Archive

Archive for the ‘Audit’ Category

Deloitte on internal audit and the path forward

May 12, 2017 36 comments

In a new paper, Deloitte takes the results of its latest survey of chief audit executives (CAEs) and makes recommendations for action.

The survey, which has been widely reported, indicated that in the opinion of the responding CAEs only 28% of them “believe their functions have strong impact and influence in their organizations, while 16 percent felt that Internal Audit has little to no impact and influence”.

I think the path to fixing the problem starts with acknowledging it, which Richard Chamber has done in a number of his IIA posts (which you can find here).

Deloitte has suggested 9 areas of focus.

I disagree with them.

Here are my suggestions for CAEs, audit committee members, and executives who want to help improve the quality and value of internal audit services.

  1. Audit what matters. Audit how risks to the achievement of enterprise objectives, what might cause them to fail and what is necessary to succeed, are managed. Richard Chamber and I have both written a book with advice on the path forward. Neither of us do it for the money; it’s our shared desire to see the profession advance. My latest book addresses this topic and more, Auditing that matters.
  2. Focus on helping your stakeholders succeed, rather than on performing audits and writing audit reports. Read Richard’s latest, Trusted advisors: key attributes of outstanding internal auditors. Ask what information your stakeholders need from you which could make them welcome you to their table.
  3. Communicate what matters, when it matters, in a way that is actionable and readily consumed. The advice on this topic from Deloitte is off the mark. I cover the point in far more detail in my book, including pointing out that IIA Standards do not require an audit report; that the best communication is face-to-face where questions can be asked and answered; and that we need to deliver our assurance, recommendations, and insights at speed. The business is being run faster and faster, yet our reporting process remains slow and old-fashioned.
  4. Understand why the CAE is not getting the respect he or she should. Is it a failure of the CAE to explain effectively or of the audit committee and management to understand the potential for internal audit to help them succeed? Is it because the CAE is complacent, delivering what he is told he should and being satisfied with good performance reviews and bonuses instead of pushing the envelope to deliver the services and value he or she could and should?
  5. Deliver. Last but hardly least, the CAE must deliver assurance and insights that the executive team and the audit committee truly value. Again, this is what my book is all about, but if the executives and audit committee see our end product as ‘ho-hum’ and not something that might affect their decisions or strategies, then is it worth the money being spent on internal audit? Why should they give respect and, more importantly, their time to an activity that is peripheral at best to running the business?
  6. Be willing to change. Some CAEs, such as Chris Keller at Apple, have thrown out the traditional internal audit model because they can see a better way to add value to the organization, providing assurance that the right risks are being taken. We don’t accept people in the business doing things the same way for years because that’s the way it is always done, so why should we do that ourselves?

 

I welcome your comments and perspectives.

How do we make decisions? Where does ERM fit?

May 8, 2017 4 comments

How do you make decisions in your personal life?

How do you decide where to live, which car to buy, and where to go for lunch?

For many of us, the last is the most difficult decision to make in a day!

So let’s think about it.

 

It’s lunch time. Even if your watch didn’t tell you, your stomach is loud.

The first decision is whether you are going to eat at all.

Can you afford the time? Can you afford not to eat, given what lies ahead in your day?

What can you get done if you skip lunch? What will suffer if you don’t?

Did you bring your lunch to work? That would provide a compromise solution: eat while you work. Do you really want to do that and risk getting stains on your papers? Is it accepted behavior or will you be forced to leave your workspace for a lunch room or similar – in which case, time might be saved but the idea of eating and working may not be achieved.

If you have to get some lunch, where do you go?

Do you go where you love the food, or where you can get a quick bite of so-so flavor and be back at work promptly, or do you go somewhere where the food is just OK but at least is relatively quick?

Or, do you gather up some colleagues and have a lunch together? This may help with team spirit and other objectives but would take longer. Maybe your colleagues ‘expect’ you to go with them and failing to do so will affect your relationship with them.

