Archive for the ‘COSO’ Category

The SOX State of the Nation

June 7, 2014

Each of the last few years, Protiviti has conducted a survey to understand and then report on the state of SOX compliance programs. They recently published their 2014 Sarbanes-Oxley Compliance Report.

The Protiviti survey and analysis is interesting, useful, and valuable. If you contact them, they may be able to give you detail customized to your situation.

Not surprisingly, Protiviti has a major focus on how companies are adopting the 2013 update to the COSO Internal Controls – Integrated Framework.

I am surprised, as are the authors, that a large number of organizations “have yet to begin work on gaining an understanding of and implementing” COSO 2013. I join Protiviti in urging every organization subject to SOX to figure out their plan and discuss it with the external auditors a.s.a.p.

I am less surprised, even encouraged, that the majority of those who say they understand COSO 2013 are not anticipating a major increase in the level of work required for SOX compliance in 2014 and beyond. Here, I part ways with Protiviti who seem to believe that the external auditors will require organizations to do a lot more. That, in my opinion, would be a mistake.

Companies need to continue to take a top-down and risk-based approach to SOX, even in the face of COSO 2013, and this need not lead to an increase in the number of key controls included in scope (please see this post and the quotes from Jim DeLoach of Protiviti, Ray Purcell of Pfizer, and Marie Hollein of FEI).

For more on applying a top-down and risk-based approach (as required by PCAOB and SEC) to the COSO 2013 update, please see my May post on the topic. I cover it in detail in my SOX book for the IIA.

Protiviti reports that a large number of companies have, presumably with Audit Committee approval, asked the internal audit team to provide SOX project management and leadership. That is consistent with my reading of the market, from my SOX training classes and interactions on social media.

Protiviti did not address how many internal audit departments are performing SOX testing on behalf of management. My reading is that the majority of organizations are doing this but, in contrast with the early years of SOX, now have sufficient resources to do both SOX testing and their normal internal audit work.

Protiviti also did not address the extent of external auditor reliance on management testing, especially where performed by internal audit. They pointed out that the PCAOB, in their October 2013 report, criticized the external audit firms for failing to document their reasons for assessing management testing to be sufficiently competent and objective for them to place reliance. Protiviti seems to assume that as the firms address this issue they will tend to reduce reliance on management testing. I fail to follow their logic.

I am pleased to report that I am now finding a number of companies where the external auditors are placing reliance on management testing for as much as 80% of the key controls work.

Another area where I tend to disagree with Protiviti is in the value of automating controls. Protiviti sees this as a significant opportunity, presumably because automated controls only need to be tested once instead of the multiple tests required of manual controls. But this argument overlooks both the high cost of testing automated controls and the fact that they bring into scope more IT general controls risks.

However, overall Protiviti has continued to provide valuable insights into the state of SOX compliance and their report is a useful read.

I welcome your comments.

My tolerance for risk appetite is fading

June 2, 2014

It is amazing to me that one of my most popular blog posts every month is “Just what is risk appetite and how does it differ from risk tolerance?”, which I wrote over four years ago, in April 2011!

In that and several subsequent posts (notably “What is your risk appetite?” from September 2013, “The tricky business of risk appetite: a check-the-box chimera or an effective guide to risk-taking?” from August 2012, “COSO Contributes to Thought Leadership on Risk Appetite” from January 2012, and “New guidance on risk appetite and tolerance” from September 2011) I have expressed my preference for the concept of “risk criteria” used by the ISO 31000:2009 global risk management standard.

I have also said, over and over again, that unless and until any statement of overall organizational risk appetite is linked to guidance that enables decision-makers across the organization to take desired levels of risk, this idea is not working.

In fact, making people believe they have effective risk management because they discuss a point-in-time list of so-called “top risks” and set limits for those few risks is making them believe in fairies.

It is setting them up to be surprised and for a failure to deliver success.

Now PwC has published a piece, “Board oversight of risk: defining risk appetite in plain English”.

I was hoping to see new thinking that would help organizations and their boards manage risk effectively.

Instead, while PwC says that risk appetite “is not a new concept but one that can be confusing”, I don’t believe they have succeeded in removing any of that confusion.

For example, while the piece talks about understanding an organization’s “exposure” and reducing “risk to an acceptable level”, it also points out (correctly) that organizations need to take care that they don’t take too little risk! (I am not going to bring into this discussion whether risk is the effect of uncertainty, positive and/or negative, on objectives. For purposes of this post, I am going to use the term ‘risk’ the way COSO does, as a negative with opportunity as the positive effect of uncertainty.)

