When Compliance is wrong

January 30, 2023 1 comment

As I said in my last post, I recently had the privilege of hanging out with a bunch of smart people: internal auditors.

They work for an organization with manufacturing facilities all over the world, each of which is subject to strict safety regulations. Compliance with those regulations is a major part of the internal audit plan, as it should be.

It did not surprise me to hear that the corporate offices had established similarly strict policies and standards designed to ensure compliance with the regulations.

However, these facilities produced a variety of products and were subject to different local laws and regulations.

But the corporate office valued consistency and every location was required to follow the same company standards.

What I heard was that sometimes a manufacturing plant would believe that a corporate standard was not the right practice for their specific business, in their locality.

Internal audit was expected to identify when a plant didn’t adhere to the corporate standards.

My view, which I shared with them, was that internal audit should follow a different standard: the standard of promoting what is best for the business.

That is not to say that we should not identify deviations from corporate policy, but we should not immediately call it a “finding”.

First, find out why management has not followed the corporate guidance.

Maybe there’s a good reason.

Maybe they have found a better way to ensure compliance with the laws and regulations that apply to their business.

Maybe they believe the corporate policy doesn’t need to be followed because the laws and regulations are different in their area.

Their arguments might be persuasive.

But we shouldn’t immediately agree with them either.

This is a great opportunity for us to add value.

Find out whether other facilities agree that the corporate policy is imperfect. Perhaps management of this facility has talked to them.

If several facilities have the same issue with the corporate mandate, it strengthens the notion that it should be changed.

We should discuss the deviation and the underlying corporate policy with the owners of that policy.

In fact, it might be useful to facilitate a discussion between corporate and the local management team (or teams, if several facilities believe change is needed).

Maybe there’s a great reason for the local teams to adhere to the corporate policy. A reason the local management teams are not aware of.

On the other hand, maybe the corporate policy should be revised.

We won’t know until we hear from all sides, and especially when all sides have talked – and listened – to each other.

One of the problems that we may uncover is that the corporate staff are not listening. Maybe they don’t know the business as well as they think, and there are better ways to address the risk of non-compliance.

Maybe new systems and technologies enable a better way to assure compliance, and the corporate policy should be brought up to date.

We should be careful about second-guessing either local or corporate management on such issues. They are more likely than not to be more knowledgeable both about the laws and regulations and about the business that we are.

But where we see an opportunity to add value, where there are better practices than mandated by corporate policies, we should bring that to the attention of the people best able to make an informed and intelligent decision.

I can recall a couple of situations where the corporate mandate was at least questionable.

In the first, a corporate standard required a separation of two functions (something that auditors love). But the unit my team was auditing was too small to have that separation. We determined that the underlying risk was adequately addressed by other means. I think there was after-the-fact monitoring by management. We worked with the corporate team to grant local management an exception.

In the second, the corporate procurement team had obtained an agreement with a global manufacturing company for the supply of critical components. It established prices for materials used in most of our manufacturing units around the world. However, the procurement team in Malaysia had negotiated a deal with the supplier’s local subsidiary that was far superior. Corporate wanted us to slam the local team for failing to use the global contract. Instead, we suggested that they consider renegotiating the global contract and we considered the local procurement contract a best practice that could be followed by other business units.

It is easy to audit for compliance without thinking about whether the policy or standard is the best practice for the organization, given the risk it is intended to address.

I call that “blind compliance”.

The auditors should think about what they see, listen to all sides when there is a deviation, and seize any opportunity to add value to the business.

If we don’t understand why the policy is written the way it is, we should ask, listen, and seek to obtain that understanding.

There have been times when my team has asked why the policy is the way it is and management has been surprised. They thought about it, with our help, and changed it.

Policies get out of date, and we have an opportunity to add value by bringing that to management’s attention.

Does the policy meet the needs of the business?

Let’s not encourage compliance with policies that don’t.

I welcome your thoughts.

Advertisement

Wasting money with audit reports

January 26, 2023 10 comments

This week, I had the privilege and pleasure of spending time with a number of smart and curious professionals who are dedicated to adding value to their organization.

I am talking about internal auditors, of course.

I was a speaker at a multi-national company’s annual internal audit conference (something I enjoy doing). I touched on a number of themes from my book, Auditing at the Speed of Risk with an Agile, Continuous Audit Plan.

The attendees not only asked me about some of those themes, but we discussed other topics, some of which I will cover here today and in later posts.

X

My topic today is the significant time and money wasted by internal audit functions when it comes to audit reports.

As we know, the IIA’s Standards do not require a formal, written audit report – even though almost every function prepares them.

Writing, reviewing, rewriting, debating with management, amending, re-reviewing, and then publishing an audit report can take a lot of time. My teams might spend anywhere from 10 to 50 hours on the task. I have heard of others spending as much as 600 hours on their average internal audit report.

If you say that the average internal auditor’s salary is about $90,000 (based on Accounting.com figures) and you add about 30% for benefits and other costs, the average internal audit hour (based on 2,080 productive hours per year) costs roughly $60.

That puts the cost of an audit report, in addition to the cost of planning and performing an audit, at between $600 (my minimum) and $36,000.

What is the cost of a typical audit report in your organization?

Now let’s consider whether the value exceeds the cost.

The value should be expressed from the perspective of the organization, in this case that means our customers and stakeholders.

There are essentially three groups:

  • Operating management, including process and control owners, and their direct management
  • Senior and executive management
  • The board of directors, especially the audit committee

When it comes to the first group:

  1. The audit team should have discussed any potential audit ‘findings’ with them as they arise, certainly by the end of that week.
  2. Any issues are again discussed, this time with a broader group including some levels of management, at the Closing Meeting.
  3. They should already be working on corrective actions as needed.
  4. They will derive little value from seeing the same information in the formal audit report.
  5. Their interest in the report will be focused on whether they are being treated fairly, and whether the report is inconsistent with what has previously been discussed.
  6. If useful, send the group a memo confirming the issues and actions agreed upon at the Closing Meeting. Then you don’t have to worry about using the formal audit report for that purpose.

There really is little value in the final audit report for that group.

X

The second group will not have been at the Closing Meeting, so they will neither know what the audit assessment is nor whether there are issues of significance.

The value to them is in the communication of information they need to know to perform their jobs.

The value is in what they need to know, rather than what internal audit wants to say.

What do they need to know?

  • Are there any issues that represent an unacceptable level of risk to the business and the achievement of its objectives?
  • Is there anything they have to do?
  • Are their teams taking appropriate corrective actions?
  • Can they rely on their organization, people, processes, and systems to perform as needed for success?

There is value in providing that information.

But they don’t need to read, in the audit report, about issues that don’t represent a risk of significance.

In fact, cluttering up the audit report with stuff they don’t need to know reduces the value of the report. It makes it harder to consume.

If you only tell them what they need to know, when they need to know, they will listen.

But if you are constantly telling them stuff that is not relevant to their success, they won’t necessarily listen when there is something important they should know.

Tips:

  • Tell them what they need to know when they need to know. If its important, it can’t wait until the report is perfect.
  • Eliminate the stuff they don’t need to know. It is wasted, even negative value space.
  • Make it easy for them to read and understand what they need to know. Don’t hide it among a pile of trivia they don’t need to read, such as who did the audit, whether it was performed in compliance with IIA standards, what the objectives were, whether there were other issues, whether prior minor findings have been corrected, etc., etc., etc.
  • Recognize that the best communications (and the report is a communication device, not documentation of the work that was done) take very little time.
  • The best reports are less than one page, with attachments that are optional reading.
  • Don’t spend $36,000 to issue an audit report.

X

Then there’s the audit committee of the board (and perhaps any compliance committee).

They need even less than top management, although their needs are very similar.

  • Are there any issues that represent an unacceptable level of risk to the business and the achievement of its objectives?
  • Is there anything they have to monitor themselves?
  • Can they rely on the executive team?
  • Can they rely on their organization, people, processes, and systems to perform as needed for success?

The same tips apply.

X

Now that we have an idea of the value, we can decide whether internal audit reports cost more than they are worth.

Can and should they be streamlined, so that the cost is lower and (especially) the time to deliver the information people need is fast?

You can’t consider your internal audit function as agile if important information is delayed.

Information loses value as it ages.

So re-examine your audit reporting process. Eliminate non-value work.

Consider doing more communication to leaders face-to-face, as that stimulates constructive discussions about the issues, their implications, and any necessary actions. It also speeds up the communication process.

X

I welcome your thoughts.

Internal Audit and ESG: My Opinion

January 19, 2023 6 comments

I have seen several articles and blog posts lamenting the apparent fact that internal audit teams are not spending a large percentage of their audit plan addressing ESG risks.

CIO.com defines ESG as:

Environmental, social, and corporate governance (ESG) is a strategic framework for identifying, assessing, and addressing organizational objectives and activities ranging from the company’s carbon footprint and commitment to sustainability, to its workplace culture and commitment to diversity and inclusion, to its overall ethos regarding corporate risks and practices. It’s an organizational construct that’s become increasingly important, especially to socially responsible investors who want to invest in companies that have a high ESG rating or score.

The three main pillars of ESG include:

  • Environmental commitment: This includes everything around a company’s commitment to sustainability and the impact it has on the environment, including its carbon emissions and footprint, energy usage, waste, and environmental responsibility.
  • Social commitment: This covers a company’s internal workplace culture, employee satisfaction, retention, diversity, workplace conditions, and employee health and safety. Companies with happy and healthy employees perform better and are viewed as a stronger investment.
  • Corporate governance: A company’s commitment to governance includes compliance, the internal corporate culture, pay ratios, the company ethos, and transparency and accountability in leadership. Investors are interested in companies that can keep up with changing laws and regulations, and that have a commitment to equity and equality in the workplace.

