The biggest mistake of my long career

I have made many mistakes over the years. I am very human.

The one that I consider my greatest mistake was at Solectron, where the situation as I joined was far more fluid than I had been told.

During the interview process for the vice president of internal audit, I met with many people. They included the CFO, Corporate Controller, VP Tax, VP Treasurer, and the CEO as well as the chair of the audit committee. I liked them all and the interviews were excellent.

The CEO, Ko, was very welcoming and we had an excellent wide-ranging conversation. It was less an interview than a discussion of many topics. He told me stories, and I listened and learned from this dynamic individual who had taken the company to great heights. It not only dominated the industry (contract electronics manufacturing) but had won two Malcolm Baldrige awards for quality.

Ko told me that I could stop by anytime and lent me a book to read.

As you might expect, the position was to report functionally to the chair of the audit committee and administratively to the CFO – a lady I liked and respected.

But things changed even as the interviews were proceeding.

The day that I joined, I found out that the CFO had delegated my reporting to one of his direct reports. Within a week, during which I saw neither the CFO nor her delegate, I heard that the CFO had been moved into a new role overseeing mergers and acquisitions. A new CFO was to be appointed.

I met him the next week and received a shock. He instructed me that I did not report to the audit committee, but to him alone. Later, the audit committee chair told me he was not going to dispute that change.

I stayed with the job, although I did start looking without success.

The next shoe to drop was the termination of the CEO!

My new CFO boss told me that I was forbidden to talk to the new CEO. I could only talk to him, and he would discuss anything with the CEO.

That is when I made my mistake. I should have insisted on access to the CEO. I have no idea whether he would have tried to fire me (probably), but I should not have given in so easily. (Again, the audit committee chair was of no use.)

Did it hurt? Probably, as I never had a good relationship with the CFO. He never interfered with my audit process or reporting, but when I had a serious issue to discuss with the board he refused to allow me to meet first with the CEO.

I can only speculate that if I had met with the CEO (apart from the few times I ran into him and exchanged a few words), things might have changed.

In my other positions, I not only had free access to the CEO but built a solid relationship with him – to the point that I maintained contact with them after I left those companies.

Why am I sharing this story? It’s to make sure others don’t repeat my mistake.

Get to know the CEO. They can be a great source of insight that will help you in audit planning and reporting. They can also help you in other situations within the enterprise.

What has been your experience?

Why do we write audit reports? Are they necessary?

I apologize in advance to all my friends who make a living (at least in part) by helping people write what they believe are “effective” internal audit reports.

Every so often, we should challenge everything we do, but today I am focusing on internal audit reports.

After all, does the General Counsel write a report after every review they perform of a contract? Does the CIO write a report after a project is completed? In fact, are there any other functions within an organization that feel the need to write as many and as detailed reports as we do?

There are several possible answers. Let’s discuss some of the more obvious ones.

1. We have always written audit reports. It’s what we do.

This should never be our answer. We don’t accept an answer like this from management during an audit, do we. There has to be a reason based on the value to our customers in management and on the board.

2. We are required to write audit reports by IIA Standards.

This is a very weak argument. We should never do something just so we can say we comply/conform with the IIA’s Standards. There has to be at least as much value to our customers as it costs us in scarce resources. Remember that every hour on an audit report is an hour not auditing or providing advice on a risk that matters. It’s not as if we are going to get sued or fired (with very rare exceptions) for not writing an audit report.

In fact, let’s have a careful look at the new Global Internal Audit Standards:

Standard 11.3: The chief audit executive must communicate the results of internal audit services to the board and senior management periodically and for each engagement as appropriate.

Standard 15.1: For each engagement, internal auditors must develop a final communication that includes the engagement’s objectives, scope, recommendations and/or action plans if applicable, and conclusions.

Note that it requires a “communication” rather than a “report”. Now I believe Standard 15.1 goes much too far when it dictates what must be included in the communication. It’s a rule when the Standards should be principle-based. In 20 years as a CAE, I would not permit my team to have a section on the engagement “objectives”, and the “scope” would either be described in the title of the final communication or in the first sentence. (Yes, we provided reports, but they were short e-mails with attachments. What our customers needed to know was shared in a half-page email and they could read the attachments for more if they needed.)

3. Management and the board expect a report.

Maybe they do because that is what they are used to. But is it what they need? Do they understand that there are options?

Are they reading them out of duty or because they need the information to do their jobs?

In fact, I would bet that the majority of senior managers (and even many if not most board members) don’t read the entire report.

1. At Home Savings, the President had his assistant read them and highlight what he needed to know. She would tell him and maybe, only maybe, he would read the report.
2. At Tosco, the President used the audit reports to prop his door open. (This was before I joined and talked to him about what he needed.) He relied on his direct reports to tell him if there was anything he needed to know.
3. At Solectron, the COO did essentially the same. He didn’t have a door (just cubicles), but he didn’t read the audit reports. (He left soon after I joined, and the new President did read my much shorter and concise communications.)

If the reports contain information they need, do they also contain information they don’t need? What can we eliminate to stop wasting their (and our) time?

4. The regulators require an audit report.

Do they? Again, aren’t they looking for evidence that a source of risk has been audited and the results communicated with management? Is the traditional audit report the only form of evidence we have? I hope not! Maybe we should talk to them and agree on expectations.

5. The reports drive action. It’s how we get management to address issues and make changes.

An audit report is a very poor way of persuading management to make a change.

If you haven’t persuaded them when you met and talked about the issues and the risks they represent, why should you think an audit report will be more persuasive?

Remember, we are expected to discuss potential issues as they arise during the course of the audit, agree on the facts, their implications, and what should be done by who and when.

Remember also that all of this should be discussed and confirmed during the closing meeting.

So who needs persuading?

6. The report documents the corrective actions that will be taken.

Is it needed just for that? Isn’t there a better way, such as writing a memo to confirm what was agreed at the closing meeting?

7. The audit report demonstrates our value. It shows we did a thorough job of high quality.

If you need to write an audit report to justify your existence….

So why should we write audit reports?

Is there a good reason based on the value to the organization and our customers in management and on the board?

We need to provide them with the information they need, when they need it, in a concise form that is actionable and easy to consume. We don’t need to provide them with more, making them figure out what matters and what doesn’t.

Let’s not hide our gold nuggets in a haystack of trivia.

Do you know what they need? Have you discussed and agreed on it with each customer?

As a generality, they need to know:

1. Are there any serious issues that threaten our success and that need to be addressed promptly?
2. Is there anything I need to do myself?
3. Is there anything I should make sure my team are doing? Is there anything I should monitor?

Maybe you need to write a report. Maybe you don’t.

Maybe you only need to write a memo that confirms what was discussed at the closing meeting.

Maybe you can rely on regular quarterly meetings with senior managers and the board where you share and discuss the information they need.

Maybe you have more open discussions with senior management after each audit – maybe not after every audit, but after a few or when there are serious issues.

But you need to know what information they need and when.

You need to have a valid business reason for any and all communications.

Don’t waste their time or yours. When they know that you are only bothering them and asking for their precious time when it’s important, you will have greater credibility and trust.

But help them do their job with the assurance, advice, and insight they need from you when they need it.

Free book for a limited time

In celebration of my novel being published and getting several nice reviews, I am pleased to announce that the Kindle version of World-Class Internal Audit: Tales from my Journey will be free between May 6th and 10th. 

This is how the novel, Mystery in (garbled), is described on Amazon:

In Norman Marks’ second novel, Daniel is kidnapped off the streets of Chicago and taken to a strange world where the main characters have taken on the personas of famous actors from old movies.

In order to get back home, he is told he has to save their business from a competitor that has stolen their technology. If he fails, the violent people who took him will probably kill him.

Along the way, he meets a peace-loving people, the original inhabitants of this odd place. His captors invaded their world by force, and they are now servants and slaves. One is a beautiful young lady of indeterminate age who captures his imagination.

Enjoy!

It’s Time to Ditch the Annual Audit Plan

So says Hal Garyn in his latest article for Internal Audit 360⁰.

I agree.

Both Richard Chambers and I have been preaching that we should “audit at the speed of risk”, as well as at the speed of the business, for a long time. In fact, my last internal audit book was Auditing at the Speed of Risk with an Agile, Continuous Audit Plan (rated 4.4/5 on Amazon) and Richard wrote The Speed of Risk: Lessons Learned on the Audit Trail.

Hal explains it very well and if you haven’t already seen his piece, rush to read it!

He clearly agrees with what I said in the description of my book:

We need to stop auditing the past and turn towards auditing what matters today and will matter in the future.

This new book by Norman Marks, globally recognized as one of the most influential thought leaders in internal auditing, builds on his previous publication, Auditing that Matters

(rated 5 stars on Amazon). It explains the value and practice of updating the audit plan continuously.

Risks and business conditions change all the time, so an annual plan or even one that is updated quarterly, won’t lead to auditing what matters today. You audit what used to matter.
We need to audit at the speed of risk and the business.

That requires making sure you understand changes in risk and the business as they happen, anticipate the risks the business and its leaders will face in the coming period, and update the audit plan accordingly.

Rather than an audit plan that is annual, semi-annual, or even quarterly, it needs to be updated on a far more continuous basis – at the speed of risk. A rolling audit plan that reflects what should be audited now and soon helps an internal audit activity remain both relevant and valuable.

Norman Marks dives into practical guidance on risk assessment, what should be in the audit plan, how to communicate it, and more.

He shares detailed examples of audit plans from three of his companies, as well as many stories about specific situations and how the continuous approach led to audits that delivered huge value to executives and the board.

Norman was privileged to have a review board of distinguished practitioners and leaders of the profession, who made sure this book will lead internal auditors towards the goal of world-class performance.

Hal has some solid suggestions on how to move to a continuously updated plan:

1. Establish the annual audit plan, knowing it will undoubtedly change, on leveraging the resources available to the internal audit department (both on-staff resources and co-sourcing dollars) based on the risk assessment.
2. Present the first three to six months of your plan to the audit committee with some level of certainty on these planned projects.
3. Update the audit committee on what could or is changing as time goes on, with the rationale for what internal audit wants to add and what could be deferred.
4. Start to prepare the audit committee to expect changes in the audit plan to more of a rolling quarterly plan as time goes on.

In my experience (I had a rolling three-month audit plan at my several companies during my 20-year tenure as a CAE), both management and the board recognize the value and need of an audit plan that adapts as risks and value change.