I am not going to dwell on the PwC piece in detail, but instead want to bring out a few major points:

  • It is important for the board, as recommended by PwC, to understand and debate which risks the management team assesses as being the most important to monitor and address.
  • It is also important for the board, as expressed in the paper, to understand and agree with management how they will determine the type and level of risks they should and should not be taking. (You can call this risk appetite; I prefer to call it risk criteria.)
  • Even more important, and not mentioned as far as I can tell in the paper, is for the board to obtain assurance (from internal audit, preferably) that the management team has effective processes for identifying, assessing, evaluating, and treating risk as an integral part of running the business. Risk is not limited to what is included in a point-in-time list presented to the board. Risk is created and modified by every business decision, and the potential effects of uncertainty need to be integrated into every decision-making process, from the setting and monitoring of strategy and performance, to the decisions made by front-line employees every day. (By the way, I do not support in any way an internal audit of a point-in-time list of risks; that provides little assurance that management’s continuing processes for managing uncertainty across the organization are what they need to be for the organization to succeed.)
  • If all the board is doing is reviewing a static, point-in-time list of risks and determining what are acceptable levels for those risks, it is reviewing a small subset of risks that is most likely already out of date. Furthermore, its focus may be on the horizon just as the organization is about to step off a cliff. Relatively minor decisions, such as the outsourcing of maintenance and operations of an oil rig in the Gulf, will never rise to the level of board attention but can be sources of massive damage.
  • A risk appetite statement (some use other expressions, such as a risk appetite framework) has limited value if the people making decisions are not guided as to how much risk to take. All it does is create a target for a level of risk that can be compared (after the fact) to the levels of risk actually taken, but doesn’t stop people taking more risk (or less risk) than the board and top management desire. A risk appetite statement will not tell a procurement manager whether to accept a bid from a vendor that has the lowest price but not the highest reputation for quality and reliability, whether to allocate purchases among several vendors (at collectively higher cost but increased reliability), whether to implement additional quality control measures (at a cost) to address potential quality issues, or take another approach. A risk appetite statement will not tell a hiring manager whether to select the highest cost but most experienced employee, or to take the inexperienced individual who will help him stay within budget.
  • Risk appetite is not a single number. Every area is different and may well need different criteria to establish what is acceptable, from employee safety to cash flow, exchange rate exposure, customer credit risk, investment risk, the loss of key employees and customer relationships, supply chain disruption, quality manufacturing issues, data center disruption, vendor price increases, theft of intellectual property, litigation, brand and corporate reputation, capital project completion, and more.
  • Risk criteria used to evaluate and determine how to respond to risk include but are not limited to values for risk appetite and tolerance. (COSO ERM says this as well.) For example, I would expect companies to be more willing to accept downside risk as the potential for profit increases. Would you be equally willing to accept (a) a 20% likelihood of a $50 loss if there is an 80% likelihood of a $50 gain, (b) a 20% likelihood of a $50 loss if there is an 80% likelihood of a $500 gain, or (c) a 20% likelihood of a $50 loss with an 80% likelihood of a $5 gain?
  • Risk criteria should include not only values for risk, but other attributes. For example, COSO’s ERM Framework says “Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to objectives the entity seeks to achieve.” It continues with “an entity that has set a target of a customer satisfaction rating of 90% may tolerate a range of outcomes between 88% and 95%. This entity would not have an appetite for risks that could put its performance levels below 88%.” However, in my experience managers might well be willing to accept a 2% chance that performance levels fall below 88% if there is an 80% chance that customer satisfaction might exceed 95%. Risk criteria should reflect both impact and likelihood, not just one or the other.
  • Other attributes that should be considered include the speed of onset of the adverse effect (a negative impact that hits the organization faster than it is able to respond and cushion the impact is less acceptable than one that comes at a pace that enables a considered response), the duration of the negative effect, the corporate culture and social environment, and more.
  • Risk appetite is not, or at least should not be, set in stone. For example, as the economy thrives, a company may be willing to take a higher level of customer credit risk.
  • Those responsible for making decisions – and decisions are where risks are ‘taken’ – need guidance as to the level of risk they can accept. It’s not enough to have statements by the board and top management that don’t translate into how risk is managed as part of daily business. Acceptable risk levels have to be communicated to and understood by all decision-makers, who also need the tools to measure and understand the risks they may be evaluating.
  • The consideration and discussion of risk by the board has to be integrated with its discussion of strategy. The choice of strategies should be based, in part, on an understanding and appreciation of risk. Performance and the execution of strategy is only successful when those risks, and new ones that may appear, are understood and addressed. Further, the organization should be prepared to shift strategies as risks change.
  • You can’t do this with spreadsheets. If managers are going to intelligently accept downside risks, and executives are going to be able to measure and monitor risk across the enterprise and compare it to acceptable levels, you need an enterprise-wide risk management solution.

This is, indeed, a complex topic and boards must be extremely careful not to oversimplify.

Believing that you have effective risk management because you agree with management’s point-in-time list of so-called “top risks” and have agreed on the organization’s appetite for those risks is believing in fairy tales.

My advice is for the board to understand and become comfortable with management’s ongoing process rather than spend much time reviewing a point-in-time list of risks.

Challenge management on the points I list above. Are you satisfied, not just with the list of risks that management chooses to share with you, but that management addresses the potential effects of uncertainty as it manages the business – at all levels – every day?

Will it step off a cliff as it looks only at the horizon, the few risks on that list?