My reaction is similar to what it was when I read opinions that internal auditors were not spending enough time on cybersecurity.

I even saw one post by an eminent (and unnamed) thought leader that pointed out that while internal auditors saw cyber as perhaps the top risk to their organization, they were only spending 10%-15% of their time on it. They were spending more time on financial, compliance, and other operational risks.

My principle is this: perform the audit engagements that address the more significant risks to the organization and its enterprise objectives.

You can do a great deal with 10%-15% of your audit resources!

X

When it comes to ESG, we need to recognize the huge breadth and depth of it.

It is much more than sustainability or corporate social responsibility (CSR).

It’s not something you can say you audit in totality. At best, you can audit elements.

Much of it is not new, and governance is covered in the IIA’s Standards as an area requiring consideration when building the audit plan.

X

My friend, Dr. Rainer Lenz (whom I am looking forward to meeting at a company’s annual internal audit team meeting next week), has written a piece with Florian Hoos on the issue: The Future Role Of The Internal Audit Function: Assure. Build. Consult.

He says:

[Richard] Chambers recently raised “a red flag” by pointing out that internal auditors have been unduly placing Environmental, Social, and Governance (ESG) risks on the back burner. Internal auditors currently do not play a significant role as assurance providers and are absent from potential advisory services about ESG – on both sides of the Atlantic. We diagnose an “ESG helplessness syndrome.” Like in the world of animals, the internal audit function is in a state of freeze response when it comes to ESG topics. The ESG challenge is so big, and the threats for the role of the Internal Audit Function (IAF) are so real, that the profession reacts like animals in the face of a threat: they freeze. We discuss and challenge the professional demand for “objectivity” and “independence” in the ESG context as they might represent obstacles to the IAF playing a significant role in the ESG agenda. We suggest practitioners consider widening the repertoire of internal auditing. We suggest an ABC-Model © of Internal Auditing, adding “Building” as a new third pillar of internal audit value creation which complements the traditional assurance and consulting services. We encourage internal auditors to become “builders” when tackling the ESG challenge in their respective organizations. Metaphorically speaking, we borrow from Yvon Chouinard, the founder of Patagonia which is often used as an ESG role model company when we suggest “Let Internal Auditors Go Surfing” as our call to action.

Later in the piece, they say:

ESG seems to be far from being well integrated into the internal audit function’s work. Referencing the World Economic Forum and other organizations, [Richard] Chambers concludes that “overall, ESG is one of the fastest-growing risks this year (…)”; “a top risk for 2023”. At the same time, his survey among 188 CAEs and internal audit directors in organizations based primarily in North America show that ESG risks are at the bottom of their priority list for 2023 audits, with significantly lower priority than for instance cyber and data security, attraction and retention of talent, macroeconomic conditions, regulatory changes, supply chain-related issues, etc.

Let’s think about this.

  1. ESG is not “a risk”. It is something you do. But you can have risks to the ESG-related objectives of the enterprise.
  2. Talent management and compliance are part of ESG. Saying that they get more attention than ESG makes little sense to me.
  3. Surveys are telling us that while organizations may be giving more attention to ESG today than in the past , they have started to lower their related investments given the change in economic conditions.

If management and the board have not given a priority to ESG, and by that I am referring to the social responsibility elements, and included it in the objectives they set for the period, why should we be concerned that internal audit is doing the same?

Should internal audit be the conscience of the organization?

No.

We can make sure the board and top management understand the risks that a failure to be socially responsible can mean to their success.

But it is not our job to tell them, bluntly, that they are making a mistake.

Our job is to provide assurance, advice, and insight.

The emphasis here is on advice.

But when management and the board set objectives, we can provide assurance as well.

For example, some years ago I visited the internal audit leadership of Adobe in San Jose, led by Eric Allegakoen. In the reception area, there were multiple displays showing the clean energy and other sustainability achievements of the company. Eric told me that his team audited and provided assurance on related reporting, some of which was included in public filings.

Rainer goes much further. After discussing and trying to set aside obstacles like objectivity and independence, he and Florian say:

We advocate that addressing ESG may be an opportunity for internal auditors and the internal audit profession to consider going beyond their core remit of rendering assurance and consulting services, to help building an ESG program – before it can be audited (by external auditors, as seems likely).

On the ESG journey, internal auditors can be most valuable as co-creators, as builders, as members of the ESG team.

When I first read this, I thought they were going too far by talking about internal audit building anything. That is a management responsibility! But then they say:

We see potential in positioning internal auditors more clearly as enablers of learning and change. We regard a promising path forward to be overcoming hurdles, including those set by professional demands for independence and objectivity. The more effective internal auditor can be “a hinge, a connector, a relation facilitator”.

Not only do I accept that, I don’t think it is anything new!! It’s just the advice part of our mission!

CAEs and their teams have been champions and enablers for many things over the years, including:

  • Risk management
  • Information security
  • Controls over derivative trading
  • Controls and security over new computer systems
  • Whistleblower and ethics programs
  • And much more

Here’s my take on the topic:

  1. ESG is about paying more attention to the role of the enterprise in society.
  2. ESG is a broad spectrum of activities and related processes and activities.
  3. Internal audit should be aligned, where possible and practical, with management and the board.
  4. When the leadership has established ESG-related objectives, risks to those objectives should be considered when developing and maintaining the audit plan.
  5. When leadership has not established ESG-related objectives, the CAE should work to understand why not. This may be an opportunity to lead a discussion among the management team.
  6. Internal audit should be a champion when that is the best use of their time. (There are so many issues to champion, so our time should be prioritized.)
  7. Internal audit should build and maintain an audit plan that addresses the most significant sources of risk to the enterprise and its objectives. They may or may not include ESG-related issues.
  8. If management and the board have not prioritized ESG, we should be careful about prioritizing it ourselves at the expense of other areas that they have prioritized.
  9. It would be better to break down the topic into meaningful parts, such as environmental compliance, human capital management, compliance, sustainability, and so on.
  10. Focus on what matters to your organization, not what others are doing.

I welcome your thoughts.

When the IS auditor identifies a lack of segregation of duties

January 16, 2023 8 comments

Chinmay Kulkarni has asked people on LinkedIn a question that appears to be from the ISACA Certified Information Systems Auditor (CISA) exam. He posted (I have included the current poll results, with 941 voting):

CISA Question 3

As an IS auditor, what is the FIRST step you will take upon identifying lack of segregation of duties [“SOD”] within the organization?

Document as audit finding 18%

Implement SODs 7%

Review Compensating Controls 46%

Review Access Controls 30%

I am not a CISA, although I could have “grandfathered” into it when ISACA first set up the CISA certification.

One of my problems with these exams is that I always question the question, and frequently think the available answers are wrong. (I was able to pass both the UK’s Chartered Accountancy and the US CPA exams.)

I have a problem with the available answers to this question.

1. Document as an audit finding

The auditor has “identified a lack of segregation of duties,” but:

  • Has the auditor confirmed the facts with management?
  • Does the auditor understand whether it matters? Where is the risk? Even if there is a deficiency, does the risk justify corrective action? If so, there is no “finding”.
  • Does management already know? Have they assessed the risk and believe it is acceptable, given the cost, etc.?
  • Are there other controls over the risk? Maybe controls within the business or elsewhere are being relied on, not the ones the auditor is considering.
  • Compensating controls may reduce the business risk, but by how much?

I have seen a couple of situations where an external auditor came to me (I was the head of internal audit) to inform me that there was an issue with segregation of duties. In the first case, he said individuals in China’s HR department had access to SAP payroll, so they could add and then pay a fictitious employee. However, the company did not use SAP payroll in China. In the second, a different auditor said there were individuals in China who had the ability to post an inventory adjustment to cover up the theft of inventory and hide it further with their ability to post a GL entry. I questioned him and found out that the inventory in question was in Romania while the employee and the GL were in China. There was no real risk.

Moving directly to documenting an audit finding is not a good option for the first step the auditor should take.

In fact, depending on the organization, the IS auditor should discuss the issue with the team lead or audit manager as a first step – which is not an option provided in the question.

2. Implement SODs

The auditor doesn’t implement segregation of duties or any other control for that matter. If that is to be done, it is done by management.

3. view compensating controls

As noted above:

  • There may not be a business risk justifying corrective actions.
  • The auditor hasn’t confirmed the facts or their implications.
  • The business may not be relying on these controls, but on controls within the business, (Technically, these not compensating controls. They are the primary controls and are not designed to compensate for any SOD deficiency.) In fact, it is possible that the controls tested should not have been in scope for the audit!

Of all the options provided, this may be the best but it is seriously flawed.

  1. Review access controls

I am flummoxed! How do you determine that there is a lack of SOD if you haven’t already assessed access controls?

If I was presented in an exam setting with these four options and had to choose one, I would go with #3.

But in real life, I would have an issue with any auditor who hadn’t first made sure of their facts, discussed the issue and its implications with management, and confirmed this was a real business risk that needed to be addressed.

What do you think?

The risk is assessed as high. So what?

January 12, 2023 17 comments

While there may be a debate whether risk should be assessed using qualitative or quantitative measures, I believe that is answering the wrong question.

Knowing what the level of risk is, even whether it is an unacceptable level of risk, is insufficient information.

It doesn’t answer the questions of:

  1. Should I take the risk?
  2. How much should I invest to reduce the level of risk given the opportunity cost? (Assuming the best business decision is not to take more!)

These are simple questions to ask, but not so simple to answer.

They are essential questions to answer.

If all you wanted to do was to avoid risk, you would never buy a house, cross the street, drive a car, or get married.

