Archive for the ‘Governance’ Category

New information and perspectives on cyber security

March 21, 2015 10 comments

The world continues to buzz about cyber security (or, perhaps we should say, insecurity). Now we have the Chinese government apparently admitting that they have a cyberwarfare capability: not just one unit, but three. Other nations, including the United States, Japan, and some European nations, are talking about their ineffective defenses and the need to develop an offensive capability.

What can the targets, not only any public or private company, but each of us as an individual target (yes, our personal devices are constantly under attack), do about this?

The first step is to get our collective heads out of the sand and understand that we are all, collectively and individually, at risk. The level of successful attacks is enormous (a billion records with personal information were hacked in 2014 according to IBM, as reported here). According to a survey discussed in Fortune, 71% of companies admit they were hacked last year and the majority expects to be hacked this year. However, nearly a quarter, according to Fortune, have not only kept their heads in the sand but do so with unbelievable confidence; they think a successful cyber attack is “not likely” in the next 12 months. The trouble is that very often successful attacks are not detected! It took a long time before JPMorgan Chase found out they had been hacked, and even longer before they knew the extent of damage.

Organizations need to be ready to respond effectively and fast!

The JPMorgan Chase article reports that “The people with knowledge of the investigation said it would take months for the bank to swap out its programs and applications and renegotiate licensing deals with its technology suppliers, possibly giving the hackers time to mine the bank’s systems for unpatched, or undiscovered, vulnerabilities that would allow them re-entry into JPMorgan’s systems.”

All is for naught if successful intrusions are not detected and responses initiated on a timely basis. In the Target case, reports say that the security monitoring service detected suspicious activity but the company did not respond. According to ComputerWeekly.com, many companies make the mistake of “Over-focusing on prevention and not paying enough attention to detection and response. Organisations need to accept that breaches are inevitable and develop and test response plans, differentiating between different types of attacks to highlight the important ones.”

Another insightful article discusses the critical need for pre-planned response capabilities. IT cannot do it all themselves; business executives need to not only be involved but actively work to ensure their operations can survive a successful intrusion.

What else should we do?

We have to stop using passwords like ‘password’, the name of our pet, or our birthday. Password managers are excellent tools (see this article on the top-rated products) and merit serious consideration. I have one (BTW, I don’t plan to replace it with the latest idea from Yahoo of one-time text messages. However, I do like the fingerprint authentication on my iPhone.)

A risk-based approach to cyber security is the right path, in my view. But that does mean that organizations have to continuously monitor new and emerging risks, or new observations about existing risks. An example is a new article on insecure mobile apps – both from in-house developers and from external sources.

Organizations need to allocate resources to cyber and information security commensurate with the risks, and individuals have to take the time to update the software on their personal devices. Internal audit departments should make sure they have the talent to make a difference, providing objective evaluations and business-practical suggestions for improvement.

Companies and individuals both need to make sure they apply all the security patches released by software vendors. These patches address the vulnerabilities most often targeted, and when there is a breach, very often it’s because the patches have not been applied.

As individuals, we should have a credit monitoring service (I do), set up alerts for suspicious activity on our bank accounts, and use all the anti-virus and spam protection that is reasonable to apply.

Finally, as individuals and as organizations, we need to make sure we and our people are alert to the hackers’ attempts through malware, social engineering, and so on. It is distressing that so many successful intrusions start with somebody clicking where they should not be clicking.

Here are a couple of articles worth reading and a publication by COSO (written by Deloitte) on how their Internal Control Framework can be used to address cyber risks.

Cybersecurity in 2015: What to expect

Cybersecurity Hindsight And A Look Ahead At 2015

COSO in the cyber age

As always, I welcome your comments.

Predictions for GRC, risk management, and compliance

March 7, 2015 4 comments

MetricStream[1] has shared with us a November, 2014 report from the analyst firm, Forrester: Predictions 2015: The Governance, Risk, And Compliance Market Is Ready For Disruption (registration required).

I have had serious issues in the past with Forrester, their understanding and portrayal of risk management and GRC, their assessment of the vendors’ solutions, and the advice they give to organizations considering purchasing software to address their business problems.

However, they do talk to a lot of organizations, both those who buy software as well as those who sell it. So it is worth our time to read their reports and consider what they have to say.

I’m going to work my way through the report, with excerpts and comments as appropriate.

“…the governance, risk, and compliance (GRC) technology market is ripe for disruption”.

I have a problem with the whole notion of a GRC market. For a start, the “G” is silent! The analysts seem to forget that there are processes, each of which can be enabled by technology, to support governance of the organization by the board and others. For example, there is a need to enable the secure, efficient, and useful sharing of information with the board – for scheduled meetings and throughout the year. In addition, there are needs to support whistleblower processes, legal case management, investigations, the setting and cascading of business objectives and goals, the monitoring of performance, and so many more.

In addition, organizations should not be looking for a GRC solution. They should instead be looking for solutions to meet their more critical business needs. Many organizations are purchasing a bundle of GRC capabilities, but only use some of what they have bought – and what they do use may not be the best in the market to address that need.

Finally, I have written before about the need to manage risk to strategies and objectives. Yet, most of these so-called GRC solutions don’t support strategy setting and management. There is no integration of risk and strategy. Executives cannot see, as they review progress against their strategies and objectives, both performance progress and the level of related risks.

“A Corporate Risk Event Will Lead To Losses Topping $20B”

What is a “risk event”? This is strange language. Why can’t they just talk about an “event” or, better still, a “situation”?

I agree that management of organizations continue to make mistakes – as they have ever since Adam and Eve ate the apple. Some mistakes result in compliance failures, penalties, reputation damage, and huge losses. I also agree that the size of those losses continues.

But what about mistakes in assessing the market and customers’ changing needs, bringing new products and services to market, or price-setting (consider how TurboTax alienated and lost customers)? I have seen several companies fall from leaders in their market to being sold for spare parts (Solectron and then Maxtor).

Management should consider all potential effects of uncertainty on the achievement of objectives.

“Embed risk best practices across the business…Risk management helps enhance strategic decision-making at all organizational levels, and when company success or failure is on the line, formal risk processes are essential.”

The focus on decision-making across the enterprise is absolutely correct. Risk management should not be a separate activity from running the business. Every decision-maker needs to consider risk as he or she makes a decision, so they can take the right amount of the right risk.

“Read and understand your country’s corporate sentencing guidelines.”

This is another excellent point! Unfortunately, the authors didn’t follow through and point out that the U.S. Federal Sentencing Guidelines require that organizations take a risk-based approach to ensuring compliance; those that do will have reduced penalties should there be a compliance failure.

“Build and maintain a culture of compliance.”

Stating the obvious. It is easy to say, not so easy to accomplish.

“Review risks in your current register and add ‘customer impact’ to the relevant ones.”

All the potential consequences of a risk should be included when analyzing it. Rather than ‘customer,’ I would include the issues that derive from upsetting the customer, such as lost sales and market share.

Further, it’s not a matter of reviewing risks in your risk register. It’s about including all potential consequences every time you make a decision, as well as when you conduct a periodic review of risks. Risk management should be an integral part of how decisions are made and the organization is run – not just when the risk register is reviewed.

Forrester makes some comments and predictions concerning GRC vendors. I don’t know whether they are right or wrong.

However, I say again that organizations should not focus on which is the best GRC platform. They should instead look for the best solution to their business needs, whatever it is called.