Can you afford the time, given how much work you have and the deadlines given you by your boss?

 

There’s more to the lunch issue (such as how will you get to the restaurant and when you should leave), but let’s leave it there.

 

What we did was consider our current situation and determine whether it was acceptable or not. We decided that it was not, because we needed (and wanted) to eat. The value of eating outweighed the loss of time (sorry, boss).

We then considered all the options, the benefits and downsides of each.

We made a decision.

 

Where was the risk manager with his list of potential harms?

Did we have a separate analysis of the risks from any analysis of the benefits (getting more work done, satisfying the boss, enjoying our food, and being ready for the rest of the day)?

What would you say if one of your colleagues responded to every suggestion about a restaurant by pointing out what could go wrong (bad food, food poisoning, delays getting back, unpleasant service, and so on)?

Would you say he or she was doing their job well and look for a separate colleague to identify and assess all the good things that might happen by going to this or that restaurant?

 

Can risk practitioners continue to be the voice of gloom and expect to be asked to join the CEO for lunch at his or her club?

 

I welcome your thoughts.

Risk appetite in practice

April 29, 2017 32 comments

From time to time, I am asked about the best risk management activity I have seen. Perhaps the best overall ERM was at SAP. I wouldn’t say it was perfect but it did include not only periodic reviews but the careful consideration of risk in every revenue transaction (including contracting) and development activity.

The best risk management activity was when I was with Maxtor, a $4b hard drive manufacturing company. It was based in the US but had major operations in Singapore, which is where I saw this.

The head of procurement for the region, a vice president, and his director were evaluating bids to supply the two Singapore plants with critical materials.

Margins in that business were not high, so the effective management of cost was very important indeed.

[David Griffiths has pointed out that my post, as originally written, did not specify the objectives to which we have risks. I am adding them here:

  • Procure critical materials at the lowest possible cost to optimize margins
  • Ensure timely delivery of critical materials to support manufacturing and timely delivery of finished products to customers with a positive effect on customer satisfaction
  • Minimize supply chain disruption risk
  • Ensure quality materials so that scrap and rework are minimized, manufacturing is not delayed, costs are contained, and customers are satisfied]

But, there were additional issues or ‘risks’ to consider:

  • The choice of a single vendor would increase the likelihood and extent of supply chain disruption if that vendor was hit by floods or other situations that could disrupt its ability to manufacture and deliver.
  • If we were dependent on a single vendor, that vendor could demand price increases.
  • If we were dependent on a single vendor, we could not switch with agility to another should the single vendor have quality manufacturing problems.
  • If the decision was made to select two vendors, the total cost would be likely to increase.
  • If two vendors were selected and the supply split between them, there would be less desire for them to make us a priority customer.
  • If only two vendors were selected, there would still be significant supply-chain disruption risk.
  • If more than two vendors were selected, additional agility would be obtained, but at a cost.
  • If more than two vendors were selected, they might be less reliable because they would be less dependent on us as a major customer.

Cost was not the only consideration. Quality, timely delivery, and our agility to respond to any form of disruption were also very important.

The procurement VP gathered together all the potentially affected parties to participate in the decision, including the vice presidents for finance, sales, manufacturing, and quality.

They considered all the options, the consequences of each decision (both positive and negative), and decided to select three vendors and split the allocation between them. They also decided to negotiate backup supply contracts with a couple of other companies.

The decision involved taking a higher level of some risks and lower levels of others.

Basing the decision on whether one risk was too high would not have led to the optimal overall result.

Now, how would a risk appetite statement have helped the VP of procurement?

I believe the answer is “not at all”.

What do you think?

I welcome your comments.

The state of the internal audit profession

April 6, 2017 18 comments

My friend Richard Chambers has written a couple of posts that merit our careful attention.

Frankly, all of his posts merit our attention, but these are important.

I ask that you review:

I have not spoken to Richard about either of his posts nor about his motivation for writing them. (See Note at conclusion.)

