Auditing Identity and Access Management

July 22, 2021

The IIA has published several useful Global Technology Audit Guides (GTAGs), available to members on their website under Standards and Guidance. They are considered recommended rather than mandatory guidance.

However, their recent GTAG, Auditing Identity and Access Management, second edition, should not be recommended. I recommend setting it aside. In fact, I recommend that the IIA delete it.

The primary problem is that the GTAG does not recognize that “there is no such thing as an IT risk, there is only business risk” (Jay Taylor). There are other major issues, but rather than get into the detail of what was wrong or omitted, I will share some alternative guidance.


  1. Don’t audit access management (or anything else) just because the ‘authorities’ say you should. The IIA mandates a risk-based approach, and that requires judgment. Audit what matters to the success of your organization.
  2. Where’s the risk? It is important to understand how an access management issue could affect the business. The GTAG falls into the NIST trap of talking about information assets when we should be talking about the potential impact on the business. In fact, access management is not only about limiting who can access information systems and data; it also may limit access to inventory, facilities, people, and equipment! Just think about your card reader at the office.
  3. Any audit of access management should be identified through the single, enterprise-wide internal audit planning process, based on which areas represent higher enterprise risk where we can add value. There should not be a separate IT audit risk planning process. Instead, there must be a clear understanding of where access management falls against other sources of business risk – and that will help with the detailed scoping of any audit.
  4. Which access needs to be limited and why? Not all access issues represent a risk of any significance to the business. All audits should focus on what matters to the business. The whole array of controls should be considered in assessing the risk, including business process controls. For example, there may be card readers, guards, and daily inventory counts around valuable raw materials.
  5. Focus on the business controls (or ITGC key controls) that rely on limiting either individual access or a combination of access. For example, a control that says only certain people can approve a journal entry, or an invoice for payment. Then there is the need to limit who can both set up a new vendor and approve payments to them. Can you see where the GTAG mentions a combination of access, apart from in the Glossary? It does not! We need to understand where controls within business processes specify either restricted access (relying on a limited number of people having access) or a division of duties (representing a fraud risk).
  6. Understand how access is controlled, i.e., how it is limited to the individuals authorized in the system. What systems are involved? Are they purchased or maintained in-house? How do they function, including how access limits are set up, enforced, and periodically reviewed?
  7. Are the controls over access adequately designed and operating consistently? This may require understanding and then assessing related IT general controls. It should include testing that the access limits are properly enforced and exceptions investigated.
  8. Are the controls that monitor access rights adequately designed and operating consistently? For example, if a monthly or quarterly report is provided to business managers to review and confirm, what assurance is there that the report is complete and accurate, that it is properly reviewed, and actions taken as needed?
  9. How is access granted? How does the provisioning system work and is it reliable? Consider the need for the access request to be approved, not only by the user’s manager, but also by the owner of the related risk and/or system. For example, the AP manager should approve all access to several functions within the AP system. When a SOX key control is involved, additional approvals may be needed. Is there assurance that access is changed on a timely basis when the individual’s needs change (e.g., through transfer or termination)?
  10. As new systems and processes are introduced or changes made to existing ones, are there adequate controls to ensure access management is appropriately addressed? I have seen situations where a new code was used to distinguish types of credit notes in an SAP system, but the reports used to monitor who had the ability to approve credit notes were not changed.
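The checks in items 5, 8 and 9 can be run as simple analytics over a system extract and an HR feed, and doing so makes the “combination of access” point concrete: a conflict often arises only when two individually reasonable roles are held together. The following is an added example, not code from the post or from the IIA GTAG. All of it is constructed: the role and entitlement names, the users, the termination date and the contents of the review report are assumptions chosen to show each check firing.

```python
"""Access-review analytics over a constructed ERP-style extract.

Added example, not code from the post or from the IIA GTAG. It shows three of
the checks the list above calls for, on data that is entirely made up:
  * toxic combinations that arise only from holding two individually
    reasonable roles together (item 5),
  * whether the access-review report managers sign off on is complete
    against what the system actually grants (item 8),
  * access still active after an HR termination date (item 9).
Role names, entitlement names, users and dates are assumptions.
"""
from datetime import date
from typing import Dict, FrozenSet, List, Set, Tuple

# Hypothetical role -> entitlement mapping, as exported from the system.
ROLES: Dict[str, FrozenSet[str]] = {
    "AP_CLERK": frozenset({"AP:create_vendor", "AP:enter_invoice"}),
    "AP_MANAGER": frozenset({"AP:approve_invoice", "AP:approve_payment"}),
    "GL_ACCOUNTANT": frozenset({"GL:post_journal"}),
    "GL_REVIEWER": frozenset({"GL:approve_journal"}),
}

# Constructed user -> role assignments.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "AP_MANAGER"},   # conflict only via the combination
    "bob": {"AP_CLERK"},
    "carol": {"GL_ACCOUNTANT", "GL_REVIEWER"},
    "dave": {"AP_MANAGER"},                # terminated in HR, still provisioned
    "erin": {"GL_REVIEWER"},
}

# Segregation-of-duties rules: entitlements one person must not hold together.
SOD_RULES: Dict[str, FrozenSet[str]] = {
    "vendor setup vs payment approval": frozenset({"AP:create_vendor", "AP:approve_payment"}),
    "journal posting vs journal approval": frozenset({"GL:post_journal", "GL:approve_journal"}),
}

# Constructed HR feed: users with a termination date, and the review date.
HR_TERMINATIONS: Dict[str, date] = {"dave": date(2021, 6, 1)}
AS_OF: date = date(2021, 7, 22)

# Constructed quarterly review report as signed off by the AP/GL managers.
# It silently omits two users who do hold access.
REVIEW_REPORT_USERS: Set[str] = {"alice", "bob", "carol"}


def effective_entitlements(user_roles: Dict[str, Set[str]],
                           roles: Dict[str, FrozenSet[str]]) -> Dict[str, Set[str]]:
    """Expand each user's roles into the flat set of entitlements they confer."""
    return {user: set().union(*(roles.get(r, frozenset()) for r in rs))
            for user, rs in user_roles.items()}


def find_sod_conflicts(user_roles, roles, rules) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (user, rule, contributing roles) wherever a user holds a rule's
    entitlements in full, regardless of how many roles it took to get there."""
    ents = effective_entitlements(user_roles, roles)
    hits = []
    for user in sorted(ents):
        for rule, combo in rules.items():
            if combo <= ents[user]:
                via = tuple(sorted(r for r in user_roles[user]
                                   if roles.get(r, frozenset()) & combo))
                hits.append((user, rule, via))
    return hits


def find_stale_access(user_roles, terminations, as_of: date,
                      grace_days: int = 0) -> List[Tuple[str, int]]:
    """Return (user, days since termination) for leavers whose roles are still
    assigned more than grace_days after their HR termination date."""
    return sorted((u, (as_of - t).days) for u, t in terminations.items()
                  if user_roles.get(u) and (as_of - t).days > grace_days)


def review_report_gaps(report_users: Set[str], user_roles) -> Set[str]:
    """Users who hold access in the system but never appeared on the review
    report, i.e. the report a manager signed off was not complete."""
    return {u for u, rs in user_roles.items() if rs} - set(report_users)


if __name__ == "__main__":
    for user, rule, via in find_sod_conflicts(USER_ROLES, ROLES, SOD_RULES):
        print(f"SoD conflict: {user} breaks '{rule}' via roles {via}")
    for user, days in find_stale_access(USER_ROLES, HR_TERMINATIONS, AS_OF):
        print(f"Stale access: {user} still provisioned {days} days after termination")
    print("Missing from review report:",
          sorted(review_report_gaps(REVIEW_REPORT_USERS, USER_ROLES)))
```

On this data alice is flagged although neither AP_CLERK nor AP_MANAGER is a problem on its own, dave shows up as still provisioned 51 days after leaving, and the review report is found to be incomplete because two users with live access were never on it. The last point is the one that matters for item 8: a manager’s sign-off is only as good as the population the report was built from, so the audit should reconcile the report back to the system extract rather than trust it.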

I am sure there is more to be said, but the key point is that any audit should be based, in both design and execution, on the level of business risk, and not only on a generic standard or list of information assets.


I welcome your thoughts.

How to build credibility with management

July 19, 2021

There is a story about this: the story of the biggest lie in the world. The practitioner enters the executive’s office and says, “I am here to help you”. That is not the biggest lie. The biggest lie is when the executive says, “I know, and you are welcome”.


It is one thing to explain how risk management or internal audit can and should add value.

It is quite another to get to where the key players in management actively welcome you to their table because they know that:

  • You want to help them succeed (instead of pointing out their failures) and
  • You have proven your ability to do so.

I am going to share a couple of relevant pieces and then add my own comments.

First, let’s read what Carol Williams has said in 5 Ways to Improve ERM’s Reputation with Executives.


She tells us, accurately in my opinion, that most “executives continue to see ERM as a check-the-box compliance exercise solely focused on preventing failure and not helping the company achieve goals and objectives and make informed and timely decisions.”

That is not a reputation you want. It means you are not considered a credible partner. At best, you are credible as a barrier to their entrepreneurship.

Her 5 Ways are:

  1. Start thinking like management – ERM practitioners “need to stop thinking like ‘risk people’ and start thinking like management.” This includes talking the language of the business, not using risk terminology. What are ways that risk can be integrated into executives’ daily conversations and decisions?
  2. Examine potential scenarios – when it comes to big decisions involving uncertainty, work with relevant individuals and departments to develop scenarios, determine which ones are most likely to occur, determine how to ensure success, and develop plans around these likely scenarios. Consider also developing high-level plans for those unlikely scenarios; after all, you do not have a crystal ball into the future to know what will happen.
  3. Consider rebranding – this may be the biggest step you can take and one I’ve addressed in the past. If ERM is there to be an enabler of success and not a roadblock or “Debbie Downer” to initiatives, should its name within the company change? Some companies refer to it as “Enterprise Risk Advisory.” Or, you can take the “risk” out of the name altogether. Our friend Hans suggests that risk management should really be thought of as “Decision Quality Assurance.” Another potential option includes “Decision Management,” or as Norman Marks suggests, “Success Management.” Whatever title and branding you choose, it should be made clear that you are there to provide support, not follow a strict process.
  4. Closely examine reporting structure – where ERM resides in the company hierarchy is also important for improving the perception of ERM. If it’s housed within the internal audit function, executives and managers may feel they’re under the microscope. If it is taken out of management altogether and reports directly to the Board, ERM will be seen as preventing management from taking too much risk, as explained by Norman in this recent piece.
  5. Whatever you do, it’s important to quit doing the things you’ve been doing all along and expect a different result, as Norman points out in his analysis of the NC State report. After all, that is the definition of insanity – you keep doing the same thing and expecting a different result.

These are all great ideas, but there is (as always) more to consider.


In 2012, McKinsey shared a great piece, “The Executive’s Guide to Better Listening”.

While it may on first glance seem to be off-topic, active listening is a great way to gain credibility with executives.

There are just three important points:

  1. Show respect. That doesn’t mean you have to be subservient; it just means that you should show respect to everybody for their experience and insight – even if you disagree. Respect their opinion and make sure you listen to it! If your opinion is different, explore why.
  2. Keep quiet. The author says this, although I have been saying this for decades myself (and I heard it from someone else). “I have developed my own variation on the 80/20 rule as it relates to listening. My guideline is that a conversation partner should be speaking 80 percent of the time, while I speak only 20 percent of the time. Moreover, I seek to make my speaking time count by spending as much of it as possible posing questions rather than trying to have my own say.” I add to that that keeping quiet doesn’t mean that you are just waiting for them to stop speaking so you can talk. It means you are paying careful attention, listening actively.
  3. Challenge assumptions. I would add that you should understand and address your own biases. They adversely affect your ability to listen.


All of this is good advice.

Let me add my own:

  1. Have the right attitude. If you believe in your heart that your mission is to help each executive succeed, then that will influence your demeanor, words, and actions.
  2. Understand what they need to happen, as well as not happen, to be successful. Then focus on that rather than (only) a compliance checklist, a standard, or so-called best practices. Help them manage (including taking more ‘risk’ when appropriate) all the things that might happen so they can achieve their own and the enterprise’s success.
  3. Stop doing stuff that is not necessary. Working on potential issues that would never be a significant risk to enterprise objectives wastes not only your time but theirs as well. In fact, take care not to waste their time to any degree. If they don’t see the value of what you are doing, are you sure you should be doing it?
  4. Make them champions. If they do not believe you are adding value, perhaps because until now work by your function has focused on a list of risks or on finding fault, ask them for an opportunity to prove what you can do. Is there a problem, or a difficult decision, that is troubling them? Perhaps there is a situation where they cannot obtain agreement with another department on how to move forward. Suggest a workshop that you could facilitate with all the parties so everybody can share perspectives and reach a consensus on how to resolve the issue. Or perhaps your team could consult with everybody, analyze the situation, and then lead a discussion on your assessment and insights – without an audit or other report to senior management.
  5. Celebrate management success rather than the length of your report. When management has everything under control, that is good news. A clean internal audit report is excellent.
  6. Work with management to upgrade. If issues are identified, listen actively to management; agree with them on the level of risk to objectives (and be specific as to which objectives); and discuss the best course of action. Take a business perspective and don’t recommend what you wouldn’t do in their shoes.
  7. Be humble and listen actively. I repeat this because it is so important. People love to vent; let them; encourage them; and don’t betray that trust by sharing their words with others. If you listen and help them believe you care about their success, their attitude towards you will change. Similarly, listen actively and discuss rather than preach when the results of your work disclose an apparent issue.


One of the things that bothers me is the desire of many practitioners to have a ‘seat at the table’, by which they mean an official and formal position within the organization (such as reporting to the board or to the CEO) that puts them on an (apparent but not real) equal level to top executives.

Trust me.

Your title does not mean you are invited and welcomed to meetings of the management team.

It does not mean that they listen to you.

It does not make you credible.


Your actions make you credible. They make you trusted and respected – not for your title, but for your insights and contributions to their personal and the organization’s success.


I welcome your insights and comments.

The positive side of risk

July 15, 2021

While both ISO 31000 and COSO ERM recognize that risk can have a positive effect on the achievement of objectives, I don’t see that aspect being covered well, if at all.

I discussed the positive side of risk in 2019 (which you may want to re-read), but let’s examine some more examples. Each of these is based on a real-life situation.

  • The company is part-way through a project to build an additional processing unit in its New Jersey refinery. The commercial team inform management that the prices for the mix of products from the new plant have changed significantly since the project started. If the design is modified to create more of what are now high-value products, the additional revenue should be significant. Of course, there are cost implications, and the schedule for completion of the new unit might be adversely affected.

Management needs to understand the range of additional revenue and the likelihood of each point on that range – just as they need to understand the cost implications and the possible effect of a schedule delay.

The techniques used by risk practitioners to understand, assess, and evaluate the potential for harm work well when applied to the potential for reward.

In addition, it should be possible to use techniques like Monte Carlo simulation and business judgment to weigh the potential benefits of the design change against the potential harms.

  • The CIO is asked by the Senior Vice President of Marketing to change the scope of a systems development project. The project is about 30% completed, so any change can have adverse effects. But the SVP points out that the change he is requesting will support a surge in demand for on-line shopping by customers around the world.

As in the previous example, the risk practitioner can use their tools and techniques to assess all the pros and cons of the change, enabling an informed and intelligent business decision.

  • A member of the board alerts the CEO that there are rumors about the financial health of a major competitor. If the other company falters, there would be an opportunity to seize a larger share of the market. However, there is no certainty.

The risk practitioner can work with the management team to assess the situation. How likely is it that the other company will fail completely vs. have to cut back? If they fail, how likely is it that they would do so in three months, six months, a year? Given that, what is the range of potential benefits and what is the likelihood of each point? The practitioner can also help management determine what it will take to seize the market, what it will cost (in dollars spent as well as what is given up to free resources to prepare to seize the day), and how to evaluate what is best for the business considering all of the above.

  • The vice president in IT is told that a third-party expert in a system they just purchased has just become available. If they hire that person, it would not only speed implementation but reduce the risk of getting it wrong. However, the budget would be blown.

The risk practitioner can help evaluate the options and enable an informed and intelligent business decision.

  • A data privacy bill is working its way through Congress. There is no certainty it will pass, although it seems more likely than not, and the final form of the legislation is unclear. If it passes, it will affect a profitable revenue stream of a subsidiary. Action will be needed to avoid losing that revenue. However, the company believes it is in a better position to make necessary changes than its competitors and, if it moves aggressively, it might be able to capture a larger market share.

This is one of those situations where an event or situation does not have only a negative or only a positive effect on objectives.

The risk practitioner can help management consider all the uncertainties, both now and as the situation unfolds, and make informed and intelligent decisions.


What should be clear to everybody is that pretty much every situation has several things that might happen, some of which are positive while others are negative.

Evaluating the downside and hoping somebody else has equivalent tools and techniques to evaluate the upside (the ‘it’s not my job’ disease), in a way that enables informed and intelligent decisions, doesn’t make business sense to me.

I welcome your thoughts.

US Government Guidance on Cyber Risk – and Why Risk Management

July 12, 2021

Before addressing new draft guidance from the Federal Government, 2nd Draft NISTIR 8286A Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management (ERM), it is essential to go back to fundamentals.

Why, we should ask, do we need risk management?

The answer is not: “Because we are required by the regulators and others to have it. It’s a compliance activity”.

While that may be true, if compliance is the only purpose and there is no other value, we should comply using the least possible effort and resources.

The answer should also not be: “We need to create a list of the things that could go wrong and harm us, so we can avoid or at least mitigate that harm”.

While there is some value in a list, focusing on avoiding all harm is the path to failure. To succeed, you need to take the risk of harm – but do so judiciously where it is warranted on business grounds.

Risk practitioners should avoid being labeled, because of their blinkered approach to managing or mitigating risk, as people who get in the way of running the business.

The correct answer is, of course, that only by understanding what is happening and what might happen in the future can we set and then achieve enterprise objectives – and we do that through informed and intelligent tactical and strategic decisions that are made every day.


Business decisions can be complex and require the consideration of multiple factors.

For example, decisions are often needed in response to questions like these:

  • How much should we invest in cybersecurity, given our limited resources and the need to fund new systems, product development, and marketing initiatives?
  • Should we implement this new internet-enabled product on time, early (to gain market advantage), or delay it (to obtain greater assurance that it won’t be hacked)?

As you know, I cover this and much more first in Making Business Sense of Technology Risk (focused on the topic at hand today) and then in Risk Management for Success.


There are some good points in the draft NIST report (they haven’t called it a Standard yet).

But they are focused on developing a cyber risk register that can be added to an enterprise risk register, as if that is all that is required for effective risk management.

A risk register, or a risk profile, or a list of risks in another guise will not help management make the business decisions necessary for success.


Let’s review some of the good content, with comments where appropriate.

  • For federal agencies, the Office of Management and Budget (OMB) Circular A-11 defines risk as “the effect of uncertainty on objectives.” An organization’s mission and business objectives can be impacted by such effects and must be managed at various levels within the organization.

Comment: this is excellent, but the report does not ask those assessing risks (and they focus on harms rather than all the things that might happen) to do so in terms of the potential effect on objectives. It should be noted that in order to do that, it is necessary to specify which enterprise objectives might be affected and by how much. In my books, I recommend considering how they might affect the likelihood of achieving the objectives rather than a simplistic dollar figure.

  • ERM strategy and CSRM strategy are not divergent; CSRM strategy should be a subset of ERM strategy with particular objectives, processes, and reporting.

Comment: this is good, but care should be taken to ensure that any reporting is designed to address the need to enable informed and intelligent decisions. In other words, provide the specific information decision-makers need, when they need it – and that is rarely a list of risks.

  • CSRM, as an important component of ERM, helps assure that cybersecurity risks do not hinder established enterprise mission objectives. CSRM also helps ensure that exposure from cybersecurity risk remains within the limits assigned by enterprise leadership.

Comment: CSRM, or cybersecurity risk management, should be fully integrated with enterprise risk management so that all sources of risk (i.e., both the potential for harm and the potential for reward from things that might happen) are considered together. You need to intelligently aggregate risks from disparate sources, such as compliance and cyber, when making a decision.

  • Risk appetite regarding cybersecurity risks is declared at the Enterprise Level. Risk appetite provides a guidepost to the types and amount of risk, on a broad level, that senior leaders are willing to accept in pursuit of mission objectives and enterprise value. Risk appetite may be qualitative or quantitative. As leaders establish an organizational structure, business processes, and systems to accomplish enterprise mission objectives, the results define the structure and expectations for CSRM at all levels. Based on these expectations, cybersecurity risks are identified, managed, and reported through risk registers and relevant metrics. The register then directly supports the refinement of risk strategy considering mission objectives.

Comment: while I accept the need for limits, such as credit limits, the idea of an enterprise level risk appetite statement strikes me as having little logical or practical merit. I know many will disagree, but have yet to hear a persuasive argument in their support.

  • In a footnote, the report states: OMB Circular A-123 states, “Risk must be analyzed in relation to achievement of the strategic objectives established in the Agency strategic plan (see OMB Circular No. A-11, Section 230), as well as risk in relation to appropriate operational objectives. Specific objectives must be identified and documented to facilitate identification of risks to strategic, operations, reporting, and compliance.”

Comment: this footnote states a critical point that is missing from the body of the report.

  • Risk identification represents a critical activity for determining the uncertainty that can impact mission objectives. NISTIR 8286A primarily focuses on negative risks (i.e., threats and vulnerabilities that lead to harmful consequences), but positive risks represent a significant opportunity and should be documented and reviewed as well. Consideration and details regarding positive risks will be addressed in subsequent publications.
  • Practitioners will benefit from identifying and overcoming bias factors in enumerating potential threat sources and the events they might cause. Consideration of these factors will also help reconcile reactionary thinking with analytical reasoning. An intentional approach to enumerate threats without bias helps to avoid complacency before an incident and supports a proactive evaluation based on relevant data, trends, and current events.

Comment: I like the fact that the report includes a table with a few types of bias included.

  • Some industry specialists have indicated that a range of possible values is more helpful and likely more accurate than a single “point estimate.” Additionally, while this example uses the mean values of those ranges to identify the likelihood and potential impact, the ranges themselves are often recorded in the risk register. In this instance, given a possible impact of “between $1.7 million and $2.4 million,” the exposure may have been presented as “$1.02 million to $1.44 million.”

Comment: the report should add that each of the potential effects has a separate likelihood. I also like the inclusion of a discussion of “three-point estimation” and Monte Carlo simulation.
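The arithmetic in the quoted example is a likelihood of 0.6 multiplied by each end of the impact range. The comment’s point, that each possible impact carries its own likelihood, is exactly what a Monte Carlo simulation over three-point estimates makes visible, and the same technique is what “The positive side of risk” above had in mind for weighing a design change’s potential benefits against its potential harms. The following is an added example, not code from the post or from NISTIR 8286A. It reproduces the report’s point-estimate figures and then simulates the same scenario, with an optional upside scenario alongside it. The three-point values for probability and impact, the upside scenario (called LAUNCH_GAIN here) and the trial count are assumptions; amounts are in $ millions.

```python
"""Monte Carlo over three-point estimates for a cyber risk scenario.

Added example, not code from the post or from NISTIR 8286A. The report's
worked figures (likelihood 0.6, impact $1.7M to $2.4M, exposure $1.02M to
$1.44M) are reproduced as point estimates, then the same scenario is
simulated so that each impact value carries its own likelihood and the
result is a distribution with percentiles rather than one number. The
probability and impact three-point estimates, the upside scenario and the
trial count are assumptions. Amounts are in $ millions.
"""
import random
import statistics
from typing import Dict, List, Sequence, Tuple

ThreePoint = Tuple[float, float, float]      # (low, most likely, high)
Scenario = Tuple[ThreePoint, ThreePoint]      # (probability estimate, impact estimate)

# Constructed scenario: at most one cyber loss event per year.
CYBER_LOSS: Scenario = ((0.4, 0.6, 0.8), (1.7, 2.0, 2.4))
# Constructed upside for the same decision, e.g. revenue a timely launch protects.
LAUNCH_GAIN: Scenario = ((0.5, 0.7, 0.9), (0.8, 1.2, 2.0))


def point_exposure(likelihood: float, impact: float) -> float:
    """The single-number calculation the report illustrates: likelihood x impact."""
    return round(likelihood * impact, 2)


def triangular_mean(est: ThreePoint) -> float:
    """Mean of a triangular distribution with the given low/mode/high."""
    return sum(est) / 3.0


def expected_value(scenario: Scenario) -> float:
    """Analytic expected annual value of one scenario, to sanity-check the simulation."""
    prob, impact = scenario
    return triangular_mean(prob) * triangular_mean(impact)


def simulate_net(trials: int, losses: Sequence[Scenario], gains: Sequence[Scenario],
                 seed: int = 7) -> List[float]:
    """Simulate 'trials' years. Each year, every scenario occurs with a probability
    drawn from its own three-point estimate; if it occurs, its impact is drawn from
    the impact estimate. Returns the net outcome (gains minus losses) per year."""
    rng = random.Random(seed)
    outcomes = []
    for _ in range(trials):
        net = 0.0
        for prob, impact in losses:
            if rng.random() < rng.triangular(prob[0], prob[2], prob[1]):
                net -= rng.triangular(impact[0], impact[2], impact[1])
        for prob, impact in gains:
            if rng.random() < rng.triangular(prob[0], prob[2], prob[1]):
                net += rng.triangular(impact[0], impact[2], impact[1])
        outcomes.append(net)
    return outcomes


def summarize(outcomes: Sequence[float]) -> Dict[str, float]:
    """Mean and percentiles of the simulated outcomes, plus the share of years
    that end net negative."""
    xs = sorted(outcomes)
    n = len(xs)

    def pct(q: float) -> float:
        return xs[min(n - 1, int(q * n))]

    return {
        "mean": statistics.fmean(xs),
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "share_net_negative": sum(1 for x in xs if x < 0) / n,
    }


if __name__ == "__main__":
    print("Report-style point exposure:", point_exposure(0.6, 1.7), "to", point_exposure(0.6, 2.4))
    print("Analytic expected loss:", round(expected_value(CYBER_LOSS), 2))
    print("Loss only:", summarize(simulate_net(20000, [CYBER_LOSS], [])))
    print("Loss and upside together:", summarize(simulate_net(20000, [CYBER_LOSS], [LAUNCH_GAIN])))
```

The loss-only run shows what the single exposure figure hides: the mean comes out near the report’s arithmetic, but the median year is a full loss somewhere between $1.7M and $2.4M while the 90th-percentile year is zero, because the event either happens or it does not. Adding the upside scenario to the same run is the step the post keeps asking for: the decision is then judged on the distribution of net outcomes, not on a list of harms.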


I have not excerpted more from the NIST report because of its focus on developing a list of risks rather than enabling informed and intelligent strategic and tactical decisions.

I also disagree with the static idea of developing objectives and then setting a risk appetite. I do not believe that will be effective for many of the decisions that have to be made every day in running the business, where multiple sources of risk and reward need to be considered.


I welcome your thoughts.

PS: I have sent comments to NIST. I would send them a copy of Making Business Sense of Technology Risk, but they are not allowed to accept gifts.

How do you audit risk culture?

July 6, 2021

Some years ago, the Australian affiliate of the IIA started publishing its own guidance for internal auditors. Recently, they shared Auditing Risk Culture: A practical guide. It has been written within the context of Australian financial services organizations, but the authors believe it has more general application.

As you might expect, it has some interesting content – but has a couple of glaring omissions, IMHO.

They start well:

Culture is a characteristic of a group of people – the shared perceptions about what behaviour is ‘correct’, prioritised and likely to be rewarded. Organisations pursue many different strategic priorities and operate in different political, economic and social contexts, so their cultures vary. Individual behaviour is affected by the way in which actions are rewarded or punished. In the workplace, people learn what is acceptable behaviour by observing the behaviour (including speech) of peers and managers. Behaviour that is repeated regularly becomes the norm, or ‘the way we do things around here’. Behaviour of managers and leaders is particularly important in demonstrating the priorities of the organisation.

Risk culture is an aspect of broader organisational culture. Risk culture refers to the behavioural norms that help or hinder effective risk management. Some definitions of risk culture also incorporate the group’s underlying values and assumptions about risk management, and others incorporate policies and systems. In large organisations, subcultures often form in different areas and even in specific teams with different managers. Internal audit teams should not assume that risk culture is consistent throughout an organisation, or even within a large division or function or tier of management of that organisation. Culture normally forms in groups of people that have regular interaction with one another, often with a common manager.

What needs to be said more clearly than this is that people’s actions (behavior) are heavily influenced by culture.

We want assurance that people are likely to act in a way that is desirable. That includes:

  • We want them to avoid unnecessary and unjustified harms.
  • But we also want them to take advantage of opportunities, where the potential upside clearly justifies taking the risk of harm.

The authors ignore two important facts:

  1. We need to manage the business rather than managing the potential for harm. Their view of risk only includes the dark side, not the potential for reward. As has been quoted by me and others many times, both ISO 31000 and COSO ERM see ‘risk’ as including both: what I prefer to refer to as “what might happen”.
  2. Desirable behavior includes other attributes that can create a conflict, or at least tension, with attitudes towards ‘risk-taking’. They include:
    1. The taking of initiative
    2. Challenging past thinking and behavior; thinking out of the box
    3. An entrepreneurial attitude
    4. Satisfying the customer

They also ignore one essential element in the consideration of any audit of culture.

Any experienced and competent audit executive should have a nose for the culture of the organization. I always felt I understood the management team, collectively and individually, and which could be relied upon to act wisely.

I would strongly encourage a discussion among the audit staff that surfaces each member’s experience of how management makes decisions. Are they informed and intelligent decisions that consider all the things that might happen? Or are they so tied up with red tape and so risk averse that the organization is failing to fulfil its potential?

I recognize that management and the board need assurance that people will act as desired. But I am not convinced that the approach in the IIA Australia guide is the way to go.

Instead, I refer you to a post of mine in 2018, “How do you manage culture?” I believe the approach I suggested is both simpler and more valuable.

What do you think?

Resilience and the speed of decision-making

July 1, 2021

The topic of resilience is an increasingly topical one, given the challenge that responding to the pandemic has been. I think it’s fair to say that few organizations had identified COVID-19, or even the possibility of a major pandemic, and they had to find a way to respond quickly.

While management has been fighting the fire, boards have had to consider not only their role in this crisis, but how they can help their organization be prepared for future ones, both known and unknown (with a timely tribute to Donald Rumsfeld).

McKinsey have shared a number of articles very recently on this topic.

In the first, three McKinsey partners shared their views of The role of boards in fostering resilience.

Here are some of their more interesting points, with my highlights:

  • Broadly speaking, resilience refers to a company’s ability to weather a crisis well. That means being prepared to deal with an unforeseen event such as an accident or, more commonly now, a major global health or economic crisis. [Amended later to include foreseen events.]
  • Companies aware of how various types of events would affect their economics are generally better prepared.
  • During this crisis, share price changes of the companies on whose boards I sit have ranged from a 50 percent decline to an increase of 200 percent, and the biggest difference has been the nature of demand. An airline flying out of Hong Kong is now more than a year into demand at 1 percent of historic levels, whereas a manufacturer of PCs has seen the highest demand for its products in years. The resilience challenge at the computer manufacturer has been about ensuring the supply chain works, whereas for the airline it was more about balance-sheet resilience.
  • So it makes sense to differentiate between the actions companies take before a crisis strikes to prepare themselves where the timing is uncertain, and the actions they take once these externalities hit.
  • One important resilience factor we have seen, especially in this pandemic, is how quickly companies shifted their operating model at the top—how they collaborate, how they make decisions and at what pace, and how they support those processes with war rooms or teams providing a synthesized version of external information, structured into scenarios so decisions can be taken confidently. 
  • One of the big insights we had from working with hundreds of corporations during this crisis is that, especially when uncertainty is extremely high, not just focusing on firefighting (although firefighting is important) and not just focusing on the long term but focusing on key decisions along the entire timeline is crucial.
  • If there is one thing to remember from our conversation, it is the importance of preparation across a broad set of potential risks. Second is to lean in to decision making. Taking them sooner is generally better. And because of geopolitical risk, avoid the small and risky investments: initiatives that could create value but are potentially highly risky, where you could get a disproportionate negative impact on the business in return for relatively small gains.

I will let you read the rest of the piece. I just have two significant disagreements with the authors:

  1. They only talk about the effects of disruption in financial terms, and
  2. They haven’t recognized that disruption can bring great opportunities – even when they refer to a computer company that took great advantage of the pandemic. Ensuring supply lines is one thing; to be smart, that company needed to engage marketing initiatives and be prepared to boost manufacturing as well.


A second, by four different partners, is Speed and resilience: Five priorities for the next five months, published in March of this year.

It emphasizes many of the same points, again with my highlights:

  • Speed has been a fundamental characteristic of the COVID-19 pandemic—the virus hit fast, sending much of the world into lockdown just months after it was first detected. Businesses reacted rapidly, reorganizing supply chains, adopting remote-work models, and speeding up decision making with surprising velocity. And as with prior crises, the organizations that acted quickly to counter the COVID-19 downturn dealt with the disruption better than the organizations that reacted more slowly.
  • Speed is also likely to be a central feature of what happens next—with one important difference. Over the past year, adrenaline unlocked speed. In the near future, speed will need to arrive by design. For companies to achieve long-term resilience, it is imperative for them to ensure that the speed they successfully unlocked during the pandemic remains sustainable in the future.
  • In some cases, companies are using this moment to strengthen their speed muscles, while also increasing the emphasis on building personal connections and reducing fatigue. Work can and should look different to create competitive advantage in performance and health.
  • In June 2020, McKinsey asserted, “An organization designed for speed will see powerful outcomes, including greater customer responsiveness, enhanced capabilities, and better performance in terms of cost efficiency, revenues, and return on capital. The speedy company might also find it has a higher sense of purpose and improved organizational health. These outcomes are possible, but not inevitable.” Nine months later, we think that this analysis is as sound as ever. Speed matters, but not at the cost of making mistakes or burning out. By asking the right questions, business leaders can improve the odds of negotiating the next normal successfully, and in so doing, help themselves, their employees, and their communities.


Finally, the partnership shared Ready, set, go: Reinventing the organization for speed in the post-COVID-19 era.

It shares the same message: to be resilient, you need speed in decision-making. (I would add you need those decisions to be informed and made intelligently.) They say, with my emphasis:

  • When the coronavirus pandemic erupted, companies had to change. Many business-as-usual approaches to serving customers, working with suppliers, and collaborating with colleagues—or just getting anything done—would have failed. They had to increase the speed of decision making, while improving productivity, using technology and data in new ways, and accelerating the scope and scale of innovation. And it worked. Organizations in a wide range of sectors and geographies have accomplished difficult tasks and achieved positive results in record time:
    • Redeploying talent. A global telco redeployed 1,000 store employees to inside sales and retrained them in three weeks.
    • Launching new business models. A US-based retailer launched curbside delivery in two days versus the previously-planned 18 months.
    • Improving productivity. An industrial factory ran at 90-percent-plus capacity with 40 percent of the workforce.
    • Developing new products. An engineering company designed and manufactured ventilators within a week.
    • Shifting operations. Coordinating with local officials, a major shipbuilder switched from three shifts to two, with thousands of employees.
  • At the heart of each of these examples is speed—getting things done fast, and well. Organizations have removed boundaries and have broken down silos in ways no one thought was possible. They have streamlined decisions and processes, empowered frontline leaders, and suspended slow-moving hierarchies and bureaucracies. The results, CEOs from a wide range of industries have told us, have often been stunning: “Decision making accelerated when we cut the nonsense. We make decisions in one meeting, limit groups to no more than nine people, and have banned PowerPoint.”
  • Technology and people interacting in new ways is at the heart of the new operating model for business—and of creating an effective postpandemic organization.
  • An organization designed for speed will see powerful outcomes, including greater customer responsiveness, enhanced capabilities, and better performance, in terms of cost efficiency, revenues, and return on capital. The speedy company might also find it has a higher sense of purpose and improved organizational health. These outcomes are possible, but not inevitable. Organizational successes forged during the crisis need to be hardwired into the new operating model; and leaders must ensure their organizations do not revert to old behaviors and processes. That requires making permanent structural changes that can sustain speed in ways that will inspire and engage employees.


I think this makes a lot of sense!

The question for you is whether your organization has rewired itself for speed. If not, what are you going to do about it?

Board Governance of Cyber Risk

June 28, 2021 5 comments

Three respected organizations (PwC, National Association of Corporate Directors, and the World Economic Forum) have collaborated in a post on the Harvard Law School Forum on Corporate Governance.

Their piece, which merits our attention and analysis, is entitled: Principles for Board Governance of Cyber Risk.

It makes a number of excellent points but goes astray on a few as well.

I will use a couple of new metaphors to make some very important points that don’t seem to be well understood.

But first, the good stuff, with my comments:

  • As with any major enterprise issue, it is important for the board of directors and leadership to set the tone at the top and define how their organizations must address cybersecurity.

Comment: the board is there to provide oversight, not to manage the organization. Their job is to obtain assurance that (a) management is setting and walking the right tone, and (b) is also taking the right risks for success (including those relating to cyber) through informed and intelligent decisions. They need to obtain assurance that management is addressing cyber effectively, not to define how they should do so.

  • Cyberthreats are persistent, strategic enterprise risks for all organizations regardless of the industry in which they operate. Effective organizational cybersecurity directly contributes to both value preservation and new opportunities to create value for the enterprise and larger society. Navigating this risk requires a culture of cybersecurity with leadership commitment to, and modelling of, good cybersecurity decision-making.

Comment: Kudos to the authors on this point. I would add that cyber needs to be considered in tactical as well as strategic decision-making.

  • Key considerations include:
    • Hardwire cyber-risk considerations into key operational and strategic decision-making process, including the adoption of cyber risk as a recurring agenda item for full board meetings.
    • View each major new digital transformation initiative through the lens of cyber risk.
    • Determine which board committee should have primary oversight of cyber-risk issues.
    • Analyse cybersecurity issues with respect to their strategic implications and as part of enterprise risk; additionally, analyse business strategy and business model considerations with respect to cybersecurity issues.
    • Ask executives to identify opportunities to use cybersecurity as a market differentiator/ business driver.

Comment: There is a major risk of treating everything cyber in a silo, rather than as only one of the risks and opportunities being taken or addressed by a decision. Instead, the board should satisfy itself that management is taking a more holistic and inclusive view of all the things that might happen, not just cyber, when it makes strategic and tactical decisions. I will return to this later with a metaphor.

  • In order for organizations to make effective business decisions, risk determinations should focus on the financial impact to the organization, including trade-offs between digital transformation and cyber risk. By using scenario planning, leaders in the organization can consider potential gains and losses relative to other business priorities and obligations. Leaders should also measure cyber risk (empirically and economically) against strategic objectives, regulatory and statutory requirements, business outcomes and cost of acceptance, mitigation or transfer.

Comment: the financial impact is only one dimension of how an organization can be affected. It is not always the best measure. I far prefer what is implied in the last sentence: measure the effect on the likelihood and extent of achieving enterprise objectives.

Comment: scenario analysis is an excellent tool, and I commend the authors for suggesting it.

  • Review and approve the organization’s cyber-risk appetite, or tolerance, in the context of the company’s risk profile and strategic goals by ensuring management has:
    • Defined cyber-risk appetite levels in financial terms to inform decision-making and developed key metrics to measure overall cyber-risk management performance
    • Implemented a programme that seeks to identify cyber-risk scenarios that align with the organization’s risk profile and establish a risk appetite
    • Provided the board with detailed rationales for the organization’s determination of materiality of risk, including cyber risk, based on an indication of the risk’s reputational, customer, financial and other relevant impacts as part of its regular risk-management monitoring framework

Comment: while I generally support limits to guide decision-makers, the idea of cyber risk appetite strikes me as absurd. I have criticized the concept of risk appetite at enterprise level before, but to suggest you can have one for cyber by itself leaves me without words. As explained before and I will cover shortly in a metaphor, deciding on acceptable levels of each source of risk without either the context of reward or the context of other sources of risk is likely to result in poor decisions.

Comment: I do agree, however, that management needs to explain why it believes cybersecurity is or is not effective, given what might happen and its potential (range of) effects on the organization’s success.

  • The board needs to consider not just the economic upside of the new market but the economic downside of the cyber risk. Management should provide the board with an empirical and economic assessment of the probable extent of cyber risks versus the probable business advantages using modern risk-assessment techniques that enable such analysis.

Comment: Excellent – as long as the full context is included in the analysis.

  • Effective governance of any enterprise requires clear alignment between cyber-risk management and business objectives across every facet of decision-making, including mergers and acquisitions, business transformation, innovation, digitalization, pricing, product development, market expansion etc… …. Require management to integrate cyber-risk analysis into significant business decisions (e.g. launching a new product or publishing an app).

Comment: Again, excellent.

  • Consider periodic audits, reviews of cybersecurity strength and benchmarking by independent third parties.

Comment: I agree but note that neither here nor in their list of “Executives who can support the board’s understanding of cyber risk” is the internal audit function mentioned – a glaring and terrible omission.


It is now Storytime.


A couple is considering taking the family on a road trip to visit family in Philadelphia. It will take most of the day to get there and they plan to spend at least a couple of days before heading back. They realize that:

  • Their oldest child, Jonathan, might be developing a cold or worse. While he doesn’t have a fever, he is coughing and is unusually subdued. They decide that a mild cold is acceptable and should not prevent their taking the trip.
  • Sometimes, their twin girls fight over access to their favorite toy. This can lead to excessive noise, tears, and a need for calming parental attention. They have been calm for the last few days, but a long trip could be a problem because they would get bored. The couple decide that possibility is not sufficient to deter them from seeing family.
  • The weather forecast indicates a slight possibility of hailstorms. They are willing to take their chances, even though it might scare the children.
  • One of the reasons for visiting this week is that their uncle and aunt plan to be there as well. However, the uncle is recovering from illness and there is a chance that they will have to stay home and not be part of the family event.
  • The wife’s boss has told her there is a possibility, which she puts at 30%, that the wife will have to work during the trip. This could probably be done remotely, but it would clearly affect everybody’s enjoyment. Again, they decide that this is a possibility they could handle.

Considered individually, each of the ‘risks’ is acceptable. If just one of them happened, they would be OK. But if more than one occurred, they would probably regret making the trip.

However, as they are thinking through the situation the wife gets a call from a recruiter. Can she come to Philadelphia for an interview? It’s a position she is keen to get, even though it would require the family moving.

The opportunity outweighs the downsides, and the decision is an easy one to make.


In the same way, considering cyber by itself is unwise. For example, imagine this:

  1. Management is considering moving forward with a new technology. Let’s say that there is a 15% possibility that a breach would occur as a result of a new vulnerability that would have unacceptable consequences (however you determine that – again, my preference is to measure the effect on the likelihood and extent of achieving objectives). Management and the board may decide that is acceptable.
  2. There is also a 15% possibility that the new technology would be seen as anti-competitive by the regulators in the EU, to the extent that significant harm would be incurred. Management and the board are aware of this, have consulted with independent experts, and are willing to take the chance.
  3. While one of these sources of risk may be acceptable on its own, the possibility of one or the other occurring is more than the 15% for either one alone. This could change the decision.
  4. While the overall situation may now be considered unacceptable, management has to decide what to do about it. They need to consider whether to invest resources and time into cyber or compliance. The latter may be easier, cheaper, and faster to achieve.


It is still Storytime.


Jane, the CEO, needs to replace the CFO, who is retiring. She has relied extensively on his experience and technical knowledge when it comes to leading the Finance team, including handling not only the accounting and financial management functions, but also advising her on acquisitions and other key decisions.

She needs to find an individual with whom she is comfortable, trusting him or her to run a major part of the business and help the entire management team be successful.

She doesn’t want to have to monitor and challenge his decisions.


The CEO is with the business every day.

The board members are not.

Rather than seeing their responsibility as one of “defining how their organizations must address cybersecurity”, they need to make sure management is capable of running the business.

Members of the board do not have time to get in the weeds. But they do have the time to ask intelligent questions and require that management explain to their satisfaction whether issues like cyber and other topics of the day are being addressed.


Personally, I like the idea that board members require management to explain:

  • Why they believe they are making the intelligent and informed decisions necessary for success, considering all the things that might happen.
  • Why they believe their processes for the identification, assessment, evaluation, and responses to all the things that might happen (both risks and opportunities) are reliable.
  • Why they believe they have an appropriate level of cybersecurity – and are managing other sources of business risk, such as ethics and compliance, third party relationships, technology development and use, competition, and so on.


So, my principles for effective governance of cybersecurity are much simpler:

  1. Remember yours is an oversight role. Hire the right people and let them do their job with your help.
  2. Noses in, fingers out.
  3. Require that management explain to you why they believe everything is as it should be.
  4. Ensure internal audit has the resources and ability to provide you with the assurance you need on major sources of risk, which would probably include cyber.


I welcome your thoughts.

ERM and the Internal Audit Plan

June 24, 2021 5 comments

Internal audit should have a plan for the work it will do, and by now we all know that the audit plan should be continuously updated. It should be designed to address the more significant risks to the enterprise and its success.


Management should have an enterprise risk management program that helps them identify and anticipate all the things that might happen (both risks and opportunities) that might affect the achievement of its objectives, its success. That information enables them to make the necessary informed and intelligent tactical and strategic decisions.


There is synergy, but it is not 100%.


Internal audit should try to take advantage of the work management and the CRO have done. But first it must audit their ERM program to ensure it is reliable.

Assuming it is reliable (meeting the needs of the organization, not just a compliance activity), it should provide the audit team with valuable information about management’s view of threats and opportunities.


The audit team doesn’t simply take those same top risks and opportunities and slot related audits into the audit plan. It has to do at least these two things:

  1. Determine whether any assurance, advice, and insight from internal audit on those top risks and opportunities would be of value to top management and the board. Would there be a satisfactory ROI on the cost of the audit? I have discussed this in earlier blog posts. For example, if there is already a high-powered initiative to address the risk, an audit engagement might not add sufficient extra value.
  2. Identify the root causes or drivers of the risk or opportunity. This should help determine where and how an audit should be performed. An audit is usually focused at a more granular level than what is reflected in the ERM program. For example, at Solectron one of our greatest sources of risk was our ability to source critical components of the necessary quality, to be delivered on time, at a low cost. We had more than 100 factories and we needed to decide which locations and which (if any) corporate functions to include in the scope. I selected four factories on three continents and the corporate materials sourcing department. The team performed four consecutive audits, each with its own audit report, followed by a report with an overall assessment and insights.


But there is one more very important point to be made.


The ERM program assumes that the controls relied upon to manage risks and assure opportunities are functioning as needed.

That is not always reality.

In fact, one of the values of internal audit is to tell management when those controls are not working, almost always surprising leadership.


I am not a big fan of the term ‘inherent risk’ because of the way it is often defined as the level of risk in the absence of controls. (There are other definitions, especially when talking about the risk of a material misstatement of the financials, but let’s stay with this one.)

The best argument against the term is that it is highly unlikely that all related controls will fail.

But there remains a possibility that one or more controls will not perform consistently as required to maintain risk at desired levels or better.

The possibilities of one or more controls failing and the range of effects of such control failures represent what I call ‘control risk[1]’.


What this means is that even though management may assume that a risk is low because of its related controls and procedures, there is no certainty that the latter are:

  • Adequately designed to address the risk, and
  • Operating consistently and effectively as designed


I wrote about the approach Andrew MacLeod used to develop the audit plan as CAE for Brisbane City Council in Auditing that Matters.

He starts with the level of (current) risk defined in the enterprise risk assessment. But then he considers the likelihood that the controls relied upon to manage risk at that level might fail.

Sources and indicators of control risk might include:

  • A history of control failures, especially those detected in prior audits
  • Inexperienced process and control owners
  • Changes to systems
  • Concerns about management and their supervision of the work performed
  • Changes to the business, especially if there is high volatility
  • …and so on

Andrew would also consider other factors in his assessment of the likelihood that controls might fail. An example would be the time since the last audit of related controls.

The table below illustrates my interpretation of the Brisbane City Council approach.

                       Inherent   Residual   Effect of    Confidence    Adjusted Effect   Adjusted
                       Risk       Risk       Controls     in Controls   of Controls       Residual Risk
                       (a)        (b)        (c = a-b)    (d)           (e = c*d)         (f = a-e)
  Customer Credit      300        50         250          90%           225               75
  Inventory Valuation  200        50         150          80%           120               80
  Investments          150        50         100          70%           70                80

The first column shows the level of inherent risk. Customer Credit rates highest of the three in the example, followed by Inventory Valuation and Investments.

The second column shows the level of residual risk, with the third column representing the effect of controls. For example, inherent risk for Customer Credit is assessed as 300, but if the controls over Customer Credit are working as they should the level of risk (i.e., residual risk) is reduced to 50.

Taking multiple factors (such as discussed above) into account, internal audit determines how confident they are that the controls are in fact operating effectively as desired. (This is not as quantitative as it looks. The 90% confidence level for Customer Credit is very much a matter of judgment and experience.)

Based on that, internal audit calculates an adjusted value for controls and, accordingly, for residual risk.

For Customer Credit, the 90% confidence level (or 10% lack of confidence) reduces the effect of controls from 250 to 225. Audit’s adjusted residual risk changes from 50 to 75.

Looking at all three areas of risk, this model has changed the risk priority. Customer Credit has moved from first to third.
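As an added example that is not part of the post or of Andrew MacLeod's method, here is the control-risk adjustment above expressed as a small Python model. The three areas and their values are taken from the table; the tie-break rule (higher inherent risk ranks first when adjusted residual risk is equal) is my assumption, since the post does not say how to order Inventory Valuation and Investments once both sit at 80.

```python
from __future__ import annotations

from dataclasses import dataclass

# Added example, not from the post or from Brisbane City Council: it re-computes
# the control-risk table above. Column letters follow the table:
#   a inherent risk, b residual risk, c = a - b effect of controls,
#   d confidence in controls, e = c * d adjusted effect, f = a - e adjusted residual.


@dataclass(frozen=True)
class RiskArea:
    name: str
    inherent: float    # (a) risk level if the controls are ignored
    residual: float    # (b) risk level if the controls work as designed
    confidence: float  # (d) audit's judgement that they do work, 0.0 .. 1.0

    def __post_init__(self) -> None:
        if not 0.0 <= self.confidence <= 1.0:
            raise ValueError(f"{self.name}: confidence must be between 0 and 1")
        if self.residual > self.inherent:
            raise ValueError(f"{self.name}: residual risk cannot exceed inherent risk")

    @property
    def effect_of_controls(self) -> float:
        return self.inherent - self.residual               # (c)

    @property
    def adjusted_effect(self) -> float:
        return self.effect_of_controls * self.confidence   # (e)

    @property
    def adjusted_residual(self) -> float:
        return self.inherent - self.adjusted_effect        # (f)

    @property
    def control_risk(self) -> float:
        # The part of the controls' effect that audit does not trust; equals f - b.
        return self.effect_of_controls - self.adjusted_effect


# Constructed from the three rows of the table in the post.
AREAS = [
    RiskArea("Customer Credit", 300, 50, 0.90),
    RiskArea("Inventory Valuation", 200, 50, 0.80),
    RiskArea("Investments", 150, 50, 0.70),
]


def prioritise(areas: list[RiskArea]) -> list[str]:
    """Area names ordered by adjusted residual risk, highest first.

    Equal adjusted residuals are broken by inherent risk (my assumption).
    """
    ranked = sorted(
        areas,
        key=lambda a: (round(a.adjusted_residual, 6), a.inherent),
        reverse=True,
    )
    return [a.name for a in ranked]


def rank_changes(areas: list[RiskArea]) -> dict[str, tuple[int, int]]:
    """For each area: (rank by inherent risk, rank by adjusted residual risk), 1-based."""
    before = [a.name for a in sorted(areas, key=lambda a: a.inherent, reverse=True)]
    after = prioritise(areas)
    return {a.name: (before.index(a.name) + 1, after.index(a.name) + 1) for a in areas}


if __name__ == "__main__":
    for a in AREAS:
        print(f"{a.name:20} c={a.effect_of_controls:6.1f} e={a.adjusted_effect:6.1f} "
              f"f={a.adjusted_residual:6.1f} control risk={a.control_risk:5.1f}")
    print("priority:", prioritise(AREAS))
    print("rank changes:", rank_changes(AREAS))
```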


I develop a prioritized list of potential audit projects based on a combination of (a) where I can add value to what management and the board consider to be the top risks and opportunities facing the organization (which tends to assume controls are present and functioning), and (b) an analysis like Andrew’s.

I don’t commit to any timeframe beyond three months for performing any of the projects on the list, because business conditions, risks, and opportunities are changing all the time.

In a fluid environment, my commitment is not to performing these audits at a specific future date. My commitment is to perform the right audits all the time.


I welcome your thoughts.

PS – Join me to discuss the above on Wednesday on Auditopia.

[1] I realize there are other definitions, but this makes more sense to me.

Can internal auditors audit cyber or risk management?

June 21, 2021 7 comments

One of the commenters on my last post on audits of cybersecurity said that providing assurance on such a technical area is beyond the ability of internal auditors.

He has a point!

  • First, I don’t have a lot of confidence that InfoSec practitioners have the right cybersecurity in place for their organizations as few seem to be focused on enterprise business risk. They are following guidance from NIST, ISO, and others that treat information security in a silo.

Business executives and boards appear reluctant to give InfoSec practitioners all the support and resources they desire, and in my opinion it is because the case has not been made that the funds and attention are needed on business grounds. The only case being made is in technobabble, based on a list of high-risk information assets instead of the result of an analysis of how the business might be adversely affected.

If those in charge, with all the training and experience in the world, are having trouble implementing and maintaining systems and processes they and top management believe are fully effective, then why should we expect internal auditors to know whether information security is adequate?

  • Then, there aren’t enough internal auditors who both have a deep understanding of the business (essential for everyone) and have more than a basic appreciation of what it takes to protect an organization’s systems and information – and the technical world of cyber is constantly changing. Training they may have received in 2020 may not be sufficient in 2021 and beyond.


But I believe internal audit can and should provide the assurance, advice, and insight top management and the board need.

I suggested in my last post that internal auditors should take this approach:

  • Examine the foundation of information security before looking at any detailed defenses. I had a separate audit of this performed at one company. It assessed the context for information security, including the effectiveness of related risk management, the staffing level and competence of the team, the position of the CISO in the organization, and so on.
  • Have management explain why they believe cybersecurity is effective. You don’t need the same level of technical expertise for this as you would for trying on your own to audit the technical details of protection, monitoring, detection, and response mechanisms. The answers will give you great insights, especially if you discuss them without blame or judgment with both operating and technical management.
  • Audit in more depth only those areas of cyber that represent the greatest risk to the business. In other words, I would perform a series of audits starting with the foundation and progressing to focused areas of concern.
  • Work towards an opinion on how management is maintaining information security over time rather than seeking to reach an opinion whether it is sufficient at any point in time.


Saying that you can’t audit InfoSec because you lack the technical skills is not, in my opinion, acceptable. If you can’t hire the people you need, then co-source expertise. If you are not given the budget to do either, you have a far more significant problem with confidence in and support for internal audit!

In each of my companies, I made sure that between people on my team and those I brought in as co-source partners, I had the requisite skills and experience to provide a professional opinion on how management was addressing cybersecurity.

For example, at Tosco in the early years, I used Arthur Andersen to perform white hat penetration audits. In later years, I had an IT auditor on staff (Alan Proctor) who had better information security skills than most of the IT Security team. (As a matter of interest, most of the latter had been hired out of my IT audit team.) The other IT auditors, and there were several, had a great combination of business and technical skills, albeit not at Alan’s level. At Business Objects, the individual with the strongest technical skills in the company was one of my IT Audit Managers, Tabitha Gallo.

I am comfortable that I had the resources to audit and provide assurance on cyber at each of my companies. My teams worked to improve information security so that it met the needs of the company, rather than score points by finding holes in the defenses.

I should add that we audited InfoSec within the context of the business and other, operational controls.


Auditing risk management is another challenge.

Just as I said with cybersecurity, I am not confident that many risk management programs meet the needs of the enterprise. The great majority are focused on avoiding failure rather than enabling the informed and intelligent decisions necessary for success.

The IIA has a Certification in Risk Management Assurance (CRMA), a credential that I have myself. You can see the syllabus on their web site. The only prerequisites are that you hold a CIA certification and have 5 years of either internal audit or risk management experience. There is no requirement that you have any experience in auditing risk management.

While I believe the credential has value, I am not persuaded that those who pass the exam are immediately qualified to audit and then express an opinion on whether risk management meets the needs of the organization. That takes more business experience and insight, as well as a broader understanding of what it takes for risk management to be effective. For example, how risk management enables the informed setting of objectives and the weighing of risk and reward in decision-making.

The syllabus appears to me to be, again, focused on avoiding harm rather than achieving success through informed and intelligent decisions.

But I believe internal audit can and should provide assurance, advice, and insight on risk management. It will usually require the involvement and judgment of the CAE working with the CEO and other executives.


I have said in my books and writing in this blog that I like using a maturity model when reporting on an entity’s risk management programs – and include a very comprehensive one in Risk Management for Success.

Comcover, the Australian Government’s self-managed insurance fund, has shared a risk management maturity model that may not be as extensive as mine but is free. It has quite a lot of detail and I recommend its consideration.

Any maturity model should be tailored for your specific organization.


Returning to the question, can internal auditors provide a valuable opinion on risk management?

I believe the answer is yes. They can and they should.

But they need to understand, as a prerequisite:

  • The business: its operations, people, and processes.
  • The capabilities and objectives of the business.
  • That effective risk management is more than an insurance or compliance function. It is not the periodic review of a list of risks. It is about enabling success.

As with cyber, I like the idea of asking management at various levels whether they believe risk management:

  • is effective,
  • helps them make informed and intelligent decisions, both tactical and strategic, and
  • helps them achieve personal, departmental, and enterprise goals.

If they say yes, then we need to ask why and how. If they answer no to any, we explore what is holding the organization back.


I welcome your thoughts.

Authoritative guidance on audits of cybersecurity

June 17, 2021 4 comments

Last year, The IIA released Assessing Cybersecurity Risk: The Three Lines Model (available to members on the IIA website). It is considered Supplemental Guidance (one of their Global Technology Audit Guides, or GTAGs) rather than mandatory guidance.

The GTAG has some good ideas and is useful reading for those charged with an audit of cybersecurity.

However, it is not without its flaws.

I will provide some excerpts here with my comments.

  • Internal auditors need an updated approach for providing assurance over cybersecurity risks. Although IT general control evaluations are useful, they are insufficient for providing cybersecurity assurance because they are neither timely nor complete.

Comment 1: While providing assurance over cybersecurity risks is an interesting concept, it is far better to provide assurance on the management of business risks and opportunities. You cannot understand and assess cybersecurity risks without first understanding how a failure to provide effective cybersecurity would affect the business. Managing cyber in a silo is not good management of the business.

Comment 2: IT general controls include information security and cyber is simply (IMHO) a new buzzword for infosec.

Comment 3: One of the challenges is that the level of threat changes all the time. That makes it more challenging to express an opinion on cyber-related risks, because an opinion might be right today and wrong tomorrow.


  • In response to such emerging risks, CAEs are challenged to ensure management has implemented both preventive and detective controls. CAEs must also create a clear internal audit approach to assess cybersecurity risk and management’s response capabilities, with a focus on shortening response time. The CAE should leverage the expertise of those in the first and second line roles to remain current on cybersecurity risk.

Comment: It is important to remember that there may be compensating or mitigating controls within the business. For example, one Canadian agency I worked with managed funds for other agencies in the province. It rarely traded, so the loss of availability of its systems was mitigated to a large extent by the fact that each executive had spreadsheets showing their positions.


  • Management in first line roles owns and manages data, processes, risks, and controls. For cybersecurity, this function often resides with system administrators and others charged with safeguarding the assets of the organization.

The second line comprises risk, control, and compliance oversight functions responsible for ensuring that first line processes and controls exist and are effectively operating. These functions may include groups responsible for ensuring effective risk management and for monitoring risks and threats in the cybersecurity space.

As a third line role, the internal audit activity provides senior management and the board with independent and objective assurance on governance, risk management, and controls. This includes assessing the overall effectiveness of the activities performed by the first and second lines in managing and mitigating cybersecurity risks and threats.

Comment: We need to be careful not to assign responsibilities to functions in the second line for ensuring anything. They help the first line, who own and are accountable for understanding, assessing, and evaluating sources of risk.


  • As part of evaluating the effectiveness of the risk management process required in IIA Standard 2120 – Risk Management, the role of the internal audit activity is to independently assess cybersecurity risks and controls to ensure alignment with the organization’s risk appetite.

Comment 1: Incorrect. Internal audit should assess whether management is understanding, assessing, and addressing risks; it is not internal audit’s responsibility to assess the risks themselves.

Comment 2: It is correct, however, that internal audit should independently assess the design and operation of related internal controls – which include the combination of controls in the business as well as in IT and other functions.

Comment 3: Risk appetite is a debatable concept, and it is hard to see how it relates to cybersecurity risks. It should apply to the business operation, if at all.


  • This involves reviewing the adequacy of work done by the second line roles related to frameworks, standards, risk assessments, and governance.

Comment: Internal audit should assess the work of the second line in terms of whether they meet the needs of the organization. A compliance audit (for example with standards or frameworks) is of far less value.


The GTAG shares 10 questions that internal auditors should consider asking during their audit. While they merit consideration, they are based on auditing cyber as if it existed in a silo, separate from the operation of the business.


I believe any audit of cybersecurity (or information security, if you see a difference) should be based around these principles:

  • Any organization’s approach to cybersecurity should be risk-based, and by that I mean designed to reduce the overall risk to enterprise objectives to acceptable levels, given the cost and other factors.
  • It is impossible to reduce the risk to zero, so business judgment should be applied in allocating resources.
  • Every dollar spent on cybersecurity is a dollar that is not spent addressing other sources of opportunity and risk.
  • Internal audit’s goal should be to assess whether management has reasonable processes in place to assess cyber as an element of business risk, determine appropriate prevention and response measures, and then design, implement, and maintain reasonable cybersecurity.
  • Internal auditors need not only to have an acceptable understanding of cybersecurity principles, but also how risk management can help an organization make the informed and intelligent decisions necessary for success[1].
  • The threat landscape is changing all the time, so a point-in-time detailed assessment of cybersecurity measures is of less value than assessing whether management has reasonable ongoing processes. However, periodic assessments of those areas that are considered most vulnerable often have value to confirm management’s approach and ability.
  • Excessive caution around cybersecurity can be harmful. However, a failure of the whole organization to recognize the risks and use reasonable caution in their work is itself a source of risk.
  • Internal audit should be wary of penalizing good faith efforts to build an effective cybersecurity program. Progress and other positive aspects should be highlighted, while explaining where improvements should be made.


Here are some different questions to consider:

  1. Does management have an acceptable program for anticipating what might happen (a.k.a. risks and opportunities) and factoring that into objective and strategy-setting, as well as into strategic and tactical decision-making? (This question applies enterprise-wide, not just to cyber.)
  2. Does management understand what the likelihood of achieving enterprise objectives is, given all the things that might happen?
  3. Does that program include the consideration of how a failure to protect information and the related systems and infrastructure might affect the achievement of enterprise objectives?
  4. When assessing how a cyber breach could affect the business, is there an effective partnership between operating management and the technical staff? In other words, do both actively participate and is it a shared assessment?
  5. Are all the risks and opportunities, including those that are technology-related, assessed and evaluated in a way that enables them to be compared, aggregated, and addressed in a way that optimizes the likelihood of enterprise success? Is all of this done in a way that enables the appropriate allocation of capital and other scarce resources?
  6. When it comes to cybersecurity, and changes in associated risks and opportunities, is there a constructive discussion about actions and budget with management – in business language? Do all parties understand each other and the situation?
  7. Is the information relating to cyber that is provided to management and the board understood by them within the context of running the business? Is it actionable, providing the information they need for management decisions?
  8. Is the budget for cyber defense and response allocated based on an appropriate understanding of what is needed to help the business achieve its objectives?
  9. Does management have a list of areas where improvement is needed? Is there a plan to address them on a timely basis?
  10. Are sufficient resources in place or at least budgeted to make all necessary upgrades?
  11. Is there effective monitoring of potential and actual breaches so that their effect can be minimized, including their duration?
  12. Is the organization adequately prepared, with communication and recovery plans as necessary, for a breach?
  13. Are there appropriate procedures in place to notify external parties, such as customers and partners? Is there reasonable assurance that any necessary filings are made with the regulators to disclose breaches?
  14. Do both management and the Infosec leaders believe there is an appropriate level of prevention, mitigation, and response when it comes to cyber? If not, why not?
  15. If management believes there is a reasonable level of cybersecurity, why?
  16. Have appropriate insurance policies been put in place?
  17. Are those charged with managing cybersecurity technically competent, and do they have a solid understanding of the business?
  18. Do those charged with cybersecurity have an appropriate position within the organization, with necessary access to top management?


Clearly, this is only a start. I prefer to ask why management believes they have appropriate cyber security because I can base additional audit activities around it. If they can’t explain why, there is another problem entirely.

You may have noticed I am not mentioning any of the cybersecurity frameworks or standards. Each organization has to do what is right for them rather than adhere and comply with a generalized standard. Those pieces of guidance are valuable frames of reference, but compliance with a standard is not a guarantee of effective cybersecurity.


I hope this is food for the thoughts that you will share in the comments.

[1] Of course, it would be disingenuous not to recommend my own book, Making Business Sense of Technology Risk.

An important discussion of risk and its assessment

June 14, 2021 17 comments

Alex Sidorenko has written What is a risk? It’s not what you think it is.  Here’s his first and most important point, with my emphasis added:

Uncertain event with uncertain effect

This is probably the best-known way to describe risk. Risk is represented as an uncertain event within a given timeframe that if it happens will have an effect on objectives, decisions or some other important aspect of the business.

Make no mistake, I am not talking about qualitative nonsense you would see in a heatmap. Risks don’t have a single consequence, it is always a range. Smaller consequences usually have higher probability and catastrophic consequences usually have lower probability. Consequences of any given risk are a probability distribution. Understanding the nature of that distribution is crucial for risk mitigation, whether it is lognormal, metalog or something more exotic.

What about frequency or probability? First basic math, risk doesn’t happen on average (unless we are dealing with some portfolio risk analysis), it either happens or it doesn’t. That’s why probability is also a distribution, like Bernoulli for example. But wait, many risks may happen more than once per period. That’s why it’s actually often useful to replace probability with frequency which is also a distribution, like Poisson.

ISO 31000 talks about risk as the effect on objectives, and that is fine. (COSO is not that different.)

So, I would argue that we are not talking so much about an uncertain event (or situation) as we are or should be concerned with an uncertain range of effects, each with its own and uncertain likelihood. While they may be caused by one or more events (bad things do tend to happen in clusters), it is the effect that needs to be addressed – or, I should say, the range of effects.


Understanding that an event or situation can have a range of effects, each with its own likelihood, is crucial to informed and intelligent decision making.

While I understand the desire to reduce the range to a point (Alex talks about a value), we must be incredibly careful!

Is there a point, maybe more than one, in the range of effects and likelihoods that is not acceptable? While calculating an overall value may incline people to decide that it is okay and can be accepted, it is quite possible that even a very low likelihood of a catastrophic effect is unacceptable.
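To make the range-of-effects point concrete, here is a small frequency/severity simulation, written for this post as an added example (it is not Alex’s model or any code from the original). It follows the quoted passage: a Poisson-distributed number of loss events per year and a lognormal loss per event. The parameters (two events a year on average, a median loss of 50,000 per event, a tolerance of 1,000,000 a year) are constructed assumptions chosen only to illustrate how a single expected value can hide an unacceptable tail.

```python
"""Frequency/severity Monte Carlo: what a single 'expected loss' figure hides.

Added example for this post; parameters below are assumptions, not data.
"""
import math
import random
from statistics import mean


def poisson_sample(rng, lam):
    """Draw one Poisson(lam) variate (Knuth's multiplication method).

    random.Random has no Poisson generator, so we implement one.
    """
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_loss(lam, median_loss, sigma, years=20_000, seed=1):
    """Return a list of simulated total losses, one per simulated year.

    lam:         mean number of loss events per year (Poisson frequency)
    median_loss: median loss of a single event (lognormal severity)
    sigma:       lognormal shape; larger means a heavier tail
    """
    rng = random.Random(seed)
    mu = math.log(median_loss)
    losses = []
    for _ in range(years):
        n_events = poisson_sample(rng, lam)
        total = sum(rng.lognormvariate(mu, sigma) for _ in range(n_events))
        losses.append(total)
    return losses


def percentile(values, q):
    """Simple empirical percentile (q in [0, 1])."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(q * len(ordered)))
    return ordered[idx]


def summarize(losses, tolerance):
    """Compare the single 'expected' number with the shape of the range."""
    return {
        "expected": mean(losses),
        "median": percentile(losses, 0.5),
        "p99": percentile(losses, 0.99),
        "p_exceeds_tolerance": sum(1 for x in losses if x > tolerance) / len(losses),
    }


if __name__ == "__main__":
    # Constructed assumptions: 2 events/year, median 50,000 per event,
    # heavy tail (sigma 1.5), tolerance of 1,000,000 per year.
    losses = simulate_annual_loss(lam=2.0, median_loss=50_000, sigma=1.5)
    for key, value in summarize(losses, tolerance=1_000_000).items():
        print(f"{key:>20}: {value:,.3f}")
```

The expected value lands around 300,000, yet the 99th percentile is several times that, and a few percent of simulated years exceed the tolerance. Reporting only the mean, or a heat map cell, would hide exactly the low-likelihood catastrophic outcomes that may be unacceptable on their own.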


Even then, making a decision based on an assessment or visualization of one source of risk, even if shown clearly as a range, ignores the fact that:

  • There is rarely just one source of risk that needs to be considered in making the decision.
  • It ignores the reasons you might want to take the risk, such as the possibility of reward or the need to invest the resources in addressing one or more other sources of risk.


I like the concept of resilience.

As a Vice President in IT at major financial institutions, one of my teams was responsible for contingency planning (both for the data centers and for the business). We realized that we needed to be prepared for and ready to recover from the disruption of technology services (the effect) regardless of the cause of that effect (the event or situation). Yes, prevention of the event was important, but there are some events or situations that are out of your control. For example, our main data center was on the flight path into Burbank airport and there was no way we could prevent a plane hitting our facility!

Resilience recognizes that while there are some sources of risk that you can anticipate, others can surprise you.


Returning to the main points:

  1. Recognize that heat maps and even models that attempt to put a single value on the level of risk, ignoring the fact that there is a range of effects and likelihoods, are simply wrong.
  2. Trying to make a decision based on information about only one of the many potential sources of risk, only one of the potential drivers and consequences, is unlikely to lead to success.
  3. Don’t leave out of the equation the reasons for taking a risk – the potential for reward.


One massively overlooked point is this:

You need to understand the decision that needs to be made before you can understand and develop the information needed to make it.


Provide decision-makers the information they need about risks, opportunities, and the potential consequences of their actions/inactions.

Don’t provide the information you think they should need based only on standards, frameworks, so-called best practices, or other generic guidance.


I welcome your thoughts.

Assessing and addressing technology risk

June 10, 2021 5 comments

One of my frustrations over the years has been the continuing practice of those involved in addressing technology (or IT) risk and related audit of seeing it in a silo.

About 15 years ago, I was on a team of practitioners developing guidance for auditors (the GAIT Methodology, which continues to be recommended guidance by the IIA). One of the team members was Jay Taylor, head of IT Audit for GM at that time (later their CRO). He said something that resonates today:

“There is no such thing as IT risk, only business risk.”

We should not be concerned specifically with risk to systems availability, access, security, etc. or even to information assets. What we should be concerned with is risk to the business and the achievement of its objectives.

Any technology risk assessment should be made in terms of the potential effect on the business, not any effect on IT assets or goals.

Yet, guidance from ISO, NIST, and FAIR continues to focus on the silo not the whole business. It does not enable risks arising from technology-related issues to be measured against technology-related rewards, or other sources of business risk. It doesn’t enable decisions to be made about where scarce resources are best invested: for example, addressing ransomware risks or the possibility of being late to market with new products. After answering such strategic questions and determining the level of resources that should be spent on addressing cyber, for example, it is time to look inside the silo and decide in more detail and specificity where those resources should be focused.

I addressed this in Making Business Sense of Technology Risk, in many ways my most difficult book to write and which should be eye-opening to many IT risk and audit practitioners. Fortunately, I had an all-star cast of practitioner reviewers!

But the world continues to focus on IT risk instead of business risk.

Consider a recent piece from KPMG: IT Internal Audit Planning for 2021. While it has some interesting and useful observations about what is inside the silo, it recommends that IT audit practitioners focus there instead of the larger business – the context within which IT operates and serves.

For example, KPMG says:

IT Internal Auditors must stay aware of, and align themselves to, the IT transformation activities across the organization to stay relevant.

While this is true, what is more important is for all internal auditors, not just those who specialize in technology, to understand how the business is transforming! Auditors (and risk practitioners) should look to the future and understand how technology can and should be deployed for current and future benefit.

In other words, understand the strategic plans and initiatives of the enterprise and then consider how technology is and will be used.

Only now can technology-related risks to the business be identified and assessed – in terms of achieving those strategic plans and related objectives.


The other point I would make, which is overlooked by far too many, is that talking about “IT” is limiting. It is far better to talk about technology, which extends beyond the scope and control of IT management. Technology is being deployed in manufactured products as well as the equipment used to make them.


Technology should not be assessed in a silo.

We should not be talking about IT audit planning but planning for the entire internal audit organization. Often, I had integrated teams of operational and technology auditors working on major system development projects. And… planning should be continuous.

Staffing needs to be done with care. You need people who can see the big (business) picture as well as people with the technical skills for the technology of today and tomorrow.


I welcome your thoughts.

Revitalizing risk management

June 7, 2021 10 comments

One of the problems with many risk management functions, as I see it, is their reporting structure.

Many (including regulators) see the ideal as reporting directly to the board or a committee of the board. That sets them up as separate and independent of the management team, creating the perception if not the reality that they have a different agenda: preventing management from taking too much risk (whatever that means) rather than helping them take the right risks for success.

If risk officers are seen as standing in the way of innovation and performance, let alone agility in decision-making, why should we expect executives to welcome them into their house?


The second preferred option for many is to report directly to the CEO.

Does the CEO understand how risk management can help him or her and their team succeed? Or are they under pressure from the board and others to, again, see risk management as helping to avoid failure?

Focusing on avoiding failure inevitably leads to failure.

In addition, the CEO is probably the busiest person in the organisation, and it is not easy to get their time let alone their attention.

In fact, even when the CRO does report to the CEO, he or she is usually not seen as a member of the top executive team and is rarely included in meetings of the elite group that runs the organization.


Most will agree that the CRO should not report to the CFO, as this may:

  • Unduly influence the CRO towards financial issues, and
  • Create the perception that the CRO is a finance and compliance rather than a business person.


I don’t have any problem with the CRO reporting to (or being the same person as) the CAE. But that all depends on the CAE. Does he or she have the right attitude about taking risk? Does he or she have the respect of the rest of the organization – as a business rather than police person? Truly?

Even then, when the CAE is also the CRO, where should he or she report? When I wore more than one hat like this, I made sure it was clear where I reported for each responsibility.


I believe there are two better options. Options that could revitalize a risk function mired in risk avoidance and mitigation.


The first is to report to the Chief Operating Officer.

This is how the responsibilities of a typical COO have been described:

  1. Provide management to staff and leadership to the organization that aligns with the company’s business plan and overall strategic vision.
  2. Assist executive team members in creating, growing and building a world class, industry leading organization.
  3. Drive company results from both an operational and financial perspective working closely with the CFO, CEO and other key executive team members.
  4. Partner with the CFO to achieve favorable financial results with respect to sales, profitability, cash flow, mergers and acquisitions, systems, reporting and controls.
  5. Set challenging and realistic goals for growth, performance and profitability.
  6. Create effective measurement tools to gauge the efficiency and effectiveness of internal and external processes.
  7. Provide accurate and timely reports outlining the operational condition of the company.
  8. Spearhead the development, communication and implementation of effective growth strategies and processes.
  9. Work with other C-level executives on budgeting, forecasting and resource allocation programs.
  10. Work closely with the senior management team to create, implement and roll out plans for operational processes, internal infrastructures, reporting systems and company policies, all designed to foster growth, profitability and efficiencies within the company.
  11. Motivate and encourage employees at all levels as one of the key leaders in the company including but not limited to professional staff, management level employees and executive leadership team members.
  12. Forge strategic partnerships and relationships with clients, vendors, banks, investors and all other professional business relationships.
  13. Work with the CEO and CFO in the capital raise process, participate in the company’s road shows.  Meet, interact and present information effectively to potential investors and private equity firms.
  14. Foster a growth oriented, positive and encouraging environment while keeping employees and management accountable to company policies, procedures and guidelines.

If the CRO’s primary purpose is to help management make the informed and intelligent decisions necessary for success (as I have argued here and in my books), then it seems to me that the COO is a primary customer.


Why not report to your primary customer?

That will help ensure that your interests are aligned, and you get his or her valuable support, including time and resources.

The COO will have an incentive to make risk management as effective as possible when it comes to both strategic and tactical decisions.

Just like the CAE, the CRO can have matrix reporting. For example, some organizations might want him or her to report to the board (or a committee of the board) and the COO. I could see some variations on this theme, for example reporting to the COO who is the chair of the management risk, strategy, and performance committee. Note how I integrated all three rather than having a siloed risk management committee.


The other option may be a new idea to some.

Have the CRO report to the Chief Strategy Officer.

This is how Wikipedia describes the role:

The CSO is an advisory and deal making role; both leader and doer, with the responsibility for formulating corporate strategy as well as ensuring that execution of the strategy supports the strategy elements. The CSO at times functions as a sort of “mini CEO,” someone who must see the issues confronting the company from as broad a perspective as the chief executive does.

Typical CSO responsibilities include:

    • Develop a comprehensive, inclusive strategic plan and growth strategy by collaborating with the CEO, senior leadership and the board of directors.
    • Analyze market dynamics, market share changes and product line performance.
    • Identify and often execute important capital projects, joint ventures, potential M&A targets and other strategic partnership opportunities.
    • Identify and convey strategic risks.
    • Communicating and implementing a company’s strategy internally and externally so that all employees, partners, suppliers, and contractors understand the company-wide strategic plan and how it carries out the company’s overall goals.
    • Driving decision-making that creates medium- and long-term improvement.
    • Establishing and reviewing key strategic priorities and translating them into a comprehensive strategic plan.
    • Monitoring the execution of the strategic plan
    • Facilitating and driving key strategic initiatives through inception phase.
    • Ensuring departmental/unit strategic planning projects reflect organizational strategic priorities.
    • Partnering with institutional leadership, special committees, and consultants to support execution of key initiatives.
    • Developing inclusive planning processes.
    • Translating strategies into actionable and quantitative plans
    • Mobilizing and managing teams of individuals charged with executing strategies.
    • Acting as a resource across an organization to increase broad cohesion for strategic plans.
    • Execute divestments and divestiture.
    • Collaborate with the CFO to develop a capital plan in line with the organization’s strategy.

Again, the objectives and responsibilities of the CSO seem to me to be aligned with those of the CRO.


What do you think?

Would a change in reporting structure revitalize and give new energy to a risk management function and practice?

GRC Confusion

May 31, 2021 6 comments

In 2008, SAP asked me to take a leadership position in talking about GRC. I was ready for a change, as my company (Business Objects, where I had led both internal audit and risk management as a vice president) had been acquired by SAP. While I had been offered an interesting opportunity in a risk management role with the company, I was less than enthusiastic about it.

I had enjoyed speaking at IIA and other conferences and seminars over the years, and the idea of making that a full-time job was appealing.

First, I had to find out what they meant by GRC!

In all my years as a risk and audit executive, I had never heard about it.

I knew what governance, risk, and compliance were individually, but I was not familiar with this acronym and why people wanted to combine three separate activities into a single expression.

SAP had a suite of programs they called GRC. But they were limited to tools to help manage user access to its ERP, maintain trade compliance (I make no comment on their own recent trade compliance problems), perform risk management, and comply with SOX. They also had a strategy management solution, but it was managed separately without integration with the solutions in “GRC”.

SAP also had a GRC department that focused on risk management, SOX compliance testing, and high-level information security oversight. The Senior Vice President of GRC also chaired their policy management committee.

These situations were not the answer to “what is GRC?” – in a way that made sense. Why the three in combination?

I found the answer in the work of the Open Compliance and Ethics Group. They have a definition of GRC that makes sense.

GRC is the capability, or integrated collection of capabilities, that enables an organization to reliably achieve objectives, address uncertainty, and act with integrity; including the governance, assurance and management of performance, risk, and compliance.

In other words, it is about achieving objectives – together.

While this makes business sense, it is not accepted by everybody.

In fact, when I did my own study of what GRC meant, I found a useless plethora of definitions and understandings.

That led me to writing and talking about the fact that GRC should stand for Governance, Risk Management, and Confusion.

I also pointed out that the G in GRC was silent in most cases, because few if any GRC departments and even fewer GRC “platforms” have functionality to help those with a governance role: the board, executive management team, legal, strategy, and so on.

I first started blogging about this in 2009 (when I was in my new role at SAP). I closed that post with (emphasis added):

So, what does this all mean? I believe that there is so much talk about GRC that we can’t ignore it. Instead, we need to:

  • Recognize there is no common definition of GRC and ask everybody who uses it just what do they mean.
  • Instead of talking about GRC processes and applications, talk about the real business process problems in the enterprise.
  • When assessing applications from so-called GRC vendors, realize that each has a different definition of GRC and focus on the real business process needs you have. Don’t allow the fog of GRC to get in the way.
  • Recognize that the assessments of the market and solutions by analysts like Forrester Research and Gartner are based on their own (different) definitions of GRC. The components they include may not all be as important to you as they have assumed in rating vendors’ solutions.

The bottom line, for me, is that we should not allow the buzzword of GRC to divert us from assessing what is needed in our business. Just because somebody includes a functionality in their “GRC platform” does not mean we have to.

In a second post, I suggested a common English variation of the OCEG definition:

I like to think of GRC as how a company is managed and directed to achieve the strategies and goals of the stakeholders, considering risks and staying within compliance boundaries of applicable laws and regulations.

I could have said it even more simply: it’s effective, thoughtful management for success.


Have people learned in the dozen years since?

I don’t think so.

People call themselves GRC professionals without any responsibility for governance activities. For the most part, they seem to be risk practitioners, compliance professionals, or internal auditors. Few have more than one part of GRC in their job description.


PwC recently published “Next generation digital GRC”. Do they understand and have a useful way of talking about GRC? Look at how they start, with a quote from their Asia Pacific leader:

Throughout the last decade, the concept of governance, risk, and compliance has been viewed as a supporting function. However, more than ever, businesses are evolving to respond to shifting market dynamics, new digitally enabled competitors and changing customer expectations. Addressing these emerging challenges requires companies to rethink how to integrate GRC in order to build trust and enhance their market competitiveness. Otherwise, businesses cannot successfully manage rising uncertainty, complexity, and ambiguity around today’s regulatory and geopolitical environments.

GRC should not be considered a “supporting function”. It is how you manage for success! This is a pure sales pitch, IMHO. If this is your idea of GRC, I will let you read the PwC piece but I am not going to excerpt anything here.

The value of thinking about GRC is, as I have said in the past, that it makes you ask how everybody is working together to achieve success.


Who is a GRC practitioner?

The clearest answer is the CEO. He or she has all the dimensions of G, R, and C.

But another answer is that instead of only people who have all of G, R, and C, it’s anybody who has at least one part of that combination. That means pretty much everybody is a GRC practitioner.

Or is it a silly expression? Should we instead talk about risk practitioners, compliance professionals, internal auditors, strategic planners, attorneys, board members, information security personnel, and so on? In other words, focus on what people are responsible for rather than tagging them with an expression that signifies nothing?


I welcome your thoughts.

Does agile auditing mean auditing faster?

May 24, 2021 4 comments

My friend, Jason Mefford, recently interviewed Toby DeRoche on this question. Toby has a training program in Agile Auditing that leads to a certification as an Agile Auditor Professional (cAAP). Toby describes his approach this way:

“You’ve listened to the rest, now learn from, and get certified by, the best in agile auditing.”

We can only audit at the speed of risk if we update our audit process. Traditionally, internal audit completes a risk assessment once each year with only minor updates when needed. The audit plan is set, and the focus is on plan completion – not on gathering risk insights.

Traditional internal auditing is a broken model that is too slow, too historical, and too rigid. In today’s dynamic business environment you have to be more proactive and agile, or you risk being seen as just another compliance function.

With a risk-based, agile approach, you can quickly see that an annual plan is no longer acceptable. In fact, most modern internal audit groups are already making the transition to agile auditing.

Audit plans must be flexible, able to adapt to cover critical and emerging risks at a speed that makes sense for our organizations. The agile audit methodology creates an audit plan that meets the needs of a modern, risk-based team.

In contrast to the traditional process, agile auditing is a risk-centric approach to developing and executing audits, based on a shorter audit lifecycle from assessment to reporting, which focuses on gaining and sharing insights with management related to the most urgent risks in an organization.

We’re not trying to audit faster; we’re trying to audit the right things at the right time.”

Benefits of Agile Auditing

    • More flexible, more aligned, proactive audit plan
    • Less time preparing the audit plan
    • Less time planning individual audits (weeks to days)
    • Significantly reduce time for audit report issuance (often 30-40% of traditional audit hours).
    • Increased communication between auditors and management improving the quality of findings and recommendations.
    • Avoid surprises and contention with management at the end of the audit.

In his intro to the interview, Jason says:

We’ve been talking about agile auditing for years, so why are a few succeeding while others are reluctant to embrace it or failing in their implementation?

Agile doesn’t mean faster, and it doesn’t apply to just one part of the audit process. It is a paradigm shift and one of the most important changes to #internalaudit in many years.

Here is an excerpt from the interview. Toby says:

One of the first things people think is that they’re going to start having these really, really, short, really, really, fast audits. You know, and I’ve even seen people posting on LinkedIn. Like, I’m so frustrated with this whole agile thing. How am I supposed to do an audit in six days? Like, well, why in the world would you think you can do an audit in six days? That’s not the point of this, the whole point wasn’t for us to be able to audit faster, the whole agility idea is that I’m homed in on the things that matter right now.

After this, Toby talks about the need for continuous, dynamic audit planning; the need for prompt and effective (agile) communications to management and the audit committee; and an aversion to trying to force the language and (in some cases) techniques of Agile for IT development onto internal audit.

I agree with all of that, except his trashing of the idea of small audits.

I have been practicing, talking, and writing about what is now thought of as agile auditing for about 30 years! That included:

  • Continuous audit (enterprise) risk assessment with a rolling audit plan
  • One page or less audit reports
  • Communication of our results that focused on the closing meeting and face-to-face discussions with management to reach a common understanding and agree on actions
  • Reporting agreed-upon actions instead of recommendations
  • Opinions in every audit report that explained the results in English rather than traffic light colors, and a macro opinion (as explained in later IIA guidance) annually
  • Staff that could think in business terms, and audit at speed

Yes, they completed audits fast.

Here is an excerpt from the audit plan of my excellent East Coast Audit Director (Tom Wisniewski) as he started 2001:


Audit project | Scope | Hours
Accounts Payable Controls – Bayway | Review of Accounts Payable Controls including approval authorizations | 80
Comets Company Wide Project | Determine what does not work in Comets. | 120
East Coast Power Construction Contract | Review of all construction contracts. | 200
Foreign Trade Zone – Bayway | Review of all procedures, controls, and compliance with all Foreign Trade Zone regulations. | 100
Inventory Accounting Consolidation, Evaluation & Rollup for East Coast Refineries and Terminals | Review of the entire East Coast Inventory evaluation, rollup, and gain and loss through the Comets system. | 120
Outstanding Findings – East Coast Refining | All open outstanding findings. | 40
Polypropylene Project | Review of all construction contracts. | 200
Assessment of Raw Material Costs (Crude and Cat Feed) | Review of the entire East Coast Raw Material evaluation and rollup through the Comets system. | 120
PWC – Procurement, Accounts Payable, Fixed Assets, Payroll, Turnaround, Physical Inventory, and Quarterly Reviews | Assist PWC on their annual audit of Tosco | 250
Quarterly Earnings Review – 1st QT | Limited Quarterly Review. | 56
Quarterly Earnings Review – 2nd QT | Limited Quarterly Review. | 56
Quarterly Earnings Review – 3rd QT | Limited Quarterly Review. | 56
Reformulated Gasoline Bayway | Regulatory audit to ensure compliance with guidelines | 800
Solid Waste Disposal – Environmental Compliance | Regulatory audit to ensure compliance with guidelines, including a visit to the dump site | 120
Enterprise EMPAC Security and Upgrade Plus E-Security | Evaluation of Controls and Security designed into EMPAC. Plus any parts of EMPAC not being used and why. | 100
Network Security Assessment – Bayway | Continuously run the ISS software for this location and work with the location to fix all high-risk security vulnerabilities found. | 50
Novell Security Assessment – Bayway | Continuously run the Kane software for this location and work with the location to fix all high-risk security vulnerabilities found. | 50
PWC – IT Audit Assistance | Perform whatever scope required by PWC. | 60
Comets Security | Review of Comets security for the East Coast Locations. | 80
Independent Contractor Guidelines Compliance | Review Independent Contractor Contracts to assure that they comply with IRS Contractor/Employee Guidelines. | 140
Exchanges | Review of Exchange Accounting at Bayway | 120
Catalyst & Chemicals | Review of Procurement and Recovery Procedures. | 80
Procurement of Computer Hardware and Software | Review of Procurement and disposal of excess equipment procedures. | 80
IT Disaster Recovery – Bayway | Review of existing IT Disaster Recovery Procedures for Bayway. | 60
Bayway Traffic | Review controls for contracting rail and trucking services. | 90
Process Safety Management | Review compliance of safety procedures and follow up of near misses. | 80
TOTAL | | 3,308


That is 26 projects for 3 people, including Tom – except this was only the part of his audit plan that focused on projects at the refinery in New Jersey. While one regulatory compliance audit was a massive 800 hours (the first year of the audit), most are small and fast.

There were an additional 19 projects focused on our wholesale terminals and pipeline operations (from 40 to 120 hours per audit) and 13 at our Pennsylvania refinery (one regulatory compliance audit was budgeted at 300 hours – the same audit that was budgeted at 800 hours in New Jersey – but the others are, again, small and fast).

That’s a lot of projects for 3 people. I should add that all but one was completed within budget. I should also point out that these were not the same projects we had on our audit plan at the start of the year. The change over the year was about 40%, as new risks were identified and included in the plan, replacing ones that no longer rated high risk.


Fast doesn’t mean quality suffers!

We were able to perform a great many audits, focused on a great many sources of risk to the enterprise, because:

  1. We focused on those few sources of risk at a location or within a process where a failure would matter to the success of enterprise objectives. We did NOT perform anything like a full-scope audit, ever! That meant that the scope was limited and could be achieved without wasting time on sources of risk that did not matter to the achievement of enterprise objectives.
  2. Once we had done enough work to reach a professional opinion, we stopped.
  3. I had a great team of experienced professionals. They had a business orientation, understood processes and controls, and could reach a professional opinion without performing unnecessary work.
  4. Documentation, such as working papers, was limited to what had value. For our regulatory compliance audits, which were going to be reviewed by government examiners, the working papers were exemplary. Otherwise, they were minimal. Reviews were performed (by me, for the most part) through discussion rather than by focusing on what had been written down in working papers, and they concentrated on whether the scope had been covered and the opinion was appropriate.
  5. We knew that every hour spent on an audit that was not necessary was an hour that could have been spent looking at something else that was important.


Agile internal auditing does not necessarily mean short and fast audits.

But it does mean there is a focus on only auditing what matters, with great efficiency, and that means that audits can be completed faster.

When an area has a great many sources of risk that matter, you can include them all in a single and large audit, which can delay sharing valuable assurance and insight (requiring regular discussions with management throughout the audit, as suggested by Toby), or you can split them into a number of smaller audits. Both approaches have their merits.

But the key is to audit only what matters – and that leads to smaller and faster rather than larger and slower audits.

I am reminded of one of the precepts of Lean: smaller batch sizes in production. The concept there, which enables lower inventory carrying costs and more agility in manufacturing, applies here as well.

If you have a large audit, it is hard to pivot and reallocate resources to a new and more significant source of risk.

So, the answer to the question in the title is “Generally, yes. If not, re-examine whether you are really only auditing what matters!”


What do you think?

Where should risk management be discussed? Full board or a committee of the board?

May 20, 2021 5 comments

My good friend, Alexei Sidorenko, recently shared what he considers one of his “controversial thoughts about modern day risk management in non-financial companies”. I recommend his RISK-ACADEMY blog and YouTube channel.

He wrote Why Board Audit Committee is the worst place for risk management and having a separate Board Risk Committee is even worse.

I agree with him to a degree and add that internal audit should report to both the audit committee and any risk committee. Where appropriate, it should attend full board meetings where information from an audit and its effect on enterprise objectives is being discussed.

Here are some key points:

  • Over the last 10 years it became almost dogmatic that risk management effectiveness has to be disclosed at the Board level. It seems to be equally accepted that the full Board is responsible for risk management oversight, which, however, can and often does delegate this oversight responsibility to the Audit Committee. This is in fact so common that many organisations have expanded the Audit Committee mandate to include risk management and renamed it the Audit and Risk Committee.
  • According to FRC[1], the audit committee should review related information presented with the financial statements, including the strategic report, and corporate governance statements relating to the audit and to risk management.
  • The audit committee should ensure that the internal audit plan is aligned to the key risks of the business. The audit committee should pay particular attention to the areas in which work of the risk, compliance, finance, internal audit and external audit functions may be aligned or overlapping and oversee these relationships to ensure they are coordinated and operating effectively to avoid duplication. (FRC)
  • If risk management is a decision making tool (under RM2[2] it sure is), then discussing risks, goals, objectives, performance targets or actual performance separate from risks is insanity. Risk is not a standalone item that needs to be managed (except a few compliance risks, but only because regulators missed the plot and now we all have to pretend compliance risks need to be managed and are not a driver in business decision making); risk is the other side of the performance coin.
  • Business performance is two-dimensional: reward and risk. How much did we make and how much did it or could’ve cost us (how much risk did we take on to generate the revenue)?
  • Separating the risk conversation from planning, budgeting and performance conversations should stop asap.


I think Alexei is saying this, with which I agree:

  1. The consideration of what might happen (risk and opportunity) is an integral and necessary element in informed and intelligent decision-making. Those decisions include both setting objectives and strategies for achieving them, as well as the tactical and operational decisions made in running the business.
  2. When the board discusses current and future performance, it needs to consider what might happen (information garnered from risk management activities). Discussing strategies and performance at the board level but leaving any thought about what might happen to adversely affect operations and the achievement of objectives to a separate, siloed review by a committee of the board, makes little sense.
  3. Risk and opportunity only make sense when viewed from the perspective of how they might affect the achievement of enterprise objectives. Boards and executives need to manage and direct the enterprise, not a list of risks.
  4. However, the board needs assurance that management has sound processes and systems for understanding and addressing what might happen: its enterprise risk management activities. It is reasonable to delegate oversight of these processes and related activities to a board committee, either risk or audit.

As I said, I think this makes sense.

But what about internal audit?

The traditional approach is to have internal audit report to the audit committee of the board. But what if there is also a risk committee?

I would suggest:

  1. The CAE should report on a solid line to the audit committee, consistent with regulatory guidelines.
  2. The CAE should communicate any issues he or she identifies that might have a significant impact on the business and its ability to achieve its objectives to both the audit and the risk committees, preferably at a joint meeting. The CAE should routinely attend both committees’ meetings, even when he or she has nothing to report.
  3. Where there is a compliance committee and the CAE identifies related issues, he or she should attend a meeting of that committee and communicate the results. I believe the CAE should be a regular attendee of that committee.
  4. When there are serious issues that merit the attention of the full board, the CAE should attend and participate in the board’s discussion.


What do you think?

[1] The Financial Reporting Council explains that “We regulate auditors, accountants and actuaries, and we set the UK’s Corporate Governance and Stewardship Codes. We promote transparency and integrity in business. Our work is aimed at investors and others who rely on company reports, audit and high-quality risk management.”

[2] Alexei defined RM1 and RM2 in 2018 as “There is risk management 1 – risk management for external stakeholders (Board, auditors, regulators, government, credit rating agencies, insurance companies and banks) and risk management 2 – risk management for the decision makers inside the company.”

Is risk-based audit the best approach?

May 17, 2021 8 comments

When I became a chief audit executive (CAE) for the first time in 1990, I determined that a risk-based approach was not sufficient.

A risk-based approach focuses on how well management can handle a potentially bad event or situation. It assesses the design and operation of the internal controls relied upon to prevent losses or other bad effects, such as financial statement errors, fraud, or reputation damage.

The risk-based approach is suggested by IIA Standards, as described in Risk Assessment in Audit Planning from IIA Belgium that Marinus de Pooter was kind enough to share with me. It quotes relevant IIA Standards:

  • IIA Standard 2010 … requires “The chief audit executive must establish risk-based plans to determine the priorities of the internal audit.”
  • IIA Standard 2010.A1 … requires that “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process”.

It says:

  • These standards require the Head of Internal Audit (HIA) to develop a risk-based plan. The HIA should take into account the organisation’s risk management framework, including risk appetite levels set by management for the different activities or parts of the organisation. If a risk management framework does not exist, the HIA uses his/her own judgment of risks after consideration of input from senior management and the board. The HIA must review and adjust the plan, as necessary, in response to changes in the organisation’s business, risks, operations, programs, systems, and controls.
  • The main challenge faced by the majority of internal auditors is how to allocate limited internal audit resources in the most effective way – how to choose the audit subjects to examine. This requires an assessment of risk across all the auditable areas that an auditor might examine.

I do not recommend the IIA Belgium guide for several reasons, including the fact that in the detail it talks about identifying and assessing the risks to the objectives of auditable entities (the audit universe, a concept that should be retired) instead of the risks to the objectives of the enterprise (captured in a risk universe).

When I became CAE, that was the prevalent thinking, to risk-prioritize auditable entities. I started talking, instead, about enterprise-risk-based auditing.


But there are times where we should be focusing more on where we can add value rather than where the greatest sources of enterprise risk lie. While they are more often than not the same, that is not always the case.


First, there are situations where the level of risk is and should be considered “low”, but there is great value that could be mined and delivered by internal audit.

The first of these that I experienced as CAE was highlighted by the chair of the audit committee, Clarence Frame. Tosco at that time was a $2b revenue oil refining and marketing company. However, its roots were in its name.

In a previous era, the name of the company was The Oil Shale Company, abbreviated to TOSCO and later changed to Tosco when it found that there was no money to be made mining oil shale. It acquired a number of oil refineries[1] and concentrated on that space.

However, it continued to own land with oil shale deposits and the water rights crucial to any future mining activity.

Clarence was concerned that the company complied with the rules that mandated certain continuing activities if it were to maintain those water rights.

There was no associated revenue, only costs, and management had no desire to spend any time on the past dreams of its founders.

The risk was that we would lose the rights, and we all knew that would have no effect on the company’s operations or results in the foreseeable future.

But Clarence and the audit committee, with some support from the CEO, saw value in knowing that appropriate actions were being taken to preserve the potential long-term revenue from oil shale. If the price of crude oil rose significantly (seen then as highly unlikely), the oil shale and water rights would be of high value.

We know now that Clarence was right and the rights needed to be preserved. By the time the oil shale became viable, Tosco had been sold to Phillips Petroleum (now part of Conoco) and I had moved on.

We completed the audit and found that certain actions were required to preserve the rights. Management reluctantly agreed and the shareholders of the successor companies have benefited.

We should always pay attention and consider audit projects that are of high value to the audit committee or CEO. They are not, in my opinion, automatically included but should be given strong consideration.


Then there are situations where the risk is high, but the value of an audit is low.

For example, when I started as CAE at Solectron, the company was still engaged in acquiring smaller businesses and their assembly plants around the world. It was a contract manufacturer for electronics companies like IBM and Intel and our >120 plants served their needs around the globe. But 120 was too many and the average utilization rate (which measured how much of our capacity we were using) was well below 50%. Costs were rising at the same time as our competitors were pushing sales prices down. They were able to use their factories more efficiently and it showed in their competitive bids.

There was a serious possibility that the market would continue to put pressure on sales price, maybe even more pressure, and if we didn’t do something to seriously rationalize our footprint we would go out of business.

I had this as a high-risk issue.

But when I started looking further into the problem, I found that management had already established a high-powered task force to assess the situation and make recommendations.

It was clear to me that the right work was being done by the right people, with access to and support from top management.

There was little to no value to any audit project, whether assurance or consulting. I considered an audit to evaluate whether management had sufficient reliable information to enable an informed decision, but the task force leaders assured me that they did.

I continued to monitor the project through periodic meetings with the task force leaders.


The risk-based approach tends to focus on the possibility of harm. But auditors should also consider whether management has controls and procedures to ensure they are seizing opportunities.

For example, I have seen:

  • Situations where controls could have been improved to ensure management is aware of and putting the best resources towards not only winning a sales contract but optimizing it.
  • Opportunities that were not recognized by management to deploy new technology and realize great benefits. Sometimes, it was technology that had been acquired but was under-utilized. Sometimes, it was because management didn’t have any discipline about understanding how new technologies could be used in its business.


Finally, there are situations where there really isn’t a risk as such. I am talking about where the concern is not about something that might happen at some point in the future, but with the current situation.

For example, at Maxtor the cost of our manufactured product (hard disk drives) was greater than that of our competitors. The reason was two-fold: we had some manufacturing operations in high-cost California, while our major competitor had similar manufacturing in China; and, we had outsourced some manufacturing of essential parts to a Taiwanese company where we were a minor customer, while our competitor had it all in-house in China. As a result, we were unable to develop a next-generation hard drive at a cost that would enable us to make money.

I spent a fair amount of time on a consulting project, looking to see whether there were opportunities to realize cost savings and then sitting in with management as we planned a new site in Thailand or Vietnam to replace that high-cost California operation.


Putting this together, I believe in a tweak of the risk-based audit approach. It should be enterprise risk and value auditing.

What do you believe in?

[1] and a fertilizer mining company on the whim of its president, soon to be sold.

The 2021 State of Enterprise Risk Management – a state of madness

May 7, 2021 10 comments

The ERM Initiative at North Carolina State University’s Poole College of Management has published its 12th annual report on the state of ERM practices. Each year, I have reviewed their report.

I bring it to your attention because it is an important topic and their report usually has some useful data on the level of maturity and effectiveness of risk management practices.

It has consistently confirmed, each year, that traditional risk management practices are not seen as adding value to an organization’s success. It may possibly help them avoid some degree of harm, but it will not add much to the chances of success.

As you will see later, more than half of the larger companies, those with revenues of $1bn or more, believe they have ‘complete’ risk management processes. But only 3% of the CFO respondents say that ERM is giving them much strategic value.


Let’s stop the madness. Continuing what hasn’t worked in the past, traditional risk management based on a periodic review of a list of risks, is not the way to succeed.


Change to enabling informed and intelligent decision-making and reaching an acceptable level of certainty that you will achieve enterprise objectives. This requires considering all the things that might happen, both good and bad. Focusing only on avoiding failure will result in failure.

Change to a continuous activity, not one that pops its head up every so often. After all, running the business is a continuous activity!


This year’s report has more detail than I recall in prior years, so I am going to excerpt more than in the past.

However, please note that:

  1. The professors who lead the ERM Initiative and conduct this annual survey are COSO ERM adherents. That is neither necessarily good nor bad, just a fact.
  2. They are academics without, as far as I can tell, practitioner experience. That is, again, neither good nor bad as academics are perfectly capable of conducting a survey – if they can ask the right questions. More on that later.
  3. The survey is of CFOs and similar executives. That will bias the results to a certain degree. There is no assurance that CFOs understand what effective ERM is all about, and they obviously tend to be far more risk averse than operational management and CEOs. However, a survey of CFOs is probably better than a survey of practitioners who will usually not have a clear understanding of how their activity is valued by operating management.


The authors start well (emphasis added by me):

We have recently encountered a new wave of challenging economic, political, social, and technological issues that triggered an unimaginable range of risks that have impacted virtually all organizations. Business leaders and other key stakeholders are realizing the benefits of increased investment in how they proactively manage potentially emerging risks. This is done by strengthening their organizations’ processes surrounding the identification, assessment, management, and monitoring of those risks most likely to impact – both positively and negatively – the entity’s strategic success. They are recognizing the increasing complexities and real-time challenges of navigating emerging risks as they seek to achieve key strategic goals and objectives.

Many organizations have embraced the concept of enterprise risk management (ERM), which is designed to provide an organization’s board and senior leaders a top-down, strategic perspective of risks on the horizon so that those risks can be managed proactively to increase the likelihood the organization will achieve its core objectives.

Unfortunately, they follow the COSO ERM practice of recognizing that risk can be good, bad, or both (the latter is rarely understood) at the beginning of their paper and then focus exclusively on avoiding harm when it comes to detail and practical guidance. There is nothing in COSO ERM nor here about how to see the big picture and weigh all the things that might happen, both good and bad, to make an informed and intelligent decision.

While they recognize (I think for the first time it is said explicitly in their report) that the intent is to “increase the likelihood the organization will achieve its core objectives” (a principle I have been pushing for several years in my books and this blog), they have nothing more to say.


Their survey (please take note, Mark, Bonnie, and Bruce) does not ask these important questions:

  • Does your ERM program effectively identify, assess, and evaluate together all the things that might happen and affect the business, both good and bad?
  • Does your ERM program help leaders make informed and intelligent decisions?
  • Do you measure the likelihood of achieving core objectives, given all the things that might happen, and act when that likelihood is not acceptable?
  • Is your program continuous, helping decision-makers understand and respond to changing business conditions?

I wonder if anybody will ask these questions in a broad survey of business leaders.


The authors do a decent job of identifying that there are problems when it comes to understanding what might happen before establishing core objectives and related strategies (something missing from COSO ERM):

Organizations continue to struggle to integrate their risk management and strategic planning efforts.

Except for financial services organizations, most organizations are not emphasizing the consideration of risk exposures when management evaluates different possible strategic initiatives or when making capital allocations.

Most organizations do not formally articulate tolerances for risk taking as part of their strategic planning activities.


They also recognize that too many organizations manage risks for their own sake, rather than with respect to how they might affect (positively or negatively) the achievement of objectives.

There are opportunities to reposition an entity’s risk management process to ensure risk insights generated are focused on the most important strategic issues.


In prior years, I have used the ERM Initiative report to highlight the fact that traditional risk management practices are not seen as effective. That continues to be the case:

Overwhelmingly, most organizations do not perceive their risk management processes as providing important risk insights that management can use to create or enhance strategic value.

This question was asked of the CFOs: “To what extent do you believe the organization’s risk management process is a proprietary strategic tool that provides unique competitive advantage?” The answers were:

  • Extensively – 3%
  • Mostly – 9%
  • Somewhat – 22%
  • Minimally – 31%
  • Not at all – 35%

Yet, many CFOs claim to have complete ERM process and practices, even “mature or robust”:

In 2009, only 9% of organizations claimed to have complete ERM processes in place; however, in 2020 the percentage has increased to 35% for the full sample. [56% of companies with revenues greater than $1bn claim to have a “complete formal enterprise-wide risk management process in place.” 35% of the full sample and 38% of larger companies claim a partial process is in place.] So, greater adoption of ERM has occurred.

While we observe an increasing percentage of entities that describe their risk oversight processes as “complete ERM processes,” that does not mean those ERM processes are mature. Interestingly, only 28% of full sample respondents describe their organizations’ approach to risk management as “mature” or “robust.”

This year, the report includes more detail that gives us a clue about what the authors believe makes a program “mature” or “robust”.

Percentage of respondents:

| Description of the Current Stage of ERM Implementation | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Our process is systematic, robust, and repeatable with regular reporting of top risk exposures to the board. | 42% | 65% | 75% | 62% | 33% |
| Our process is mostly informal and unstructured, with ad hoc reporting of aggregate risk exposures to the board. | 26% | 21% | 17% | 16% | 26% |
| We mostly track risks by individual silos of risks, with minimal reporting of top risk exposures to the board. | 19% | 10% | 6% | 17% | 27% |
| There is no structured process for identifying and reporting top risk exposures to the board. | 13% | 4% | 1% | 5% | 14% |

As you can see, the survey is focused on whether a list of risks is periodically reviewed.

Let me stress this: the periodic review of a list of risks may be traditionally seen as effective risk management, but it most definitely is insufficient. Effective risk management helps an organization have an acceptable likelihood of achieving its core objectives by making informed and intelligent decisions! (Marks, 2021 and earlier)

Why is risk management in so many cases less than “complete and robust”?

It’s clearly because those holding the purse strings don’t see the value! The authors say:

The most common barrier in the full sample to advancing an organization’s risk management processes is a perception that there are other more important priorities for the organization, with 41% identifying this as a “barrier” or “significant barrier” to the organization’s implementation of ERM processes. Not-for-profits especially perceive that to be a significant barrier to ERM progress.

It’s a “barrier” because management does not see the value and wants to spend its time and money elsewhere. If only risk management focused on helping those same people make informed and intelligent decisions so they can maximize their bonuses!


The report also discusses the frequency of updating a risk inventory (about half only do it annually!), how many organizations have a CRO or equivalent, and the extent of management and board risk committees, and more.


I congratulate the ERM Initiative for their 12 years of running similar surveys. I plead with them to ask better questions to help everybody stop the madness and start a journey to effective risk management.


I welcome your thoughts.



An agile audit function needs an agile leader

May 4, 2021 8 comments

My post on agile/Agile internal auditing has attracted a lot of attention, most in support but some have differing opinions.

I want to point you to the thoughts of three individuals.


The first is James Patterson. He is the author of Lean Auditing: Driving Added Value and Efficiency in Internal Audit (I was honored to write the foreword).

James was asked by one of the readers of my post to share his thoughts, which he did at Lean and Agile Auditing. I recommend reading the entire article, but I will excerpt his closing:

In summary, as I see it, lean & agile internal auditing (small a) is about professional auditing that:

I) Understands how internal audit adds value (e.g. via the kano[1] framework);

II) Is clear who internal audit is adding value to (and it should not just be the person who is being audited);

III) Delivers assignments with less waste (e.g. muda[2], rura[3] and muri[4]), on a timely basis,

IV) Delivers insights (e.g. through root cause analysis and benchmarking good practices)

V) Communicates with impact (e.g. killer facts)

.. All of which is set out clearly in an assignment methodology that will pass an IIA EQA[5]..

And above everything all techniques – lean, agile, continuous auditing, data analytics etc., etc. should be seen as simply tools and frameworks that support progressive internal auditing, and not be seen as an end in themselves. 


The second individual is Mark Williams. While he has not been an internal auditor himself, he coaches internal auditors on agility. He says:

Being agile is a means to an end. The end goal being a better auditor. As a coach and trainer I love helping people be the best they can, and I’ve seen that being agile-minded will help you be a better auditor (or leader in IA).

Mark leads a class on being an agile auditor (which he says is sold out for the next several months) and I like the diagram he uses to describe it:

[Diagram: Mark Williams, Agile Auditor]


He shared with me an article (one of several he is writing for Wolters Kluwer), Leading for agility: Key behaviors of an agile-minded internal audit leader. Here are a few excerpts:

  • Being more agile-minded will help you capitalize on the collective skill and capabilities of your department – and help you become a better leader.
  • To deal with unknowns and complexity, we need to be responsive to change and course correct. Agile-minded leaders make this real by building and incorporating rapid feedback loops. It’s more than regular engagement and collaboration; think of it as a repeatable loop.
  • Undertake rapid feedback loops with stakeholders (audit committee, senior management, risk function, etc.) on the department’s audit plan on a real-time or continuous basis (away from a monthly, quarterly, or annual frequency). Note: The frequency of these feedback loops is a healthy debate as we are in such a dynamic and volatile environment with many uncertainties and new risks emerging. Is what you’ve always done rapid enough for an ever-changing environment? Is a monthly or quarterly feedback loop responsive and rapid enough to highlight changes and challenges so they can be fed into your plans and audit delivery?
  • Conduct a rapid feedback loop with first and second-line management on a continuous or rolling monthly frequency (not on an ad hoc, quarterly, or annual basis).
  • Agile-minded leaders actively practice and promote servant and intent-based leadership:
    • Encouragement, support and development of your people
    • Enables, removes blockers, resolves conflict
    • Intellectual authority, foresight
    • Collaborates, shares, coaches
    • Listens, trusting, humble and self-aware
    • Sets intent rather than micro-manages
  • Being more agile-minded requires new behaviors and for people to think differently about what they work on and how they work on it.


While I prefer small, focused, and agile audits to those that are so long you need to sprint from one stage to another, I have a great deal of common ground with Mark.

I would add some additional points:

  • Understand what you want to accomplish before you start. For example, are you intending to do sufficient work to form and then express an opinion? What is the opinion on and how do you intend to share it?
  • What options do you have for accomplishing your goal? Which is the best? For example, is there technology that would help you do it faster and better? Who would be the best person to do the work?
  • Where is the value in the project? Is it in assurance, advice and insight, or both?
  • Can you do the work in a way that will challenge and excite the staff performing it? See this post from 2019: The Wonder and Joy of Internal Auditing.
  • How can you limit your own time on the project, so you are there when needed and not there when you are not?
  • How can you work with management so that they will want the project done and look forward to its results? How will you communicate with them and discuss (not simply report) what you are seeing so management can take prompt action?
  • What steps can be eliminated without harming the result? (In other words, eliminate any wasted motions or muda.)
  • How will you work with the management team and the audit committee so that they anticipate and welcome your agility?
  • Do you have the right people on your team, the best people, to perform agile auditing? Can they think? If not, what are you going to do about it?


The third person I want to refer you to is Hal Garyn, recognized by Richard Chambers as one of the top ten internal audit thought leaders of 2020. In Managing Internal Audit – It’s a Brave New World, he comments on how a CAE has had to adapt to a world shaped by COVID and working from home. But that is not the only driver of change he discusses. He says:

  • Some have gone so far as to hypothesize that the way we work has changed for good and how we deal with managing, motivating, evaluating, and interacting with the people we are responsible to lead altered permanently as a result. And that new way of working may not even be because of fully embracing a WFA (work from anywhere) practice, but certainly a more modified remote working reality into the foreseeable future.
  • If anyone is waiting around for a return to normal, or a new normal, they might have a long wait. What is certain seems to be that the prior state of how we approach our work and how we interact with each other in the workplace has changed forever. And, what we used to consider normal is no longer what will be the case either. Regardless, it will be new, and it will not feel normal. We, as a profession of internal auditors, have adapted to the current state and we will adapt to the new state of things. It will require a level of use of technology, nimbleness, flexibility, and interpersonal interaction that we have never deployed at any time in our careers. But all these changes were always on the horizon. It is just that factors conspired to accelerate those changes. We are ready, willing, and able.


We must not only be willing to change as our environment changes, but our leaders have to be flexible and agile as well.

Unfortunately, many who have been to my presentations tell me that the greatest obstacle to progress in the internal audit function is the CAE.


I welcome your thoughts.

[1] Kano is a prioritization framework.

[2] Anything the customer wouldn’t gladly pay for, including the waste of time (such as auditing areas that are not critical to the enterprise), excessive communication (such as sharing information they don’t need to know), or the waste of an opportunity (such as not demanding every auditor think for themselves).

[3] I think this is a typo and James meant Mura, which is a lack of uniformity or consistency. It relates to uneven supply of materials to a workstation, so I am not sure how it applies to internal auditing.

[4] Overburden, or asking somebody to do more than they can. One example I have seen is a CAE having her staff perform all the SOX testing in Q4, leading them to work 10–12 hour days, 6–7 days a week. None stayed with the firm.

[5] External quality assessment

Is agile auditing the latest fad or a really great practice?

April 30, 2021 13 comments

I started talking about an agile internal audit practice many years ago. In fact, I still have the deck from a presentation I gave to my local IIA (San Jose) chapter in 2002 entitled “The New Age of Internal Audit”.

I said, for example:

  • The greatest risk is typically at the edge
    • …where things are happening
    • …where there is change
    • …where management’s tolerance for risk is highest
  • Put IA resources where the risk is
    • Provide Assurance
    • Add Value by helping Manage the Risk
  • Audit at the speed of the business (and at the speed of risk)
  • Risk is constantly changing
    • Continuous risk assessment
  • Confront the risk
    • …the core of the risk
    • …the politically risky risk
    • head on


The idea was that internal auditors need to be prepared to rise to the challenge of turbulent change (driven primarily by technology) and modify our traditional practices. Risk is greatest where there is change and we must be responsive to those changes, providing assurance on what matters most (where the risk to objectives is greatest) when it matters (not taking weeks to complete a full audit and not then taking additional weeks or longer to report the results). Continuous risk assessment and the agility to change our plans at speed are essential.


In 2014, I presented to IIA Malaysia on “The Agile Audit Department”. I quoted Richard Chambers:

“..executives face extraordinary headwinds spawned by a turbulent environment in which risks materialize virtually overnight. Just this year, global financial and business markets have been rocked by spectacular cybersecurity breaches, geopolitical instability in the Middle East and Eastern Europe, refugee crises, and more.”

Then I shared what Jack Welch, former CEO of GE, said:

“If the rate of change on the outside exceeds the rate of change on the inside, the end is in sight.”

My point was that if we are not prepared to change when everything around us is changing, we are doomed. Just because we have been successful in the past doesn’t mean that the same practices will make us successful today and tomorrow.

I shared a quote from “Creating an Agile Organization” by Peter Cheese, Yaarit Silverstone, and David Y. Smith:

“The new business environment will favor those companies able to execute strategy faster, with more flexibility and adaptability, and move their companies ahead briskly.”

Then I asked if we, internal auditors and CAEs especially, are agile.

  • Are we able to execute faster, with more flexibility and adaptability, and help move our companies ahead briskly?
  • Are we constantly adapting so we can audit what is important now and will be tomorrow, or are we continuing to audit what was the risk when we put the annual audit plan together?
  • Are we helping leaders manage the business at the speed of risk? Are we auditing at the speed of the business – and of risk?

I explained that the agile internal audit department has these attributes:

  1. Focuses on providing assurance that matters, on what matters, when it matters.
  2. Has moved from hindsight to foresight + insight.
  3. Performs nimble, focused audits.


Let’s fast forward to 2021.

AuditBoard reports:

Adopting agile principles into one’s audit practice is a trend sweeping across the internal audit world, yet many auditors are unsure where to get started. A recent AuditBoard poll of over 1,000 internal auditors found that 82% say agile auditing has the potential to add more value to their work compared to the traditional project approach — although 45% reported a lack of knowledge or resources as the most significant obstacle to adopting agile.

They also say, in a different article:

When we talk about how to improve the internal audit function as a value-add function rather than just a cost center in the business, we frequently hear “agile” and “relevant” tossed around as vague cure-all concepts. When you hear these words in connection with audit, what comes to mind?

Did you think of the word “relevant” as being “pertinent, applicable, appropriate, suited, fitting, important”? A relevant audit team is one that audits activities that align with business objectives and is an important department within the business. All valuable things!

Today, “agile” is a buzzword that too often just signifies “fast,” and our present use doesn’t encompass what the word truly means or the potential for improving audit. Agile actually means an action that is “nimble, limber, spirited, sharp, active, clever, acute.” Clearly, an internal audit department that encompasses these qualities will be better able to anticipate and respond effectively to changing business risk profiles than one that is simply “fast.”

This begs the question: Can audit be relevant without being agile? Probably not, and an audit department should try to be both. CAEs need to break out of their historical frame of reference to embrace agility in pursuit of relevance. If the internal audit department functions without both agility and relevance, audit may follow a prescribed routine, potentially missing emerging risks and delivering a suboptimal customer experience.

While those two excerpts are valid, I would not recommend following any of the actions the company goes on to recommend. For example, they have “internal audit as a rotation” as their #1 action – and I would not place that in my top twenty. The closest recommendation I would make is the inverse of theirs: hire people who have line operations experience, whether in finance, marketing, IT, engineering, or other function. The intent is not to make them better auditors when they return to their line position, but to ensure auditors understand and have a business perspective when they perform their work.


PwC UK tells us that agile auditing (their version) can lead to “a 20% time saving on regulatory audits” and “a 10% time saving on less standard audits”.

However, they are talking about audits that require, on average, 5 people. Planning alone, which requires the involvement of everybody on the team, is two weeks.

Many of the audits my team performed were just two or three weeks, from planning to reporting! I bet I could save more than 50% of the time spent on every audit compared to the PwC approach!


I prefer the way that my friend Sandy Pundmann of Deloitte describes agile internal audit in an article published by the Wall Street Journal.

Agile IA is a flexible methodology for adapting Agile to the specific needs of an internal audit function and its stakeholders. Originally a software-development methodology, Agile aims to reduce costs and time to delivery while improving quality. Specific characteristics of the Agile methodology include delivering tested products in short iterations and involving internal customers during each iteration to refine requirements.

Agile IA has many potential benefits, but implementing it calls for shifts in the function’s approach, such as that from rigidly planned activities to fast, iterative activities, and from following a preset plan to responding to emerging needs.


However, the urge to adhere to principles and practices that have proven to work in software development is a distraction.

Discard the idea of scrums, etc. (techniques in Agile) and focus on the goal:

Provide assurance on what matters, when it matters, and help the organization succeed.

I agree with AuditBoard that this requires an internal audit function that is “nimble, limber, spirited, sharp, active, clever, acute.”


How do you get there?

Here are my suggestions, proven in a couple of decades of world-class practice (and described more fully in my highly rated Auditing that Matters):

  1. Make sure that you are auditing the issues (both risks and opportunities) that matter to the success of the organization. What has to happen, or not happen, for enterprise objectives to be achieved? Can you add value by auditing the controls that ensure those things happen or not happen, or by providing related advice and insight?
  2. Leverage the organization’s ERM program (after auditing it for reliance purposes) but don’t be limited by it.
  3. Make sure you are not auditing issues that don’t matter! Eliminate from the scope of each audit any area where, should there be breakdowns, there would be minimal or no real impact on the achievement of the objectives of the enterprise. In other words, make sure you are auditing what matters to the enterprise rather than to local management.
  4. In fact, eliminate from the audit plan projects that don’t meet the criteria in #2.
  5. Only perform sufficient work to reach an opinion. Work doesn’t have to ‘expand to fill the time available’ (contrary to Parkinson’s law – a fine book, by the way). Once you have formed a professional opinion, STOP auditing and move to close!
  6. But if you run across an issue that would be significant but wasn’t in scope, consider adding it to the scope of the audit. Don’t get trapped by the belief that you are limited to what was initially planned.
  7. Similarly, if you find you need more time to address an important area, consider adding time to the audit or scaling back another, lesser issue. This is called ‘Stop and Go’ auditing.
  8. Make sure your team has the experience, imagination, flexibility, and confidence to retain focus on what’s important, even when the target might be moving. Hire the best people to do the right work, rather than doing the work your people are capable of.
  9. Don’t be an obstacle to an agile, nimble, focused audit. For example, allow your team to adjust without always having to go to you for permission.
  10. Ensure documentation, working papers and so on, are no more than necessary. We are not judged by the quality of our working papers, but by the assurance, advice, and insight we provide. Challenge yourself to find the value of every hour of documentation and stop documenting where there is no real value. How many times do you ever refer to the working papers from a prior audit?
  11. Target no more than 100 hours for any audit, with exceptions justified carefully. That will keep you focused. Don’t fall into the trap that awaits Agile users of scope creep, where local management and the audit team find other ‘stuff’ that is interesting and even valuable to local management. (Obviously, if you truly have multiple areas of great significance in a single location, and you can only visit once – and I question that – then you will need more than 100 hours. But make sure that you really need all that time to reach an opinion on each area of significance to the enterprise.)
  12. Encourage fast and nimble audits that are completed as soon as possible, as every hour that is saved is one that can be used on another audit. There are always more issues that merit our attention!
  13. Communicate, communicate, and then communicate again. Discuss issues with management as soon as they surface and work with them to effect valuable change, identifying agreed action items rather than trying to look good by writing reports with recommendations. Listen, listen, and then listen again as management has (or at least should have – if not, that’s another issue) a better understanding of the business, risks, and opportunities.
  14. Incent your team to use their professional judgment, always thinking about what they see and what it means. Encourage them to feel empowered. Hire people who can and are able to think.
  15. Remember at all times that our job is not to write reports or identify findings: it is to help the organization succeed at speed.
  16. It is not about us: it is about the company we work for. Enjoy and savor its success, as we are contributing to it.
  17. Be sufficiently agile to change and do so quickly and with no regrets.


By the way, if your audit projects need scrums and sprints, they are giant mammoths rather than agile beings.


Capital A Agile internal auditing is a fad and should be ignored.

But small A agile internal auditing is not just a great practice, it is essential.


I welcome your thoughts.