I do agree with Forrester that there are some excellent tools that can be used for risk monitoring. They should be integrated with the risk management solution, with ways to alert appropriate management when risk levels change.

What do you think of the report, the excerpts, and my comments?

Should we continue to talk about GRC platforms? Is it time to evaluate risk management solutions? How about integrated strategy, performance, and risk solutions?

[1] By way of complete disclosure, I have a relationship with a number of vendors of “GRC” solutions, including MetricStream and Resolver. I no longer have a relationship with SAP.

The risk of an ineffective CIO

February 28, 2015 1 comment

According to McKinsey, “executives’ current perceptions of IT performance are decidedly negative”. An interesting piece, Why CIOs should be business-strategy partners, informs us that the majority of organizations are not benefitting from an effective CIO, one who not only maintains the infrastructure necessary to run the business but also works with senior management to drive new business strategies.

Why worry about the “big” risks on the WEF or Protiviti list when the “small” risks that let your business survive and thrive are huge?

For example, the survey behind the report found that:

  • “..few executives say their IT leaders are closely involved in helping shape the strategic agenda, and confidence in IT’s ability to support growth and other business goals is waning”.
  • “IT and business executives still differ in their understanding of the function’s priorities and budgets. Nearly half of technology respondents see cost cutting as a top priority—in stark contrast to the business side, where respondents say that supporting managerial decision making is one of IT’s top priorities.”
  • “In the 2012 survey on business and technology, 57 percent of executives said IT facilitated their companies’ ability to enter new markets. Now only 35 percent say IT facilitates market entry, and 41 percent report no effect.”

With respect to the effectiveness of traditional IT functional processes, few rated performance as either completely or very effective:

  • Managing IT infrastructure – 43%
  • Governing IT performance – 26%
  • Driving technology enablement or innovation in business processes and operations – 24%
  • Actively managing IT organization’s health and culture (not only its performance) – 22%
  • Introducing new technologies faster and/or more effectively than competitors – 18%

There was a marked difference when the CIO is active. “Where respondents say their CIOs are very or extremely involved in shaping enterprise-wide strategy, they report much higher IT effectiveness than their peers whose CIOs are less involved.” McKinsey goes on to say:

“We know from experience that CIOs with a seat at the strategy table have a better understanding of their businesses’ near- and longer-term technology needs. They are also more effective at driving partnerships and shared accountability with the business side. Unfortunately, CIOs don’t play this role of influential business executive at many organizations. The results show that just over half of all respondents say their CIOs are on their organizations’ most senior teams, and only one-third say their CIOs are very or extremely involved in shaping the overall business strategy and agenda.”

The report closes with some suggestions. I like the first one:

“The survey results suggest that companies would do well to empower and require their CIOs and other technology leaders to play a more meaningful role in shaping business strategy. This means shifting away from a CIO with a supplier mind-set who provides a cost-effective utility and toward IT leadership that is integrated into discussions of overall business strategy and contributes positively to innovating and building the business. Some ways to encourage such changes include modifying reporting lines (so the CIO reports to the CEO, for example, rather than to leaders of other support functions), establishing clear partnerships between the IT and corporate-strategy functions, and holding both business and IT leaders accountable for big business bets.”

Is your CIO effective, both in supplying the infrastructure to run the business and in working in partnership with business leaders to enable strategic progress?

Is this a risk that is understood and being addressed?

I welcome your comments.

KPMG and I talk about changes at the Audit Committee meeting

February 21, 2015 11 comments

I am used to seeing some new thinking from our Canadian friends. That is hardly the case when you look at a recent publication from KPMG Canada, Audit Trends: The official word on what’s changing and how audit committees are responding.

That title not only sets the expectations high, but sets KPMG up for a fall.

This is how they start us off, with an astonishing headline section:

ACs TODAY DEAL WITH A BROAD RANGE OF ISSUES, AND ACCOMPANYING RISKS, THAT ARE BEYOND FINANCIAL STATEMENTS, REPORTING AND INTERNAL CONTROLS OVER FINANCIAL REPORTING – THEIR TRADITIONAL AREAS OF RESPONSIBILITY.

These include CFO succession management; forecasting & planning; liquidity; M&A; environmental, social and governance factors; fraud and more.

My first audit committee meeting, as the chief internal auditor, was about 25 years ago. If memory serves me well, the only audit committee meetings that focused only on “financial statements, reporting, and internal controls over financial reporting” over those 25 years were short calls to review earnings releases, and so on. Not a single in-person meeting was limited to these few topics.

KPMG continues:

THE DAYS WHEN THE AC AGENDA WAS SOLELY DOMINATED BY AUDIT MATTERS AND TECHNICAL ACCOUNTING DISCUSSIONS ARE GONE.

Sorry, KPMG, but the world does not spin around the axis of the CPA firm.

Here’s another silly profundity, a highlighted quote from the Vancouver practice leader:

“Organizations today rely heavily on technology to manage internal processes and external customer relationships, it is therefore essential for ACs to understand what management is doing to mitigate IT risks.”

In 1990, my company was totally reliant on technology. Not only was it relied upon for internal business processes, but our oil refineries were highly automated. So-called IT risks (so-called, because the only risks are risks to the business – which may come from failure in the use or management of technology) were so extensive that I dedicated a third of my budget to IT audit. Going back even further, the savings and loan companies I worked for in the mid to late-1980s relied “heavily on technology to manage internal processes and external customer relationships”.

So what are the changes that should be happening at the audit committee? Here are six ideas:

  1. The audit committee should be asking management to provide assurance that it has effective processes for addressing risk (both threats and opportunities) as it sets strategies and plans, monitors performance, and runs the business every day. The audit committee should not be limited to a review of the “risk du jour”; it should require that management explain how it has embedded the consideration of risk into the organization’s processes and every decision.
  2. The audit committee should insist that it obtain a formal report, at least annually, from the chief audit executive, with an assessment of the adequacy of management’s processes for managing risk, including the adequacy of the controls over the more significant risks.
  3. With the enormous potential for both harm and strategic value of new, disruptive technology, the audit committee can help the full board by challenging management on its approach to new technology. Does the IT function have the agility, resources, and capability to partner with the business and take full advantage of new technologies, while managing downside risk?
  4. Continuing with that theme, is the organization hamstrung by legacy infrastructure and systems that inhibit its agility, its potential for moving quickly as business conditions and opportunities change? Is it able to change systems and processes fast enough?
  5. The COSO 2013 update of the Internal Controls – Integrated Framework is an opportunity to revisit a number of issues. One that should be high on the agenda is whether the company is providing decision-makers across the organization, from Strategy-setting to Marketing to Finance to Operations, with the information they need to drive success. This is not just about the deployment of Big Data Analytics because that is just a tool. It is about (a) understanding what information is available and can be used to advantage, (b) obtaining it at speed, and then (c) delivering it everywhere it should be used in a form that enables prompt use and action.
  6. With all the demands on the audit committee, there is a need to re-examine its composition and processes. Do its members have all the experiences and skills necessary to perform with high quality, addressing issues relating to the management of risk, the use of technology, the changing global world, and so on? Should it receive more periodic briefings from experts on these topics? Do its members even have the ability to dedicate the time they need? Are they receiving the information they need to be effective (studies say they do not)?

If the audit committee is spending more than 20% of its precious time on “financial statements, reporting, and internal controls over financial reporting”, something is seriously wrong.

I welcome your comments – especially on these six suggestions.

