Risk in two rooms

September 24, 2020 6 comments

The twins, J and K, want a hot tub. They decide to approach their parents, A and Z, but separately rather than together.

J finds A washing the car in the driveway. A is interested in the idea and they share dreams of soaking in the hot tub after a long day at work and school (after homework, of course). They think about the possibilities of inviting friends and family over for a party with the hot tub at the center. Ahhh!!!

Meanwhile, K is chatting with Z in the garden. Z immediately thinks about the cost. They will have to cancel the planned purchase of new laptops for the twins. Then the hot tub will have to be cleaned, and that will fall to J and K. As they talk about how disruptive it would be to have new water and power lines installed for the hot tub, they hear a car – their car – driving away.

A and J are on their way to the store, excited at the opportunity to buy a hot tub with installation included. After all, there’s a sale on that ends today!

Did anybody make an informed and intelligent decision?


Each pair only considered one side, either the risks or the opportunity. Nobody considered both or found a way to see whether one side weighed heavier than the other.

This is what happens with traditional risk management. It provides a list of risks. It doesn’t help you figure out which risks to take.

This is what happens with the traditional board. The risk or audit committee talks about risks while another group talks about strategy and performance.

I am working on a new book that will talk about moving from managing risks to managing for success.

Is this something you do? Is it something you want to do?

I welcome your thoughts.

The latest information on cyber

September 20, 2020 1 comment

The Australian Cyber Security Center (ACSC) has published its annual Cyber Threat Report. The ACSC is an operational arm of the Australian government. It is responsible for “strengthening the nation’s cyber resilience, and for identifying, mitigating and responding to cyber threats against Australian interests. The ACSC also manages ReportCyber on behalf of federal, state and territory law enforcement agencies, providing a single online portal for individuals and businesses to report cybercrime.”

Over the year ended June 30th 2020, they “responded to 2,266 cyber security incidents and received 59,806 cybercrime reports at an average of 164 cybercrime reports per day, or one report every 10 minutes.”

Of the cyber security incidents, 803 (35.4%) were reported by government agencies. Healthcare was the sector with the next highest level of incidents at 164.

To put those statistics into context, according to the Australian government, as of June 30, 2019 there were “2,375,753 actively trading businesses in the Australian economy”. Of those, 141,628 were in healthcare.

So there were roughly 0.6 security incidents reported per thousand businesses, and 1.2 per thousand in healthcare.

Cybercrime is a very broad category, including not only fraud but also online bullying and the sharing of intimate images or videos. It is not clear from the report how many of these targeted individuals rather than businesses or government agencies.

It is also unclear what the impact has been of cyber breaches, ransomware attacks, etc.

The ACSC report references a Microsoft-commissioned study from 2018. That study said:

…more than half of the organisations surveyed in Australia have experienced a cybersecurity incident (55%) in the last five months while 1 in 5 companies (20%) are not sure if they have had one or not as they have not performed proper forensics or a data breach assessment.

…a large-sized organisation (over 500 employees) in Australia can incur an economic loss of AU$35.9 million if a breach occurs. The economic loss is calculated from direct costs, indirect costs (including customer churn and reputation damage) as well as induced costs (the impact of cyber breach to the broader ecosystem and economy, such as the decrease in consumer and enterprise spending).

Fear and doubt surrounding cybersecurity incidents are undermining Australian organisations’ willingness to capture opportunities associated with today’s digital economy, with 66% of respondents stating that their enterprise has put off digital transformation efforts due to the fear of cyber-risks.

Microsoft says “the potential direct economic loss of cybersecurity incidents on Australian businesses can hit a staggering AU$29 billion per year, the equivalent of almost 2% (1.9%) of Australia’s GDP. Direct costs refer to tangible losses in revenue, decreased profitability and fines, lawsuits and remediation.”

But that is simply the potential, a projection of some sort. Is that a credible number or a scare number? What is the likelihood of losses that high? You can decide for yourself, but I just don’t see 2% of a nation’s GDP being lost to cyber.

Microsoft bemoans “fear and doubt” but they are stoking it!

We need, as I have said many times, to assess for ourselves how a breach could affect our businesses and the achievement of our objectives.

There will be a range of potential effects, from trivial to major. Each point in that range has its own likelihood.

Don’t assess cyber or any other source of business risk using a single point in that range. Consider that entire range and whether it is acceptable.

If it is not acceptable, then consider what defense, detection, response, and preparedness you need to bring it down to where you are willing to take the risk. Consider whether the cost is justified based on the risk reduction – given that there are other uses for those resources.

Everybody should gauge the level of resource that should be applied to cyber based on their organization’s specific circumstances.

Don’t spend more than the risk merits – but spend enough.
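As an added illustration of the argument above (example code written for this post, not the author’s and not from the ACSC or Microsoft reports), the following Python scores a constructed range of breach scenarios for a hypothetical company against an assumed loss threshold that would mean missing enterprise objectives and an assumed acceptable annual probability of such a loss, then applies the two tests the post describes to a candidate control: does it bring the risk within that appetite, and does its cost make sense against the expected loss it removes? Every scenario, probability, control effect and cost below is invented for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Scenario:
    """One point in the range of potential effects of a breach (scenarios are disjoint)."""
    name: str
    loss: float         # loss if this scenario occurs, in dollars (direct and indirect)
    probability: float  # probability that the scenario occurs in a year


@dataclass(frozen=True)
class Control:
    """A candidate defence, detection or response investment (hypothetical)."""
    name: str
    annual_cost: float
    probability_factor: float  # multiplier applied to the probability of affected scenarios
    affects_from: float        # only scenarios with loss >= this amount are affected


# Constructed range for a hypothetical mid-sized company; not real data.
BASELINE: List[Scenario] = [
    Scenario("phishing click, no data loss", 5_000, 0.40),
    Scenario("business email compromise, most funds frozen", 44_000, 0.08),
    Scenario("ransomware, restored from backups", 350_000, 0.04),
    Scenario("customer data breach, regulatory action", 2_500_000, 0.015),
    Scenario("prolonged outage, major customer lost", 9_000_000, 0.004),
]

# Constructed control options; effects and costs are assumptions for the example.
MDR = Control("managed detection and response", 45_000, 0.4, 350_000)
TRAINING = Control("security awareness training", 8_000, 0.7, 0)

OBJECTIVE_THRESHOLD = 2_000_000  # assumed: a loss this large means missing enterprise objectives
APPETITE = 0.01                  # assumed: acceptable annual probability of such a loss


def validate(scenarios: List[Scenario]) -> float:
    """Scenarios are mutually exclusive: probabilities must be non-negative and sum to <= 1.
    The remaining probability mass is 'no material incident this year'."""
    total = sum(s.probability for s in scenarios)
    if any(s.loss < 0 or s.probability < 0 for s in scenarios) or total > 1:
        raise ValueError("invalid scenario set")
    return total


def expected_annual_loss(scenarios: List[Scenario]) -> float:
    validate(scenarios)
    return sum(s.loss * s.probability for s in scenarios)


def exceedance_probability(scenarios: List[Scenario], threshold: float) -> float:
    """P(annual loss >= threshold): the 'how likely is a breach that serious?' question."""
    validate(scenarios)
    return sum(s.probability for s in scenarios if s.loss >= threshold)


def loss_exceedance_curve(scenarios: List[Scenario]) -> List[Tuple[float, float]]:
    """(loss level, P(loss >= level)) for every level in the range, lowest to highest."""
    validate(scenarios)
    levels = sorted({s.loss for s in scenarios})
    return [(level, exceedance_probability(scenarios, level)) for level in levels]


def apply_control(scenarios: List[Scenario], control: Control) -> List[Scenario]:
    """The treated range: the control scales the probability of the scenarios it affects."""
    return [
        Scenario(s.name, s.loss, s.probability * control.probability_factor)
        if s.loss >= control.affects_from else s
        for s in scenarios
    ]


def evaluate_control(scenarios: List[Scenario], control: Control,
                     threshold: float = OBJECTIVE_THRESHOLD, appetite: float = APPETITE) -> dict:
    """Two tests: is the treated risk within appetite, and does the expected-loss reduction
    cover the control's cost? 'justified' requires both."""
    treated = apply_control(scenarios, control)
    after = exceedance_probability(treated, threshold)
    reduction = expected_annual_loss(scenarios) - expected_annual_loss(treated)
    return {
        "control": control.name,
        "exceedance_before": exceedance_probability(scenarios, threshold),
        "exceedance_after": after,
        "within_appetite": after <= appetite,
        "eal_reduction": reduction,
        "net_benefit": reduction - control.annual_cost,
        "justified": after <= appetite and reduction >= control.annual_cost,
    }


if __name__ == "__main__":
    for level, p in loss_exceedance_curve(BASELINE):
        print(f"P(loss >= ${level:>9,.0f}) = {p:.3f}")
    baseline_ok = exceedance_probability(BASELINE, OBJECTIVE_THRESHOLD) <= APPETITE
    print(f"acceptable without further investment: {baseline_ok}")
    for control in (MDR, TRAINING):
        print(evaluate_control(BASELINE, control))
```

With these constructed numbers the baseline risk is outside appetite, the cheaper training option pays for itself but leaves the risk outside appetite (not enough), and the detection service both reaches appetite and costs less than the expected loss it removes.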

What do you think?

When risk management began

September 15, 2020 4 comments

Recently, I read an article that said risk management had been traced back to around 2,000 BC when there had been some commodity trading in India.

I think it dates back to at least the dawn of the human era, and was probably practiced in some fashion before. (I am not getting into the question of whether God thought about what might happen when he created the heavens and the earth.)

Consider the first people to discover fire. They soon realized not only the opportunities it presented for heat and safety but also for cooking. They also learned what happens if you are not careful and get burned by it. They acted accordingly.


The fire discoverers had objectives: safety, food, heat, etc. They considered the current situation and what might happen, then decided whether or not to take the risk.

That was risk management.

Arguably, it was more effective than some practices today as the potential for harm was weighed against the potential for gain, and a calculated decision made.

They were not listing all the things that can go wrong with fire, holding a meeting to discuss them, and comparing each harm to a risk appetite.

Instead, they decided that if they were careful the benefits outweighed the risks.

How can we move risk management practices forward, away from enterprise list management to enterprise success management?

I welcome your thoughts.

The State of SOX Compliance

September 11, 2020 5 comments

For 5 years, the software company Workiva has partnered with a LinkedIn group, the SOX and Internal Controls Professionals Group, to survey companies about their SOX compliance program.

Their 2020 State of the SOX/Internal Controls Market Report has some interesting content. 428 professionals responded, making it quite credible.

One of the early observations in the report is about the number of key controls and how many are labeled as ‘entity-level’.

Unfortunately, while they say “there is a correlation between the number of controls and the size of the company’s revenue”, their graphic makes it hard to see the average number of key controls for different size organizations.

One of the points I make in my SOX Masters training[1] is that as revenue grows, so should materiality. As a result, the number of ways in which an error could occur that would cause a material misstatement of the consolidated financials shrinks. The correlation between the number of key controls and revenue should not be anything like a straight line.

While 48% of the respondents have 250 or fewer key controls, 15% have more than 1,000.

No wonder that one of the observations in the survey is that people are looking to drive efficiencies into the program.

In my book and class, I talk about the fact that there are multiple levels in any organization. Each may have controls that can be relied upon, whether at corporate, business unit, country, or location. So the term ‘entity’ level can take you in the wrong direction.

There is a section on deficiencies, but it does not help us understand the cause of material weaknesses or significant deficiencies.

59% had no significant deficiencies and 83% no material weaknesses. That indicates, IMHO, too many had issues that had to be reported to the board or, worse, led to an assessment of ICFR as ineffective.

As you might expect, there is a section on the use of technology.

It is interesting that 12% say they have implemented continuous control monitoring for SOX and 56% are considering it.

I hope they realize that there’s a huge difference between monitoring data and activities and monitoring controls. If their software does not provide assurance that the controls are performing consistently as intended and are adequately designed, they have a problem. Just because the data is without error doesn’t mean that any controls were performed.

The role of internal audit is confusing to me. They say 45% are in charge of managing the SOX compliance program but only 33% are in charge of project management.

Setting that inconsistency aside, 77% have internal audit performing the testing.

One highly troubling result is that 31% of internal audit teams are spending more than half their time on SOX. That may be OK if they are still able to perform audits on the more significant sources of risk to enterprise objectives. 44% of companies have very small audit teams (less than 5) and 74% have fewer than 10 auditors. So it is not possible to draw any conclusions from the survey’s figures on the number of ‘operational audits’ (presumably all the non-SOX audits, but that is a misuse of the term ‘operational audits’). If they have 5 auditors performing 10 audits, that may be appropriate.

As I said, I am encouraged that the respondents recognize the need for improved efficiency. 60% say they are focused on control optimization and 53% on control rationalization.

Overall, this has a few good points but the survey and its analysis have significant deficiencies.

I welcome your comments – and ask that you consider my upcoming virtual SOX class. I recommend (of course) the IIA’s book on SOX.

[1] The next course will be a virtual one in October. Please see the link for information.

What do you think of heat maps?

September 8, 2020 12 comments

Heat maps are one of the most popular ways of comparing individual sources of risk.

A heat map is suggested as a way of reporting in the COSO ERM Framework.

But I dislike them, as do many practitioners. My reasons include:

  • There is a range of possible effects from a possible event or situation, not a single point, and each point in the range has its own likelihood.
  • It doesn’t help you to determine whether to take a risk, because it is without any context of potential reward.
  • Decisions should be based on the big picture. An objective may be affected by multiple sources of risk and opportunity (things that can happen with positive and/or negative effects). Making decisions one source of risk at a time is clearly sub-optimal.
  • It focuses on risks while I want to focus on achieving objectives, what I call success management.
  • There are better methods, which I have described in this blog and in my books.

Grant Purdy shared an article with me (he dared me to write about it) that takes a more satirical view.

An exciting new lexicon for the professional risk manager has a different way of describing heat maps.

What do you think?

Let’s talk about assumptions and risk

September 4, 2020 13 comments

When we make a decision, we normally make a number of assumptions about what we expect to happen.

My view of risk management, or should I say risk management that adds value and helps an organization succeed rather than just avoid failure, is all about what might happen.

Anticipating what might happen, evaluating and assessing it, then taking appropriate actions through informed and intelligent decisions, leads organizations to success.

It helps them take the right risks, considering both upsides and downsides, to achieve enterprise objectives.

An assumption is made when you state that you think this or that will or will not happen. If you are smart, you define what event or situation that is, how it could affect your objective, and your assessment of its likelihood.

In other words, you are assessing a risk (if adverse) or opportunity (if favorable).

A forecast is also an assumption, or at least based on a set of assumptions about what will happen.

What we should do with assumptions is monitor them.

But, as Estell and Grant say in Deciding, not all assumptions are equal.

There are some that are incidental and some that are critical.

Critical assumptions are those that, should they not bear out, mean that your objective will probably not be achieved.

Other things are often documented as assumptions, but the desired outcome is not dependent on them.

Monitor the critical assumptions and be prepared to respond at the first indication that they will not hold up. If you want, you can refer to this as the monitoring of key risk indicators (KRIs). But KRIs normally refer to things that might happen to hurt you, and you should also be monitoring for things that might help you.

If the assumption is that a new product will be ready for market on June 1st, you need to be prepared to take action not only if readiness is delayed but also if it is early!

Understanding assumptions that have been identified as critical to achieving an objective is essential to effectively managing for success.

Do you agree?

Is this what your organization does?

Good news about data breaches

August 30, 2020 2 comments

Protiviti has shared a useful summary of the latest Verizon Data Breach Investigations Report (DBIR), which is available from Verizon here.

The good news was put well by Protiviti:

One of the surprises in this year’s report is that organizations are discovering 60 percent of data breaches in days or less and containing 80 percent of breaches in the same timeframe.

As Protiviti says:

Verizon highlights that this is due to more breaches being detected by managed security providers, and not necessarily an improvement of internal detection and containment capabilities.

The Verizon report has a wealth of detail but it is awkward to navigate. So I suggest reading the Protiviti summary first.

One of the Verizon points which is of tremendous importance, although it is hidden in the middle of the Results and Analysis section[1], is this:

Last year, we looked at the median impact cost for incidents reported to the FBI IC3. With regard to business email compromises (BEC), we noticed that most companies either lost $1,240 or $44,000 with the latter being slightly more frequent (Figure 32).

Also, last year we stated that when “the IC3 Recovery Asset Team acts upon BECs, and works with the destination bank, half of all U.S.-based business email compromise victims had 99% of the money recovered or frozen; and only 9% had nothing recovered.” They continued to record that metric and this year it improved slightly, indicating that 52% recovered 99% or more of the stolen funds and only 8% recovered nothing.

They have this useful chart. It shows that the range of loss per incident was from below $1,000 to less than $200,000.


One of the commenters on my last post stated that “cybercrime is the biggest risk facing most organizations today”.

That doesn’t seem to be borne out by the facts – neither in this nor in prior years.

However, it remains essential (as I said in the last post) for each organization to perform a careful risk assessment: what is the likelihood of a breach that is so damaging that it threatens the achievement of enterprise objectives?

Other points in the Verizon report include:

  • 45% of the breaches featured hacking
  • 22% were the result of errors
  • 22% involved social engineering
  • 55% were by organized crime
  • 8% were misuse by authorized users
  • 72% were of large businesses
  • 58% involved compromising personal data
  • 86% were financially motivated
  • Less than 20% were cyber-espionage
  • Around 10% were by state actors
  • 85% of victims and hackers were in the same country
  • About half of the incidents were discovered by 3rd party security providers
  • Another ~15% were identified by other 3rd parties

The report reinforces an opinion that I have held for several years.

If cyber is in fact a major risk and you simply cannot afford to have a serious breach, then you should very seriously consider using a 3rd party security service provider rather than hoping that you can handle this yourself.

This is an area where you need experts and experience as well as all the tools – and the flexibility to adapt to the changing threat landscape.

But if it is not such a serious business risk, recognize the hype and invest your scarce resources accordingly.

I welcome your thoughts.

[1] Perhaps because it undermines the value of their consulting business.

Treat Cyber as a Business Risk

August 26, 2020 8 comments

I continue to be frustrated by articles and so-called expert advice on how organizations should address the risk of a cyber breach.

It’s just one of the reasons I wrote Making Business Sense of Technology Risk. The book not only explains how problems related to the use of technology should be considered when making strategic and tactical business decisions, but uncovers fatal flaws in the cyber standards and frameworks.

It’s one thing to say that “cyber is a business risk like any other” (quoting a new article by a partner with Schillings) and another to actually treat it that way.

If you want to treat cyber as another business risk, then it needs to be assessed and evaluated in a way that you can compare it to and aggregate its effect with other sources of business risk.

The author of that article gets several things right:

  • What businesses need is a new type of CISO. A CISO who can get involved in digital transformation, but who also has executive management skills and understands that security is an enabler.
  • Cyber security is about more than just building and maintaining threat resistant systems. It is both a strategic and risk management issue.
  • A CISO today needs to understand business impact and resiliency and have the ability to present clearly and in non-technical language (without acronyms), to the Board. Skill sets need expanding to include risk, enterprise risk management and knowledge of the business.
  • CISOs who can’t think strategically have been given the wrong title.
  • Boards want to see the impact security has had on the business itself — not just how you improved things on an operational level.
  • Boards and senior leadership teams have to make difficult decisions about how much time and money to spend on protecting technology and related services. Risk management is about informing and improving that decision-making process.
  • …governing risks to technology systems is no different to governing other business activities. You just need to use the right people, structures and processes to make sensible risk management decisions to achieve your business goals and objectives.

So far, this is excellent. The author is asking the right questions, especially “Boards and senior leadership teams have to make difficult decisions about how much time and money to spend on protecting technology and related services.”

But then it goes terribly wrong.

I strongly disagree with this statement:

The worst reporting line, in my opinion, would be to the CIO, followed by the COO and perhaps the CFO. Better the CEO, Chief Risk Officer or General Counsel. Encouragingly, in the UK’s FTSE350, the majority now have CISOs reporting directly to the Board.

This shows a total lack of understanding of the role of the CIO.

Consider these descriptions:

The role of the CIO is to help to set and lead the technology strategy for an organisation, in concert with the other C-level executives. As such one of the many roles of the CIO is to provide an executive-level interface between the technology department and the rest of the business. (ZDNet 2019)

Due to the reliance on technology to grow and succeed, the CIO will become a fundamental part of the business, have a seat at Exco / Board table and report directly into the CEO. They will be expected to guide the board in the use of IT (aiding King IV™ compliance) and contribute to business performance at a strategic level, seeing the role becoming less technical and operational. (PwC 2017)

As digital becomes a core competency, the CIO plays a key leadership role in the critical strategic, technical and management initiatives — from information security and algorithms to customer experience and leveraging data — that mitigate threats and drive business growth. (Gartner, 2020)

The CIO’s primary role is to make sure the organization is making the best use of technology to both drive and protect the organization. In order to do that, they need a solid understanding of the business and an excellent working relationship with other business leaders.

Make no mistake. Cyber is a technical issue and the challenge is seeing it within the context of the business – making business sense of it.

The CIO is in the perfect position to understand cyber and its potential to affect the business. He or she can understand the damage it can cause, as well as the likelihood of that damage being severe.

This is because they understand the business, how it operates, and the extent to which it relies on technology.

The CIO can appreciate what can and should be done to minimize the possibility of severe damage and be in a position to respond appropriately when (not if) there is a breach.

The CIO is also in a position to contrast the value of an investment in cyber to an investment in new technologies, or even new marketing initiatives or the opening of a new manufacturing facility.

I talked to a NIST Fellow in the process of writing my book. He said that it is disastrous for the CISO to report to the CIO because the CIO will favor spending money on new functionalities over cyber. He had no answer to my reply that maybe the CIO can see there is more value to the organization in those systems.

So let’s empower rather than disembowel the CIO.

Business and not technical decisions need to be made.

One of the problems, which I illustrate in the book, is that few cyber professionals are able to effectively explain the business impact of a breach. Instead, they provide a list of high risk information assets (following NIST, ISO, and FAIR guidance).

That is not actionable information. It is of very little value, limited to deciding where to invest your cyber budget rather than justifying getting a budget in the first place.

If you want money for your area, you have to explain why it makes good business sense – and better business sense than any other investments.

The Schillings author has ten questions the board should ask the CIO.

He misses the top 3 or 4:

  1. If we have a breach, how would it affect the business and our ability to achieve our objectives for the year?
  2. How likely is it that we would have a breach that has such a serious impact that we would miss one or more enterprise objectives?
  3. Is that an acceptable position?
  4. Is there a business case for investing more in cyber? What would be the effect, in terms of achieving our objectives, of an incremental $1 million, $2 million, etc.? Is this the best use of our resources?

Just to explain the focus on achieving objectives:

  • This is how pretty much every organization defines success and what it works towards
  • The significance of a breach can be measured in terms of monetary loss or data exposed. But while that may be in the millions or even tens of millions for larger organizations, the greater concern is whether it will have a lasting effect on revenue, profits, etc.

Making Business Sense of Technology Risk should, IMHO, be essential reading not only for CISOs and their staff, but also for CIOs, CFOs, IT auditors, CROs, and all who want to treat technology-related risks (including but not limited to cyber) as a business risk.

I welcome your thoughts.

The State of Decision-Making

August 20, 2020 5 comments

A UK software company, Board, has shared a perceptive report on the woeful quality of decision-making in the banking and finance sector, at least in the UK.

The State of Decision-Making is summarized in an article in Global Finance and Banking that says decision-making is making progress.

Some excerpts with my highlights:

  • Organisations need to be able to plan, adapt, and react with speed. The importance of breaking down data silos to gain a complete view of performance, connecting financial and operational planning and enabling the accurate simulation and testing of scenarios has never been greater.
  • Leaders need to think beyond survival and concentrate on how they can thrive in the “next normal”, and have the tools in place to enable better decision-making for a better, more profitable tomorrow.
  • However, across the world, business decisions are still being made across multiple functions of a business, and all too often the process is disconnected, modular or fragmented. Business critical information sits in silos, processes are disjointed and compounded by over-reliance on error prone, outdated tools such as spreadsheets – causing a disconnect between departments, a misalignment of people and resources and a lack of a single version of the truth.
  • No business can afford to waste time and talent on bets that may or may not come off. Effective decision-making requires integrated, real-time reporting, planning, forecasting, scenario-modelling and predictive analytics.
  • Despite many organisations making decisions that are implemented globally, the decision-making process is not joined up across the business, with 33 percent of businesses making decisions in departmental silos – potentially leading to a lack of cohesion between units and wasting of resources.
  • Just over half (54 percent) of respondents said they were making business decisions based on data and insights, while ‘gut feeling’ decisions are still made by up to 45 percent of companies – a concern in an unpredictable market.
  • When it comes to the tools businesses are using to inform their decision-making, 57 percent of companies rely on spreadsheets and 72 percent predominantly refer to internal company reports. Interestingly, the favoured tools differ depending on the level of decision being made. Those responsible for operational decisions are more likely to rely on spreadsheets (69 percent) than those making strategic (60 percent) or tactical (59 percent) decisions.
  • Research shows that up to 90% of spreadsheets could contain a critical error.

This should be a concern for all of us.

Perhaps it is an issue that should be evaluated at your organization, its condition assessed, and actions taken as appropriate?

Are you aware of it as a problem?

Are you doing something about it?

I welcome your thoughts.

From top-down to tools-down internal auditing

August 16, 2020 4 comments

Our friends at Protiviti, led by Brian Christensen, have given us yet another interesting piece.

Exploring the Next Generation of Internal Auditors makes some interesting points. Here are a few with my highlights.

  • It’s time for internal audit leaders to stand up and ride their own wave of transformation and innovation.
  • Innovation in internal audit is driven by a next-gen, trailblazer mindset, along with a willingness to make bold decisions, learn from mistakes and never stop asking, ‘How can we get even better?’
  • Internal audit certainly has not been immune to the effects [of COVID-19] on their organizations, with audit plans shifting dramatically and assurance and compliance activities requiring multiple changes and adjustments to meet objectives and deadlines in this new status quo.
  • The foundation of next-generation internal auditing lies in principles such as agility, real-time risk and controls monitoring, dynamic risk assessment, and the effective leveraging of data and advanced technologies.
  • Risk assessment should be structured to respond to risks as quickly as they change. This requires agile methodologies supported by a more in-depth understanding of risks, as well as the ability to quantitatively measure and monitor those risks. Next-generation internal audit functions have moved beyond annual or quarterly risk updates to obtain a real-time view on changes to risks, their impact to the organization and the impact on the assurance needed from internal audit.
  • Next-generation auditing capabilities, processes and tools — from strategic vision, agile auditing and dynamic risk assessment to artificial intelligence (AI), machine learning and process mining, among others — should be pressing priorities for the internal audit function to build and grow as their organizations continue to transform and stakeholder expectations for these capabilities rise. Our results show that audit committees certainly hold this to be true. At present, too many internal audit teams are not adequately prepared to commit to difficult but necessary transformation.
  • Internal audit departments have achieved the most progress in next-generation governance, indicating improvements in their strategies and resources as well as their efforts to align resources to risks. This is a good start.
  • CAEs and internal audit leaders need to develop both a mindset and skillset oriented toward becoming more technology- and data-enabled. Those that fail to focus on incorporating analytics, RPA and other emerging technologies into their auditing practices will fall behind not only their counterparts in the profession, but also the business stakeholders they advise and support.
  • Of the four next-generation methodology competencies, agile auditing has the lowest self-assessment rating and the highest “need to improve” rank. This needs to change. Next-generation audit functions deploy agile audit approaches to work collaboratively with stakeholders on a series of mini-projects and continuous audits in which feedback is shared early and often to add value to the audit.
  • Capabilities in dynamic risk assessment and high impact reporting also need to improve. A dynamic risk assessment approach enables internal audit groups to be increasingly precise in assessing and adapting to emerging risks. This capability, in turn, helps the organization identify changing risk trends in real time, quantitatively measure and prioritize risk, and drive the most effective use of assurance coverage. High-impact reporting occurs when audit groups optimize their risk assessments, audit execution methodology, use of data and more aesthetically visual components to deliver timely communications that are relevant, risk-informed, concise and insightful.
  • Internal audit groups have taken a step back in implementing enabling technologies. Far too few internal audit functions are undertaking initiatives involving AI, machine learning, process mining and RPA. Moreover, far too many internal audit groups indicate they have no plans to adopt them. Each of these advanced technologies received some of the lowest competency level self-assessments in the entire survey.
  • Thus far, internal audit functions have achieved the most progress with advanced analytics: More than half are currently undertaking advanced analytics projects or planning to do so in the coming year.

There are a good number of excellent points, especially the need to continuously update the audit plan as risks and business conditions (inside and outside the organization) change.

But I have some disagreements:

  1. As Brian Christensen knows, and has told me he agrees, monitoring and assessing risk is a management responsibility. We should be reporting a failure to do so to the board. Internal Audit can, with board approval, facilitate a periodic review, but it is an ongoing need. Internal Audit should be striving to rely on management’s review (once we have concluded that it is reliable).
  2. Maybe instead of ‘risk monitoring’, talking about ‘monitoring the business and its environment’ is healthier.
  3. Protiviti has embraced a top (enterprise) down approach, with which I agree.
  4. Protiviti’s approach to the use of technology, however, is tools down. They are suggesting that Internal Audit should be adopting these new (or not so new, frankly) technologies without first understanding whether they are needed. I have seen too many Internal Audit teams invest in tools and people, purchasing sexy products and dedicating a team to using them, and only then looking for something to audit with them.
  5. They advocate, as I do, a dynamic audit planning and execution approach. They are also embracing the word “agile” without, in my opinion, making it agile. Being agile means you are able to move fast, change direction as needed, and complete engagements at speed. It’s far more than using techniques like SCRUM. Only in a few cases have I been able to deploy technology (and I have a technology background myself) fast enough to be an effective way to perform an audit.
  6. If you have a dynamic and agile audit approach, you do not audit the same area, process, or risk every year – or at least not in the same way. So an investment in continuous auditing is hard to justify.
  7. RPA and most of these other technologies are beautiful ways to monitor transactions and, infrequently, controls over them. They should not be deployed, except in cases like fraud detection, by Internal Audit. They should be deployed as detective controls by management!

I agree that many if not most Internal Audit teams need to change. They need to embrace dynamic audit planning and agile execution. They need to understand the potential of new technology and work with management to implement it in business processes where justified.

My teams made the most of technology. I can go back to the 1970s, when our IT audit group in London (of which I was a manager) used analytics extensively to support the financial statement audits. In 1979, I developed software that provided an audit trail of changes, especially emergency changes, to a client’s application systems. I charted the exponential growth of emergency changes to show operating management the scale of their problem. Over time, we moved from COBOL and other languages to report writers and then to desktop and mobile analytics. As CAE, 25% or more of my team were IT auditors. Each member of my financial audit team had, and frequently used, mobile analytics that they could deploy rapidly.

But the key was that we deployed technology when it made business sense.

We didn’t invest in a sexy toy and look for nails to hammer.

So, I agree with Brian and his team that change is needed for many Internal Audit teams, but I am actually pleased to see that few have been drawn to the false honeypot of RPA, ML, AI, and the rest.

I welcome your thoughts – and will be looking for a response from Brian or his team.

SOC Compliance and Service Providers

August 12, 2020 3 comments

I always read advice and guidance from Protiviti, especially when Jim DeLoach is involved in it. The firm is a prolific source and they often have good advice – but not always.

A couple of weeks ago, they published Preparing for Annual SOX Compliance Amid COVID-19: Outsourced Processes and Use of Third-Party Providers Remain Relevant to ICFR.

First, let me reset your expectations. Their article and this post have next to nothing to do with COVID-19. They are using that as a hook; the only point they make relative to COVID is that the SOC-1 reports might be delayed.

Protiviti has been pushing this article on social media, so I am going to share my thoughts before people start down the wrong path.

They outline and discuss these steps:

  1. Inventory your providers
  2. Obtain SOC reports
  3. Map controls from the SOC report to management’s processes
  4. Evaluate deficiencies identified in the SOC report and assess potential impact to your business
  5. Obtain bridge letters
  6. Determine impacts from the pandemic
  7. Take appropriate actions

Now why is this the wrong path?

It is not top-down and risk-based. It is fundamentally bottom-up.

Here’s a better series of steps:

  1. When you perform your SOX scoping, identify where you are relying on key controls performed by a service provider to provide reasonable assurance on an ICFR risk identified in your scoping. Just because you are using a service provider doesn’t mean you don’t have adequate key controls to rely on that are performed by your company’s staff. You may or may not be relying on key controls performed by the service provider. (Adequate means that you can rely on the controls to prevent or detect a material error or omission in the filed financial statements.)
  2. Identify the specific controls performed by each service provider on which you need assurance and include them in scope as key controls.
  3. Make sure – in advance – that these controls will be included in the scope of the SOC-1 audit of the service provider. Where you can, use prior reports but supplement them with inquiries of the service provider to make sure the controls at the service provider that will be audited match your needs. Be prepared for step 5.
  4. Obtain the SOC-1 reports.
  5. Review the description of the controls they tested and make sure that the design of the controls meets your needs.
  6. Confirm that the SOC-1 report indicates that the controls were operating effectively. Pay attention to the timing of the report and the testing.
  7. Review the list of controls that the SOC-1 auditor has indicated they expect the company to perform. Confirm that either they are among your key controls, are unnecessary, or take action to include additional controls.
  8. Evaluate any deficiencies in the same way you evaluate deficiencies in controls performed in-house.
  9. Discuss with the service provider the actions they are taking to address any deficiencies, and when those will be completed and retested.
  10. Determine what additional actions should be taken given the deficiencies and the remediation planned by the service provider. This may involve identifying and testing additional compensating or mitigating controls.
  11. If necessary, obtain bridge letters or otherwise roll forward the assessment.
  12. Discuss with management the performance of the service provider and determine if any actions should be taken.

All of this should be carefully documented and discussed with the external auditor through the process, especially where issues are identified or anticipated.

I welcome your thoughts.

I will be leading (virtual) training on SOX in October. See here for details.

Internal Audit and Fraud Risk Management

August 10, 2020 10 comments

Described as a “joint research report by the Internal Audit Foundation and Kroll” (Kroll is a major investigation firm), Internal Audit’s Role in Fraud Risk Management has some truly excellent content.

It lays out extremely well the IIA’s position and guidance on this important topic. However, Kroll pretty much ignores that and continues with a report that pushes what I assume is its own opinion.

Here are some key points with my comments, but I strongly recommend a careful read with special attention to the IIA’s position laid out in the first three bullets below:

  • While the role of internal audit teams varies significantly across different industries, jurisdictions, and organizations, the predominant role of internal audit is, according to The Institute of Internal Auditors (IIA), “to provide independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” This includes assessing the design and effectiveness of controls in an organization, including controls involving fraud risk management, and providing assurance to management and the board that controls are designed appropriately and function effectively.
  • The IIA set out the following key points in relation to the role of internal audit in fraud risk management:
    • Organizations should have robust internal control procedures to limit the risk of fraud, and internal audit’s role is to assess these controls;
    • The organization should have a suitable fraud prevention and response plan in place allowing effective limitation and swift response to the identification of fraud and management of the situations. This should include digital data;
    • The chief audit executive should consider how the risk of fraud is managed across the organization and assess the fraud risk exposure periodically;
    • The risk of fraud should be included in the audit plan and each audit assignment to evaluate the adequacy of anti-fraud controls; [Note: The IIA needs to update this Standard. The risk of fraud should be considered in the development of the audit plan. As stated, the Standards imply that controls over fraud should be included in every audit, regardless of the level of risk.]
    • Internal auditors should not investigate fraud unless they have specific expertise and experience to do so.
  • In the UK, the Chartered Institute of Internal Auditors takes the view that “internal audit has a role to play in ensuring that management has effective systems in place to detect and prevent corrupt practices within an organization….But it is not the job of internal audit directly to detect or prevent corrupt practices. This is for executive management. Internal audit’s role includes promoting anti-fraud and anti-bribery best practice, testing and monitoring systems and advising on change where it is needed.”
  • In general, respondents were confident about the effectiveness of their fraud risk management programs, with 54% stating that they felt their organization’s fraud risk management was good, very good, or excellent.
    • Comment: 2.53% said their program was excellent and 16.54% very good. When evaluating on a 5 point scale, even “very good” indicates that there is significant room for improvement. Clearly, almost every respondent needs improvement!
  • 60% of those [where internal audit] had a leadership role [in enterprisewide fraud risk assessments said] they felt their organizations had good or better fraud risk management programs.
    • Comment: This is hardly a positive sign.
  • …the identification and management of other risks can … be enhanced by a stronger mandate for internal audit to drive risk analysis and frame how this feeds into senior management decision-making.
    • Comment: Kroll ignores the IIA guidance and makes this assertion without evidence to support it. However, as I will discuss later, I tend to support a move in this direction in some organizations, with one very significant modification in approach.
  • Of all the teams taking a lead in fraud risk management within organizations, internal audit took the lead most frequently in organizations surveyed, with 41% of respondents stating that the internal audit team was the main leader in fraud risk management. Additionally, 91% of respondents stated that they had at least some involvement in enterprisewide fraud risk assessment.
    • Comment: Kroll did not ask why Internal Audit was taking the lead, only what the barriers were to doing so – a major failing in my opinion. They clearly started with the position that Internal Audit should be the driver, rather than management. They ignored the guidance which very clearly says that the program is a management responsibility.
  • The majority of survey respondents (80%) felt that there were barriers to internal audit involvement in fraud risk management. The most common barriers noted were lack of appropriate resources, lack of mandate and potential conflict of interest, and to a lesser extent the lack of adequate skills to undertake such work.

The lack of mandate is perhaps the area most prevalent in current debate, with approximately a quarter of survey respondents considering this as the largest barrier. It is common in our experience that business leaders do not perceive that it is the primary mandate of internal audit teams to take a leadership role in fraud risk management and operational activity for prevention, detection, and response. The business objectives, structural priorities, and risk appetite of individual organizations will impact whether or not internal audit is the appropriate place for fraud risk management to sit.

  • Comment: Following the IIA Standards and guidance is a barrier, true, and it should be an effective barrier to taking on a management responsibility!

As a retired CAE and CRO, I believe every organization should consider the risk of fraud. That consideration should cover not only the financial impact but, even more so, the potential to affect the achievement of enterprise objectives.

ACFE surveys consistently report every year that, on average, organizations lose about 5% of revenues to fraud of one kind or another. However, that number includes a cost attributed to employees’ use of corporate assets (like doing their taxes on company laptops), theft of time, and so on. So I tend to slice that 5% down in my mind.

Nevertheless, fraud can be a significant source of risk and every organization should complete and then maintain an enterprise-wide fraud risk assessment with appropriate controls and other risk responses in place.

Management’s risk assessment and the related controls and responses should be assessed on a periodic basis by Internal Audit.

The potential for fraud (including cyber breaches) to affect the achievement of enterprise objectives should be a consideration in developing and maintaining the audit plan – in the same way as other sources of business risk.

We should not assume that controls and practices related to fraud must be included in the audit plan or in any audit engagement. That diverts resources and attention from more significant sources of business risk.

Now for the question I said I would come back to.

Should there be, as Kroll says, “a stronger mandate for internal audit to drive risk analysis and frame how this feeds into senior management decision-making?”

  • In many organizations, there is no good alternative to Internal Audit when it comes to leading a fraud risk assessment. Even in those situations (typically large companies) where there is a corporate security, investigations, or similar function, they may not have the experience and skills to lead the initiative.
  • Reporting to management and the board that an assessment is not being done, or is being done poorly, when there is no natural individual or function to do so, is pointing to a problem without offering a practical solution. The CAE should point out both the issue and a solution to that issue.
  • Somebody needs to do it, and the board and top management will generally support a CAE who is willing to take the lead.
  • Internal Audit may lead and facilitate the assessment, with operating management making the assessment itself under IA guidance. They should make every effort not to be the assessor themselves. As CAE, this is the position I took. If there was nobody else to put the assessment together, I developed a draft after discussions with operating management and used that to elicit and facilitate senior management’s assessment.
  • Internal Audit should not “frame how this feeds into senior management decision-making.” No. Nyet. Nein. Non. Not on your life.

Kroll finishes their Conclusions section (except for their detailed recommendations, with which I disagree) with:

This may be a good opportunity for the internal audit profession to reassess and reconsider where it fits into the broader umbrella of fraud risk management to ensure that internal auditors support their organizations on the road to recovery in the most efficient and effective way.

It is always a good time to step back and reassess prior practice and guidance. But I don’t see it the same way as Kroll.

  1. The IIA should update the Standards to focus time and attention on enterprise risks and the achievement of enterprise objectives. The Standard that requires a second risk assessment for every audit is redundant and should be eliminated.
  2. The IIA should make sure that fraud risk is considered and given attention in the audit plan and engagements commensurate with the level of risk to the enterprise and its objectives.
  3. The IIA should engage with regulators to ensure that they do not mandate an excessive level of attention to a relatively low source of risk.
  4. Every organization should consider the level of fraud risk to its objectives and integrate that into their enterprise-wide management of risk (and success).
  5. CAEs should be willing, with board approval, to facilitate management’s fraud risk assessment.
  6. Nobody should be willing to accept an average grade.

What do you think?

Opportunities to upgrade your skills

August 7, 2020 1 comment

This pandemic has shut down, as you might expect, all the in-person conferences and seminars that I had expected to participate in this year.

However, I will be leading some small group online training starting in October. If you are interested, please follow the links below to obtain more information.

Each event will be what we call 3X3: three hours each day for three days.

Sarbanes-Oxley s404 Master Class October 20, 21, 22

GRC – A Corporate Discipline November 3, 4, 5

Risk Management that Helps the Organization Succeed November 17, 18, 19

Auditing that Matters: Building a World-Class Internal Audit Function

Board members should discuss this excellent paper on Boards and the Taking of Risk for Success

August 3, 2020 2 comments

The ACCA published an excellent product a couple of years ago. Risk and the Strategic Role of Leadership might have been written by three UK academics, but reflects the practical thinking of board members as well as risk practitioners.

Here are some notable excerpts, with some highlighted by me:

  • Boards have always been involved in the management of risk. Without appropriate risk taking, organisations cannot exploit the full range of strategic opportunities that are available to them, nor can they hope to protect themselves from less positive outcomes.
  • Effective risk assessment, reporting and control help to enhance a board’s governance and internal control activities, reducing the probability that an organisation may deviate from its stated objectives and so fail to meet the needs of its stakeholders.
  • Risk may bring with it the potential for losses, but it also offers the potential for opportunity.
  • Boards are still finding it hard to understand and address softer factors, such as culture and risk appetite. Often, this is because of a lack of clear information and difficulties in connecting them to organisational performance.
  • Regulation and compliance remain key drivers for board-level involvement in risk management. Nonetheless, some organisations are increasingly aware of the strategic benefits of risk management in helping them to exploit opportunities and so exceed their stated objectives.
  • Factors such as lengthy risk reports and insufficient time devoted to risk management at board meetings create significant challenges for board-level risk-management activities.
  • Today’s board has a key role to play here, helping its organisation identify and exploit opportunities, which is as much a part of maximising the long term sustainable performance of the organisation as well as overseeing the mitigation of threats.
  • Risk comes with the opportunity for returns, and even seemingly adverse events such as regulatory change or political uncertainty can create opportunities that may be exploited.
  • …highly strategic risks, such as the development of a new product or market, or an acquisition or merger, very clearly combine a range of positive and negative outcomes.
  • exploiting opportunities is as much part of risk management as controlling downside outcomes.
  • Viewing risk as ‘bad’ means that the potential for better-than-expected outcomes may be overlooked. It may also foster high levels of risk aversion in boards, a problem that was identified by a number of the participants in both large and SME organisations. The consequence of this approach is that innovations may be missed.
  • “In some areas there should be a willingness to proactively take risk and indeed that to take no risk is potentially the biggest risk of all because there’s a possibility that people innovate around you, you’re left standing, and as time goes by you become the dinosaur in comparison to the rest of the sector” (non-executive director).
  • In a small number of organisations strategy setting and risk were integrated to a much greater extent. The directors of these organisations indicated that their boards considered the risks associated with choosing or not choosing specific strategic options at the strategy setting phase, as well as the organisation’s risk-management competencies and capabilities.
  • …an extremely prescriptive [ndm: the paper talks about two approaches, prescriptive and principled] risk-management approach may cause board-level risk-management activities to become static and reactive, with board members getting lost in operational detail (a potential problem made worse by lengthy risk registers) and taking an overly negative view of risk.
  • …an extremely principled approach may make inconsistent decisions and may pursue upside opportunities at any cost, exposing an organisation to excessive amounts of risk.
  • “So the classic thing, zero harm – we’ve got no appetite for something – it’s a complete misunderstanding of what risk appetite is. There is a wealth of metrics and information out there that you can tap into to articulate statements in a way which will actually add practical guidance to a business, and you’d be able to measure whether you’re operating within those parameters. But a lot of companies are just nowhere… they’re still doing the sort of high, medium and low, hungry-averse-type scales, which are just worthless” (Focus group).
  • …adopting a ‘compliance mind-set’ … may foster excessive risk aversion: ‘it’s the mind-set of actually, rather than helping us take risks better it’s about not taking risks at all’ (executive director).
  • Non-executives need to be assured that executives have ensured there is an appropriate risk-management framework that is operating effectively.
  • What was stressed by a number of participants was the need for discussion of risk at a strategic level – not at a level of governance and oversight that dwells on risk registers and frameworks – in order to be able to take advantage of opportunities.
  • The ability to move away from vast static risk registers that are essentially backward looking, towards a dynamic view of the real-world impact of risks on the activities of the organisation, was something that many have aspired to, but few have actually achieved, in their board’s approach to risk registers. All too often, and much to the disappointment of some participants, the use of risk registers was seen as a ‘tick-box’ exercise characterised as compliance, as opposed to one of many sources of information pertinent to strategic decision making.
  • The risk and/or audit committee was seen to act as a filter for the board, with a more succinct discussion taking place at board level.

The paper has a number of highly constructive suggestions. I recommend reading them all, but here are the ones I especially liked:

  • Place risk in a positive context. Consider the potential for outcomes to be better, as well as worse, than expected, making it clear when you are talking about opportunities and risks. If necessary, avoid using words such as risk if they have a negative meaning in your organisation; eg consider alternatives such as ‘volatility’ and ‘uncertainty’.
  • Integrate your strategy and risk decisions. When setting your strategy and business objectives, consider the potential for better or worse-than-expected outcomes from the outset.
  • Boards should adopt the 75:25 rule. Spend 75% of board meetings looking outwards and forwards. This will help the board to identify external and future threats and opportunities. Spend the remaining 25% of board meetings looking inwards and backwards. This will help the board to understand the organisation’s capabilities and competencies in areas such as finance and risk management.
  • All papers going to the board should have a dedicated risk section within the executive summary, highlighting their risk implications for the strategic objectives of the business. This provides visible anchor points for discussion of the strategic risk-reward equation.
  • Policymakers should revisit their risk mind-set: risk is not bad in itself and opportunities are never certain. Rather than considering risk management as a device for increasing certainty, it should be considered as a means for achieving ever more positive outcomes. Risk management should help an organisation to create value, as well as to protect it.
  • Always encourage boards to make links between strategy and risk. Potential risk exposures, along with the ability of an organisation to manage these exposures, should be considered as part of strategy setting. Risk management should not be a bolt-on activity after the strategy has been determined.

I recommend that the full board, not just the risk and/or audit committee, should receive a copy of this paper and hold a discussion with management on its key points, recommendations, and self-assessment questions.

I welcome your thoughts.

A definitive risk and compliance benchmark report

July 31, 2020 3 comments

Navex bills itself, in all modesty (!), as “the worldwide leader in integrated risk and compliance management software and services that help organizations manage risk, address regulatory compliance requirements and foster an ethical workplace culture”. I am sure that every other software vendor and consultancy firm agrees that Navex is #1!

They have just released their Definitive Risk and Compliance Benchmark Report, a publication with a modest name to match their modest branding.

Does it live up to that billing?

One of the things that always bothers me about surveys and the resulting reports is that they ask the providers of information about its value rather than the consumers. They ask the risk, audit, compliance, and other practitioners rather than the business leaders.

Value is only assessed through the eyes of the buyer. The seller can say whatever they like, but it’s all about what the buyer is willing to pay.

Let’s face it: most buyers of risk, audit, and compliance services shell out the money reluctantly.

But, back to their report. Here are some excerpts and I will follow them with comments:

  • Ninety-two percent (92%) of respondents said their organization behaved ethically all or most of the time. Over a third (36%) described their organizations as ethical all the time. This positive view is not shared by the public. In a recent Gallup poll, business executives were considered high or very high in honesty and ethics by only 20% of respondents. In a Deloitte global survey of professional millennials, business fared a bit better, with 49% saying that business leaders operate ethically.
  • Corporate responsibility is not a corporate priority. In the Deloitte global survey of professional millennials, a majority were critical of businesses for focusing primarily on maximizing profits instead of giving a higher priority to pursuing “socially useful” objectives. Although millennials are not alone in their growing concern for more corporate social responsibility, it ranked last amongst R&C concerns.
  • Compliance professionals prioritize workplace culture, but don’t act.
  • Overall, fewer than a third (32%) of R&C programs prioritize preventing and detecting harassment and discrimination, while just one in ten (10%) of respondents said detecting and preventing retaliation was a high priority.
  • Programs in highly regulated industries are more likely to deprioritize activities aimed at reducing harassment and discrimination.
  • Over two-thirds (68%) of respondents identified data privacy and cybersecurity as a top R&C concern, consistent across all maturities. Respondents also listed enhancing data privacy, cybersecurity, and the protection of personal identifiable information (PII) as top priorities. Nearly two-thirds (64%) listed this issue as one of their top two priorities; over a third (35%) ranked it as their number one priority. This was consistent across all maturities.
  • Nearly a third (31%) of respondents experienced a data privacy or cybersecurity breach in the past three years.
  • Nearly half (47%) of respondents describe financial integrity and fraud as a “top concern,” up 11% from 2019. Bribery & corruption concerns also rose to 39%.
  • For the first time, this year’s benchmark survey explored the topic of risk integration. Identifying six key types of risk – compliance, IT, operational, reputational, third-party, and financial – we asked respondents how their R&C programs did (or didn’t) manage these concerns. Overall, compliance risk remains the central focus of the vast majority (88%) of R&C programs. This is followed by IT and operational risks at 57% and 53% respectively. No form of risk is managed by fewer than 40% of R&C programs.
  • Overall, a plurality (23%) of programs cite their CCO as primarily responsible for integration strategy.
  • The CRO role is still an emerging one. More than half (53%) of programs do not have a CRO. Of those that do, half (47%) have constructed this role as a dedicated FTE.
  • Overall, respondents believe their risk and compliance programs are well-supported by leadership, with nearly two-thirds (64%) saying they have program buy-in, oversight and commitment from senior management.
  • Over half (56%) of respondents say their R&C program periodically reports to a board that also oversees it.
  • Organizational risk assessments are a core evaluative R&C program tool. The practice of regular assessments is now widespread, with two-thirds (66%) of programs conducting periodic assessments of their organization’s risk profile.
  • A little over half (56%) of programs have audits to measure compliance program effectiveness.


  1. This is not a risk and compliance report. It pretty much ignores any form of risk management.
  2. It does have some decent data on compliance programs.
  3. It is unfortunate that the respondents work at organizations that do not recognize the importance of social responsibility, the harm that can arise if it is ignored and the benefits that can accrue when it is given a priority.
  4. It is even more unfortunate that so little is being done about sexual harassment and assault in the workplace.
  5. Action is not being taken to address culture, even when it is recognized as a problem.
  6. These guys have no clue but are happy to profess expertise in “risk integration”.
  7. Even though the regulators call for compliance to be risk-based, these experts don’t seem to understand or adhere to those practices.

I will let you decide whether the authors are working for the leader.

However, as I said, there is some interesting material and data on ethics and compliance programs.

I welcome your comments.

New advice for internal auditors

July 27, 2020 5 comments

There’s a new article that merits our attention. It’s from the software vendor, MetricStream.

Strengthening Internal Audit’s Business Impact makes some good points:

  • From corporate policemen to strategic advisors, internal auditors have come a long way over the past decade. Today, boards and leadership teams are looking to them not just to point out where internal controls are inadequate or ineffective, but to provide insights on how the business can improve its efficiency and operating effectiveness.
  • One of the simplest ways for internal auditors to create value is to ensure that their objectives and plans are always aligned to business objectives.
  • Internal auditors might even want to challenge the business objectives to ensure that they are precise, attainable, and practical.
  • Many audit training programs focus on enhancing the technical skills or domain expertise of the audit team, but it’s just as important that they build the team’s business knowledge as well.
  • Reporting is internal audit’s opportunity to weave together what they’ve seen and observed into one cohesive set of insights that can help the business catalyze efficiency, performance, and growth.
  • When business leaders understand which audit issues are most likely to impact the achievement of their goals, they can then prioritize their responses.
  • Agile auditing focuses on responding more dynamically to changing risks and stakeholder expectations.
  • While traditional audits are often planned based on the capabilities and capacities of the audit function, agile audit plans tend to focus more on what the business needs.
  • Internal auditors today have the opportunity to create real business impact.

These are all good points.

BTW, they are a software vendor, so I suggest ignoring their comments about technology and its use by internal auditors. There is frequently a great deal of value, but it's neither certain nor the same for every organization.

My thoughts:

  • Internal audit has progressed significantly over the last decade. Perhaps half have moved away from annual audit plans to ones that are far more dynamic (in line with agile auditing, although that term is newer than the practice of continuous audit planning). There is still a lot of progress to be made to bring the other half to a more dynamic process and everybody to more of a continuous planning activity than one that is quarterly.
  • The reference to insights is very important. When we developed the Core Principles, we were referring not only to the traditional comments in the audit report, but also to the insights we have as professionals that may or may not be backed by hard evidence, but should be shared with leadership.
  • The idea of “aligning to business objectives” seems passive to me. It sounds like you pick the audits you want to do and then identify which are the objectives to which they might relate. I very much prefer to consider the objectives, what is relied on to achieve them, and then plan audits to provide related assurance, advice, and insight. Add to that ensuring that we only perform audits where there is a strong likelihood that our results will provide valuable information to leaders of the organization.
  • The idea that internal audit challenges the setting of business objectives is, itself, challenging. It’s fair that we say something if we don’t believe the processes for setting the objectives are sound. For example, we should point out situations where functions like Compliance were not consulted, or if the impact of technology advances has not been considered. I think it’s also fair if the objectives of a team or business unit are not properly aligned with those of the enterprise as a whole, or are in conflict with another department, business unit, etc. But I am not sure we should challenge them based only on whether we think they are the right objectives.
  • I agree entirely with the need to make sure auditors understand the business. But let’s not forget other soft skills, such as interpersonal communications, listening and interviewing skills.
  • There’s a lot I could say about reporting. Let me just make two points. 1. It’s not about reporting, it’s about communicating. 2. Tell them what they need to know, not what you want to say.
  • If you cannot explain why something is important and how it affects the achievement of objectives, maybe it isn’t and doesn’t – and management should ignore you.
  • We can and should have a significant impact on the business, but that requires that we audit what matters, when it matters, and communicate the assurance, advice, and insight leaders need for success.

I welcome your thoughts.

The Three Lines of Defense Model is no more

July 20, 2020 9 comments

Today, the IIA released what I would call a replacement for its Three Lines of Defense Model. The old model was released in a Position Paper in 2003, The Three Lines Of Defense in Effective Risk Management and Control.

One of the more significant things to note is the change in name to The Three Lines Model.

Before you read and digest the new model, I suggest you read an excellent introduction by Richard Chambers, New IIA Three Lines Model Offers Timely Evolution of a Trusted Tool.

I disagree with Richard’s piece in one respect, when he says the new model (and it is almost entirely a new piece of work) will change the way many organizations look at risk and controls. I think that is hyperbolic optimism.

Before going further, I should reveal that I am one of the 30 members of the advisory group. But having said that I can also tell you that I was highly critical of each of the previous drafts I received for review and comment. I even made calls to Richard and others pleading for dramatic change, if not destruction of those drafts.

I am thrilled to tell you that I wholeheartedly endorse the new model. It’s not perfect, nothing can be, but it comes close. It has a great deal of value and merits a close read with careful attention to each phrase.

The only change I would have required to the final product would have been to strengthen the discussion of the independence of internal audit by requiring that the compensation, hiring, and termination of the CAE be the responsibility of the governing body, not management.

You can download the new Model from this page.

Some of the improvements:

  • It is no longer only about “defense,” protecting rather than creating value. It’s about achieving objectives and that requires both creation and protection of value.
  • It repeats the consistent message from the IIA, only more clearly, that management is responsible for achieving objectives and the success of the organization, with oversight from the governing body (the board). That includes understanding and addressing what might happen, “risk”.
  • It helps organizations understand the responsibilities of and relationships among the board, management, internal audit, and others.
  • It is based on principles that are sound and useful.
  • It recognizes that what we used to call the second line is really part of management. Now my concern about the old model and trying to fit in functions like Legal, Compliance, Information Security, Quality Management, and so on is addressed by recognizing that there is some fluidity between first and second lines.
  • The Model emphasizes the need for collaboration, the essence of GRC (see my earlier post).
  • It also confirms that risk management contributes “to achieving objectives and creating value, as well as to matters of ‘defense’ and protecting value”.
  • The final version of the diagram is simple. There’s no need any more to argue about whether there are three, four, five, or even six lines.
  • It’s less about “lines” than it is about who does what and how they collaborate for enterprise success. The Model continues to use the word “lines”, but is almost apologetic for doing so.

I will close with just one excerpt that I like, with one sentence in particular highlighted:

Internal audit’s independence from management ensures it is free from hindrance and bias in its planning and in the carrying out of its work, enjoying unfettered access to the people, resources, and information it requires. It is accountable to the governing body. However, independence does not imply isolation. There must be regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization. Through all of its activities, internal audit builds its knowledge and understanding of the organization, which contributes to the assurance and advice it delivers as a trusted advisor and strategic partner. There is a need for collaboration and communication across both the first and second line roles of management and internal audit to ensure there is no unnecessary duplication, overlap, or gaps.

What do you like or dislike about the Model?

Please share and let’s discuss.

What can the audit committee do for you as internal auditor?

July 16, 2020 4 comments

There’s an interesting new post, an article in the IIA’s Internal Auditor, Working in Concert: CAEs weigh in on the types of questions audit committees could ask them to strike the right tone.

Several CAEs were surveyed by the magazine “to find out which key questions they wish their audit committees would have asked them, but never — or rarely — did.”

They identified seven questions:

1. What can the audit committee do for you?

2. Is the audit plan the right one, and can it be delivered?

3. Does internal audit have the necessary resources and skills to provide the required level of assurance?

4. How responsive is management in dealing with the risks that internal audit and other assurance providers flag to them?

5. What is internal audit’s view of external audit and other assurance functions?

6. How can internal audit add value? What is your vision for the future?

7. Would you like to have a coffee off-site?

These should all stimulate some reflection, not only by the audit committee but also by internal audit leaders. Here are my thoughts. Please read the article in full so you can see what I am essentially replying to.

1. What can the audit committee do for you?

My audit committee invariably asked this question so I am disappointed that these CAEs identified this as their #1 missing item.

Why should the audit committee need to “champion internal audit within the organization?” If the team is doing their job, their value is recognized by both executive and operating management. Do you still need your father to champion you in your work? (I know, ouch!)

I agree that members of the audit committee should bring their expertise to the table and help internal audit understand the more significant risks to the enterprise.

I tell the story of Tom O’Malley and one of my first audit committee meetings as CAE at Tosco, an oil refining and marketing company. The genius asked if I had considered the risks due to failure in the blending process. That came out of nowhere and I had no idea what it was about, but I did the right thing. I thanked him and said I would look into it. The blending of various products into gasoline, diesel, and jet fuel was in fact an extraordinarily high risk. If it was done poorly, it could lead to impurities in the product we sold. Some years later, many diesel-fueled vehicles in the Los Angeles area had major problems, even to the point of engine damage, due to defects in the fuel. Now just imagine a 747 coming in to land at a major city when the engines fail due to jet fuel impurities.

Tom O’Malley was not a member of the audit committee; he was the CEO. But the point remains valid.

Years later, Ed Hajim, a member of the Tosco audit committee, asked if I or any of my team was an expert on derivatives. The company had just established derivatives trading for its purchases and sales of crude oil and finished products. Ed was the CEO of a financial trading company and had just been burned by his lack of understanding of derivatives. He made sure that I was given the time and budget to attend training at the New York Institute of Finance.

If the audit committee is not doing what the CAE needs from them, my position is that the CAE needs to bring this up, tactfully, in private meetings.

2. Is the audit plan the right one, and can it be delivered?

Of course, the plan should be questioned, but not in the way suggested by the article. For example, the committee should be asking:

  • How do you determine which areas to address?
  • Are you basing your plan on management’s assessment of risks? If not, why not?
  • How do you keep your plan up-to-date so that you address the risks of today and tomorrow, not those of the past?
  • What should be in the plan but is not, for whatever reason? Which significant risks have you decided not to include?
  • Have you sufficient budget for training and staff development? How are you maintaining and growing your skills yourself?

3. Does internal audit have the necessary resources and skills to provide the required level of assurance?

This is a necessary question, but why should the audit committee ask it? The CAE should have already given them the answer – and the actions they are taking to address the problem.

4. How responsive is management in dealing with the risks that internal audit and other assurance providers flag to them?

If this is a problem, the CAE should have already told the audit committee. Are these CAEs, the ones surveyed, too passive?

5. What is internal audit’s view of external audit and other assurance functions?

Similarly, if there is a problem, the CAE should have already shared that with both management and the audit committee.

The question they should be asking, in private sessions, is “what is your view of the senior management team?” That should be followed by questions about the culture of the organization and the tone at the top. These are far more difficult for the CAE to raise without initiative by the committee members.

6. How can internal audit add value? What is your vision for the future?

Sorry, but again these reflect on the passivity of the CAE. If the members don’t see the value themselves, there’s a problem. If they ask management (and they invariably do) and don’t get a thumbs up from them, there’s a problem.

The CAE should be asking whether they are providing the audit committee and executive management team with the value they need: assurance, advice, and insight on what matters when it matters.

7. Would you like to have a coffee off-site?

I was the one taking the initiative and asking for private, sometimes offsite, meetings.

The CAE needs to be and act like a leader, an executive with initiative. As the article says, “CAEs also can take better charge of the situation.”

Father may know best, but we should act like adults ourselves and be less passive.

I welcome your thoughts.

Internal Audit Independence and Objectivity

July 12, 2020 9 comments

Internal auditors are afraid of crossing the line and impairing their independence and objectivity.

That’s fair enough, as long as judgement is used as to what those terms really mean and where the line lies.

My friend Mike Jacka has written eloquently about this and I agree with everything he has to say in NOT a Declaration of Independence.

Some of the examples he shares are right on point. I have seen similar situations where internal auditors acted in a way that I call downright silly!

  • I remember one CAE saying he had to use his own analytics software, not the company’s, to preserve his independence.
  • Another refused to accept a Vice President title because it made him sound like he was part of the management team.
  • Several over the years have told me that their job is to find problems and make recommendations for management response. Independence prevents them from sitting down with management, figuring out and then reporting agreed action items instead of recommendations.
  • Some have even told me that independence prevents them from relying on management’s risk assessment – to any degree.

Objectivity, the leaders of the profession will tell you, is the more important of the two words. But independence is still necessary – as long as we are clear what it means. It doesn’t mean that we can’t report administratively to a top executive, have a vice president title, or accept bonuses based on corporate performance.

The IIA tackled Independence when the Core Principles for the Professional Practice of Internal Auditing were written. (Yes, I know there are related Standards and Implementation Guides.)

I will pat myself on the back for coming up with the phrase used in the Principles: “free from undue influence.” The words “from management” didn’t make it into the final language, but they are certainly implied.

The Principles use the single word Objective, without expansion, but it’s not always as simple as a single word suggests.

Some examples to think about:

  • Your boss, the CAE, has told you to find more deficiencies to report. Is he or she being objective? Are you objective if you obey and report something that really isn’t important so that the audit report looks more substantial (I would call that ‘padding’ the report)?
  • The manager of the department responsible for the controls you are testing has questioned your business understanding. You are angry. Will you be objective?
  • The CAE has told you that he has concerns over the integrity of the department head whose area you are auditing. Will you be objective?
  • The process you are auditing has had multiple serious deficiencies in prior years. Will this affect your objectivity?
  • The department head is somebody that you like personally and admire. Will that affect your objectivity? Will you have an unconscious bias?
  • The employees responsible for the controls are difficult to work with. Will that affect you?
  • The department you are auditing has a reputation for excellence and there were no deficiencies, only best practices in the last audit three years ago. You performed that audit. Will you be totally free of bias and unarguably objective?
  • You audited the area last year and they haven’t agreed to implement any of your recommendations. Will that affect you?
  • Your spouse is nagging you to cut your offshore audit engagement short so you can help look after an ailing child. Will that affect your objectivity?

OK, let’s have a look at the Standards:

Standard 1100 – Independence and Objectivity

The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.

Revised Standards, effective 1 January 2017

Frankly, I prefer the phrase in the Principles for independence: free from undue influence. I think the language of the Standards confuses independence and objectivity, but that’s just hypercritical me.

Some suggest that our independence and objectivity are threatened if the CAE takes on additional responsibilities, participates in executive management discussions, and so on.

I say to that: phooey!

Doing what is right for the organization comes first. Anything questionable should be discussed with and agreed with the audit committee of the board.

But any assurance, advice, and insight we share should be free from bias (conscious or not, positive or not) and as objective as possible.

We are professionals.

Professionals are willing to share their professional opinions and ideas. They come from a place of, yes, independence and objectivity, and when we share them my experience is that they – and we – are treated appropriately.

I welcome your professional opinions.

Dysfunctional GRC

July 8, 2020 27 comments

The Open Compliance Ethics Group (OCEG) has published the results of its 2020 GRC Maturity Survey, written by my good friend Michael Rasmussen. In full disclosure, Michael and I are two of the original three OCEG Fellows. This is an unpaid honor, apparently (in my case) for my thought leadership around GRC.

In fact, I have been writing about GRC for over a decade! For example, in 2009, I wrote Is there value in talking about GRC?

I believe the OCEG definition of GRC is the only one that makes any sense. Theirs is the only explanation of the value and meaning of combining the separate practices of governance, risk management, and compliance. In fact, for most so-called GRC discussions and solutions, the G is silent! Governance is not addressed (and it extends far beyond internal audit and ‘risk governance’ to include all board activities, strategic planning, performance management, legal, and more.)

In the latest OCEG report, Michael quotes the official and current OCEG definition of GRC:

“GRC is a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and act with integrity [compliance].”

He has also modified it slightly to emphasize the need to integrate multiple functions and avoid siloed operations.

“GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity”.

It’s concise. It’s impactful.

Note that this is more than a defensive posture of managing risk and ensuring compliance. It’s about moving forward to reliably achieve objectives.

But there is a great deal behind this single sentence. In that 2009 blog post, I had a more expansive OCEG definition:

“A system of people, processes and technology that enables an organization to:

    • understand and prioritize stakeholder expectations;
    • set business objectives that are congruent with values and risks;
    • achieve objectives while optimizing risk profile and protecting value;
    • operate within legal, contractual, internal, social and ethical boundaries;
    • provide relevant, reliable and timely information to appropriate stakeholders; and
    • enable the measurement of the performance and effectiveness of the system.”

This is more meaningful than the simple version. In fact, I suggest you can’t understand the full meaning of the OCEG definition without it.

I explained this musically in a 2011 post, A metaphor that explains GRC.

Simply stated, everything within the extended organization has to be working together to achieve a common purpose: the achievement of enterprise objectives.

If that is not the case, GRC is not fully functional. It is at least sub-optimal. To at least some degree it is dysfunctional.

Examples of dysfunction I have seen over my career include:

  • Executives putting personal objectives and their related compensation ahead of what is best for the enterprise as a whole
  • People running the business not even knowing what the enterprise is trying to achieve and how enterprise success depends on their actions – or is affected negatively by anything they do or fail to do
  • Individual and team objectives and metrics for compensation that were divorced from what was required of them for enterprise success. They were set in isolation and at best had a tenuous link up to one or more enterprise objectives. Nobody started with the enterprise objectives and determined what was needed from whom, with compensation based on that achievement
  • A failure of visibility of operations across the enterprise. For example, one company had no idea which consultants it was paying, whether they were paying at different rates, that they were paying for the same services in different locations, and so on
  • Executives not working as a team. They withheld information from one another, even competed for customer business, and would never consider sharing resources.
  • A failure to see the big picture of what lies ahead, which some people call risk but includes opportunity as well
  • A failure to base forecasts and projections on the combination of where we are, performance reporting, and where we are likely to go, risk and opportunity
  • An inability to bring all affected parties to the table for decision-making
  • and the list could go on

I believe strongly in the need to assess where your organization is.

How dysfunctional is it?

What is holding it back from peak performance?

I wrote a book to help with this in 2014: How good is your GRC? It has 12 questions to guide you through the assessment process.

The OCEG report is well worth reading. It focuses on whether the various functions within the extended enterprise are “integrated” or whether they are in silos. While it is able to report that most organizations are moving to integrate further, only 14% say they have integrated many or all organizational silos of operation.

One huge opportunity is the integration of risk and performance. This helps you see what a car driver likes to see: where you are and what lies ahead, your speed and vehicle performance, and other information that helps you drive with confidence and safety to your destination.

But OCEG reports that this integration is unusual.

Read the report, please.

But before taking actions to upgrade your GRC, identify what is holding you back and where you need improvement. This is a great opportunity for internal audit!

Are all the horses (or mules) pulling your wagon in the same direction, giving their all for your safety and success?


As usual, I welcome your comments.