Separately, I understand that COSO is considering a project to update its COSO ERM Framework, now that it has updated the Internal Control – Integrated Framework. I support such an endeavor and suggest that they consider:

  • How managers can be guided to make risk-intelligent decisions every day.
  • Moving from risk appetite to risk criteria, so that other issues (such as speed of onset, duration of effect, and so on) are considered when evaluating risks.
  • Moving towards convergence with the ISO 31000:2009 global risk management standard. One step would be to redefine risk and uncertainty as the potential effects of uncertainty on objectives – a compromise definition I propose between that in ISO and that in COSO today.

I welcome your comments. My tolerance for risk appetite statements without guidance to enable risk-intelligent decisions is fading to black. How is yours?

Reflections on the Third Line of Defense Model

May 23, 2014

People are talking about the third line of defense model for internal audit.

  • The IIA has a Position Paper
  • KPMG wrote a paper
  • PwC has made its contribution
  • Protiviti extended the model to 5 lines of defense
  • Not to be left out, EY published a thoughtful piece
  • and Deloitte has a PowerPoint

I even did a webinar on the model (I don’t have a link to the recording).

I think the model has some value in explaining how internal audit is not the primary player when it comes to risk or compliance – management is the primary player, assisted by organizations in the second line of defense such as the compliance function, physical security department, risk management, and so on – all part of management.

Internal audit can place some level of reliance on these “other assurance providers” in the second line of defense by assessing how well they monitor management performance of controls.

My problem with the model is that it is all about defense.

Organizations (and sports teams) rarely succeed by only playing defense. (When the defense scores a touchdown, that is because they have become the offense after a turnover.)

Organizations (and sports teams) win through a combination of offense, defense, and (perhaps) special teams.

Internal audit can and should have a key role in all three elements of the business game: offense, defense, and special teams.

Internal audit exists not only to protect value, but to help organizations create value.

Too much focus on the Third Line of Defense model relegates us to the traditional policeman role, and sitting on the bench when the offense is on the field.

I welcome your comments.

What Boards Should Ask About Risk Management

May 10, 2014

Let’s say that you have taken your car in to your dealer for a routine service and check-up. How would you feel if the mechanic came back and gave you this report?

“Your speedometer registers zero, which is correct because the car is not moving. The compass is pointing due north, which is also correct. The engine oil is full and the tires are at the correct pressure.”

Would you prefer this report?

“The speedometer and compass are working well. The engine oil is full and there is no leak. We took the car for a test drive and checked for leaks and also for any issues with the tires, which remained at the correct pressure.”

The second report provides you with valuable information that gives you comfort that the car is safe to drive and will get you to your destination. The first report is correct but of limited value.

Let’s turn to boards and risk management oversight.

If you listen to the consultants, of whom there are many, board members should ask about the top risks facing the organization and quiz management on how they are being managed. Perhaps the board can go further and ask how these risks are being considered in strategy-setting.

In this scenario, the board members are provided a report (perhaps prepared by the risk officer) as a basis for discussion.

That is a list of the risks that management and the risk officer prepared and reviewed prior to meeting with the board.

That is a list of what used to be the risks at the time it was prepared.

That is a list of risks the organization faced when it was standing still and pointing north.

It is not necessarily the risks and risk levels facing the company at the time of the board meeting, and not necessarily the same risks and risk levels that the company will face next week.

Risks change in our dynamic business and regulatory climate.

I am not saying that it is not a valuable exercise to discuss the most significant risks facing the organization. It is.

What I am saying is that is simply not enough, for two reasons:

  • Any list of risks is a point-in-time report and is probably already out of date
  • The list of risks probably omits some of the most critical risks

Let me explain what I mean by the last bullet point.

The kind of risks that are generally included in the report to the board are “strategic” in nature. They are “big” risks affecting strategy, possibly involving litigation or the loss of key executives – they are what I would call risks on or beyond the horizon.

But the kind of risks that can cause immense damage are those that are taken every day as a normal part of running the business.

If you are focused only on the horizon, you will trip and fall as you walk.

Managers and staff are taking significant risks all the time. Think of the contracts they are entering into for the supply of critical components needed in manufacturing; comments they post on social media; decisions they make to defer or accelerate plant maintenance; and the people they hire.

So what do boards need to do?

This is what I would do as a member of a board:

  1. Ask the CEO and the CFO for their opinion, their assessment, of whether the consideration of risk is an integral part of how they, their management team, and managers at all levels run the organization.
  2. Ask them what they understand by “risk” and “risk management”, and who has responsibility for the management of risk. (This will be a real test!)
  3. Quiz the top executives on how they make decisions: how they obtain the information they need, including how they determine the risks they face (upside and downside) and the actions they ensure are taken to address them and optimize outcomes.
  4. Require the CEO and CFO to provide the board with at least an annual assessment of the adequacy of risk management. That assessment should include whether they believe that the management of risk is effective and suitable for the organization now and into the immediate future. If not, what actions are being taken to upgrade it?
  5. Require the internal audit department to provide at least an annual assessment of how well the organization manages the more significant risks to the organization; this will include consideration of the controls relied upon to manage those risks.
  6. Ask the CEO to describe the relationship between the executive leadership team and the risk function.
  7. Ask internal audit and the risk officer to describe how they work together.
  8. Ask the external auditor for any input they may have on the management of risk, not limited to financial risk, based on their interaction with leadership and management across the organization.

