The risk of an ineffective CIO

February 28, 2015 1 comment

According to McKinsey, “executives’ current perceptions of IT performance are decidedly negative”. An interesting piece, Why CIOs should be business-strategy partners, informs us that the majority of organizations are not benefitting from an effective CIO, one who not only maintains the infrastructure necessary to run the business but also works with senior management to drive new business strategies.

Why worry only about the “big” risks on the WEF or Protiviti lists when the supposedly “small” risks, to the capabilities that let your business survive and thrive, are actually huge?

For example, the survey behind the report found that:

  • “…few executives say their IT leaders are closely involved in helping shape the strategic agenda, and confidence in IT’s ability to support growth and other business goals is waning”.
  • “IT and business executives still differ in their understanding of the function’s priorities and budgets. Nearly half of technology respondents see cost cutting as a top priority—in stark contrast to the business side, where respondents say that supporting managerial decision making is one of IT’s top priorities.”
  • “In the 2012 survey on business and technology, 57 percent of executives said IT facilitated their companies’ ability to enter new markets. Now only 35 percent say IT facilitates market entry, and 41 percent report no effect.”

With respect to the effectiveness of traditional IT functional processes, few rated performance as either completely or very effective:

  • Managing IT infrastructure – 43%
  • Governing IT performance – 26%
  • Driving technology enablement or innovation in business processes and operations – 24%
  • Actively managing IT organization’s health and culture (not only its performance) – 22%
  • Introducing new technologies faster and/or more effectively than competitors – 18%

There was a marked difference when the CIO is active. “Where respondents say their CIOs are very or extremely involved in shaping enterprise-wide strategy, they report much higher IT effectiveness than their peers whose CIOs are less involved.” McKinsey goes on to say:

“We know from experience that CIOs with a seat at the strategy table have a better understanding of their businesses’ near- and longer-term technology needs. They are also more effective at driving partnerships and shared accountability with the business side. Unfortunately, CIOs don’t play this role of influential business executive at many organizations. The results show that just over half of all respondents say their CIOs are on their organizations’ most senior teams, and only one-third say their CIOs are very or extremely involved in shaping the overall business strategy and agenda.”

The report closes with some suggestions. I like the first one:

“The survey results suggest that companies would do well to empower and require their CIOs and other technology leaders to play a more meaningful role in shaping business strategy. This means shifting away from a CIO with a supplier mind-set who provides a cost-effective utility and toward IT leadership that is integrated into discussions of overall business strategy and contributes positively to innovating and building the business. Some ways to encourage such changes include modifying reporting lines (so the CIO reports to the CEO, for example, rather than to leaders of other support functions), establishing clear partnerships between the IT and corporate-strategy functions, and holding both business and IT leaders accountable for big business bets.”

Is your CIO effective, both in supplying the infrastructure to run the business and in working in partnership with business leaders to enable strategic progress?

Is this a risk that is understood and being addressed?

I welcome your comments.

KPMG and I talk about changes at the Audit Committee meeting

February 21, 2015 11 comments

I am used to seeing some new thinking from our Canadian friends. That is hardly the case when you look at a recent publication from KPMG Canada, Audit Trends: The official word on what’s changing and how audit committees are responding.

That title not only sets the expectations high, but sets KPMG up for a fall.

This is how they start us off, with an astonishing headline section:


These include CFO succession management; forecasting & planning; liquidity; M&A; environmental, social and governance factors; fraud and more.

My first audit committee meeting, as the chief internal auditor, was about 25 years ago. If memory serves me well, the only audit committee meetings that focused only on “financial statements, reporting, and internal controls over financial reporting” over those 25 years were short calls to review earnings releases, and so on. Not a single in-person meeting was limited to these few topics.

KPMG continues:


Sorry, KPMG, but the world does not spin around the axis of the CPA firm.

Here’s another silly profundity, a highlighted quote from the Vancouver practice leader:

“Organizations today rely heavily on technology to manage internal processes and external customer relationships; it is therefore essential for ACs to understand what management is doing to mitigate IT risks.”

In 1990, my company was totally reliant on technology. Not only was it relied upon for internal business processes, but our oil refineries were highly automated. So-called IT risks (so-called, because the only risks are risks to the business – which may come from failure in the use or management of technology) were so extensive that I dedicated a third of my budget to IT audit. Going back even further, the savings and loan companies I worked for in the mid-to-late 1980s relied “heavily on technology to manage internal processes and external customer relationships”.