There are reasons for doing all of these in our personal life, and there are reasons for taking risk in our business life.

People talk about risk management enabling decision-making and go on to talk about whether the level of risk is acceptable (using terms like risk appetite, limits, and criteria).

But in real life, whether personal or business, you need to answer both of my questions.

Resources are limited.

Every penny spent to mitigate one source of risk is a penny that cannot be spent mitigating another source of risk.

Every penny spent on mitigating risk comes at the expense of investing in opportunity.

Is it any surprise that surveys of CIOs report that they prefer, overall, to spend their limited budgets on new systems rather than on cybersecurity? They can see both the risk and the reward of each alternative use of scarce funds.

So I end this short post with another question:

Is your risk management activity helping executives and board members know which risks should be taken, and how much should be invested in each of the following?

  • Cybersecurity
  • Regulatory compliance
  • Safety
  • Marketing
  • Product development
  • Employee morale and development
  • Sales
  • Acquisitions
  • And so on

I try to provide something of a roadmap to answering my questions in my various books. I am currently working on one (due out next month) that is intended to help executives and board members figure out how much to invest in cyber.

I welcome your thoughts.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

There seems to be some confusion about this post. Let me clarify with an example.

At Tosco, our Marketing division (which operated about 6,000 Circle K convenience stores and and Union 76 gas stations) had a monthly meeting of its executive team to review and approve capital spending requests. They ranged from $10,000 to $10,000,000.

Management at lower levels would prepare a request that would be reviewed by a team in Finance to make sure that the numbers were correct. Let’s assume (because I don’t remember) that each had a section on assumptions and risks.

A request could come from any one of the stores (such as spending to improve the facility that would generate revenue or improve compliance), or from any of the corporate functions (such as IT, Marketing, and so on).

Each month, there could be fifty of more requests.

The management team had to decide:

  • How much, in total, could they spend
  • Which, if any, of these requests would generate an acceptable return
  • How they should allocate the available funds among the requests
  • Whether any of the requests should be partially funded or modified
  • Whether they should defer spending, even on ‘profitable’ requests, to save funds for requests they knew were coming, or because there was uncertainty about cash flow, etc.

Coming up with a risk quantification (a number or a range) for each request is only a step in the process. It is not sufficient to evaluate each request by itself. The business decision is complex and requires judgment as well, considering the big picture not just the pieces.

I hope that clarifies my point.

Do your leaders see the big picture, or just pieces?

December 27, 2022 6 comments

Let me share a story (based on a real event) that you are watching on multiple monitors.

On the first screen, management of the company’s largest oil refinery are planning a major capital project to build a new processing unit. One of the refinery’s existing units produces not only highly valuable jet fuel, diesel, and gasoline, but also a variety of medium and low value byproducts (“midstream”). The new unit will reprocess the low value midstream products and convert them to medium value midstream or even gasoline and diesel.

You can see the refinery’s risk officer consulting with the management team. He is helping them with safety, compliance, and a variety of other sources of risk to the project.

The second screen shows the trading floor, where management is monitoring both the prices they will have to pay for the crude oil that is the raw material for the refinery, and the prices that the different products of the refinery can obtain in the market. You can see the trading floor risk officer, monitoring futures and derivative trading and other risks.

In response to a question from refinery management, the traders share the projected prices for the range of products that the new unit will produce.

Using that information, refinery management designs the new unit to generate the optimal mix of products.

Screen three has the financial team preparing forecasts for the rest of the year. They get a projection from refinery management that includes when the new unit will come online, its operating costs, and projected revenue.

The fourth screen shows the Treasury department. They are managing short-term investments and cash flow, based at least in part on forecasts and projections from Finance. The Finance risk officer is tracking and reporting currency, interest, and other sources of risk.

Four months pass.

Turning your attention to the refinery, you see that excellent progress is being made. The new unit is close to 70% complete. It is on schedule and on budget. The refinery risk officer is reporting that all remaining risks are within acceptable limits.

The traders continue to monitor raw material and product prices. They decide to change their derivatives trading strategy, as they are seeing a significant shift in the market.  Product prices are shifting. The low value midstream products are increasing in value, while prices for gasoline and the medium value byproducts are falling. But while they (with the help of their risk officer) report that to senior management, they are focused on their own operations. They optimistically project no change in revenues, although there is a significant possibility that total revenues will fall.

Finance and Treasury continue as before.

Another two months go by.

The traders raise the alarm that revenue is dropping. Product prices have fallen steeply and are not expected to come back in the near future. They apologize for not warning everybody earlier.

Finance hurries to update the forecast and the executives meet to decide whether to change the projections they have shared with analysts and others.

Management at the refinery are innocently continuing to work on completing the new unit, which is scheduled to start operations in thirty days. Everything is looking good.

Meanwhile, Finance has shared its updated forecast with Treasury. With the drop in projected revenue, Treasury alerts the CFO and top management that cash flow is drying up. They will have to cut back 100% on capital spending, at least for the next month or more.

You see the CFO meeting with the refinery manager, asking him to defer any capital spending for three months. Words are exchanged, and the CFO is told that the money has already been committed on the new unit. Canceling or deferring the remaining construction will delay opening by three to six months, increasing costs, and reducing revenue.

The CFO replies that there is no cash to spend, and he cannot obtain new funding quickly.

Reluctantly, the refinery manager calls in his team and they figure out how to cut back work on the new unit.

Three months later, the executive team meet to celebrate the opening of the new unit.

However, refinery management and Finance tell them that it will not generate the anticipated return on investment that had been expected due to the change in product prices.

The refinery manager informs the CEO and the rest of the executive team that had they known, months earlier, that the prices for the mix of products of the new unit were changing, they could have modified the design. They could have made some adjustments to increase the volume of what were now higher value products.

But they didn’t know. Nobody told them, and they didn’t ask.

The Lesson Learned

People talk about the problem created when risk is managed in silos. That problem is what enterprise risk management (ERM) is intended to address.

But while it is true that risk is interconnected and so on, I would express the problem differently.

In this tale (again, based on a true story from my time at the oil refining and marketing company), the company was being managed in silos.

I have seen this time and time again.

When management is managing just their piece of the puzzle, they may optimize that piece at the expense of the whole picture.

I have seen:

  • Two divisions of one company competing against each other for the same contract
  • The three business units of another company fighting against the CIO’s proposal for a company-wide ERM. As a result, each business unit purchased their own systems that were not connected or integrated in any way.
  • A factory that made enclosures for the company’s products deciding to sell them to a third party instead of their sister factory. The enclosure factory generated more revenue but forced their sister to purchase their enclosures from a third party at much higher cost.

When we see this, we need to ensure top management and, if necessary, the board know what is happening.

Managing the company in silos, perhaps enabled by addressing risk in silos, is a serious inhibiter of success.

Is this something you see in your organization?

I welcome your comments.

My Duel with Richard Chambers on Audit Opinions

December 24, 2022 1 comment

I recently debated with Richard Chambers (thank you to Jon Taber) the value of an audit opinion.

You can find it here: https://www.youtube.com/watch?v=b1lHX5SRjMg

Please share your thoughts.

Internal audit and risk management

December 23, 2022 2 comments

The results from my recent survey (thanks to the 75 internal audit practitioners who responded) are interesting. (You can see the results of the earlier survey here.)

First, I will review the answers about auditing risk management.

Q1: Does your internal audit function audit the organization’s management of risk?

62 (83%) indicated that they do, in one form or another. That’s good news.

Skipping the next two for a moment:

Q4. If you audit risk management, which of these is your approach? Check all that apply.

  • 37 (50%) said “We assess whether risk management practices meet the needs of the organization for decision-making”. That is my favorite answer.
  • 42% (56%) audit compliance with policies and procedures. Maybe necessary, but not sufficient IMHO.
  • 29 (39%) assess the accuracy of management’s risk reporting. I have an issue with this if internal audit is seen as knowing better than management what the level of risk is. It’s also a moving target, so I would have to see what these functions are doing.
  • 22 (29%) use a maturity model. I like this approach and included one in Risk Management for Success.
  • 36 (48%) use a standard or framework:
    • 16 use the ISO 31000 risk management standard
    • 13 prefer COSO’s ERM Framework
    • 7 use a different framework

Q5. If you don’t audit risk management, why is that? Answer all that apply.

  • 12 said there is no risk management function to audit. However, IMHO that just changes the audit. It shouldn’t be an audit of the function; it should be an audit of how well management addresses risks to objectives.
  • 7 said they don’t have the support of management for such an audit. I don’t think that should be a sufficient deterrent.
  • But 7 said they don’t have the support of the board! I hope the CAE made sure the audit committee understood why this is a problem.
  • 5 said that other functions, such as the external auditor, assesses risk management.
  • 5 said it’s not a priority. Hopefully, that’s because the CAE has confidence (such as from a prior audit) that the risk of poor risk management is low.
  • 3 don’t have sufficient experience. I hope they work around that.
  • 1 doesn’t have the budget. Hopefully, the CAE is discussing that with the audit committee.
  • 9 cited other reasons.

Going back to the second question:

Q2. Who completes the risk identification and assessment that management and the board rely on? Answer all that apply.

This is a question that will interest Tim Leech. The answers will probably surprise him as much as they surprised me!

  • 19 (25%) said management and the board rely on internal audit’s assessment. I am surprised that it’s so many, and Tim will be surprised that it’s so few. Risk assessment is a management responsibility, and the CAE should be telling the board and CEO that this is a huge problem. As CAE, I would not be comfortable if management relied on my assessment instead of their own. (Of course, internal audit can gain an understanding of the more significant risks when building and maintaining the audit plan.)
  • In 45 (60%) cases, a risk management function is responsible.
  • 24 (32%) said they have separate risk assessments in different parts of the business.
  • 4 don’t have a risk assessment, and 2 didn’t know.

