Understanding data breaches 2020

July 1, 2020 2 comments

For 13 years, Verizon has shared their Data Breach Investigations Report. The 2020 edition is now available.

As usual, it contains some interesting information:

  • Only 70% of breaches were by external actors.
  • Organized crime was behind 55%.
  • Nation states, sysadmins, and end users were each behind about 10% of the breaches.
  • 22% included social attacks (pretexting and phishing), 96% of the time by email. 1% by phone or SMS.
  • 17% involved malware; 27% of malware was ransomware.
  • 8% was from misuse by authorized users.
  • Partners were involved in 1%; multiple parties were also involved in 1%.
  • 81% were contained in one day or less [a massive improvement from what I have read in the past].
  • 72% of the victims were large businesses.
  • 58% of victims had personal data compromised.
  • 20% of breaches take months to be discovered, a significant improvement from prior years
  • Of the 108,069 breaches and 157,525 incidents reported to Verizon, more than 100,000 breaches “were credentials of individual users being compromised to target bank accounts, cloud services, etc.”
  • There were 25,029 incidents involving organizations where they could identify the industry category. 7,463 (30%) involved professional organizations, 6,843 (27%) were of public organizations, and 5,471 (21%) were information industry related.
  • Of the 3,262 breaches involving organizations where the industry was known, 521 (16%) were in healthcare, 448 (13%) in finance.

Unfortunately, there is next to no information on the extent of damage caused by the incidents. The top part of Figure 32 seems to indicate that very few exceed $100,000. However, the report says that “In 2019, the Secret Service prevented $7.1 billion of cybercrime losses and returned over $31 million in stolen assets to victims of fraud”.

The report has some fascinating detail that should be of great interest to infosec practitioners.

I keep coming back to the issue of whether data breaches are as significant a ‘risk’ as people make out. All of the studies point to small losses among a few massive ones that hit the headlines.

I suggest that every organization consider:

  • If we have a breach, how is it likely to affect the business and how it is run? Consider that there may be a single breach or a sequence of breaches by the same people.
  • How great would the damage be?
    • In terms of dollar losses?
    • In terms of impacting our ability to meet business objectives?
  • How likely is it to be so significant an impact that it merits board attention? Remember there is a range of potential impacts from minor to massive, each with its own likelihood, not a single point.
  • How much should the organization invest to prevent, detect, and respond to breaches – given the potential downside of a breach, the resources available for investment, and the opportunity to invest those resources elsewhere?

Cyber is a tough topic to translate from techie-talk to business-speak, from the concerns of the CISO and CIO to those of the CEO and the board. If you haven’t seen it, please consider my thought-provoking Making Business Sense of Technology Risk.

How do you measure the effectiveness of internal audit?

June 25, 2020 18 comments

I want to thank Dr. Rainer Lenz for telling me about the new paper he and Dr. Marc Eulerich have written for the IIA’s Internal Audit Foundation. (I also want to commend the Foundation and the IIA Dallas Chapter, the sponsor, for their innovative crowd-funding of the paper.) Rainer and I have exchanged thoughts and ideas about internal audit for years, and I respect him and his contributions to the profession.

The products of the Foundation are intended as leading research. They do not represent guidance.

Defining, Measuring, and Communicating the Value of Internal Audit: Best Practices for the Profession has some excellent content, especially the quotes from CAEs. I will focus on those before explaining why I think it falls short.

  • Internal auditors and internal audit functions have been struggling — some more than others — to find convincing answers addressing one fundamental question: What is the added value of internal auditing in the specific organizational context?
  • Internal audit’s perceived value and its standing in the profession itself and among its stakeholders is still often described as hazy and enigmatic.
  • Deloitte (2018) finds that only about 40 percent of CAEs believe that their function has strong impact and influence within the organization and only 46 percent think that stakeholders are aware of internal audit’s services. In other words, more than 50% of internal audit’s key stakeholders do not see the added value of their audit functions.
  • …there is a difference between the value internal auditors think they rendered and what their stakeholders perceive.
  • “[What we] try to do is help the company identify the top risks, determine whether or not the management and risk management practices are adequate to deal with those risks or whether or not additional work needs to be done […]. Then I’m providing the assurance that it’s in place and operating the way it should be […]. I’m like your doctor or your dentist, I can’t brush your teeth for you, but I can tell you here are the steps you need to do to be healthy and I don’t want to be a police officer. I want to be that person that helps you get healthy, but I can’t do it for you.” —CAE of a large multinational technology company
  • “The audit committee and the management board know that we are going after the right topics and provide advice about these hot topics and we have a lot of them in our company. That is, I would say, our number one value. Number two, obviously, is that the audit committee and our board of management not only know that we go after the right topics, but that we have the competencies to tackle those topics.” —CAE of a large, listed infrastructure company
  • …the survey responses unambiguously suggest assurance services as internal audit’s core value.
  • …in some organizations, stakeholders actually completely deny internal audit’s value.
  • “Our value proposition cuts across all of the types of risks that the company sees, going from operational through financial and regulatory. We have to offer assurance for the audit committee and the C-level.” —CAE of a large multinational company from the financial industry
  • “We are providing the assurance: is everything (e.g., controls) in place and operating the way it should be?” —CAE of a large listed multinational company
  • “We are seen as the trusted advisor at least for management, we give them advice and also give the audit client advice, how they can do better. We are not only the bad ones, telling them what they are doing wrong. We also tell them how they can do better. Thus, it is important to be ready to switch your roles.” —CAE of a large listed multinational company
  • “How would I define the strategic value of internal auditing? From the perspective of the person receiving the value, they (the stakeholders) are able to say, I can use this information from internal auditing. I needed this information and I can actually make things better.” —CAE of a large national governmental organization
  • [Only] about half of the participants stated that they deliver significant value.
  • …company size does not prevent internal auditors from adding value to the organization. The overall picture regarding total assets and revenues suggests that there is no association between company size and value creation.
  • …the self-perception of audit leaders surveyed is that the audit committee and senior management (the two central stakeholders of internal audit) are very satisfied with the work.
  • …the added value of internal audit can be made clear through direct communication between the CAE and key stakeholder groups. The direct contact with both senior management and the audit committee provides the internal audit function with the opportunity to demonstrate and discuss its value performance and establish a relationship built on trust.
  • Truly audit what matters to the success of the organization. Become a respected value driver of the organization.

I find it refreshing and exciting to see the ideas and even the language I have been promoting for many years repeated by the authors and the CAEs they talked to. Just look at that last sentence I quoted. It’s something I might have said.

Now for the criticism. (Sorry, Rainer.)

  • The paper talks about ‘assurance’ as being limited to financial reporting and compliance. This is a major misunderstanding. As referenced by the CAEs that are quoted, assurance relates to all sources of ‘risk’ and opportunity. “Is everything in place and operating the way it should be?”
  • No reference is made to the Core Principles for the Professional Practice of Internal Auditing. (I thank Paul Hicks for pointing this out.)
  • The value of anything is what people are willing to pay for it – as a general rule.
  • To know whether the stakeholders on the board and in top management believe they are receiving full value is to ask them. To quote from the paper, “there is a difference between the value internal auditors think they rendered and what their stakeholders perceive.” If they say, for example, “I can use this information from internal auditing. I needed this information,” then you are adding value. I cover this extensively in Auditing that Matters, with examples of positive responses to the question of “How are we doing” of:
    • “Keep it up or you’re fired”, a joke by the CFO before awarding me a huge bonus
    • “You help us sleep through the night” from an audit committee chair
    • “You have yet to perform an audit I wouldn’t gladly pay for” from a divisional CEO
    • “You help us stay efficient” from another divisional CEO
    • “I want you to attend the IT committee meetings” from a board member who chaired that committee
    • I (an executive) don’t want to cut internal audit budgets when we are having layoffs.
  • The metrics discussed in the paper are, by and large, measures of ineffectiveness. For example, completion of the audit plan measures whether you have continued to audit what used to matter, rather than what matters today and tomorrow. If you have an audit plan that is continuously updated, by definition you are completing it.
  • There are other metrics which are more useful, such as the number of requests from management for assistance. A soft one, which defies measurement, is the speed with which executives respond to e-mails or requests for a meeting.
  • While I agree with the use of a maturity model in assessing internal audit performance, the one in the publication is poor. Providing effective assurance on what matters, when it matters, satisfies all three levels of the paper’s model, and there is insufficient attention to providing insight as well as advice. I have a much more sophisticated model. Unfortunately, it is not free: Is your Internal Audit World-Class? A Maturity Model for Internal Audit.
  • The publication has contradictory information without explanation:
    • …only about 40 percent of CAEs believe that their function has strong impact and influence within the organization and only 46 percent think that stakeholders are aware of internal audit’s services. In other words, more than 50% of internal audit’s key stakeholders do not see the added value of their audit functions.
    • [Only] about half of the participants stated that they deliver significant value.
    • Survey participants indicate that more than 80% of the stakeholders are either “very satisfied” or “satisfied.”

Finally, if you have to tell the audit committee and CEO how valuable you are, you are lost. If they don’t already believe you are valuable, then you are doing something wrong.

If I was on the audit committee of an organization, I would assess internal audit based on:

  1. Are they helping me be effective as a board member, providing the assurance, advice, and insight on what matters, when it matters, in an actionable form that I need?
  2. Does the management team believe and trust internal audit’s assurance, advice, and insight? Do they agree that internal audit provides the information they need on what matters, when it matters, and in an actionable form?

When I started out as a CAE many, many years ago, I started to fall into the trap of trying to put a value on our assurance, advice, and insight. The number is meaningless.

I turned instead to asking my stakeholders some simple open-ended questions, such as “are we helping you as much as we should” or “are we doing something that is not valuable to you?”

The only thing that matters is the assessment of the customer. Having said that, there is good advice available elsewhere (hint) on how to build and then measure a world-class internal audit function.

I welcome your thoughts.

Announcing a new pair of books for internal audit practitioners

June 19, 2020 4 comments


One of the best ways for an internal audit department or individual internal auditors to upgrade their practices is by discussing case studies.

I learned this through a friend of mine, Professor Barbara Toffler, who mentored top executives on ethics. Instead of learning an ethics code, which is not sufficient in guiding action in real life, she led sessions where a team of executives would discuss one or more case studies based on real life situations. This was very effective in helping them think through the implications of the situation and how they should – and should not – respond.