Drive business results by harnessing uncertainty

February 7, 2015 4 comments

I am very pleased to see new guidance on risk management from Ernst & Young (EY) that recognizes that risk management is not a defensive activity designed only to protect value. It can and should be used to drive business performance and results.

I usually have significant criticism for the consulting and auditing firms when it comes to their risk management guidance, so I was surprised to see so much “good stuff” in their latest.

Drive business results by harnessing uncertainty, appropriately subtitled “Expecting more from risk management”, is important reading for board members, business executives, and risk practitioners.

EY doesn’t say directly that it is not nearly enough to limit risk management to a periodic review of a list of risks (the practice at the majority of risk management functions). But their description of what risk management needs to do and look like makes it clear that they, at least, have moved on.

Here are some excerpts, but I encourage you to read the three-part piece (just click ‘Next’ at the foot of each page to get to the next one).

They start with this commentary:

In an increasingly competitive, fast-paced world, organizations need to continually advance their risk management practices, building on the strong foundation of protection and compliance into an expanded focus on risk factors that impact strategic decision-making and operational performance.

For many global organizations, risk management is still seen as only a high-level compliance exercise to educate the board and audit committee. As a result, there are often no clear lines of sight from the boardroom to the operations themselves.

Risk management approaches need to change to better reflect the dynamics of today’s rapidly evolving global marketplace. What carried companies through in the past is not good enough anymore.

We believe a paradigm shift in risk management is beginning, which is:

  • Tied to the increasingly complex world in which companies now operate
  • Based on the awareness that uncertainty is embedded in (and impacts) everything we do
  • Focused on both capturing upside opportunities as well as protecting the business

EY includes a meaningful list of questions. Here are the first four:

  • Does your company view risk management as a key component in managing business performance?
  • Is there continuity of understanding in the risks associated with your plans and objectives, which carries through from strategic planning to capital allocation and operational execution?
  • In addition to protecting your business, is your risk management providing direct benefit to your growth efforts as well?
  • Is risk management integrated into the “rhythm” of your business processes, versus a later lens or add-on?

They make this key point:

You need [risk management] to become part of the rhythm of the business: meaning within the flow of strategic and business planning, operations, oversight and monitoring that runs from the board to the line.

There are several key business processes, and structural and functional components that make up this rhythm of the business, working together to deliver business value creation. Within these components of the business, we see four basic business process suites:

  1. Strategic oversight and planning — board and executive management level activities
  2. Business level planning/budgeting — management translation of strategies into business plans and allocation of capital
  3. Operational execution — value creating implementation of plans and strategies
  4. Monitoring and compliance — audit and compliance activities

I like their reference to “risk-enabled decision making”. It recognizes that risk is created or modified with every business decision; only when all options are considered, with an understanding of not only the uncertainty that exists as managers make decisions but the uncertainty that will result from the decision, will great decisions be made that drive improved performance and results.

Is this a perfect piece of guidance? No, and much of what it has to say is not new to many risk thought and practice leaders (especially some of the more advanced advocates of the ISO 31000:2009 global risk management standard). However, it is great to see one of the firms talking this way instead of focusing on the “risk du jour” and how important it is for the board to discuss it.

COSO is embarking on an update of their Enterprise Risk Management – Integrated Framework. They should give this document their careful attention. I think its thinking is far ahead of what the current framework promotes; I would like to see the project team and its advisors take careful note of the need to make risk management part of how you succeed rather than how you avoid failing.

What do you think of the piece? How could it have been improved?

What should the audit committee focus on in 2015?

January 31, 2015 1 comment

Every year, the audit firms provide audit committees with their ideas of what the agenda should include in the coming year. Their ideas are usually good, although they typically (and understandably) focus on matters of interest to the audit firms. Each year, I have wondered (and blogged) why they don’t include any discussion of obtaining formal assurance from internal audit on the effectiveness of risk management.

This year, the publication from Deloitte is more interesting than usual. In their Audit Committee Brief, November/December 2014, they ask What’s on your agenda for 2015? They highlight:

  • Effectively managing IT
  • The audit committee report (as filed in the 10-K)
  • Internal controls, in particular the focus by the PCAOB on material weaknesses and the work of the external auditor, as well as the update of the COSO internal controls framework
  • Globalization and its effect
  • Finance talent
  • Anti-corruption
  • Risk oversight
  • Tax considerations

Addressing the risk oversight issue first, Deloitte has made some progress this year. They make the important statement:

“Regardless of who in the company is in charge of risk, the most important consideration is that the company has a clear view of where risk monitoring and related activities are housed and that risk issues are being adequately covered.”

All of the topics in the Deloitte document are food for thought, but none more, in my opinion, than the topic of IT.

While Deloitte understandably focuses exclusively on the negative risk from technology (cybersecurity and so on), they make the excellent point that the audit committee needs to get face time with the CIO. I think it is an excellent idea for the CIO to attend every other audit committee meeting.

Deloitte suggests questions for the audit committee to ask about technology-related risk. I think additional questions should be considered, including:

  • How do you assess and manage business risk relating to technology? Are you engaged with the enterprise risk management process?
  • How much risk is enough and how much is too much?
  • How do you determine how much to invest to address technology-related risks?
  • Are you taking enough risk when it comes to new technology that might advance the business? How do you know? Who do you work with to assess whether and when to deploy new technology?
  • How do you know that the IT function is delivering the value it should to the business?
  • How involved are you with the company’s strategy-setting processes? Is this the right level of involvement?

I welcome your comments.

Hire people who can think

December 13, 2014 14 comments

I am often encouraged by surveys of the attributes executives look for when they hire.

An increasing number recognize that education, certifications, and even experience are insufficient. The so-called soft skills are of critical importance.

The surveys say that hiring managers look for communication skills and an understanding of the business as well as, or even ahead of, what the resume has to say about the candidate.

But I don’t see these attributes rated highly enough:

  • Intelligence
  • Curiosity
  • Imagination
  • The ability and willingness to challenge traditional thinking
  • Leadership

There’s an old story about the candidate who told the hiring manager he had ten years’ experience performing a particular job. After a few questions and answers, the hiring manager observed that “You don’t have ten years’ experience; you have one year, repeated ten times.”

I have been very fortunate over the years to have brought onto my team some exceptionally talented, intelligent, curious, imaginative leaders.

I like to think that I was able to select these stars with an unconventional interviewing technique that enabled me to see whether they would be able to think. This excerpt from World-Class Internal Audit: Tales from my Journey describes my experience and approach.

Too many auditors are trained not to think. They are told to follow an audit program or checklist that somebody else created (in some cases, the checklist may have been developed some years earlier when the environment was different, and in other cases taken from a textbook without specific tailoring for the organization being audited). One of my tasks, as a manager and developer of these people, was to break those chains and insist that they think for themselves.

I had to find a way to assess each candidate’s intellect, curiosity, imagination, and ability to learn during my interviews with them. The standard questioning based on the resume would not work, especially as candidates were generally prepared and trained by the executive recruiter on how to answer such questions.

When I interviewed with the chairman of the Tosco audit committee, Michael Tennenbaum, I learned a lesson in non-traditional interviewing. It didn’t help that I had been told that this brilliant man was eccentric, driving a pink Rolls Royce Corniche to and from his aerie office near Beverly Hills (he was a Vice Chair with Bear, Stearns) and at the age of 74 skied a grand slalom course at Vail. I entered the meeting with the great man already a little intimidated, but I was somewhat prepared for the barrage of questions about why I had twice postponed my interview. He tested my ‘mettle’ and whether I could stand up to him and for myself. (This helped him assess whether I would be able to stand up to management should the need arise.)

