Stunning report of interference from the top in an internal audit

November 16, 2017 5 comments

I normally don’t post a blog on a Thursday, but the news today is so important I want to bring it to as many people’s attention as possible.

Please read this:

Report says UC president’s office improperly interfered with financial audit

Questions for you:

  1. Have you seen interference yourself in an audit that is similar in any respect to what is alleged in this report?
  2. What should be done?

I welcome your comments and let’s have a fruitful discussion.

Advertisements

Do we understand what a Risk Event is?

November 9, 2017 12 comments

People talk about a risk event as if it is obvious what it is and what it means.

COSO ERM talks about the possible effect of an event on objectives, and in common parlance we are talking about something happening that has an effect on the organization.  (COSO thinks of risk as the possibility of that event occurring; ISO talks about risk as the effect of what might happen on objectives.)

Most often, people are thinking of a negative effect, something harmful that is the consequence of the event.

Examples of so-called risk events include:

  • The passing of new regulations
  • The loss of a key employee
  • An earthquake, hurricane, flood, or other natural disaster
  • A data center fire
  • An intrusion by a hacker

One of the things that concern me is that these events may have multiple effects or consequences, not just one.

Some of those effects might be positive.

For example, a new regulation might mean that sales are disrupted and additional costs incurred to bring a product into compliance. There is an increase in cash flow risk, revenue risk, customer satisfaction risk, and compliance risk. But, if the organization is sufficiently prepared and agile, it may be able to release a compliant product earlier than its competitors and gain market share. In fact, some competitors may not be able to adjust at all.

The loss of a key employee may be a risk to a project or other key activity, but it is also an opportunity to hire somebody with greater or different skills, making other things possible. It may even be an opportunity to reorganize for agility or efficiency.

The loss of a data center due to fire or flood may have multiple and diverse effects, but is also an opportunity to build a better one, financed by the insurance proceeds.

There are times when it may be to a company’s advantage to get new regulations passed, simply because they are better prepared to respond than their competitors! It also helps the company’s reputation to be seen as sensitive to the demands of the community – for example by adding safety features.

All of this needs to be considered: the likelihood of an event, the range of potential consequences and the likelihood of each, how the organization can be prepared, and how advantage may be taken.

The other thing that gives me cause for concern is that events are not the only source of risk.

Decisions have an effect as well. The action taken following a decision, for example the decision to read this article, can have an effect as well.

But let’s come back to events.

Years ago, when I was a VP in IT, I was responsible for data center disaster recovery and corporate contingency planning.

I learned that rather than building a plan for every event that could cause the data center to be out of commission, it was better to build a plan that addressed how to deal with the effect of those events.

In other words, we had a plan for the loss of a data center, rather than separate ones for loss due to fire, flood, and so on.

Similarly, many things can happen that might affect the achievement of an objective.

Shouldn’t we have plans that address how we respond to the effect rather than to every event?

If we are monitoring the likelihood of achieving an objective rather than simply the levels of individual risks, won’t that help the organization run the business to success?

Just thinking.

What do you think?

Is asking about risk culture the right question?

November 3, 2017 6 comments

Everybody is talking about assessing and addressing risk culture.

They talk as if risk culture (the beliefs and so on that drive risk-taking behavior) is not only a major factor in whether risks are at desired levels, but is consistent across the organization.

But, while culture is a major driver of behavior (of all types, not just risk-taking), it is most certainly not consistent.

Consider the executive team.

Do they have an identical attitude towards taking risk? Aren’t some more careful and cautious than others? Isn’t there often a healthy debate when it comes to the timing of product launches or expansions into new markets?

If you don’t have a consistent attitude towards taking risk among the few members of the executive team, how can you expect to have a consistent attitude among the population of employees and decision-makers?

I am not saying that attention should not be paid to culture. If there are conditions (such as severe penalties and repercussions for making a mistake) that can drive behavior in the wrong direction, it is important to understand and address them.

What I am saying is that we should ask a different question.

How can we be reasonably sure that decision-makers will take the desired level of the desired risks, the level of risk that the board and top management want taken to achieve objectives?

Follow that with asking who (individuals and teams) is more likely to take a different level of risk?

Now that we have identified the potential sources of poor risk-taking (and decision-making, by the way), we can start to think about what we are going to do about it.

Options might include expanding or shrinking how we empower certain employees to make decisions and take risks without approval.

Let me close with this.

Are you paying too much attention to risk culture in general and not enough to people who you (or top management) are not confident will make intelligent and informed decisions and take the wrong level of risk (which may either be too little or too much)?

I welcome your comments.

Can you manage technology risk in today’s environment?