What do you think of the above? Are there two more questions you might ask to bring the list to 10?

Protiviti provides insights into COSO 2013

May 3, 2014

The latest publication from Protiviti with answers to Frequently Asked Questions about the Updated COSO Internal Control Framework has some excellent content.

Protiviti emphasizes the continuing need to embrace the top-down and risk-based approach in determining the scope of the SOX program. I like that and congratulate them for emphasizing that point.

However, they have also suggested (as has pretty much everybody else) that companies should map controls to the 17 COSO Principles.

I have expressed my disagreement with the idea of identifying controls to include in the SOX scope before determining whether there is a risk (at least a reasonable possibility of a material error or omission in the financial statements filed with the SEC) that needs to be addressed.

However, it is useful on general principles to consider all the Principles and discuss them with senior management and then with the Board (or audit committee).

The Principles are important, if not essential, to a system of internal control that addresses risks to the more significant objectives of the organization. It is very difficult to argue that they don’t represent good business practices.

But when it comes to the SOX scope, the regulators have said that you can assess the system of internal control as effective if there are no material weaknesses.

How do you reconcile that with the commandments in COSO 2013 that the system of internal control is effective when:

(a) It provides reasonable assurance that risks to objectives are at acceptable levels. (Unfortunately, many consultants, trainers, and commentators have overlooked the COSO text that puts this requirement first, before talking about components and principles),

(b) The components are present and functioning and working together, and

(c) All relevant principles are present and functioning?

A couple of observations:

(a) You can assess the components as present and functioning if you have assessed the principles as present and functioning

(b) You can assess the principles as present and functioning if any deficiencies are less than “major” (i.e., represent less than a significant risk to the achievement of the objective). In other words, if you don’t have a deficiency relating to the principle that would be assessed (using traditional SOX control deficiency methods) as a material weakness, you can consider the principle as present and functioning.

In one section, Protiviti suggests that if you have a deficiency such that you assess the principle as other than present and functioning, you have a material weakness. I think that is circular thinking. You don’t assess the principle as less than present and functioning unless there is a deficiency that you assess as (in SOX terms) a material weakness. So it’s not the fact that the principle is defective that leads to the material weakness; it’s the material weakness that leads to the principle being defective.

Many of the controls required to address the principles are of the type discussed by the regulators as “indirect entity-level controls”. When these fail, their effect is not to create risk to the financial statements directly; their effect is to increase the level of risk that other controls will fail.

If there is less than a reasonable possibility that, as a result of the indirect control failing, one or more direct controls will fail and lead to a material error or omission, then the failure of the indirect control should not be considered a material weakness.

So, you need to know your direct control population before you can assess potential indirect control deficiencies. Let’s take an example and consider two of the Principles:

13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of other components of internal control.

Any company generates and communicates a massive volume of information. However, what we are concerned about for SOX (in fact for any objective) is whether the individuals performing key controls have the information they need to perform those controls reliably. In order to assess whether these Principles are present and functioning, you need to assess them in relation to your key controls – and for that you need to know what they are.

The same thing applies to Principle 4: “The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.” Here, we are concerned about the competency of the individuals performing and responsible for our key controls. We all know that even a world-class HR department doesn’t mean that every employee is world class, so I for one would have difficulty placing reliance on HR processes. I need to assess competency as part of assessing each key control.

By the way, Protiviti (and PwC) suggest that there are multiple objectives when it comes to SOX. I have one: “the financial statements that are filed with the SEC are free of material error or omission”. This single objective covers all the objectives they have suggested. For example, compliance with accounting standards is necessary to have the financials free of material error.

I have previously shared my approach to this issue of integrating the COSO 2013 Principles into the top-down and risk-based approach. It is explained in more detail, principle by principle, in my SOX book (available from the IIA Bookstore and Amazon).

The more I talk about my approach with regulators, firm partners, COSO leaders, and senior practitioners, the more I think it is common sense and practical.

So here’s a refinement for those who have already mapped controls to the principles.

Take each of the controls that have been determined as necessary to address the principles and ask this question:

“If this control failed, would it represent at least a reasonable possibility that a material error or omission in the financial statements filed with the SEC would not be prevented or detected on a timely basis?”

If the answer is no, then you may at your discretion remove this control from the SOX scope. If it failed it would not cause the principle to fail; there would be no material weakness.

Remember that the SEC and PCAOB have directed that the scope only needs to address the risk of a material misstatement. Going further is a choice.

Should your external auditor, consultant, or other advisor ask that you include a control “because it is necessary to meet COSO requirements” or because “it is necessary to meet our firm requirements”, ask them this:

“Why? Where is the risk? If it failed, would it lead to a material weakness?”

I welcome your comments.

COSO Checklists – Is your audit firm using one?

February 27, 2014

If your audit firm is asking you to complete a COSO checklist with the 17 Principles, please let me know a.s.a.p. I am talking to a regulator who would like to know.


