack the intestinal fortitude for the level of risk taking that healthy growth requires. “Board members are supposed to bring long-term prudence to a company,” as one CEO says, but this often translates to protecting the status quo and suppressing the bold thinking about reinvention that enterprises need when strategic contexts shift.
- CEOs are especially frustrated when directors’ risk aversion is driven by fears of bad press. They note that the rise in stakeholder and proxy-analyst pressures has made directors sensitive to any decision that might provoke a negative reaction from the media, proxy-advisory firms, institutional analysts, or activist investors.
Later in the paper, the author covers some important, but well-known, points about feeding the board with relevant and timely information, diversity, constructive and open dialogue, and the need for mutual respect. On balance, this is an interesting and useful read.
I welcome your views and comments.
The Barriers to Effective Risk Management
Earlier this year, an interesting article on CFO.com considered the risk management practices at 10 major global banks. While they found that each of the banks considered risk management (or, ERM in the words of the author) a strategic priority and recognized that “risks of all kinds — not just credit, market, and liquidity risks — can threaten their performance and even their viability”, translating the intent into practice ran into several significant barriers:
- Operating in default mode. By this, the author refers to the board deferring to the CEO, who in turn defers to the CRO (chief risk officer). While the author seems more concerned that the board is not actively involved, I am more concerned that risk management is left to the CRO rather than being seen as the responsibility of every manager at every level of the organization. The responsibility for managing performance should not be separated from the responsibility for managing risk, and this is exactly what is likely to happen when the CRO is seen as responsible for risk management
- Ambiguous mandates and limited resources. Budgets are allocated for operational activities, with no time left for holistic risk management. Again, my point is that operational activities must include risk management
- Risk is siloed in functional and business verticals. The article expresses this well: “Below the level of CRO, risk officers oversee tightly defined areas of an organization’s risk — and lack the authority and credibility to influence the wider organization. In fact, the risk function itself is often a silo, largely devoted to setting and monitoring quantitative risk parameters and leaving holistic risks, such as reputational risk, to others”
- There is no mechanism for addressing risk holistically. This is a continuation of the prior point: nobody is considering the interrelationship and potential aggregation of risk across the organization
As a result, says the author, risk management “remains fragmented and provides poor visibility of risks”.
I like the point that appointing a CRO is just consolidating the risk silo into one organization, still separated from operating management’s responsibility.
Although I differ from the author’s opinion that risk management should be driven from a board perspective down, I wholeheartedly support the article’s ideal:
“Everyone comes to own enterprise risk individually. Over time, the institution creates — and continually refreshes — a culture in which it becomes second nature to strive for the ultimate goal of ERM: an enhanced capacity to increase stakeholder value by more effectively dealing with the risks and opportunities offered by uncertainty”
My opinion is that while the article has detailed some important obstacles, the most important is that those who direct and manage the organization, including the risk officers, have not fully appreciated the true value of risk management. It lies in these two statements:
- Risk management informs and enables better decisions, not only at the board and executive levels but every day by operating management
- Risk management helps you take the right risks
I welcome your views.
Financial services firms confused about risk management
Last year, I heard a senior consultant from one of the large firms explain their approach to risk management. It focused on ‘risk and reward’ and why it is important to understand risk so you can balance it against the potential for reward. Her presentation was entirely about the positions her financial services clients might take in the financial marketplace, and how to determine which ones were desirable and within the firm’s ‘risk appetite’ and which were not.
Today, I was sent a link to the Law and Public Policy blog at Wharton and a piece Re-thinking Risk Management: Why the Mindset Matters More Than the Model. The authors try to extend the thinking about risk management in financial services organizations and make a few good points, including:
- Experts at Wharton and elsewhere argue that too much blame is being placed on the risk management model and other tools of the trade, in banking and beyond. The models are not necessarily broken, but instead are only as good as the decisions that get made based on them, they say. As a result, the current crisis may represent an opportunity for companies to re-visit and re-think historical approaches to risk management. When it comes to planning for the future, the new thinking goes, it is not just the model that matters, it is the mindset.
- Risk taking remains what managing is all about, and not just in financial services but in every industry. Indeed, from an economic perspective, all firms fundamentally are in the business of taking risks based on their core capabilities.
- Whatever industry you consider, it is always the same pattern. Things are getting faster, and therefore we need to make decisions faster, but based on information that we often don’t have.
- The definition of “business intelligence” is expanding from a focus on operating performance to increasingly include monitoring risks, both inside and outside the organization.
- “Strategy is making choices under conditions of uncertainty. And you cannot make the right strategic choices without understanding your industry and how much risk you need to take on.”
- Risk management promises to become an even more central part of managing any business. In Danone’s case, for instance, risk considerations are now embedded at multiple stages during the course of business — at the strategic planning stage, the budgeting stage, etc. — and should be discussed more often during quarterly reviews and whenever there are major changes or new projects.
The authors are on the right track, in my opinion, but still have a long way to go. They have recognized two major issues with ‘traditional’ risk management at financial institutions: (a) an over-reliance on models without adding a layer of common sense, and (b) risk management is about far more than just the potential for loss on financial instruments and positions. It’s about all the uncertainties in the path of the organization, both internal and external, and their potential effect on the ability of the organization to achieve its objectives.
Think of a driver traveling along the freeway. While navigating heavy traffic, he is on his iPad: reading the news, monitoring the market, and trading puts and calls. He is the ‘traditional’ risk manager, managing risk to his portfolio but blind to the risks around and inside his vehicle.
Where the Wharton piece fails, in my opinion, is implying that it is adequate to manage the non-financial risks once or twice a year. Consider this quote from an executive at Danone: “Top managers are convinced of the necessity to use enterprise risk management. We now have an effective working session with part of the executive committee twice a year. And we continue to rely on yearly updates of the risk maps of all major business units worldwide.”
Executives and boards of financial institutions should, in my opinion, understand that risk management is about making more intelligent decisions every day – not only with respect to the trades the driver should make on his iPad, but to avoid braking cars and navigate icy conditions on the freeway of business.
Deloitte Provides Advice on Risk Assessment
A new Risk Angles issue from Deloitte, Five questions on risk assessment, takes a few commonly asked questions about risk assessment and provides short answers to each. The two page document is an easy read and I recommend it for boards and executives, as well as practitioners.
I particularly like these quotes:
- “Your risk assessment process should incorporate monitoring activities as dynamic as your business and the threats and opportunities it faces”
- “Some organizations are developing near real-time monitoring capabilities for internal and external conditions using big data mining, text analytics, and data visualization techniques. These mission control centers can feed actionable information to decision makers and form the basis for a dynamic risk assessment process”
- “An effective risk assessment may equip leaders with the information they need to take advantage of value-creating risks”
- “Technology can make it easier to micro-target particular audiences and risk challenges, analyze large amounts of data from different parts of the business, and develop actionable intelligence. But technology is only as good as the underlying processes you have in place, and the people running them”
- “Trying to define a single risk appetite for an organization is usually not practical. In reality, different organizations have different appetites for achieving certain types of objectives — or not achieving them at all”
The piece is fine as far as it goes. I only wish it would ask and answer questions that would help ensure the risk assessment process is capable of addressing all significant risks to the achievement of objectives. For example, few consider the uncertainty inherent in operating assumptions and the actions necessary to optimize potential outcomes. This is discussed in an earlier post of mine, Why I worry first about Uncertainty and then about Risk.
I welcome your comments.
Audit reports should be written in the language of the business
Most internal audit departments have evolved from reporting on controls to reporting on how well risks are managed. But when they discuss issues, they usually still talk in terms of the controls failing, perhaps rating them as “high risk”, “medium”, or “low”.
But what does that mean?
Does “high risk” mean something important to the members of the board and executive readers of the report?
They will understand that internal audit thinks it is important, but how do they relate it to their activities, responsibilities, and goals?
Let's turn to a metaphor.
If a city inspector knocked at your front door and told you he had been inspecting the road near your house and needed to inform you that the surface was ‘high risk’, what would it mean to you?
I think you would reflect on how this might impact you. You will think about how you use the road, how others use it, and your responsibilities for maintaining it.
You might ask the inspector questions, such as “how is it ‘high risk’? Is it unsafe for me or for others? Are you going to close the road so I can’t leave my home? What needs to be done, by when, and how does that impact me?”
In other words, you are trying to find out how the finding represents a risk to your objectives, and which ones are affected. Then you will form your own opinion of the severity of the risk.
So, when it comes to an internal audit report, shouldn’t internal audit discuss issues in terms of the level of risk to specific management objectives?
If internal audit says “this is ‘high risk’”, they are not communicating in a way that is helpful to readers of the report.
If instead the report says the issue represents a “high risk to accounts payable”, they still leave the reader ill-informed.
But, what if they say that a potential impact of the control failure is that there is a “high risk that vendors will not be paid in time, leading potentially to delays in receipt of materials required in manufacturing, damage to the company’s credit rating, and delays of shipments to customers”?
Now internal audit is talking in the language of the business, communicating effectively, and enabling management and the board to act.
I welcome your comments.
Aligning the board, risk management, and internal audit
What is the executive leadership team (ELT) and the board worrying about? What are the topics on their agenda?
They are discussing these topics because they represent either opportunities to add shareholder value (such as major projects, acquisitions, etc.) or threats to that value – to the achievement of corporate goals, strategies, and objectives (such as the actions of competitors). They determine what actions to take and measure progress.
When the ELT and the board evaluate these opportunities and threats, then decide what actions to take, they are managing risk. They are understanding and responding to uncertainty with the objective of optimizing outcomes: increasing the likelihood of positive results and minimizing the negative.
If the ELT and board are to be successful, they need both the risk management and internal audit functions to be aligned with them. Risk management helps ensure they have all the information they need to steer the organization. Internal audit provides assurance that the processes involved in obtaining information can be relied on, and that the ship will respond to directions from the bridge.
Do the leaders of risk management and internal audit always understand what is on the ELT and board agendas? Do they have access to the bridge of the organization, so they understand what the captain is trying to do?
If the craft is to successfully navigate treacherous waters, taking advantage of tailwinds and clear channels:
1. The ELT and board must ensure they communicate to risk management and internal audit leaders what items are on their agenda
2. The latter leaders must ensure that they receive and act on that information
Do you agree?
Advice on scoping SOX work on segregation of duties (SOD) and restricted access (RA)
Many organizations do far too much work on these areas, primarily because they scope the work in isolation from their top-down approach to the identification of key controls. They base their scope on good business practice, and/or a list of ‘rules’ from a consultant or software vendor, rather than focusing on the access limitations necessary to prevent an action that might lead to a material misstatement of the financials.
The following discussion is taken from my book, Minimize Costs and Increase the Value of Your Sarbanes-Oxley 404 Program: Management’s Guide to Effective Internal Controls, published by and available from the Institute of Internal Auditors (just $35 for members in hard copy, $25 as a PDF download).
Segregation of duties and restricted access controls must be identified, assessed, and tested where they are key controls. (A key control is one that is relied upon to either prevent or detect a material misstatement of the financials.) Key SOD and RA controls include those that:
- Are required for an authorization control to be effective. For example, if the business control requires that all purchase orders be approved in the system by the purchasing manager, it is critical to ensure that only the purchasing manager has that capability.
- Reduce the risk of a material fraud that could be reported incorrectly in the financial statements.
With restricted access and segregation of duties, there is a risk of doing more work than is required for Sarbanes-Oxley. While there are excellent business reasons for restricting access to only those functions individuals need to perform their assigned tasks, it is important to remember that only fraud risk that is both material and also misstated in the financials is within scope for Sarbanes-Oxley.
This last point is important. Many companies test SOD using a standard set of “rules” (combinations of access privileges deemed inappropriate) that have been provided by a consultant or vendor. While they may represent a risk to the business (at least in theory), they may not represent a risk of material misstatement for your organization. The rules used to drive SOD testing should be based on the top-down, risk-based approach described above, to support a key control or reduce the risk of a material fraud.
As an example, at a company where I was responsible for the Sarbanes-Oxley program, both the external auditor and the internal auditor (at that point, the internal audit activity was outsourced) had tested user access consistently for several years. They each used a standard set of more than 150 rules to identify (a) access to important ERP transactions, and (b) SOD conflicts where one individual would have the ability, using a combination of ERP transactions, to commit a fraud. When the Sarbanes-Oxley team changed to a risk-based approach, concentrating on testing access rights that represented a risk of material misstatement, the number of rules was cut to about 20.
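To make the top-down approach concrete, here is an added illustration (my own example, not taken from the book or from any vendor's rule set) of an access review in which every SOD or RA rule carries a flag saying whether it supports a key control or a material fraud risk. Running the same review with the flag enforced shows how the scope shrinks to the rules that matter for Sarbanes-Oxley. The ERP transaction codes, roles, user names and rules are all constructed for the example and are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# --- Constructed sample data: hypothetical ERP transaction codes, roles and users ---
ROLE_TRANSACTIONS: Dict[str, Set[str]] = {
    "BUYER": {"PO_CREATE"},
    "PURCHASING_MANAGER": {"PO_APPROVE"},
    "AP_CLERK": {"VENDOR_INVOICE_ENTRY", "PAYMENT_RUN"},
    "AP_SUPERVISOR": {"VENDOR_INVOICE_ENTRY", "PAYMENT_RUN", "VENDOR_MASTER_CHANGE"},
    "REPORT_VIEWER": {"REPORT_DISPLAY"},
}

USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"PURCHASING_MANAGER"},
    "bob": {"BUYER", "PURCHASING_MANAGER"},   # a buyer who was also granted approval rights
    "carol": {"AP_SUPERVISOR"},
    "dave": {"BUYER", "AP_CLERK", "REPORT_VIEWER"},
}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    kind: str                     # "RA" (restricted access) or "SOD" (segregation of duties)
    transactions: FrozenSet[str]  # the restricted transaction, or the conflicting combination
    sox_key: bool                 # True only if the rule supports a key control or a material fraud risk
    rationale: str
    allowed_users: Optional[FrozenSet[str]] = None   # RA rules only


# Hypothetical rule set: three rules tied to material misstatement, one "good practice" rule.
RULES: List[Rule] = [
    Rule("RA-01", "RA", frozenset({"PO_APPROVE"}), True,
         "PO approval control relies on only the purchasing manager being able to approve",
         allowed_users=frozenset({"alice"})),
    Rule("SOD-01", "SOD", frozenset({"PO_CREATE", "PO_APPROVE"}), True,
         "self-approval of purchase orders defeats the authorization control"),
    Rule("SOD-02", "SOD", frozenset({"VENDOR_MASTER_CHANGE", "PAYMENT_RUN"}), True,
         "fictitious-vendor payments: material fraud that misstates expenses and payables"),
    Rule("SOD-03", "SOD", frozenset({"PO_CREATE", "VENDOR_INVOICE_ENTRY"}), False,
         "good practice only; three-way match and approval limits keep the exposure immaterial"),
]


@dataclass(frozen=True)
class Finding:
    user: str
    rule_id: str
    sox_key: bool
    detail: str


def effective_transactions(user: str) -> Set[str]:
    """Union of the transactions granted through every role the user holds."""
    txns: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        txns |= ROLE_TRANSACTIONS.get(role, set())
    return txns


def evaluate_rule(rule: Rule, user: str, txns: Set[str]) -> Optional[Finding]:
    """Return a Finding if the user's effective access breaks the rule, else None."""
    if rule.kind == "RA":
        # Anyone outside the allowed set who can execute the restricted transaction
        if rule.transactions <= txns and user not in (rule.allowed_users or frozenset()):
            return Finding(user, rule.rule_id, rule.sox_key,
                           f"holds {sorted(rule.transactions)} but is not an allowed user")
    elif rule.kind == "SOD":
        # A conflict exists only when one user holds the whole combination
        if rule.transactions <= txns:
            return Finding(user, rule.rule_id, rule.sox_key,
                           f"holds conflicting combination {sorted(rule.transactions)}")
    return None


def run_review(key_controls_only: bool) -> List[Finding]:
    """Apply the rule set; with key_controls_only=True only SOX-scope rules are tested."""
    in_scope = [r for r in RULES if r.sox_key or not key_controls_only]
    findings: List[Finding] = []
    for user in sorted(USER_ROLES):
        txns = effective_transactions(user)
        for rule in in_scope:
            finding = evaluate_rule(rule, user, txns)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for label, flag in (("all rules", False), ("SOX key controls only", True)):
        found = run_review(flag)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  {f.rule_id:7} {f.user:6} {f.detail}")
```

The point of the `sox_key` flag and its `rationale` is that every rule in the SOX scope can be traced back to a key control or a material fraud risk; a rule that cannot be given such a rationale belongs in the business-practice review, not in the 404 program.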
Is your SOX scope based on a top-down, risk-based assessment when it comes to SOD and RA?
Please share how many rules you test (tests of SOD and/or RA).
Why I worry First about Uncertainty and then about Risk
One of the reasons I prefer the ISO 31000:2009 global risk management standard to COSO’s Enterprise Risk Management – Integrated Framework is the difference in the way they each treat the concept of uncertainty.
The ISO standard’s Introduction starts with this:
“Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization’s objectives is ‘risk’”.
COSO’s ERM Framework’s Executive Summary similarly and appropriately starts with a discussion of uncertainty:
“The underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept [italics added for emphasis: ndm] as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.”
So both discuss uncertainty, but I struggle with the idea that you accept different levels of uncertainty (per COSO) rather than decide whether the potential effect is acceptable (i.e., the ISO approach).
This is especially true when you consider that uncertainty may have a range of possible effects, some of which may even enhance your ability to perform.
As an organization looks to its future, it establishes a vision, goals, and objectives together with strategies and plans for achieving them. But, the path to achieving those objectives is always uncertain. Factors that may be external or internal to the organisation create sources of uncertainty. Successful organisations consider and respond to these sources.
For example, an organization may have uncertainty about:
- The future demand for its products and services, especially if it plans to introduce new products
- The actions of its competitors
- Whether its suppliers will be able to provide the materials required to meet customer demand, with the required quality, when they are needed, and at affordable prices
- The activities of regulators and other agencies
- Whether it will be able to retain key employees
- Whether its employees will comply with the law or follow procedures.
Risks are not events. But we characterize risk by using descriptions of what might happen and what it could lead to in terms of the effect on our objectives.
A single area of uncertainty, such as the level of customer demand following the introduction of a new product, may have several possible outcomes. Those outcomes will have different effects on the ability of the organization to achieve or surpass its objectives. Some outcomes will have a beneficial effect, enabling the organization to perform at or higher than plan. Others will have a detrimental effect, calling into question the achievement of the plan.
We can compare and evaluate risks by considering the range of potential outcomes, whether they are beneficial or detrimental, and the likelihood of the effects.
Assumptions and presumptions (for example, with respect to how people or systems will behave or how events might occur) are a common source of uncertainty. It is necessary, therefore, to be aware of assumptions inherent in plans and forecasts, and to address the underlying uncertainty. For example, a forecast or plan may assume that the new product will generate demand in line with prior predictions. But that is not certain, and if the new product launch is to be successful actions may need to be taken to improve the likelihood of success. I believe the process in the ISO standard is the one to follow to identify the actions required.
For an organization to be successful, it must:
- Understand the sources of uncertainties in its path to achieving its vision and objectives
- Assess the significance of the potential effect(s) by considering what could happen, what it could lead to, and the likelihood(s) of those outcomes
- Evaluate if the level of risk is acceptable and, if not what steps should be taken to modify the risk
- Act to modify the risk – by creating or changing controls
- Continuously monitor and periodically review the sources of uncertainty and the related controls to ensure that the level of risk remains acceptable
One of the strengths of the ISO 31000:2009 standard is this focus on uncertainty and the effect that it has on an organization’s objectives. It enables an organization to recognize and respond to uncertainty so that it optimizes the likelihood that it will be successful.
So why do I say that I prefer to focus on uncertainty first? Because it is easier to talk to management about the uncertainty they face as they direct and manage the organization towards achievement of objectives. Once we know those sources of uncertainty, we can assess their potential effects and the likelihood of those effects – and act to optimize the likelihood of achieving or surpassing objectives.
If we only ask about what management fears, I fear that our identification of uncertainty and its effects (i.e., risks) will be incomplete.
Is the audit committee to blame for defects in internal audit?
No sooner had I written a post about important recommendations about internal audit from the UK when I was sent a copy of an interesting paper from Belgium: Reflections on the internal auditing profession: what might have gone wrong?
While I encourage everybody either to buy the paper ($25) or contact the author, Dr. Rainer Lenz, for more information, I will try to summarize the primary thrust through excerpts.
- Internal auditing (IA) has not generally been seen to have a significant role in the financial crisis, neither as part of the problem nor as part of the solution. (This is a point I made in a post in 2010).
- IA has multiple customers to serve and IA aspires to render both assurance and consulting services
- Whilst the board’s/audit committee’s priority is focused on risk oversight and reducing the downside of risk, the growth and performance objectives of management require active risk-taking, seen as an inseparable element of strategy and a crucial driver in achieving objectives, including optimizing value over time. These different perspectives, different incentives and risk tolerances may mean that, if everyone expects something different from IA, no one is likely to be satisfied in full
- At present, IA is viewed as lacking both a clear chief stakeholder/“boss” and a clear role
- The more IA lacks a distinct chief stakeholder/“boss” and a clear and realistic role, the more it is principally exposed to over-promising and under-delivering
- To become a more relevant stakeholder in the corporate governance arena, the IA profession should consider clarifying both the perspective and the purpose of IA, that is, determining to whom IA should be accountable (the perspective from which its added value is judged) and clarifying/concentrating the IA’s service offering (its purpose)
- The IIA, the globally recognised standard setter of IA practice, may consider further reflecting upon the pros and cons when re-focusing the IA profession predominantly on assurance services, possibly progressive assurance services, on governance, risk management and control processes in order to more clearly contribute to increasing the long-term value of the organization it serves. More clearly, for IA to stress the primacy of assurance services would give lower priority to consulting services.
- Consulting services would then be subordinated to assurance services and expected to support the latter.
- There may be subtle indications that the IIA is moving cautiously in the right direction, as there is a trend towards moving the reporting lines of IA into the board; and the IIA is de-emphasizing the role of consulting services when defining “added value”
The article closes with a number of recommendations, of which one stands out for me. The authors suggest that the IIA study “the implications of possible tensions with senior management if IA reports straight into the board or the audit committee and IA thus becomes fully the agent of that oversight body, whilst abandoning the reporting link into management”.
Now, I don’t personally believe that internal audit is ‘defective’. But there are too many departments that in my opinion fail to meet the challenge – because they do not provide a formal opinion to the board and top management of the adequacy of governance, risk management, and related internal controls. In fact, nearly half don’t assess and report on the adequacy of risk management, let alone governance processes.
Why do I point a finger of blame at audit committees?
The internal audit department does not select to whom they will report. While they may make suggestions, they are not the ones to set the expectations of the board and audit committee.
When the audit committee does not expect and, yes, demand that internal audit perform – and by that I mean provide assurance on what matters to the organization – then only they are to blame.
I recognize that members of the board do not have a lot of time to dedicate to the task, but if (as it should) the internal audit function reports to the board and owes its primary allegiance to the board, then the board needs to step up and own that responsibility.
I leave you with this question: does the chairman of the board (or of the audit committee) provide the same level of guidance and direction to the CAE that, as a senior executive, they gave to their direct reports? Does he take responsibility for the performance of the CAE as a direct report?
What should the board do when there is conflict between the CEO/CFO and CAE/CRO?
This could either be one of the most difficult or easiest tasks for a board or committee to handle.
The easy way is to show full confidence in the executive and agree to terminate the risk officer (CRO) or internal auditor (CAE).
The difficult way is to be objective and demonstrate independence from management, understand what is really happening, and then make a decision that is in the best interests of the organization.
(Note that I didn’t say that the board should decide who is right and discipline the other: sometimes the board needs to educate and mentor one or both. Sometimes, the sad truth is that the CRO or CAE is right but can no longer be effective because of the damage the dispute has done to relationships with the management team: damage that cannot be repaired by the board. In which case, he should be treated generously and moved into a new role, probably outside the organization.)
It is not easy for the board to set aside the natural inclination of directors to align with the executives, because:
- They generally share the same background, with the directors being active or former executives themselves
- The directors appointed the executives and are invested in them
- They play golf together and otherwise have built trusted relationships
- The executives know how to “work” the board. They are charismatic and persuasive. They have the ears of the board, spend many hours with the board in person and on the phone, and are able to make their case – sometimes through subtle repetition and hints
- The risk officer and internal auditor lack these strengths
A harsh truth, which board members need to recognize, is that executives are fully aware of the fact that it is not easy to dismiss the CAE (because they report to the audit committee chair in most cases) or the CRO (because of the perception they might be hiding unpleasant truths). When they decide they want one of these people “gone”, they act carefully.
Research has shown that when a CAE has a conflict with an executive, typically because they report something the executive doesn’t like, they are able to obtain the support of the board and retain their position. But, most are forced to leave within a year (18 months at most).
Another harsh truth is that boards find it very difficult to tell a CEO or CFO they are in the wrong.
Finally, recognize that it is very hard for a CAE or CRO to discuss a lack of support or other problem (such as inappropriate expense reports – see the second situation, below) with you.
My advice:
- Board members should remember their oversight responsibility and be ready to set aside friendships with the CEO and top executives. When one of them raises a concern with the performance of the CAE or CRO, be objective and impartial
- Don’t shy away from the task. Even if the CEO or CFO says they have the matter in hand – maybe especially if they say that – make sure you have a full understanding of the matter. Be sure to give both sides an opportunity to explain, answer your questions, and help you figure out what is going on
- Recognize that when the CEO or CFO says something to you that shows concern with the CAE or CRO’s performance, even when they say it is not important, it is important.
- Be especially alert to repetition of subtle side comments or quiet indications of lack of support, such as when the CAE/CRO is delivering their report to the board
- When you talk to the CAE/CRO, don’t be vague about the concern. They can’t answer questions that are not asked (see the first situation discussed below)
- Sometimes, if not most of the time, the situation can be resolved with coaching and mentoring on both sides. The executive needs to understand that the CAE and CRO have jobs that cannot be discharged without sometimes having to be the messenger with bad news. The CAE or CRO may need coaching on how to deliver that bad news
- When the CEO and/or CFO appear to be trying to “suppress” the CAE or CRO, dig deeper and understand whether the executive is just trying to exert their authority and understanding or has less than worthy objectives. For example, is he trying to control what the board hears? Or is he trying to control somebody who may look in places he doesn’t want looked at?
- Finally, try to make it easier and less ‘intimidating’ for the CAE or CRO to share how they are being treated by executive management. While it is neither necessary nor appropriate to tell that person you are always on their side, give them the time and opportunity to be heard and make sure you actively listen. This may be the best way for you to find out how the executives really run the organization and treat employees. Coach and mentor the CAE and CRO so they can be effective in their dealings with you and with the organization’s leaders
Now, three true life situations that I am familiar with. All involved conflicts between a top executive and the CAE.
- In the first, the CAE and his team investigated and proved (with confessions) several accounting frauds by unit accounting staffs. Each was individually immaterial to the company as a whole, but material to the performance of the individual units. The motivation was less personal gain than it was either to help the company achieve its performance goals or to protect the unit from being targeted for closure as an unprofitable entity.
The CAE reported each investigation to the audit committee of the board, which reports continued for nearly a year as additional issues came to light. The CAE also reported, after the majority had been closed, that there was a pattern that concerned him. The CAE had discussed this with both the CFO and the chair of the audit committee prior to the meeting. Without saying it was deliberate, he said that each of the unit accountants said they had been told to “make their number” by corporate finance leaders. In addition, some of the accounting involved “rainy day” accounts where those involved felt pressured to use the accounts to help make corporate numbers. There was even an email from a top executive suggesting such a practice!
When the CAE reported the ‘pattern’ to the audit committee, the CFO was noticeably quiet and showed no support for the CAE, even when the CAE said that there was no evidence that the CFO or any of his direct reports had directed such behavior.
After the meeting, the CAE discussed the situation with the chair of the audit committee, in particular his concern that the CFO had not been supportive. The chair told the CAE to be careful, because the CFO had “a bigger business card”.
Within a few months the CFO was letting the audit committee know that he was receiving complaints from management about the internal audit team. However, none of the directors approached the CAE to hear the “other side”. When one director asked the CAE in an audit committee meeting how he got on with one of the top executives, the other directors quickly moved to tell him to stop.
About 6 months after the CAE reported the ‘pattern’ he resigned and left the company.
- The second situation was in some ways more complex. During a routine audit of executive expenses, the internal audit team identified inappropriate and excessive charges by the CFO. The CFO blamed the situation on his executive assistant and agreed that the excess was in the six figures.
The CAE felt obliged to report the situation to the audit committee, who directed the CFO to repay the company but took no further action.
The corporate controller then came to the CAE and attempted to negotiate down the repayment, offering that the CFO would repay about half of what had been demonstrated and agreed as excessive. The CAE declined.
Within a couple of months, the CAE accepted a new position within the company and a new CAE was appointed from within the ranks of the Finance team. The audit committee did not question the move. Ironically, the new CAE insisted on and was able to recoup all monies due.
- Finally, as in the first example, the internal audit team investigated and proved a series of frauds. However, the way in which the investigations were performed led to the loss of more people than just the individuals who had committed the frauds. They appeared more of a “witch hunt” than was appropriate: people were treated as suspects regardless of their position or relationship to the events, and interviews were conducted without empathy or respect. Many key managers left rather than remain in an investigation-ravaged environment.
Both the CFO and General Counsel were careful to show support for the investigations, but were concerned about the ‘collateral damage’. They shared with the audit committee that the CAE seemed to be obsessed with the investigations, approached everybody with what appeared to be suspicion, and was unable to work constructively with management.
The audit committee listened but took no action. In time, the CAE recognized that advancement would require leaving and took a CAE position at another company.
Were these situations handled well? I don’t think so.
Have you seen similar situations, where there is conflict between the CAE/CRO and CEO/CFO? Were they handled well or poorly?