So I join Hal (and Richard) in advising everybody to ditch the annual plan. Be agile. Adapt and make sure you are addressing the enterprise risks of today and tomorrow.

I welcome your thoughts.

Norman’s list of top (downside) risks

Everybody seems to be sharing their list of top risks with potentially significant negative effects on the organization.

Of course, every organization should determine what are its greatest sources of downside risk to the achievement of its own objectives, given its unique facts and circumstances.

Blindly following someone else’s list is a risk in itself.

But these lists are food for thought. Here is my list of 15 things to consider. (Of course there are more.) It’s nothing like the other lists I have seen!

In fact, I would suggest that they are usually not included in either the CRO’s or the CAE’s list of top risks.

These are not necessarily in order of their significance. That’s for each enterprise to decide.

• Cash and cash flow. Cash is king, but if you don’t have the liquidity to be agile, you will become a pauper.
• Selfish executives, very often including the CEO, who put their interests ahead of the team and the organization.
• A failure to innovate. (Such as with products and services, technology adoption, and so many more areas.)
• Poor quality product development, production, and management.
• Inattention to customers and their feedback.
• An unwillingness to take risks. It’s often more dangerous than taking too many.
• Poor decision-making processes.
• Decision-makers who know it all and don’t listen.
• Unreliable, incomplete, or untimely information.
• Stale technology and infrastructure.
• A lack of loyalty to employees. (An example is fast and across-the board layoffs, with slow training and staff development. Another is unwillingness to pay performing individuals.)
• Poor teamwork.
• Human Resources inhibiting the hiring of the people you need to excel.
• A blindness to reality, both to the current situation and to what lies ahead.
• A board that is dominated by the CEO.

What do you think of them?

What would you change, delete, or add?

A risk “quant” speaks out against qualitative risk assessments, and explains very useful tools

I am privileged to call Alexei Sidorenko “friend”. I first met him when he invited me to come to Moscow and speak at a risk management conference he organized,

He is an experienced and insightful risk practitioner and CRO whose thoughts I listen to and recommend you do the same.

Recently he shared his opinion and advice on his Risk Academy blog, Quant models overthrow traditional risk management: embrace or perish?

It’s an odd title, but the content is interesting. I like these statements:

Multiplying single number likelihood with single number consequences is bad risk management. You can sometimes use the resulting expected losses for budgeting, but most of the time this resulting number is useless (strike that, replace with misleading and negligent) for risk mitigation, insurance or risk reporting. Just don’t do it. It’s like trying to loose [sic] fat with arsenic, sure, women did before 1900s, but thank God we realised it is just poison.

Instead replace likelihood and consequence number or rating with distributions. They look and feel the same but preserve the correct mathematical relationships which allows risks to be calculated correctly and added together.

Alex has done us al a great service by explaining how you can use very inexpensive tools and techniques to do this.

Where he and I start to part ways is when he dismisses the value of qualitative risk assessments. I happen to agree with another risk practitioner who wrote about this. Stefan Hunziker asked the question on LinkedIn, Do decision-makers prefer qualitative or quantitative risk reporting? He went on to say:

Imagine a risk management system that does not lead to organizational action. What a spooky idea! Whether decision-makers prefer qualitative or quantitative risk reporting is a heavily underrated topic. Risk management frameworks, norms, standards, and education often overlook the decision-maker perspective. But whose viewpoint could be more important?

Quantitative risk reporting involves a numerical description of risks, often presented as statistical output. On the other hand, qualitative risk reporting involves an alphabetical description of risks, typically in the form of text or ordinal scales. As the name suggests, a hybrid approach combines quantitative and qualitative methods.

Refrain from falling prey to the fallacy of equating qualitative risk analysis with subjective (inferior) and quantitative risk analysis with objective (superior). I’m afraid that’s not right. Numerical risk analysis may tend to obscure that it relies on little evidence or subjective, biased opinion. Subjectivity is always present, even with purely quantitative methods. Risk managers typically choose quantitative approaches based on subjective criteria.

Quantitative risk analyses and their reporting may testify to the risk manager’s competence but tend to be perceived by decision-makers as more critical and less reliable than qualitative risk analyses. Depending on cultural aspects, decision-makers show skepticism towards quantification and favor “practical wisdom” (qualitative).

Interestingly, quantitative risk reporting leads to less organizational action if decision-makers do not supplement it with qualitative risk analyses. In the case of strategic risk reporting (i.e., the most crucial risk category), qualitative or hybrid risk analysis increases risk information’s perceived relevance and reliability.

Also, the less data available for risk quantification, the more significant decision-makers’ skepticism toward quantitative risk communication. Decision-makers tend to prefer qualitative expert analysis to quantitative, algorithm-based analysis (even in cases where it is not justified!).

Different cultures value the relevance of human judgment differently. In companies with mature strategic, future-oriented risk management, human judgment in risk analysis is more appreciated than in companies with a more data-driven, past-looking risk culture.

Qualitative, quantitative, or hybrid risk reporting significantly impacts the decision-makers perceptions of the overall risk management process’s relevance, reliability, and quality. Inadequately presented quantitative risks lead to incorrect risk communication with potentially serious consequences. Also, quantitative risk reporting requires more explanation to decision-makers.

This is my view: give the decision-makers the information they need, when they need it, in an actionable form – that will enable them to make an informed decision.

Sometimes, decisions have to be made at speed based on the information readily at hand. Sometimes, there is time to make a more thoughtful decision, time that allows for a quantification of the risk.

I have a problem when only the downside is assessed, so it is impossible to balance risk and reward.

I have a problem when risk (upside and downside) are assessed in terms of dollars instead of (per ISO 31000) the effect on [enterprise] objectives.

So I don’t rule out the value and dismiss qualitative assessments AS LONG AS they mean something. “High” may mean something, but usually it does not.

Back to Alex. I shudder when he talks about risk registers, but maybe he means risk reports to decision-makers.

I do like this closing of his:

But what if our company is not using excel and we use “state of the art” GRC software platform and they cannot handle ranges, distributions and don’t have Monte Carlo engine? Sue them and recover all fees and compensation back, they have been lying and taking your annual licence fees for nothing all these years. Probably the easiest money your company will ever make. GRC vendors were selling snake oil all these years and now you know it.

So what do you think? Do you like Alex’s guide to quantification?

Are you in favor of:

1. Quantification of risks
2. Qualitative assessments
3. Something else
4. A hybrid approach

I welcome your comments.

Are you an effective leader?

One of my tests of a leader, perhaps the most important, is whether people are willing (if not eager) to follow them.

Being the titular head with staff reporting to you doesn’t make you a leader. It may make you a boss, but not a leader.

History is rife with stories of soldiers who killed their officer. There’s even a name for it: fragging. History channel reported in 1971:

As the Vietnam war continues, the Pentagon releases figures confirming that fragging incidents are on the rise. In 1970, 209 such incidents caused the deaths of 34 men; in 1969, 96 such incidents cost 34 men their lives. Fragging was a slang term used to describe U.S. military personnel tossing of fragmentation hand grenades (hence the term “fragging”) usually into sleeping areas to murder fellow soldiers. It was usually directed primarily against unit leaders, officers and noncommissioned officers.

In 2024, I don’t think there’s a risk that you might be fragged by one of your team.

But there are risks that:

• They leave.
• They fail to give you their best work.
• They hesitate to follow directions.
• They don’t respect or trust you.
• They doubt your direction.
• They may even badmouth you in a way that reaches your own boss.
• You get a reputation and find it difficult to hire.

If you want to be a leader, especially an effective one, you have to work hard at it. I like to think I was one; my former team members say I was, and I had people follow me from one company to my next.

I am reading a book (thanks to Dan Swanson) on leadership that I will review at some point, but it has me thinking about some tips I want to share.

These are not necessarily in order of their importance. They are all important.

• It starts with recognizing that you are one and they are many. Your effectiveness is not the product of your work, it is the product of theirs. So give up some of your priorities for the good of the team.
• Make sure they are happy in their work. If not, do something.
• Give them every opportunity to make a difference. Give them meaningful work that is important to the success of the organization.
• Don’t be a roadblock. If they have to wait for you to reply to an email or to review what they have done, you are almost always at fault. You are wasting their time and that can be frustrating. My team was astonished that I was usually able to reply within an hour regardless of where in the world I was.
• Take your time when you work with them. Give them your full attention.
• Give them a direction and then get out of their way.
• Don’t over-manage.
• Eliminate to the extent possible “rework” such as multiple reviews of the same draft report, correction of working papers, etc. It is frustrating, wastes precious time, and adds little value.
• Eliminate unnecessary red tape that might “conform” to somebody else’s standards but adds little value.
• Help them give leaders of the organization what they need when they need it, and not what they don’t want that wastes their and your time. Examples include Background, Scope and Objectives, or similar sections in an audit report.
• You have to care about your people. In fact, it is important to get to know them beyond work.
• If you want loyalty from them, you have to be loyal to them.
• Be there for them. If they need you, drop everything and run to help.
• Listen to them and then listen again. Make sure you hear clearly and fully. Back them up and don’t criticize in front of others. But give honest and constructive feedback in private.
• Let them fail and fail again. Encourage them to take risks but be there to help them as they need.
• Have a clear vision and share it effectively. Make sure they are on board with it and with you. If they are not, you will probably fail.
• There are times when it is right to tell them what to do, times to be the authoritarian. But most of the time you need to let them be part of any decision.
• Delegate even to the point that it hurts, to the point where you are uncomfortable with the risk you are taking.
• Trust them. If you can’t, look in the mirror. If you see no fault there, you need to change your team.
• Only hire people with integrity.
• Demonstrate integrity and trust every moment, in every situation.
• Honor your commitments.
• Don’t have favorites. Be fair and just.
• Spoil them, just like you would your grandkids. Make sure they are well compensated. Fight for them with HR and your own boss if necessary.
• If they have a question, try not to give them the answer. Help them find it within themselves. Make them think. Don’t accept doing what something because they have always done it that way or because the standards/best practice say so.
• Make their development and career growth your priority. Expose them to senior management so their quality is evident.
• Don’t take their credit. It’s not about you.
• Help them leave when it is right for them (even if not for you).
• Always have a smile for them.
• Stay in touch when they leave.
• Listen to their feedback on your own performance.
• If you are angry or upset, go to your room so you don’t infect or take it out on them.
• Set your ego aside.