I was not ready for the next line of questioning. Instead of asking about my prior experience, he asked me what I read. He explored how my mind worked, whether I was open to new ideas, could work with management and not just be a thorn in their side, and whether I had the intellectual ability to contribute as a direct report to the audit committee and an advisor to top management.

When I interviewed potential new hires, I wanted to obtain the same kind of insights into their mind – brilliant or stale. So, I developed a style of interviewing that many find unusual. It has multiple benefits: in addition to helping assess people’s ability to think, it gets past the barriers created when recruiters train their candidates how to answer questions during an interview because I ask questions they cannot predict.

The essence of the interviewing technique is to help the candidate first become comfortable by asking them questions about their resume and why they have applied. They are ready for this and confident in their replies.

Then, I describe a situation (based on a real life experience that they should understand, at least in principle) and ask how they would approach an audit. If they ask for an audit program, that would conclude the interview. But, if they ask questions to improve their understanding of the underlying risks they would earn points of respect.

It doesn’t matter whether they come up with the same approach that I would take, or even if they overlook an important issue. What matters to me is whether they are able to think through a situation they have never encountered and suggest an audit approach that makes sense and demonstrates that they have an intellect and can use it.

I have been told that candidates are not able to read whether I am satisfied with their answers and whether they are doing well in the interview. But they do say that I make them feel comfortable and stretch their ability to think ‘on the fly’. That is what I am trying to achieve and it seems to have worked well over the years.

In hindsight, I have been blessed to have had the support of some brilliant people over the years. I am very proud of the teams I have led. Of course I have made mistakes and some of the hires didn’t work out as well as I had hoped. But, most of the mistakes occurred when I made the mistake of placing too much trust in an individual’s resume and too little in their intelligence, or placed too much trust in a direct report to hire well without ensuring that they understood how to assess intellect, curiosity, and imagination.

I welcome your comments.

How do you hire?

Why Internal Audit Fails at Many Organizations

December 6, 2014 31 comments

When recent studies by KPMG and PwC indicate that about half of internal audit’s key stakeholders (board members and top executives) believe that internal audit is neither delivering the value it should nor addressing the risks that matter, we have to recognize that internal auditing is failing at many organizations.

With that in mind, a recent PwC publication in its Audit Committee Excellence series, Achieving Excellence: Overseeing internal audit, merits our attention.

My opinion is that while the audit committee members may be assessing internal audit performance as ‘needs improvement’, they should be looking in the mirror. Internal audit reports to them; if it is not performing to their satisfaction, they are either failing to communicate expectations clearly, not demanding the necessary improvements, not providing the critical support they need when management is pulling them in a different direction, not taking actions (such as replacing the CAE) to effect change, or all of the above.

Audit committee members need guidance, and while the IIA does provide some excellent insights from time to time, the audit firms’ publications are often among the first to be read.

The PwC publication makes some very good points but unfortunately demonstrates a limited understanding of internal audit best practices. This could be because it was written by their governance team rather than by their internal audit services leaders. (PwC’s internal audit services arm has produced not only good guidance from time to time, including their State of the Internal Audit Profession series, but also some excellent thought leaders, including the IIA CEO, Richard Chambers.)

Let’s look at what they did well:

“A priority for the audit committee should be empowering the internal audit organization by providing visible support.”

This is an excellent point and PwC describes it well. The audit committee should actively engage internal audit and, by showing its respect for the CAE and his team, promote respect by management.

“Sometimes internal audit crafts an annual plan that leverages its group’s capabilities rather than addressing the company’s key risks. Audit committees will want to be on the lookout for this.”

Another fine point. The audit committee should take responsibility for ensuring that internal audit addresses the risks that matter to the organization.

“Understand whether resource constraints (e.g., restrictions on travel budgets or the ability to source technical skills) have an impact on the scope of what internal audit plans to do. If the impact of any restrictions concerns the audit committee, take steps to help internal audit get the resources it needs.”

The audit committee should ensure that internal audit has an appropriate level of resources, sufficient to provide quality insight and foresight on the risks that matter now and will matter in the near future.

“Audit committees should determine if they are accepting a sub-excellent level of performance and competence in a CAE (and internal audit function) that it wouldn’t be willing to accept for a CFO (or other key role).”

If the CAE is not considered as critical to the success of the audit committee, something is wrong and the audit committee should take action – even if, perhaps especially if, management holds the CAE in high regard while he delivers little of value to the audit committee.

Periodically discuss whether the amount and type of information internal audit reports to the committee is appropriate.

While this is an essential activity, PwC doesn’t get the issue right. The audit committee should ensure it receives the information it needs to perform its responsibilities for governance and oversight of management. That is not a simple matter, as PwC implies, of being succinct in how the CAE presents audit findings.

What did they miss?

  1. The audit committee should ensure that all the risks that matter now and will matter in the near future are getting the appropriate level of attention from internal audit.
  2. The audit committee should challenge any audit activity that is not designed to address a risk that matters.
  3. The audit committee should take a very strong stance that internal audit reports to them and serves their needs first, not those of management. The PwC paper identifies two reporting lines but is wishy-washy on the subject, only saying that “Directors and management should reach consensus on which areas should be internal audit priorities.”
  4. The audit committee should challenge internal audit on how they work with the risk management activity. Where it exists, are they assessing its effectiveness? Are they working effectively with risk management? Do they leverage management’s assessment of risk appropriately?
  5. The audit committee should be concerned about the CAE’s objectivity and independence from undue management influence. Does he have one eye on internal audit and the other eye on his next position within the company?
  6. The audit committee should also ensure that it has an appropriate role in the hiring, performance assessment, compensation, and (where necessary) firing of the CAE.
  7. Finally, but in many ways most importantly, the audit committee should require that the CAE provide them with a formal assessment of the company’s management of risks and the effectiveness of related internal controls.

The publication makes some technical mistakes because the authors are not internal audit practitioners. Can you spot them?

That’s my challenge to you – in addition to welcoming your comments.

The effective audit committee

November 22, 2014 7 comments

A short article in CGMA Magazine, Ingredients of an effective audit committee, caught my eye. I recommend reading it.

I think there are some key ingredients to an effective audit committee that are often overlooked. They include:

  1. The members have to read all the material for the audit committee meeting before the meeting. It’s amazing how often they don’t, which reduces the meeting to absorbing the material rather than a constructive discussion of its implications.
  2. The members have to be ready, willing, and able to constructively challenge all the other participants, including the external and internal auditors as well as financial, operating, and executive management. Too often, they are deferent to the external auditor (for reasons that escape me) and too anxious to be collegial to challenge senior management.
  3. They need a sufficient understanding of the business, its external context (including competitors and the regulatory environment), its strategies and objectives, risks to the achievement of its objectives, and the fundamentals of risk management and financial reporting, to ask the right questions. They don’t need to have a deep understanding if they are willing to use their common sense.
  4. They need to be willing to ask a silly question.
  5. They need to persevere until they get a common sense response.
  6. No board or committee of the board can be effective if they don’t receive the information they need when they need it. I am frustrated when I read surveys that say they don’t receive the information they need – they should be demanding it and accepting no excuses when management is slow to respond.
  7. Audit committee members will not be effective if they are only present and functioning at quarterly meetings. They need to be monitoring and asking questions far more often, as they see or suspect changes that might affect the organization and their oversight responsibilities.