October 28, 2017 7 comments

While this post starts with an internal audit perspective, I close with how the board and top management should address the issue of information/cyber risk.

Protiviti believes, in An Involved and Agile IT Audit Function Is Key to Cybersecurity, that the internal audit team can add significant value when it comes to technology risk.

I tend to agree, but not in the same way that Protiviti suggests.

I do agree with these statements:

High-functioning audit teams help organizations look ahead to identify dangers and opportunities that lie on the road ahead. Getting ahead of the threats, rather than constantly reacting to their consequences, is what it’s all about.

There is a growing recognition that IT auditors need to be involved in the investment, planning, design and implementation phases of new technology projects as well as other, non-technology projects that have the potential to impact an organization’s security risk profile. Additionally, IT auditors should be considering whether their approach to cybersecurity risk assessments (often an annual, point-in-time activity) is sufficient given the rapidly evolving technology and threat landscapes.

I strongly agree with this:

Develop a view of cybersecurity risks focused on business services and outcomes rather than being viewed exclusively through a technology lens.

However, this should not (as implied by Protiviti) be an internal audit responsibility.

In fact, what is missing from the Protiviti piece is any assessment of management’s ability to understand technology-related business risks. Protiviti is marketing their own technology risk assessment methodology, which is a blend of top-down (i.e., considering the effect on the business and achievement of enterprise objectives of a failure relating to technology) and bottoms-up (the more traditional IT approach, starting with technology threats and vulnerabilities). I like the Protiviti approach (which is not at all new and should not be presented as such), but I don’t see it reflected sufficiently here.

Protiviti errs further, IMHO, when they say:

IT audit functions should ensure their cybersecurity risk assessments and supporting toolkits are designed and deployed to provide timely identification of key risks in an environment of rapidly evolving threats and technologies.

Internal audit should help management do this, with advice and insight, but should NEVER take on this responsibility themselves – or even consider it.

Frankly, I am concerned that most IT and information security functions don’t have the capability to:

  • Understand all the cyber risks their organization faces today and tomorrow in this dynamic and turbulent environment, especially how it could affect the organization, its business, and its enterprise objectives
  • Provide a reasonable level of prevention against cyber-attacks, whether internal or external
  • Ensure breaches are detected PROMPTLY
  • Ensure intruders are expelled PROMPTLY
  • Ensure that they know what the intruders did and can mitigate any damage PROMPTLY
  • Respond to the external stakeholders PROMPTLY and effectively

In the ‘old days’, when I was at times an IT auditor, responsible for information security, and then responsible for the internal audit function, I might have taken a different approach. I was fond of assessing the foundation for information security, including its resources (money and people) and positioning within the organization, policies, and acceptance by the rest of the organization. Then, I and my team would focus on the more significant areas of concern.

But today I would take a different approach.

These are the critical questions I would ask as a member of the board, as CEO, CIO, or as CFO.

  1. Do you (person responsible for information/cyber security, which should include the CEO and CIO) believe we have reasonable security? Is the risk at acceptable levels?
  2. If the answer is yes (which should rarely be the case):
    1. Why? What gives you this assurance? Would you bet your job on it?
    2. How do you know your risk assessment is reliable?
    3. How would the business and our objectives be affected?
    4. What confidence do you have that breaches would be prevented? Why? Is that an acceptable level of confidence?
    5. Do you believe you can keep out the most sophisticated attackers, such as from nation states’ cyber warfare teams? If yes, how? If not, why do you say risk is at acceptable levels?
    6. What confidence do you have that breaches would be detected on a timely basis so damage (including to our reputation) could be mitigated? How quickly would they be detected?
    7. Do you believe our response plan is effective? Why?
    8. Do you believe that we will continue to have effective information/cyber security as threats and techniques change, which they do?
    9. How and when will you communicate any change in the above or any successful intrusion?
  3. If the answer is no:
    1. What are you doing about it?
    2. Do you believe we will have effective information/cyber security within a very short time? If not, why not?
    3. Can we afford to try to do this in-house? Should we go to an external service provider?
    4. How are we addressing the risks this represents to the enterprise and its objectives? Do you know what they all are and do business leaders know?

Internal audit should always be auditing the risks of today and tomorrow – and ensuring that management knows what they are and has appropriate risk assessment and controls in place.

This is not new. Even when I started in IT audit, 40 years ago (OMG), we were performing ‘pre-implementation reviews’ and providing consulting services on major IT projects.

But, this is a new world and we need to re-examine traditional techniques for addressing technology risk.

Before assessing and testing controls, challenge management on whether they believe effective security is in place and why.

The effect of technology failures is simply too great not to.