There’s so much more. What would you add?

A good kind of lazy auditor

My congratulations to David Dufek for his recent article for the IIA’s Internal Auditor magazine, Building a Better Auditor: Be Lazier.

He makes several excellent points, but misses one: it can take hard work to be what he calls “the good kind of lazy”.

He says, and I agree with him:

Being the good kind of lazy doesn’t compromise your responsibility — and can boost performance.

This is the central theme:

Auditing too much or too often can lead to diminishing returns.

He says a lot in a couple of sentences:

If you’re spending more time on minor details than the big picture, you might be auditing too much. We do not need to prove every opinion we have.

1. We should not be spending any time at all on minor details. Let me repeat that: we should spend zero time on low risks, risks that don’t matter to the success of the organization. As I say in the title of my ground-breaking book on internal auditing, we should only audit what matters – to the board and top management as they endeavor to lead the organization to success.
2. We are entitled to have a professional opinion. We do not have to prove that we are right; we are not in a court of law where controls are effective until proven guilty. We spend far too much time as a profession (and in the Standards) documenting why we have made an assessment. Do we require this of doctors, mechanics, or other professionals? OK, the external auditors have to go to extremes, but we are highly unlikely to be sued for making an honest mistake. Investors are not relying on our opinions.

I also like this paragraph:

If your work only confirms what’s already known without adding new insights, you need to reassess your focus. Don’t fall into the trap of telling management what it already knows. Management has identified an issue? Great! Give them credit, agree to remediation for future follow-up, and move on.

3. Telling people what they already know adds some but not much value. It is valuable, I agree, to confirm that controls are effective. But telling them they are not when they have already reported that to the board, for example, is anything but a good use of our time. I have written about the time when I was a vice president in IT and my team was in the process of implementing the ACF2 security package. The internal audit team took the list of outstanding items from our status report to management and turned them into “findings” without saying where they got (‘found’) them, and not giving us credit for having them on our project plan for imminent completion.

David tells us:

Aside from regulatory requirements, if you find yourself doing the same tests in the same way three years after the last audit, have you fallen into habit, rather than auditing based on true risk?

That’s the bad kind of lazy!

4. If you are auditing the same area three years in a row because the risk is high and you have found control weaknesses, then you failed in prior years. You have failed to work effectively with management to get the controls fixed.
5. If you are auditing the same area three years in a row because the risk is high, but you have not found serious control weaknesses in the past, where is the value? Go audit something where you can share not only your assurance, but valuable advice, insight, and foresight.
6. If you are auditing the same area three years in a row and the risk is not high, shoot whowever put the audit plan together. This is laziness personified.

I really like this:

Knowing what not to audit is as important as knowing what to audit.

Only audit where there is value to your customer. In fact, only perform work that has value to your customer, the rest is by definition (in Lean) muda or waste.

David shows great wisdom when he says this:

As professionals, we should look to our own processes with the same critical eye we use to evaluate management. Where are we lacking efficiency, scalability, and speed? Where are we failing to meet our stakeholders’ needs? In doing so, we should be asking all the ways in which we perform unnecessary work, where we duplicate efforts, and where we haven’t freed ourselves from the practices of 20 years ago.

7. We should examine all our business processes, including risk assessment (continuing vs. annual); audit planning; audit staffing; control identification, testing, and assessment; and reporting. What can be eliminated without seriously affecting the value we deliver to our customers? How can we streamline those processes? Are all the controls, such as working paper review, necessary? Can our processes and controls be improved, streamlined, etc. Are we making intelligent use of technology, where it delivers a great return on investment (measured in value to our customers) than it costs in dollars and hours?
8. Can we rely more effectively on the work of others?
9. Are we doing things because we always have, rather than because they are the best way to deliver value to our customers?
10. Are we doing things because somebody (maybe “the auditors” – IIA Standards – or the regulators) told us to? Do we really have to? Where is the value and where is the risk if we don’t? Can we modify what we do to comply (or confirm, whatever the difference is) at the lowest possible cost?

He closes well:

So, be lazier. Let’s be sure our efforts correspond with the underlying risks. Do no more than that.

Other than again recommending everybody read Auditing that matters, I don’t have much to add except that this good kind of lazy works!

I welcome your thoughts.

An open letter about the definition of risk

I have been open for years about my preference for the ISO:31000 global risk management standard over the COSO products. (I first explained my position at Alex Dali’s ISO 31000 Conference in Paris in 2011.)

Back then, we had the 2009 version, which included a definition of risk and a set of principles. The definition then and now is:

The effect of uncertainty on objectives.

The principles were truly outstanding:

a. Risk management creates and protects value.

Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.

b. Risk management is an integral part of all organizational processes.

Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.

c. Risk management is part of decision making.

Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.

d. Risk management explicitly addresses uncertainty.

Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.

e. Risk management is systematic, structured and timely.

A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

f. Risk management is based on the best available information.

The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.

g. Risk management is tailored.

Risk management is aligned with the organization’s external and internal context and risk profile.

h. Risk management takes human and cultural factors into account.

Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization’s objectives.

i. Risk management is transparent and inclusive.

Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.

j. Risk management is dynamic, iterative and responsive to change.

Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.

k. Risk management facilitates continual improvement of the organization.

Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.

The principles have been changed since 2009, and I am not persuaded that they have been improved. But that’s a discussion for another time.

This “Open Letter” is about the definition of risk as:

The effect of uncertainty on objectives.

The current (2018) version of the standard includes these notes to the definition of risk:

Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.

Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.

Note 3 to entry: Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.

I’m going to discuss this sentence in three phases, working from the last part to the first.

First: Objectives

The standard talks about risk and risk management (by inference) with respect to objectives. In other words, not in terms of dollars and cents (or information assets), but how objectives may be affected.

It is critical in my opinion to understand what effective risk management is all about: objectives.

I prefer to talk about enterprise objectives, although 31000 can be applied to objectives at any level.

Another critical requirement to the effective management of risk – in fact, the effective management of the organization – is that all other objectives support the achievement of enterprise objectives. I like to talk about cascading enterprise objectives down and through the organization.

Far too often, objectives at the business unit or functional level are disconnected from enterprise objectives. Instead, they should be based on what is necessary for the business unit or function to deliver if enterprise objectives are to be achieved.

There’s another critical but subtle point: we are talking about the achievement of objectives. That word, achievement, should be inserted whenever you are talking or thinking about this definition.

Then: Uncertainty

ISO guide 73:2009 added a definition of uncertainty (it is not in the standard itself) as:

Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

While the standard talks about managers taking uncertainty into account, it also talks about a “new uncertainty” appearing.

Frankly, this definition of uncertainty doesn’t make any sense to me. While it may be the common English use of the word, it doesn’t work in this context. (My understanding is that when the definition was being debated among the various constituents, they found it very difficult to agree on a word or phrase because it had different meanings in different languages and ‘uncertainty’ was a compromise.)

The lack of knowledge, the lack of certainty of a potential future “event, its consequence, or likelihood” does not have a direct effect on objectives (at any level).

We should be looking at what would have an effect on the achievement of objectives! That is not a lack of information.

The quality of information impacts how management can address or treat risk (I prefer talking about taking risk), but it doesn’t directly affect the achievement of objectives.

Only actions based on information affect the achievement of objectives.

Events and situations can affect the achievement of objectives.

Events and situations may have an effect on the achievement of objectives.

I like simple terms, so I refer to “what might happen”. So we have:

Risk is the effect of what might happen on the achievement of objectives.

Finally, let’s consider Effect.

For some reason, perhaps under the influence (pun intended) of COSO, the standard defines ‘effect’ as:

…a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.

But we are, or should be focused on the achievement of objectives, not on any deviation from the expected.

What does that even mean, deviation from the expected?

Using that word, expected, already implies some consideration of probability.

Rather than debating whether you can stretch an argument to make sense of this, let’s consider what leadership needs.

They need to achieve enterprise objectives, and they are (or should be) concerned with the likelihood of achieving them.

So let’s measure the effect of risk in terms of how the likelihood of achievement might be affected. As the standard says, that may be positively, negatively, or both.

ISO 31000 is the product of an international organization, and it has been adopted by the standards organizations of many nations around the world.

The International Organization for Standardization is an independent, non-governmental, international standard development organization composed of representatives from the national standards organizations of member countries.

For a while, I was a member of the US national standards body’s (ANSI) working group on the update of the ISO 31000 standard.

ISO has a technical committee, TC262, that is considering updates of the current (2018) version of 31000 and related standards.

This Open Letter is addressed to the memberships not only of TC262 but also the working groups of each of the national standards organizations working to update it.

My advice is to leave the definition unchanged but fix the underlying definition of terms and explain what it all means.

An alternative is to update the definition to say:

Risk is the effect of what might happen on the achievement of objectives.

I welcome your thoughts.

Announcing a new novel

I had a lot of fun writing my new novel. Hopefully people will pick it up and enjoy it as well.

You can find it on Amazon in both paperback and e-reader form: Mystery in (garbled)

As a bonus and because it’s my birthday next week, I have discounted my first novel (e-reader form) to the lowest price Amazon permits. You can find it here: Adventures in the Audit Trade.

CRO speaks the truth about risk management

It’s shocking, but it’s the truth.

Multiple news organizations reported this month that the UK’s Lloyds Banking Group is going to make significant cuts in its risk management function.

Background: Lloyds is one of the largest banks in the UK with revenue of £28 billion and next income of just under £5 billion. It has over 62,500 employees and something like 30 million customers.

It is in the process of a transformation project. According to the Telegraph, “Chief executive Charlie Nunn is seeking to overhaul Lloyds by cutting costs and driving up sales as the environment becomes harder for UK banks this year”.

Now for the truth.

This is what another UK newspaper, the Independent, reported (with my highlights):

Lloyds Banking Group is shaking up its risk management team in a bid to speed up transformation, as a top executive said some processes are time-consuming and blocking the business’s progress, according to new reports.

The restructuring will put a number of roles under threat of redundancy, but will create jobs in other areas.

Lloyds told staff it is “resetting our approach to risk and controls”, according to an internal memo sent last month from chief risk officer Stephen Shelley, seen by the Financial Times.

Mr. Shelley said two-thirds of executives think risk management is a blocker to its strategic transformation, while less than half of its workforce believe “intelligent risk-taking is encouraged”, according to the reports.

