My friend Richard Chambers has written a couple of posts that merit our careful attention.
Frankly, all of his posts merit our attention, but these are important.
I ask that you review:
- The State of Internal Audit: Facts vs. Conjecture, and
- For Internal Audit, the Best Defense Is a Strong Offense
I have not spoken to Richard about either of his posts nor about his motivation for writing them. (See Note at conclusion.)
However, I suspect that they were sparked by articles such as this, Internal Audit Losing Prestige, Survey Finds. To quote that piece:
In the eyes of CFOs and many other senior executives and board members, the internal audit function is fast losing prestige, a new study suggests.
The reason? Most internal auditors are slow to help their employers prepare for and respond to major corporate “disruptions” like big regulatory changes and cyber attacks, according to PwC’s 2017 State of the Internal Audit Profession Study.
The portion of “stakeholders” — internal auditors, senior executives, and board members — reporting that “internal audit adds significant value” plummeted from 54% in 2016 to 44% in 2017, reaching the study’s lowest level in the five years PwC has been tracking the metric.
Tim Leech of Risk Oversight was more gloomy about the current state of internal audit when he wrote a piece with the highly provocative title of Is Internal Audit the next Blackberry.
Full disclosure requires that I tell you that I have known both Richard and Tim for a very long time.
- Richard and I come from different backgrounds but tend to see things in similar ways (while he served as CAE in the US public sector, I served as CAE for global public companies; he worked with PwC in the consulting and audit services area before becoming CEO and President of the IIA, while I started my career with PwC in public accounting). His position requires him to be diplomatic while I tend to be more provocative. I served many years on IIA committees and task forces and Richard and I have collaborated on a number of AuditChannel broadcasts.
- Tim and I also have different backgrounds. While he also started with PwC (in Canada) before moving into internal audit, he has been a consultant for the last 30 years. Tim and I often disagree but have a mutual respect. Recently he has shared drafts of his work with me for comment before they are published.
Richard is far more provocative than usual in his March 27 post when he says:
It is a truism that negative news tends to generate more attention, and of late there has been too much of it directed at internal audit. I wouldn’t go so far as to characterize it all as “fake news,” but much of it is “hyped news” at best. Whether it’s a media headline trumpeting a purported decline in stakeholder confidence in internal audit or pundits characterizing the profession in such stark terms as the next Blackberry, a few sensational “sound bites” can easily become fodder for those who are quick to relegate the profession to irrelevancy.
Naturally, Tim sees this as labeling his writing as “fake news”.
Richard is 100% correct when he states:
No one has been more open and transparent about challenges and opportunities facing our profession than I have been. Along with other leaders of The IIA, we have continuously challenged internal auditors to acknowledge and address any shortcomings that surface. Internal audit should never shy away from fair critique of its work. However, superficial interpretation of data about the profession can quickly morph from valid encouragement for continuous improvement to destructive criticism.
Equating survey results indicating that less than half the respondents believe “internal audit adds significant value” with a loss of prestige is fallacious. The fact that internal audit functions are able to add staff may indicate that they are being given more resources so they can do more and add greater value.
I don’t believe internal audit is “losing prestige”. My belief is that internal audit can and should do more to deliver the value that our stakeholders need.
Unfortunately, internal audit at many if not most organizations does not have a lot of prestige and the argument should be about increasing rather than losing it.
Let’s look at some more information.
My friend Joe McCafferty of MISTI recently wrote about comments by a panel that included other friends, Larry Harrington and Angela Wizany, along with Brian Christensen of Protiviti. Joe’s piece is titled Stakeholders are sending a clear message to internal audit to step up its game.
I strongly recommend reading the piece and noting the eight action items.
One quote by Brian caught my eye:
Stakeholders are challenging us to get out of our swim lanes. We as auditors are so accustomed to doing our behaviors. We have our audit plans, we have our pencils. But [stakeholders] talked to us about the fact that things change. Be adaptable, be flexible, and be receptive to embracing new challenges and taking them on.
I have worked with IIA Malaysia in the past, including talking on their behalf to the Malaysia Securities Commission and presenting to board members. The profession appears to be strong there, but a recent survey indicates that more is needed.
