Common sense talk about risk heat maps and more

October 12, 2019 6 comments

My congratulations go to James Lam, a long-time risk practitioner at E*Trade, and Chris Inglis, board member at FedEx, for their comments in a recent article. The piece says:

  • The current iteration of risk evaluation heat maps are akin to slow-to-pixelate Doppler radars. They don’t do cyber risk evaluation justice, nor do they convey impact in a thoughtful manner for a board of directors.
  • “I’ve seen heat maps since the ’90s … and I still don’t know what to make of them.” Looking at a heat map, the board is left to question the placement of risk. “Heat maps are one of the worst things that happened to risk assessment,” said Lam. “If I look at something in yellow, should I want it in the green? … or do I want to get closer to orange or red if I can get a return on the risk?”
  • Traditional color-coded risk assessments fail to quantify risk in a manner boards are prepared to understand.
  • If someone asks for $5 million for multifactor authentication, the board won’t know how to respond.
  • It’s a “breath-taking moment” when someone from IT can say they read the business plan during a board pitch.

Inglis says he wants his risk assessment team and cyber defense to be able to answer five questions during a pitch:

  • Are you defending the business or a component of the business, like digital infrastructure?
  • Are the people authorized to take risk the ones who mitigate the risk?
  • Has the security organization done everything defensible?
  • How are they defending the business?
  • Have you used all the instruments of power at your disposal?

I don’t think this goes far enough.

Quantifying the potential for a cyber breach to affect the business is a sound first step, but it is even more important to understand how such a breach might affect the achievement of enterprise (business) objectives.

Then, you can answer questions that should be posed by executive management and the board such as:

  • Does cyber risk represent an unacceptable risk to the achievement of enterprise objectives? If so, which ones? This determination requires the involvement of both technical and business management.
  • By how much would an additional investment in cyber reduce that risk? Will the investment be more than the reduction in risk? Why?
  • Should the investment be in prevention, detection, or response, or a combination of those areas? Why?
  • Can I afford that level of investment? Will it be at the expense of addressing another source of risk or seizing an opportunity? For example, will it mean that I will not have the funds for a marketing campaign, investment in new products or services, or an acquisition? How would it affect cash flow and earnings?
  • What are my options and why is one recommended by business and technical management? Can we really manage cyber risk by ourselves?

Only when the business impact is understood does it make sense to get into the details of which risks to which information assets should be mitigated and how.

For more on this topic, including an analysis of the major cyber frameworks and standards, please see Making Business Sense of Technology Risk.

I welcome your thoughts.


Allegations and investigations

October 6, 2019 5 comments

It is difficult today to avoid news about allegations and subsequent investigations.

First it was a slew of high profile allegations about sexual misconduct. Now it’s about abuse of power – and the sex-related allegations continue.

In my time, I have conducted many investigations, had my team perform others, and been a target in an allegation that was investigated by outside counsel hired by the audit committee. So I think I have some relevant experience!

What we should all note from the news is that a failure to perform an appropriate investigation is a serious source of risk to any organization.

This is what I believe:

  1. It is critical for any individual within the organization to be able to report suspected inappropriate behavior without fear of retaliation.

The apparent effort by members of the US government to identify a whistleblower and then paint him or her as a political operative is unforgivable and probably illegal (these federal employees are protected by law).

Unfortunately, many people do not come forward because there is a credible fear – justified by real life examples – of retaliation.

I advised (through her attorney) one lady who reported suspected wrongdoing by her manager to her company’s ombudsman, as required by company policy. However, her manager had started a disciplinary process against the whistleblower, triggered by that person’s refusal to perform what she believed to be corrupt acts demanded by the manager. The ombudsman was a senior member of the legal department who was advising the manager on the disciplinary process; he refused to open, let alone act on, the whistleblower’s complaint. Unfortunately, the whistleblower was fired, her allegations were never investigated, and her personal attorney failed to advise her properly on how to sue for damages. (Sadly, the only protection under federal law is when the whistleblower reports the suspected activity to the SEC. No protection against retaliation is provided when allegations are reported to the company’s ombudsman or hotline following company policy.)

