The most important audits my team performed

A friend suggested that I should write more about audits that my team completed that stand out for their importance.

One that comes to mind immediately may surprise you.

It was not an audit that led to major change by the company. Instead, its most significant effect was that, as a result of the major finding and our recommendation, the respect for internal audit from both senior management and the board increased dramatically.

This is how I described it in World-Class Risk Management: Tales from my Journey.

Lorie Reynolds [my IT auditor] and I performed an audit of information security over the company’s primary data center in Concord, California. By now, Tosco had grown significantly, adding a second large refinery in Linden, New Jersey (the Bayway Refinery, acquired from Exxon) and a smaller refinery and gas station business in Ferndale, Washington (acquired from BP). But, the company’s financial system and other legacy applications were run at the Tosco Refining Company (TRC) data center and managed by TRC’s IT department, led by S. Denny Smith.

We knew going into the audit that the legacy systems were quite old, written in COBOL, and severely patched over the years. They were no longer supported by the vendor, but generally met the requirements of the users.

What we didn’t know until we performed the audit was that the only security over the legacy applications was enforced within the applications themselves – and that only applied to online transactions. There was no security to speak of over the batch jobs that accessed the application files directly for overnight and other processing, so the application-level controls could be bypassed entirely by that route.

The risk was high. While we believed that user controls would prevent any major failure when it came to either financial reporting or other critical business processes, the risk of business disruption from a security breach was significant.

But we didn’t make the leap to insisting on immediate corrective action. For a start, we knew that the company planned at some stage to move much of its IT production to a new data center at Bayway. We didn’t know when that would happen or what would move.

Lorie and I met with Denny and his manager, Bill McDaniel. We learned that management planned to shut down the entire Concord data center in favor of a new Bayway data center. In addition, because of anticipated company growth and a desire to upgrade to a modern set of applications, the plan was to replace the legacy systems as part of the data center move.

Lorie and Denny continued their conversations, considering what options were available to enhance security over the legacy applications. Unfortunately, they agreed that the cost would be high. When compared to the level of business risks posed by the security deficiencies, and considering that the legacy systems would be replaced, they were both reluctant to recommend that management make a significant capital investment in new security products.

When I presented the results of the audit to the audit committee, with the CEO and CFO in attendance, I told them that this was an area of high risk – but that I was not recommending that they take any action, except to continue to monitor management’s migration to the new data center and applications. (These days, now that we have a risk management language, I would say that “I agree with management that this is a risk that should be accepted”.)

My words were met with astonishment. They had never seen a CAE fail to recommend action on a high risk area!

But, I stood my ground. If I owned Tosco, I would not make the capital investment necessary to upgrade security.

Taking a business perspective is essential to world-class internal auditing.

Internal auditors should understand that business is not about avoiding or limiting risk; it is about taking the right risk. I have learned that all internal auditors should consider themselves business people who happen to have a job as internal auditors. Their work should be intended to contribute to the organization’s success, not just to point out deficiencies or “findings”.

Where it is appropriate to accept a risk or even to take more risk (because the risk is acceptable or even desirable if the organization is to succeed), auditors should not be afraid of standing tall and saying so.

I hope you enjoyed this story, one of many in the book. It highlights some important points for all internal auditors:

  • Our objective should be to help the organization succeed, not just avoid failure
  • We need to understand risk management within the context of our organization – how risks and opportunities are addressed in decision-making
  • It is not always appropriate to mitigate risks. Sometimes, the risks we identify should be accepted or even increased!
  • If we simply recommend spending scarce resources to address a risk and leave it to management to indicate in their response that they are willing to accept the risk, we are not helping anybody. In fact, we appear distanced from the business, failing to understand and help management and the board succeed
  • It is essential to put ourselves in the shoes of the owners of the enterprise and recommend the actions we would take ourselves
  • Even if management accepts a risk – and we agree with that decision – the board may need to know

What do you think?

  1. January 9, 2018 at 3:51 PM

    Yes and No. I see value in most of those ‘important points’ listed but the case study is a bit unconvincing because it doesn’t deal enough with the magnitude of the impact. It’s OK to take that liberal attitude to risk tolerance but there are risks in play over time (not dealt with here in this moment in time) and with size of the impact.