The Independent also said that:

Around 175 permanent jobs in the bank’s risk division and related roles are under threat of redundancy as a result of the change.

But it is expected to create about 130 roles which are focused on specialist risk and technical expertise.

City AM told us that Shelley said:

“We know people are frustrated by time-consuming processes and ingrained ways of working that impede our ability to be competitive and leave us lagging behind our peers,” Shelley added.

This is sad news for the practitioners at Lloyds.

But it should be a HUGE wake-up call for risk practitioners everywhere!

I have said for a long time that the way to determine whether risk management is effective is to find out whether operating and senior management believe it is helping them make the best decisions and take the right risks.

Lloyds found that woefully lacking.

My congratulations to their leadership for recognizing that and for their decision to make necessary changes.

Do I know whether those changes will be successful? I have no insights, but I certainly hope so.

My advice is for risk practitioners everywhere, with the help of the board, internal audit, and senior/executive management:

• Focus on what decision-makers need if they are to make the decisions, taking the right risks, necessary for success (achieving enterprise objectives).
• Make sure they have the reliable information they need, when they need it, in a readily actionable form.
• Ditch heat maps, risk registers, etc. that are not useful in decision-making.
• Be flexible and adapt with agility to the changing needs of decision-makers.
• Be sensitive for the need for speed in decision-making. Sometimes it is fast, but not always.
• Talk to and listen to decision-makers all the time, at every opportunity.
• Eliminate work that they don’t value and use.
• Don’t be a blocker. Be an enabler! Change your mindset.
• Make risk management something executives want instead of a compliance activity, something they have to do.

…and make sure the board knows when risk management is not effective.

I also suggest reading Risk Management for Success.

I welcome your thoughts.

An open letter to the IIA Board

The release of the draft Cybersecurity Topical Requirement for public comment has sparked some very serious negative reactions from thought leaders (notably on LinkedIn). I agree with many of their comments.

My overriding concern is whether the IIA is leading the profession in the right direction.

Is it leading practitioners to provide stakeholders with the risk-based assurance, advice, insight, and foresight they need as they lead the organization to success (achieving enterprise objectives)?  The GIAS draft hardly mentioned the need for a risk-based approach (risks to enterprise objectives, that is, not risks to a business unit or process within the organization). The final GIAS is better, but still doesn’t provide sufficient guidance on enterprise-based audit risk assessment, planning, execution, and reporting.

Or is the IIA leading the profession back to the dark days of full-scope audits (with a pre-defined standard scope) and standardized audit programs?

Is it encouraging us not to think but to follow standards and rules (notably, the Topical Requirements (TRs))?

Even the PCAOB, which some commentators believe the IIA is trying to emulate, mandates (LOL) that the auditors use their judgment!

I also have questions about the governance of the IIA, and whether it is able to provide effective oversight and challenge when so many of its members are functioning as management. I recommend that the Board consider a two-tier board, similar to that found in some European and explained in this article. The Supervisory Board should have no more than 7 members.

Why has this TR provoked these negative comments?

There are two reasons, in my opinion. One is fundamental, the concept behind TRs, and the other detailed, the content of the TR.

It appears from the content of the draft and earlier writings from the IIA that there is a belief that practitioners need to perform their audits the same way, with the same scope, as everybody else. Consistency, in their eyes, promotes professionalism and quality.

There are several problems with that, which I will illustrate through examples based on my experience as a financial auditor (Chartered Accountant and CPA) and then IT audit manager in public accounting for a decade, a financial and IT internal audit manager, five years in IT management with responsibility inter alia for information security, and then twenty years as a CAE.

Consistency is the enemy of judgment.

At Tosco Corporation, information security was a source of significant risk to the company. (The way we defined it, it incorporated cybersecurity) However, contrary to what the TR infers, the risk was not consistent across the organization and could not be addressed in a single audit.

• The greatest area of concern was the security of our several oil refineries. A breach could enable somebody to change temperature or pressure settings in a processing unit, leading to a fire or explosion that could kill people.
• Each refinery was separate, with its own systems, security, and monitoring. They were managed separately by the local staff.
• The data center was totally separate from the refinery systems, managed by different people.
• Different teams managed the various parts of the infrastructure, with different processes and tools.
• While the external auditors at one point decided to audit information security over our convenience stores (>6,000 local servers), they soon realized the risk was low and stopped.

Our approach was to identify the information security-related sources of business risk (risk to enterprise rather than cybersecurity objectives) and perform audits where the risk was highest. Separate audits were performed at different times of:

• Application security, with separate audits for specific systems.
• Application change management and data center security (usually as part of an ITGC audit of the data center).
• Windows/Unix/Linux security and patch management.
• Network management.
• Disaster recovery, including breach or incident response.

We also did some white-hat hacking of our own, a form of independent penetration testing. We found serious holes that were fixed immediately.

At Solectron Corporation, the challenges were very different. This was a company with over one hundred locations around the world, each of which had its own IT function (even different CIOs), different business applications, and different ways to address information security. However, it also had a corporate CIO and a corporate information security team.

While information security-related risks were addressed as part of individual audits of the higher risk plants, we also assessed:

• Corporate information security policies and standards.
• The positioning of the InfoSec team (not addressed in the TR).
• The competence of the InfoSec team.
• The risk assessment performed by the corporate InfoSec leader.

One example stands out.

The KPMG IT audit team identified what they considered a serious weakness in our security measures. Access to the router in Taiwan through which all communications between Asia and the rest of the world passed, was not secure. Transactions were not encrypted. Their observation was that access to the router would enable hackers to access other parts of the network as well as change, delete, or add transactions.

We were able to determine that access to the router did not enable access to the broader network, and that the risk to the business related to transactions was very low indeed.

This demonstrates my point, that cybersecurity risk is not uniform. We need to audit where the risk to the business is high. Risks that are low need not be audited.

Far more significant was our reporting that the InfoSec function was too low within the IT function; it had next to no visibility or access to senior management, and its influence was minimal.

Furthermore, the staffing was insufficient both in terms of the quantity and the quality of resources.

Finally, they had not completed (and didn’t know how to complete) an InfoSec risk assessment.

Turning to a different type of illustrative example, consider a situation where a full scope audit of cybersecurity was completed last year. It found a few areas of weakness, but most areas were strong. Discussions with management have determined that little has changed. Risks are assessed as the same, and the same control mechanisms are in place.

Does it make sense to perform the same full scope audit again?

Or is it better to focus on the areas where weaknesses were identified in the last audit? Those may be addressed in a series of audits rather than a single, larger one.

Now add to that the fact that there are other sources of risk that require the attention of the IT audit staff (which can include co-sourced resources). Those areas, such as the deployment of generative AI, are seen as presenting higher risk and our involvement would add significant value.

The enterprise risk-based audit approach would lead the auditor to focus on the higher areas of risk, with limited follow-up through discussion with management on the status of corrective actions.

I am going to limit my comments on the content of the TR.  Here are some thoughts for consideration:

• Distinguish cybersecurity from information or data security, and explain why and when IA should audit one rather than the other.
• Focus more on the technical competence of the management cyber team.
• Emphasize detection, investigation, and response.
• Recognize that some audits might only include (appropriately, based on risk) some and not all of the areas discussed.
• Include the need for cybersecurity management to have a voice within the organization.
• The TR has some good content, especially around auditing management’s risk management process (which could and probably should be a separate audit).

But above all, allow and even mandate (LOL) the need for judgment and flexibility in determining which audits to perform at what time and with what scope.

How to move forward. We need to move forward by reflecting on wise words from the former CEO and President of the IIA. In a 2010 interview he said:

…. if you are really for where and how an internal audit department can add the most value, I just have three words: Follow the risk. If you, as an internal audit department, are constantly monitoring where the risks are in your company and you are focusing your internal audit efforts closely to those risks, I think you are going to generate value almost every time.

He has remained true to this message, saying just this month that IA should:

When in doubt, follow the risk, but remember that it is a moving target. Establish risk-based criteria for prioritizing your audit coverage. Without that, you won’t know where to start.

However, the TR (and to a large extent GIAS in general) is moving away from allowing auditors to use their judgment and audit where the risk to enterprise business objectives is highest.

The TR is a form of standardized audit scope mandate at a time when risks are dynamic, how management addresses them is changing, and judgment is required if an audit team is to provide the assurance, advice, insight, and foresight our leaders need.

We need to move forward by returning to what worked: Standards that establish the principles for effective internal auditing, and recommended guidance for achieving them.

Keen eye seeks the truth,

Risks and controls in the light,

Trust for a strong path.

 

Google’s Gemini AI

IIA Board

Sally-Anne Pitt

Michael Levy

Anthony J. Pugliese

Terry Grafenstine

Karen Brady

Benito Ybarra

Stefano Comotti

Jorge Badillo Ayala

Emmanuel Johannes

Michael Varney

Elizabeth Honer

His Excellency Dr. Hussam Al Angari

Hiroshi Naka

Huibo Liu

Stacey L. Schabel

Larry Herzog Butler

Elizabeth Sullivan

Red flags of ineffective risk management

I congratulate José David Pino for his brave attempt to call attention to ineffective risk management in his article for the IIA’s magazine, On the Frontlines: How Mature is Your Risk Management?

He correctly reports something I earlier shared in a blog post:

In the 2023 report, The State of Risk Oversight: An Overview of Enterprise Practices, published by the American Institute of Certified Public Accountants and NC State, only 29% of risk leaders surveyed say their organization’s risk management oversight processes are mature, while 35% describe them as evolving, 21% say they are in the development stage, and 15% indicate they are very immature.

It’s important to note that these answers came from more than 400 organizations, including large organizations (with revenues greater than $1 billion), publicly traded companies, financial services entities, and not-for-profit organizations.

Further analysis reveals that 17% of the respondents say they have no structured risk management processes for identifying and reporting top risk exposures to the board. An additional 18% of respondents indicate that they mostly track risks by individual silos of risks, with “minimal reporting of top risk exposures to the board.” Additionally, 25% responded that they mostly have informal and unstructured risk management processes, with “ad hoc reporting of aggregate risk exposures to the board.”

He lists several of what he considers “red flags that may arise in situations with poor risk management practices or where ERM initiatives are not as effective as planned”.