At one company, an individual told one of my team that she had been subject to inappropriate sexual harassment. He came to me and I advised that the lady should report the allegation to HR or the hotline. Our team did not investigate personnel-related incidents. Later, I asked the VP of HR whether the allegation had been received, without naming the person. He said that it had been received but he had decided it had no merit and would not investigate. He had recognized the name of the complainant and that was enough for him. He said the lady had disciplinary problems and was complaining to protect her job, not because anything had happened. I tried to persuade him that the allegation needed to be investigated, to no avail. I reported this to the General Counsel and let him handle the issue, which he did.

Failing to investigate an allegation by an employee who is being disciplined exposes the company to a claim that the company’s actions against the employee are retaliation.

I also think about the ladies who have alleged inappropriate sexual activities by Supreme Court judges during the confirmation proceedings. They were not only identified by name but were publicly ridiculed.

These allegations should, if there was to be a fair process, have been conducted quietly by professional investigators with an open mind, not in public. Frankly, as I look at the current impeachment inquiry, I have to wonder whether the process is appropriate. It should be much quieter and performed by objective professionals.

  2. It is also critical that individuals outside the organization be able to report suspected wrongdoing by our employees.

I can recall a number of cases where vendors and customers gave us information that we investigated and determined there had been fraudulent acts. (The assessment of fraud is a legal determination, based on facts that we provide counsel.)

Few organizations, in my experience, have processes where vendors, customers, and others can report suspected inappropriate behavior by an employee of the company. When complaints are made, they generally end up in the wrong hands because the third party doesn’t know whom to tell.

  3. Every allegation should be considered. Before launching a formal investigation by my team, we look to see if there is predication.
    • If the allegation is true, would the actions represent a violation of law, company policy, or desired behaviors?

If not, we still consider whether it would be appropriate to conduct further inquiries; sometimes, the whistleblower did not explain the situation adequately and we have our suspicions.

If yes, then we determine who is responsible for the preliminary investigation: a process to see if a formal investigation should be opened. Sometimes, it is internal audit, sometimes HR, and sometimes it could be another function like physical security or legal.

    • Is there sufficient information and evidence that the allegation might be true?

Sometimes, we can fairly quickly determine that it is without foundation, in which case we document that and close the case. (We will consider contacting the complainant if we know who that is to make sure a mistake has not been made in the details they provided. On rare occasions, we might consider investigating whether this was a deliberate smear that represents a violation itself.)

There have been times where the allegation was too vague to investigate. If we can contact the complainant, we will try to elicit more information. If not, we flag the complaint, keeping it open and waiting to see if we receive more at a later date.

    • If there is predication, we will open a formal investigation. But we try very hard to keep it quiet. The fewer people who know about it the better, even (and especially) management. I am proud to have completed investigations of suspected inappropriate employee behavior and closed them as without foundation without the ‘targets’ even knowing there had been either allegation or investigation.

  4. All investigations should be conducted by trained (and certified, where possible) objective professionals.

My investigators (including myself) were either certified fraud examiners or had received appropriate formal training in investigations, interviewing, and interrogations.

The investigation is to uncover related facts. Interpretation of those facts is a management decision with advice from legal counsel. It is very easy, too easy, for investigators to form opinions that bias and taint the investigation.

Every ‘target’ must be treated with respect and dignity throughout the investigation.

I suffered through an investigation by HR of a personnel-related complaint against some of my employees. The investigator did not know what she was doing and alienated everybody – and then failed to uncover the truth.

When a complaint was lodged against me (together with the CFO), the audit committee engaged outside counsel. She was professional and handled herself well. It was an awful experience but turned out well – although the individual who invented the complaint was paid to leave the company, which upsets me even today.

  5. Internal audit should consider a periodic review to ensure all of the above and provide assurance to top management and the board that the allegation and investigation processes are appropriate.