However, I suspect that they were sparked by articles such as this, Internal Audit Losing Prestige, Survey Finds. To quote that piece:

In the eyes of CFOs and many other senior executives and board members, the internal audit function is fast losing prestige, a new study suggests.

The reason? Most internal auditors are slow to help their employers prepare for and respond to major corporate “disruptions” like big regulatory changes and cyber attacks, according to PwC’s 2017 State of the Internal Audit Profession Study.

The portion of “stakeholders” — internal auditors, senior executives, and board members — reporting that “internal audit adds significant value” plummeted from 54% in 2016 to 44% in 2017, reaching the study’s lowest level in the five years PwC has been tracking the metric.

Tim Leech of Risk Oversight was more gloomy about the current state of internal audit when he wrote a piece with the highly provocative title of Is Internal Audit the next Blackberry.

Full disclosure requires that I tell you that I have known both Richard and Tim for a very long time.

  • Richard and I come from different backgrounds but tend to see things in similar ways (while he served as CAE in the US public sector, I served as CAE for global public companies; he worked with PwC in the consulting and audit services area before becoming CEO and President of the IIA, while I started my career with PwC in public accounting). His position requires him to be diplomatic while I tend to be more provocative. I served many years on IIA committees and task forces and Richard and I have collaborated on a number of AuditChannel broadcasts.
  • Tim and I also have different backgrounds. While he also started with PwC (in Canada) before moving into internal audit, he has been a consultant for the last 30 years. Tim and I often disagree but have a mutual respect. Recently he has shared drafts of his work with me for comment before they are published.

Richard is far more provocative than usual in his March 27 post when he says:

It is a truism that negative news tends to generate more attention, and of late there has been too much of it directed at internal audit. I wouldn’t go so far as to characterize it all as “fake news,” but much of it is “hyped news” at best. Whether it’s a media headline trumpeting a purported decline in stakeholder confidence in internal audit or pundits characterizing the profession in such stark terms as the next Blackberry, a few sensational “sound bites” can easily become fodder for those who are quick to relegate the profession to irrelevancy.

Naturally, Tim sees this as labeling his writing as “fake news”.

Richard is 100% correct when he states:

No one has been more open and transparent about challenges and opportunities facing our profession than I have been. Along with other leaders of The IIA, we have continuously challenged internal auditors to acknowledge and address any shortcomings that surface. Internal audit should never shy away from fair critique of its work. However, superficial interpretation of data about the profession can quickly morph from valid encouragement for continuous improvement to destructive criticism.

Equating survey results indicating that less than half the respondents believe “internal audit adds significant value” with a loss of prestige is fallacious. The fact that internal audit functions are able to add staff may indicate that they are being given more resources so they can do more and add greater value.

I don’t believe internal audit is “losing prestige”. My belief is that internal audit can and should do more to deliver the value that our stakeholders need.

Unfortunately, internal audit at many if not most organizations does not have a lot of prestige and the argument should be about increasing rather than losing it.

Let’s look at some more information.

My friend Joe McCafferty of MISTI recently wrote about comments by a panel that included other friends, Larry Harrington and Angela Wizany, along with Brian Christensen of Protiviti. Joe’s piece is titled Stakeholders are sending a clear message to internal audit to step up its game.

I strongly recommend reading the piece and noting the eight action items.

One quote by Brian caught my eye:

Stakeholders are challenging us to get out of our swim lanes. We as auditors are so accustomed to doing our behaviors. We have our audit plans, we have our pencils. But [stakeholders] talked to us about the fact that things change. Be adaptable, be flexible, and be receptive to embracing new challenges and taking them on.

I have worked with IIA Malaysia in the past, including talking on their behalf to the Malaysia Securities Commission and presenting to board members. The profession appears to be strong there, but a recent survey indicates that more is needed.