Questions for the Audit Committee to ask the External Auditors in early 2014

February 15, 2014

The Audit Committee of the Board (or equivalent) is responsible for oversight of the external auditors’ work. This should include taking reasonable measures to ensure a quality audit on which the board and stakeholders can place reliance. As a second priority, it should also include ensuring that the audit work is efficient and does not result in unnecessary disruption or cost to the business.

Audit Committees around the world should be concerned by the findings of the regulators who audit the firms in the US (the Public Company Accounting Oversight Board, or PCAOB). They examine a sample of the audits by the firms of public companies’ financial statements and system of internal control over financial reporting. A report is published for each firm and an overall report is also published every few years.

In their October 24, 2013 Staff Alert, the PCAOB highlighted “deficiencies [they] observed in audits of internal control over financial reporting”. They reported that “firms failed to obtain sufficient audit evidence to support their opinions on the effectiveness of internal control due to one or more deficiencies”. In addition, in a large majority of the audits where there were such deficiencies, “the firm also failed to obtain sufficient appropriate evidence to support its opinion on the financial statements”.

While the Staff Alert is intended to help the firms understand and correct deficiencies, it also calls for action by the Audit Committee of each registrant:

“Audit committees of public companies for which audits of internal control are conducted may want to take note of this alert. Audit committees may want to discuss with their auditor the level of auditing deficiencies in this area identified in their auditor’s internal inspections and PCAOB inspections, request information from their auditor about potential root causes, and inquire how their auditor is responding to these matters.”

In a related matter, COSO released an update last year to its venerable Internal Control – Integrated Framework. It includes a discussion of 17 Principles and related Points of Focus. Reportedly, the audit firms and consultants are developing checklists that require management to demonstrate, with suitable evidence, that all the Principles (and in some cases the Points of Focus) are present and functioning. This ignores the fact that COSO has publicly stated that their framework remains risk-based and they never intended nor desired that anybody make a checklist out of the Principles.

Of note is the fact that the PCAOB and SEC have not changed their auditing standards and guidance. They continue, as emphasized in the PCAOB Staff Alert, to require a risk-based and top-down approach to the assessment of internal control over financial reporting.

However, the checklist approach does not consider whether a failure to have any of these Principles or Points of Focus present and functioning represents a risk to the financial statements that would be material.

In other words, blind completion of the checklist is contrary to PCAOB and SEC guidance that the assessment be risk-based and top-down.

With that in mind, I suggest the members of the Audit Committee consider asking their lead audit partner these seven questions at their next meeting. An early discussion is essential if a quality audit is to be performed without unnecessary work and expense to the company.

1. Was your audit of our company’s financial statements and system of internal control reviewed by the PCAOB? If so:

  • For which year was it reviewed?
  • Did the Examiners report anything they considered a deficiency?
    • How significant did they believe it was?
    • Do you agree with their assessment? If not, why not?
    • What actions have been taken to correct that deficiency?
    • What actions will you take to ensure it or similar deficiencies do not recur, including additional training of the staff?
    • Has any disciplinary action been considered?
  • If you did not promptly report this to us, why not?

2. Were any of the partners and managers part of the audit team on a client where the PCAOB Examiners reviewed and had issues with the quality of the audit? If so:

  • What was the nature of any deficiency?
  • How significant did the Examiners consider it to be?
  • What actions have you taken and will continue to take to ensure it and similar deficiencies do not occur on our audit, including additional staff training?

3. Are there any members of your audit team who have been counseled formally or otherwise relating to quality issues identified either by the PCAOB or other quality assurance processes? What assurance can you provide us that you will perform a quality audit without additional cost to us for enhanced supervision and quality control?

4. With respect to the audit of internal control over financial reporting, have you coordinated with management to ensure optimal efficiency, including:

  • A shared assessment of the financial reporting risks, significant accounts and locations, etc., to include in the scope of work for the SOX assessment? In other words, have you ensured you have identified the same financial reporting risks as management?
  • The opportunity to place reliance on management testing? If you are placing less than maximum reliance on management testing in low or medium risk areas, have you discussed and explained why?
  • The processes for sharing the results of testing, changes in the system of internal control, and other information important to both your and management’s assessment?

5. Are you taking a top-down and risk-based approach to the assessment of internal control over financial reporting?

6. Does the top-down and risk-based approach include your processes for assessing whether the COSO Principles are present and functioning? Do your processes ensure that neither your own work nor your requirements of management address areas relating to the Principles and their Points of Focus where a failure would present less than a reasonable possibility of a material misstatement of the financial statements filed with the SEC? Have you limited your own audit work to areas where a failure would represent at least a reasonable possibility of a material error – directly or through its effect on other controls relied upon to either prevent or detect such errors? Or have you developed, and are you using, a checklist contrary to the requirements of Auditing Standard No. 5, instead of taking a risk-based approach?

7. How do you ensure continuous improvement in the quality and efficiency of your audit work?

I welcome your comments.

Understanding the COSO Frameworks

February 11, 2014 6 comments

Whether you are a fan of the COSO ERM and Internal Control frameworks or not, a paper just released by COSO is worth reading and thinking about.