Where internal audit itself is responsible for the hot line or related processes, and/or investigating allegations, they should consider engaging a third party to perform a review and report the results to the board.

What do you think?

KPMG studies ERM and gets some things right but misses the key point

September 27, 2019 6 comments

There’s some good material in KPMG’s Enterprise Risk Management Benchmarking Study, subtitled Evolving to an active, integrated and agile approach amidst change and disruption.

Here are some excerpts, with my comments, in the order in which they appear in the report.

  • Companies are rightly questioning the strength of their ERM programs in the face of rapid change, competitive disruption, an unrelenting news-cycle, and a global crisis in trust. Unfortunately, this questioning may come after a major risk incident for an organization, when vulnerabilities become apparent. Despite seismic shifts in the environment and a critical need for risk agility, the evolution of ERM is slow.

Comment: While it is important for organizations to “question the strength of ERM”, they should start with questioning why they have a program in the first place. No significant progress is going to be made unless and until organizations realize they are not in the business of managing risk; they are in the business of managing the business for success, which means achieving their objectives. Then they should question how ERM is supposed to help that, and the answer is that it should provide actionable information about what might happen so they can make the intelligent and informed decisions necessary for success.

Evolution is slow because too few are replacing the management of risk with the management of success.

  • ERM has the potential to contribute significant organizational value, helping organizations navigate both the opportunities and threats that risks present. In our survey, companies are making the right moves to address risk, but the question is… are they moving fast enough?

Comment: I concur that we need to manage both opportunities and threats. I only wish more people understood that the same tools and techniques can and should be used to understand both upside and downside – and then make a decision that weighs all the things that might happen and their effects on achieving objectives. I don’t concur that organizations are making the right moves. They don’t understand the basic nature of the problem – it’s not about managing risk, it’s about managing success.

  • Risk registers and heat maps are commonly used to document, prioritize and report on risks. However, ERM leaders see the opportunity to reduce the administrative burden of documentation and evolve to higher-impact reporting. An annual risk assessment process is still the predominant practice, but some organizations have been able to evolve to a more continuous approach.

Comment: KPMG points out the failure of most to do more than a periodic review of so-called top risks. But they still focus on reporting risks instead of reporting whether enterprise objectives are likely to be achieved.

  • A majority of surveyed companies expressed a desire to better connect risk and strategy, often citing the 2017 COSO Guidance on Enterprise Risk Management – Integrating with Strategy and Performance. Most indicated that while their executives informally consider risk during strategic planning, ERM often didn’t have ‘a seat at the table.’ For those organizations that have integrated ERM and strategic planning, natural advancements have been made in emerging risk management and consideration of risk as not just a threat, but an opportunity.

Comment: How can you set the right objectives and strategies without a disciplined approach to considering all the things that might happen to affect their achievement? You can’t, unless you are lucky.

  • One company has been able to correlate enterprise risks to potential impacts on strategic priorities and understand risk connectivity by adopting a dynamic risk assessment approach*. This has allowed business leaders to more deeply understand top risks, the interrelationship between risks, and the impacts of risk contagion, which has improved the clarity of what they must get right and what they cannot afford to get wrong.

Comment: It is easy to start with risk and then link to affected strategies. It is perhaps less easy to start with the strategies and ask (my questions, thanks KPMG for adopting them) what must go right and what can’t we afford to go wrong?

  • Study participants acknowledged that while the concepts of risk appetite and tolerance are sound, they struggle with practical application.

Comment: No surprise here! Guidance needs to be provided to decision-makers at all levels on how to take the right risks. Risk appetite at enterprise level simply fails that test. At best, it’s an after-the-fact check to see whether undesired risks have been taken. Too many fool themselves, investors, and regulators by expressing their risk appetite in aspirational language (such as “we have no tolerance for fraud or failure to comply with laws and regulations”) that is not actionable.