Auditing that Matters: Case Studies is a collection of 20 case studies based (all but one) on real life situations from my years as an internal audit executive.

When an internal audit function holds a team meeting, each member is given a copy of this book (preferably in advance) and asked to think about what they would do. Each case study ends with a number of questions, but the leader can certainly either adapt them or add his or her own.

Then the team leader can facilitate a discussion of the selected case and see if the team can, after exploring the options, come to a shared approach. The discussion alone can be illuminating even for the more senior members of the team.

The team leader uses the partner to the Case Study book, Auditing that Matters: Case Studies Discussion Guide to help him or her with ideas and suggestions for each case.

While the pair of books is designed for groups (including college classes), individual practitioners may also find the books useful.

Both books are available in e-reader form from Amazon (Kindle), but I recommend the print copy so people can highlight sections or make notes.

This pair of books rounds out a series. First there was World-Class Internal Auditing: Tales from my Journey that explained how I came to my approach to internal auditing. Then, Auditing that Matters explained how to achieve what I consider world-class internal auditing practices, and most recently I published Is Your Internal Audit World-Class?: A Maturity Model For Internal Audit so that people can assess their practices.

I hope these are helpful.

More thoughts on risk management

June 17, 2020 4 comments

Today, I am going to review some recent articles on risk management. Each has some good notes, which I will highlight, without hitting what I believe to be all the right ones for success.

AuditBoard is a software vendor and they have shared a whitepaper Strengthening ERM: A Key to Success in a Volatile Environment in a blog entitled Getting Risk Management Right: Making the Case for Risk Maturity. (You can download the whitepaper using a link, with registration, in the blog.)

The blog makes some points I have made before:

  • …effective business leaders understand that organizations must take risks in order to be successful in a competitive business landscape.
  • …higher risk maturity ratings are linked to better stock price performance, lower market volatility (and reduced insurance premiums), higher market valuation, and greater organizational resilience in response to key market events.

The question is whether AuditBoard’s idea of risk maturity is a good one. I doubt it, especially when they use artificial distinctions between strategic and other risks. If something is not a “risk” to enterprise strategies, it’s unlikely to merit executive and board attention. They have included Earnings Shortfall as an Operational rather than a Strategic risk, so they have lost me.

However, using a maturity model for assessing ‘risk management’ is an excellent idea, and I included my own (as well as a few others) in World-Class Risk Management.

The whitepaper also hits some good notes (my comments are in square brackets):

  • Enterprise risk management (ERM) is an activity whose overall objective is to enhance organizational performance.
  • 83% of institutions in Deloitte’s latest Global Risk Management Survey, 11th edition, have an ERM program in place, up from 73% in the prior year’s survey. [But very few are ‘mature’ according to the ERM Initiative’s study.]
  • Now more than ever, it is important to have mature risk management practices in place to respond as efficiently and adequately as possible to unprecedented risk events, such as the Coronavirus (COVID-19) pandemic.
  • Adopting a strategy-centric position toward ERM—as opposed to overly focusing on risk prevention—empowers leaders to take the right risks and realize significant strategic advantages, while strengthening organizational resiliency and agility during times of crisis.
  • “[ERM] is not a separate activity with its own objectives but an integral part of the organization’s strategy setting and performance processes.” — COSO, Creating and Protecting Value, January, 2020
  • …a 2018 study found that only 22% of organizations with ERM programs in place described their risk management programs as “mature.” Such stark numbers [which are higher than I believe are justified] illuminate the greater overarching issue of risk maturity and its effects on organizational success.

The paper relies heavily on the COSO ERM Framework. One problem is that while it says you should focus on risks from a strategic perspective instead of a risk perspective, it is a static approach.

Risk (if you want to use that term) is not static. A periodic process in the midst of a dynamic environment simply doesn’t cut it for me.

It also omits any mention of the fact that we take and modify ‘risk’ with every decision. Those decisions are made every day across the extended enterprise.

Finally, while it talks about a strategic purpose, there is no measurement of the likelihood of achieving your objectives and strategies. Is that likelihood sufficient?

I think any maturity model has to consider the ability of the organization to:

  • anticipate what might happen,
  • in a dynamic environment,
  • and make the decisions that lead to taking the right ‘risks’ with an acceptable likelihood of achieving enterprise objectives.

My good friend Michael Rasmussen has been cogitating and then writing about risk management this month as well. His first article was The Pandemic & the Dominos of Risk Interconnectedness.

Michael’s a smart guy and when he writes it’s always thoughtful, so I give it my attention. Again, there are some nuggets:

  • Risk, according to ISO 31000, is “the effect of uncertainty on objectives.” Uncertainty is all around us in 2020. Organizations go through a lot of effort to try to put a label on specific risks, but the reality is risk is too complex to put into a container and label it. An organization cannot look at risk in silos of labels as it fails to see the interconnectedness of risk.
  • As the pandemic unfolded all organizations had a specific impact on their business objectives. Adapting to the crisis, businesses had to modify their objectives. Entity, divisional, department, process, project, and asset level objectives have been modified and risk exposure in the uncertainty of hitting both original and modified objectives is in a state of volatility with the pandemic.
  • With reduced staff, employees are wearing multiple hats and there is greater exposure from segregation of duty conflicts. Employees themselves are concerned about the economy and their (and their loved ones) well-being and security. Working from home offices and not in the corporate buildings means further insecurity for many.
  • Today’s organization is a complex web of nested relationships spanning suppliers, vendors, outsourcers, service providers, contractors, consultants, temporary workers, brokers, agents, dealers, and intermediaries. We have seen significant issues where service providers and outsourcers have completely shut down because of lockdowns and are unable to support organizations and deliver services. We have seen constrained supply chains and the inability to deliver goods.
  • Constrained supply chains and pressure to meet objectives increases the risk of bribery and corruption. With customs, import and export, coming to a crawl in some countries there is greater risk and exposure that someone may pay a foreign government official a bribe to expedite their goods over others, or to get specific contracts or permits at a time when not much is being done.
  • …risk is interconnected. Organizations need to map and understand the interconnectedness of risk. Risk management requires scenario planning as well as table talk exercises to creatively walk through how risk unfolds, where uncertainty and other risks can develop, and how objectives are impacted.
  • Organizations cannot be managing risk in isolation. They need an enterprise view of risk that sees the interconnections and impact of uncertainty on objectives. They need a top-down approach to risk management that looks at objectives and risk and uncertainty to those objectives. They also need a bottoms-up approach that looks at the details of risk down in the weeds of business processes and transactions.
  • Enterprise risk management also needs to be balanced and not held captive by one department, like IT security, as the risks the organization and world face are complex and interconnected and risk management needs to be balanced.

I can understand how Michael thinks of a “risk event” having a domino effect. I don’t subscribe to that way of thinking. I prefer to think of a typical event as having multiple possible (ranges of) effects on multiple objectives.

What is critical, in my view, is that organizations strive less to manage risks, let alone risks in isolation, and more to manage the achievement of enterprise objectives. They need to obtain assurance that there’s an acceptable likelihood of achieving objectives, and that requires understanding what might happen and how it might affect one or more objectives – then acting where that is not acceptable.

Michael’s second article is Managing Risk Creatively & Structurally.

This is a thought-provoking piece and I encourage everybody to read and reflect on his point.

Let me just pick one section and build a different point than Michael’s:

If we use the ISO 31000 definition of risk: risk is the effect of uncertainty on objectives. Risk management starts with understanding the objectives. My objective could be to cross the street, it is from there that I analyze and look at the uncertainty in crossing the street. Is the light red or green? Is there oncoming traffic or other moving threats? How fast are the threats coming? Does it look like they see the light? What are the conditions of the road? Is it slippery or dry? We analyze risk in the context of the objectives.

I agree 100% with everything he has written – but it is incomplete.

  1. He is only considering threats, not the benefits of crossing the street.
  2. The level of benefit affects the decision of whether and when to cross the street. Do you want to cross because there’s a shop window that’s interesting, or is it because your 5-year old daughter is lying on the sidewalk with a head injury?
  3. The decision also should consider the options. Is your spouse or a police officer close to your daughter so you can rely on him or her? How far would you have to walk before you can get to a safe crossing place?

Quality decision-making depends on the use of both sides of your brain, as Michael says. My brain tells me that you need to consider and then weigh all the things that might happen (aka risk), understanding and taking the right level of the right ‘risks’.

I keep coming back to this:

If the CRO only addresses potential threats, executives and the board will learn all the reasons NOT to cross the road, and none of the reasons you should.

Does this make sense?

The Evolution of Internal Audit

June 14, 2020 20 comments

Now is an opportunity for internal audit leaders to pause, reflect, and consider whether it is time to leave past practices – even if they have proven remarkably successful – for a different approach to internal auditing.

As I said to the author of Reassessing Risk: What Matters Most Now?:

“Never has business changed so much, so fast”

“As the business is probably going to be run differently, so shouldn’t we run internal audit differently?”

“Doing a traditional audit that takes weeks, if not longer, is not necessarily going to help business leaders run the business today”

Another article that appeared this month in Internal Audit 360° was The Value Challenge in the Evolution of Internal Auditing. The Italian authors, a CAE and a manager in a consulting firm, said:

The recent macroeconomic developments emphasize a change that is already taking place: remaining anchored to the most traditional and archaic conception of the internal audit mandate exposes the profession to the highly probable and impactful risk of losing relevance, progressively emptying not only its perceived value but the real content of the profession as well.

We live in an era of epochal changes which demand an evolution of the internal audit profession. Paraphrasing Darwin: if we as auditors will be more reactive to change and will change proactively, we will not only survive, but also consolidate a competitive advantage. The alternative would lead the function to an inexorable, progressive decline.

I am pleased to see a growing number of internal audit departments moving from a static annual (or worse) audit plan to one that is dynamic and based on a continuous understanding of how the business and its environment is changing. (Some call that risk assessment, but it’s really more than that.)

Certainly, continuous monitoring of the business that dynamically updates the audit plan, so that internal audit is addressing what matters now and soon to the leaders of the organization, is important.

But there is more to being agile, a term mentioned in the second piece.

Think about the navy.

Do its commanders send in a fleet every time there is an issue?

They recognize the need for agile, fast, and mobile forces that are capable of acting quickly to achieve their mission, in addition to the more traditional use of overpowering force.

Internal audit needs similar capabilities.

There are times when a fleet of auditors needs to be sent to attack an issue.

