Archive for the ‘Compliance’ Category

Cyber and reputation risk are dominoes

February 18, 2017

Anthony Fitzsimmons recently sent me a review copy of his new book, Rethinking Reputation Risk. He says that it “Provides a new perspective on the true nature of reputational risk and damage to organizations and traces its root causes in individual and collective human behavior”.

I am not sure that there is much that is new in the book, but if you want to understand how human behavior can be the root cause (in fact, it is very often the root cause) of problems for any organization, you may find it of interest.

The authors (Fitzsimmons and Professor Derek Atkins) describe several case studies where human failures led to serious issues.

Humans as a root cause is also a topic I cover in World-Class Risk Management.

As I was reading the book, I realized that I have a problem with organizations paying separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.

The same thing applies to cyber risk and even compliance risk.

They are all dominoes.

A case study:

  • There is a possibility that the manager in HR that recruits IT specialists leaves.
  • The position is open for three months before an individual is hired.
  • An open position for an IT specialist who is responsible for patching a number of systems is not filled for three months.
  • A system vulnerability remains open because there is nobody to apply a vendor’s patch.
  • A hacker obtains entry. CYBER RISK
  • The hacker steals personal information on thousands of customers.
  • The information is posted on the Internet.
  • Customers are alarmed. REPUTATION RISK
  • Sales drop.
  • The company fails to meet analyst expectations for earnings.
  • The price for the company’s shares drops 20%.
  • The CEO decides to slash budgets and headcounts by 10% across the board.
  • Individuals in Quality are laid off.
  • Materials are not thoroughly inspected.
  • Defective materials are used in production.
  • Scrap rates rise, but not all defective products are detected and some are shipped to customers.
  • Customers complain, return products and demand compensation. REPUTATION RISK
  • Sales drop, earnings targets are missed again, and …….
  • At the same time as the Quality staff is downsized, the capital expenditure budget is cut.
  • The Information Security Officer’s request for analytics to detect hackers who breach the company’s defenses is turned down.
  • Multiple breaches are not detected. CYBER RISK
  • Hackers steal the company’s trade secrets.
  • Competitors acquire the trade secrets and are able to erode any edge the company may have.
  • The company’s REPUTATION for a technology edge disappears. REPUTATION RISK
  • Sales drop. Earnings targets are not achieved, and……..

It is true that every domino and the source of risk to its stability (what might happen) needs to be addressed.

But, focusing on one or two dominoes in the chain is unlikely to prevent serious issues.

One decision at a low level in the company can have a domino effect.

Consider this slide deck by ERM Strategies, Inc. about the Deepwater Horizon disaster.

I welcome your comments.

Is a new maturity model for GRC the right model?

September 25, 2016

I have been a proponent and supporter of the OCEG[1] view and definition of GRC for a very long time. In fact, OCEG honored me for my GRC thought leadership by making me one of the first OCEG Fellows (along with my friends, Michael Rasmussen and Brian Barnier).

I remain an advocate of their definition of GRC as well as their focus on Principled Performance.

Very recently, OCEG leadership published a maturity model for GRC (developed by RSA Archer, which has been an active member and sponsor of OCEG for as long as I can remember). You can download it (and become a member for free, which I heartily encourage) from the OCEG web site.

This paragraph from the Introduction to the paper explains both GRC and Principled Performance.

As the think tank that defined the business concept of GRC, OCEG has long talked about the need for a harmonized set of capabilities that enable an organization to reliably achieve its objectives, while addressing uncertainty and acting with integrity. These capabilities are outlined in the GRC Capability Model (“the OCEG Red Book”), the publicly vetted, free and open source standards for GRC planning and execution. The outcome of applying effective GRC is Principled Performance, which demands a mature, integrative approach to governance, risk management and compliance; the component parts of GRC.

GRC is defined by OCEG, repeated in the section above, as “a harmonized set of capabilities that enable an organization to reliably achieve its objectives, while addressing uncertainty and acting with integrity.”

What I like about their definition is:

  • It focuses on achieving objectives and delivering value to stakeholders, not just avoiding harm and remaining in compliance. Risk is managed, not for its own sake, but to help drive performance.
  • It describes a capability that is more than the sum of its parts. It is more than governance[2], which includes not only the operation of the board but those of the legal department, internal audit, the strategic planning function, performance management, investor relations, and more; it is more than simply risk management, because it requires that the consideration of risk be part of the rhythm of the business (credit to EY for that expression) as decisions are made and strategy not only developed but executed; and, it is more than compliance: in fact, the OCEG definition includes not only compliance with applicable laws and regulations (what they call a ‘mandated boundary’) but with societal norms and the values of the enterprise (a ‘voluntary boundary’).
  • It emphasizes the need for harmony between all the various elements of the organization if they are to drive towards and achieve shared goals for the enterprise.

This section from OCEG’s Red Book (version 2.0) builds on the short definition above. It says that GRC is:

“A system of people, processes and technology that enables an organization to:

    • Understand and prioritize stakeholder expectations
    • Set business objectives that are congruent with values and risks
    • Achieve objectives while optimizing risk profile and protecting value
    • Operate within legal, contractual, internal, social and ethical boundaries
    • Provide relevant, reliable and timely information to appropriate stakeholders
    • Enable the measurement of the performance and effectiveness of the system”

The question for me as I review the maturity model is whether it truly describes a GRC capability.

I believe it is a valuable piece of work, but only if you are concerned about the R and the C.

I am afraid that the authors, who are friends as well as colleagues, have fallen into the trap I started talking about more than 6 years ago.

The ‘G’ in GRC is silent.

Where is there mention of everybody, from the board down to the shop floor worker, working to shared objectives? If enterprise objectives are not just set and approved by the board and top management, but cascaded down and across the enterprise with all performance incentives fully aligned, how can we expect the right risks to be taken and value delivered?

Don’t expect harmony when people do not see the songsheet.

Where is there mention of effective decision-making? Both the ISO and the COSO risk guidance are moving towards an emphasis on intelligent and informed decision-making. But I don’t see that here.

Where is the integration of performance management and risk management? Sadly, it is not here either.

This is a fine document for risk and compliance maturity. But is it a maturity model for GRC?

Hopefully, there will be a version 2.0 of the model where the G is not silent, where it is in fact dominant.

I welcome your views.

[1] OCEG, the Open Compliance and Ethics Group, is a not-for-profit think tank that focuses on Principled Performance and GRC. It has a wonderful website at www.oceg.org with many valuable resources for members. Membership is free for individuals.

[2] I like the OECD definition of governance: “A set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.”

Compliance and risk appetite

July 18, 2015

Recently, a compliance thought leader and practitioner asked my opinion about the relevance of risk management and specifically risk appetite to compliance and ethics programs.

The gentleman also asked for my thoughts on GRC and compliance; I think I have made that clear in other posts – the only useful way of thinking about GRC is the OCEG view, which focuses on the capability to achieve success while acting ethically and in compliance with applicable laws and regulations. Compliance issues must be considered within the context of driving to organizational success.

In this post, I want to focus on compliance and risk management/appetite.

Let me start by saying that I am a firm believer in taking a risk management approach to the business objective of operating in compliance with both (a) laws and regulations and (b) society’s expectations, even when they are not reflected in laws and regulations. This is reinforced by regulatory guidance, such as in the US Federal Sentencing Guidelines, which explain that when a reasonable process is followed to identify, assess, evaluate, and treat compliance-related risks, the organization has a defense against (at least criminal) prosecution. The UK’s Bribery Act (2010) similarly requires that the organization assess and then treat bribery-related risks.

I think the question comes down to whether you can – or should – establish a risk appetite for (a) the risk of failing to comply with rules or regulations, or (b) the risk that you will experience fraud.

I have a general problem with the practical application of the concept of risk appetite. While it sounds good, and establishes what the board and top management consider acceptable levels of risk, I believe it has significant issues when it comes to influencing the day-to-day taking of risk.

Here is an edited excerpt from my new book, World-Class Risk Management, in which I dedicate quite a few pages to the discussion of risk appetite and criteria.

Evaluating a risk to determine whether it is acceptable or not requires what ISO refers to as ‘risk criteria’ and COSO refers to as a combination of ‘risk appetite’ and ‘risk tolerance’.

I am not a big fan of ‘risk appetite’, not because it is necessarily wrong in theory, but because the practice seems massively flawed.

This is how the COSO Enterprise Risk Management – Integrated Framework defines risk appetite.

Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.