• Poor involvement of the organization’s tone at the top in ERM initiatives.
• Risk culture not reflected in the way an organization is doing its business.
• Risk incidents occurring continuously, and the root cause is not identified.
• Risk management not integrated in strategic planning.
• Reactive rather than proactive approach.
• Key personnel unaware of the extent of risks, given significant changes in the size or operations of the organization.
• Absence of internal control structures and personnel ownership of risk and control responsibilities.

I believe there are more red flags. These are more important and often easier to see:

• When you ask leaders about risk management, they don’t know what to say. Perhaps they talk about managing or mitigating risks, but without any confidence because it’s not something that means a great deal to them.
• Risk management is not seen as helping them run the organization for success. They do it because they have to rather than because they want to.
• Only downside effects of what might happen are considered in risk management.
• Management believes compiling a list of risks is sufficient, even if they are reviewed frequently.
• Risks are managed in silos using different assessment tools, measures, and language.
• They are managing risks instead of the achievement of objectives.
• Risks are assessed based on the likelihood of a single potential effect instead of a range of effects.
• Risks are assessed based on their potential financial impact, i.e., quantified using dollars or similar, rather than on the effect on objectives.
• Some risks are assessed based on their effect on information assets, rather than business objectives.
• Risks are evaluated and decisions made on addressing them one at a time, instead of looking at all sources of risk (the big picture) together.
• The board has separate committees for risk and strategy. The risk committee only talks about downside risks.
• Risk is not considered in setting objectives, goals, or strategies.
• Risk is not included in performance reporting.
• Everybody gets the same risk reports.
• …and yes, there are a lot of surprises (a.k.a. risk events) that indicate a lack of thought about what might happen, not using the information available, or poor decision-making processes.

What other red flags are there?

Do you like my list?

I welcome your comments.

Your words can imperil your independence

I believe every internal audit executive would agree with me that our independence from management is critical.

We need to be able to operate without undue interference from management.

That means that they are not able to stop or change our audit reporting, our opinions, or our assessments.

It also means that they cannot stop us from performing an audit, and they cannot change its scope. They also cannot command that we perform other activities (even other, lower risk audits), diverting our limited resources from our essential responsibilities.

But if we use the wrong words injudiciously when talking to management, we may give them reason to believe they can do all of that.

So what are the right words to use?

When we develop and update (continuously) our audit plan, the schedule of audits we plan to perform, we will seek input from management.

We want to know:

• Their concerns about risks and controls.
• Their ideas and assessments of the more significant risks to enterprise objectives.
• Their plans for change.
• How they see us adding value.
• Whether they have task forces or similar projects reviewing areas that we might target for an audit.
• Their thoughts on the audit projects we are considering.

We want their collaboration on our audit plan.

But it remains OUR audit plan.

We can put that at risk by careless use of words.

For example, if we seek their approval for our audit plan (as indicated in the sample charter recently published by the IIA and supported by prominent members of our profession – see this LI post and comments), we are saying that they can say “no”. They can disapprove. They can stop us from performing audits we believe are essential; they can demand changes in their scope; and they can add other projects we do not believe are high risk/value.

Some believe it is necessary to obtain their concurrence with it.

So what happens when they say they do not concur or approve?

These people say that internal audit can elevate the dispute to the board and its audit committee.

I believe that is giving management excessive power over our audit plan – and us – and our independence is weakened. We are put on the defensive, trying to justify what is in OUR audit plan.

We may have reasons for an audit that we don’t want to share with management, such as concerns about the integrity or competence of those same executives. They may even be hiding something from the board.

The disagreement may be an honest one about the level of risk. But that is not always the case. In fact, they may want to close their eyes to risk that we see as real and high, because their jobs or compensation depend on moving forward with a risky situation or venture.

There have been times when management simply didn’t want us poking our noses into their business, because they were afraid of what we might see.

NO. We don’t seek their approval or concurrence. We obtain their input. We discuss their thoughts and listen carefully should they say that the related risks are low or that there would be little value in an audit. We especially listen when they ask us to add an audit of an area where they believe the risk is high and/or we can add great value for them.

But it is OUR audit plan as a function that must be independent of management, free from undue influence.

I was the Chief Audit Executive for several public companies for about twenty years. During that time I had these difficult experiences.

Penang

My predecessor had been careless in his use of words and asked management of our Penang operation for their approval of his audit plan. The next year, I did not. I shared it with them as a draft and asked for their input and comments before obtaining audit committee approval, and then shared it again after that approval had been obtained.

When it came time for an audit to start in Penang, my team sent them a notification a month in advance. They did not reply.

But when the team arrived, they were locked out! Penang management told them they had not approved the audit!

I was able to override local management by getting the regional President to make a call and explain that management did not have the ability to approve or disapprove of the audit plan.

Business Objects (BOBJ)

When BOBJ announced that it was going to be acquired by SAP, a lot of critical people left. That included our entire Infosec team and our entire Customer Credit department in the UK.

Risks to our continued business and to the success of the acquisition and integration were very high indeed. This was especially true since the SAP CFO decreed that BOBJ would migrate to the SAP ERP from our current Oracle platform within six months! An unheard-of speed.

I moved my entire internal audit team to help management address these new sources of risk.

Then I contacted my SAP counterpart and asked him to join me in the endeavor. Initially he agreed, but then demurred. He said this was not in his annual audit plan (!) and any changes to the audit plan required the approval of the CEO!!!

Fortunately, the SAP CRO helped out, but ….

Solectron

This was a company where my team started finding financial statement frauds at a number of unrelated subsidiaries in the US. None of them were material (thank goodness) to the consolidated financial statements, but they reflected an environment where many subsidiaries were struggling to stay afloat. They were barely, if at all, profitable and were afraid of being closed down. Some resorted to cooking the books, only for my team to uncover the frauds.

In fact, the company as a whole was struggling and the CFO had started working with an investment bank to raise money through a bond offering.

He was worried that the frauds we were uncovering would dissuade the bankers from underwriting the bonds.

So he carefully asked me not to perform any more audits where we suspected fraud, or at least delay them.

This put me in a very difficult position. I equally carefully responded with words that made sure we both agreed it was my audit plan and he was not going to be able to stop me from going ahead if I decided to do so. Of course, he could appeal to the audit committee, but that was a perilous approach (for him).

I maintained my independence and was able to provide the bankers with assurance that all the frauds I was finding, and any that I suspected, were immaterial to the consolidated results and position of the company.

I deferred but did not cancel additional audits for a month or so, by which time the crisis had passed.

But it was my decision, and my audit plan – and the CFO knew that.

MY ADVICE AND PRACTICE

Be careful with your words.

We are seeking input and advice from management when we are developing and updating the audit plan.

We listen and pay attention, especially when they identify areas where they see more risk than we do, as well as those where they see less. We seek to understand why.

But it remains OUR audit plan.

We want to be able to tell the audit committee that we have discussed the audit plan with management.

Management can raise an objection with the audit committee, but in my experience that doesn’t happen if you have engaged them in constructive discussions as you developed YOUR plan.

The charter should make it clear, and both the audit committee and management should understand, that internal audit is independent of management. Our plan is our own, the result of obtaining management input and collaboration, and we have not sought their approval or concurrence.

It’s a little different when it comes to audit reports.

Here we seek to come to an agreement with management on:

• the facts,
• what they mean, and
• what needs to be done.

But again we do not seek their approval. I can accept concurrence, but agreement is a better word in my opinion.

What do you think?

I believe these may be semantic differences, but it is very important for management to have a clear understanding of our independence and the lines they cannot cross.

Thinking about risk appetite and risk appetite statements

I have written a lot over the years about risk appetite and the value of risk appetite statements, both here on this blog and also in my books, especially World-Class Risk Management (2015) and Risk Management in Plain English: A Guide for Executives, Enabling Success through Intelligent and Informed Risk-Taking (2018).

I am going to write more today, excerpting my writing from a few years ago before summarizing, as best I can, my current thinking.

This is from Risk Management in Plain English (with my highlights), a concise discussion of effective risk management for the time-burdened executive (discussed further in Risk Management for Success (2020)):

The concept of “risk appetite” has been popularized by consultants, regulators, and others. It is defined as:

“The types and amount of risk, on a broad level, an organization is willing to accept in pursuit of value”.

This is not particularly useful.

It’s not about managing risk; it’s about managing the achievement of objectives.

While this is true, the regulators like and sometimes require that an organization define and disclose (to a degree) its risk appetite.

There are times when a risk appetite and reports of whether it is being exceeded are useful.…

…when making a decision that exposes you to a loss (such as when you are considering making a bet), it is essential to know if you can afford [should take the risk of] that loss.

Risk appetite statements are supposed to guide decision-makers, telling them how much the organization is willing to put ‘at risk’.

• Limits on risk-taking are set and approved by top management and the board. More than one limit is generally required as there are multiple sources of risk and it usually doesn’t make sense to try to aggregate them. For example, how do you aggregate safety and creditrisks?
• Decision-makers are to stay within those limits.
• Monitoring is in place to ensure the limits are not exceeded.
• On a periodic basis, compliancewith the limits is reported to top management and the board.

But the amount of loss you are willing to expose yourself to will vary depending on the potential for gain or value. So the COSO definition, which is used broadly by regulators, is not particularly useful.

The term doesn’t really make sense when you are talking about compliance or safety risk. No reputable organization will say anything other than they have no tolerance for any compliance violation or safety incident. But the only way to eliminate these risks is to exit the business.

In real life, there is a limit to the resources an organization is willing to commit to avoiding compliance or safety problems.

The concept is most useful when we are talking about a financial portfolio, such as those held by banks, insurance companies, and other financial institutions.

I then quoted the risk appetite statements from Deutsche Bank and the Reserve Bank of Australia. The latter disclosed (again with my highlights):

The Bank faces a broad range of risks reflecting its responsibilities as a central bank. These risks include those resulting from its responsibilities in the areas of monetary, financial stability and payments system policy, as well as its day-to-day operational activities.

The risks arising from the Bank’s policy responsibilities can be significant. These risks are managed through detailed processes that emphasise the importance of integrity, intelligent inquiry, maintaining high quality staff, and public accountability.

The Bank is also exposed to some significant financial risks, largely due to it holding Australia’s foreign exchange reserves. It accepts that the balance sheet risks are large, and manages these risks carefully, but not at the expense of its policy responsibilities.