But, that fleet takes time. It requires time to plan, mobilize, and then execute. It may also require time to consolidate, consider, evaluate, and report its findings.

Can the organization wait? Don’t they need information on significant ‘risks’ now rather than later?

The modern internal audit team needs to be as agile as its audit planning. It needs the ability to send in a one or two person commando team that will get in and out rapidly, with the information needed by leaders of the organization.

Audit at the speed of risk and the business, providing management and the board with the assurance, insight, and advice they need, when they need it (i.e., not waiting weeks for a formal report), in a readily actionable form.

In my internal audit departments, the typical audit was one or possibly two people for a week or two – total, not just fieldwork. They focused on the few risks at any location or in any business process that had the potential to be significant if poorly controlled.

If you spy an enemy risk on the horizon, you need to evaluate and respond at top speed, not waiting until the fleet has arrived.

How agile is your internal audit team? Do you have speedboats or only battleships?

Is your average audit 200 hours or more? If so, are you auditing areas where, even if there were problems, they wouldn’t rise to the level that requires CEO or board action? Why? Are you taking too long to provide management and the board with essential assurance, advice, and insight?

Audit with focus and be agile about it.

I welcome your thoughts.

When an internal audit consultant goes seriously wrong

June 7, 2020 14 comments

In a recent post, I criticized Protiviti’s Brian Christensen for saying that internal audit should monitor risks. I said that was management’s job, not internal audit’s. If management is not doing that job, there’s a serious problem that internal audit should be reporting to the board. Brian replied, correctly and appropriately, that he agreed with me; internal audit should assess management’s processes for identifying and assessing risks and, if they are adequate, use them as the basis for developing the audit plan; if they are not adequate, that should be reported but internal audit still needs to do the work necessary to ensure the audit plan addresses the more significant risks to enterprise success – see also my recent post where I shared a 2003 Position Paper from (UK) IIA.

I accept and agree with Brian’s explanation.

But I cannot accept another piece of (mis)guidance from Protiviti.

Risk Awareness and Analytical Insight: Driving Audit Into the Future was written by two of the firm’s leaders in healthcare auditing.

It starts with a disturbing comment. Despite recent IIA surveys showing that an increasing number of IA functions are updating their audit plan on a more frequent basis, Protiviti says (my emphasis):

When it comes to risk awareness, the status quo for the past several years has been to conduct an annual risk assessment that established the compliance and internal audit plans for the year. In some cases, those were being performed only every two to three years. Based on a recent poll that was taken during a webinar titled Focusing on the Risk Assessment Process in a Dynamic Environment, approximately 50% of the respondents indicated that they conduct a risk assessment annually or even less frequently. Audit hours would then be focused on executing projects from the plan with little regard to changes in the environment throughout the year. Occasionally, something would surface that shifted audit’s focus from the annual plan to an event at hand that warranted attention, but this has been the exception rather than the rule. It is not acceptable or viable simply to move forward with the way things have always been done. Internal audit and compliance must retool themselves to leverage data in new ways to help prioritize their focus.

I agree with the authors’ comment. It is certainly “not acceptable or viable simply to move forward with the way things have always been done”, not if that includes basing audit engagements on what used to be a risk.

Having correctly made this point, the authors make a huge mistake.

They say:

We [internal audit] must alert the business to external conditions that are changing, whether that be in terms of regulatory matters, payer behavior, payment models, customer population or other obstacles the industry is experiencing.

If management and the board rely on internal audit to do that, instead of doing it themselves, the organization is in dire straits. I am not saying that internal audit is not competent; I am saying management is not competent!

Internal audit needs to have some serious conversations with the executives and the board if this is the case.


Internal audit should be assessing whether management is doing its job. If not, then inform the board so they can act.

The rest of the Protiviti article expands on this incorrect approach.

I hope and trust nobody follows their example.

I hope and trust that Protiviti (and I rely on Brian for this) acts to stop both the message and any related internal audit services they are performing. They are better than this. The firm was a go-to co-sourcing partner when I was a CAE and I am friends with a number of their people.

That’s my rant for the day.

What do you think?

Understanding and practicing risk-based internal auditing

June 4, 2020 15 comments

Recently, I have shared a number of related posts on risk-based internal auditing (RBIA) that received a lot of attention:

One of the comments was by a CAE, Paul Hicks (thank you), who said that he had been practicing risk-based internal auditing for 15-20 years, ever since it came out. He was referring to a 2003 Position Paper on Risk Based Internal Auditing from what is now the Chartered Institute of Internal Auditors (UK and Ireland). Unfortunately, it is no longer available on the Institute’s website, so I have made my copy available here: https://app.box.com/s/5mjlzotbcqoejup5ffyk9oga5ht8teli.

The Position Paper did not invent risk-based internal auditing. I recall discussing it 30 years ago with practitioner, teacher, and author David McNamee – as discussed in a post of mine for the IIA in 2003: Explaining Modern Risk-Based Auditing.

This old Position Paper has some excellent content that is worth reading, including (with my emphasis):

The objective of RBIA is to provide independent assurance to the board that:

  • The risk management processes which management has put in place within the organisation (covering all risk management processes at corporate, divisional, business unit, business process level, etc.) are operating as intended.
  • These risk management processes are of sound design.
  • The responses which management has made to risks which they wish to treat are both adequate and effective in reducing those risks to a level acceptable to the board.
  • And a sound framework of controls is in place to sufficiently mitigate those risks which management wishes to treat.

RBIA starts with the business objectives and then focuses on those risks that have been identified by management that may hinder their achievement.

The role of internal audit is to assess the extent to which a robust risk management approach is adopted and applied, as planned, by management across the organisation to reduce risks to a level that is acceptable to the board (the risk appetite).

This guidance is supplemented with an excellent and simple flowchart. There are also these points:

  • The key starting point is to determine that appropriate objectives have been set by the organisation and then to determine whether or not the business has an adequate process in place for identifying, assessing and managing the risks that impact on the achievement of these objectives.
  • The end result of each audit assignment should be to give assurance that risks are being managed to an acceptable level (as determined by the risk appetite) or to facilitate and/or agree improvements as necessary.

The only change of significance I would make today would be to change the focus from risks that “may hinder their achievement” to a more inclusive discussion that recognizes that management needs to take risk and seize opportunities through informed and intelligent decision-making. Risks (what might happen, both good and bad) need to be at desired levels, not necessarily lowered.

[A quick example from my books: When I was at Tosco, the Treasurer only invested overnight funds in the safest government securities. My auditor, Laura, pointed out that the company was trading derivatives and the risk we were taking in these two activities was inconsistent. After consulting with the CFO, the Treasurer modified the investment policy to include allowing the purchase of less secure securities.]

I would also add the need to maintain the audit plan at the speed of risk. Listen to this video with a CAE who has implemented continuous audit planning at the speed of risk (or speed of the business, if you prefer).

Let me close with a video by my good friend, Richard Chambers, President and CEO of the IIA. It is the latest in his series, IA Insight and Advice. Audit Reporting at the Speed of Risk.

Richard makes some good points and I added this in my comments to him on Twitter:

Richard, excellent topic and points. We talked about this in our video.

    1. Tell them what they need to know, no more
    2. Tell them when they need to know
    3. Tell them in a way [that is] readily consumed
    4. Most important, tell them in person and discuss
    5. Write later if needed

What do you think?

Should the IIA (Global) update and issue this guidance?

Should it update the Standards to be consistent with modern risk-based internal auditing practices?

By the way, as you will know I have written several books on internal auditing that explain all of this, most notably Auditing that Matters. I will soon be announcing the publication of a book of case studies with an accompanying discussion guide that will help practitioners further enhance internal auditing practices.

I have been begging for a critical update to the IIA Standards

May 28, 2020 28 comments

That is not an exaggeration.

I have spoken to multiple IIA leaders for more than a decade, including a series of chairs of the IIA’s Standards Committee, about the need to update guidance on internal audit’s risk assessment and audit plan.

This month, the IIA published a new Practice Guide: Developing a Risk-based Internal Audit Plan. Practice Guides (PG) are recommended guidance but not mandatory.

I was excited!

I became even more so when I saw that they had taken up a number of issues I had been speaking about (along with many others) for years.

Here are some of the shining lights in the PG (with my highlights):

  • In today’s business environment, effective internal auditing requires thorough planning coupled with nimble responsiveness to quickly changing risks.
  • To add value and improve an organization’s effectiveness, internal audit priorities should align with the organization’s objectives and should address the risks with the greatest potential to affect the organization’s ability to achieve those objectives.
  • Comprehensive risk-based planning enables the internal audit activity to properly align and focus its limited resources to produce insightful, proactive, and future-focused assurance and advice on the organization’s most pressing issues.
  • While the annual risk assessment is the minimum requirement articulated in the Standards, today’s rapidly changing risk landscape demands that internal auditors assess risks frequently, even continuously. Risk-based internal audit plans should be dynamic and nimble. To achieve those qualities, some CAEs update their internal audit plan quarterly (or a similar periodic schedule), and others consider their plans to be “rolling,” subject to minor changes at any time.
  • Which types of internal audit engagements will provide senior management and the board with adequate assurance and advice that significant risks have been mitigated effectively?
  • …. need to continuously assess risks, reevaluate risk priorities, and adjust the plan to accommodate the new priorities.

I am now on page 5 of the PG and things are looking good – very good. On page 7, I even saw a reference to a ‘risk universe’. This is a term I coined many years ago, when I was preaching about the need to replace the obsolete concept of an audit universe with a risk universe.


Because we are providing assurance, advice, and insight on (as the PG says) “the risks with the greatest potential to affect the organization’s ability to achieve [enterprise] objectives.”

We should be auditing whether management has effective controls to address those risks (you can talk about “auditing the risks”) rather than auditing individual business units, locations, processes, etc.

Audit and provide assurance on the management of the risks, not the management of “auditable entities”.

At the end of the day, the audit committee and top management need assurance from us that the more significant risks are being addressed properly, and you do not achieve that by auditing entities instead of risks.

To repeat what the PG says in its initial pages:

  • address the risks with the greatest potential to affect the organization’s ability to achieve those objectives.
  • produce insightful, proactive, and future-focused assurance and advice on the organization’s most pressing issues.
  • continuously assess risks, reevaluate risk priorities, and adjust the plan.