What do you think?

I welcome your comments.

Leveraging the COSO Internal Control Update for Advantage

November 15, 2014 4 comments

PwC, who led the project for COSO that updated the Internal Control – Integrated Framework, have shared 10 Minutes on why the COSO Update deserves your attention.

PwC has taken credit for writing the update – and I am happy to give them the credit, but if they want that then they also have to recognize the limitations.

Personally, I think they have exaggerated the value of the update. For example, they say that the updated version is “applicable to more business objectives”. Frankly, that is nonsense. The 1992 framework could be and was being applied by practitioners (including me) to any and all objectives, including internal financial reporting and all forms of non-financial reporting (contrary to PwC’s views in this latest document).

Nevertheless, I agree with PwC that the update provides an excellent opportunity to revisit both the effectiveness and efficiency of your internal controls.

PwC shares their approach, which I don’t think is correct as it is not risk-based.

Here is mine:

  1. Do you understand the risks to your mission-critical objectives?
  2. Do you have the controls in place to give you reasonable assurance that those risks are being managed at acceptable levels? (If you are concerned about satisfying the new COSO Principles, remember that they can be assessed as present and functioning as long as there are no major weaknesses that indicate that risks are not managed at acceptable levels).
  3. Do you have the right controls? Are they the most effective and efficient combination of controls? Do you have too many (COSO doesn’t ask this question, nor whether you have the best combination of controls)?
  4. As you look at your strategies and plans for the next year or so, do you have to make changes to your internal controls so they can support changes in your business and its operations?

I welcome your views.

Technology, Strategy, Cyber, and Risk

November 8, 2014 2 comments

How do you assess the risk of missing the opportunity to leverage disruptive technology?

Does being on the “bleeding edge” still scare you?

Are you so scared of cyber risk that you are rooted in place?

With incredible advances in technology coming at us from all sides, the potential for organizations to offer new products and services, as well as make dramatic improvements in how they run the enterprise, is huge.

Yet, each of these new technologies also introduces new risks that are of concern to information security, risk, and assurance professionals.

I am concerned that organizations are not prepared to survive, let alone thrive, in this environment.

I want to share some questions for your consideration, but let’s look first at one new technology that is emerging as disruptive to manufacturing and other sectors: additive manufacturing, commonly known as 3-D printing. These two sites explain some of the potential:

For most of us, 3-D printing is something from the world of science fiction or TV series. But, it is real and it is now.

Do you think every organization that could be affected by this technology has taken the necessary steps to determine how it should affect their organizational objectives and strategies? Do they even know how it could affect them?

My questions:

  1. Is your organization monitoring new technology and able to identify how it could affect your organization?
  2. Do you know what your competitors may be doing with it?
  3. Do you know what other organizations are doing or planning to do that might turn them into competitors (think Apple and Rolex)?
  4. Are the right people thinking about how the technology could affect your organization?
  5. Do they have the ability to come up with ways to use the technology that are novel and different from others?
  6. When new technology is considered, does your organization have reliable processes to assess related risks?
  7. Is the voice of risk heard – and understood?
  8. Is your organization prepared to take the risks necessary to succeed?
  9. Do you understand the risk of not taking the risk?
  10. Is your organization sufficiently agile to cast old ideas aside and seize the opportunities?
  11. Is your organization willing to wait when the (adverse) risk exceeds the opportunity?
  12. Do your information security, risk management, internal audit, and other assurance providers steer you to take the right risks or are they only a drag, pointing out the negative?

Do you agree with this list? What would you change?

I welcome your comments.

Information Security and Risk

October 24, 2014 4 comments

Should information security (or cyber, if we follow the latest fad) be based on risk? What is that risk: is it risk to the information or other IT resources, or is it risk to the business?

I congratulate John Pironti and Dark Reading for the intelligent perspective in a short video interview.

Two points stand out for me:

  1. The investment in information security/cyber should be based on the risk to the business and the achievement of business objectives.
  2. Information security professionals need to talk to the business in the language of the business – which is risk and performance. That means that the CISO and team need to understand the business objectives and how a failure in cyber might impair the ability to achieve them.

Information security professionals will be able to get and retain the attention of executives when they are able to explain how investments in information security help managers and the business as a whole succeed.

While information security professionals should continue to advance their understanding of technical issues, most need to upgrade their understanding of the business and business risks. Risk management guidance, such as the ISO 31000:2009 global risk management standard, should be required reading in addition to business and technical journals.

I welcome your comments.

Leading the 21st century organization

October 6, 2014 1 comment

I have been a fan of Tom Peters (author of “In Search of Excellence” and many more books) for more than 20 years.

While CAE at Tosco Corporation, I attended a presentation by him on something he called Wow! The concept, which I not only wrote about for the Internal Auditor magazine in 2001 but tried to incorporate into my internal audit practice, is to turn every project into something that you would tell your grandchildren about (Wow! indeed).

Tom is now 71 but hasn’t slowed down. He is amazingly active: presenting all over the world, writing books, and on Twitter (where we interact from time to time).

Recently, he was interviewed by McKinsey and I recommend reading the full piece. Here are some excerpts.

“My real bottom-line hypothesis is that nobody has a sweet clue what they’re doing. Therefore you better be trying stuff at an insanely rapid pace. You want to be screwing around with nearly everything. Relentless experimentation was probably important in the 1970s—now it’s do or die.”

“…the secret to success is daydreaming.”

“If you take a leadership job, you do people. Period. It’s what you do. It’s what you’re paid to do. People, period. Should you have a great strategy? Yes, you should. How do you get a great strategy? By finding the world’s greatest strategist, not by being the world’s greatest strategist. You do people.”

“We’re in the big-change business, aren’t we? Isn’t that the whole point? I mean, any idiot with a high IQ can invent a great strategy. What’s really hard is fighting against the unwashed masses and pulling it off—although there’s nothing stupider than saying change is about overcoming resistance. Change is about recruiting allies and working each other up to have the nerve to try the next experiment. You find allies. You encircle the buggers.”

“I’m more than willing to say that today’s two year old is going to deal with his or her fellow human beings differently than you or I do. But the reality is it’s 2014, not 2034, and I would argue that for the next 20 years, we’re still safe believing in the importance of face-to-face contact. I’m not arguing against virtual meetings, but I’m telling you that if I’m running IBM, I want to be on the road 200 days a year as much in 2014 as in 2004 or in 1974. It has nothing to do with the value of the tools, but I’ve got to see you face to face now and then; I don’t think I can do it all screen to screen.”

“At some deep level, people are people, and so I believe passionately that there is no difference between leading now and leading then. What I certainly believe is that anybody who is leading a sizable institution who doesn’t do what I did and take a year off and read or what have you, and who doesn’t embrace the new technology with youthful joy and glee, is out of business.”

This last is 100% consistent with the quote from another McKinsey Quarterly issue I used in Management for the Next 50 Years:

“Those who understand the depth, breadth, and radical nature of the change and opportunity that’s on the way will be best able to reset their intuitions accordingly, shape this new world, and thrive.”

Do you agree?

Management for the next 50 years

October 3, 2014 3 comments

An article in McKinsey’s Quarterly Journal that I strongly recommend is on the topic of Management intuition for the next 50 years. My only quibble is that the title implies that there is time to act; I believe organizations that prepare now for the changes described in the article will thrive immediately and their competitive advantage will grow in the next decade, let alone 50 years.