Q3. When you perform an audit, do you review management’s risk assessment of the area and provide an opinion on its accuracy?

  • 35 (47%) not only said that management has a risk assessment for the area under audit, but it is reviewed as part of the audit. That is encouraging – more than I expected.
  • 21 (28%) said management doesn’t have a risk assessment for the area being audited.
  • 18 simply said No, and 1 didn’t know.

The next two questions are important.

Q6. Do you use management’s risk assessment in building the audit plan

12 replied that management doesn’t have a risk assessment, so they can’t use it. Of the 63 who do:

  • 40 (63%) said Yes.
  • 20 (32%) said that rely to a limited extent.

Q7. Is your audit plan based on an assessment of risks to the enterprise?

  • 32 (43%) said that they “audit the controls over the more significant risks to the enterprise and its objectives. We don’t perform full scope audits of processes or units”. This is my preferred approach.
  • 31 (41%) audit “those business units and processes that represent the greatest risks, and then audit the controls over the risks to those units and processes”. This is the traditional approach that I hope people are starting to realize is misguided. You will audit risks that matter only to middle management, if that, and not limit your work to what matters to the success of the enterprise.
  • 6 (8%) still use the antiquated cyclical approach.
  • And another 6 have taken a different approach (undefined).

Q8. Are you changing your approach in 2023 and beyond?

  • 34 (45%) are staying with the same approach.
  • 23 (31%) are definitely changing.
  • 19 (25%) might change.

I welcome your thoughts on the results.

My opinion of audit opinions

December 19, 2022 4 comments

Last week, I was in a duel with Richard Chambers on the topic of internal audit opinions.

Neither of us had much time to express our views, so I am taking the opportunity of today’s post to share some insights that might be useful.

Last month, I ran a survey that asked internal auditors “How do you communicate your overall opinion?” The answers were:

  • We don’t include an overall opinion on the adequacy of controls over the risks in scope… 8.7%
  • We use traffic lights, such as red/yellow/green… 19.0%
  • We use language like “the controls are effective, adequate, or ineffective”… 41.3%
  • We construct an opinion statement that reflects not only whether the controls are adequate overall, but which risks might not be at unacceptable levels… 23.0%
  • Other… 7.9%

Consider four identical manufacturing companies where internal audit has completed an audit of their inventory management processes. This is a critical activity for them (as it is for businesses in many sectors, such as retail and wholesale, oil and gas, and more).

Imagine that you are on the boards of each company and reading the audit reports.

All the audits found the very same six issues. But they reported them differently.

The auditors of Company A wrote that they had completed their audit of inventory management processes and found a number of issues of concern. In their Findings section, they explained that six controls were not functioning as designed. The auditors went on to recommend that management ensure they function properly in future, and management responded that they would.

Company B’s auditors had a different report. While they also reported that they had completed their audit of inventory management processes and found a number of issues of concern, they commented that the controls over inventory management “needed improvement”.  They listed the six findings in the Executive Summary and put a traffic light color next to each, indicating their opinion of the severity of the finding.

Company C was different again. The report was similar to that for Company B, but this time the opinion specified the risks that had been audited, not just the controls. The auditors’ opinion was that the controls over inventory-related risks, such as ensuring the accuracy of inventory records and the quality of materials, needed improvement.

Finally, there is Company D. This time, the audit opinion was:

“Several controls were not operating properly, and management has agreed. As a result, there is an unacceptable level of risk that insufficient raw materials will be on hand when needed for production. In addition, what material is in inventory may not be of the appropriate quality. Should that occur, sales and customer satisfaction will be severely impacted and the company’s revenue targets for the quarter (if not the year) might not be achieved.

“Management has agreed with this assessment and has already started the process of upgrading the controls, scheduled for completion next month.”

My survey indicated that less than a quarter of internal audit departments (if the survey is representative) would include an opinion like that of Company D.

In the duel, Richard and I both agreed that we needed to provide the assurance, advice, and insight that management and the board need.

Which of the four company’s audit departments did that?

The auditors at Company D had to do more work, primarily sitting down with management and having a constructive discussion to (a) confirm the facts, (b) agree on what the facts meant, (c) consider options for addressing the risks, (d) review the language that will be in the report, and (e) discuss how best to communicate the situation to senior management.

But there is huge value in that additional work.

Where are you?

Are you going to adopt Company D’s approach?

I welcome your comments.

By the way, if you haven’t responded to my second survey, please do so.

Designing efficient and effective audits

December 16, 2022 7 comments

Before I start today’s post, may I ask the internal auditors who haven’t already done so to respond to my latest survey, here?

 

Yesterday, I fought a duel (up to you to decide who won) with my good friend, Richard Chambers. It was hosted by Jon Taber (see footnote for the links) on the topic of audit opinions.

At one point, Richard made the excellent point that you shouldn’t provide an opinion without having done the work to support it.

My reply was that you should start the audit with the end in mind.

If you plan to express an opinion at the end of the planned audit on the adequacy of controls to manage specific risks, then the scope of the audit should be designed to provide to enable that opinion.

Do enough work to reach and support your opinion – and no more, unless you desire to audit controls and processes that are not relevant to your audit objectives (“muda”).

One of the fights I have been engaged in for a long time now is against full scope audits, especially those performed on a cyclical basis.

We should (as guided by the IIA’s Standards) be performing risk-based auditing.

That means that we should be auditing the controls over the more significant risks to the achievement of enterprise objectives. That is not the same as auditing the controls over a business process!

When you audit an entire process or business unit, you are going beyond the things that matter (controls over significant enterprise risks) to things that don’t matter to leadership (risks to the process or business unit that don’t have much effect on the achievement of enterprise objectives).

The key to efficient and effective auditing is focusing exclusively on what matters; stop auditing what doesn’t matter to the achievement of enterprise objectives.

Audit the controls over enterprise risks, not controls over local risks.

The excellent magazine of the IIA features a piece by my pal, Dave Salierno.

Brief, highly focused internal audits can produce rapid results for audit clients features comments by Hassan Khayal, an internal audit manager at Scope Investment (based in Dubai). The CAE there is Vijesh Ravindran.

Dave tells us:

…one internal audit function has fundamentally transformed its approach to audits. Responding to the need for increased agility and speed, auditors at a private investment firm based in Dubai, United Arab Emirates, began performing fewer large-scale, traditional audits in favor of faster engagements with a much narrower scope. These “burst audits” enabled the audit function to conduct operational risk assessments quickly and on short notice, and provide near-immediate feedback.

He continues with:

“Throughout the company, people were trying to address new challenges and quickly find solutions,” Khayal says. Clients asked how internal audit could help them. “Many of our clients suddenly needed quick assessments and recommendations.”

Providing those assessments through traditional audits could take months for each engagement. To meet the moment, the internal audit team began performing short, operational risk reviews that gave clients the rapid recommendations they needed. As small issues began arising throughout the firm, auditors started performing these reviews regularly — one- to two-week engagements that each covered a narrow, highly focused area. The approach enabled practitioners to make a quick impact and then swiftly move on to the next area in need of attention.

Unfortunately (in my opinion), the company continues to perform “large-scale, traditional audits” that cover an entire process or business activity.

If you can narrow your focus to providing an opinion (an “evaluation” per the Standards) as to whether controls are adequately designed and operating effectively over specified risks to objectives, ALL your audits can be “burst” audits that last weeks instead of months, delivering the assurance, advice, and insight that leadership needs, when they need it.

Why is it necessary to perform fast, efficient, focused audits?

Every hour saved by not auditing what doesn’t matter is an hour that can be spent on an additional audit that addresses something that does matter.

Can we eliminate full scope audits?

Can we move to enterprise risk-based audits?

I welcome your comments.

 

Footnote:

You can find the duel on LinkedIn (which is where you can vote for the winner), Apple podcast, or Spotify.

A survey of internal auditors and their approach to risk management

December 13, 2022 5 comments

I would appreciate your help with another short survey.

This time its about how internal auditors address risk management, including whether and how they audit it; who performs the risk assessment for management and the board; and how the audit plan is built.

You can find it here.

Thanks in advance. I will share the results in a future post.

Some auditors need to kick bad habits

December 12, 2022 7 comments

The Institute of Internal Auditing is in the process of updating its International Professional Practices Framework (IPPF), which includes the International Standards for the Professional Practice of Internal Auditing.

It is necessary, as some in the profession need a kick.

A friend recently told me that they connected with audit leaders at peer organizations (other mid to large, complex organizations) to understand how long/large their audits typically are. They perform cyclical audits of auditable entities (an audit universe) that last up to 12 weeks. 

So cyclical audits are alive and well, even though the practice should have died off decades ago.

Also alive and well are long audits of an entire process or business unit.

Too few are taking a risk-based approach to internal auditing.

Audit the controls over the risks, not entire business processes!

Don’t waste your or management’s time auditing more than you need to provide the assurance, advice, and insight management and the board need.

I have asked the IIA to use the opportunity of the IPPF update to jolt people out of these poor practices.

They replied, “That is our goal too, business objective-based and risk-based audit”.

Excellent!

Let’s have a quick look at what the IIA currently says about the role of internal audit.

The Definition of Internal Auditing is:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The Mission of Internal Audit takes the ideas to a higher and more active level:

The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

This is supported by the last three of the IIA’s Core Principles for the Profession of Internal Auditing:

  • Provides risk-based assurance.
  • Is insightful, proactive, and future-focused.
  • Promotes organizational improvement.