One of the immediate problems is that it talks about an “amount of risk”. As we have seen, there are more often than not multiple potential impacts from a possible situation, event, or decision and each of those potential impacts has a different likelihood. When people look at the COSO definition, they see risk appetite as a single number or value. They may say that their risk appetite is $100 million. Others prefer to use descriptive language, such as “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.”

Whether in life or business, people make decisions to take a risk because of the likelihood of potential impacts – not the size of the impact alone. Rather than the risk appetite being $100 million, it is the 5% (say) likelihood of a $100 million impact.

Setting that critical objection aside for the moment, it is downright silly (and I make no apology for saying this) to put a single value on the level of risk that an organization is willing to accept in the pursuit of value. COSO may talk about “the amount of risk, on a broad level”, implying that there is a single number, but I don’t believe that the authors of the COSO Framework meant that you can aggregate all your different risks into a single number.

Every organization has multiple types of risk, from compliance (the risk of not complying with laws and regulations) to employee safety, financial loss, reputation damage, loss of customers, inability to protect intellectual property, and so on. How can you add each of these up and arrive at a total that is meaningful – even if you could put a number on each of the risks individually?

If a company sets its risk appetite at $10 million, then that might be the total of these different forms of risk:

  • Non-compliance with applicable laws and regulations: $1,000,000
  • Loss in value of foreign currency due to exchange rate changes: $1,500,000
  • Quality in manufacturing leading to customer issues: $2,000,000
  • Employee safety: $1,500,000
  • Loss of intellectual property: $1,000,000
  • Competitor-driven price pressure affecting revenue: $2,000,000
  • Other: $1,000,000

I have problems with one risk appetite when the organization has multiple sources of risk.

  • “I want to manage each of these in isolation. For example, I want to make sure that I am not taking an unacceptable level of risk of non-compliance with applicable laws and regulations irrespective of what is happening to other risks.”
  • “When you start aggregating risks into a single number and base decisions on acceptable levels of risk on that total, it implies (using the example above) that if the level of quality risk drops from $2m to $1.5m but my risk appetite remains at $10m, I can accept an increase in the risk of non-compliance from $1m to $1.5m. That is absurd.”

The first line is “non-compliance with applicable laws and regulations”. I have a problem setting a “risk appetite” for non-compliance. It may be perceived as indicating that the organization is willing to fail to comply with laws and regulations in order to make a profit; if this becomes public, there is likely to be a strong reaction from regulators and the organization’s reputation would (and deserves to) take a huge hit.

Setting a risk appetite for employee safety is also a problem. As I say:

…. no company should, for many reasons including legal ones, consider putting a number on the level of acceptable employee safety issues; the closest I might consider is the number of lost days, but that is not a good measure of the impact of an employee safety event and might also be considered as indicating a lack of appropriate concern for the safety of employees (and others). Putting zero as the level of risk is also absurd, because the only way to eliminate the potential for a safety incident is to shut down.

That last sentence is a key one.

While risk appetites such as $1m for non-compliance or $1.5m for employee safety are problematic, it is unrealistic to set the level of either at zero. The only way to ensure that there are no compliance or safety issues is to close the business.

COSO advocates would say that risk appetite can be expressed in qualitative instead of quantitative terms. This is what I said about that.

The other form of expression of risk appetite is the descriptive form. The example I gave earlier was “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns.” Does this mean anything? Will it guide a decision-maker when he is considering how much risk is acceptable? No.

Saying that “The organization has a higher risk appetite related to strategic objectives and is willing to accept higher losses in the pursuit of higher returns”, or “The organization has a low risk appetite related to risky ventures and, therefore, is willing to invest in new business but with a low appetite for potential losses” may make the executive team feel good and believe they have ‘ticked the risk appetite box’, but it accomplishes absolutely nothing at all.

Why do I say that it accomplishes absolutely nothing? Because (a) how can you measure whether the level of risk is acceptable based on these descriptions, and (b) how do managers know they are taking the right level of the right risk as they make decisions and run the business?

If risk appetite doesn’t work for compliance, then what does?

I believe that the concept of risk criteria (found in ISO 31000:2009) is better suited.

Management and the board have to determine how much to invest in compliance and at what point they are satisfied that they have reasonable processes of acceptable quality.

The regulators recognize that an organization can only establish and maintain reasonable processes, systems, and organizational structures when it comes to compliance. Failures will happen, because organizations have human employees and partners. What is crucial is whether the organization is taking what a reasonable person would believe are appropriate measures to ensure compliance.

I believe that the organization should be able to establish measures, risk criteria, to ensure that its processes are at that reasonable level and operating as desired. But the concept of risk appetite for compliance is flawed.

A risk appetite statement tends to focus on the level of incidents and losses, which is after the fact. Management needs guidance to help them make investments and other decisions as they run the business. I don’t see risk appetite helping them do that.

By the way, there is another problem with compliance and risk appetite when organizations set a single level for all compliance requirements.

I want to make sure I am not taking an unacceptable level of risk of non-compliance with each law and regulation that is applicable. Does it make sense to aggregate the risk of non-compliance with environmental regulations, safety standards, financial reporting rules, corruption and bribery provisions, and so on? No. Each of these should be managed individually.

Ethics and fraud are different.

Again, we have to be realistic and recognize that it is impossible to reduce the risk of ethical violations and fraud to zero.

However, there is not (in my experience) the same reputation risk when it comes to establishing acceptable levels – the levels below which the cost of fighting fraud starts to exceed the reduction in fraud risk.

When I was CAE at Tosco, we owned thousands of Circle K stores. Just like every store operator, we experienced what is called “shrink” – the theft of inventory by employees, customers, and vendors. Industry experience was that, though undesirable, shrink of 1.25% was acceptable because spending more on increased store audits, supervision, cameras, etc. would cost more than any reduction in shrink.

Managing the risks of compliance or ethical failures is important. But, for the most part I find risk appetite leaves me hungry.

What do you think?

BTW, both my World-Class Risk Management and World-Class Internal Auditing books are available on Amazon.

Predictions for GRC, risk management, and compliance

March 7, 2015

MetricStream[1] has shared with us a November 2014 report from the analyst firm Forrester: Predictions 2015: The Governance, Risk, And Compliance Market Is Ready For Disruption (registration required).

I have had serious issues in the past with Forrester, their understanding and portrayal of risk management and GRC, their assessment of the vendors’ solutions, and the advice they give to organizations considering purchasing software to address their business problems.

However, they do talk to a lot of organizations, both those who buy software as well as those who sell it. So it is worth our time to read their reports and consider what they have to say.

I’m going to work my way through the report, with excerpts and comments as appropriate.

“…the governance, risk, and compliance (GRC) technology market is ripe for disruption”.

I have a problem with the whole notion of a GRC market. For a start, the “G” is silent! The analysts seem to forget that there are processes, each of which can be enabled by technology, to support governance of the organization by the board and others. For example, there is a need to enable the secure, efficient, and useful sharing of information with the board – for scheduled meetings and throughout the year. In addition, there are needs to support whistleblower processes, legal case management, investigations, the setting and cascading of business objectives and goals, the monitoring of performance, and so many more.

In addition, organizations should not be looking for a GRC solution. They should instead be looking for solutions to meet their more critical business needs. Many organizations are purchasing a bundle of GRC capabilities, but only use some of what they have bought – and what they do use may not be the best in the market to address that need.

Finally, I have written before about the need to manage risk to strategies and objectives. Yet, most of these so-called GRC solutions don’t support strategy setting and management. There is no integration of risk and strategy. Executives cannot see, as they review progress against their strategies and objectives, both performance progress and the level of related risks.

“A Corporate Risk Event Will Lead To Losses Topping $20B”

What is a “risk event”? This is strange language. Why can’t they just talk about an “event” or, better still, a “situation”?

I agree that the management of organizations continues to make mistakes – as it has ever since Adam and Eve ate the apple. Some mistakes result in compliance failures, penalties, reputation damage, and huge losses. I also agree that the size of those losses continues.

But what about mistakes in assessing the market and customers’ changing needs, bringing new products and services to market, or price-setting (consider how TurboTax alienated and lost customers)? I have seen several companies fall from leaders in their market to being sold for spare parts (Solectron and then Maxtor).

Management should consider all potential effects of uncertainty on the achievement of objectives.

“Embed risk best practices across the business…Risk management helps enhance strategic decision-making at all organizational levels, and when company success or failure is on the line, formal risk processes are essential.”