In terms of operational issues, the Bank has a low appetite for risk. The Bank makes resources available to control operational risks to acceptable levels. The Bank recognises that it is not possible or necessarily desirable to eliminate some of the risks inherent in its activities. Acceptance of some risk is often necessary to foster innovation and efficiencies within business practices.

….

The Bank aspires to be among the world’s leading central banks, measured by the quality and effectiveness of its operations. This requires ongoing development and innovation in its operations through strategic initiatives which often carry significant risk. The Bank has a low appetite for threats to the effective and efficient delivery of these initiatives. It recognises that the actual or perceived inability to deliver strategic initiatives could have a significant impact on its ability to achieve its objectives as well as its reputation.

….

The Bank holds domestic and foreign currency-denominated financial instruments to support its operations in financial markets in pursuit of its policy objectives. These instruments account for the majority of the Bank’s assets and expose the balance sheet to a number of financial risks, of which the largest is exchange rate risk. The Bank does not aim to eliminate this risk as this would significantly impair its ability to achieve its policy objectives. Instead, the risks are managed to an acceptable level through a framework of controls. The Bank acknowledges that there will be circumstances where the risks carried on its balance sheet will have a material impact on its financial accounts. The Bank regards it as desirable to hold sufficient reserves to absorb potential losses.

The Bank has a very low appetite for credit risk. The Bank manages this risk carefully by applying a strict set of criteria to investments, confining its dealings to institutions of high creditworthiness and ensuring that exposures to counterparties are appropriately secured, wherever feasible.

….

Information Technology (IT) risks cover both daily operations and ongoing enhancements to the Bank’s IT systems. These include:

• Technology Service Availability – Prolonged outage of a core RBA system: The Bank has a very low appetite for risks to the availability of systems which support its critical business functions, including those which relate to inter-bank settlements, banking operations and financial markets operations. Service availability requirements have been identified and agreed with each business area.
• Security – Cyber-attack on RBA systems or networks: The Bank has a very low appetite for damage to Bank assets from threats arising from malicious attacks. To address this risk, the Bank aims for strong internal processes and the development of robust technology controls.
• Technology Change Management: The implementation of new technologies creates new opportunities, but also new risks. The Bank has a low appetite for IT system-related incidents which are generated by poor change management practices.

I commented, saying that this risk appetite statement may check the box but has little if any value when it comes to guiding decision-making:

Describing your risk appetite as “low” sounds good but has no practical meaning.

What is “low” and how would you know whether your actual level of risk is “low”?

How would you know whether you are taking more risk than advisable?

In practice, organizations need to set and describe their risk appetite in meaningful terms.

The risk appetite statement has to guide decision-makers, helping them understand whether they are taking more risk than they can afford to take.

In practice, smart executives make investment decisions based on a careful weighing of the potential for both gains and losses, with a minimum expected return – but within limits.

• The board and top management should determine which areas of risk they want to monitor against limits.
• They should establish metrics that provide useful and actionable information about whether people are taking the desired level of the right risks.
• They should ensure, if at all possible, that decision-makers can be guided to stay within those limits.

In practice, the last of these three bullets is hard to achieve. The relevance of an enterprise objective and risk limit may be difficult for a middle manager to understand and apply in decision-making.

Only when you understand how your actions affect the achievement of enterprise objectives can you understand the consequences of those actions. Only then can you know, hopefully with guidance from the senior management team, how the risk to enterprise objectives you are taking is acceptable.

MY CURRENT THINKING

Let me see if I can say this simply and concisely.

1. The board and management should be focused on achieving enterprise objectives, managing the business for success.
2. That requires taking risks, sometimes taking more rather than less (downside) risk.
3. Managing a list of risks out of the context of the potential reward and achievement of enterprise objectives may avoid losses in the short term but will almost certainly limit or even eliminate the potential for success over both the long and the short term.
4. The key is to take the right levels of the right risks given current and anticipated circumstances (which change dynamically) and balancing risk and reward.
5. Those risks are taken through decision-making, which must be informed (seeing the big picture and understanding what might happen) and intelligent.
6. We live in a dynamic world (repeating part of #4), and a risk may be right to take today but not tomorrow or next week. Conditions are changing rapidly, and management must be agile in its decision-making. For example, conditions in Baltimore harbor change the level of supply chain risk for organizations planning to move goods by sea into or out of Maryland. The availability of liquid funds and cash flow can change significantly and dynamically from month to month, even day to day, affecting management’s ability to take risks such as granting longer payment terms to customers, making a large purchase of raw materials, or making an investment in a new system or acquisition.
7. A risk appetite statement is static and not dynamic.
8. There is no single amount of risk. It makes no sense to aggregate disparate sources of risk to enterprise objectives and come up with a single “amount of risk”.
9. However, it does make sense to determine the likelihood of achieving each enterprise objective and determining whether those likelihoods are acceptable. This is my preferred and practical way of thinking about ‘appetite’.
10. Decision-makers need guidance to ensure they are taking an acceptable or even desirable level of risk to enterprise objectives, commensurate with management and board direction.
11. That guidance is NOT conveyed by a single ‘amount of risk’ (the risk appetite) or a single risk appetite statement. It is conveyed through more detailed:
    1. Policies and procedures in multiple business processes.
    2. Spending limits.
    3. Credit and other limits.
    4. Management and board supervision and review.
    5. Risk-taking limits where defined types or levels of risks must be escalated to more senior management.
    6. …and more.

“Do we have a risk appetite statement, and does it meet regulatory requirements?” may be a good question to ensure we check the box.

“Do we have practical and effective guidance for management and board decision-making so that we are assured that the right risks are being taken to achieve enterprise objectives” is a far better question.

Another is “How do we know people are making informed and intelligent decisions, understanding the big picture, and taking the right risks for success – achieving enterprise objectives?”

Finally, “Do we have an acceptable likelihood of achieving enterprise objectives? If not, what are we doing about it?”

If I had to develop and disclose a risk appetite statement, it would explain that we take risks to achieve our enterprise objectives, but do so prudently through relevant guidance, policies, and procedures; we balance risk and reward; and the board exercises oversight of decision-making and risk management in general, including obtaining formal assessments from top management on both. I would have a document for discussion by the board and executive management that lists at least the more significant sources of risk and controls. But my main focus is always on understanding whether there is an acceptable likelihood of achieving (or exceeding) enterprise objectives.

Check the box but run the organization for success.

I welcome your thoughts.

Do you have a risk appetite statement that changes daily tactical as well as strategic decision-making?

The latest information on fraud risk

For 13th years, the Association of Certified Fraud Examiners (ACFE) has shared with us the results of their annual survey, with the latest being Occupational Fraud 2024: A Report to the Nations.

I have been reading and commenting on their reports for years and you can find a few blog posts here using the Search function.

This year’s report is based on 1,921 fraud cases investigated by CFEs between January 2022 and September 2023, of which 38% were in the USA.

The ACFE broke the cases into three categories:

• Asset theft or misuse represented 89% of the cases with a median loss of $120,000.
• Corruption (bribery, purchasing or sales schemes, extortion, etc.) was involved in 48% of the cases, with a median loss of $200,000.
• Financial statement frauds were only 5% but the median loss was $766,000.

38% of the cases had more than one of the above, with 35% of the cases involving both asset theft or misuse and corruption.

The ACFE found it interesting that less than 1% of the cases involved financial statement fraud alone.

The median duration of a fraud was 12 months, and the average loss per month was $9,900.

Internal controls can have a significant impact on reducing fraud risk. The ACFE reported that:

…four controls—surprise audits, financial statement audits, hotlines, and proactive data analysis—were associated with at least a 50% reduction in both fraud loss and duration. Surprise audits and proactive data analysis were among the least commonly implemented anti-fraud controls in our study…, which shows some opportunity for many organizations to reinforce their anti-fraud efforts by considering the addition of these controls.

The report has an interesting chart on this on page 40.

As might be expected, the more senior the perpetrator, the more expensive the fraud.

…frauds committed by individuals at the owner/executive level only represented 19% of cases but caused the highest median losses by far. Perpetrators at the owner/ executive level caused a median loss of USD 500,000, which was more than eight times as much as staff-level employees (USD 60,000) and almost three times as much as mid-level managers (USD 184,000). Frauds carried out by employees and managers were much more common, representing 37% and 41% of the cases submitted, respectively. Similarly, fraud cases perpetrated by individuals at higher levels of authority took longer to detect. The median duration of frauds perpetrated by employees was only 8 months—one-third as long as those perpetrated by owner/executives (24 months)—while frauds committed by mid-level managers had a median duration of 18 months.

There’s a wealth of information in the report, and I will quote just two more factoids:

• …more than half (54%) of the frauds in our study were carried out by multiple perpetrators colluding, rather than a single fraudster acting alone. Schemes committed by sole perpetrators also had the lowest median loss (USD 75,000), and frauds perpetrated by three or more perpetrators caused losses more than twice as high as those perpetrated by only two coconspirators. The higher losses associated with collusive schemes could be related to easier circumvention of controls, such as separation of duties, when multiple perpetrators work together.
• …the vast majority of perpetrators in our study (87%) had never been either charged with or convicted of a fraud-related offense, meaning that traditional criminal background checks would not have prevented the frauds from occurring. Interestingly, 5% of cases involved perpetrators with a prior fraud conviction that either was not known to the victim organization at the time of hiring or did not prevent the organization from hiring them.

None of us will be surprised to see that the more senior the perpetrator, the less likely they will be punished when caught.

That brings us back to what should we do about fraud risk.

Some believe that internal audit is responsible or should be responsible for detecting fraud, assessing fraud risk, etc.

No.

I will repeat what I said in 2018 on this blog:

I am a strong believer that the resources dedicated to addressing fraud risk (by management or by internal audit) should be commensurate with the level of risk.

Those organizations with high risk should allocate more resources. Those with lower levels of risk should spend their precious resources elsewhere – given a basic minimum to keep the risk low, such as a code of ethics with training and annual certification, a whistleblower hotline, and prompt and capable investigation of every allegation.

That brings us to the need for a fraud risk assessment.

I believe that this should ideally be a management responsibility. The CRO can also take it on. But the internal audit team has the expertise to at least assist, at most complete the assessment on behalf of management.

It should be updated at least annually and every time a fraud is detected.