I don’t think you achieve these through full scope, cyclical audits of business processes or units.

I think you achieve them through audits that focus on the more significant risks to the enterprise: enterprise risk-based auditing.

That is what the current Standards say:

2010 – Planning

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Interpretation:

To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

 

2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

    • Achievement of the organization’s strategic objectives.
    • Reliability and integrity of financial and operational information.
    • Effectiveness and efficiency of operations and programs.
    • Safeguarding of assets.
    • Compliance with laws, regulations, policies, procedures, and contracts.

Frankly, I don’t understand how an internal audit function passes a Quality Assurance Review when they practice cyclical or full scope auditing.

Moving on, the IIA has shared a draft Purpose statement. I’m not sure how a Purpose statement differs from a Mission statement, and why you need both. But here it is:

Internal auditing enhances the organization’s success by providing the board and management with independent advice and assurance.

Tim Leech doesn’t like it (see here). He prefers:

Ensure the board and CEO are receiving reliable information on the likelihood/risk top value creation and preservation objectives will be achieved with a level of uncertainty acceptable to the board

I prefer something more active, more than providing assurance on risk reporting. Frankly, the draft is weaker than the existing Mission statement.

I would like to see something like:

Provide the risk-based assurance, advice, and insight that leaders of the organization need for success.

Why this?

  • It talks about risk, while the current draft does not. It just talks about advice and assurance, but does not say on what.
  • The current and proposed guidance allows for any level of assurance. Mine requires a more complete level of assurance. An Interpretation statement would explain that the assurance should be on the risks that matter to the achievement of enterprise objectives.
  • I have added “insight”, which is an important source of value to our customers.
  • It makes it clear that we should provide what our customers need, not just what we think is valuable or would contribute to their success.
  • Independence is a given, and anyway objectivity is more important.

What do you think?

  1. How do we persuade CAEs to discard cyclical auditing and full scope auditing, replacing them with risk-based auditing?
  2. How would you modify the Purpose statement?

Excellent points made by a prominent CRO

December 8, 2022 3 comments

Earlier this week, I enjoyed a conversation with Joshua Rosenberg, Executive Vice President and Chief Risk Officer of the Federal Reserve Bank of New York.

I was great to chat with a gentleman who has a prominent position, and whose thinking on risk management appears to be well aligned with mine (with a few exceptions, like risk appetite and risk registers).

His October speech to the Central Bank of Nigeria’s Second National Risk Management Conference made some excellent points, including:

  • …by integrating risk management into plans, decisions, and actions, we can succeed over a wider range of possible futures, not just the future we expect (or hope for).
  • … potential misunderstandings that might prevent us from getting the most out of risk management. The first is that risk management is mainly a way to stop bad things from happening. Of course, risk management should help us reduce the frequency and size of negative events and then recover more quickly and effectively when negative events occur. But, risk management, in my view, should also help the right things happen by giving us tools to work more effectively.
  • Second, risk management could be misunderstood as primarily the responsibility of risk management specialists. Actually, effective risk management is a way for everyone in an organization to help things go right. From the economic analysts to the cash processing operators to the software engineers, we can make better plans, decisions, and actions when we are prepared for change and have the capacity to adapt to surprises. So, most of the risk management that occurs in an organization will be done by people who don’t have the word “risk” in their job title.
  • And third, risk management could be misinterpreted as an attempt to create a contingency plan for every possible thing that could go wrong. It is important to prepare by scanning the horizon, exploring the range of possible futures, and understanding how those futures could help or impair desired outcomes. We do want to invest in effective responses to key scenarios. However, no organization has the resources to prepare for all possibilities. And, no matter how creative we are, we still can’t imagine every one of them anyway. As it is said, “Things that have never happened before happen all the time.” So, effective risk management is more than planning. It is creating the capacity to adapt to and recover from unexpected shocks, which is what we often mean when we talk about resilience.
  • To me, successful risk management is as much about culture as it is about structure…. To me, there are four central aspects of culture that support effective risk management: learning, listening, helping, and speaking up. In a learning culture, we think about and plan for what might happen. And, we learn from experience, what went well and what didn’t, so we can improve for next time. In a listening culture, we seek advice, appreciate a fresh perspective, and are open to new ideas and feedback so we can improve. In a helping culture, we work together across the organization, building on each other’s strengths, and helping when we have an opportunity. And, in a speaking up culture, we let our colleagues know when we see a problem or after something goes wrong so that we can get started fixing it. Risk management is a creative, social process. It is a way of thinking, doing, and interacting. To bring it to life, we need to work together across the organization, staying continuously curious about the changing risk landscape and possible futures.
  • A foundational component of resilience is that an organization can operate as a coordinated system in order to successfully adapt to changes in the environment.
  • Here’s the realism: while we might prefer never to be surprised, we will be. The optimism is: effective risk management can help us be less surprised and respond better when we are. And, a strong risk management ecosystem will be self-sustaining because it generates demonstrable value – that is, practical and timely solutions to material problems – to help our organizations succeed in all environments.

In his role, Josh is naturally focused on the downside of risk, rather than the need to take the right level of the right risks so you can seize opportunities and achieve objectives.

Setting that aside, he has a practical approach to risk management that sees huge value in helping his organization and its leaders succeed – and not just manage and mitigate risks.

I welcome your comments.

When the board insists on a list of the top risks

December 5, 2022 3 comments

Recently, Tim Leech asked this question in a LinkedIn post:

What should a CRO or CAE do if the board insists they still want a list of “top risks” plotted on a color risk profile; and soundly reject the ISO view “risk” is “effect of uncertainty on objectives”, and COSO position “risk” is “the possibility that events will occur and affect the achievement of strategy and business objectives.”

My comment in response was:

The roles of the CRO and CAE should not be mixed up like this.

If the company is managing a list of risks instead of the business, the CRO has a clear opportunity and obligation (IMHO) to show a better way.

Continue to provide a list of risks (it still has some value), but team with performance management to provide (as I explain in my books) a list of objectives, their current status, and the likelihood they will be achieved by the end of the period.

The CAE is in a very different position, unless they are also CRO (in which case, the above applies).

The CAE should not assess and provide an opinion on whether the company is in compliance with its risk management policies.

Instead, the CAE should provide an opinion on whether risk management practices meet the needs of the organization. That will entail pointing out how a list of risks fails to drive decision-making and success.

While it is difficult, as Tim points out, to tell the boss that they are wrong, whether we are the head of risk management (CRO) or internal audit (CAE), we have a professional responsibility to provide leaders with what they need.

Sometimes, they don’t know what they need!

Their experience, which may be at other organizations, has put them in a box. If they liked what they had before, it can be difficult to change.

As I said in my comment, we shouldn’t mix up the roles and responsibilities of the CAE and CRO.

The CRO is responsible for helping management and the board understand what might happen, so they can make the appropriate strategic and tactical decisions necessary for success.

The CRO helps management and the board take the right level of the right risks.

While a list of top risks has some value, it is not enough to inform decision-making.

In fact, it is rare for a decision-maker to refer to the list of top risks in making an important business decision – whether strategic or tactical.

In fact, a list of top risks is going to be out of date very soon after it is prepared, since business conditions and risks are changing all the time.

A list of top risks has value when it comes to making sure the risks that merit specific and continued attention are getting it.

But the business is run every day.

Every day, decisions have to be made that not only need to consider what might happen (risk and opportunity) but will also create or modify existing sources of risk and opportunity.

The CRO and their team add more value when they enable daily activities and decisions to be of high quality.

I have advised CROs, management teams, and board to integrate performance and risk management. The CRO should work with the CFO and others to ensure leaders understand whether, considering current status and what lies ahead, the organization is likely to achieve its objectives for the period.

When I have shown them examples of such reports, explained in my books (such as Risk Management for Success), they have embraced them.

A list of top risks becomes a secondary source of information.

The CAE is in a different position.

The CAE has a responsibility for providing assurance to the board and management that risk management practices are effective.

But that is not achieved when it is limited to the periodic review of a list of top risks.

When that is all the board receives, board oversight of risk management is insufficient.

My advice to the CAE is to work with the CRO first. Try to get the CRO to provide the board and top management with an integrated risk and performance report.

After all, it is risk to objectives that needs to be addressed, not risk in a silo, out of context of running the business.

I would also work with the CEO (or other top management influencer, but the CEO is going to be the decision-maker), helping them understand what is missing.

Help them understand how effective risk management helps them succeed, not just avoid hazards and tick the compliance box.

The CAE should audit risk management and report its deficiencies, the primary one being that a list of risks (or a heat map) is insufficient.

So much more value can be derived.

I welcome your thoughts.

New US government guidance on cyber risk

November 28, 2022 2 comments

I was surprised and pleased, surprised and flattered, and then disappointed by a new publication by NIST (the US Department of Commerce’s National Institute of Standards and Technology).

NIST published NISTIR 8286D, Using Business Impact Analysis to Inform Risk Prioritization and Response this month.

I have been saying that in order to understand how a cyber breach might affect the business, a business impact analysis (such as contingency planners have been using for decades) should be performed. The analysis should be a joint effort between operating management (who understand the business) and the technical teams (who understand how a breach might happen).

I was surprised and pleased that NIST decided to respond with this new guidance, even to the extent of using some of my language.

The Abstract says:

While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide a broad understanding of the potential impacts of any type of loss on the enterprise mission. The management of enterprise risk requires a comprehensive understanding of mission-essential functions (i.e., what must go right) and the potential risk scenarios that jeopardize those functions (i.e., what might go wrong).