  • ERM leaders recognize that executive leadership needs to be more than just aware of top risks, rather they need to adopt a risk mindset, model behaviors and integrate appropriate risk management (including risk taking) practices into their approach. Leaders need to “walk the talk” in order to realize the value of ERM and grow a risk-aware culture. Respondents described a number of tactics to drive leadership engagement including concentrating effort on key leaders and influencers, evaluating the frequency and duration of risk discussions, improving reporting (e.g. dashboards and scorecards), and the formation of a dedicated risk committee.

Comment: How about having success or strategy performance discussions instead of siloed and out-of-context discussions of risk? Stop trying to get business leaders to use the language of risk and start having risk practitioners use the language of business. Talk about the likelihood of achieving objectives instead of whether the risk is high.

You don’t want to create a risk-averse culture that is afraid of seizing opportunities because something might go wrong – and they don’t know how to weigh the upsides and downsides together.

  • In general, enterprise risks are being discussed by senior leaders on a quarterly cadence, with the broader support of a risk champion network. For most organizations, the Audit Committee has responsibility for risk oversight at the Board level. Board level reporting was generally semi-annual, with a focus on the top 5-10 enterprise risks inclusive of strategic risk, status reporting on priority risk response efforts, and ERM program updates for more mature programs.

Comment: This is enterprise list management, not management of the business for success.

  • Many companies equate risk culture with tone at the top because you can’t have a healthy risk culture without it. A strong risk culture starts with leaders, who are not only engaged, but actively modeling desired risk management behaviors, setting clear expectations for their teams, taking a longer-term view and showing through their actions that risk management is something all employees must embrace — not just senior leaders and risk practitioners.

Comment: This is true, except that risk management is not about focusing only on threats. Learn what to talk and only then walk it.

  • Attention should be given to sharing stories of success and lessons learned to make the impacts of risk and the connection to routine decision-making real.

Comment: Excellent, especially the reference to decision-making.

  • It is more important than ever to get risk management right. Effective ERM will empower leaders to take the right risks, realizing significant strategic benefits (e.g. first mover advantage), support organizational agility and learning, and strengthen organizational resiliency and sustainability in a very uncertain climate.

Comment: Correct. But that means enabling and empowering decision-makers at all levels to make informed and intelligent decisions that lead to success – not just avoiding failure.

I welcome your opinions.

The board and cyber security

September 20, 2019 5 comments

There’s another useful article on Forbes. How to talk to the board about cybersecurity is written by an experienced CIO, John Matthews. Here are some useful excerpts with my highlights:

  • For technical professionals who increasingly find themselves plucked out of technical operations centers and dropped into boardrooms, learning to speak the language of business is critically important, not just for their jobs and teams, but for the business as a whole. If a CIO can’t effectively communicate budget requirements, or a CISO can’t articulate why the risk outweighs the efficiency that would be gained by rolling out a particular technology, it puts not only technical, but business operations and security, at risk.
  • …while security teams increasingly recognize the fact that breach prevention is a losing strategy, oftentimes the board is not quite there yet. Just as security teams are recalibrating their efforts towards detection, mitigation, and resilience, CISOs should encourage the board to look at how the organization is equipped to respond when the inevitable occurs—including how it will recover.
  • In the day-to-day of security operations (SecOps) and IT operations (IT Ops), priorities often come into conflict. One is focused on performance, which requires speed and agility. One is focused on protecting critical assets and data, which can often mean strict requirements and lengthy evaluations. But for the board, the only consideration is how these two things are supporting (or hindering) business operations.
  • CISOs and other security leaders do need to find ways to avoid being pigeon-holed as the team of “no.” If CISOs, together with CIOs, can demonstrate a clear understanding of business requirements and objectives and talk about what security measures need to be in place to achieve them, it reframes the conversation around “when” not “if.”
  • Ultimately Security is about tradeoffs: risk vs. reward, risk vs. speed. If you, as a technology leader, can demonstrate that you understand those tradeoffs and are capable of moving forward while balancing those risks, you will be seen as an asset to the success of your business, not a roadblock.