So what are the changes that should be happening at the audit committee? Here are six ideas:

  1. The audit committee should be asking management to provide assurance that it has effective processes for addressing risk (both threats and opportunities) as it sets strategies and plans, monitors performance, and runs the business every day. The audit committee should not be limited to a review of the “risk du jour”; it should require that management explain how it has embedded the consideration of risk into the organization’s processes and every decision.
  2. The audit committee should insist that it obtain a formal report, at least annually, from the chief audit executive, with an assessment of the adequacy of management’s processes for managing risk, including the adequacy of the controls over the more significant risks.
  3. With the enormous potential for both harm and strategic value of new, disruptive technology, the audit committee can help the full board by challenging management on its approach to new technology. Does the IT function have the agility, resources, and capability to partner with the business and take full advantage of new technologies, while managing downside risk?
  4. Continuing with that theme, is the organization hamstrung by legacy infrastructure and systems that inhibit its agility, its potential for moving quickly as business conditions and opportunities change? Is it able to change systems and processes fast enough?
  5. The COSO 2013 update of the Internal Control – Integrated Framework is an opportunity to revisit a number of issues. One that should be high on the agenda is whether the company is providing decision-makers across the organization, from strategy-setting to marketing to finance to operations, with the information they need to drive success. This is not just about the deployment of Big Data analytics, because that is just a tool. It is about (a) understanding what information is available and can be used to advantage, (b) obtaining it at speed, and then (c) delivering it everywhere it should be used in a form that enables prompt use and action.
  6. With all the demands on the audit committee, there is a need to re-examine its composition and processes. Do its members have all the experiences and skills necessary to perform with high quality, addressing issues relating to the management of risk, the use of technology, the changing global world, and so on? Should it receive more periodic briefings from experts on these topics? Do its members even have the ability to dedicate the time they need? Are they receiving the information they need to be effective (studies say they do not)?

If the audit committee is spending more than 20% of its precious time on “financial statements, reporting, and internal controls over financial reporting”, something is seriously wrong.

I welcome your comments – especially on these six suggestions.

Going crazy with COSO 2013 for SOX

February 18, 2015 17 comments

For some reason, I only just saw a new PwC publication, Present and functioning: Fine-tuning your ICFR using the COSO update, dated November 2014.

PwC provided the project team for the COSO 2013 update of the Internal Controls – Integrated Framework, so their advice and insight should merit our attention.

The trouble is that it is very easy to go overboard and do much more work than is necessary to update your SOX program for COSO 2013.

I fear that PwC may help people go crazy, rather than perform the few additional procedures necessary. I respect those who have said, rightly in my view, that if you were able to comply with the requirements of COSO 1992 (the original version) and either the SEC guidance (in its Interpretive Guidance) or PCAOB Auditing Standard No. 5, you should already be in compliance with COSO 2013.

The key is to be able to demonstrate that.

We need to remember these facts:

  1. Neither the SEC nor the PCAOB has updated regulatory guidance for management or the external auditor since the release of COSO 2013. That guidance (reinforced by the PCAOB’s October 2013 Staff Audit Practice Alert) mandates a top-down and risk-based approach. It requires a focus on the potential for a material error or omission in the financial statements filed with the SEC.
  2. COSO 2013 says that internal control is effective when it reduces the risk to the achievement of objectives to acceptable levels. For SOX, that means that there are no material weaknesses.
  3. COSO 2013 also says that a principle can be deemed present and functioning if there are no “major deficiencies” that represent a significant level of risk to the achievement of the objective – in other words, there are no material weaknesses due to a failure of elements relating to a principle.

Now let’s have a look at what PwC has to say.

“With the COSO’s 1992 Control Framework being superseded by the 2013 updated edition on December 15, 2014, now is the time for companies to use the updated framework to evaluate the effectiveness of their systems of internal control over financial reporting.”

I agree with this statement. This is a great opportunity to ensure an effective and efficient program is in place.

“The updated framework formalizes 17 principles that stipulate more granular evaluative criteria to help a company’s management assess the design and operating effectiveness of its ICFR.”

They forget to say that COSO informs us that internal control is effective if it reduces risk to the achievement of objectives to acceptable levels. They also forget to remind us that the SOX assessment must be top-down, risk-based, and focused on the potential for a material error or omission.