The focus on decision-making across the enterprise is absolutely correct. Risk management should not be a separate activity from running the business. Every decision-maker needs to consider risk as he or she makes a decision, so they can take the right amount of the right risk.

“Read and understand your country’s corporate sentencing guidelines.”

This is another excellent point! Unfortunately, the authors didn’t follow through and point out that the U.S. Federal Sentencing Guidelines require that organizations take a risk-based approach to ensuring compliance; those that do will have reduced penalties should there be a compliance failure.

“Build and maintain a culture of compliance.”

Stating the obvious. It is easy to say, not so easy to accomplish.

“Review risks in your current register and add ‘customer impact’ to the relevant ones.”

All the potential consequences of a risk should be included when analyzing it. Rather than ‘customer,’ I would include the issues that derive from upsetting the customer, such as lost sales and market share.

Further, it’s not a matter of reviewing risks in your risk register. It’s about including all potential consequences every time you make a decision, as well as when you conduct a periodic review of risks. Risk management should be an integral part of how decisions are made and the organization is run – not just when the risk register is reviewed.

Forrester makes some comments and predictions concerning GRC vendors. I don’t know whether they are right or wrong.

However, I say again that organizations should not focus on which is the best GRC platform. They should instead look for the best solution to their business needs, whatever it is called.

I do agree with Forrester that there are some excellent tools that can be used for risk monitoring. They should be integrated with the risk management solution, with ways to alert appropriate management when risk levels change.

What do you think of the report, the excerpts, and my comments?

Should we continue to talk about GRC platforms? Is it time to evaluate risk management solutions? How about integrated strategy, performance, and risk solutions?

[1] By way of complete disclosure, I have a relationship with a number of vendors of “GRC” solutions, including MetricStream and Resolver. I no longer have a relationship with SAP.

The effective audit committee

November 22, 2014

A short article in CGMA Magazine, Ingredients of an effective audit committee, caught my eye. I recommend reading it.

I think there are some key ingredients to an effective audit committee that are often overlooked. They include:

  1. The members have to read all the material for the audit committee meeting before the meeting. It’s amazing how often they don’t, which reduces the meeting to absorbing the material rather than a constructive discussion of its implications.
  2. The members have to be ready, willing, and able to constructively challenge all the other participants, including the external and internal auditors as well as financial, operating, and executive management. Too often, they are deferential to the external auditor (for reasons that escape me) and too anxious to be collegial to challenge senior management.
  3. They need a sufficient understanding of the business, its external context (including competitors and the regulatory environment), its strategies and objectives, risks to the achievement of its objectives, and the fundamentals of risk management and financial reporting, to ask the right questions. They don’t need to have a deep understanding if they are willing to use their common sense.
  4. They need to be willing to ask a silly question.
  5. They need to persevere until they get a common sense response.
  6. No board or committee of the board can be effective if they don’t receive the information they need when they need it. I am frustrated when I read surveys that say they don’t receive the information they need – they should be demanding it and accepting no excuses when management is slow to respond.
  7. Audit committee members will not be effective if they are only present and functioning at quarterly meetings. They need to be monitoring and asking questions far more often, as they see or suspect changes that might affect the organization and their oversight responsibilities.

What do you think?

I welcome your comments.

Leading the 21st century organization

October 6, 2014

I have been a fan of Tom Peters (author of “In Search of Excellence” and many more books) for more than 20 years.

While CAE at Tosco Corporation, I attended a presentation by him on something he called Wow! The concept, which I not only wrote about for the Internal Auditor magazine in 2001 but tried to incorporate into my internal audit practice, is to turn every project into something that you would tell your grandchildren about (Wow! indeed).

Tom is now 71 but hasn’t slowed down. He is amazingly active, presenting all over the world, writing books, and on Twitter (where we interact from time to time).

Recently, he was interviewed by McKinsey and I recommend reading the full piece. Here are some excerpts.

“My real bottom-line hypothesis is that nobody has a sweet clue what they’re doing. Therefore you better be trying stuff at an insanely rapid pace. You want to be screwing around with nearly everything. Relentless experimentation was probably important in the 1970s—now it’s do or die.”

“…the secret to success is daydreaming.”

“If you take a leadership job, you do people. Period. It’s what you do. It’s what you’re paid to do. People, period. Should you have a great strategy? Yes, you should. How do you get a great strategy? By finding the world’s greatest strategist, not by being the world’s greatest strategist. You do people.”

“We’re in the big-change business, aren’t we? Isn’t that the whole point? I mean, any idiot with a high IQ can invent a great strategy. What’s really hard is fighting against the unwashed masses and pulling it off—although there’s nothing stupider than saying change is about overcoming resistance. Change is about recruiting allies and working each other up to have the nerve to try the next experiment. You find allies. You encircle the buggers.”

“I’m more than willing to say that today’s two-year-old is going to deal with his or her fellow human beings differently than you or I do. But the reality is it’s 2014, not 2034, and I would argue that for the next 20 years, we’re still safe believing in the importance of face-to-face contact. I’m not arguing against virtual meetings, but I’m telling you that if I’m running IBM, I want to be on the road 200 days a year as much in 2014 as in 2004 or in 1974. It has nothing to do with the value of the tools, but I’ve got to see you face to face now and then; I don’t think I can do it all screen to screen.”

“At some deep level, people are people, and so I believe passionately that there is no difference between leading now and leading then. What I certainly believe is that anybody who is leading a sizable institution who doesn’t do what I did and take a year off and read or what have you, and who doesn’t embrace the new technology with youthful joy and glee, is out of business.”

This last is 100% consistent with the quote from another McKinsey Quarterly issue I used in Management for the Next 50 Years:

“Those who understand the depth, breadth, and radical nature of the change and opportunity that’s on the way will be best able to reset their intuitions accordingly, shape this new world, and thrive.”

Do you agree?

Management for the next 50 years

October 3, 2014

An article in McKinsey’s Quarterly Journal that I strongly recommend is on the topic of Management intuition for the next 50 years. My only quibble is that the title implies there is time to act; I believe organizations that prepare now for the changes described in the article will thrive immediately, and their competitive advantage will grow over the next decade, let alone the next 50 years.

I recommend a careful read of the entire piece. Here are some key excerpts to whet your appetite (emphasis added):

“We stand today on the precipice of much bigger shifts…., with extraordinary implications for global leaders. In the years ahead, acceleration in the scope, scale, and economic impact of technology will usher in a new age of artificial intelligence, consumer gadgetry, instant communication, and boundless information while shaking up business in unimaginable ways. At the same time, the shifting locus of economic activity and dynamism, to emerging markets and to cities within those markets, will give rise to a new class of global competitors. Growth in emerging markets will occur in tandem with the rapid aging of the world’s population—first in the West and later in the emerging markets themselves—that in turn will create a massive set of economic strains.”

“Any one of these shifts, on its own, would be among the largest economic forces the global economy has ever seen. As they collide, they will produce change so significant that much of the management intuition that has served us in the past will become irrelevant. The formative experiences for many of today’s senior executives came as these forces were starting to gain steam. The world ahead will be less benign, with more discontinuity and volatility and with long-term charts no longer looking like smooth upward curves, long-held assumptions giving way, and seemingly powerful business models becoming upended.”

The article discusses three key trends while acknowledging that there are many more:

  • Dynamism in emerging markets
  • Technology and connectivity
  • Aging populations

This is what it says about technology and connectivity:

“As information flows continue to grow, and new waves of disruptive technology emerge, the old mind-set that technology is primarily a tool for cutting costs and boosting productivity will be replaced. Our new intuition must recognize that businesses can start and gain scale with stunning speed while using little capital, that value is shifting between sectors, that entrepreneurs and start-ups often have new advantages over large established businesses, that the life cycle of companies is shortening, and that decision making has never had to be so rapid fire.”

I think this is very well said! They go on to say:

“Emerging on the winning side in this increasingly volatile world will depend on how fully leaders recognize the magnitude—and the permanence—of the coming changes and how quickly they alter long-established intuitions.”

“It will be increasingly difficult for senior leaders to establish or implement effective strategies unless they remake themselves in the image of the technologically advanced, demographically complex, geographically diverse world in which we will all be operating.”

“Technology is no longer simply a budget line or operational issue—it is an enabler of virtually every strategy. Executives need to think about how specific technologies are likely to affect every part of the business and be completely fluent about how to use data and technology…… Technological opportunities abound, but so do threats, including cybersecurity risks, which will become the concern of a broader group of executives as digitization touches every aspect of corporate life.”