Let me talk for a moment about these excerpts.

  1. If a practitioner wants to have effective communications with leadership, he or she needs to use the language of that leadership. In most cases, that is business language. When it comes to risk management, I advise avoiding the four letter word, ‘risk’. It immediately causes a reaction by the listener that may hinder effective communication. Talking in business language about ‘what might happen’ is easier for everybody.
  2. It is nigh impossible to have 100% certain breach prevention. Do what makes business sense, but make sure you have measures and tools that will help you detect breaches and what hackers are doing promptly. The average detection time of 10 months is clearly unacceptable. Then have a discussion with business leaders about what might happen should there be (when there is) a breach. Invest in defenses consistent with the level of harm and how much it is reduced by such investment, and then ensure you have response processes that will minimize the damage and keep the business running.
  3. Discussion about cyber risk should be based on the way in which a breach might affect the business and the achievement of enterprise objectives. Please see Making Business Sense of Technology Risk, where I review existing cyber risk standards from NIST and elsewhere, and suggest a better way to assess the ‘risk’ and work with management and the board to make quality business decisions about handling it.
  4. Practitioners should focus on how they can help the organization succeed instead of helping them avoid failure. They need to be the department of ‘how’ instead of the department of ‘no’.
  5. Credibility and respect is gained (and truly earned) when practitioners can express their concerns within the context of business success. Know when it makes sense to take the risk of a breach because at some point there are better ways to spend the organization’s limited resources than on further investment in cyber. Investing money in cyber is at the cost of investing in a marketing campaign, product development, customer service, and so on.

Saying that cyber risk is ‘high’ is meaningless. Business leaders don’t know how much to invest in cyber, especially if they understand that the risk can never be eliminated and that the hackers are constantly developing new and better ways to break in.

I welcome your thoughts on the above and how practitioners can help.

Risk and the lemonade stand: how it matters in the simplest settings

September 14, 2019 5 comments

Your neighbors are asking you for help.

Their young children, ages 7 and 9, want to set up a lemonade stand in front of the house. While it’s not a busy road, there is a periodic flow of traffic. Most are people who live in the neighborhood and observe the 25 mph speed limit.

The parents are interested in letting their kids run a stand because of the life lessons it will bring them. They also support the children’s desire to raise money that will be donated to feed homeless people in the general area. (The homeless are a few miles away, not close to the family home.)

The parents have developed a list of ‘pros and cons’ but are undecided. Since you help people at work understand this strange idea of ‘risk’ (although you prefer to talk about ‘what might happen’ and the likelihood of achieving objectives), they have asked for your advice on how to assess the situation, their options, and the best path forward for the family.

Pros:

  1. It would help the children understand what it is like to run even a small part of a business.
  2. The children would develop skills in selling and communications.
  3. It will encourage their desire to help others.
  4. They will have to stay focused for hours, rather than being drawn away to play on their devices.

Cons:

  1. They might be discouraged if sales are poor.
  2. There is a safety concern with adults they don’t know, and because they will be close to the street.
  3. The parents will have to be there the entire time, even though they have other things to do.

How would you help? Make whatever assumptions you would like.

Hint: this is a ‘risk management’ challenge. What are the parents’ objectives and how would you go about assessing whether the likelihood of achieving them is acceptable and, if not, what actions to take?

Do risk appetite statements add value?

September 8, 2019 12 comments

I like to read Enterprise Risk, the official magazine of the Institute of Risk Management. Not only are its features often of interest, but it includes useful graphics that summarize studies, etc. on a number of useful topics.

In its Summer 2019 issue, the magazine captures the most interesting observations of a study by Baringa Partners (the full report is here).

  • Only about 15% of respondents strongly agreed that “Statements provide a clear link with the firm’s strategy”. About 30% disagreed.
  • About the same number strongly agreed that “Statements provide a forward-looking view of risk,” while nearly 40% disagreed.
  • Only about 10% strongly agreed that “Statements are embedded into business decision-making”. Again, nearly 40% disagreed.