I recommend a careful read of the entire piece. Here are some key excerpts to whet your appetite (emphasis added):

“We stand today on the precipice of much bigger shifts…., with extraordinary implications for global leaders. In the years ahead, acceleration in the scope, scale, and economic impact of technology will usher in a new age of artificial intelligence, consumer gadgetry, instant communication, and boundless information while shaking up business in unimaginable ways. At the same time, the shifting locus of economic activity and dynamism, to emerging markets and to cities within those markets, will give rise to a new class of global competitors. Growth in emerging markets will occur in tandem with the rapid aging of the world’s population—first in the West and later in the emerging markets themselves—that in turn will create a massive set of economic strains.”

“Any one of these shifts, on its own, would be among the largest economic forces the global economy has ever seen. As they collide, they will produce change so significant that much of the management intuition that has served us in the past will become irrelevant. The formative experiences for many of today’s senior executives came as these forces were starting to gain steam. The world ahead will be less benign, with more discontinuity and volatility and with long-term charts no longer looking like smooth upward curves, long-held assumptions giving way, and seemingly powerful business models becoming upended.”

The article discusses three key trends while acknowledging that there are many more:

  • Dynamism in emerging markets
  • Technology and connectivity
  • Aging populations

This is what it says about technology and connectivity:

“As information flows continue to grow, and new waves of disruptive technology emerge, the old mind-set that technology is primarily a tool for cutting costs and boosting productivity will be replaced. Our new intuition must recognize that businesses can start and gain scale with stunning speed while using little capital, that value is shifting between sectors, that entrepreneurs and start-ups often have new advantages over large established businesses, that the life cycle of companies is shortening, and that decision making has never had to be so rapid fire.”

I think this is very well said! They go on to say:

“Emerging on the winning side in this increasingly volatile world will depend on how fully leaders recognize the magnitude—and the permanence—of the coming changes and how quickly they alter long-established intuitions.”

“It will be increasingly difficult for senior leaders to establish or implement effective strategies unless they remake themselves in the image of the technologically advanced, demographically complex, geographically diverse world in which we will all be operating.”

“Technology is no longer simply a budget line or operational issue—it is an enabler of virtually every strategy. Executives need to think about how specific technologies are likely to affect every part of the business and be completely fluent about how to use data and technology…… Technological opportunities abound, but so do threats, including cybersecurity risks, which will become the concern of a broader group of executives as digitization touches every aspect of corporate life.”

“New priorities in this environment include ensuring that companies are using machine intelligence in innovative ways to change and reinvent work, building the next-generation skills they need to drive the future’s tech-led business models, and upskilling and retraining workers whose day-to-day activities are amenable to automation but whose institutional knowledge is valuable.”

McKinsey closes with a reiteration of the problem that is also an opportunity for those prepared to take the risk and embrace the need for change:

“Those who understand the depth, breadth, and radical nature of the change and opportunity that’s on the way will be best able to reset their intuitions accordingly, shape this new world, and thrive.”

I welcome your comments.

Auditing Risk Appetite

September 27, 2014 9 comments

Regulators around the world are calling for organizations to establish a risk appetite framework. This is primarily for financial services organizations and especially their financial-related risks. But some are extending the idea to organizations in other sectors and for non-financial risks.

The regulators have not heard the risk experts who disparage the concept of risk appetite. While I agree that it is a flawed concept, we have to recognize that it is a required practice for many and should find a way to address related regulations.

What is risk appetite?

In 2013, The Financial Stability Board (FSB) published “Principles for an Effective Risk Appetite Framework” (intended to apply only to financial services organizations) in which it included a number of definitions:

Risk Appetite: The aggregate level and types of risk a firm is willing to assume within its risk capacity to achieve its strategic objectives and business plan.

Risk Appetite Statement: The articulation in written form of the aggregate level and types of risk that a firm is willing to accept in order to achieve its business objectives. It includes qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures, liquidity and other relevant measures as appropriate. It should also address more difficult to quantify risks such as reputation and money laundering and financing of terrorism risks, as well as business ethics and conduct.

Risk Appetite Framework (RAF): The overall approach, including policies, processes, controls, and systems through which risk appetite is established, communicated, and monitored. It includes a risk appetite statement, risk limits, and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the firm, as well as to the firm’s reputation vis-à-vis policyholders, depositors, investors and customers.

The FSB document includes some useful language (emphasis added):

“An effective RAF should provide a common framework and comparable measures across the firm for senior management and the board to communicate, understand, and assess the level of risk that they are willing to accept. It explicitly defines the boundaries within which management is expected to operate when pursuing the firm’s business strategy. Firms that implement a RAF most effectively are those that incorporate the framework into the decision making process and into the firm-wide risk management framework, and communicate and champion the framework throughout the organisation, starting from the top. However, it is important to check that the ‘top down’ risk appetite is consistent with the ‘bottom up’ perspective. The assessment of a firm’s consolidated risk profile against its risk appetite should be an ongoing and iterative process. Implementing an effective RAF requires an appropriate combination of policies, processes, controls, systems and procedures to accomplish a set of objectives. The RAF should enable risk capacity, risk appetite, risk limits, and risk profile to be considered at the legal entity level as well as within the group context. As such, an effective and efficient RAF should be closely linked to the development of information technology (IT) and management information systems (MIS) in financial institutions.”

The FSB recognized that while it is useful for management to propose and the board to approve “aggregate level[s] and types of risk a firm is willing to assume”, real value is not obtained unless every risk-taker (which amounts to every decision-maker) understands how these limits apply to their actions and responsibilities – and acts accordingly. The FSB guidance includes these among the requirements for “business line leaders and legal entity-level management” (emphasis added):

“a) ensure alignment between the approved risk appetite and planning, compensation, and decision-making processes of the business unit and legal entity;

“b) cascade the risk appetite statement and risk limits into their activities so as to embed prudent risk taking into the firm’s risk culture and day to day management of risk;

“c) establish and actively monitor adherence to approved risk limits;”

The most significant problem with this notion is that it is impossible to define every risk that decision-makers might take in the course of running the business, especially when risks are changing constantly and what the business should accept also changes as business conditions change.

Fortunately, the FSB looks to internal audit to ensure that the RAF meets the needs of the organization and is not a static document that is meaningful only to the board.

The FSB publication includes requirements for internal audit to assess the RAF. They say that “internal audit (or other independent assessor) should (emphasis added):

“a) routinely include assessments of the RAF on a firm-wide basis as well as on an individual business line and legal entity basis;

“b) identify whether breaches in risk limits are being appropriately identified, escalated and reported, and report on the implementation of the RAF to the board and senior management as appropriate;

“c) independently assess at least annually the design and effectiveness of the RAF and its alignment with supervisory expectations;

“d) assess the effectiveness of the implementation of the RAF, including linkage to strategic and business planning, compensation, and decision-making processes;

“e) validate the design and effectiveness of risk measurement techniques and MIS used to monitor the firm’s risk profile in relation to its risk appetite;

“f) report any deficiencies in the RAF and on alignment (or otherwise) of risk appetite and risk profile with risk culture to the board and senior management in a timely manner; and

“g) evaluate the need to supplement its own independent assessment with expertise from third parties to provide a comprehensive independent view of the effectiveness of the RAF.”

This is useful for anybody who wants to audit risk management, even if for a non-financial institution.