“New priorities in this environment include ensuring that companies are using machine intelligence in innovative ways to change and reinvent work, building the next-generation skills they need to drive the future’s tech-led business models, and upskilling and retraining workers whose day-to-day activities are amenable to automation but whose institutional knowledge is valuable.”

McKinsey closes with a reiteration of the problem that is also an opportunity for those prepared to take the risk and embrace the need for change:

“Those who understand the depth, breadth, and radical nature of the change and opportunity that’s on the way will be best able to reset their intuitions accordingly, shape this new world, and thrive.”

I welcome your comments.

Auditing Risk Appetite

September 27, 2014 9 comments

Regulators around the world are calling for organizations to establish a risk appetite framework. This is primarily for financial services organizations and especially their financial-related risks. But some are extending the idea to organizations in other sectors and for non-financial risks.

The regulators have not heard the risk experts who disparage the concept of risk appetite. While I agree that it is a flawed concept, we have to recognize that it is a required practice for many and that we should find a way to address the related regulations.

What is risk appetite?

In 2013, the Financial Stability Board (FSB) published “Principles for an Effective Risk Appetite Framework” (intended to apply only to financial services organizations), in which it included a number of definitions:

Risk Appetite: The aggregate level and types of risk a firm is willing to assume within its risk capacity to achieve its strategic objectives and business plan.

Risk Appetite Statement: The articulation in written form of the aggregate level and types of risk that a firm is willing to accept in order to achieve its business objectives. It includes qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It should also address more difficult to quantify risks such as reputation and money laundering and financing of terrorism risks, as well as business ethics and conduct.

Risk Appetite Framework (RAF): The overall approach, including policies, processes, controls, and systems through which risk appetite is established, communicated, and monitored. It includes a risk appetite statement, risk limits, and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the firm, as well as to the firm’s reputation vis-à-vis policyholders, depositors, investors and customers.

The FSB document includes some useful language (emphasis added):

“An effective RAF should provide a common framework and comparable measures across the firm for senior management and the board to communicate, understand, and assess the level of risk that they are willing to accept. It explicitly defines the boundaries within which management is expected to operate when pursuing the firm’s business strategy. Firms that implement a RAF most effectively are those that incorporate the framework into the decision making process and into the firm-wide risk management framework, and communicate and champion the framework throughout the organisation, starting from the top. However, it is important to check that the ‘top down’ risk appetite is consistent with the ‘bottom up’ perspective. The assessment of a firm’s consolidated risk profile against its risk appetite should be an ongoing and iterative process. Implementing an effective RAF requires an appropriate combination of policies, processes, controls, systems and procedures to accomplish a set of objectives. The RAF should enable risk capacity, risk appetite, risk limits, and risk profile to be considered at the legal entity level as well as within the group context. As such, an effective and efficient RAF should be closely linked to the development of information technology (IT) and management information systems (MIS) in financial institutions.”

The FSB recognized that while it is useful for management to propose and the board to approve “aggregate level[s] and types of risk a firm is willing to assume”, real value is not obtained unless every risk-taker (which amounts to every decision-maker) understands how these limits apply to their actions and responsibilities – and acts accordingly. The FSB guidance includes these among the requirements for “business line leaders and legal entity-level management” (emphasis added):

“a) ensure alignment between the approved risk appetite and planning, compensation, and decision-making processes of the business unit and legal entity;

“b) cascade the risk appetite statement and risk limits into their activities so as to embed prudent risk taking into the firm’s risk culture and day to day management of risk;

“c) establish and actively monitor adherence to approved risk limits;”

The most significant problem with this notion is that it is impossible to define every risk that decision-makers might take in the course of running the business, especially when risks are changing constantly and what the business should accept also changes as business conditions change.

Fortunately, the FSB looks to internal audit to ensure that the RAF meets the needs of the organization and is not a static document that is meaningful only to the board.

The FSB publication includes requirements for internal audit to assess the RAF. They say that “internal audit (or other independent assessor) should” (emphasis added):

“a) routinely include assessments of the RAF on a firm-wide basis as well as on an individual business line and legal entity basis;

“b) identify whether breaches in risk limits are being appropriately identified, escalated and reported, and report on the implementation of the RAF to the board and senior management as appropriate;

“c) independently assess at least annually the design and effectiveness of the RAF and its alignment with supervisory expectations;

“d) assess the effectiveness of the implementation of the RAF, including linkage to strategic and business planning, compensation, and decision-making processes;

“e) validate the design and effectiveness of risk measurement techniques and MIS used to monitor the firm’s risk profile in relation to its risk appetite;

“f) report any deficiencies in the RAF and on alignment (or otherwise) of risk appetite and risk profile with risk culture to the board and senior management in a timely manner; and

“g) evaluate the need to supplement its own independent assessment with expertise from third parties to provide a comprehensive independent view of the effectiveness of the RAF.”

This is useful for anybody who wants to audit risk management, even if for a non-financial institution.

I translate all of the above into these questions:

  1. Do those responsible for taking risks, whether in the executive suite or in the trenches of the organization, have the guidance they need to ensure that risks they are creating and/or managing are maintained at levels acceptable to the board? This should include both the mitigation of excessive adverse risk and addressing situations where insufficient risk is taken (e.g., where a manager is overly cautious to the detriment of the organization).
  2. Is that guidance updated and communicated as business conditions (internal and external) change?
  3. When management proposes and the board approves strategies, plans, objectives, and similar, is appropriate consideration given to risks to those strategies and objectives?
  4. Is necessary and appropriate risk information (including the results of risk monitoring) provided to the board, executives, and other managers so they can effectively direct and manage the organization?
  5. Are exceptions appropriately reported and addressed?
  6. Is performance management (especially reporting) adequately integrated with risk management, and are those responsible for driving performance against objectives also held responsible for addressing risks to those objectives?

That ‘guidance’ could be in the form of a risk appetite statement (or similar) as envisaged by the FSB and described in COSO’s ERM – Integrated Framework, or in the form of risk criteria as required by the global risk management standard, ISO 31000:2009.

What I especially like about the FSB list (and what is reflected in my questions) is that it recognizes that merely checking compliance with an RAF is an insufficient audit approach; it is critical to assess whether the RAF is current, timely, communicated broadly, and meets the needs of the business.

I welcome your comments.

Leaders of internal audit should never be satisfied

September 12, 2014 7 comments

If you think you are world-class, it is time for you to consider change.

Our organizations and the risks they face are changing constantly and the pace of change is increasing.

Jack Welch once said: “If the rate of change on the outside exceeds the rate of change on the inside, the end is in sight.”

We should never be satisfied with where we are today, as this represents a risk that we will not be sufficiently agile to deal with risks tomorrow.

Here are a couple of excerpts from my book, World-Class Internal Audit: Tales from my Journey. The first is on the need for change:

OK, you and your team have been recognized as adding huge value and being world-class.

Do you stop there, confident and happy in your success?

No. What is world-class for your organization today may be insufficient for tomorrow.

The CAE should have a thirst for change and growth. Learn not only from other internal audit leaders and what they do well, but also from leaders of entirely different functions, like Marketing and Sales.

I like to read magazines like Fast Company because they profile innovative and creative thinkers in all walks of life. Maybe what works for them could, with some tailoring, work for me. At least it might stimulate me to think about something I had never thought about before. It might stimulate me to challenge what had worked for me in the past.

Innovative leaders think outside the box. They create something that excels and they love it. They love it so much it becomes a box for them and limits their ability to discard it in favor of something new.

We should not only think out of the box, but stay out of the box, and kick it as soon as somebody builds one.

This is what I had to say about the future of internal audit:

Internal audit has made great strides since I first became a CAE in 1990.

We have moved the edge of the practice from controls auditing to assurance over governance, risk, and control processes.

The majority of CAEs now report directly to the audit committee with functional reporting to at least the CFO if not the CEO.

But that leading edge is a thin one.

Far too few internal audit departments assess and provide assurance on the effectiveness of risk management.

Even fewer consider the risks of failures in governance programs and processes and include related engagements in their audit plan.

As I travel around the world, talking to internal auditors from Malaysia to Ottawa, I find a consistent pattern of growth. But, there remain pockets where the internal auditor is only there so that management can “check the box”. This seems especially true in government (from local to national), where internal audit departments are upgraded or disbanded based on politics – a concept I find abhorrent in what should be an independent and objective function.

Part of the problem is that audit committees don’t understand the potential of internal audit – and too many CAEs are not educating them. So, they don’t demand more and too many CAEs are satisfied doing what is expected without trying to change and upgrade those expectations.