“We don’t believe that implementation of the 2013 framework affects management’s existing control activities…. assuming that a company’s control activities have been assessed as effective, reevaluating them according to the 2013 framework is not necessary.”

While there is an element of truth to this, organizations should not be assessing control activities in isolation – they should be assessing whether the combination of controls provides reasonable assurance that there are no material errors or omissions. Focusing on one component by itself is insufficient and, I believe, incorrect.

In addition, the selection of controls for reliance should always be re-evaluated as the business is likely to have changed, including materiality, significant accounts and locations, and so on.

“We believe the most immediate value of applying the 2013 framework lies in the opportunity it provides for taking a fresh look at indirect entity-level controls.”

Again, the SOX scoping should be focused on the combination of controls that provides reasonable assurance. In addition, some principles (such as the hiring and training of employees, or the provision of training and obtaining certification of employees in the code of conduct) are performed at the activity level. COSO tells us that activities in each of the COSO components may exist at any level of the organization. So, we need to recognize that indirect controls may operate at the entity (corporate) level, activity level, or any level in between (such as at the business unit or regional level).

Having said which, the principles do offer us a new opportunity to determine which of these indirect controls need to be included in scope because a failure would represent an unacceptable level of risk – because it would raise to an unacceptable level the likelihood that one or more of the key direct controls relied on to prevent or detect a material error or omission might fail.

But, it all has to be within the context that we are focusing the scope, and the SOX program as a whole, on the risk of a material error or omission!

“…fine-tune the design and related documentation of indirect ELCs [entity-level controls] through mapping them to principles.”

Many have misguided organizations, telling them to “map their controls to the principles”. The proper guidance is to “identify the controls you are relying on to provide reasonable assurance that the principles are present and functioning”. Again, we need to remember that the principles can be deemed present and functioning if a failure would not represent a material weakness.

It is correct to say that if you have indirect controls (at entity or another level) that are not required to provide that reasonable assurance, they do not need to be included in scope for SOX.

“…we have noted the following areas in which management’s assessment has indicated room for optimization or improvement in control documentation.”

I suspect that the issue is not limited to control documentation! There is always room for improvement and it is useful to see what PwC has identified.

“Leading companies are formalizing or clarifying and incorporating into their evaluations of ICFR certain indirect ELCs that support existing human resources policies. Such controls usually consist of approvals of new hires and employee transfers (including background checks and assessments of requisite skills and experience when appropriate), requirements for professional certifications and training (e.g., in new and complex accounting standards), succession planning and retention of competent employees, and periodic reviews of employee performance to assess requisite skill levels and conduct. Compensation programs aligned with expected performance, competencies, and behaviors are also important to support ICFR objectives.”

If you believe that any organization’s HR policies and practices provide the assurance you need that every single key control is performed by individuals with the appropriate experience, knowledge, training, and so on, I have a bridge to sell you!

While it is very important to have excellence in hiring, training, supervision, career development, promotion and so on, I do not believe that for SOX it is productive to spend much time on controls in this area.

I very much prefer to assess the capabilities and competence of each control owner as part of the evaluation of the design and operation of each individual key control.

“In many organizations, the evaluation of fraud risks related to financial reporting is integrated into the overall assessment of financial-reporting risks… In identifying and evaluating those risks, management investigates incentives, pressures, opportunities, attitudes, and rationalizations that might exist throughout the company in different departments and among various personnel.”

The first statement is (I hope) true, although I personally perform a separate assessment of fraud risk (focused on the risk of a material error or omission due to fraud) and generally find that they are addressed by the controls already identified for mistakes.

PwC talks about ‘scenarios’, while I talk about ‘fraud schemes’. In each case, we are talking about ‘how’ the fraud would be committed – an essential step in understanding the true nature of the risk and the controls that would prevent or detect it, if material.

However, going crazy about the fraud triangle is not recommended. We should focus on how we can provide reasonable assurance that a material error or omission due to fraud might be prevented or detected, and remember that the number of people with the ability to commit such a fraud is limited. More than 80% of reported material frauds have been perpetrated by the CEO and CFO acting together, not individuals “throughout the company in different departments and among various personnel.” Rationalization, for example, is an intensely personal action and not something that can be detected by looking broadly at even a segment of the workforce.

“Companies taking a thoughtful approach in transitioning to the 2013 framework—rather than viewing it as a mere compliance exercise—are finding value in the identification of opportunities to strengthen their ICFR.”