I translate all of the above to answering these questions:

  1. Do those responsible for taking risks, whether in the executive suite or in the trenches of the organization, have the guidance they need to ensure that risks they are creating and/or managing are maintained at levels acceptable to the board? This should include both the mitigation of excessive adverse risk and addressing situations where insufficient risk is taken (e.g., where a manager is overly cautious to the detriment of the organization).
  2. Is that guidance updated and communicated as business conditions (internal and external) change?
  3. When management proposes and the board approves strategies, plans, objectives, and similar, is appropriate consideration given to risks to those strategies and objectives?
  4. Is necessary and appropriate risk information (including the results of risk monitoring) provided to the board, executives, and other managers so they can effectively direct and manage the organization?
  5. Are exceptions appropriately reported and addressed?
  6. Is performance management (especially reporting) adequately integrated with risk management, and are those responsible for driving performance against objectives also held responsible for addressing risks to those objectives?

That ‘guidance’ could be in the form of a risk appetite statement (or similar) as envisaged by the FSB and described in COSO’s ERM – Integrated Framework, or in the form of risk criteria as required by the global risk management standard, ISO 31000:2009.

What I especially like about the FSB list of questions (and reflected in mine) is that it recognizes that mere compliance with an RAF is an insufficient audit approach; it is critical to assess whether it is current, timely, communicated broadly, and meets the needs of the business.

I welcome your comments.

Leaders of internal audit should never be satisfied

September 12, 2014 7 comments

If you think you are world-class, it is time for you to consider change.

Our organizations and the risks they face are changing constantly and the pace of change is increasing.

Jack Welch once said: “If the rate of change on the outside exceeds the rate of change on the inside, the end is in sight.”

We should never be satisfied with where we are today, as this represents a risk that we will not be sufficiently agile to deal with risks tomorrow.

Here are a couple of excerpts from my book, World-Class Internal Audit: Tales from my Journey. The first is on the need for change:

OK, you and your team have been recognized as adding huge value and being world-class.

Do you stop there, confident and happy in your success?

No. What is world-class for your organization today may be insufficient for tomorrow.

The CAE should have a thirst for change and growth. Learn not only from other internal audit leaders and what they do well. Learn from leaders of other organizations entirely, like Marketing and Sales.

I like to read magazines like Fast Company because they profile innovative and creative thinkers in all walks of life. Maybe what works for them could, with some tailoring, work for me. At least it might stimulate me to think about something I had never thought about before. It might stimulate me to challenge what had worked for me in the past.

Innovative leaders think outside the box. They create something that excels and they love it. They love it so much it becomes a box for them and limits their ability to discard it in favor of something new.

We should not only think out of the box, but stay out of the box, and kick it as soon as somebody builds one.

This is what I had to say about the future of internal audit:

Internal audit has made great strides since I first became a CAE in 1990.

We have moved the edge of the practice from controls auditing to assurance over governance, risk, and control processes.

The majority of CAEs now report directly to the audit committee with functional reporting to at least the CFO if not the CEO.

But that leading edge is a thin one.

Far too few internal audit departments assess and provide assurance on the effectiveness of risk management.

Even fewer consider the risks of failures in governance programs and processes and include related engagements in their audit plan.

As I travel around the world, talking to internal auditors from Malaysia to Ottawa, I find a consistent pattern of growth. But, there remain pockets where the internal auditor is only there so that management can “check the box”. This seems especially true in government (from local to national), where internal audit departments are upgraded or disbanded based on politics – a concept I find abhorrent in what should be an independent and objective function.

Part of the problem is that audit committees don’t understand the potential of internal audit – and too many CAEs are not educating them. So, they don’t demand more and too many CAEs are satisfied doing what is expected without trying to change and upgrade those expectations.

Still, I expect that internal auditing practices will continue to improve. Organizations need them, as PwC says, to move to the “next platform” and provide assurance that is not just about what used to be the risks, but what they are now and will be in the near future.

Our business environment is becoming more complex, more dynamic, and changing at an accelerating speed. I expect that internal audit leaders will rise to the challenge.

Those that do will create a competitive advantage for their organizations.

Does your internal audit department need to change? Is it able to deliver world-class products and services that represent a competitive advantage for the organization? Do you help them increase the likelihood and scale of success?

Are you ready to adapt to tomorrow’s challenges?

I welcome your comments.

Auditing Forward

September 6, 2014 13 comments

One of the new Core Principles for the Professional Practice of Internal Auditing proposed by the IIA’s Exposure Draft (if you haven’t seen it, read it, and responded, please do so) is:

  1. [Internal Audit is] insightful, proactive, and future-focused.

The last two adjectives, proactive and future-focused, translate to internal audit “auditing forward”.

This is an expression I only heard for the first time this year. It may have been one of the other members of the IIA Task Force that used it; but whoever said it, it resonated with me.

I have a chapter on “Auditing Forward” in my book on World-Class Internal Auditing and the best way for me to explain my thinking is through excerpts.

I assess my effectiveness as CAE by my ability to prevent internal control or risk issues when I can, rather than identify them (and find fault) when they already exist and represent an obstacle to organizational success.

If you are familiar with the CSI TV series, you can imagine a crime scene investigator entering a room and telling a detective “you have a dead body”. If I can, I prefer to be working with management to ensure there are reasonable controls that would prevent a dead body.

That means a couple of things: seeing the value of internal audit as helping improve risk management and controls, and “auditing forward”.

“Auditing forward” means being involved in new initiatives and projects [such as a pre-implementation controls review of a new IT system], providing consulting advice that helps management implement a reasonable level of controls and security.

It means seeing our success as linked to the success of management. If management implements a new system without sufficient controls or security, when we had an opportunity to warn them, it reflects as a failure on our part. Either we failed to identify the issue, to persuade management it was important, or to work with them on corrective actions that addressed the problem.

………………………………………………………………………………………….

“Auditing forward” also means auditing the risks that impact today and tomorrow, not limiting your focus to what has happened in the past.

Is there value in somebody telling you that the road in front of the house you lived in last year is being repaired? You only want to know about road conditions where you are likely to drive now or in the future.

In the same way, internal audit needs to provide assurance and consulting advice on the risks of today and tomorrow. Telling management what has been a problem in the past has some limited value, but only to the extent that those conditions continue to exist and similar problems may continue into the future.

Wayne Gretzky’s father advised him to “skate where the puck’s going, not where it’s been”.

Internal auditors need to take this advice to heart and audit where the risk is going to be, not where it has been.

That requires:

  1. Being sufficiently agile to change the internal audit plan as risks and business conditions change; and,
  2. Knowing that risks and business conditions are changing.

………………………………………………………………………………………….

Business leaders and the board like it when internal auditors talk about the business using the language of the business; when we can demonstrate that we understand what the company is doing and where it wants to go; and, where we can show that our work is directed to helping them succeed – arriving safely where they want to go.

Do you “audit forward”?

I welcome your views and comments.

Dynamic, iterative, and responsive to change

August 23, 2014 4 comments

One of the principles for effective risk management in the ISO 31000:2009 global risk management standard is that risk management should be “dynamic, iterative, and responsive to change”.

I really like that. It captures a number of key ingredients for the effective management of uncertainty and risk.

“Dynamic” implies that risk management operates at the speed of the business. It is far more than the occasional, even if regular, assessment of a list of so-called top risks. “Dynamic” is when the consideration and management of risk is part of the fabric of the organization, and an element in daily decision-making and operations of the organization. It is active and essential.