Still, I expect that internal auditing practices will continue to improve. Organizations need them, as PwC says, to move to the “next platform” and provide assurance that is not just about what used to be the risks, but what they are now and will be in the near future.

Our business environment is becoming more complex, more dynamic, and changing at an accelerating speed. I expect that internal audit leaders will rise to the challenge.

Those that do will create a competitive advantage for their organizations.

Does your internal audit department need to change? Is it able to deliver world-class products and services that represent a competitive advantage for the organization? Do you help them increase the likelihood and scale of success?

Are you ready to adapt to tomorrow’s challenges?

I welcome your comments.

Auditing Forward

September 6, 2014 13 comments

One of the new Core Principles for the Professional Practice of Internal Auditing proposed in the IIA’s Exposure Draft (if you haven’t seen it, read it, and responded, please do so) is:

  1. [Internal Audit is] insightful, proactive, and future-focused.

The last two adjectives, proactive and future-focused, translate to internal audit “auditing forward”.

This is an expression I only heard for the first time this year. It may have been one of the other members of the IIA Task Force that used it; but whoever said it, it resonated with me.

I have a chapter on “Auditing Forward” in my book on World-Class Internal Auditing and the best way for me to explain my thinking is through excerpts.

I assess my effectiveness as CAE by my ability to prevent internal control or risk issues when I can, rather than identify them (and find fault) when they already exist and represent an obstacle to organizational success.

If you are familiar with the CSI TV series, you can imagine a crime scene investigator entering a room and telling a detective “you have a dead body”. If I can, I prefer to be working with management to ensure there are reasonable controls that would prevent a dead body.

That means a couple of things: seeing the value of internal audit as helping improve risk management and controls, and “auditing forward”.

“Auditing forward” means being involved in new initiatives and projects [such as a pre-implementation controls review of a new IT system], providing consulting advice that helps management implement a reasonable level of controls and security.

It means seeing our success as linked to the success of management. If management implements a new system without sufficient controls or security, when we had an opportunity to warn them, it reflects as a failure on our part. Either we failed to identify the issue, to persuade management it was important, or to work with them on corrective actions that addressed the problem.

………………………………………………………………………………………….

“Auditing forward” also means auditing the risks that impact today and tomorrow, not limiting your focus to what has happened in the past.

Is there value in somebody telling you that the road in front of the house you lived in last year is being repaired? You only want to know about road conditions where you are likely to drive now or in the future.

In the same way, internal audit needs to provide assurance and consulting advice on the risks of today and tomorrow. Telling management what has been a problem in the past has some limited value, but only to the extent that those conditions continue to exist and similar problems may continue into the future.

Wayne Gretzky’s father advised him to “skate where the puck’s going, not where it’s been”.

Internal auditors need to take this advice to heart and audit where the risk is going to be, not where it has been.

That requires:

  1. Being sufficiently agile to change the internal audit plan as risks and business conditions change; and,
  2. Knowing that risks and business conditions are changing.

………………………………………………………………………………………….

Business leaders and the board like it when internal auditors talk about the business using the language of the business; when we can demonstrate that we understand what the company is doing and where it wants to go; and, where we can show that our work is directed to helping them succeed – arriving safely where they want to go.

Do you “audit forward”?

I welcome your views and comments.

Dynamic, iterative, and responsive to change

August 23, 2014 4 comments

One of the principles for effective risk management in the ISO 31000:2009 global risk management standard is that risk management should be “dynamic, iterative, and responsive to change”.

I really like that. It captures a number of key ingredients for the effective management of uncertainty and risk.

“Dynamic” implies that risk management operates at the speed of the business. It is far more than the occasional, even if regular, assessment of a list of so-called top risks. “Dynamic” is when the consideration and management of risk is part of the fabric of the organization, and an element in daily decision-making and operations of the organization. It is active and essential.

“Iterative” is about a reliable set of processes and systems for identifying, assessing, evaluating, and treating risk. It means that when management makes decisions, based in part on risk information, there are proven processes and the information is reliable.

Finally, “responsive to change” is essential when risk changes at speed. Every day there is a potential surprise, a new or changed situation to which the organization should at least consider responding. It could be a shift in exchange rates, a change in the government of a nation where you do business, a flood that affects the supply of a critical component, the decision in a court case that affects you directly (because you are a party) or indirectly (because it creates a new interpretation of a regulation with which you must comply), the loss of a key customer, a new product from a competitor, the loss of a key employee, or so on.

Stuff happens and it changes or creates risk.

The organization must be responsive to change, nimble and agile in modifying strategy and execution.

All of this applies not only to risk management but also to internal audit (and to finance and the rest of the organization, in truth).

Is your internal audit function “dynamic, iterative, and responsive to change”?

For that matter, do IT, Finance, Operations, and so on meet the principle behind that phrase?

Or are they slow, scattered, and stubbornly reluctant to change?

Is that a risk to which we must respond?

I welcome your comments.

Where is internal audit world-class?

August 17, 2014 20 comments

A conversation I just had with Michael Corcoran left me wondering which companies have now, or have had in the past, what one might consider “world-class” internal audit departments.

My personal view is that the CAE is the last person who should say that his or her internal audit department is world-class.

Instead, that should only be awarded by members of the audit committee or top executives (although I am not sure I would give as much credence to the opinion of a CFO who wants IA to focus on financial and compliance risks).

I would allow members of the audit team to make the award based on what they hear from senior operational executives.

As a former CAE, I am going to hold to my word and not name any of my prior teams. If they want, they can speak for themselves.

So, please use the comments to identify the IA departments you think are world-class and why.

SEC and SOX plus COSO 2013 News

August 16, 2014 4 comments

I want to share two situations/reports. The first relates to SOX, the second to COSO 2013.

SEC Charges SOX 302 Violation

On July 30th, the SEC published a press release “SEC Charges Company CEO and Former CFO With Hiding Internal Controls Deficiencies and Violating Sarbanes-Oxley Requirements”.

Here are the key points in the SEC’s remarks:

The Sarbanes-Oxley Act of 2002 requires a management’s report on internal controls over financial reporting to be included in a company’s annual report.  The CEO and CFO must sign certifications confirming they’ve disclosed all significant deficiencies to the outside auditors, reviewed the annual report, and attest to its accuracy.

The SEC’s Enforcement Division alleges that CEO Marc Sherman and former CFO Edward L. Cummings represented in a management’s report accompanying the fiscal year 2008 annual report for QSGI Inc. that Sherman participated in management’s assessment of the internal controls.  However, Sherman did not actually participate.  The Enforcement Division further alleges that Sherman and Cummings each certified that they had disclosed all significant deficiencies in internal controls to the outside auditors.  On the contrary, Sherman and Cummings misled the auditors – chiefly by withholding that inadequate inventory controls existed within the company’s Minnesota operations.  They also withheld from auditors and investors that Sherman was directing and Cummings participating in a series of maneuvers to accelerate the recognition of certain inventory and accounts receivables in QSGI’s books and records by up to a week at a time.  The improper accounting maneuvers, which rendered QSGI’s books and records inaccurate, were performed in order to maximize the amount of money that QSGI could borrow from its chief creditor.

According to the SEC’s orders, Sherman and Cummings signed a Form 10-K and Sherman signed a Form 10-K/A each containing the false management’s report on internal controls over financial reporting.  And each signed certifications required under Section 302 of the Sarbanes-Oxley Act in which they falsely represented that they had evaluated the report and disclosed all significant deficiencies to the auditors.

What is new is that the executives were found to have violated not only the annual Section 404 requirement that the SOX compliance program is generally focused on, but the quarterly Section 302 certification process.

I have been warning, in both my SOX book for the IIA and in my training classes, that ‘one of these days’ somebody would be charged with a Section 302 certification violation. In my conversations with the SEC when I was writing my SOX book for the IIA, they indicated that Section 302 violations were a future rather than a current focus.

But here they are now.

In the Section 302 certification, the CEO and CFO personally sign, and are therefore personally liable for, the following statements:

“The registrant’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and ICFR (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:

  • Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
  • Designed such internal control over financial reporting, or caused such ICFR to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
  • Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
  • Disclosed in this report any change in the registrant’s ICFR that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and

“The registrant’s other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant’s auditors and the audit committee of the registrant’s board of directors (or persons performing the equivalent functions):

  • All significant deficiencies and material weaknesses in the design or operation of ICFR which are reasonably likely to adversely affect the registrant’s ability to record, process, summarize and report financial information; and
  • Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal control over financial reporting.”