And, the audit plan should answer the question in the PG:

  • Which types of internal audit engagements will provide senior management and the board with adequate assurance and advice that significant risks have been mitigated effectively?

By the way, and this is important, to gain assurance on a single enterprise risk of significance, you may have to consider controls at multiple locations, in multiple departments, and within multiple systems. Auditing what happens at a single “auditable entity” often won’t give you sufficient insight into the management of an enterprise risk.

Providing assurance after auditing auditable entities is not the same as providing assurance on the more significant enterprise risks.

Audit risks to the enterprise, not risks to an auditable entity.

Moving on.

The PG includes one paragraph on page 12 that is important, although not well understood and not explored further by the PG:

…internal auditors should consider that “risks represent the barriers to successfully achieving … objectives as well as the opportunities that may help achieve those objectives.” Indeed, “risks may relate to preventing bad things from happening (risk mitigation) or failing to ensure good things happen (that is, exploiting or pursuing opportunities).”

In other words, it is necessary for management not only to take risks only when justified, but also to seize opportunities judiciously.

Having set the stage, that internal audit should be addressing the more significant risks to the enterprise’s objectives, and making sure that we are agile in responding to changes in those risks (including the emergence of new ones), the PG loses its way.

The PG crashes and burns by talking about an audit universe (a list of auditable entities). It then turns everything to ashes by recommending what we used to call cyclical auditing!

The audit frequency is based upon the level of residual risk determined in the risk assessment. For example, auditable units ranked high-risk may be audited at least annually (or once every 12 to 18 months), those rated with a moderate level of risk scheduled may be reviewed every 19 to 24 months, and those rated low-risk might be audited only once every 25 to 36 months (or not at all)

This approach has been obsolete for at least 20 years.

The idea that you can predict what you should audit in future years is beyond credibility (and contradicted by the first pages of the PG). Over my long career as a CAE, I never predicted with any degree of certainty what we would audit more than 3-6 months out. The PG at one point even mentions moving to a 7-year plan!

To top it all off, the PG recommends a level of detail in the plan and its documentation that goes well beyond what is necessary, efficient, agile, or of interest to the executive team or the board.

OK, enough criticism. Let’s be constructive.

Here’s my advice:

  1. Understand the business and its environment
  2. Understand the organization’s strategies, goals, and objectives
  3. Understand how success is measured by the board and management team
  4. Determine which are the more significant sources of risk to enterprise objectives and build (and maintain) a risk universe
  5. Confirm that there would be value in performing an engagement relative to those risks, whether assurance or advisory. For example, consider whether management already has a project underway to address the issue
  6. Prioritize the enterprise risks based on their significance to the enterprise and the value of an audit
  7. Determine a strategy for each audit engagement. That may require:
    1. Assessing the management of multiple significant enterprise risks in a single audit of a single entity
    2. Assessing the management of a single enterprise risk across multiple entities in a single or multiple audits (examples are in Auditing that Matters)
    3. Some adaptation of these two
    4. Being flexible and agile, expanding or contracting the scope and level of work during the audit as needed
  8. Don’t spend so much time on risk assessment and audit planning that you are not getting enough audit work done

Continuously ask this question (modified slightly from that in the PG):

Which internal audit engagements will provide senior management and the board with adequate assurance and advice that significant risks to the enterprise and its objectives are being managed[i] effectively?

I was one of the members for many years of the IIA’s international committee that worked on PGs and wrote a few myself. I know there is a tension between the need to move the profession forward and the concern about leaving past practices and their adherents behind.

But I can only recommend the first 5 pages of this PG. (If you want practical guidance on enterprise risk-based auditing, please see Auditing that Matters.) Both the PG and the related standards need serious revision.

Should I resume begging?

I welcome your comments.

[i] “Managed” means making intelligent and informed decisions that include taking risk or seizing opportunities where justified, and managing or mitigating risk when appropriate.

COSO still believes in risk appetite statements

May 24, 2020 22 comments

My good friend Paul Sobel and I generally see eye-to-eye on matters relating to risk management. Over the years, we have chatted over meals, at conferences, and on the phone.

He is now the chair of COSO, which has to be a very tough job. Not only does he have to deal with the competing interests of its five members (the AICPA, FEI, AMA, AAA, and IIA), but he has inherited the COSO ERM Framework (and the Internal Control Framework, but I am not discussing that today).

Paul decided to share a series of pieces on LinkedIn a couple of weeks ago. His initial post started by saying “Many wonder whether the current pandemic is another example of ERM failing”. It got (as of today) 133 comments!

Now I don’t think Paul expected to receive that level of response. I am also pretty sure he didn’t expect to see so many comments about the general failures of risk management (ERM) programs.

Personally, I see the growing chorus as progress!

We now have a new COSO document that should receive a similar greeting. More and more people are recognizing that the traditional ERM programs typified by COSO’s guidance are simply not helping organizations succeed. They are seen by a growing number of executives and practitioners as a compliance activity. They look good, satisfy regulators, but don’t help leaders make the informed and intelligent decisions necessary for success.

This is what the COSO announcement on May 20th said:

In an effort to help boards, executives, and managers recognize how a better understanding and communication of risk appetite will help their organizations succeed, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is releasing new guidance, “Risk Appetite–Critical to Success,” focusing on how organizations can promote risk appetite as an integral part of decision-making.

I have written extensively about the concept of risk appetite here and in my books. My most recent discussion was Do risk appetite statements add value? You should also consider “Should we tear up the risk appetite statement?” and Let’s talk about risk appetite.

The authors of the new COSO guidance are the same people who have written about risk appetite for COSO before. So it may be difficult for them to step back and challenge their own (and COSO’s) established thinking.

I have a few questions for them and anybody else who likes risk appetite statements.

  1. Do you have risk appetite statements in your personal life? Are they necessary for your decisions about where to live and work, travel and vacation options, caring for your family, and so on?
  2. What is your personal “amount of risk”? Do you have an amount of risk that includes the possibilities of family illness, job loss, auto accidents, problems with your home, serious family disputes, and so on?
  3. If you don’t need a risk appetite statement in your personal life, why do you need one in your professional life?
  4. How do you explain the fact that an “amount of risk” is a concept that is wrong both logically and mathematically? Are you using the discredited formula of likelihood times effect? How do you come up with an “amount” when there are actually ranges of potential effects (not a single number) each with its own likelihood, as well as multiple sources of risk (such as compliance, cyber, human resources, treasury, and more)?
  5. Why are there no examples of how you calculate risk appetite and then use it to compare it against the potential for reward and make quality decisions? Is it because that is not as easy (or practicable) in practice as it sounds in theory?
  6. While COSO seems to recognize that what might happen includes not only harms (which they call risks) but also positive things (they call opportunities), the discussion of risk appetite only talks about the negative. How do you make intelligent and informed decisions without comparable information on both the positive and the negative? How can you weigh them against each other to see if the risk (negative) should be taken?
  7. Isn’t it far better to use techniques like Monte Carlo Simulation that considers all the possibilities, not just harms?
  8. Where is the guidance on how to measure the possibility of reward and then compare it to the possibility of harm, and do that for each option or scenario? Why only provide guidance on half of the equation? How do you ensure that the right risks are being taken and opportunities seized?
  9. The guidance talks about operationalizing the risk appetite using risk tolerance. How are they any different from the limits and standards that have been in place for many decades? In other words, why can’t I simply retain my existing standards and policies and forget about risk appetite?
  10. How do risk appetite statements help you ensure that you have an acceptable likelihood of success, whether that is measured by the achievement of objectives, strategy, purpose, or something else?

If you are still enamored with risk appetite, I hope you enjoy and benefit from this new guidance. Unfortunately, I find it of little use.

I welcome your thoughts.

Should we audit at the speed of risk?

May 22, 2020 8 comments

It’s quite a few years[1] since I first started talking about “auditing at the speed of risk”. Sometimes I also referred to “auditing at the speed of the business”.

The idea is that the world within which we live and work is dynamic and turbulent – even more so now than when I first started using the term to describe the impact of new technology.

If we rely on an annual risk assessment and plan, we end up auditing what used to be a risk, not what challenges the organization today or tomorrow. In fact, the annual audit plan is typically out-of-date even before it is approved by the audit committee!

Richard Chambers similarly uses the term to explain that we need to move to a model that relies on a more continuous assessment of risk and (as I described in a controversial blog) identification of the audit engagements that would provide the most valuable information (assurance, advice, and insight) to our leaders in executive management and on the board.

Another leader in internal auditing has shifted the focus just a little. In COVID-19 Crisis Highlights the Value of Agile Auditing, Protiviti’s Brian Christensen together with Sharon Lindstrom talk about the need for “agile auditing”. Here are some quotes. Note that the first quote uses that same phrase.

  • With regard to immediate needs, the question we as internal auditors are asking ourselves right now is, “How can we be most helpful at this moment?” We have to be able to move at the speed of risk, which, as we’ve seen from the past several weeks, can be lightning fast.
  • Auditors should put aside worries about violating independence standards for internal audit when providing consulting to the second and first lines of defense and see themselves less as an assurance provider and more as a proactive partner. In essence, we have to become part of the response team.
  • While traditional risks remain, auditors should be ready to quickly change their focus as newer challenges present themselves.
  • Even as the COVID-19 crisis continues to rage, auditors need to be thinking about the next step forward, when the marketplace and the economy gradually regain their footing….. But when the economy begins to move into the recovery phase, Agile auditing needs to refashion itself again.
  • It is at this point that internal auditors may need to re-think their risk assessment
  • It is IA’s responsibility to evaluate not only the likelihood of new risks during this phase, but to also assess how quickly such challenges may arise and the extent of their duration. [Note by Norman: It is NOT internal audit’s responsibility to identify or assess risk. That is a management responsibility. Internal audit should be assessing how well management does that, not doing it themselves.]
  • Looking ahead, Agile auditing will continue to be the best way forward for IA, as organizations adjust with a changed market and social environment. It will enable auditors to better align assurance with the dynamic condition of a post-COVID world.

I have also been talking about Agile auditing for years[2]. I am encouraged to see this new focus by Protiviti on it.

What do I mean by agile auditing?