We are back on solid ground.

The focus has to remain solidly grounded on identifying and then testing the design and operation of the controls relied upon to prevent or detect a material error or omission. A top-down and risk-based approach is mandated.

Going beyond this may have value in improving operations and the achievement of other (than SOX) business objectives.

But let’s not go crazy!

I welcome your comments and, especially, your experiences with COSO 2013 and your external auditors.

By the way, I think it is well past time for COSO to issue a statement or other guidance to set people straight on the COSO 2013 principles when it comes to SOX. They need to explain that the primary evaluation criterion for effective internal control is whether there is reasonable assurance that risk to the achievement of objectives is at an acceptable level. Then they need to explain that the principles offer more granular guidance that can be used in assessing that risk and whether it is acceptable, but assessing the principles without the context of risk is misunderstanding COSO 2013.

Do you agree?


Drive business results by harnessing uncertainty

February 7, 2015 4 comments

I am very pleased to see new guidance on risk management from Ernst & Young (EY) that recognizes that risk management is not a defensive activity designed only to protect value. It can and should be used to drive business performance and results.

I usually have significant criticism for the consulting and auditing firms when it comes to their risk management guidance, so I was surprised to see so much “good stuff” in their latest.

Drive business results by harnessing uncertainty, appropriately subtitled “Expecting more from risk management”, is important reading for board members, business executives, and risk practitioners.

EY doesn’t say directly that it is not nearly enough to limit risk management to a periodic review of a list of risks (the practice at the majority of risk management functions). But their description of what risk management needs to do and look like makes it clear that they, at least, have moved on.

Here are some excerpts, but I encourage you to read the three-part piece (just click ‘Next’ at the foot of each page to get to the next one).

They start with this commentary:

In an increasingly competitive, fast-paced world, organizations need to continually advance their risk management practices, building on the strong foundation of protection and compliance into an expanded focus on risk factors that impact strategic decision-making and operational performance.

For many global organizations, risk management is still seen as only a high-level compliance exercise to educate the board and audit committee. As a result, there are often no clear lines of sight from the boardroom to the operations themselves.

Risk management approaches need to change to better reflect the dynamics of today’s rapidly evolving global marketplace. What carried companies through in the past is not good enough anymore.

We believe a paradigm shift in risk management is beginning, which is:

  • Tied to the increasingly complex world in which companies now operate
  • Based on the awareness that uncertainty is embedded in (and impacts) everything we do
  • Focused on both capturing upside opportunities as well as protecting the business

EY includes a meaningful list of questions. Here are the first four:

  • Does your company view risk management as a key component in managing business performance?
  • Is there continuity of understanding in the risks associated with your plans and objectives, which carries through from strategic planning to capital allocation and operational execution?
  • In addition to protecting your business, is your risk management providing direct benefit to your growth efforts as well?
  • Is risk management integrated into the “rhythm” of your business processes, versus a later lens or add-on?

They make this key point:

You need [risk management] to become part of the rhythm of the business: meaning within the flow of strategic and business planning, operations, oversight and monitoring that runs from the board to the line.

There are several key business processes, and structural and functional components that make up this rhythm of the business, working together to deliver business value creation. Within these components of the business, we see four basic business process suites:

  1. Strategic oversight and planning — board and executive management level activities
  2. Business level planning/budgeting — management translation of strategies into business plans and allocation of capital
  3. Operational execution — value creating implementation of plans and strategies
  4. Monitoring and compliance — audit and compliance activities

I like their reference to “risk-enabled decision making”. It recognizes that risk is created or modified with every business decision; only when all options are considered, with an understanding not only of the uncertainty that exists as managers make decisions but also of the uncertainty that will result from the decision, will great decisions be made that drive improved performance and results.

Is this a perfect piece of guidance? No, and much of what it has to say is not new to many risk thought and practice leaders (especially some of the more advanced advocates of the ISO 31000:2009 global risk management standard). However, it is great to see one of the firms talking this way instead of focusing on the “risk du jour” and how important it is for the board to discuss it.

COSO is embarking on an update of their Enterprise Risk Management – Integrated Framework. They should give this document their careful attention. I think its thinking is far ahead of what the current framework promotes; I would like to see the project team and its advisors take careful note of the need to make risk management part of how you succeed rather than how you avoid failing.

What do you think of the piece? How could it have been improved?

What should the audit committee focus on in 2015?