In the book, I say:

“…. prudence suggests that management:

  • Has a reasonably formal, documented process for making the quarterly assessment that is included in the 10-Q and supports the Section 302 certifications.
    • This can be included in the activities of the company’s disclosure committee, which most of the larger companies have established.
    • The process should include the assessment of all internal control deficiencies known to management, including those identified not only during management’s assessment process but also by either the external auditors in their Sarbanes-Oxley work or by internal audit in its various audit activities.
    • The system of ICFR must provide reasonable assurance with respect to the quarterly financial statements and the annual statements. The quarterly assessment is against a lower — typically one quarter the size — determination of what constitutes “material”.
    • The process and results should be reviewed and discussed with the CEO and CFO to support their Section 302 certifications.
  • Confirms that the external auditors do not disagree with management’s quarterly assessment.
  • Understands ― which requires an appropriate process to gather the necessary information ― whether there have been any major changes in the system of internal control during the quarter. A major change can include improvements and degradations in the system of internal control. While Section 302 only requires the disclosure in the 10-Q of a material weakness and the communication to the audit committee of a material or significant deficiency, the correction of a significant deficiency may be considered a major change and, if so, should be disclosed.”

Question: Have you discussed with and obtained guidance from your legal team whether a potential material weakness identified by your periodic SOX testing means that the CEO and CFO should not say, in their current quarter Section 302 certification, that the disclosure controls are effective?

Mapping of Controls to COSO 2013 Principles is Wrong

I am still trying to get information on what the major auditing firms are telling clients about COSO 2013.

I was able to get on a call with a Deloitte practice partner and one of the SOX/COSO leaders in the Deloitte head office.

It was refreshing to hear that they understand that the top-down and risk-based approach mandated by PCAOB Auditing Standard Number 5 remains at the heart of the firm’s approach.

The head office leader made a comment that I like very much.

She said that many registrants are trying to map all their (key) controls to one or more of the COSO 2013 principles.

This is wrong.

There is no such requirement, nor is it useful.

What is needed is to demonstrate which controls are being relied upon to support management’s determination whether the principles are achieved.

I cover this in detail in the SOX book and in my SOX Master Class training. Basically, my approach is to determine how a failure to achieve a principle might raise the level of risk of a material error or omission above acceptable levels; we then identify the key controls that will be relied upon to address such risks. Where the risk is assessed as low, management’s self-assessment of the controls may be sufficient.

Unfortunately, I know of at least one Deloitte senior manager who doesn’t understand.

I wonder how many other external audit teams are ‘requiring’ that companies do more than is necessary.

Please share through comments or private email to me at nmarks2@yahoo.com.

I welcome your insights and observations.

World-Class Internal Audit

August 13, 2014 4 comments

Over the years, I have had the privilege of leading world-class internal auditors – world-class people who deliver world-class internal audit services to our customers on the board and in management.

I hesitate to call the teams I have led world-class. There has always been room for improvement.

But our customers and peers have called us world-class. For example, executives and audit committee members have said:

  • “Internal audit provides us with a competitive advantage”
  • “You have yet to perform an audit I wouldn’t gladly pay for”
  • “You help the audit committee sleep through the night”
  • “You are not a typical internal auditor”

When Arthur Andersen (and then Protiviti with KnowledgeLeader) built their on-line repository of best practices, ours was the first internal audit function profiled.

Now that I am retired (even if still busy), I have found the time to collect stories from my professional life in a new book: World-Class Internal Audit: Tales from my Journey (see below for links to the book). These are stories about experiences that have shaped me as a leader as well as how I approach internal audit.

My hope is that the book will not only be an easy and entertaining read, but my successes and failures, together with my reflections, will help you as you consider your own career.

Some stories are, I hope, amusing. Some are about learning experiences (i.e., mistakes and embarrassments) from which I grew.

I have also included comments and observations from members of my teams, some of whom followed me as I moved to other companies. For example, a current chief audit executive who worked with me at two different companies had this to say:

“Norman had a unique leadership philosophy where he adapted to the demands of the situation, the abilities of the staff and the needs of the organization. He was able to move between leadership styles utilizing the one needed for the challenges that the company was facing. He was at times visionary along with a coaching emphasis while not micromanaging. Norman set high standards, was democratic but occasionally would utilize a classic authoritarian style when needed with certain employees and situations. Norman moved easily between leadership styles which resulted in developing World Class departments. As the Chief Audit Executive for a semiconductor company I still consult Norman on various audit topics and practice leadership techniques I learned under his tutelage.”

The book is available in paperback (or on Amazon) or as an e-book (Kindle).

Here’s one of the stories in Chapter 5 on the topic of “the value of writing and teaching”. The ‘David’ referred to was my boss at Coopers, David Clark.

My next adventure took me into a new and smaller world: the world of microprocessors.

People I knew were buying do-it-yourself microcomputer ‘kits’ from mail order stores, and the technical computing journals were starting to hint that these devices had the potential to move from a hobby to a business tool. In 1974, a company called Zilog was founded and in 1976 they introduced the Z80, an 8-bit microprocessor that was a significant advance from the early Intel 8080 model. The Z80 allowed more powerful devices and the military, in particular, used it extensively. The Z80 powered early business computers, such as the Osborne, Kaypro, Xerox 820, Radio Shack TRS-80, and Amstrad. I purchased a Radio Shack TRS-80 Model II a little later – but that’s another story.

I believed in the potential and wanted to share that vision with the rest of CAG. After obtaining materials directly from Zilog and accumulating a number of pieces from journals, I started to write. I was smart enough to include diagrams, but not smart enough to please David with the initial drafts of my paper.

After I had exhausted my patience and wanted to give up, and David had nearly exhausted his patience with me, he gave me two pieces of sage advice:

  1. Tell him (in person) why this is important. Say it and then write what you said. As you are saying it, learn from the listener (David) how to express your thoughts in a way that will be understood – and learn what not to say because it will not be understood.
  2. Avoid technical language and use ordinary English where possible. If you have to be technical, explain the terms clearly so that the non-technical person will understand.

I ended up writing a much longer piece, but it worked. While not everybody would share my opinion of the potential, everybody understood what I was talking about.

Later that year, I was asked to be one of the teachers at the off-site training session for people joining CAG. This was a wonderful learning experience for me. The task of teaching meant that I had to master the fundamentals of what I needed to teach. It was also essential that I avoided technical language when plain English could be used – and that I explain the technical in easy-to-absorb-and-retain terms.

This set of experiences led me to require all of my staff to:

  • Write and speak for the people who are listening, the people you are trying to influence, inform, or persuade
  • Write and say what they need to hear, rather than what you want to say
  • Use language they understand. If they don’t start with a decent understanding of the topic, explain any technical terms in ways they can understand
  • Give examples and use diagrams; they are of great value in expressing ideas, especially to those who are visually oriented (i.e., absorb concepts from seeing better than they do by reading). I became used to getting up and using a chalkboard to diagram and explain what I was trying to communicate
  • Master the fundamentals: you won’t get far explaining anything unless you have deep understanding of the topic yourself

I hope you enjoy this story and consider the book.

Advancing the Practice of Internal Audit

August 9, 2014 17 comments

As I mentioned earlier, I was honored to be a member of the Re-Look Task Force that has proposed changes to the IIA’s standards framework (IPPF).

One of the changes is to introduce Core Principles for the Professional Practice of Internal Auditing.

The first nine are “motherhood and apple pie” restatements of what I hope we all know are necessary attributes of internal auditing, such as our integrity, resources, and ability to communicate. They are important to restate because although they may be obviously necessary, they are not all always present in practice.

For example, I continue to meet CAEs who don’t have sufficient resources to address more than a handful of critical risks. The last has been charged with all the SOX work without being given the resources necessary to provide both his core internal audit assurance work and the consulting services necessary to manage the SOX program.

The three that I think will help advance the professional practice of internal auditing are the last three on the list (which should be the first three).

10. Provides reliable assurance to those charged with governance.

11. Is insightful, proactive, and future-focused.

12. Promotes positive change.

What is “assurance”? Our stakeholders need to know if the processes for governance, management of risk, and the related controls can be relied upon to manage critical risks at acceptable levels: whether they will enable the organization to take the right risks with confidence and achieve or surpass objectives.

They need our professional opinion.

I hope this principle will advance the practice of providing such an opinion, a formal one, to the board and top management.

A list of deficiencies is not assurance.