As Baringa comments:

Whilst the majority of firms had risk appetite statements that were set by the Board and which were supported by relevant metrics, 50% of respondents noted that their risk appetite statements did not link to the firm’s strategy or to the actual underlying risk the firm faced, and did not provide a forward looking view of risk.

The regulators want to make sure that firms do not put the continued existence of the organization and the investment stakeholders have made in jeopardy as it pursues profit.

Risk appetite statements I have seen can be general in their language or specific, with metrics against which actual levels might be compared.

When they are general, talking about intent, such as “The Group has zero appetite for regulatory risk and a moderate appetite for the risk of litigation”, it is difficult to see how this affects decisions made either by the board or operating management.

When more specific metrics are established, such as “the Loans to Asset Ratio will be no more than 70%”, actual performance can be compared to the limits to confirm that it is in line with board-approved guidance.

But does such a comparison do enough to drive behavior in a dynamic environment? It is difficult to see how it is more than an after-the-fact check rather than a driver of management actions.

This is especially true when activity across the organization needs to be aggregated to compare to enterprise-level limits. For example, if I set an enterprise level target of “the Loans to Asset Ratio will be no more than 70%” but I have to aggregate Loans and Assets numbers across multiple business units and countries, how do I guide a Loan Officer in Guyana whether to approve a loan?


Let’s step back and think about what we are trying to achieve.

While the regulators focus on preventing failure through reckless risk-taking, stakeholders should be concerned whether management and the board are taking the right risks for success (i.e., not just avoiding failure).

Success is achieved, and failure avoided, when management and the board make informed and intelligent decisions.

Do risk appetite statements lead people to make informed and intelligent decisions?

If they are not:

  • Linked to the firm’s objectives and strategies for achieving them, and
  • Forward-looking, and
  • Embedded into every important business process, and
  • Measurable and actionable…

…they will have little effect on decision-making or success. Arguably, they have little effect on avoiding failure as well.

I am not persuaded that ISO’s risk criteria are necessarily the answer either!

Rather than providing guidance and limits on risk, I prefer to consider:

  • What decisions have to be made for success?
  • What could go wrong and what needs to go right?
  • What information do decision-makers need?
  • Who needs to make the decisions and who needs to be involved?
  • How can I guide decision-makers to take the right level of the right risks?
  • How do I monitor performance to know when poor decisions are made?

Maybe the answer includes risk appetite statements.

Maybe there are some aspects that you cannot really quantify.

Maybe you will have to rely on after-the-fact detection in some cases.

You certainly have to satisfy the regulators.

But you should also customize what you do to the needs and practices of the organization.

I am not persuaded that risk appetite statements should be the core around which risk management practices and programs are built.


What do you think?


The core principles for effective internal auditing

September 3, 2019 4 comments

I was privileged to be a member of the IIA’s task force that developed the Core Principles for the Professional Practice of Internal Auditing.

I believe they were a significant step forward in guiding internal audit functions around the world.

So, I was very interested when I saw that the IIA had published a new Practice Guide (PG), Demonstrating the Core Principles for the Professional Practice of Internal Auditing.

It is worth reading and discussing among practitioners.

But, while it has some good advice, it is also flawed. Let me take it principle by principle.


  1. Demonstrates integrity.

This is good:

“In simple terms, integrity means doing the right thing and providing honest, objective assurance and advice, even when doing so is uncomfortable or difficult and avoiding an issue might be easier (e.g., minimizing engagement observations or omitting observations from an engagement report).”

What is not said clearly is that internal auditors need to be brave – but not foolhardy. They need to find a way to communicate the fact that the emperor has no clothes without getting their head chopped off.

My main objection is that the Key Indicators omit the most significant factor: whether management and the rest of the organization believe in the integrity and objectivity of the internal auditors. Is IA able to set aside their biases (see my earlier post) whether favorable or adverse? Are they constructive in their advice, rather than confrontational?