The intent of the two authors (my good friend Jim DeLoach of Protiviti and Jeff Thomson of the Institute of Management Accountants) is to explain how the COSO frameworks fit within and enhance the operation’s processes for directing and managing the organization. In their words:

“Our purpose in writing this paper is to relate the COSO frameworks to an overall business model and describe how the key elements of each framework contribute to an organization’s long-term success.”

My intent in this post is not to quibble with some of the concepts and language with which I disagree (such as their portrayal of risk appetite), but to highlight some of the sections I really like (with occasional comments) and encourage you to read the entire paper.

For those of you who prefer the ISO 31000:2009 global risk management standard (and I am among their number), the paper is worth reading because it stimulates thinking about the role of risk management in setting strategy and thereafter optimizing performance. It has some useful language and insight that can help people understand risk management, whatever standard you adopt. That language can be used by ISO advocates, for example when explaining risk management to executives and the board.

In addition, even if you like the ISO risk management standard, it does not provide the insight into internal control provided by the COSO framework. It is perfectly acceptable, in my opinion, to adopt ISO for risk management and COSO for internal control.

I have one quibble that I think is worth mentioning: the authors at one point say that internal control “deals primarily with risk reduction”. I disagree. It should serve to provide assurance that the right level of risk is taken. On occasion, that may mean taking more risk. For example, one objective that is too often overlooked is to be efficient. More risk in reviewing expense reports might be appropriate when the cost of intense reviews exceeds the potential for expense-related fraud or error. Another example is when a decision has to be made on the quantity of key raw materials to re-order as quantities on hand fall. Current practice may be to place an order that will bring inventory to 20% more than is expected to be consumed in the next period, as a precaution in case of quality issues or should incoming orders exceed the anticipated level. But, having excess materials can result in a different risk. Risk management thinking can help us decide how much risk to take when it comes to running out of raw materials compared to how much risk to take that the materials may degrade due to extended time sitting on the shelf.

But back to talking about the “good bits”, with the first from the Executive Summary:

“Within the context of its mission, an organization is designed to accomplish objectives. It is presumed that the organization’s leaders can articulate its objectives, develop strategies to achieve those objectives, identify the risks to achieving those objectives and then mitigate those risks in delivering the strategy. The ERM framework is based on objective setting and the identification and mitigation or acceptance of risks to the achievement of objectives. The internal control framework is designed to control risks to the achievement of objectives by reducing them to acceptable levels. Thus, each of the frameworks is inextricably tied into the operation of a business through the achievement of objectives. ERM is applied in the strategy-setting process while internal control is applied to address many of the risks identified in strategy setting.”

Comment: While the COSO Internal Control Framework assumes (or presumes) that the appropriate objectives are set, as we all know controls within the objective-setting process are essential to address such matters as engaging the right people in the decisions and providing them with reliable information.

“The ERM framework asserts that well-designed and effectively operating enterprise risk management can provide reasonable assurance to management and the board of directors regarding achievement of an entity’s objectives. Likewise, the internal control framework asserts that internal control provides reasonable assurance to entities that they can achieve important objectives and sustain and improve performance. The “reasonable assurance” concept embodied in both frameworks reflects two notions. First, uncertainty and risk relate to the future, which cannot be precisely predicted. Second, risks to the achievement of objectives have been reduced to an acceptable level.”

“In general, ERM involves those elements of the governance and management process that enable management to make informed risk-based decisions. Informed risk responses, including the internal controls that accompany them, are designed to reduce the risk associated with achieving organizational objectives to be within the organization’s risk appetite. Therefore, ERM/internal control and the objective of achieving the organization’s strategic goals are mutually dependent.”

“Robust enough to be applied independently on their own, the two COSO frameworks have a common purpose — to help the enterprise achieve its objectives and to optimize the inevitable tension between the enterprise’s value creation and value protection activities. Therefore, both facilitate and support the governance process when implemented effectively.”

“ERM instills within the organization a discipline around managing risk in the context of managing the business such that discussions of opportunities and risks and how they are managed are virtually inseparable from each other. An organization’s strategic direction and its ability to execute on that direction are both fundamental to the risks it undertakes. Risks are implicit in any organization’s strategy. Accordingly, risk assessment should be an integral part of the strategy-setting process. Strategic and other risks should be supported or rationalized by management’s determination that the upside potential from assuming those risks is sufficient and/or the organization can manage the risks effectively.”

“The risk assessment process considers inherent and residual risk and applies such factors as likelihood of occurrence, severity of impact, velocity of impact, persistence of impact and response readiness to analyze and prioritize risks. Risk assessment techniques include contrarian analysis, value chain analysis, scenario analysis, at-risk frameworks (e.g., value, earnings, cash flow or capital) and other quantitative and qualitative approaches to evaluating risk. Furthermore, risk assessment considers relationships between seemingly unrelated events to develop thematic insights on potential long-term trends, strategic possibilities and operational exposures.”

Comment: Although many leading experts have moved away from the concepts of inherent and residual risk, I still like them. What I like most in this paragraph is the discussion of other important attributes of risk. Impact and likelihood are not the only factors to consider when assessing whether the level of risk is acceptable.