#11 is very interesting. Surveys continue to tell us that our stakeholders on the board and in executive management want more from us. In addition to focusing on the right risks (a deficiency in our practice according to recent PwC and KPMG surveys), they value our insight – what we can tell them about management processes and practices beyond what we might put in the audit report.

Our traditional role is to report on what has happened (and gone wrong) in the past – hindsight. We should instead help our organizations, their executive team and board, manage into the future.

This means moving from hindsight to foresight with insight into current and foreseeable conditions.

We should be proactive in looking at changes in business systems and processes, organizational structures and staffing, and more – providing consulting services to help ensure our future is one with adequate management of risk, including security and controls.

The great Canadian ice hockey player, Wayne Gretzky, was asked “what is the secret of your success?” His answer:

“I skate to where the puck is going to be”

We need to audit where the risk is going to be.

The last talks about the need to do more than make a recommendation and let management respond. We need to promote positive change. I ask that you read and comment on my article in the August issue of the Internal Auditor magazine on “The Internal Audit Evangelist”.

In another article in the same issue, the author talks about his department achieving an acceptance rate of 84% on its recommendations. Management accepted and implemented 84% of internal audit recommendations.

My comment?

That is a 16% failure rate!

Where is the value when management only occasionally listens to us?

How will management see us if we frequently are unable to see business risks and needs in the same light as they see them?

There is zero value in recommendations.

There is only value in positive change.

We should work with management to ensure we agree on the facts, agree on the risk to objectives (specifying which are at risk), agree on whether that risk should be accepted or treated, and then agree and help them determine the best path forward.

If the great majority of internal audit departments are able to say that:

  1. We provide our stakeholders with the assurance they need to manage and direct the organization with confidence
  2. We provide insight into current conditions and our work is focused on the risks that will face the organization as it moves forward, and
  3. We work with management to effect positive change

the professional practice of internal audit will be one worthy of pride.

I welcome your thoughts and comments.

Updating the IIA Standards

August 7, 2014 3 comments

The IIA is asking for its members’ opinion on a set of proposed changes to the framework for its Standards (the IPPF). The detailed Standards are not changing, but the proposed changes are significant and merit every audit professional’s attention.

The proposal was crafted by a select group of practitioners called the “Re-Look Task Force”, and I was privileged to be a member.

The proposal explains the recommended changes and asks a number of questions to elicit members’ opinions and suggestions for improvement.

I encourage all IIA members across the world to read the proposal carefully and provide your input.

You should receive a copy of the proposal from your institute. You can also download it from either the IIA Global or IIA North America web site. In addition, Hal Garyn, a Vice President with The IIA, has recorded a video (http://auditchannel.tv/video/1321/The-IPPF-Is-Evolving-How-You-Can-Help).

I want to share my perspective on the changes, hoping that might be useful to you.

The proposal represents the consensus view. While there were, in a few cases, disagreements among the task force members, those disagreements were minor. The questions we included are designed to address those issues.

The task force discussed whether it was time to make a change to the Definition of Internal Auditing. Quite a few changes were suggested, but in my view they were only tinkering with the words and not changing the underlying message: that ours is an assurance activity (in my opinion this is our primary mission) that also helps our organizations succeed through consulting/advisory services that contribute to the improvement of governance, risk management, and related control processes.

We talked about changing “consulting” to “advisory”. We talked about ways to make the wording more succinct.

But in the end, it was tinkering and we recognized a change could lead to issues where the Definition has been incorporated into other standards, corporate governance codes, and so on.

I think the right decision was made, to leave the Definition unchanged.

We also talked about the Standards being “principle-based” rather than “rule-based”. If so, what are the principles?

Again, we spent a lot of time defining and then wordsmithing the principles.

I think the list included in the proposal is a good one. I will write separately about some of the principles and why I like them.

One of the questions is whether the principles are shown in the best order. This is one area where I was in the minority. While I see the logic of the proposed order, I would put the last three first as they represent what we are all about. The other nine are how we get there. You can share your opinion by answering a question on the order of the principles.

Although presented before the principles, the discussion of a mission came after. I like it! It is short and sweet and captures the essence of the purpose and value of internal auditing.

I like the other suggestions for supplemental guidance, guidance on emerging issues, and local guidance. The last should be useful where local practices are in a different environment than in other countries. For example, I work with IIA chapters and institutes around the world and know that in some nations there are many family-owned corporations; in others there are a lot of government-owned for-profit companies. There will now be a place for local IIA organizations to craft guidance that addresses local issues in ways global guidance cannot.

If you haven’t already seen the proposal, please watch for it and if necessary check the IIA web site.

Feel free to share your thoughts here for discussion.

More Poor Guidance on COSO 2013

July 30, 2014 2 comments

I continue to be concerned that accounting firms are providing poor guidance to their clients and other organizations.

Let’s look at new guidance from PwC’s Canadian firm, “What does it mean to me? Frequently asked questions about the COSO Updated Framework”.

PwC asks and provides their answers to a few questions, including:

Q: What might happen if my company does not update to the 2013 Framework?

A: There are indications that the SEC will take a close look at any company that doesn’t make this transition. We’re encouraging our clients to transition before December 15, 2014.

Norman: PwC fails to point out that this only applies to the SOX assessment of internal control over financial reporting for organizations subject to that compliance requirement. There is no requirement to adopt COSO 2013 for any other business objective.

Q: Are there new/updated requirements for effectiveness?

A: While the fundamental requirements haven’t changed, there’s greater clarity around what management should assess in determining effectiveness. The requirements are that:

  • Each of the five components and relevant principles are present and functioning
  • The five components are working together in an integrated manner

Norman: I find it unforgivable that PwC omits the first and most significant requirement: internal control is effective when it provides reasonable assurance that risk to objectives is at acceptable levels. Unforgivable because this is the primary and overriding way to assess internal control; it comes ahead of the requirements relating to components and relevant principles in the COSO section on Effectiveness; and PwC really should get this right as they wrote the COSO 2013 update! (By the way, I give PwC kudos for pointing out that the “fundamental requirements have not changed”.)

Q: Isn’t this just a mapping exercise? Can’t you just use the template?

A: The mapping of controls based on the 1992 Original Framework to the updated 2013 Updated Framework is a key part of the transition. Many companies seem to think it’s just a mapping exercise and that there’s little they need to do to apply the update. We’ve heard of other organizations who think that because they had a clean certification last year, there won’t be any challenges this year. However, once they start this mapping, many companies are finding that updates are needed to their system of internal control. The mapping templates help draw this out, and management should expect some level of added effort to the update.

Norman: There is no requirement to map your controls from last year to the Principles. This is a creation of consultants.

The requirement is to demonstrate that the Principles are present and functioning, which will serve to demonstrate that the components are present and functioning and working together in an integrated manner.

I give credit to Deloitte for including this distinction in their firm’s internal training (according to the lady who runs it for them). Companies don’t need to take all their existing controls and map them to the new Principles. Instead, they need to identify the controls that satisfy the Principles.

I again give credit to Deloitte for training their people that there is no need to identify controls for every Point of Focus. The latter are provided to assist in addressing the Principles.

The other major problem, and this applies to every guidance I have seen on COSO 2013, is the failure to note that the requirement to assess internal control over financial reporting using a top-down and risk-based approach has not changed. This is mandated in Auditing Standard Number 5 (which has not been changed), included in the SEC’s Interpretive Guidance (which has not been changed), and strongly reinforced in the PCAOB’s Staff Alert 11 of October, 2013 (published after the release of COSO 2013).

The assessment of the Principles should be based on whether any gap represents what COSO calls a major deficiency: one which represents a significant risk to the achievement of the objective of reliable financial reporting to the SEC. Absent such a major deficiency, which basically translates to a material weakness, the Principles can be assessed as present and functioning. I have confirmed this with COSO and several audit firm partners.

Finally, the mapping templates can be and generally are misused. When consideration of risk is not included, these templates are just checklists. This is why many organizations are warning against the checklist approach to COSO 2013 adopted by firms and registrants alike.

I like how the PCAOB Board Member Jeanette Franzel advised organizations to avoid the checklist approach and use the 2013 Update as an opportunity to revisit the system of internal control’s design, effectiveness, and efficiency.

I have talked to a number of PwC partners about the COSO 2013 update and its effect on SOX. They “get it” so this failure to talk about providing reasonable assurance that risk to objectives is at acceptable levels is not pervasive across PwC. I hope it is limited to this guidance.