An article in the local business newspaper reported that:

Public listed companies (PLCs) in the country still have much room to strengthen their internal audit functions, according to a year-long survey commissioned by the Institute of Internal Audit Malaysia (IIAM).

In a statement, IIAM said 54% of the PLCs on the Main Market preferred to outsource their internal audit function and almost all (90%) of these PLCs that outsourced paid RM100,000 or less in a year.

“The amounts incurred indicate that very junior staff or very few staff were in the audit team and a limited scope was covered. The low amounts are also a sign that the staff are not professional staff and may not have the experience and skillset to effectively carry out the work, thus less is spent,” the institute said.

“PLCs should consider the professional qualifications, certification and experience of their OSPs (outsourced service providers) in relation to the scope of the work required to ensure adequate coverage of risk areas and reliable reports are issued.”

Tim has every right to challenge the current state of internal auditing and I know Richard respects that.

I don’t agree with Tim’s reference to a “direct report internal audit paradigm”. While he has explained what he means to me in private conversation, I strongly doubt that many know what he is referring to. However, I do agree that internal audit should provide assurance on the effectiveness of risk management and its ability to help the organization make intelligent decisions and achieve objectives.

There is some merit to Tim’s thinking, but I always struggle with the way he says it. (Sorry, Tim).

Nevertheless, we need people like Tim to challenge us.

Now is the time to step back and think about why the surveys are saying what they are saying, and then talk about what needs to be done about it.

Richard and I have both shared our views with new books.

I would like to think that between us we have charted a way forward.

Internal auditors need to be “proactive” and “forward-looking” according to our Principles for Effective Internal Auditing.

Let’s adopt that mindset for our own practices and profession.

Forward ho! The future is bright. Internal auditing in 2020 and beyond may well be quite different than it has been in the past.

I welcome your comments.

 

 

NOTE: I shared a draft of this post with both Richard and Tim. Neither has a concern, although Tim and I remain at odds over his terminology and perhaps more.

Cyber and reputation risk are dominoes

February 18, 2017 12 comments

Anthony Fitzsimmons recently sent me a review copy of his new book, Rethinking Reputation Risk. He says that it “Provides a new perspective on the true nature of reputational risk and damage to organizations and traces its root causes in individual and collective human behavior”.

I am not sure that there is much that is new in the book, but if you want to understand how human behavior can be the root cause (in fact, it is very often the root cause) of problems for any organization, you may find it of interest.

The authors (Fitsimmons and Professor Derek Atkins) describe several case studies where human failures led to serious issues.

Humans as a root cause is also a topic I cover in World-Class Risk Management.

As I was reading the book, I realized that I have a problem with organizations placing separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.

The same thing applies to cyber risk and even compliance risk.

They are all dominoes.

dominoes

A case study:

  • There is a possibility that the manager in HR that recruits IT specialists leaves.
  • The position is open for three months before an individual is hired.
  • An open position for an IT specialist who is responsible for patching a number of systems is not filled for three months.
  • A system vulnerability remains open because there is nobody to apply a vendor’s patch.
  • A hacker obtains entry. CYBER RISK
  • The hacker steals personal information on thousands of customers.
  • The information is posted on the Internet.
  • Customers are alarmed. REPUTATION RISK
  • Sales drop.
  • The company fails to meet analyst expectations for earnings.
  • The price for the company’s shares drop 20%.
  • The CEO decides to slash budgets and headcounts by 10% across the board.
  • Individuals in Quality are laid off.
  • Materials are not thoroughly inspected.
  • Defective materials are used in production.
  • Scrap rates rise, but not all defective products are detected and some are shipped to customers.
  • Customers complain, return products and demand compensation. REPUTATION RISK
  • Sales drop, earnings targets are missed again, and …….
  • At the same time as the Quality staff is downsized, the capital expenditure budget is cut.
  • The Information Security Officer’s request for analytics to detect hackers who breach the company’s defenses is turned down.
  • Multiple breaches are not detected. CYBER RISK
  • Hackers steal the company’s trade secrets.
  • Competitors acquire the trade secrets and are able to erode any edge the company may have.
  • The company’s REPUTATION for a technology edge disappears. REPUTATION RISK
  • Sales drop. Earnings targets are not achieved, and……..