While I noticed that NIST remains focused on assessing risk to information assets, instead of to enterprise objectives or (as they say) the enterprise mission, I was surprised and flattered to read the following in the Acknowledgments:

The authors also thank… individual commenters Simon Burson and Norman Marks.

But the guidance is disappointing.

The Abstract continues with:

The process described in this publication helps leaders determine which assets enable the achievement of mission objectives and evaluate the factors that render assets as critical and sensitive. Based on those factors, enterprise leaders provide risk directives (i.e., risk appetite and tolerance) as input to the BIA. System owners then apply the BIA to developing asset categorization, impact values, and requirements for the protection of critical or sensitive assets. The output of the BIA is the foundation for the Enterprise Risk Management (ERM)/Cybersecurity Risk Management (CSRM) integration process, as described in the NIST Interagency Report (IR) 8286 series, and enables consistent prioritization, response, and communication regarding information security risk.

There are some good sections, like this from the Executive Summary:

Risk is measured in terms of impact on enterprise mission, so it is vital to understand the various information and technology (IT) assets whose functions enable that mission. Each asset has a value to the enterprise. For government enterprises, many of those IT assets are key components for supporting critical services provided to citizens. For corporations, IT assets directly influence enterprise capital and valuation, and IT risks can have a direct impact on the balance sheet or budget. For each type of enterprise, it is both vital and challenging to determine the conditions that will truly impact a mission. Government agencies must provide critical services while adhering to priority directives from senior leaders. In the commercial world, mission priority is often driven by long-term goals and factors that might impact the next quarter’s earnings call. Therefore, it is highly important to continually analyze and understand the enterprise resources that enable enterprise objectives and that can be jeopardized by cybersecurity risks.

However, they continue to justify the use of a cybersecurity risk register and a focus on managing and mitigating risk to information assets:

The NIST Interagency Report (IR) 8286 series has coalesced around the risk register as a construct for storing and a process for communicating risk data [NISTIR8286]. Another critical artifact of risk management that serves as both a construct and a means of communication with the risk register is the Business Impact Analysis (BIA) Register. The BIA examines the potential impacts associated with the loss or degradation of an enterprise’s technology-related assets based on a qualitative or quantitative assessment of the criticality and sensitivity of those assets and stores the results in the BIA Register. An asset criticality or resource dependency assessment identifies and prioritizes the information assets that support the enterprise’s critical missions. Similarly, assessments of asset sensitivity identify and prioritize information assets that store, process, or transmit information that must not be modified or disclosed to unauthorized parties. In the cybersecurity realm, the use of the BIA has historically been limited to calculations of quality-based and time-based objectives for incident handling (including continuity of operations and disaster recovery).

Because the BIA serves as a nexus for understanding risk (which is the measurement of uncertainty on the mission), it provides a basis for risk appetite and tolerance values as part of the enterprise risk strategy. That guidance supports performance and risk metrics based on the relative value of enterprise assets to communicate and monitor Cybersecurity Risk Management (CSRM) activities, including measures determined to be key performance indicators (KPIs) and key risk indicators (KRIs). The BIA supports asset classification that drives requirements, risk communications, and monitoring.

There is value in understanding what systems and data need to be protected, but NIST is still not assessing the risk to the mission (the business) of a breach: the range of potential effects and their likelihoods.

This is how I see the issue:

  1. The organization needs to prevent, to the extent that is reasonably possible, a cyber breach. However, the entrance point of a breach is not necessarily in a critical information asset.
  2. It should invest in cyber commensurate with the risk to the business. That requires understanding the range of potential effects and their likelihoods.
  3. The potential effects of a breach should be minimized where possible, using tools and techniques such as encryption, backup or even redundant systems, etc. Understanding the critical information assets is necessary to do this well.
  4. The organization needs to be able to respond and recover promptly from a breach, minimizing any damage. This requires knowing that a breach has occurred (a major problem since past breaches have not been discovered for up to a year), what has been affected (also a major challenge), and taking appropriate actions to restore service – including reprocessing transactions, etc., communicating with third parties, and more.

If there is a risk tolerance or other criteria that should be used to assess whether the level of cyber risk is acceptable, it should be based on the level of risk to the business, not to individual information assets.

I am concerned that a focus on risk to information assets will not enable:

  • An intelligent determination of the appropriate level of business investment in cyber risk prevention, resilience, and response
  • The ability to make an informed and intelligent decision on whether to take the cyber risk involved in an early rollout of a new product because of the potential for reward.
  • The protection of non-critical assets that can be a gateway to access to critical ones.
  • The consideration of all sources of business risk, including but not limited to cyber, when making strategic and tactical business decisions.

There is value in understanding which information assets are critical to the business, but only once the level of risk to the business of a breach is understood.

Once the level of investment in cyber has been determined, then and only then does understanding which information assets are critical have value. It can help allocate resources between them.

However, I return to the point that a vulnerability to a non-critical asset can lead to damage to a critical one.

It’s a long time since I was responsible for information security at a major financial institution, so maybe I am missing something.

Your comments and insights would be appreciated.

Putting cyber risk into business perspective

November 22, 2022 14 comments

I am in the process of writing a new book. It is intended as guidance for senior management and board members on decision-making when it comes to cyber risk.

I see a gap in their understanding of the level of business risk, and that creates problems when it comes to deciding how much of their organization’s scarce resources (people and money) should be invested in preventing or minimizing the effects of a data breach.

I believe they tend to respond to risk assessments by the CISO or others in the management team that label the level of risk as “high”, but do not describe the potential effects on the business and its success, nor the likelihoods of such major impacts.

They also respond to media headlines and the advice of consultants who may not fully understand the business and are not really objective.

Money, as we know, does not grow on trees.

Every penny spent on cyber risk is a penny that is not spent addressing other sources of business risk and opportunity, such as supply chain risk, competitor risk, new or upgraded technologies, marketing programs, customer service, and so on.

As I was doing my research, I reviewed a 2021 study by PCH Technologies, Cost of Cyber Attacks vs. Cost of Cyber Security in 2021. They reported that these four breaches were among the most severe in 2020 and 2021.

I added a note to the PCH language for each of the four that puts the scale of the breach into business perspective.

  1. Solarwinds, a company that makes business software, was compromised at some point in 2020. This was an advanced persistent threat (APT) that proved very hard to detect. In total, the company reported losses of $25 million to its investors.

Note: Solarwinds revenue in 2020 was $1.1 billion, so the losses were 2.27% of revenue.

  1. Amazon was targeted with a DDOS attack earlier… and it succeeded. They were only down for a little over an hour, but the total losses were somewhere in the neighborhood of $75 million.

Note: Amazon’s revenue in 202o was $386 billion, so the loss was trivial by comparison.

  1. In May of 2021, Brazilian meatpacking company JBS was the victim of a ransomware attack. The ransom alone was $4.4 million, and the loss of revenue might have been even greater.

Note: JBS’s 2020 revenue was $71 billion.

  1. On May 6, 2021, the Colonial Pipeline was hacked, and the ransom paid by the company was reported as $5 million.

Note: this was 1% of Colonial Pipeline’s 2021 revenue of $500 million.

IBM has sponsored independent studies by the independent research organization Ponemon Institute of the cost of a data breach for 17 years. Their latest, Cost of a Data Breach 2022, “studied 550 organizations impacted by data breaches that occurred between March 2021 and March 2022. The breaches occurred across 17 countries and regions and in 17 different industries.”

Their insights included:

  • The average total cost of a data breach was $4.35 million ($9.44 million in the US); the average cost of a ransomware attack was slightly more, at $4.54 million.
  • 83% of organizations that had a breach had more than one incident
  • The average time to identify and contain a breach was 277 days. This is a reduction from the 287 days in 2021.

In general, costs are increasing – but that is not universal. Six countries (Germany, Japan, France, South Korea, Scandinavia, and Turkey) saw a year-on-year decrease.

When you look at the cost of a breach by industry, Healthcare suffered the highest average cost, at $10.10 million, with Financial Services next at $5.97 million.

My questions to all of you:

  1. How significant is cyber risk at your organization. Is it really a top ten source of risk to the business and its objectives?
  2. Are management and the board of your organization able to compare the level of risk to other sources of business risk and opportunity, so they can make informed and intelligent decisions about how much to invest?
  3. How confident are you that your organization is obtaining an acceptable return on its investment in addressing cyber risk, given the alternative returns on other investments?
  4. How confident are you that management understands the dynamic nature of cyber risk (and most other sources of risk to the business)? It is changing constantly.

I welcome your answers and comments.

The internal audit survey results

November 17, 2022 1 comment

I thank the 127 people who answered my survey. I think you will find the results interesting.

As a reminder, I had asked that only internal audit practitioners complete the form.

As with the earlier risk management survey, the results may be a little biased as the respondents are all people who follow me on LinkedIn and/or on my blog.

There are a great many questions I could have asked but limited this survey to 12 questions. If you would like a future survey to address other issues, please add a comment with your suggestions on the blog (i.e., all in one place).

The first two questions were about the length of audit engagements.

X

126 answered the first:

  1. What is the average length of an audit or consulting engagement in hours?
  • 40 hours or less… 5.6%
  • 41-100… 16.7%
  • 101-200… 19.0%
  • 201-300… 21.4%
  • 301-400… 18.3%
  • 401-500… 7.9%
  • Over 500… 11.1%

Over my two decades as CAE, I led teams with two different approaches to assurance engagements.

At Solectron, I would send a team of about 5 people for 2 weeks to one of our global sites (a manufacturing or assembly operation) where they would assess controls over a variety of significant enterprise risks: financial, operational, technology, and compliance. The average length was about 600 hours. However, we also performed audits of corporate functions that focused on a much more limited number of enterprise risks and averaged closer to 150 hours. Overall, the average length of an assurance engagement was probably around 400, about the same as the average consulting engagement.