    Furthermore, point 5 suggests taking action/recommendations based on what we would do ourselves. Not sure about the sustainability of that because the self is governed by many internal and external influences. I suggest it’s better to base the actions/recommendations on sound principles and procedures.

    • Norman Marks
      January 10, 2018 at 7:20 AM

      Thank you for your comments, David. This is a true story.

      Of course we considered the potential impact and its likelihood, as well as the cost for addressing it in the current (soon to be obsolete) environment.

      The decision, agreed to by management and the board, was based on business judgment: the cost outweighed the benefit through risk reduction. That is a better basis, IMHO, than any process grounded in theory.

  2. Barry Raven
    January 10, 2018 at 1:46 PM

    I agree with all said especially with the recommendation of “continue to monitor management’s migration to the new data center and applications.” Companies I have worked for are famous for saying an application is going away and several years later after the application didn’t go away saying the same thing yet again.

  3. Kaya Kwinana
    January 10, 2018 at 5:39 PM

    They must have been very glad when you “told them that this was an area of high risk”.

    But if they did not already know this, how could they have accepted the risk?

    Was this a case of their internal control system being inadequate or being ineffective?

    In fact, was internal control adequacy and effectiveness a concern you raised at the meeting with the audit committee? Why not?

    If internal control was inadequate, you should have conducted and reported on a consulting engagement.

    If internal control was adequate, only then should you have conducted and reported on an assurance engagement, to the effect that even though internal control was adequate, it was ineffective – it was not being implemented as designed.

    Internal auditing is not concerned about individual issues but about the system of internal control as a whole, regarding every objective pursued everywhere in an organisation.

    Internal auditing does not encourage crisis management, where organisations are constantly fighting fires instead of addressing the fundamental issues which give rise to those fires.

    The irony of the situation is that you say “Instead, its most significant effect was that as a result of the major finding and our recommendation, the respect for internal audit from both senior management and the board dramatically increased.”

    This was NOT even an internal audit engagement. You don’t claim it was (to your credit, intentionally or not) and yet “the respect for internal audit from both senior management and the board dramatically increased.” Amazing!

    One of those fundamental issues is misleading risk management advice. You say, “It is not always appropriate to mitigate risks. Sometimes, the risks we identify should be accepted or even increased!”

    So in your mind, you envisage a situation where organisations should increase the probability of negative consequences – what they do not want to happen, or of bad things – happening?

    You must because to you the term “risk” means “threat” (otherwise your reference to risks and opportunities would be meaningless) and you never make the point that the acceptance of more risks applies only to opportunities and not to threats.

    The risk appetite – the level of risk an organisation is willing to accept – is higher for opportunities and lower for threats and is best specified after the inherent risk assessment of an identified risk in an adequate system of internal control.

    • Norman Marks
      January 11, 2018 at 6:50 AM

      Kaya, thank you for taking the time to comment at length.

      Here are my replies, embedded into your comment.

      They must have been very glad when you “told them that this was an area of high risk”.
      NEITHER THE BOARD NOR TOP MANAGEMENT WERE HAPPY TO KNOW THAT THEY HAD A SIGNIFICANT RISK

      But if they did not already know this, how could they have accepted the risk?
      THEY KNEW WHEN WE TOLD THEM

      Was this a case of their internal control system being inadequate or being ineffective?
      THE SYSTEM OF INTERNAL CONTROL (INFORMATION SECURITY) WAS INADEQUATE AND WE SAID THAT

      In fact, was internal control adequacy and effectiveness a concern you raised at the meeting with the audit committee? Why not?
      OF COURSE IT WAS

      If internal control was inadequate, you should have conducted and reported on a consulting engagement.
      WHY? THAT IS ONLY AN OPTION, NOT A REQUIREMENT. IN THIS CASE, WE HAD WORKED WITH MANAGEMENT TO ASSESS THE SITUATION (RISK AND THE VALUE OF REMEDIATION) AND WERE CONTINUING TO MONITOR THE SITUATION. THAT, IF YOU LIKE, WAS A CONSULTING ENGAGEMENT. WE WERE ALSO CONSULTING ON THE NEW DATA CENTER SETUP