  • Being able to shift rapidly to audit what matters now and in the next period when everything is changing constantly
  • Being able to perform audit engagements at speed. If you think of an agile person, they move with quick steps. IA functions that take weeks or even a month to perform an audit are not agile
  • Being able to stop auditing when there is little value in continuing
  • Being able to accelerate and expand an audit engagement when new and significant issues or opportunities emerge (a.k.a., stop-and-go auditing, as discussed in Auditing that Matters).
  • Being able to communicate the results when they are needed by management or the board. If you take even a week to share the nature and extent of issues, you are not agile

One of the points I made in my recent webinar with Richard Chambers illustrates this. Richard asked me what I might include in my audit plan for the second half of 2020. I replied that “I don’t think that far ahead!” I said that today I would be working on what mattered right now and this week, anticipating what might matter next week and month, and later looking at how the business will be changing in future months. Our environment was and is changing very fast indeed, and where we should put our limited internal audit resources should be changing at the same speed.

In their CFO Signals for Q2, Deloitte makes a couple of interesting observations:

  • …many management teams remain focused more on ensuring viability and adapting for near-term performance than on evolving their company for success post-crisis. Still, teams’ focus varies greatly by industry, and many appear to be putting in substantial work on survival, adaptation, and evolution at the same time.
  • 60 percent of CFOs do not expect to return to a pre-crisis level of operations in 2020. Instead, 21 percent expect to reach this milestone in 1Q21, with 39 percent saying 2Q21 or later.

The speed of management is changing.

Decisions have to be made faster in response to changing conditions and in anticipation of what is around the corner.

We have to provide the assurance, advice, and insight that will enable the leaders of our organization to make intelligent and informed decisions at that higher speed.

So, I now suggest a number of ‘mottos’:

  1. “Audit at the speed of risk”
  2. “Audit at the speed of business”
  3. “Audit at the speed of decision-making” [NEW]
  4. All of these require “Audit with agility”

What do you think?

[1] Since at least 2002.

[2] Since at least 2010, and it is covered in Auditing that Matters.

The post-pandemic practitioner

May 16, 2020 5 comments

As Winston Churchill said, “To improve is to change; to be perfect is to change often”.

COVID-19 is disrupting life all over the globe.

Organizations are having to change to survive, let alone thrive.

For example we are seeing:

  • Changes in how people work
  • Disruption to the supply chain
  • A need to reconsider where we manufacture products
  • Shifts in how people purchase goods and services
  • and more

Whether we are talking about corporations, not-for-profits, or government agencies, leaders are changing how they run their organizations today and how they will run them tomorrow.

They face different challenges today than they did three months ago (or just last week) or will in three months’ time.

Here are some useful pieces for you to consider:

Some interesting quotes:

The coronavirus pandemic has radically changed demand for products and services in every sector, while exposing points of weakness and fragility in global supply chains and service networks. At the same time, it has been striking how well and how fast many companies have adapted, achieving new levels of visibility, agility, productivity, and end-customer connectivity—while also preserving their cash.

All over the world, companies are being challenged by the COVID-19 crisis to find new ways to serve their customers and communities. Many are rising to the occasion. Almost every leader we speak with has an inspiring story of radical, positive change in how work gets done and what it can accomplish.

Amid the fear and uncertainty, people are energized as companies make good on purpose statements, eliminate bureaucracy, empower previously untested leaders with big responsibilities, and “turbocharge” decision making. As one executive we spoke with observes: “Our senior team meets every morning for 30 minutes. It’s incredibly productive. We make decisions and go. We don’t have full information, but that’s OK—we can’t afford not to move.”

The speed of the pandemic surprised everyone. So, too, did the fast reflexes of some companies: even their own leaders were shocked at how quickly colleagues stepped up, made dramatic changes, and began performing at new levels.

In our conversations with operations leaders, we find that many are energized and inspired by the progress the crisis has forced them to make. Production lines have achieved record levels of availability and output: one automotive company found that manufacturing productivity actually increased when it introduced physical-distancing measures. After switching to daily planning cycles and gaining real-time visibility of their operations, managers don’t want to return to the old cadence of monthly planning and metrics that lag behind the situation on the ground. With physical stores closed, online and direct-to-customer sales are booming in many categories. That’s inspiring companies to upgrade their sales and distribution capabilities to meet this new type of demand.

As uncomfortable as it feels, leaders are finding that they can make decisions faster than they thought possible—and with imperfect information. The aha moment for some executives is the realization that when urgency and uncertainty collide, the time spent waiting to decide is a decision in itself.

Inertia is clearly riskier than action right now, so companies are mobilizing to address the immediate threat in ways they may have struggled to when taking on more abstract challenges, such as digital technology, automation, and artificial intelligence (all of which still loom). Bold experiments and new ways of working are now everyone’s business.

…the post-pandemic reality will likely be very different. Businesses may find, for example, that their trading partners have been undergoing changes too and that relationships may change. Vendors they used in the past may no longer be available, or may be available on different terms. Customers that were loyal before the pandemic may have shifted to new providers. Consumers may have developed new habits that will inform their preferences and behavior when the pandemic is over.

Planning has never been a particularly easy task, but the spread of COVID-19 has made it even more difficult. Finance professionals are used to accuracy, consistency, and relatively predictable planning cycles, not the unclear economic conditions and time horizons of a global pandemic. As one executive told us: “The five-year plan that we would be sending to the board right now is completely out the window. How do we plan in this environment when we don’t know what is going to happen?”

What leaders envision for their enterprises today may change with new information or new, yet unanticipated behaviors in the market. An organization needs not only a reemergence plan but also a framework for updating this plan in a way that does not generate confusion or uncertainty.

Amid the terrible human toll of the pandemic, some organizations are finding that, by working differently, they can rise to the occasion and help their employees, customers, and even their communities.

Across industries, companies are realizing that they can aspire to much more than simply a safe return to work. They want to take what they have learned during the COVID-19 crisis and create a new kind of operational performance.

As business operations make the transition to the next normal, speed will continue to be of the essence. Companies that are willing to maintain their momentum while also setting new standards and upending old paradigms will build long-term strategic advantage.

The organizations we serve as practitioners are changing.

Surely, we should be at least open to changing ourselves: changing how we work, the services and information we provide, and even our own self-image.

I suggest that we all set aside what has worked for us in the past, even the professional standards and guidance that we have followed.

Instead, let’s challenge ourselves by answering this question:

How can we best help our organization survive and then thrive today and tomorrow?

Here are some clues:

  1. How has the organization changed in the last couple of months?
  2. How is it likely to change over the next few months and into next year?
  3. How has management of the organization changed?
  4. What are the issues and challenges consuming management and board attention and how are they different today and into the future?
  5. How have essential business activities changed?
  6. How has the board changed in its activities?
  7. What information do your leaders need, especially information they need but are either not getting at all or are not getting reliably and promptly?
  8. What do they need to know about how the organization is behaving?
  9. What do they need to know about the capacity of the organization to meet demands over the next months or so?
  10. What can you do?

Now ask and answer that question again:

How can we best help our organization survive and then thrive today and tomorrow?

I welcome your thoughts and ideas.

How have you changed?

Should internal audit perform a risk assessment?

May 9, 2020 29 comments

This is a simple question that has many non-simple aspects.

I am not going to deal today with the issue of whether internal audit should be performing a risk assessment when there is a perfectly adequate risk assessment made by management. I have shared my view before that internal audit should (after auditing management’s processes) rely on management’s work as much as possible. However, even when it is excellent, more needs to be done to determine what engagements to perform, as explained in Auditing that Matters.

I am also not going to deal today with the word “a” in the question. I have shared in this blog and in that book why any assessment has to be continuous. It is refreshing that the majority are moving away from relying on the obsolete annual assessment process, instead updating the assessment and the audit plan quarterly or (in a growing number of cases) monthly. But it needs to be continuous. Auditing at the speed of risk (or of the business, if you prefer that term) means updating your plans at that speed as well. Otherwise, you are likely to audit what used to matter, not what matters today or tomorrow.

Today, I want to talk about the four-letter word ‘risk’ in the question.

For most people, the four-letter word refers to events that might happen with an adverse effect on objectives; for others, it’s the adverse effect itself. It doesn’t really matter which definition you choose. Both talk about adverse effects.

The point is whether we should be identifying and prioritizing only the possibilities of significant adverse effects.

What are we trying to accomplish?

Our objective should be to perform the audit engagements that will deliver the greatest value to our organization.

Let’s break that down a little further.

The value we deliver from our work is derived from the assurance, advice, and insight we provide on the issues that matter to the leaders of the organization (hence the title of my book, Auditing that Matters). We provide them with information that helps them run and lead the organization for success. We don’t provide them with information that doesn’t matter to them, points they can leave to middle or lower levels of management; that has little positive value.

In other words, we want to perform the engagements that will provide leaders with assurance that the organization’s people, processes, and systems will function as needed to both create and protect enterprise value – so that the objectives of the enterprise are achieved – and advice and insight to make improvements where needed.

What is the relationship between ‘risk’ and the engagements we seek to perform?

In theory, you start with objectives and then identify risks to those objectives. From there, you see where those risks may arise and which are the controls that address them. At that point, you can decide which audit engagements to perform because you are assessing and testing the controls over the risks; you are not really auditing the risks per se.

But this is exclusively focused on the harmful things that might happen.

What about providing assurance over the good things that might and must happen if the organization is to succeed?

Why should we only provide assurance regarding preventing or mitigating bad stuff, in other words protecting value?

Why can’t we provide assurance that opportunities to create value will be taken?

The IIA’s suggested Mission for Internal Audit starts with this key phrase:

“To enhance and protect organizational value….”

Do our ‘risk’ assessment processes help us define engagements that will provide assurance that organizational value will be not only protected but enhanced?

As CAE, I talked about a ‘risk and value’ assessment rather than simply a risk assessment. By value, I meant to identify the engagements that would have the greatest value to our leaders. What I had in mind was that for some high ‘risks’, management was not only well aware of them but was actively working to address them. In those cases, an audit engagement would be of little value. In addition, my plan included audits of the controls relied on to create value, not just protect it.

That’s better than a straightforward and traditional ‘risk’ assessment.

But there’s a better approach.

  1. Understand the business
  2. Understand the goals and objectives of the board and the management team
  3. Identify the challenges facing the organization today, tomorrow, and going forward
  4. Define the audit engagements that will provide the assurance, insight, and advice leaders need – the ones that will provide the information they need, when they need it

That approach doesn’t use the ‘r’ word at all.

What do you think? Do you agree with me that we need to stop thinking about a risk assessment; that instead we should be thinking about which audit engagements will provide the assurance, advice, and insight that leaders of the enterprise need?


