Audit Analytics has released some interesting statistics on financial restatements and SOX.
According to them, in 2015 about 5.3% of companies assessed their internal control over financial reporting (ICFR) as ineffective. This is down from 5.8% in 2014 but otherwise the highest level since 2008.
This is the key section of their report:
One criticism of SOX 404 is that many material weaknesses are not disclosed until after a company has restated its financial statements. The PCAOB found that 80.4% of companies with a restatement in 2014 did not have ineffective ICFR prior to the disclosure of the restatement. This raises doubts about whether SOX 404 has much of an effect.
The last statement is faulty logic.
SOX 404 is about the assessment at the end of the year.
The point here is that organizations had ineffective ICFR earlier in the year, presumably in earlier quarters.
Logically, this means that the certification per SOX 302 by the CFO and CEO that is included in the quarterly financial statements was wrong.
Let’s look at that certification. This is taken from the SEC’s Final Rule, Certification of Disclosure in Companies’ Quarterly and Annual Reports. I have highlighted the most relevant portion.
1. I have reviewed this quarterly report on Form 10-Q of [identify registrant];
2. Based on my knowledge, this quarterly report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this quarterly report;
3. Based on my knowledge, the financial statements, and other financial information included in this quarterly report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this quarterly report;
4. The registrant’s other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-14 and 15d-14) for the registrant and we have:
a) designed such disclosure controls and procedures to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this quarterly report is being prepared;
b) evaluated the effectiveness of the registrant’s disclosure controls and procedures as of a date within 90 days prior to the filing date of this quarterly report (the “Evaluation Date”); and
c) presented in this quarterly report our conclusions about the effectiveness of the disclosure controls and procedures based on our evaluation as of the Evaluation Date;
5. The registrant’s other certifying officers and I have disclosed, based on our most recent evaluation, to the registrant’s auditors and the audit committee of registrant’s board of directors (or persons performing the equivalent function):
a) all significant deficiencies in the design or operation of internal controls which could adversely affect the registrant’s ability to record, process, summarize and report financial data and have identified for the registrant’s auditors any material weaknesses in internal controls; and
b) any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal controls; and
6. The registrant’s other certifying officers and I have indicated in this quarterly report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of our most recent evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
Disclosure controls include internal control over financial reporting. This is how they are defined by the SEC:
“…controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports filed or submitted by it under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms. “Disclosure controls and procedures” include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in its Exchange Act reports is accumulated and communicated to the issuer’s management, including its principal executive and financial officers, as appropriate to allow timely decisions regarding required disclosure.”
If ICFR is not effective, then disclosure controls are not effective.
The CEO and CFO need to have a reasonable basis for their assessments of disclosure controls and ICFR.
If they know, or should know, that there were potential material weaknesses at the end of any quarter, they should not have signed the 302 certification as if there were none and ICFR and disclosure controls were effective.
This is what I recommend in Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization:
…prudence suggests that management:
- Has a reasonably formal, documented process for making the quarterly assessment that is included in the 10-Q and supports the Section 302 certifications.
  - I suggest that this can be included in the activities of the company’s disclosure committee, which most of the larger companies have established.
  - The process should include the assessment of all internal control deficiencies known to management, including those identified not only during management’s assessment process but also by either the external auditors in their Sarbanes-Oxley work or by internal audit in its various audit activities.
  - As discussed below, the system of ICFR must provide reasonable assurance with respect to the quarterly financial statements and the annual statements. The quarterly assessment is against a lower—typically one quarter the size—determination of what constitutes material.
  - The process and results should be reviewed and discussed with the CEO and CFO to support their Section 302 certifications.
- Confirms that the external auditors do not disagree with management’s quarterly assessment.
- Understands―which requires an appropriate process to gather the necessary information―whether there have been any major changes in the system of internal control during the quarter. A major change can include improvements and degradations in the system of internal control. While Section 302 only requires the disclosure in the 10-Q of a material weakness and the communication to the audit committee of a material or significant deficiency, the correction of a significant deficiency may be considered a major change and should be disclosed (see item #6 in the certification, above).
I welcome your comments.
My thanks to Maurice Gilbert, who shared news about guidance from the US Department of Justice (DOJ). It describes how investigators will assess an organization’s compliance program as part of an investigation into that company.
The DOJ Guidance, Evaluation of Corporate Compliance Programs, should be read and considered by all governance, compliance, risk, and audit practitioners.