At my other companies, consulting engagements (such as pre-implementation reviews) could extend over months (the length of the project), but assurance engagements averaged about 150 hours.

The assurance engagements were short because:

  • My team consisted of experienced business-savvy auditors, with no junior staff. They knew what they were doing each time and were able to use their initiative in performing the audit. They were respected by their client.
  • Each audit focused on a few risks of significance to the enterprise rather than to the business unit or process being audited.
  • We only tested and assessed the controls relied on to address those few sources of risk.
  • We were able to stop auditing once we had done sufficient work to form an opinion.
  • We talked with (rather than “to”) management throughout the engagement and we able to agree on the facts and their interpretations without difficulty. The fact that the auditors were business-savvy and practical helped a great deal.

You can read more about my approach to internal auditing in Auditing that Matters.

X

125 people answered the next question:

  1. What is the shortest audit or consulting project your team performs (in hours)?
  • 10 or less… 12.8%
  • 11-50… 40.8%
  • 51-80… 14.4%
  • 81-100… 11.2%
  • 101-150… 8.0%
  • 151-175… 4.8%
  • 176-200… 0%
  • 201-250… 3.2%
  • Over 250… 4.8%

I find this very encouraging. More than 79% of the respondents had engagements of 100 hours or less, with more than half spending 50 hours or less.

I may be wrong, but this tells me that most of the internal audit activities represented here have found a way to focus at least some of their audits on a single enterprise risk.

Very few are spending at least 200 hours on every audit.

Between these two questions, I am encouraged that “full scope” audits of a business unit or process are a dying breed.

The era of audits that extend over months with a team of auditors is starting to end, if not already over for many.

I will skip the third question for a moment and go to #4, which addresses this issue.

X

125 answered:

  1. Do you perform full scope audits or focus on controls over high risks?
  • Full scope audits, all the controls over risks important to the entity being audited… 42%
  • Our audits focus on controls over risks that are important to the enterprise as a whole… 53%
  • Other… 6%

Maybe I spoke too soon! It’s a slim majority in favor of audits that focus on enterprise risks.

X

Coming back to the third question, which was answered by 125 auditors:

  1. When do you discuss control deficiencies with management?
  • The day we find them… 16.0%
  • Within a day or two… 21.6%
  • Within a week… 25.6%
  • Within two weeks… 6.4%
  • At the end of fieldwork… 19.2%
  • After we share the draft report… 11.2%

This is again encouraging.

Nearly 80% discuss issues with management before the end of fieldwork, generally within a week or less.

Moving on.

The next question was answered by 126 people:

X

  1. Do you perform the same audits every year?
  • Never… 38.9%
  • Often… 40.5%
  • Frequently… 20.6%

When you take a risk-based approach, you don’t audit based on a cycle (designed to audit everything over a period such as five years). You include in the audit plan engagements to address the more significant enterprise risks of today and tomorrow.

This should lead to performing the same audit in consecutive years only on those few occasions where both the risk level and the value of an audit remain high, or where the audit is required by the regulators.

I am pleased to see a substantial number answering this, “never”.

X

The next question is about audit reporting, answered by 126 people:

  1. Do your reports include recommendations or agreed action items?
  • Recommendations and management responses are separate… 4.0%
  • Recommendations and management responses are both in the report… 67.5%
  • Agreed action items… 27.8%
  • Other… 0.8%

When I started, in the Stone Age of internal auditing, the audit report would be issued and management asked to provide separate responses. While there are still a few CAEs that haven’t discovered fire, most have moved on.

A significant number have progressed to including agreed action items, but the great majority continue to include both internal audit recommendations and management responses. My view on this is that it fails to demonstrate that internal audit and management are working together, and it leaves the reader to determine whether the two are in agreement, given what may be different language.

The audit committee needs to know whether internal audit and management are, in fact, working together effectively.

I will skip the next question to address another about the audit report. It was answered by 126 auditors.

X

  1. How do you communicate your overall opinion?
  • We don’t include an overall opinion on the adequacy of controls over the risks in scope… 8.7%
  • We use traffic lights, such as red/yellow/green… 19.0%
  • We use language like “the controls are effective, adequate, or ineffective”… 41.3%
  • We construct an opinion statement that reflects not only whether the controls are adequate overall, but which risks might not be at unacceptable levels… 23.0%
  • Other… 7.9%

This is a very important topic for me.

Our objective as internal auditors is to provide “assurance, advice, and insight”.

“Assurance” comes first in that list, as it should.

That requires us to communicate clearly to our customers in top management and on the board whether the risks we addressed are being effectively managed by adequately designed and effectively operating controls.

When there are issues with the controls, our customers need to know what that means – in terms relevant to their running the business. What enterprise objectives, plans, and strategies are at risk, and by how much? Only then can they assess how those issues are being addressed by operating management and whether they need to get involved themselves.

What does “adequate” mean to someone leading the business? They know it’s less than “effective”, but should they be worried?

That is why I told my team to use the full breadth of the English language to communicate our assessment. What risks to what objectives are affected by identified control issues, and does this mean that my business, my strategies, my plans, and my success are at risk?

But I can see that only 23% have followed my example.

X

  1. How long is your Executive Summary in your typical report?
  • We don’t have an Executive Summary… 2.4%
  • One page or less… 65.1%
  • Two pages… 26.2%
  • More than two pages… 5.6%
  • Don’t know… 0.8%

It was answered by 126 people.

65% got it right.

X

Returning to question 7, which was answered by 126 practitioners:

  1. Do you change the scope of an audit after the Opening Meeting?
  • No… 7.1%
  • We listen to management and are open to changing the scope… 23.8%
  • We can change the scope of the audit at any time, depending on what we hear from management and see for ourselves… 68.3%
  • Other… 0.8%

No comment on this, other than it is encouraging.

X

Then we have this, with responses from 126:

  1. How often do you change the audit plan?
  • Our audit plan is for longer than a year and does not change… 0%
  • Our audit plan is for longer than a year, but we can change it annually… 5.6%
  • Our audit plan is for longer than a year, but we can change it more frequently than annually… 8.7%
  • We have an annual plan that doesn’t change… 4.0%
  • We have an annual plan with time for special projects to accommodate change. Otherwise it is a fixed plan… 55.6%
  • Quarterly… 7.9%
  • Monthly… 0%
  • Continuously, as risks and the business change… 18.3%

A number have an audit plan that is longer than a year (even in today’s disruptive climate), and a few still have a rigid annual plan.

The majority allocate a portion of the audit plan to accommodate changes, while a (hopefully) growing number have recognized the need to change the audit plan as the business and risks change.

X

Moving on, we have a question answered by 126:

  1. Does your audit plan only include financial and compliance risks?
  • Yes… 19.0%
  • No… 81.0%

This speaks for itself.

X

The final question was answered by 125 people:

  1. Do you use canned checklists or audit programs?
  • Yes… 5.6%
  • We use them as a basis but modify them as needed… 53.6%
  • We use customized audit programs… 35.2%
  • We don’t have audit programs… 5.6%

This also is encouraging. It tells me that people are thinking about what they are going to do, rather than doing automatically what was done last time or by someone else, somewhere else.

Overall, I can see progress in internal audit practices.

I hope everybody, whether they answered the survey or not, compares their activity to those reflected here – and put appropriate corrective actions in place where needed.

As I said, if you have questions you would like included in a future survey, please let me know in the comments.

Your thoughts on the above are welcome.

Is risk-based internal auditing a myth?

November 14, 2022 14 comments

Are internal auditors fooling themselves when they say they are using a risk-based approach?

My good friend and esteemed[1] risk management practitioner and thought leader, Alexei Sidorenko, challenged me to disagree and comment on one of his latest posts: Creating a risk-based audit plan, is it a myth?

Have a look at what he wrote and then come back to my comments.

You might be interested in a debate Alex and I had on ERM, integrating risk assessment into decision-making and success management.

Alex is correct with several of his observations, including several criticisms of the IIA’s May 2020 practice guide (PG), Developing a Risk-Based Internal Audit Plan.

He quotes the second part (italicized for convenience) of this section of guidance (recommended, not mandatory guidance):

Organizations that have implemented ERM may have created a comprehensive risk register (also known as a risk inventory or risk universe). Internal auditors may use management’s information as one input into internal audit’s organizationwide risk assessment. However, in alignment with the Code of Ethics principle of objectivity and Standard 1100 – Independence and Objectivity, internal auditors should do their own work to validate that all key risks have been documented and that the relative significance of risks is reflected accurately. 

The notion that internal audit should “validate that all key risks have been documented” is wrong- explained in a bit.

Returning to earlier in the PG, it says:

This practice guide describes a systematic approach to creating and maintaining a risk-based internal audit plan. The CAE and assigned internal auditors work together to:

    • Understand the organization.
    • Identify, assess, and prioritize risks.
    • Coordinate with other providers.
    • Estimate resources.
    • Propose plan and solicit feedback.
    • Finalize and communicate plan.
    • Assess risks continuously.
    • Update plan and communicate updates.

This ignores the fact that MANAGEMENT IS RESPONSIBLE FOR RISK ASSESSMENT AND MANAGEMENT of the organization.

Internal audit should assess whether MANAGEMENT is doing this sufficiently well to make informed and intelligent strategic and tactical decisions. That is not the same as doing “their own work to validate that all key risks have been documented and that the relative significance of risks is reflected accurately”. Audit the effectiveness of the ongoing processes, not a single point-in-time assessment, as Alex points out towards the end of his piece.

If it reliable, internal audit should base their own audit plan on management’s risk assessments.