After reviewing and responding to comments (thank you) here and on LinkedIn, I want to add some points:

  1. While value is created by an internal audit risk assessment in many cases, our objective is not a perfect risk assessment (however you define it). Our objective is to identify the audit engagements that we need to perform if we are to add the most value to our organization.
  2. If we focus on the identification of the best audits to perform, we might avoid spending unnecessary time creating and then updating a risk assessment.
  3. One of the challenges voiced by many in making sure we are focused on audits that address risks/opportunities/challenges facing the organization today and tomorrow is the need to update the risk assessment continuously. But if we replace questions about the risk assessment with questions about which audits we should perform next (considering changes in the business, both internal and external), we can minimize that additional work.
  4. In my organizations, we replaced a static audit plan with one that had a fair degree of certainty up to three months ahead, but recognized the uncertainty in what might change in the business and therefore in our auditing further out. This was communicated to the audit committee; as experienced and sensible people, they acknowledged its wisdom.

SOX risk assessment in 2020

April 30, 2020 1 comment

We are living in a turbulent world. But the SOX compliance requirements remain fairly static. It’s not as if the SEC is going to relax the requirements for companies to assess the condition of internal control over financial reporting, or that the PCAOB will reduce the requirement for the external auditor to provide their independent assessment.

Yet, there are issues and challenges that we need to consider.

Protiviti has done a decent job summarizing some of them in SOX Risk Assessment in the Time of COVID-19. (The text in italics is my addition to the author’s writing.)

I will come back to points of difference, even omission, later. Here are some highlights:

  • “Though forecasts may still be in the process of being reworked, they may prove to be the more suitable starting point” in determining materiality and which accounts and locations should be in scope. Note: that has always been best practice.
  • “Usual measures such as net income before tax are likely to be substantially lower for FY20 and even negative for some companies. In such situations, other measures such as EBITDA or revenue may need to be used and several materiality scenarios assessed.” This should be discussed with the external auditor. There is existing guidance on what to do when results are abnormal, including when there are losses.
  • “With the results of the materiality calculation likely being lower than in recent prior years, there may be financial statement elements or perhaps even locations that will” have to be brought into scope.
  • “…if materiality has significantly decreased, thresholds or tolerances applied in controls, particularly for management-review controls, may need to be calibrated to the unique circumstances of FY20.”
  • “This new environment we are living in will push us more than ever toward real-time risk assessment rather than an annual update.” The best practice that I teach has always been to check the materiality level and program scope quarterly.
  • “…it will be important to closely communicate updates to filing calendars and coordinate with the Legal, Investor Relations and Financial Reporting departments.” If the SEC makes changes to annual reporting and filing requirements, they should be studied to determine whether they change the timing or nature of year-end and other procedures.
  • “…technology that may have been hastily deployed to a newly remote workforce but perhaps without the normal diligence to ITGC coverage or with a mind-set of enablement rather than restriction regarding user access. Organizations should consider the impact of these new exposures in a robust fraud risk assessment.” While it is possible, even likely, that the nature and magnitude of fraud schemes may have changed, the same fraud risk assessment process as in prior years should be performed. The author highlights access controls, which should merit increased attention. However, the focus remains on the possibility of fraud that leads to a material error or omission in the filed financial statements – and this remains unlikely for most companies, even with a lower materiality level.
  • “Management should review and obtain external audit agreement with the risk assessment conclusion and establish practical cadence for updates in FY20. Additionally, management should discuss how the timing and extent of audit procedures will be impacted and coordinate on the impact of any filing extension.”

I only disagree with the author on one minor point: she says that April is when 12/31 year-end companies start their SOX planning. I teach best practice as starting no later than January. The earlier you plan and then start walkthroughs, the more time you have to perform them and a first round of testing.

What is missing that matters?

Just one point, with consequences.

The way in which people work has changed and probably will still be different for the rest of this year, if not longer.

That means that controls may be performed differently. The information needed by control owners may not be provided the same way, for example, when people are not working in close proximity.

It is important, therefore, to have every control owner revisit their controls and update the documentation now and as it changes during the year.

The changes in how controls are performed need to be shared with the SOX team so that an assessment can be made as to whether they remain adequately designed. For example, will evidence of the control being performed be recorded the same way? How will work be reviewed?

In addition, the way in which the controls can and should be tested may have to change. It may not be possible to perform walkthroughs or tests of operation by observing how an individual works at home.

Common sense and thinking about what we are seeing now and are likely to see in the future will help us succeed this year, as it does every year.

We need agility in our thinking as well, being prepared to adjust as everything changes.

We are living in a turbulent world.

I welcome your thoughts.

Let’s talk about Deciding

April 25, 2020 7 comments

The focus today among leading ‘risk’ thought leaders, including at COSO, is on decision-making. For example, COSO ERM says: “From day-to-day operational decisions to the fundamental trade-offs in the boardroom, dealing with risk in these choices is a part of decision-making”.

Think about it. How can we or our organizations be successful without sound decision-making?

How can we, as practitioners, help leaders make informed and intelligent decisions that consider all the things that might happen?

Some years ago, Grant Purdy (the grandfather of Australia/New Zealand’s risk management standard 4360, the precursor to the global standard, ISO 31000) told me that when he is engaged to help an organization upgrade its ERM program, he doesn’t talk to management about risk. Instead, he asks:

“How do you make decisions?”

Grant has teamed up with a fellow Aussie, Roger Estall, to bring us Deciding: A Guide to Even Better Decision-Making.

The book is an interesting read, with some useful perspectives and advice. It will help you challenge your and others’ decision-making processes.

Over the years, both Grant and I have been on a journey of discovery. We have both moved away from what I would call traditional risk management, recognizing that it really is not helping leaders make those all-important strategic and tactical decisions. It’s a compliance activity.

We haven’t always been in sync on our journeys, reaching points at different times. In addition, we have different backgrounds and experiences, so we sometimes use different language.

But we have always agreed far more than we have disagreed. Neither of us likes the word ‘risk’ any more, but it has taken us time to get there.

For example, I talk about managing the likelihood of success instead of focusing on the potential for harm (which is unfortunately what most ‘risk’ practitioners do). Grant and Roger talk about achieving a sufficient level of certainty of the outcome of the decision.

Those are essentially the same idea. The way I think about it is that leaders (both executives and board members) are looking for an acceptable level of certainty/likelihood that they will achieve the objectives/goals of the organization.

If we can help them understand where they are against their objectives and how what lies ahead might affect their success, we are adding huge value. What lies ahead is what some call ‘risk’ or ‘risk and opportunity’.

Grant and Roger help us understand a number of things, including what they call a global process, about making informed and intelligent decisions.

One area I like is the discussion about assumptions.

Far too often, people make assumptions without thinking of how uncertain they are. I have seen many proposals and plans that list assumptions without any thought to assessing the likelihood that they will in fact happen.

Grant and Roger talk about how it is important to understand how critical each assumption is so that the most significant can be monitored. This way, as soon as it looks likely that an assumption will not hold, actions can be taken – including revising the decision.

As I said, it’s an interesting book and it should make you think about how you and those in leadership positions make or should make informed and intelligent decisions.

Are you concerned about the quality of decision-making?

What are you doing about it?

Integrating cyber and enterprise risk management for success

April 21, 2020 5 comments

The National Institute of Standards and Technology (NIST) is part of the US Department of Commerce. It has provided guidance on the assessment of cyber-related risk that is followed by many information security and cyber professionals.

In March, it published a draft, Integrating Cybersecurity and Enterprise Risk Management (ERM).

One of the problems, a serious constraint on NIST, is that it operates in an environment that has required the traditional practice of ERM, where the final product is a risk register (or a risk profile, which is simply a prioritized risk register). Federal (US) agencies[1] have published authoritative guidance that mandates this approach.

Most leading practitioners and thought leaders have recognized that risk registers and risk heat maps are without significant value. They might enable leaders of the organization to manage individual risks, but they neither help see the big picture nor run the organization for success.

As I have said before, such as in Time to Wake Up to Risk Reality, leaders of organizations around the world have consistently said that traditional risk management is not helping them set and then execute on enterprise objectives.

Traditional risk management is not helping leaders make the decisions necessary for success.

Avoiding failure is not the same as achieving success. In fact, if all you do is manage risk instead of the likelihood of success, then you will almost certainly fail to achieve your goals.

I believe it was the FAIR Institute in their adaptation of NIST guidance that recognized that a prioritized list of cyber-related risks did not provide leaders of the enterprise with the information they need. They recognized that fact but offered no suggestions.

In Making Business Sense of Technology Risk, which was written specifically to provide some ideas on this topic, I suggested that leaders need to know how to answer questions like these:

  • Should I invest $1 million in cyber or in new product development? I can’t do both.
  • If I open a new office in Belarus, I have significant upside possibilities but will also increase the possibilities of damage from regulatory compliance issues, currency volatility, cyber intrusions, and more. How can I know whether, on balance, I should open now, in six months, in a year, or not at all?
  • How likely are we to achieve our targets for the year, given all the things that might happen over the next months, including the possibility of a data breach?
  • Should we take our new product line to market now, given the revenue it might bring and the vulnerabilities we are aware of?

Neither a risk register, nor a prioritized list of information assets, helps answer these questions or inform pretty much any other business decision.

The most these lists of risks do, IMHO, is help prioritize investments between cyber vulnerabilities. They don’t help leaders of the enterprise – as evidenced by the views of those leaders in survey after survey.

Where we need to go, as explained in my book, is to provide leaders with the information they need.

  • Information on how a breach would affect enterprise objectives, being specific about which ones
  • Information that can be aggregated with other sources of risk (both positive and negative) so that all the possibilities can be weighed together and an informed and intelligent decision made
  • Similarly, information that can be aggregated so that performance reporting can show the overall likelihood of success for each of the organization’s goals and objectives
  • Information in the language of the business

I welcome your thoughts.

(This post is being shared with NIST as a comment on their draft.)

[1] Such as the OMB and GAO, in addition to previous NIST standards.

Fraud is always with us

April 20, 2020 6 comments

Even with the COVID-19 crisis dominating our thinking, fraud persists. People with unbelievable levels of immorality are taking advantage of the pandemic with new ways to steal from people and organizations who cannot afford any further losses.

For internal auditors, fraud has always been a concern.

