Practitioners in a box

September 14, 2018

You know the expression, “think outside the box?”

Well, over the years I have met many risk and audit leaders who did just that.

They came into a new position and formed, then led, a function that was creative and well received by top management and the board.

However, they fell in love with their creation.

They thought they had found the answer.

But the world is changing and so are the questions.

What might have been outstanding when established can become barely adequate, if that, over time.

That time may even be as short as a year or two!

What these leaders have done is build a new box around themselves: a box built with the ideas of the past.

Successful leaders are constantly challenging themselves and fixing things even if they are not broken – yet.

They listen to new ideas and techniques, not blindly but with an appropriate level of skepticism and openness.

As you know, I have written here and in my books that the practices of internal audit and risk management need to change.

The practices that worked well in the past don’t help our leaders and the organization to succeed.

The old style of creating and then managing a list of risks, or a static audit plan composed of audits of locations and processes instead of how enterprise risks are managed, needs to be vigorously discarded.

When I speak at conferences around the world, excited auditors and risk practitioners tell me they want to embrace the ideas in Auditing that Matters.

The trouble is that their leader lives in a box of his past success.

Is that your world? It sounds claustrophobic to me.

I welcome your thoughts.

  1. Mike Corcoran
    September 14, 2018 at 3:29 PM

    Yeah, we got rid of this approach in 1983.

  2. Ammar Ahmed REDA
    September 14, 2018 at 3:49 PM

    “When I speak at conferences around the world, excited auditors and risk practitioners tell me they want to embrace the ideas in Auditing that Matters.” – Don’t you think, Norman, that you are following suit as most of the professionals? You keep on referring to the ideas that you shared in your book and ever since then you keep quoting mostly the same ideas (basically living in your own other box you created no. of years ago). BTW, I agree with the theme of your article. Thanks for sparing time and sharing your ideas.


    • Norman Marks
      September 15, 2018 at 6:12 AM

      Excellent challenge, Ammar!

      I wrote that book a couple of years ago and in the process clarified and expanded my thinking.

      Have I moved on since then?

      The answer is Yes.

      That’s not to say that what I wrote is outdated.

      It stands the test of time so far.

      But I am influenced by the movement in risk management to the consideration of informed and intelligent decision-making. Noting that rational thinking only dominates 30% of decisions and 70% are the results of emotions (think cognitive bias, etc.), I am working my way through how internal audit should address the quality of decision-making processes.

      I expect to be addressing that issue in future posts, maybe a book.

      Again, thanks for keeping me on my toes.

  3. Jeffrey Hare
    September 14, 2018 at 5:18 PM

    The industry as a whole has a LONG ways to go. Management is way too reactive to external audit findings and needs to be more proactive at identifying and managing risk.

    I don’t see a big change coming until the PCAOB cracks down on the big 4 for wild inconsistencies in their audit approach. There is little standardization in auditing. I bring this perspective from seeing significant differences within firms in auditing Oracle E-Business Suite. There doesn’t appear to be national standards at all.

  4. GSosbee
    September 15, 2018 at 6:27 AM

    Everything in life changes with age. Leadership, while concerned with tactical implementation, should be focused on the strategic (long-term) plan of the organization – even if that plan means their position could possibly change through M&A.

    Risk managers have to be ready to provide appropriate input into potential strategic changes while minding tactical risk finance applications. Internal auditors have to keep up with changes in policies and procedures.

  5. September 17, 2018 at 3:13 AM

    When hanging on to an idea you are forgetting that business development is like walking up a down-escalator. The very second you stand still (or even, do not move fast enough) you are moving in the wrong direction.

    It’s a firm ISO 31000 principle … “continuous improvement” and improvement in this context is not about doing things you have always done, just a bit faster. It’s about changing what you are doing to meet the needs of today and tomorrow.

    • Jeffrey Hare
      September 18, 2018 at 5:55 AM

      Norman – we should connect. We have a lot in common. Check this out:


      This blows a hole in the substantive-only audits. If only the PCAOB understood this concept and held the big 4 accountable… it would have a huge impact on the audit strategy of the externals / big 4. Involving IT Audit or at least having an understanding of the system is essential to having complete population – especially in the area of JEs.

  6. Anonymous
    September 17, 2018 at 3:14 AM

    Not changing denies the logic of life, which is interdependent, interconnected and in constant change. We continue to see how flawed risk and compliance management programmes fly in the face of such logic through the constant flow of misconduct scandals. The 3LOD model is a perfect example – instead of challenging its validity, the embeddedness excuse keeps getting trotted out as the reason it has failed. It failed because it is a theoretical model that does not work in the real world – yet we continue to live inside the box that thinks it does. Thanks for your thoughts.

  7. Anonymous
    September 17, 2018 at 8:24 AM

    It’s human to want to live in past glories. IA functions that do this however are a huge disservice to their organisations.
    The tragedy is that at times senior management and the board may never know how much they are missing through backward looking IA as opposed to the ideal forward looking, risk anticipating and org. objectives-oriented IA function. This especially happens when CAEs resort to sensationally reporting non issues or minor issues riding on past performances to obscure absence of strategic focus.
    It’s true many CAEs would rather not rock the boat especially when things seem to be okay in the organisation lest they be seen to be against business.
    Over emphasis in the past robs organisations of IA’s integral contribution in evaluation of risk management and governance since most risks likely to affect org. objectives are future risks as opposed to those addressed by CAEs who choose to operate in their comfort zones

  8. Dan kalwiji
    September 23, 2018 at 4:26 PM

    Innovation is important but auditors need to pay attention to what is happening in their own yard. Auditors are inclined to expect response to change being undertaken by their clients. Auditors ought to review their control environment, assess audit risk, ensure audits are controlled effectively, and systems monitored. The audit committee needs assurance that effective systems are in place to reduce audit risk to reasonable levels and that risks and controls brought out of audits are reasonable and reliable.