An article in the local business newspaper reported that:
Public listed companies (PLCs) in the country still have much room to strengthen their internal audit functions, according to a year-long survey commissioned by the Institute of Internal Audit Malaysia (IIAM).
In a statement, IIAM said 54% of the PLCs on the Main Market preferred to outsource their internal audit function and almost all (90%) of these PLCs that outsourced paid RM100,000 or less in a year.
“The amounts incurred indicate that very junior staff or very few staff were in the audit team and a limited scope was covered. The low amounts are also a sign that the staff are not professional staff and may not have the experience and skillset to effectively carry out the work, thus less is spent,” the institute said.
“PLCs should consider the professional qualifications, certification and experience of their OSPs (outsourced service providers) in relation to the scope of the work required to ensure adequate coverage of risk areas and reliable reports are issued.”
Tim has every right to challenge the current state of internal auditing and I know Richard respects that.
I don’t agree with Tim’s reference to a “direct report internal audit paradigm”. While he has explained what he means to me in private conversation, I strongly doubt that many know what he is referring to. However, I do agree that internal audit should provide assurance on the effectiveness of risk management and its ability to help the organization make intelligent decisions and achieve objectives.
There is some merit to Tim’s thinking, but I always struggle with the way he says it. (Sorry, Tim).
Nevertheless, we need people like Tim to challenge us.
Now is the time to step back and think about why the surveys are saying what they are saying, and then talk about what needs to be done about it.
Richard and I have both shared our views with new books.
- Auditing that matters takes on the issue of auditing the risks that really matter to the success of the organization and then sharing with executive management and the board what they need to know.
- Trusted Advisors: Key Attributes of Outstanding Internal Auditors discusses the “top attributes needed to excel as an internal audit professional and be viewed as the go-to person within the entity”.
I would like to think that between us we have charted a way forward.
Internal auditors need to be “proactive” and “forward-looking” according to our Principles for Effective Internal Auditing.
Let’s adopt that mindset for our own practices and profession.
Forward ho! The future is bright. Internal auditing in 2020 and beyond may well be quite different than it has been in the past.
I welcome your comments.
NOTE: I shared a draft of this post with both Richard and Tim. Neither has a concern, although Tim and I remain at odds over his terminology and perhaps more.
Anthony Fitzsimmons recently sent me a review copy of his new book, Rethinking Reputation Risk. He says that it “Provides a new perspective on the true nature of reputational risk and damage to organizations and traces its root causes in individual and collective human behavior”.
I am not sure that there is much that is new in the book, but if you want to understand how human behavior can be the root cause (in fact, it is very often the root cause) of problems for any organization, you may find it of interest.
The authors (Fitzsimmons and Professor Derek Atkins) describe several case studies where human failures led to serious issues.
Humans as a root cause is also a topic I cover in World-Class Risk Management.
As I was reading the book, I realized that I have a problem with organizations giving separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.
The same thing applies to cyber risk and even compliance risk.
They are all dominoes.
A case study:
- There is a possibility that the manager in HR who recruits IT specialists leaves.
- The position is open for three months before an individual is hired.
- An open position for an IT specialist who is responsible for patching a number of systems is not filled for three months.
- A system vulnerability remains open because there is nobody to apply a vendor’s patch.
- A hacker obtains entry. CYBER RISK
- The hacker steals personal information on thousands of customers.
- The information is posted on the Internet.
- Customers are alarmed. REPUTATION RISK
- Sales drop.
- The company fails to meet analyst expectations for earnings.
- The price for the company’s shares drops 20%.
- The CEO decides to slash budgets and headcounts by 10% across the board.
- Individuals in Quality are laid off.
- Materials are not thoroughly inspected.
- Defective materials are used in production.
- Scrap rates rise, but not all defective products are detected and some are shipped to customers.
- Customers complain, return products and demand compensation. REPUTATION RISK
- Sales drop, earnings targets are missed again, and …
- At the same time as the Quality staff is downsized, the capital expenditure budget is cut.
- The Information Security Officer’s request for analytics to detect hackers who breach the company’s defenses is turned down.
- Multiple breaches are not detected. CYBER RISK
- Hackers steal the company’s trade secrets.
- Competitors acquire the trade secrets and are able to erode any edge the company may have.