Some nations even have regulations that require internal auditors to make the detection of fraud and the auditing of controls around fraud one of their top priorities, if not the top priority.

But should it be?

Every year since 1996, the Association of Certified Fraud Examiners (the ACFE) has shared a revealing look at fraud in their Report to the Nations. It is always worth our time.

The ACFE has just released their Report to the Nations: 2020 Global Study on Occupational Fraud and Abuse.

Here are some key points:

  • The results of their study are based on a global survey of Certified Fraud Examiners (CFEs) in 2019. In other words, this is a perspective from fraud practitioners, not business executives.
  • Overall, the CFEs estimate that organizations lose about 5% of revenue to fraud each year. It is unclear in this year’s report what is included in that estimate, but in prior years it has included a variety of both monetary and non-monetary frauds, including both significant (such as financial statement fraud) and trivial activities (such as personal use of a company computer).
  • The median loss per case was $125,000 and the average $1,509,000 – indicating that there were a huge number of small losses and a limited number of large ones.
  • A typical fraud lasts 14 months and costs $8,300 per month.
  • 43% of frauds were uncovered by a tip. The next most common detection was by internal audit at 15%. (Internal controls are split out among management review, 12%, account reconciliation, 4%, document examination, 3%, surveillance/monitoring, 3%, and IT controls, 2%; the total for internal controls is therefore around 24%.)
  • Certain fraud schemes, such as check and payment tampering, were far more common in smaller businesses.
  • As to be expected, frauds involving senior executives or owners were far more significant, averaging $600,000.
  • In 46% of cases, organizations decided not to refer those involved to law enforcement.
  • The typical loss varied widely by region. It will surprise some but the typical loss in Asia Pacific of $1 million dwarfs that in the US of $563,000 and in Western Europe of $638,000.
  • Only 21% of cases involved losses exceeding $1 million.

Every year, I come to the same conclusion.

Fraud is rarely one of the top ten sources of risk to an organization!

These losses are (with few exceptions) immaterial to the overall success of the organization.

That doesn’t mean fraud should be ignored, but it shouldn’t be assumed that every audit has to assess controls over fraud.

I am fine with every audit planning exercise (including the periodic and continual risk assessment processes) considering the risk of fraud. But then, the work performed should be commensurate with that level of risk.

Having said that, this report provides interesting and valuable information on fraud schemes around the world, differentiating between each region.

I highly recommend it.

What do you think?

Rethinking internal auditing

April 13, 2020 10 comments

In 1998, the magazine of the American Institute of Certified Public Accountants (AICPA), the Journal of Accountancy, approached the IIA. They said they wanted to write an article about progressive internal auditing leaders and (I thank them) the IIA pointed them to me.

I was the CAE of Tosco Corporation. I had been in that position for 8 years and had seen the company grow from $2 billion in revenue to $15 billion. It was still growing rapidly and profitably. Tosco would reach its peak in 2001 when it recorded $28 billion in revenue and was about #50 in the Fortune 500 list of US companies. Sadly, the board decided to take advantage of the market and sold the company to Phillips Petroleum for $7.5 billion.

Today, I want to share the piece they wrote.

Looking back, I haven’t changed my thinking a great deal in the 20+ years since then.

I will let you read it and then comment on what I might say differently if interviewed today.

Rethinking internal audits

By Anita Dennis

Journal of Accountancy, November 1998

What are the keys to running a lean, proactive internal audit department? At Tosco, a petroleum refining and marketing company, Norman Marks, general auditor, has developed an approach that adds value while reining in costs. His strategy can help to provide a model for other internal auditors seeking to enhance their departments’ contributions.

When Marks joined Tosco in 1990, the audit committee’s chairman said to him, “I’ve got about $6 million worth of stock in this company. Make sure there are no surprises.” Marks has taken it as his charge to protect all the stakeholders in the company from a variety of unpleasant surprises that can result from failures in internal controls. “We have to consider the integrity of financial reporting, custody of assets, environmental and safety issues, and the efficiency and effectiveness of operations,” Marks says, in addition to what he calls “the 60 Minutes test.” “I try to protect us from doing anything that would embarrass us if it ever turned up on 60 Minutes.”

The challenges of his job have grown along with the company, which went from a $2 billion operation in 1990 to an organization today with $15 billion in sales. Despite its size, “it’s a very small company. In 1997, we had sales of $13.3 billion, but our pretax earnings were $381 million, just 2.9% of sales. That’s not a function of write-offs but of the fact that the petroleum industry has very thin margins. In terms of revenue per thousand employees, this industry has one of the highest ratios, which means we have very few people for a very large amount of dollars. Since our margins are thin, to survive in the industry you must be one of the lowest cost operators, which we have become.” At the same time, companies in the industry face financial uncertainties in a number of transactions. Tosco, for example, buys $10 billion worth of crude every year, which is subject to market price shifts; at a single refinery, operating costs can run $100 million per year, or one-fourth of its pretax earnings. “That gives me a lot to worry about. Not only must I consider outside forces but also I must provide the audit committee with assurance about controls and I have to be careful about how much money I spend.”

When Marks came to the company, he had worked in public accounting and in industry. “Having been audited and having done auditing, I saw how painful and disruptive it could be. I wanted to do something that was more like a service.” To achieve his goals, Marks has crafted an approach to make the most of his 22-person audit staff. To measure efficiency, he relies on benchmarks to compare his operations against those in the industry and in manufacturing as a whole. For example, his company has 1.3 auditors per billion dollars of gross sales, while the industry average is 4.35 per billion. While Tosco has 0.67 auditors per 1,000 employees, the industry average is 3.05 employees per 1,000. However, he considers the most important benchmark to be internal audit cost as a percentage of sales. For his company, that number is 0.017%; for the industry, it is 0.044%.

How can the audit department maintain these numbers while providing high-quality audits as well as offering worthwhile solutions to company problems? His blueprint is one that may serve as a recommendation for other internal audit departments seeking leaner operations:

Stop auditing history. “Our general routine is not to go back and audit what’s happened in the past,” Marks says. “Many companies will take a month’s or even a year’s past transactions and verify them. All that’s doing is auditing the past. My job is to audit the present and to provide protection for the future. Our emphasis is on the controls we have today rather than on what might have taken place.”

Narrow the focus. In a step he calls using a laser rather than a shotgun, Marks’ department focuses exclusively on key risks. For example, Tosco’s Linden, New Jersey, refinery could be considered the top risk area in the company based on the volume of its operations and the money. While some internal auditors might audit the total refinery, “I am interested only in certain business risks within that operation,” Marks says. “We decide where, if controls fail, we are likely to have a problem.” Areas to audit are chosen based on a subjective assessment of risk to the company and value of the audit. “Each audit has a value (to management and the board) in its assessment of controls and in the positive changes it effects. The changes could have a direct contribution to the bottom line (such as cost savings, revenue enhancements) or an indirect contribution (risk reduction, fraud deterrence). We work with management at all levels to define those areas.” In a given year, Marks may determine that the biggest risk in accounts payable is payments to maintenance contractors, so the auditors will target just that segment of accounts payable. In the following year, observations of the refinery operations and experience in other audits may lead the auditors to examine payments to utilities. Although the internal auditors perform a number of audits at the refinery, they concentrate on selected risk areas rather than blanketing an entire department.

Dispense with lower level staff positions. While some audit departments have a hierarchy of positions ranging from neophyte to manager, Tosco hires mainly manager-level staff and some seniors. “If you ask managers how much time they spend supervising, training, reviewing workpapers and rewriting the audit report, you find they are probably spending as much time as if they were doing all the work themselves,” Marks says. The department seeks a blend of experience, from people who’ve worked with large and midsize accounting firms to former controllers, treasurers and internal auditors in the oil and other industries. Because Tosco has cut out an entire level of staff, “our cost per auditor is higher, but total audit costs are lower.” Productivity also is enhanced. “Our people are so much more experienced that the quality of the audit tends to be higher. We are able to explain to people in other departments what we are doing and focus quickly on the significant business risks. Since we don’t go in and ask silly questions, the work is received better by people in other departments.”

Employ stop-and-go auditing. In this technique, auditors go into an area and determine on the job whether the risk is so low that an audit isn’t needed or whether greater resources should be devoted to the audit because of questions uncovered. With experienced people and a narrowed focus, this technique can greatly boost efficiency, but companies don’t always employ it. When the company acquired a wholesale terminal, Marks was told that the previous owner had sent two internal auditors to perform a month-long audit; the Marks team, however, sent one person for four days. “Our managers know every unnecessary hour spent auditing an area costs the company money and takes time away from another project we could do that has value.” On most jobs, auditors go in with an estimate of 250 to 300 hours to perform the work, but they are encouraged to use their discretion to spend more or less time as needed. “We hire people who are proficient enough to make those decisions.”

Position auditors throughout operations. Tosco’s auditors work alongside other staff members in locations throughout the company’s operations, which include refining and marketing. Marks believes this enables them to understand a business area and its risks and to add value in the eyes of the audit committee and management by, for example, becoming familiar enough with an area to offer useful suggestions. “We don’t want to be seen as outsiders coming in from corporate management but, rather, as part of the local management team.”

Marks has not experienced resistance to the changes he has made in his area because of the quality of the people in his department and the value that they add to processes throughout the company.

Marks believes his approach is justified by the fact that well over 90% of the recommendations made by the internal audit department are implemented. For example, some of the company’s audits may cover a business risk that spans many departments, such as the one performed recently on travel expenses. The company’s travel agent forwarded to management any reports about travel items that departed from policy. Those reports were then sent to two vice-presidents for follow-up. The internal auditors suggested the reports be sent to the relevant department manager instead, since it seemed unnecessary to tie up senior executives’ time over travel expenses. “The person doing the audit who made that suggestion is an ex-controller, and he knows how to run a business,” Marks says. “Because I run the audit department as a business, we’re always trying to make sure we’re adding value.”

The fundamentals have not changed in my approach. I would change some of the language, but the practices I developed for Tosco endure.