“Iterative” is about a reliable set of processes and systems for identifying, assessing, evaluating, and treating risk. It means that when management makes decisions, based in part on risk information, there are proven processes and the information is reliable.

Finally, “responsive to change” is essential when risk changes at speed. Every day there is a potential surprise, a new or changed situation to which the organization should at least consider responding. It could be a shift in exchange rates, a change in the government of a nation where you do business, a flood that affects the supply of a critical component, the decision in a court case that affects you directly (because you are a party) or indirectly (because it creates a new interpretation of a regulation with which you must comply), the loss of a key customer, a new product from a competitor, the loss of a key employee, and so on.

Stuff happens and it changes or creates risk.

The organization must be responsive to change, nimble and agile in modifying strategy and execution.

All of this applies not only to risk management but also to internal audit (and to finance and the rest of the organization, in truth).

Is your internal audit function “dynamic, iterative, and responsive to change”?

For that matter, do IT, Finance, Operations, and so on meet the principle behind that phrase?

Or are they slow, scattered, and stubbornly reluctant to change?

Is that a risk to which we must respond?

I welcome your comments.

Where is internal audit world-class?

August 17, 2014 20 comments

A conversation I just had with Michael Corcoran left me wondering which companies have now, or have had in the past, what one might consider “world-class” internal audit departments.

My personal view is that the CAE is the last person to say his or her internal audit department should be considered world-class.

Instead, that designation should only be awarded by members of the audit committee or top executives (although I am not sure I would give as much credence to the opinion of a CFO who wants IA to focus on financial and compliance risks).

I would allow members of the audit team to make the award based on what they hear from senior operational executives.

As a former CAE, I am going to hold to my word and not name any of my prior teams. If they want, they can speak for themselves.

So, please use the comments to identify the IA departments you think are world-class and why.

SEC and SOX plus COSO 2013 News

August 16, 2014 4 comments

I want to share two situations/reports. The first relates to SOX, the second to COSO 2013.

 

SEC Charges SOX 302 Violation

On July 30th, the SEC published a press release “SEC Charges Company CEO and Former CFO With Hiding Internal Controls Deficiencies and Violating Sarbanes-Oxley Requirements”.

Here are the key points in the SEC’s remarks:

The Sarbanes-Oxley Act of 2002 requires a management’s report on internal controls over financial reporting to be included in a company’s annual report.  The CEO and CFO must sign certifications confirming they’ve disclosed all significant deficiencies to the outside auditors, reviewed the annual report, and attest to its accuracy.

The SEC’s Enforcement Division alleges that CEO Marc Sherman and former CFO Edward L. Cummings represented in a management’s report accompanying the fiscal year 2008 annual report for QSGI Inc. that Sherman participated in management’s assessment of the internal controls.  However, Sherman did not actually participate.  The Enforcement Division further alleges that Sherman and Cummings each certified that they had disclosed all significant deficiencies in internal controls to the outside auditors.  On the contrary, Sherman and Cummings misled the auditors – chiefly by withholding that inadequate inventory controls existed within the company’s Minnesota operations.  They also withheld from auditors and investors that Sherman was directing and Cummings participating in a series of maneuvers to accelerate the recognition of certain inventory and accounts receivables in QSGI’s books and records by up to a week at a time.  The improper accounting maneuvers, which rendered QSGI’s books and records inaccurate, were performed in order to maximize the amount of money that QSGI could borrow from its chief creditor.

According to the SEC’s orders, Sherman and Cummings signed a Form 10-K and Sherman signed a Form 10-K/A each containing the false management’s report on internal controls over financial reporting.  And each signed certifications required under Section 302 of the Sarbanes-Oxley Act in which they falsely represented that they had evaluated the report and disclosed all significant deficiencies to the auditors.

What is new is that the executives were found to have violated not only the annual Section 404 requirement that the SOX compliance program is generally focused on, but the quarterly Section 302 certification process.

I have been warning, in both my SOX book for the IIA and in my training classes, that ‘one of these days’ somebody would be charged with a Section 302 certification violation. In my conversations with the SEC when I was writing my SOX book for the IIA, they indicated that Section 302 violations were a future rather than a current focus.

But here they are now.

In the Section 302 certification, the CEO and CFO personally sign, and are therefore liable for, the following statements:

“The registrant’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and ICFR (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:

  • Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
  • Designed such internal control over financial reporting, or caused such ICFR to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
  • Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
  • Disclosed in this report any change in the registrant’s ICFR that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and

“The registrant’s other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant’s auditors and the audit committee of the registrant’s board of directors (or persons performing the equivalent functions):

  • All significant deficiencies and material weaknesses in the design or operation of ICFR which are reasonably likely to adversely affect the registrant’s ability to record, process, summarize and report financial information; and
  • Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal control over financial reporting.”

In the book, I say:

“…. prudence suggests that management:

  • Has a reasonably formal, documented process for making the quarterly assessment that is included in the 10-Q and supports the Section 302 certifications.
    • This can be included in the activities of the company’s disclosure committee, which most of the larger companies have established.
    • The process should include the assessment of all internal control deficiencies known to management, including those identified not only during management’s assessment process but also by either the external auditors in their Sarbanes-Oxley work or by internal audit in its various audit activities.
    • The system of ICFR must provide reasonable assurance with respect to the quarterly financial statements and the annual statements. The quarterly assessment is against a lower — typically one quarter the size — determination of what constitutes “material”.
    • The process and results should be reviewed and discussed with the CEO and CFO to support their Section 302 certifications.
  • Confirms that the external auditors do not disagree with management’s quarterly assessment.
  • Understands ― which requires an appropriate process to gather the necessary information ― whether there have been any major changes in the system of internal control during the quarter. A major change can include improvements and degradations in the system of internal control. While Section 302 only requires the disclosure in the 10-Q of a material weakness and the communication to the audit committee of a material or significant deficiency, the correction of a significant deficiency may be considered a major change and, if so, should be disclosed.”

Question: Have you discussed with and obtained guidance from your legal team whether a potential material weakness identified by your periodic SOX testing means that the CEO and CFO should not say, in their current quarter Section 302 certification, that the disclosure controls are effective?

 

Mapping of Controls to COSO 2013 Principles is Wrong

I am still trying to get information on what the major auditing firms are telling clients about COSO 2013.

I was able to get on a call with a Deloitte practice partner and one of the SOX/COSO leaders in the Deloitte head office.

It was refreshing to hear that they understand that the top-down and risk-based approach mandated by PCAOB Auditing Standard Number 5 remains at the heart of the firm’s approach.

The head office leader made a comment that I like very much.

She said that many registrants are trying to map all their (key) controls from 2013 to one or more of the COSO principles.

This is wrong.

There is no such requirement, nor is it useful.

What is needed is to demonstrate which controls are being relied upon to support management’s determination whether the principles are achieved.

I cover this in detail in the SOX book and in my SOX Master Class training. Basically, my approach is to determine how a failure to achieve a principle might raise the level of risk of a material error or omission above acceptable levels; we then identify the key controls that will be relied upon to address such risks. Where the risk is assessed as low, management’s self-assessment of the controls may be sufficient.

Unfortunately, I know of at least one Deloitte senior manager who doesn’t understand.

I wonder how many other external audit teams are ‘requiring’ that companies do more than is necessary.

Please share through comments or private email to me at nmarks2@yahoo.com.

 

I welcome your insights and observations.