It is true that every domino and the source of risk to its stability (what might happen) needs to be addressed.

But, focusing on one or two dominoes in the chain is unlikely to prevent serious issues.

One decision at a low level in the company can have a domino effect.

Consider this slide deck by ERM Strategies, Inc. about the Deep Water Horizon disaster.

I welcome your comments.

The real risks: the ones not in the typical list of top risks

December 31, 2016 22 comments

This is the time of year when people are rushing to share the top risks to organizations across the world.

Those lists include such items as cyber, political change, economic instability, and so on.

Here’s a different type of list.

It’s comprised of risks that are perhaps the most critical but, for whatever reason, rarely figure on any risk register (those awful devices) or other ERM report.

They are not in any particular order.

  • Bad decisions, for any number of reasons such as involving the wrong people; relying on gut experience instead of information; failing to act; and so on
  • Poor information flowing to decision-makers and the board (it may be out-of-date, slow, incomplete, indigestible, wrong, or simply off the mark)
  • Hiring the wrong people
  • Not having sufficient people
  • Lack of teamwork
  • Lack of shared goals
  • Politics
  • Legacy systems that make the organization lack agility
  • Bureaucracy that slows decisions and stifles ingenuity and innovation
  • A bully of a CEO
  • Executives who don’t listen
  • Poor morale
  • High turnover of staff
  • Failing to fire poor customers
  • Ignorance of new technology that could disrupt the business
  • Being excessively risk averse
  • An ineffective internal audit function
  • An ineffective risk management function
  • A legal function that does not provide quality advice when it is needed
  • A CFO who does not get involved in the business and its operations
  • And so many more

I welcome your thoughts – and additions of risks that are too often overlooked, usually for political reasons.

HAPPY NEW YEAR!

Why do so many practitioners misunderstand risk?

November 26, 2016 19 comments

My apologies in advance to all those who talk about third-party risk, IT risk, cyber risk, and so on.

We don’t, or shouldn’t, address risk for its own sake. That’s what we are doing when we talk about these risk silos.

We should address risk because of its potential effect on the achievement of enterprise objectives.

Think about a tree.

fruit-tree

In root cause analysis, we are taught that in order to understand the true cause of a problem, we need to do more than look at the symptoms (such as discoloration of the leaves or flaking of the bark on the trunk of the tree). We need to ask the question “why” multiple times to get to the true root cause.

Unless the root cause is addressed, the malaise will continue.

In a similar fashion, most risk practitioners and auditors (both internal and external) talk about risk at the individual root level.

Talking about cyber, or third party risk, is talking about a problem at an individual root level.

What we need to do is sit back and think about the potential effect of a root level issue on the overall health of the tree.

If we find issues at the root level, such as the potential for a breach that results in a prolonged systems outage or a failure by a third party service provider, what does that mean for the health of the tree?

Now let’s extend the metaphor one more step.

This is a fruit tree in an orchard owned and operated by a fruit farmer.

If a problem is found with one tree, is there a problem with multiple trees?

How will this problem, even if limited to a single tree or branch of a single tree, affect the overall health of the business?

Will the owner of the orchard be able to achieve his or her business objectives?

Multiple issues at the root level (i.e., sources of risk) need to be considered when the orchard owner is making strategic decisions such as when to feed the trees and when to harvest the fruit.

Considering, reporting, and “managing” risk at the root level is disconnected from running the business and achieving enterprise objectives.

I remind you of the concepts in A revolution in risk management.

Use the information about root level risk to help management understand how likely and to what extent it is that each enterprise business objective will be achieved.

Is the anticipated level of achievement acceptable?

I welcome your thoughts.