- The company’s REPUTATION for a technology edge disappears. REPUTATION RISK
- Sales drop. Earnings targets are not achieved, and …
It is true that every domino and the source of risk to its stability (what might happen) needs to be addressed.
But, focusing on one or two dominoes in the chain is unlikely to prevent serious issues.
One decision at a low level in the company can have a domino effect.
I welcome your comments.
This is the time of year when people are rushing to share the top risks to organizations across the world.
Those lists include such items as cyber, political change, economic instability, and so on.
Here’s a different type of list.
It’s comprised of risks that are perhaps the most critical but, for whatever reason, rarely figure on any risk register (those awful devices) or other ERM report.
They are not in any particular order.
- Bad decisions, for any number of reasons such as involving the wrong people; relying on gut experience instead of information; failing to act; and so on
- Poor information flowing to decision-makers and the board (it may be out-of-date, slow, incomplete, indigestible, wrong, or simply off the mark)
- Hiring the wrong people
- Not having sufficient people
- Lack of teamwork
- Lack of shared goals
- Legacy systems that make the organization lack agility
- Bureaucracy that slows decisions and stifles ingenuity and innovation
- A bully of a CEO
- Executives who don’t listen
- Poor morale
- High turnover of staff
- Failing to fire poor customers
- Ignorance of new technology that could disrupt the business
- Being excessively risk averse
- An ineffective internal audit function
- An ineffective risk management function
- A legal function that does not provide quality advice when it is needed
- A CFO who does not get involved in the business and its operations
- And so many more
I welcome your thoughts – and additions of risks that are too often overlooked, usually for political reasons.
HAPPY NEW YEAR!
My apologies in advance to all those who talk about third-party risk, IT risk, cyber risk, and so on.
We don’t, or shouldn’t, address risk for its own sake. That’s what we are doing when we talk about these risk silos.
We should address risk because of its potential effect on the achievement of enterprise objectives.
Think about a tree.
In root cause analysis, we are taught that in order to understand the true cause of a problem, we need to do more than look at the symptoms (such as discoloration of the leaves or flaking of the bark on the trunk of the tree). We need to ask the question “why” multiple times to get to the true root cause.
Unless the root cause is addressed, the malaise will continue.
In a similar fashion, most risk practitioners and auditors (both internal and external) talk about risk at the individual root level.
Talking about cyber, or third party risk, is talking about a problem at an individual root level.
What we need to do is sit back and think about the potential effect of a root level issue on the overall health of the tree.
If we find issues at the root level, such as the potential for a breach that results in a prolonged systems outage or a failure by a third party service provider, what does that mean for the health of the tree?
Now let’s extend the metaphor one more step.
This is a fruit tree in an orchard owned and operated by a fruit farmer.
If a problem is found with one tree, is there a problem with multiple trees?
How will this problem, even if limited to a single tree or branch of a single tree, affect the overall health of the business?
Will the owner of the orchard be able to achieve his or her business objectives?
Multiple issues at the root level (i.e., sources of risk) need to be considered when the orchard owner is making strategic decisions such as when to feed the trees and when to harvest the fruit.
Considering, reporting, and “managing” risk at the root level is disconnected from running the business and achieving enterprise objectives.
I remind you of the concepts in A revolution in risk management.
Use the information about root level risk to help management understand how likely and to what extent it is that each enterprise business objective will be achieved.
Is the anticipated level of achievement acceptable?
I welcome your thoughts.
I have been a proponent and supporter of the OCEG view and definition of GRC for a very long time. In fact, OCEG honored me for my GRC thought leadership by making me one of the first OCEG Fellows (along with my friends, Michael Rasmussen and Brian Barnier).
I remain an advocate of their definition of GRC as well as their focus on Principled Performance.
Very recently, OCEG leadership published a maturity model for GRC (developed by RSA Archer, which has been an active member and sponsor of OCEG for as long as I can remember). You can download it (and become a member for free, which I heartily encourage) from the OCEG web site.
This paragraph from the Introduction to the paper explains both GRC and Principled Performance.
As the think tank that defined the business concept of GRC, OCEG has long talked about the need for a harmonized set of capabilities that enable an organization to reliably achieve its objectives, while addressing uncertainty and acting with integrity. These capabilities are outlined in the GRC Capability Model (“the OCEG Red Book”), the publicly vetted, free and open source standards for GRC planning and execution. The outcome of applying effective GRC is Principled Performance, which demands a mature, integrative approach to governance, risk management and compliance; the component parts of GRC.