The fraud risk assessment for SOX should be focused on the potential for a deliberate material misstatement of the financial statements filed with the regulators. I prefer it being a separate document than the enterprise fraud risk assessment.

Management should obtain assurance that the controls in place to keep fraud risk at or below desired levels are effective.

Some internal auditors feel it is their obligation to detect and investigate fraud. I agree with the second part for most organizations (some have a separate unit of fraud examiners), but not the first.

It is management’s responsibility to have appropriate controls in place to prevent and detect fraud, not internal audit.

However, the board or audit committee may decide it is better to charge internal audit with fraud detection. I am OK with that as long as it is in the audit department charter and they have additional resources (beyond what they need to address more significant risks).

I encourage you to read the ACFE report. You may want to print and highlight the more interesting statistics and comments, then share them widely within your organization.

My congratulations to the ACFE on yet another excellent study, very well presented.

Where do we sit? Its important!

This may be an odd question to ask, but as a leader of internal audit and risk management it was an important issue for me.

While there is so much talk about artificial intelligence, I believe it is far more important to optimize human intelligence!

Where we sit affects:

• Our ability to know what is happening in the business.
• The perception of us as being part of the business and not in an ivory tower.
• Our understanding of the culture of the organization, including the morale of the people.
• Our ability to have confidential discussions among ourselves and with management – without being overheard.
• People’s ability to visit us without others knowing.
• Ready access to management and staff.
• Our access to files and other information.
• In an odd way, our agility. We don’t have to travel to perform the audit or to meet with people – and meeting with people face-to-face is far superior to a virtual meeting. We can stop by to talk to (or, better, listen to) people without having to schedule a call or meeting.

I liked to embed auditors in the business. If they are local, even in the same trading room for example, they are seen and accessible. They get to know the people leading and performing the business. They are known to them as humans, not just practitioners. You tend to trust people you know, but not so much people from Corporate.

But at the same time, you need to be able to have confidential discussions without being overheard. You need to be able to say or hear things, even use language in private that you would not repeat to management.

It’s also important for the head of the department to have easy access to and by management, as well as to staff. The same goes for managers within the department.

I have run into problems with this in the past, including:

• At one organization, the CFO wanted me to stop hiring employees in the US or even in Singapore. He felt I could outsource staffing to India at lower cost. But we had no operations in India, so this made no sense other than as a way of cutting cost (which was debatable).
• At another where I was interviewing for a CAE position, I would have needed to make an appointment to see any of the C-level executives because they were in a separate, locked, part of the building. I did not accept their offer.
• One company barred me from using the executive coffee room. I liked to go there, less for their coffee (which was admittedly made using an expensive machine) and more to bump into C-level executives. In fact, that was the first place I was able to have a friendly conversation with the COO.

We need to pay attention to our human intelligence in many ways (including employee training, our perception and reputation, and far more).

One often overlooked factor is where we sit.

Are you and the other practitioners in your organization sitting in the best places?

I welcome your thoughts.

A review of the UK’s draft Code of [internal audit] Practice

I have been invited to comment on the draft Code of Practice from the Chartered Institute of Internal Auditors (the UK affiliate of the IIA). You can find it here.

Take the time to review it.

This is an important document not only because of its potential impact on internal auditing in the UK, but also because it might be adopted in other parts of the world.

One thing I like about it is that it is relatively short! But it has a lot of principles, perhaps too many.

I have considered:

• Whether it is necessary given the new Global Internal Audit Standards (GIAS).
• Whether its content is appropriate and desirable.
• Whether it adds value to the profession and its practices.

I will conclude on those at the end. First, let’s review its content.

I like its ambitious start:

The purpose of the Code

The principles which follow are aimed at enhancing the overall impact and effectiveness of internal audit within organisations operating in the UK and Ireland. They are regarded as a benchmark of good practice against which organisations should assess their internal audit function.

It continues with:

The Code should be applied in conjunction with the Global Internal Audit Standards. The Code builds on these Standards and seeks to increase the impact and effectiveness of internal audit by clarifying expectations and requirements.

The Code is principles based. It is expected that the principles are applied proportionately, in line with the nature, scope and complexity of the organisation. Internal audit functions should apply the Code in the context of internal audit regulatory standards applicable to the organisation.

As you may have read in previous posts on this blog, I am not a fan of GIAS. I do not believe it defines what is required for effective internal auditing (it has too much at the same time as omitting stuff). It has not, as proclaimed by the IIA, “elevated the profession”.

But any Code of Practice has to recognize the existence of the Global Standards.

The Code has 36 Principles. I believe in principles-based guidance, especially as I was part of the team that developed the IIA’s Core Principles. I still believe those nine principles were excellent: clear, concise, and sufficient. Do we need the 36 in the draft Code or the 15 in GIAS? Let me remind you what is in the Core Principles.

The Core Principles, above all, define tangible internal audit effectiveness. When all Principles are present and operating cohesively, internal audit function achieves maximum efficiency. Though the way every internal auditor approaches these Core Principles may vary from organization to organization, there’s no denying that a failure to achieve any of the Principles would signal an internal audit activity that’s not performing at its absolute best.

• Demonstrates integrity.
• Demonstrates competence and due professional care.
• Is objective and free from undue influence (independent).
• Aligns with the strategies, objectives, and risks of the organization.
• Is appropriately positioned and adequately resourced.
• Demonstrates quality and continuous improvement.
• Communicates effectively.
• Provides risk-based assurance.
• Is insightful, proactive, and future-focused.
• Promotes organizational improvement.

The first Principle in the draft Code is:

The primary role of internal audit should be to help the board and senior management to protect the assets, reputation and sustainability of the organisation.

It does this by:

• providing independent, risk-based and objective assurance, advice, insight and foresight;
• assessing whether all significant risks are identified and appropriately reported by management to the board and senior management;
• assessing whether the organisation is adequately controlled; and
• challenging and influencing senior management to improve the effectiveness of governance, risk management and internal controls, including identifying efficiencies and removing duplicative and/or redundant controls.

The role of internal audit should be articulated in an internal audit charter, which should be publicly available.

There’s a major mistake in that first sentence. The role of internal audit is not limited to helping protect the assets, etc. of the organization. Consider the Mission of Internal Audit that our Core Principles team wrote:

The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

However the bullets that support the Code’s first principle are excellent. I note that they reference “risk-based and objective assurance, advice, insight and foresight”.

GIAS has received a lot of criticism for mandating board and top management governance and oversight of internal audit. The Code repeats that in its second principle. Board governance should be addressed in a corporate governance code; this draft Code need not and arguably should not include it. I would eliminate that principle.

I like the 6^th and 7^th principles (with my highlights). They form the core of effective internal auditing!

6. Risk assessments and prioritisation of internal audit work.

In setting its scope, internal audit should form its own judgement on how best to determine internal audit coverage given the structure and risk profile of the organisation. It should take into account business strategy and should form an independent view of whether the key risks to the organisation have been identified, including emerging and systemic risks, and assess how effectively these risks are being managed. Internal audit’s independent view should be informed, but not determined, by the views of management, the risk function, or other control functions. In setting out its priorities and deciding where to carry out more detailed work, internal audit should focus on the areas where it considers risks to be higher.

Internal audit should make a risk-based decision as to which areas within its scope should be included in the internal audit plan. It does not necessarily have to cover all of the scope areas every year. Its judgement on which areas should be covered in the internal audit plan should be subject to approval by the board audit committee.

7. Internal audit coverage and planning.

Internal audit plans, including significant changes, should be approved by the board audit committee. Internal audit plans should be dynamic, updated timely, and have the flexibility to deal with unplanned events to allow internal audit to prioritise any work of importance and emerging risks. Changes to the internal audit plan should be considered in light of internal audit’s ongoing assessment of risk.

Principle 8 is long (I am not going to excerpt it here because of its length). It identifies a lot of areas that “should” be addressed.

But is that consistent with a risk-based approach?

I don’t think so.

Any area should only be included in scope where it is justified based on the level of risk to enterprise objectives!

I like the idea of principle 9:

Internal audit should be present at, and issue consolidated reports, to key governance committees, including the board audit committee and any other board committees as appropriate. The nature of the reports will depend on the remit of the respective governing bodies. Internal Audit should also issue relevant consolidated reports to the board risk committee and present as appropriate.

I have always been concerned that the CAE is not present for meetings of the Compliance Committee, Governance Committee, Strategy Committee, Technology Committee and so on. In fact, the CAE should probably attend certain board meeting discussions.

But another long principle, #10, on board reporting again strays into mandating more than may be required. The principle should be to tell them what they need to know, when they need to know, and do so concisely. While the many bullets are nice things to consider, we need to focus on telling them what they need, rather than what we want to say.

I do like #11:

At least annually, internal audit’s reporting to the board audit, board risk and any other board committees should include an overall opinion on the effectiveness of the governance, and risk and control framework of the organisation, and its overall opinion on whether the organisation’s risk appetite is being adhered to. This should support any Board disclosure on the company’s risk management and material controls and should highlight any significant weaknesses identified.

However, this Code is not limited to financial services so this should be removed: “overall opinion on whether the organisation’s risk appetite is being adhered to”. While internal audit should assess, as often as required based on risk, how management knows it is taking the right risks, internal audit should not be separately evaluating the level of risk that is being taken – even if that were possible, which it is not.

Principles 12-14 get into details that I am not persuaded are necessary. I would prefer that the Code be as concise as possible.

Section E contains several principles that are expressed well. I like them and will leave you to read and consider them.

Section F is supposed to cover whether internal audit has the necessary resources to fulfil its mission. It’s done well to a point. That point is that it fails to reference whether there are sufficient resources to address the more significant sources of risk (and opportunity) to the achievement of enterprise risks. It also says nothing about whether the staff are performing at desired levels.

Principle #29 is fine:

The board audit committee is responsible for approving internal audit’s performance objectives and evaluating the performance of the internal audit function on a regular basis. In doing so, it will need to identify appropriate criteria for defining the success of internal audit. This should include assessing internal audit’s value, impact, effectiveness and efficiency. Delivery of the internal audit plan should not be the sole criteria in this evaluation.

But #30 is not:

Internal audit should maintain an up-to-date set of policies, procedures, methodology and performance and effectiveness measures for the internal audit function. Internal audit should continuously improve these in light of industry developments.

Internal audit does not need to be burdened with unnecessary red tape and bureaucracy. It should have the policies and procedures necessary to perform well. Period!