  2. Demonstrates competence and due professional care.

By and large, the PG is OK, but again it misses a key point.

Is the internal audit function able to perform engagements on every area of significant risk to objectives? Many struggle with this, whether it is the ability to hire IT audit expertise or to staff audits on technical accounting, marketing, or engineering issues.

A key indicator should be based on:

  1. the ability of the IA team to perform audits of all significant sources of risk, and
  2. whether owners of those areas of risk believe internal audit has the competence to perform related audits, understand the issues, assess the adequacy of risk management and internal control, provide useful and valuable constructive advice, and communicate effectively.


  3. Is objective and free from undue influence.

As the PG states, this is closely linked with the first principle. But this one is more about the CAE being able to withstand any inappropriate pressure from management, whether it is in risk assessment, selecting which audits to perform, the staffing of those audits, or how the results are communicated.

While the PG includes some useful factors to consider, there are more:

  1. Who hires the CAE? Does the audit committee only consider candidates recommended by management?
  2. Who fires the CAE?
  3. Does the audit committee only approve the CAE’s compensation, or does it have a more active role?
  4. Who sets the budget for the IA function? Is the audit committee able to override any limitations by management?
  5. How strong is the relationship between the CAE and the executive team? How strong is the relationship with the audit committee?
  6. How effective and frequent are the in-person and other meetings with the members of the audit committee?
  7. What happens when management tries to interfere?


  4. Aligns with the strategies, objectives, and risks of the organization.

The discussion in the PG is quite good.

  • Internal auditors have a responsibility to add value to the organization they serve. One of the best ways to provide that value is to connect internal audit engagements to the risks that may have the greatest impact on the organization’s ability to achieve its objectives.
  • … the CAE should consider the risks to achieving the organization’s strategic objectives.
  • In response to changes in the organization’s business, risks, operations, programs, systems, and/or controls, the CAE must also review the plan and adjust it, even if that is necessary more often than annually.
  • … internal auditors should have sufficient information to regularly update the internal audit activity’s organizationwide risk assessment.

The Enablers and Key Indicators are again useful but incomplete. They omit:

  1. Few, if any, audits are performed where the focus is on sources of risk that are not strategic to the organization and its ability to achieve its objectives. That includes cutting out of the audit scope those sources of risk that are of concern only to middle or local management.
  2. The board and executive management support IA in a flexible risk assessment and audit planning process.
  3. Audits can be performed and the results communicated when management needs the information. That requires an agile and lean IA function that is responsive to changes in the business and its environment.


  5. Is appropriately positioned and adequately resourced.

The key is in this discussion:

Ideally, the CAE functionally reports directly to the board (i.e., the highest level of governance in the organization), which preserves independence by providing the CAE with unrestricted access to address sensitive matters, especially those involving management or senior management. Administratively, the CAE should report to the highest level of management, which is generally the CEO, or at least to a level that enables the internal audit activity to carry out its responsibilities.

My earlier comments apply to this Principle as well, but:

  • ‘Percentage of completion of internal audit plan’ is a very poor indicator of quality. A high percentage may indicate that the function is insufficiently flexible and is not adapting as conditions and risks change.
  • Another key indicator in the PG is ‘Percentage of internal audit plan available for management requests.’ But every audit, including those at the request of management, should be prioritized based on enterprise risk and value. Best practice is not to allocate a percentage of the plan to management requests, but to have a flexible plan that includes such requests when justified.
  • ‘Percentage of internal audit plan coverage dedicated to high-risk processes and entities’ is another key indicator in the PG. Not only should it be 100%, but every hour on every audit should be spent on issues that are of potential significance to enterprise objectives and success.


  6. Demonstrates quality and continuous improvement.

This is clearly important and the traditional methods for measuring quality are discussed in the PG. I prefer to ask management and the board:

  1. Are we providing you with the information you need, when you need it, in a form that is actionable?
  2. Do you believe our team and our work product are as effective and valuable as they should be?