As quoted in the paragraph above, OCEG defines GRC as “a harmonized set of capabilities that enable an organization to reliably achieve its objectives, while addressing uncertainty and acting with integrity.”
What I like about their definition is:
- It focuses on achieving objectives and delivering value to stakeholders, not just avoiding harm and remaining in compliance. Risk is managed, not for its own sake, but to help drive performance.
- It describes a capability that is more than the sum of its parts. It is more than governance, which includes not only the operation of the board but those of the legal department, internal audit, the strategic planning function, performance management, investor relations, and more; it is more than simply risk management, because it requires that the consideration of risk be part of the rhythm of the business (credit to EY for that expression) as decisions are made and strategy not only developed but executed; and, it is more than compliance: in fact, the OCEG definition includes not only compliance with applicable laws and regulations (what they call a ‘mandated boundary’) but with societal norms and the values of the enterprise (a ‘voluntary boundary’).
- It emphasizes the need for harmony between all the various elements of the organization if they are to drive towards and achieve shared goals for the enterprise.
This section from OCEG’s Red Book (version 2.0) builds on the short definition above. It says that GRC is:
“A system of people, processes and technology that enables an organization to:
- Understand and prioritize stakeholder expectations
- Set business objectives that are congruent with values and risks
- Achieve objectives while optimizing risk profile and protecting value
- Operate within legal, contractual, internal, social and ethical boundaries
- Provide relevant, reliable and timely information to appropriate stakeholders
- Enable the measurement of the performance and effectiveness of the system”
The question for me as I review the maturity model is whether it truly describes a GRC capability.
I believe it is a valuable piece of work, but only if you are concerned about the R and the C.
I am afraid that the authors, who are friends as well as colleagues, have fallen into the trap I started talking about more than 6 years ago.
The ‘G’ in GRC is silent.
Where is there mention of everybody, from the board down to the shop floor worker, working to shared objectives? Unless enterprise objectives are not just set and approved by the board and top management, but cascaded down and across the enterprise with all performance incentives fully aligned, how can we expect the right risks to be taken and value delivered?
Don’t expect harmony when people do not see the songsheet.
Where is there mention of effective decision-making? Both the ISO and COSO risk guidance are moving towards an emphasis on intelligent and informed decision-making. But, I don’t see that here.
Where is the integration of performance management and risk management? Sadly, it is not here either.
This is a fine document for risk and compliance maturity. But is it a maturity model for GRC?
Hopefully, there will be a version 2.0 of the model where the G is not silent, where it is in fact dominant.
I welcome your views.
OCEG, the Open Compliance and Ethics Group, is a not-for-profit think tank that focuses on Principled Performance and GRC. It has a wonderful website at www.oceg.org with many valuable resources for members. Membership is free for individuals.
I like the OECD definition of governance: “A set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.”
Overall, I am pleased to see the progress the internal audit practice has made over the last few years. While there are still serious problems regarding independence and resources in some parts of the world (where internal audit is established only to “check-the-box”, not with any intent to be a serious activity), more and more organizations are moving to what I call “enterprise risk-based” auditing; perhaps half are providing assurance through formal audits and assessments of the management of risk; and many are focusing on identifying problems before rather than after they occur, which has become a recurring mantra.
Yet, the picture is not entirely rosy.
This year, I have been privileged to work with the National Association of Corporate Directors. I was a panelist at three separate events where they discussed cyber risk.
In one group session, a director said that the board could not ask internal audit to assess and help with cyber risk because they lacked that capability. The others voiced their agreement, one and all.
This is a huge problem!
Internal audit may not always have the talent on staff to address every risk or concern, but if the board would only give it the resources, internal audit can either hire that staff or outsource the task.
As a chief audit executive, I have hired specialists to address specific risks in IT (including highly technical personnel), environmental compliance, engineering, fraud investigations, and more. Where possible, I have provided staff (including myself) training in specialized areas, such as derivatives trading, Six Sigma, and Lean Manufacturing.