These partners know that the assessment of effective internal control over financial reporting is still based on whether there are no material weaknesses. Translating this into COSO language: the objective is to file financial statements that are free of defect; the acceptable level of risk is that they do not contain any material errors or omissions; if there are no material weaknesses, then it should be possible to show that the principles are free of major deficiency and thus present and functioning.

I welcome your comments.

By the way, this is addressed in more detail in the guidance to management on SOX published by the IIA (written by me).

Risk Management is not about Defense

July 28, 2014 16 comments

From time to time, I get into trouble with the IIA.

Here’s another opportunity.

The IIA has embraced the Three Lines of Defense Model and in 2013 issued a Position Paper (identified as strongly recommended guidance[i]) The Three Lines of Defense in Effective Risk Management and Control. Since then, IIA leadership has advocated the model, including in its recent Enhancing value Through collaboration: A call to action (see this related post).

The idea of the model has some merit. It distinguishes between functions that own and manage risk (operational[ii] management: the 1st line of defense), those that “oversee risk” (including risk management facilitation and monitoring of risk management practices: the 2nd line of defense), and those who provide independent assurance (primarily internal audit: the 3rd line of defense).

Distinguishing the roles of management, risk management, and internal audit has merit. It is also useful to talk about the need for coordination.

However, I believe the IIA has made a grave mistake.

Risk management is not about defense.

It’s about management making informed decisions and taking the right risks.

If anything, that is offense.

Defense implies you are defending against risk. If you don’t take risk, you wither and die.

Defense implies that risk is bad. It is not. It can be positive or negative and, as one sage individual commented on my blog, there is often an opportunity to change a potential negative into a positive.

Last week, I met a top financial services risk management expert in Singapore (Martin Davies of Causal Capital). He told me about a situation where a trader submitted a proposed transaction for risk management review and approval. It was rejected because it fell outside the organization’s “risk appetite” (used in this context, it really referred to risk criteria[iii] rather than risk appetite as defined by COSO ERM). The risk manager rejected it. Martin explained how if he were in this situation he would sit down with the trader and work with him on how the deal could be restructured such that it is acceptable[iv].

This is offense, not defense.

In any event, my view is that when you put responsibility for managing risk in the hands of a siloed risk management function you are at the same time removing that responsibility from operating management.

This is not a good thing.

Management needs to own risk, with risk management serving as facilitator.

The IIA paper talks about risk management “overseeing” and “monitoring” risk management practices – which sounds awfully (and I mean awful in every sense) like corporate police and a siloed, adversarial risk management function.

No. This is a practice that will only stifle an organization and limit achievement.

Let’s talk about the lines of offense instead of defense.

How can risk management enable the organization to take the right risks, optimize outcomes, and not only achieve but surpass objectives?

I welcome your comments.

 

PS – controls help the organization go faster, not just preserve value

 

[i] Why this is considered guidance escapes me. I understand how it can represent the IIA’s thinking but it is information in nature rather than guidance for the professional practice of internal auditing. I contrast this with the Position Papers on the role of internal audit in risk management and governance, which did provide guidance.

[ii] IIA refers to risk management as being owned by operational management. I don’t understand why they don’t include executive management and the board. They refer to senior management as setting strategies and objectives and defining the governance structure, but taking risks and making decisions is not limited to operating management.

[iii] Follow the links to a paper by Martin on risk appetite that relies on ISO 31000:2009 rather than COSO ERM.

[iv] I am with Martin and would fire the risk manager who simply stamps reject the proposed trade.

A Call For Internal Audit Change

July 21, 2014 30 comments

The IIA has released a new report calling for change. Enhancing value Through collaboration: A call to action has a lot of value, drawing on the results of IIA, KPMG, and PwC surveys and reports among others, together with insights and comments from IIA leaders and CAEs.

Change is needed because “Fewer than half (49 percent) of senior management responding in PwC’s survey believe that internal audit is performing well at obtaining, training, and/or sourcing the right level of talent and the right specialists for its needs.”

The IIA report references five strategies that internal audit leaders should adopt for success:

  1. Improve Upon Alignment With Expectations of Key Stakeholders
  2. Assume a Leadership Role in Coordinating the Second and Third Lines of Defense
  3. Enhance Internal Auditing’s Capability to Address Critical Strategic Business Risks
  4. Develop and Implement Knowledge and Talent Acquisition Strategies
  5. Become a Trusted Advisor to the Audit Committee and Executive Management

Some of the excerpts with which I agree include:

–  There is a need for “a global shift toward greater coverage of risk management, business strategy, and governance” by internal audit.

–  Sprint CFO Joe Euteneuer tells PwC, “internal audit’s mandate is to be proactive in helping us forecast, assess, and manage risk. They are expected to partner with the business as they manage day-to-day operations and be an ‘idea tank’ for insights around risks and controls for the overall benefit of the company.”

–  The first step, according to KPMG’s report, is to “recognize that internal audit is most effective when it is focused on the critical risks to the business, including key operational risk and related controls — not just compliance and financial reporting risks.”

–  Internal audit needs to shift its mindset and be cognizant of an ever-changing operating environment.

–  Presuming maturity of the company’s internal control structure, the CAE should present a strategic internal audit plan, spanning three to five years and showing a reduction in assurance services and an increase in advisory services — in accordance with what the internal control structure will permit. The CAE should not lose sight of the need for flexibility and adaptability in response to emerging risks. Such a plan should present in detail how those advisory services will be performed and how they tie into the company’s business plan.

–  “It becomes incumbent on CAEs to communicate clearly where within their audit plans they have identified and addressed the organization’s key strategic and business risks. Explicit rather than implicit communication with full transparency is needed to avoid any misunderstanding of this critical risk coverage.” — Richard Anderson, Clinical Professor of Risk Management, DePaul University

Some believe I speak for the IIA – that is not correct. From time to time, I disagree (sometimes strongly) with official IIA positions. That happens to be the case with some of the advice in this IIA paper.

The IIA “advocates educating key stakeholders on the three lines of defense model, comprising management controls, risk management, and internal audit. Communicating this model and coordinating with other assurance providers has made slow progress.” I disagree, but will cover my issues with the three lines of defense model in another post.

Today, I want to comment on the first of the five strategies, “Improve Upon Alignment With Expectations of Key Stakeholders”.

The paper talks about understanding the expectations of the board (and top management), agreeing with them on what constitutes value, and then delivering that value.

At first glance, this seems reasonable and appropriate.

The trouble is that most boards and top management have no idea what internal audit is capable of doing – which is why so many insist on internal audit focusing on financial and compliance risks, rather than expanding into strategic and operational areas. It is also why boards are not demanding that internal audit provide assurance on risk management or address the risks of failures in governance processes.

If we only strive to align and meet the expectations of ‘ignorant’ boards and top management, we are doomed to repeat the failures of the past.

Instead, we must recognize our obligation to address all risks to the success of the organization, including those pertaining to governance, risk management, and so on.

Where our boards and top management don’t understand, rather than fall in (or fail in) quietly we must do our best to educate them of our responsibilities and capabilities. Where needed, we must expand our capabilities so we address these key risk areas in a professional and competent manner.

For example, Lord Smith of Kelvin told the International IIA Conference in Kuala Lumpur that “the fish rots from the head down” and that the greatest risks to an organization relate to defects in the CEO and his executive team.

Where we are witness to failures at the C-suite level, should we behave like the three monkeys because the board and management do not expect us to address that risk?

Or, do you disagree?

Understanding Governance Risks

July 14, 2014 4 comments

How many boards, let alone risk officers, think about the risks to their organization if the governance by the board and top management is ineffective?

Certainly, people talk about the potential for the wrong tone at the top. Frankly, I doubt that members of the board will be able to detect those situations where top executives talk a good game but walk to a different tune; where they put the interests of their pockets ahead of the reputation and long-term success of the organization; where they are prepared to take risks with the organization’s resources without risk to their own.

But governance risks extend well beyond that.

Failures to have the time to question and obtain insight into how the organization actually works can leave the enterprise without effective risk management, information security, internal auditing, and more.

Failures to provide the board the information it needs when it needs it leave the directors blind, although they may think they can see.

The governance committee of the board should, in my opinion, consider risks related to governance processes every year. It should engage both the risk and internal audit teams to ensure a quality assessment is performed. Legal counsel should also be actively engaged as issues might have consequences if they are not handled well; for example, any assessment that the board has gaps in director knowledge, experience, or ability to challenge the executive team cannot be communicated outside the firm.

Do you agree? I welcome your comments.