31-33 talk about quality. I would far prefer a more principles-based description of the CAEs’s responsibility to ensure quality auditing. Period!

Coming back to the purpose of the Code:

The principles which follow are aimed at enhancing the overall impact and effectiveness of internal audit within organisations operating in the UK and Ireland. They are regarded as a benchmark of good practice against which organisations should assess their internal audit function.

…and my considerations:

• Whether it is necessary given the new Global Internal Audit Standards (GIAS).
• Whether its content is appropriate and desirable
• Whether it adds value to the profession and its practices

1. It adds content that is missing from GIAS, which I appreciate. It tends towards elevating the profession! It is also shorter and more concise, which is also excellent. Is it necessary? It is useful, yes – especially if they are modified as discussed above – but it shouldn’t be necessary if GIAS was more effective.
2. Some of the content is desirable, but there should be more about helping the leaders of the organization enhance the upside in addition to protecting against the downside. There is also content that could and should be removed. It is not sufficiently principles and risk based.
3. Will it add value? Yes.
4. Is it sufficient to assess the effectiveness of internal audit? It’s better than GIAS by a long way, but I think there is more to say on topics like enhancing the upside and ensuring the right team is in place.

I welcome your thoughts.

Addressing the risk from generative AI

McKinsey has shared with us some more useful insights and advice, this time in Implementing generative AI with speed and safety.

They tell us (with my emphasis):

Generative AI (gen AI) presents a once-in-a-generation opportunity for companies, with the potential for transformative impact across innovation, growth, and productivity. The technology can now produce credible software code, text, speech, high-fidelity images, and interactive videos. It has identified the potential for millions of new materials through crystal structures and even developed molecular models that may serve as the base for finding cures for previously untreated diseases.

McKinsey research has estimated that gen AI has the potential to add up to $4.4 trillion in economic value to the global economy while enhancing the impact of all AI by 15 to 40 percent. While many corporate leaders are determined to capture this value, there’s a growing recognition that gen AI opportunities are accompanied by significant risks. In a recent flash survey of more than 100 organizations with more than $50 million in annual revenue, McKinsey finds that 63 percent of respondents characterize the implementation of gen AI as a “high” or “very high” priority. Yet 91 percent of these respondents don’t feel “very prepared” to do so in a responsible manner.

That unease is understandable. The risks associated with gen AI range from inaccurate outputs and biases embedded in the underlying training data to the potential for large-scale misinformation and malicious influence on politics and personal well-being. There are also broader debates on both the possibility and desirability of developing AI in general. These issues could undermine the judicious deployment of gen AI, potentially leading companies to pause experimentation until the risks are better understood—or even deprioritize the technology because of concerns over an inability to manage the novelty and complexity of these issues.

However, by adapting proven risk management approaches to gen AI, it’s possible to move responsibly and with good pace to capture the value of the technology. Doing so will also allow companies to operate effectively while the regulatory environment around AI continues to evolve, such as with President Biden’s executive order regarding gen AI development and use and the EU AI Act. In addition, most organizations are likely to see the use of gen AI increase “inbound” threats (risks likely to affect organizations regardless of whether they deploy gen AI), particularly in fraud and cyber domains (early indications are that gen AI will be able to defeat standard antifraud biometric checks). Building fit-for-purpose risk management will help guard against these threats.

McKinsey goes on to list four steps. I’m not a fan of them, but you should consider them.

However, I do like their table that identifies “eight basic categories of generative AI risk”. I also encourage you to read how they recommend addressing each of those sources of risk.

Instead of repeating further what McKinsey is reporting (I leave you to read the article), I suggest these questions:

1. How are the leaders of your organization thinking of using gen AI? Do they have the right people involved and responsible for identifying and prioritizing all the opportunities? Are they taking a disciplined approach and getting everybody on the same page? Or is the potential use of gen AI scattered in silos?
2. Do they have a sufficient understanding not only of the technologies (and there are several competing ones from which to select) but also the challenges in implementing them?
3. Are the following all participating to an appropriate degree?
   • The Risk Officer
   • Information Security
   • Legal
   • IT QA
   • Internal Audit
   • Human Resources (to address the impact on personnel)
   • Strategic Planning
   • Any Internal Controls group, such as one responsible for SOX compliance
   • Government Relations (to monitor related potential and actual laws and regulations across the organization’s landscape)
4. Is there an appropriate process for not only identifying risks and opportunities, but balancing them?
5. Where appropriate, are actions being taken to optimize opportunities and address risks?
6. Is there the right level of board and top management oversight?

There has been talk about rushing to adopt and implement AI. Maybe ‘rushing’ is the same as being too hasty. It also implies that gen AI might be adopted in silos.

Discipline is needed, as is careful thought and planning.

I welcome your thoughts.

The second demand by audit committees of internal auditors

Last week I discussed The most important audit committee demand of internal audit as reported by Richard Chambers based on his interviews with 15 committee chairs.

Today, let’s talk about their second demand, which follows on from their first:

Express an overall opinion on the effectiveness of risk management and controls by “connecting the dots”.

Let’s be clear and honest about this: many if not most internal auditor leaders are reluctant to put themselves out on a limb and express an opinion on the overall condition of the system of internal control.

Reasons they provide (I will let you decide whether these are reasons or excuses, but be open about it – and I will discuss each momentarily) include:

• We don’t have the resources to address all the controls, even all the controls over significant risks to enterprise objectives.
• The audit committee does not expect us to do this.
• The IIA Standards do not require it.
• Others are not doing it.
• It’s too much of a risk to express a positive opinion. The most I can do is report any major findings.

Back in 2009, I was a member of the IIA’s Professional Issues Committee and five of us (Gilbert T. Radford; Bruce C. Sloan; Debbie E. H. Loxton; Norman D. Marks; and Trygve Sorlie) wrote an official IIA Practice Guide (PG), Formulating and Expressing internal audit opinions.

In 2016, the IIA published a far shorter Implementation Guide (IG), Standard 2450 – Overall Opinions.

Both are recommended guidance and worth reviewing.

While I was proud to have had a part in promoting overall opinions through the PG, it was significantly watered down to accommodate multiple dissenting views – people raising the issues listed above.

The IG is far clearer and has a lot of good language, including:

An overall opinion is the rating, conclusion, and/or other description of results provided by the chief audit executive (CAE) when addressing — at a broad level — governance, risk management, and/or control processes of the organization. An overall opinion is the professional judgment of the CAE based on the results of a number of individual engagements and other similar activities — such as reviews by other assurance providers — for a specific time interval.

The IIA loves to talk all the time about “governance, risk management, and/or control processes”. I think that is unnecessary and verbose. An effective system of internal control, as described in COSO’s Internal Control Framework (ICF), includes effective governance (in large part) and risk management.

Therefore, I always provided my opinion (which I did for about twenty years) on the system of internal control over the more significant risks to the achievement of enterprise objectives.

The IG also says (with my edits and emphases for readability):

• Overall opinions differ from conclusions in that a conclusion is drawn from one engagement, and an overall opinion is drawn from multiple engagements. Also, a conclusion is part of an engagement communication, while an overall opinion is communicated separately from engagement communications.
• The CAE then determines the scope of the overall opinion to be provided, including the time period to which the opinion relates, and considers whether there are any scope limitations.
• With this information in mind, the CAE can determine which audit engagements would be relevant to the overall opinion. All related engagements or projects are considered, including those completed by other internal and external assurance providers.
• …an overall opinion may be based on aggregate engagement conclusions at the organization’s local, regional, and national levels, along with results reported from outside entities such as independent third parties or regulators.
• The scope statement provides context for the overall opinion by specifying the time period, activities, limitations, and other variables that describe the boundaries of the overall opinion.
• Upon consideration of the relevant information, the CAE issues an overall opinion, using clear and concise language, and articulates how the opinion relates to the strategies, objectives, and risks of the organization.
• …the CAE decides how to communicate the overall opinion (verbally or in writing). Overall opinions are typically communicated in writing, although there is no requirement in the Standards to do so.
• It is important to note that the CAE is not required to issue an overall opinion; issuance of such an opinion is at the discretion of the organization and would be discussed with senior management and the board.

Now for the excuses (sorry, reasons):

1. Insufficient resources

We never have all the resources we need to address all the risks to enterprise objectives. But our audit plan (continuously updated) should be designed to address the more significant ones. The overall opinion needs to include language that makes it clear that it is based on the results of the engagements performed (including any performed by others, which I would include in an appendix) based on the risk-based audit plan.

This makes it doubly important to make sure that we are not using our scarce and valuable audit resources on risks and issues that will only ever matter to middle management.

We also need to be ruthlessly efficient, eliminating activities that don’t add value to our customer (even if required by the IIA Standards!)

2. The audit committee doesn’t require it

Maybe they should, and maybe they don’t think you are up to it. But if you did share one with them they will almost certainly value it.

3. The IIA Standards don’t require it

This is true, but the Standards don’t mandate every best practice – and I will say no more on that topic.

4. Others are not doing it

Also true. But that doesn’t mean we should not provide the audit committee with information they value very highly.

5. It’s a risk I don’t want to take

True that it is a risk, but I believe we have an obligation and the risk can be addressed.

Which brings me to how I did it at each of my very different companies for about twenty years.

Norman’s Tips

1. Start with the end in mind! Realize that an overall opinion is a great gift for the audit committee and top management. Build your audit plan accordingly. Include audits of the more significant sources of risk to the enterprise’s objectives and make sure you are not wasting scarce resources.
2. Make it clear in the opinion that it is based on the work performed, including (listed in an appendix) any work by others that you have relied upon. A typical example would be the work of the external auditors on financial reporting and related internal controls.
3. Explain that no system of internal control provides more than reasonable assurance. Refer to the exceptions in COSO ICF.
4. Consider all the assessments made over the period and update them with any progress made by management on major control weaknesses (as defined by COSO in their ICF).
5. Provide an opinion as of a specific date and discuss with management, first, whether they agree or disagree with it.
6. Consider adding other useful information, such as an overall opinion on the system of internal controls at major business units, or over compliance with applicable laws and regulations.
7. Remember that we are only taking about whether the system of internal controls provides reasonable assurance, and that this is your professional opinion.
8. Professionals provide opinions.

I welcome your thoughts.

Is this something you do? If so, how do you do it? If not, why not?