I welcome your comments.

Are we doing enough about behavior?

October 22, 2017 Leave a comment

Mike Jacka has written from the heart in his latest blog post. Click on this to access it.

I encourage all of you to read it, think about it, and then answer these questions:

  1. Are you comfortable with the culture within your organization – how people behave towards others? Consider not only how women are treated, but those who are “different” in any way (gays, people of color, those who observe a different faith, etc).
  2. Are you comfortable with what is being done about it?
  3. Are you comfortable with what you are doing about it?
  4. What else should you, management, or internal audit do about it?

I have written about culture as having many facets. Auditing culture is not just about ethics, or risk-taking. It’s about behavior and what drives it.

Are we, as individuals (especially when we are in a position of authority, such as any member of internal audit) doing enough?

Well done, Mike!

Now it’s up to the rest of us to act.

COSO ERM explains the flaw in risk appetite statements

October 21, 2017 7 comments

Yes.

I really mean that.

Of course, COSO ERM 2017 pushes organizations to establish “risk profiles” (a.k.a., lists of risks or risk registers) and their risk appetite.

But if you look carefully you will see one paragraph in the COSO update that explains why devotion to compliance with a risk appetite statement can lead an organization to fail to take the right risks.

“Organizations may … choose to exceed the risk appetite if the effect of staying within the appetite is perceived to be greater than the potential exposure from exceeding it. For example, management may accept the risk associated with the expedited approval of a new product in favor of the opportunity and competitive advantage of bringing those products to market more quickly. Where an entity repeatedly accepts risks that approach or exceed appetite as part of its usual operations, a review and recalibration of the risk appetite may be warranted.”

In other words, stay within risk appetite if it is the right thing to do. Don’t stay if that is the right thing to do.

It’s all about weighing all the potential consequences before acting – not just the potential for harm.

Of course, that is what all effective decision-makers do.

Of course, that is what risk practitioners should advocate!

Devotion to remaining within risk appetite (if you can even express one that will proactively guide decision-makers) is likely to make you risk averse – and focusing on avoiding harm is the path to avoiding success.

So, what do we do instead?

Let’s spend our time and energy thinking about how we can enable those making the decisions necessary to running the business and achieving success to make good decisions. Smart decisions.

Empower people across the organization to use not only their experience and judgment, but all appropriate and reliable information to make informed and intelligent decisions.

Instead of worrying about whether they are complying with the risk appetite statement, worry about whether there is reasonable assurance that good decisions are made.

Radical?

Sensible?

What do you think?

Is it about managing risk?

October 14, 2017 7 comments

It seems to be Protiviti week! On my IIA blog, I am covering a piece by Jim DeLoach and Brian Christensen on internal audit. Here, I want to talk about another DeLoach piece, Transitioning Risk Management to the Digital Age.

Jim’s lead-in is excellent:

The risk management methodologies in play for most companies today were developed before the turn of the century. In effect, risk management is often an analog approach being applied in what is now a digital world. More importantly, if enterprise risk management (ERM) is a standalone process, it is suboptimal. More needs to be done to elevate risk management to help organizations face the dynamic realities of the 21st century and truly leverage the advances of digital, cloud, mobile and visualization technologies, exponential growth in computing power, and advanced analytics to embed deeper and more insightful risk information in strategy-setting, performance management and decision-making processes.

He continues with another excellent observation:

The business environment features rapid advances in and applications of digital technologies and rapidly changing business models. Consistent with the objective of being an early mover, risk reporting should help organizations become more agile, flexible and nimble in responding to a changing business environment. For most organizations, today’s risk reporting falls short of that objective.

But then he says something with which I strongly disagree.

To impact decision making, there are three questions risk reporting must address:

  • Am I riskier today than yesterday?
  • Am I going into a riskier time?
  • What are the underlying causes?

Jim, it’s not about risk.

It’s about achieving objectives.

Managing risk absent the context of your objectives leads you to manage what may be irrelevant and miss what may be crucial.

COSO ERM 2004 got it right when it said that risk management is “Geared to achievement of objectives in one or more separate but overlapping categories”.

Jim, IMHO the board should be asking these questions:

  • How likely are we to achieve our objectives?
  • If the likelihood is less than acceptable, why? What can we do about it?
  • If there is a possibility of exceeding our objective, what can and should we do?
  • What assurance do we have that management is taking the right risks, making intelligent and informed decisions?
  • Are there any risks that we should be concerned about, that merit our attention and possibly our action?

I don’t want the board to focus on risks in one meeting and then talk about performance and results in another.

They are or at least should be intertwined.

What do you think?

I welcome your comments.