I also used outside resources from consulting and personnel agencies:
- A derivatives trading and management specialist
- A “white hat” penetration testing team
- A former global procurement executive
- An expert in sales contracting and management
- A corporate tax specialist
- and more
Some talk about internal audit being the “consultant of choice”. I wouldn’t go that far. Where I would go is that internal audit should have the capability, whether through its own personnel, co-sourcing, or other contract staffing, to address and provide assurance on the key risks facing the enterprise.
Internal audit should:
- Inform the audit committee when it has insufficient resources to address a specialized area of risk, and endeavor to persuade them to provide such additional resources (headcount or dollars) to address the need
- Inform the audit committee that it has the capability to obtain the necessary resources to address specialized areas such as cyber security, ethics compliance, corporate culture, corporate governance and more. This means that the CAE needs to build a network that he/she can tap to locate and hire the necessary expertise
- Challenge management and even the audit committee when either goes outside to obtain assurance on an area of risk
I welcome your comments.
One of the readers of my work sent me this message.
I was reading your article about modern risk based audit [link added] published in the IIA journal. I find the approach very interesting.
In developing my plan I used to do the traditional risk assessment by identifying the audit universe then prioritizing entities based on risk. In your suggested approach, an auditor should start from the company strategy and objectives, identify the risks that jeopardize these objectives (this could be done through risk management) then audit controls related to those risks.
I had a discussion about that approach 4 months back and I got a lot of opposition from CAEs who audit banks. Their opinion is that they have to audit the big branches every year. I would really appreciate your opinion on that as, for some industries, it seems that covering the audit universe is as important as starting from the risks to objectives (such as expansion in a certain country).
I have seen a lot of CAEs surrender to the old approach simply because they are not politically strong enough to raise big strategic alarms to their board audit committees and senior management.
Apologies for reaching out to you this way, but I’m very passionate about what I do and I would like to learn and implement new good ideas such as the one suggested by you in the IIA journal.
I will start working on my annual plan now, changing the lens to start from the risks on objectives and not from the audit universe. I appreciate the opportunity to be able to reach out to you if I have difficulty in implementing this.
I enjoy the opportunity to mentor others and to evangelize internal auditing, so I replied straight away.
I used to be in internal audit at a bank, in ancient history, and understand the perspective. The idea is that the larger branches are a significant source of risk. I don’t quarrel with that, but how much work do you need to do there – that’s the key question! Do you look at every risk that is significant to the branch, or only those that are significant (in aggregate) to the bank as a whole?
The risk (pun intended) is that by focusing on details at the branch level you miss the big picture. I write about this in my internal audit book. At Solectron, we had about 120 factories (sites) and margins were so small that a serious issue at any one site could be significant to the business as a whole. My predecessor had an audit plan that spent 90% of the time auditing the sites.
Soon after I took over as CAE, I went over to my IT auditor who, like the rest of the team, was preparing for the next site audit. I asked what he was working on – perhaps looking at some analytics to improve his understanding of the business before he arrived. No. He was starting to draft the audit report! He told me that he found the same issues at every site, so he knew in advance what he would find at the next one!
I asked what corrective actions came from his findings and he explained that local management would upgrade the security, etc.
But, when I asked whether he or the former CAE had thought about whether this pervasive problem should be escalated to corporate and the office of the CIO, he said “no”. No audit had been performed of corporate IT, even the corporate IT security function.
Down in the weeds, missing the big picture.
I changed the approach to the one I discuss in my writing. We looked at the business risks to the enterprise should IT fail in some fashion. That led us to audit the way in which the company approached IT security, the leadership and capabilities of the corporate IT function, and so on.
Recently, Paul Sobel and I were on an OCEG webinar and talked about the topic of my book, world-class internal auditing. One of the survey questions asked whether those listening based their audit plans on risks at the location level or at the enterprise level. Unfortunately, the great majority used the ‘old’ approach, but we were heartened to hear that they intended to move to the ‘newer’ enterprise-risk based approach.
Where are you now and are you changing?
What should be audited at each location or within each business process? The risk to the process or the risk to the enterprise?
By the way, look at a related post on the IIA blog (it will appear this week) where a board member says that most internal audit ‘findings’ are mundane. I believe that is due, in part, to auditors being focused on risks in the weeds rather than to the enterprise.