Some additional work will be needed to define audit activities at an appropriate level of granularity.

If management is not doing this well:

  1. Make sure senior management and the board realize the risk (pun intended) they are taking by not having an acceptable understanding of what lies ahead.
  2. Perform sufficient work (and no more) to understand the more significant risks where an audit project can add value, and base the audit plan on that.

Before continuing with Alex’s points, three more of my own.

The PG states:

Risk-based internal audit plans should be dynamic and nimble. To achieve those qualities, some CAEs update their internal audit plan quarterly (or a similar periodic schedule), and others consider their plans to be “rolling,” subject to minor changes at any time.

A quarterly update, or a more continuous one that is limited to “minor changes”, is probably insufficient. As Richard Chambers and I have been saying for many years, the audit plan should be updated at the speed of risk and the business, i.e., continuously if needed. That may mean major changes!

It also says:

Which types of internal audit engagements will provide senior management and the board with adequate assurance and advice that significant risks have been mitigated effectively?

When will everybody understand that risks have to be taken and not necessarily mitigated if you are to succeed? Sometimes, the best business decision is to take more!

Then there’s this:

Once the major strategies and objectives have been identified, the CAE may want to create or review the audit universe, which is a list or catalog of all potentially auditable units within an organization. Auditable units may be any “topic, subject, project, department, process, entity, function, or other area that, due to the presence of risk, may justify an audit engagement.”

 An audit universe simplifies the identification and assessment of risks throughout the organization. It is a step toward discovering which auditable units have levels of risk that warrant further review in dedicated internal audit engagements.

The PG doubles down on this error with:

This organizationwide risk assessment enables the CAE to focus on those risks that rate among the most significant and to identify manageable, timely, and value-adding engagements that reflect the organization’s priorities. This typically results in a plan that addresses around 15 auditable units on average.

We are not in the business of auditing “auditable units”.

We are not in the business of auditing risks to those “auditable units”.

We are in the business of providing assurance, advice, and insight related to risks to the enterprise as a whole!

The concept of an audit universe should be discarded. It is not only obsolete but it is leading internal audit organizations astray, auditing risks that may be important to a unit but not to the enterprise.

Instead, we should have an (enterprise) risk universe.

Those are what we may audit. The risks in that universe may exist and depend on activities at one or more entities within the organization, but our objective is (should be) to provide assurance, advice, and insight on those enterprise risks.

Alex also criticizes the notion of ‘inherent risk’. While I share his concern, I can see situations where we need to know more than the current level of risk, which assumes that controls are adequately designed and functioning effectively.

The level of risk may be acceptable if quality controls are in place. But we need to audit those areas where the risk level would be unacceptable if the controls were deficient.

That’s my first area of disagreement, although it is mild.

Then he picks on another issue: the use of heat maps. He quotes the PG:

Risk assessment results with levels of risk for each auditable unit may be depicted graphically in a heat map or similar chart to help show the ranking of priorities. Heat maps are especially useful when certain criteria are weighted more heavily than others and in visual presentations to the board and senior management.

I have to smile when I read his response:

Ok, this is all you really need to know about IIA level of competency when it comes to risk managementHeatmaps have been scientifically proven to misprioritise risks and be “worse than useless”  Let me make this very clear, IIA is recommending astrology and horoscopes in its official guidelines. Surely, that is a direct breach of a Code of Ethics principles. Last time I checked, promoting pseudoscience and astrology under the banner of independence is not a good idea.

I also hate heat maps, and I have explained that multiple times in this blog and in my books.

But let me make one point.

Since it is a MANAGEMENT responsibility to assess risks to the enterprise, I did not share my risk assessment in any level of detail with management or the audit committee.

My responsibility was to share my audit plan and be prepared to explain why each project was included and others were not.

I did not want to lead management to rely on my risk assessment in running the business.

I did not follow the advice in the PG when it says:

CAEs should meet with senior management to review internal audit’s assessment, ensure thoroughness and mutual understanding, and discuss the reasons for any significant differences in risk perceptions or ratings.

I met with management:

  1. To obtain THEIR assessment of enterprise risks, and later
  2. To review and discuss the audit plan.

Alex asserts:

The biggest lie IIA ever sold business is that auditors understand risk management.

This is only partially true.

Many auditors understand risk management. (How many risk practitioners do, Alex?)

They understand it to the level needed to build and maintain an audit plan that will provide valuable assurance, advice, and insight on the more significant sources of risk to the enterprise.

The fact that the PG is seriously deficient is not proof that the whole profession is incapable of risk-based internal auditing.

In fact, the Chartered Institute of Internal Auditors (the IIA’s UK affiliate) shared an excellent position paper on Risk-Based Auditing in 2003. Why it hasn’t been updated and used by IIA Global escapes me!

There is, admittedly, a long way to go for many internal auditors, which I why I have written and urge them to read Auditing that Matters and the follow-up, Auditing at the Speed of Risk with an Agile, Continuous Audit Plan.

By the way, I 100% disagree with Alex’s checklist at the end of his post. He has forgotten to stress that risks should be assessed based on how they might affect the achievement of enterprise objectives.

I welcome your thoughts.

By the way: I have over time received criticisms for the way I have come down on guidance from others, whether it be guidance from the IIA, Grant Thornton, or someone else. I hear that. But when people are spreading misguidance, I feel an obligation to make it clear why it should not be followed.

[1] Alex has received extensive recognition from the risk management community, including, FERMA 2021 Risk Manager of the Year; 2021 RIMS ERM Award of Distinction – International Honoree; RUSRISK 2014 Best ERM Implementation; and RUSRISK 2014 Best Risk Management Training. He runs the Risk Awareness Week series of presentations, which I recommend.

Survey of internal audit practitioners

November 11, 2022 1 comment

I have a short questionnaire that I would appreciate those of you who are internal auditors completing. I will share the results next week.

You can find it here.

 

If there are issues you would like included in a future survey, please let me know.

Good and bad advice on cybersecurity audits

November 10, 2022 2 comments

It happens so often, its almost not worth my time writing about it.

Grant Thornton, like the other external audit firms, provides internal audit services as well. To promote them, they offer advice on matters such as how to perform audits of an organization’s cybersecurity measures and practices.

This week, they published It’s time to upgrade cybersecurity internal audits.

They do share a useful chart on the average cost of a data breach in the US. However, they fail to point out that at $9.44 million, it shouldn’t represent a serious risk to the achievement of an organization’s objectives, let alone its survival. Yes, its rising (a little) every year. But how much return on investment would an organization obtain from further investments in cybersecurity?

Is cyber really a top-ten risk?

In order to know, every organization needs to conduct and continuously (or close to it) update its cyber risk assessment – within the context of the enterprise risk management program so it can be compared to other sources of business risk.

Like so many other misguided consultants, Grant Thornton looks to internal audit to perform the risk assessment.

When will people get it?

ASSESSING RISK AND UPDATING THE ASSESSMENT WHEN IT CHANGES IS A MANAGEMENT RESPONSIBILITY[1]!

The role of internal audit is to assess whether management is doing that sufficiently well to drive informed and intelligent strategic and tactical business decisions.

Internal audit should assess whether risk management activities, which include cyber, meet the needs of the organization – in other words, go further than just compliance with policies and regulations.

Yet, Grant Thornton tell us:

“You need to begin with a thorough and independent assessment of cybersecurity risk.”

If management has not completed that thorough and reliable assessment of cybersecurity risk, within the context of enterprise risk and the achievement of enterprise objectives,

REPORT A SERIOUS RISK AND CONTROL DEFICIENCY TO TOP MANAGEMENT AND THE BOARD

One of the very tough challenges with cyber risk assessment is the rapidity of change in threats and vulnerabilities.

If cyber is a major source of risk, you need to ensure that the risk assessment is always up to date so you can ensure you have appropriate measures in place, including responses to a breach.

The people at Grant Thornton who wrote this made another serious error. They said:

When the cybersecurity audit identifies your security risks, you need a well-defined plan to address them. Your plan needs to be clear and concise about your capabilities and goals, taking the organization’s performance and financial goals into account. It should align with leading practices and industry standards, and must have executive management support. Most importantly, it needs to be a dedicated multi-year plan that is part of your broader audit plan.

Do you seriously think cyber risks and controls won’t change in five years? They may well change in five weeks or less!

How can you have a multi-year audit plan in these days?

Even an annual plan needs to be updated at the speed of risk and the business.

I’ve said enough about this foolish (yes, I will go that far) article.

I have explained my approach to auditing cyber several times in the past. It includes:

  1. Has management completed and properly maintained an assessment of cyber risk?
  2. Is it part of the enterprise-wide management of business risk (i.e., not assessed and managed in a silo)?
  3. Are those responsible for addressing cyber risk competent and experienced? Are they adequately staffed? Do they report at a level that enables them to get management attention and action as appropriate? Do they have a sufficient budget and tools? Do they talk in business language or in technobabble that management and the board cannot translate into business language?
  4. If one or more of the above are answered “no”, determine the value of further audit activity. A high-level independent risk assessment (don’t spend hundreds of hours) might identify areas meriting an audit because of the clear level of risk. Report the situation immediately to senior management and the board as a serious issue.
  5. Work with the information security team and operating management to understand where the more serious risks are and incorporate them into the overall audit plan.
  6. Don’t try to audit every cyber risk at the expense of other and more serious sources of business risk.
  7. Over time, help management build and maintain an acceptable information security activity and practices.
  8. Keep management and the board informed of the level of risk to enterprise objectives.

I welcome your thoughts.

[1]Even when the CAE is also the CRO, internal audit should not be assessing risks to drive management decisions. They should be facilitating management’s assessment.