      If internal control was adequate, only then should you have conducted and reported on an assurance engagement, to the effect that even though internal control was adequate, it was ineffective – it was not being implemented as designed.
      NONSENSE. IT WAS INEFFECTIVE AND THE RISK WAS HIGH AS A RESULT. THAT IS WHAT THE SITUATION WAS AND WHAT WE REPORTED

      Internal auditing is not concerned about individual issues but about the system of internal control as a whole, regarding every objective pursued everywhere in an organisation.
      ALSO NONSENSE. YOU OBTAIN AN ASSESSMENT OF INTERNAL CONTROL AS A WHOLE BY ASSESSING CONTROLS OVER THE MORE SIGNIFICANT RISKS – WHICH IS WHAT WE DID. WE PROVIDED AN OPINION OVER INTERNAL CONTROL AS A WHOLE LATER IN THE YEAR

      Internal auditing does not encourage crisis management, where organisations are constantly fighting fires instead of addressing the fundamental issues which give rise to those fires.
      TRUE. SO?

      The irony of the situation is that you say “Instead, its most significant effect was that as a result of the major finding and our recommendation, the respect for internal audit from both senior management and the board dramatically increased.”
      THAT IS NOT IRONY, IT’S SUCCESS

      This was NOT even an internal audit engagement. You don’t claim it was (to your credit, intentionally or not) and yet “the respect for internal audit from both senior management and the board dramatically increased.” Amazing!
      IT WAS AN INTERNAL AUDIT ENGAGEMENT

      One of those fundamental issues is misleading risk management advice. You say, “It is not always appropriate to mitigate risks. Sometimes, the risks we identify should be accepted or even increased!”
      THAT IS ESSENTIAL. BOTH COSO AND ISO WOULD AGREE

      So in your mind, you envisage a situation where organisations should increase the probability of negative consequences – what they do not want to happen, or of bad things – happening?
      DO YOU EVER CROSS THE ROAD? THAT IS INCREASING THE RISK OF BODILY HARM. BUT YOU DO IT FOR A REASON

      You must because to you the term “risk” means “threat” (otherwise your reference to risks and opportunities would be meaningless) and you never make the point that the acceptance of more risks applies only to opportunities and not to threats.
      RISK IS THE EFFECT OF UNCERTAINTY ON OBJECTIVES AND INCLUDES BOTH POTENTIALLY POSITIVE AND NEGATIVE EFFECTS. YOU SHOULD READ MY BOOK TO UNDERSTAND MY VIEWS ON RISK MANAGEMENT. ACCEPTING RISK APPLIES TO POTENTIALLY NEGATIVE EFFECTS SO THAT YOU CAN PURSUE POSITIVE EFFECTS

      The risk appetite – the level of risk an organisation is willing to accept – is higher for opportunities and lower for threats and is best specified after the inherent risk assessment of an identified risk in an adequate system of internal control.
      SORRY, I DON’T THINK YOU UNDERSTAND RISK MANAGEMENT. OF COURSE YOU ARE WILLING TO ACCEPT OPPORTUNITIES IF THEY COME WITHOUT STRINGS (POTENTIALLY ADVERSE EFFECTS). YOU ALSO ACCEPT POTENTIALLY ADVERSE EFFECTS (SUCH AS BEING HIT WHEN CROSSING THE ROAD) BECAUSE OF THE POTENTIAL FOR GAIN OR BECAUSE THE COST OF REMEDIATION EXCEEDS THE RISK

  4. January 11, 2018 at 2:45 AM

    Intelligent risk taking is much more valuable than relentless risk avoidance. As racing icon Mario Andretti stated “If everything is under control, you are moving too slow”. This is true in business as well.

  5. January 11, 2018 at 9:54 AM

    Your last point (‘tell the board’) is particularly important where high risks are not being controlled to bring them below what the board would normally consider as acceptable. It gives them the opportunity to approve the decisions and ensures no unexpected surprises. It also lessens the chance of scapegoating and ‘blame games’ if the risks do occur.