“…..organizations must “plan” for disruption and build and refine their radar systems to measure and be on the alert for changes in key risk indicators (leading indicators) versus rely solely on key performance indicators (which are often lagging and retrospective in nature). Looking forward will enable an organization’s culture to support an experimental and adaptable mindset. Adapting is all about positioning companies to quickly recognize a unique opportunity or risk and use that knowledge to evaluate their options and seize the initiative either before anyone else or along with other organizations that likewise recognize the significance of what’s developing in the marketplace. Early movers have the advantage of time, with more decision-making options before market shifts invalidate critical assumptions underlying the strategy. Failing to adapt can be fatal in today’s complex and dynamic business environment.”

“Organizational resiliency is the ability and discipline to act decisively on revisions to strategic and business plans in response to changing market realities. This capability begins to emerge as organizations integrate strategic plans, risk management and performance management and create improved transparency into the enterprise’s operations to measure current performance and anticipate future trends.”

I welcome your comments on this paper and my analysis.

What Audit Committees (Should) Want

January 25, 2014 8 comments

Michele Hooper is a highly-respected (including by me) member and chair of audit committees. She has been a passionate advocate for internal audit and its profession for many years and an advisor to the Institute of Internal Auditors (IIA). In addition, she has been very active with the Center for Audit Quality (CAQ), which is where I met her (she was chair of a CAQ meeting in San Francisco to discuss fraud and I was present as a representative of the IIA).

In December, Michele was interviewed for an article in Internal Auditor (Ia), What Audit Committees Want.

The article brings out some important points. I agree with some and disagree with others (in part because they are left unsaid).

The very first sentence is telling:

“I rely on CAEs to be my eyes and ears in the organization, reporting back on culture, tone, and potential issues that may be emerging within the business”.

The expression ‘eyes and ears’ is an old and perhaps tired phrase. On one hand, it implies that internal audit is spying on management and then running, like a child, to tell on it. On the other, it describes the important role of internal audit as a source of critical information to the board on what is happening within the organization, which may be different from what they are hearing from management.

I can accept that, but what I especially like and appreciate are the next words: “culture, tone, and potential issues that may be emerging within the business”.

Michele is not talking about controls. She is not even talking directly about the management of risk. She is talking first about the culture and tone of the organization, and then about emerging business risks and related issues.

Does your internal audit function provide the board and its audit committee with a sense of the culture and tone within the organization – at the top, in the middle, and in the trenches? If not, why not?

Does your internal audit function ensure that the board is aware of new and emerging business risks and related issues? If not, why not?

Then Michele goes astray:

“An important responsibility critical to audit committee and board discussions is the CAE’s ownership and prioritization of the process management framework for risk identification.”

The CAE should not own the process for identifying and prioritizing risks. The IIA has made that clear in its famous Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management. It says: “Management is responsible for establishing and operating the risk management framework on behalf of the board….. Internal auditor’s core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management”.

When Michele is asked about the risks she and the audit committee will worry about in 2014, she comments on:

  • Culture
  • Tone
  • Internal control
  • Compliance, especially regulatory compliance
  • Cyber vulnerabilities
  • Financial reporting
  • Reputation risk, and
  • Oversight of the external auditor

What she does not mention are:

  • The effectiveness of the organization’s ability to manage risks to the achievement of objectives
  • The effectiveness of governance processes
  • The need for the audit committee to work collaboratively with other board committees, such as the risk and governance committees, to ensure risks are managed at acceptable levels

I wish she had. I especially wish she had mentioned the magic word:


Let’s return to basics, but with a new twist: a new explanation of the primary purpose and value of internal auditing.

Internal audit provides objective assurance to the board and top management of the effectiveness of the entity’s organization, people, processes, and systems in managing risks to the achievement of the entity’s objectives at acceptable levels.

Does your internal audit department provide that assurance, formally, to the board and top management?


What they don’t know will probably hurt them

January 18, 2014 8 comments

It is always interesting to read the various studies that report that directors don’t have an in-depth understanding of their organization’s business, its strategies, and the related risks. In fact, the studies generally report that the level of understanding is insufficient for them to provide effective oversight of management and governance of the organization.

I want to turn this on its head.

If you are the head of risk management, internal audit, information security, or a senior executive, answer this question:

Do you believe that your directors have a sufficient understanding of the reality that is the organization: its culture and politics; the effectiveness of its people, systems and processes; its strategies; and whether risks to the achievement of its objectives and delivery of value to its stakeholders are being managed within acceptable tolerances?

If not, do you have an obligation to help educate the directors? What are you doing about it and is that sufficient?

Now let’s ask another question.

Do you believe that your top executives (including the CEO and CFO) have a sufficient understanding of the reality that is the organization: its culture and politics; the effectiveness of its people, systems and processes; and whether risks to the achievement of its objectives and delivery of value to its stakeholders are being managed within acceptable tolerances?

If not, do you have an obligation to help educate them? What are you doing about it and is that sufficient?

If the directors and/or top executives don’t understand reality the way you do, if their head is in the sand or in a more pungent place, shouldn’t your priority be to help them get their head on straight, pointed in the right direction? If they don’t understand the current state of the organization, shouldn’t the process of informing and educating them be fixed before trying to communicate new areas of concern?