  1. I would talk more about assurance and its positive value for our leaders. That’s more of a language change, since even then I knew that telling people that “everything is OK and there is nothing to worry about” has huge value to board members and top executives.
  2. Instead of talking about not auditing history but today, I would talk about the need to audit today and tomorrow: what might happen over the next year or so. Change is where the greatest risk and opportunities lie, and where controls are more likely to be in need of improvement.
  3. I would emphasize that when I talk about risk-based auditing, I am talking about risks to the enterprise as a whole. I worry about risks to a process or business operation if and only if it is a source of risk to the enterprise as a whole.
  4. At Tosco, I was more concerned with things that might go wrong as our margins were thin. But that changed as I moved from Tosco to other organizations. I included in my audit plan controls that provided assurance that we would take advantage of possibilities that would benefit us, the creation of value, whether in sales or even in procurement.
  5. I would also make every effort to avoid using the 4-letter “r” word, as it has negative implications and triggers less than an enthusiastic response from management.
  6. The article doesn’t say anything about reporting. This is an area where I made a lot of innovations at Tosco that I carried on in my later positions. Basically, it’s the idea that you “tell them what they need to know, not what you want to say, and do it in as few words as possible”.
  7. I would also say something about the people on my team. They were the source of any success I had. I learned a lot as a leader and would bring those lessons out – as I did in my books.

Questions for you:

  1. How have the profession and its practice moved on from what I was doing in 1998? Or have many still to catch up?
  2. The idea of not hiring junior staff was highly controversial in the 1990s. It was before SOX, so there was little need for that level of internal auditor. Do you agree with the basic principle explained in the article?
  3. Do you audit controls over the creation of value?
  4. The article doesn’t talk about technology, although I used it when it had value. Do you agree with me that the use of technology has to be dependent on its value? In other words, if we really have a dynamic audit plan, you should make sure there is value in spending the money to develop internal audit software and analytics that may only be used once.
  5. What other comments do you have?

What makes for effective decision-making?

April 9, 2020 13 comments

I was talking with a friend about decision-making and decided to put together a list of principles for effective decision-making. This is my first shot. What do you think? What would you change?

  1. Effective decisions require that the right people are making them at the right time.
  2. It is imperative that the decision-makers understand the nature of the problem, why a decision is required, and what they are trying to achieve.
  3. The decision-makers need reliable, complete and accurate, current, and timely information.
  4. Everybody with information and insight into the situation and the effects of a decision should participate. The level of each individual’s participation may vary depending on such factors as how much they will be affected, the information and insight they offer, and so on.
  5. The alternatives should be identified and their potential effects on success understood.
  6. Consideration should be given to both the potential for harm and the opportunity for reward, recognizing that there may be both multiple ‘risks’ and multiple ‘opportunities’, with reliable analysis that weighs all the pros and cons in a disciplined manner.
  7. The depth of analysis and the time taken will vary depending on factors such as the urgency of the situation, the magnitude of the potential effects (both positive and negative), the authority of the decision-maker, and the complexity of the situation.
  8. Decision-makers and their advisors need to understand and allow for their cognitive and other biases that may influence their decisions.
  9. The effectiveness of a decision depends on a common and clear understanding of the decision and required actions, together with timely and clear communications.
  10. The effectiveness of a decision should generally be monitored and adjustments made as necessary.
  11. The authority to make decisions should be determined by senior management with the approval of the governing body.
  12. The governing body should be assured that the more significant decisions that will affect the overall success of the organization are made consistent with these principles.

I don’t want to have so many principles that they become impractical. While there is probably more to say, I think 12 should be a good number.

What do you think?

If you like these (perhaps with some change), what should this mean for:

  • Boards?
  • Executives?
  • Other decision-makers?
  • Risk practitioners?
  • Internal auditors?

I welcome your thoughts.

Time to wake up to risk reality

April 2, 2020 38 comments

This is a post about news we should have known for a long time.

It’s time to recognize the truth about risk management.

For 11 years, the ERM Initiative at North Carolina University has surveyed executives (this year they were again all financial executives) about what they call “the current state of risk oversight processes in organizations of all types and sizes to obtain an understanding of the relative maturity of underlying activities executives and boards use to monitor the rapidly changing risk landscape”.

On April 1st, they published the 2020 edition: The State of Risk Oversight: An Overview of Enterprise Risk Management Practices – 11th Edition.

It is jarring to see how the authors continue to ask the wrong questions.

Consider how the Journal of Accountancy wrote about the study. This is their lead observation about the results of the study:

While concerns about risk, even before the virus outbreak, have not subsided, fewer finance executives were finding strategic value in their risk management processes. In 2016, 20% of respondents said they believed that risk management mostly or extensively provides strategic value. In the most recent survey, the number was 17% — a small drop, but still the third consecutive year of one-percentage-point declines.

These are finance executives, and you would expect more of them to see the value, if it existed, than others in the executive suite. In many cases, they are responsible for the risk management function! Other surveys have reported much lower numbers, such as that by Deloitte. In fact, the numbers are declining even as people get, arguably, more sophisticated.

Yet, the authors of the study persist in talking about the maturity of a program that, where it exists, is not seen as adding strategic value! They have this damning point sixth on their list of key findings.

Ask yourself why so many companies are not investing the resources and attention to bring their risk management program up to what the authors reference as mature.

I believe that executive teams are failing to invest in fully mature ERM programs and directors are not discussing the results of such a program because it is separate from how they run the organization for success. That is clear when risk discussions are distinct, even with different people, from strategy and performance discussions.

Practitioners and board members, ask each of your executives whether risk management at your organization is providing significant strategic value, whether it makes a marked and important contribution to the development and execution of strategies and achievement of success.

If they say no (or fail to enthusiastically say yes), ask why not. Listen and then make sure they get what they need.

If they say yes, make sure you are asking them about whether risk management contributes to their decision-making and success, not about whether it has ‘value’. It should have value, even if it’s limited to satisfying the regulators and avoiding (some) harms. If they continue to say yes, then celebrate and tell us all what you did differently.

Yes, there are areas where traditional risk management is the right thing to do. For example, it is essential in project management, safety management, and the management of a financial portfolio. But putting together a list of top risks for the organization as a whole, and the idea that you need to manage risks, should be something done to satisfy the regulators, not how you run the business.

As for academics and consultants, PLEASE STOP preaching what doesn’t work, traditional risk assessments and reporting. START understanding what leaders of the organization need and how it can be provided efficiently and effectively. How can so-called risk practitioners help the organization increase the likelihood of success?

Where do you stand?

Are we getting the COVID-19 information we need?

March 26, 2020 15 comments

Like most people (I assume) I am following my local (county), state, and national public health agencies’ web sites for information on the spread of the COVID-19 virus. I also watch the PBS NewsHour TV program and read the news from the BBC and major newspapers.

I am retired, so I don’t have to worry about any corporate effects; I only have to worry about what my wife and I need to do if we are to stay safe. While I also worry about the health and safety of my family in Nashville and London, as well as my friends around the world, there is nothing much I can do for them. (They reassure me they are practicing appropriate social distancing when we chat.)

My question today is whether my wife and I are getting the information we need. Are we able to make the informed and intelligent decisions necessary for our health and welfare?

Each of us may have different questions to answer and different decisions to make. Today I am talking about my personal ones – and later will make a more generalized point.

What are the questions I have to answer? Here are the first that come to mind:

  1. Do I need to stay in my house?
  2. When, for what purpose, and how often should I leave it?
  3. Do I need to do something different to stay healthy, like take extra vitamins?
  4. Do I need to buy something so that if I am infected I will be more likely to survive?
  5. If I need groceries, should I go to the store or order for delivery?
  6. If I get groceries or other supplies, how do I stay safe?
  7. If I order food for delivery, how do I stay safe?
  8. How long will this last?
  9. How will I know when it’s easing off around me?
  10. Should I cancel my trips in April and June?

If I look at the information provided by the county, state, and federal agencies, I get some information:

  • The county tells me the total of confirmed cases; the number hospitalized; how many have died; how many are infected because of close contact with known cases; and the number infected due to presumed community transmission. There’s also a breakdown of the age of confirmed cases by decade. They tell me that schools will remain closed until May 1st and the shelter-in-place order is through April 7. There’s an additional Frequently Asked Questions section.
  • But the county does not tell me how many have been tested; how many are waiting to be tested; the wait time to be tested; or the trend – the shape of the curve that people keep talking about.
  • The county also doesn’t tell me how many people have called their doctor to report symptoms and stayed home without being tested. They recently announced that the federal government has asked them to gather and report those numbers.
  • The state tells me similar information: the number of positive cases and deaths; how many were community-acquired; the number of health care workers infected; the age breakdown, but only in 5 groups rather than by decade; and the gender of those tested positive.
  • One of the frustrating aspects of the situation is that some reports say the risk is greater for those over 70, some say (as does the state) over 65, while others say 60.
  • As with the county, the state provides general guidance on how to wash your hands and the symptoms of the disease.
  • But neither shares the information that would help me to see the trend, the shape of the curve. Nor do they tell me how to be safe when it comes to grocery-shopping or food deliveries, or how else to prepare.
  • The federal government has some high-level data to share: total cases; total deaths; the sources of exposure (97.5% are ‘under investigation’ so that data is useless); and the trends in total cases, although they indicate that recent data is incomplete. That data doesn’t make it clear whether the rate of increase is slackening or not. Nor do they break the data down by region or state.

Does this give me all the information I need to make informed and intelligent decisions?

Not really.

There are many sources of additional information in the media and on the web. The question is whether that information is (a) relevant to my decision, and (b) reliable. US government and state officials hold frequent press conferences, but not everybody believes what they have to say – especially when they contradict themselves and each other.

A number of health professionals have addressed some of my questions in the media and on YouTube. But I check their credentials before considering them credible. For example, one of my friends shared advice from an MD and when I checked into him I found that he was a specialist in treating allergies.

I will share this video on safe shopping because it’s important and credible.

So, I don’t believe I am getting all the information I need. I have to make decisions based on what I do know and what seems prudent.

Now to the more general point.

What is happening is that these agencies are sharing what they want to tell me. In some cases, they are complying with federal or state requirements.

They are not thinking about what each of us needs to know so we can make our own informed and intelligent decisions.

I call this ‘push’ reporting. What we need is ‘pull’ reporting, where the individual who has the data understands what the consumer of the information needs to know. He or she understands the decisions that have to be made and the information necessary to enable them.

As practitioners, we need to do the same.

What do the decision-makers need from us?

What does the executive team need from us?

What does the board need from us?

Don’t follow standard practice and give them a report that doesn’t help them make their important decisions.

If you don’t know what they need, even if you believe they don’t know themselves, find out!

Then execute and tell them the shape of the curve, and so on.

I welcome your thoughts.