  7. Communicates effectively.

The PG goes down a rabbit hole that was not envisaged by the task force. We were focused on communicating the results of our work, which should not be limited to the written report.

Meetings with management where a two-way discussion can be held, with questions asked and answered as necessary to build a common understanding of the situation, its condition, and what needs to be done, are far more important and valuable than a written report.

The written report needs to communicate:

  1. What the stakeholder in management or the board needs to know, rather than what IA wants to say.
  2. Whether there are issues of significance, defined as matters that represent an unacceptable level of risk to enterprise objectives.
  3. Whether senior management and/or the board need to act themselves, or at least monitor actions taken.

Anything more is potentially burying valuable information in a mountain of waste.

But the PG starts and spends most of its time on the communication of matters that may be important to some CAEs (not to me) but are not of significance to top management or the board.


  8. Provides risk-based assurance.

Key here is to focus on enterprise risk, not risk to the objectives of a function or department. That is an area of the IIA’s Standards that needs to be updated.

The PG refers appropriately to the risk assessment and the maintenance of an audit plan that focuses on the risks of today and tomorrow to enterprise success.

But it fails to explain the word ‘assurance’.

Assurance should be one of the primary products of internal audit work.

Are management’s processes, systems, organization, and so on sufficient to provide reasonable assurance that the more significant risks to the success of the organization are at acceptable levels?

Saying that something is unacceptable, high risk, or low risk, is not providing the assurance stakeholders need. Provide the context and actionable information if the risk to objectives is unacceptable.

Is everything OK or not? If not, where and what needs to be done?

As noted earlier, the metric should be whether stakeholders believe IA is providing the information they need, when they need it.

I am reminded of a conversation I had with the chair of the audit committee at the first company where I was CAE. I asked him for his assessment of IA performance. His answer was:

“You help us sleep through the night.”

We gave him the assurance that he could rely on management to address the more significant sources of risk. Similarly, executives told me that we gave them that same necessary assurance, together with constructive and objective advice, when any area, new or emerging, needed attention.


  9. Is insightful, proactive, and future-focused.

Our focus on the task force was that internal audit should audit the risks of today and tomorrow, rather than those of history.

The organization is moving forward and reporting on the past only has value if it is relevant to decisions and actions today and tomorrow. That way of thinking is not reflected in the PG.

We included the wonderful word ‘insightful’ because we wanted internal auditors to loosen the shackles of the written report and share all their insights about the area audited with management. As noted earlier, in-person communication is an under-utilized tool.

There are insights that don’t belong in a formal report but can be shared more informally with management.

We are professionals and are entitled to share our professional insights and advice, even if the objective evidence may be lacking. All we have to say is that it’s our opinion, based on our experience and so on.

The PG goes down another rabbit hole when it links the use of analytics and other technology to being insightful, proactive, and future-focused. While they are wonderful tools that can help, the attitude of the auditor is what we are talking about – not the tools they may or may not use.


  10. Promotes organizational improvement.

I agree with this:

“If the internal audit activity is implementing this core principle, management will consider the internal audit activity to be a business partner and a trusted advisor that helps it to achieve its objectives. Evidence of this relationship includes management proactively reaching out to the internal audit activity to request services. Additionally, stakeholder surveys issued by the internal audit activity may measure whether management finds value in a collaborative partnership with the internal audit activity.”

But the percentage of consulting engagements has nothing to do with quality performance. When audits identify issues, we should be working with management to agree on corrective actions, which management then implements.

The PG is generally OK with its Key Enablers and Key Indicators, but I prefer seeing whether management believes we are contributing to their and the organization’s success.

Is the money spent on internal audit worth it?


The Core Principles are something that every internal auditor should understand and against which every CAE should measure the performance of their function.

My guidance is in Auditing that Matters and I plan to provide more in the coming months.


I welcome your comments.