I welcome your views and commentary.

Two new reports show improvement in and value from risk management

December 10, 2013 2 comments

Accenture (Risk management for an era of greater uncertainty) and Aon (Risk maturity insight report) have published new and interesting reports on the practice of risk management.

The Aon report is based on a maturity model (see table below) that I think is interesting. It differs a little from the one I developed. It includes these key requirements for the top level: “process is dynamic and able to adapt to changing risk and varying business cycles; explicit consideration of risk and risk management in management decisions”. I prefer the language of the top level requirements in my model: “Risk discussion is embedded in strategic planning, capital allocation, and other processes and in daily decision-making. Early warning system to notify board and management to risks above established thresholds”.

Aon assesses maturity based on ten characteristics, broken down into 40 specific components. I think it would be useful for any organization to participate in the Aon study and assess where their risk management stands, especially compared to where they want it to be.

This is useful information for risk officers, senior executives, and the board. I think using a maturity model to assess and report on risk management is an excellent approach for internal auditors. It provides useful information without punishing risk officers who are still working to implement and upgrade the maturity of their program.

Maturity Level: Description

  • Initial/Lacking: Component and associated activities are very limited in scope and may be implemented on an ad-hoc basis to address specific risks
  • Basic: Limited capabilities to identify, assess, manage and monitor risks
  • Defined: Sufficient capabilities to identify, measure, manage, report and monitor major risks; policies and techniques are defined and utilized (perhaps inconsistently) across the organization
  • Operational: Consistent ability to identify, measure, manage, report and monitor risks; consistent application of policies and techniques across the organization
  • Advanced: Well-developed ability to identify, measure, manage and monitor risks across the organization; process is dynamic and able to adapt to changing risk and varying business cycles; explicit consideration of risk and risk management in management decisions

In their study of 361 publicly traded companies, Aon found that 3.3% were in Initial/Lacking, just 0.7% were in Advanced, and the majority (56%) were at or around Defined. 30.6% were above Defined and 50.6% were below.

Aon found a correlation between the maturity of risk management and the performance of their stock, based on an analysis of market data between March 2012 and March 2013. Comparing organizations with the highest (Advanced) maturity rating to those with the lowest (Initial/Lacking):

  • Share price grew 18% vs. a drop of 10%
  • Share price volatility was 38% lower
  • Return on equity was 37% compared to negative 11%

They also reported that “Our initial findings indicate a direct relationship between higher levels of Risk Maturity and the relative resilience of an organization’s stock price in response to significant risk events to the financial markets.”

This, I suggest, is useful information to share with executives and the board on the value of mature risk management.

You might reference an older report by Ernst & Young that had similar results, Managing Risk for Better Performance.

The Accenture report was based on a survey of 450 individuals, described in one place as “global risk professionals,” and in another as “C-level executives involved in risk management decisions.” The breakdown shows that 25% are CROs, 20% CEOs, 25% CFOs, and 22% are Chief Compliance Officers.

Here are some excerpts:

“The vast majority (98%) of surveyed respondents report an increase in the perceived importance of risk management at their organization. One phrase that resonated with us was “Action is not optional”. That is seen as true both for the broader organization and for the risk management function.”

“At one time, risk management in many organizations could be described by some as “the department that says no”. Today we would characterize risk management more as “the department that enables execution”.”

“The proportion of surveyed organizations having a CRO, either with or without the formal title, has risen from 78% in 2011 to a near-universal 96% in 2013.”

“We see risk management as being much more integrated and connected, playing a much larger role in decision-making across the organization—particularly in budgeting, investment/disinvestment, and strategy.”

“Survey respondents see risk management as enabling growth and innovation. In order to survive—and certainly to grow—every company should strive to innovate and move its business forward. Simply pushing forward without understanding and mitigating the risks ahead could ultimately lead to disaster in some form. To enable growth and innovation, effective and integrated risk management capabilities should be implemented early and throughout the process. And these capabilities are scarce – both within the companies we talked to in this research and also in the market at large. So risk management capabilities should be prioritized and focused on the things that matter to move the needle for the organization.”

However, Accenture warns that risk management in practice is still falling short:

“There appear to be large gaps between expectations of the risk management function’s role in meeting broader goals and its perceived performance—for every organizational goal we surveyed.”

The authors include four recommendations and a detailed analysis to support their findings.

One interesting section is where they describe “Risk Masters” (they have a “Risk Mastery” capability scale, like a maturity model) and what sets them apart.

“Risk Masters include risk considerations in the decision-making process across strategy, capital planning, and performance management. Masters also better integrate their risk organization into operations, establishing risk policies based on their organization’s appetite for risk. And they delineate processes for managing risks that are communicated across the enterprise. These activities are supported by robust analytic capabilities that reinforce efficient compliance processes and provide strategic insight.”

I encourage the reading and consideration of both reports, together with a discussion of where your risk management program falls.

Are you at the maturity level you want to be? Are you taking the steps to become more mature?

Can you achieve the benefits these studies report?

I welcome your views.