January 31, 2015 1 comment

Every year, the audit firms provide audit committees with their ideas of what the agenda should include in the coming year. Their ideas are usually good, although they typically (and understandably) focus on matters of interest to the audit firms. Each year, I have wondered (and blogged) why they don’t include any discussion of obtaining formal assurance from internal audit on the effectiveness of risk management.

This year, the publication from Deloitte is more interesting than usual. In their Audit Committee Brief, November/December 2014, they ask What’s on your agenda for 2015? They highlight:

  • Effectively managing IT
  • The audit committee report (as filed in the 10-K)
  • Internal controls, in particular the focus by the PCAOB on material weaknesses and the work of the external auditor, as well as the update of the COSO internal controls framework
  • Globalization and its effect
  • Finance talent
  • Anti-corruption
  • Risk oversight
  • Tax considerations

Addressing the risk oversight issue first, Deloitte has made some progress this year. They make the important statement:

“Regardless of who in the company is in charge of risk, the most important consideration is that the company has a clear view of where risk monitoring and related activities are housed and that risk issues are being adequately covered.”

All of the topics in the Deloitte document are food for thought, but none more, in my opinion, than the topic of IT.

While Deloitte understandably focuses exclusively on the negative risk from technology (cybersecurity and so on), they make the excellent point that the audit committee needs to get face time with the CIO. I think it is an excellent idea for the CIO to attend every other audit committee meeting.

Deloitte suggests questions for the audit committee to ask about technology-related risk. I think additional questions should be considered, including:

  • How do you assess and manage business risk relating to technology? Are you engaged with the enterprise risk management process?
  • How much risk is enough and how much is too much?
  • How do you determine how much to invest to address technology-related risks?
  • Are you taking enough risk when it comes to new technology that might advance the business? How do you know? Who do you work with to assess whether and when to deploy new technology?
  • How do you know that the IT function is delivering the value it should to the business?
  • How involved are you with the company’s strategy-setting processes? Is this the right level of involvement?

I welcome your comments.

The Three Lines of Defense model is the Wrong model

January 25, 2015 37 comments

Last year, I wrote a post Risk Management is not about Defense. Unfortunately, while almost everybody I talk to agrees with me that we should be talking about offense instead of defense (or at least recognizing that you need offense, defense, and special teams), the silly model continues.

This month, RiskAudit published the transcript of a debate on the motion “The Three Lines of Defence (3LOD) Philosophy is not fit for purpose”. My good friend Richard Anderson spoke for the motion and he was able to move a sizeable number of people who initially supported the model to oppose it. I think he might have moved the rest by making an additional point.

What are we defending against? The model assumes that we should fear risk, but there is nothing further from the truth!

If we don’t take risk, we will wither away. The only path to success in this life is by taking risk.

The key is to take the right risk – and knowing what the risk is, understanding the options, and making an informed and intelligent decision as you run the business (and your life) is how you succeed.

The model perpetuates the silly idea that risk managers (and internal auditors) are there to stop operating managers from taking too much risk. That model is one of confrontation and not how the best risk managers work. They recognize that risk is owned by management and the role of the risk practitioner is to help them with tools, process, information, and so on – so that they can take the right amount (not too little and not too much) of the right risk.

We need a model that is much more positive and talks about how operating management, risk management, and internal audit collaborate to help the organization succeed. The three lines of defense model is about not failing.

I welcome your comments.

Risk and the effective manager

January 14, 2015 19 comments

If you are to be an effective manager and achieve your objectives, you need to be able to manage the risks to the achievement of your objectives. There can be no question about that.

Yet, many organizations separate the risk management function from operating management and designate a chief risk officer as responsible for the management of risk. Their boards establish a risk committee and have separate discussions about strategy, performance, forecasts, and risk.

Sorry, but this is nonsense.

The only risks we should worry about are those that might affect the achievement of objectives (and it doesn’t matter whether you prefer COSO or ISO; both sets of guidance say this).

The setting and execution of strategy and objectives and the consideration and management of risk go hand-in-hand.

The people who should own risk are the people who own performance and the achievement of objectives.

So, why do we talk about risk managers and a risk management function when the people who own and manage risk are in operating management?

Is it time to recognize that risk management should not be a separate profession but an essential element in effective management? Should we not establish risk managers as subject matter experts who are not there to own risk, but to advise and help those who do own risk?

I welcome your comments.