Every organization should address every one of the Topics and underlying questions in the document.
Aspects I like include:
- A focus on not just the tone but the conduct at the top
- The stature, autonomy, empowerment, and funding of the compliance function
- An assessment of the risk management activity, although the questions are a bit shallow
- The independence and performance of investigations by the organization
- Whether managers as well as employees are held accountable, and who participated in disciplinary decisions and actions
- The role of internal audit
- The consideration of how the actions of third parties, for example in outsourced operations or by agents, could affect compliance
- Whether there is sufficient due diligence around compliance during M&A
While it would be easy to leave the assessment of compliance activities to internal audit, and I believe this is an area they should actively consider, senior management should take ownership of the need for an effective compliance program.
How does your organization stack up?
Would it pass an evaluation using this guidance?
Shouldn’t the board insist on a periodic assessment by executive management?
I welcome your comments.
It is easy to say that risk management should be embedded into business processes such as strategic planning. But is it that easy to accomplish in practice?
I think it’s fair to say that in most organizations they are quite separate.
I would also say that many times risk management focuses on harms and strategy on opportunities, almost as if one was a pessimist fearing the worst and the other a cock-eyed optimist hoping for the best.
My good friend, Dan Swanson, shared a link to a series of questions about strategic planning from the consultancy firm of Bain & Company.
Is your strategic planning world class has twelve questions, each of which is relevant and useful.
Please go through the twelve and come back here for further discussion.
So, did you see any mention of risk or risk management?
Did you see any indication that risk is embedded in any way into strategic planning?
Let’s consider another source, another major consultancy firm, McKinsey. In 2007, they published How to improve strategic planning.
Have a quick look.
Correct. No mention of risk management.
One final source, the Boston Consulting Group. Four best practices for Strategic Planning.
I will pause while you check it out.
So, none of these major management consulting companies mention risk management.
Is that because they don’t understand its value and how it should be integrated or embedded into strategic planning?
So how does a risk officer get involved? How can he or she ensure that risk is considered?
Well, to me it starts with the same point I have been making for a long time now.
STOP TALKING ABOUT RISK
Risk is a word that blocks thinking. While risk officers understand that it is about helping people make better decisions and achieve their objectives (exemplified by the organization’s stated strategies), executives see it as a compliance activity that is focused on avoiding harm.
There’s a huge difference between avoiding harm and achieving objectives.
If you want to eliminate cyber risk, destroy all your computers.
In real life, we have to take risks – and the key is to take the right level of the right risks.
A risk practitioner can bring the discipline, process, and tools that are associated with risk management to strengthening the strategic planning process.
If I were CRO, I would work with the CEO/COO and head of strategy to answer these questions:
- What assumptions have been made in defining the (internal and external) business environment and how it will change over the next period? What is the level of confidence in them?
- What has and will be done to confirm, monitor, and (to the extent possible) realize the assumptions? Can the likelihood of realizing the assumptions be improved?
- How confident are you in the quality of the information being used to understand the business environment and its future? Can that be improved?
- How were the potential consequences of each strategic option assessed? Were the likelihoods of each level of achievement estimated with confidence? Is the likelihood of the desired set of consequences at an acceptable level?
- Were potential adverse situations or events considered? How were they assessed?
- How were potential adverse and positive effects and outcomes assessed in aggregate?
- What is the level of confidence that the strategies will be achieved to the level of the goals and targets that have been set?
- Is that level of confidence acceptable? What can and will be done to improve it?
- Will performance against targets be measured in a way that incorporates changes in the potential for both positive and adverse effects in the future?
- Can strategies and targets be modified as conditions now and expected in the future change?
I am sure there are more questions that can be asked. What should be added?
I welcome your thoughts.
Anthony Fitzsimmons recently sent me a review copy of his new book, Rethinking Reputation Risk. He says that it “Provides a new perspective on the true nature of reputational risk and damage to organizations and traces its root causes in individual and collective human behavior”.
I am not sure that there is much that is new in the book, but if you want to understand how human behavior can be the root cause (in fact, it is very often the root cause) of problems for any organization, you may find it of interest.
The authors (Fitzsimmons and Professor Derek Atkins) describe several case studies where human failures led to serious issues.
Humans as a root cause is also a topic I cover in World-Class Risk Management.
As I was reading the book, I realized that I have a problem with organizations placing separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.
The same thing applies to cyber risk and even compliance risk.
They are all dominoes.
A case study:
- There is a possibility that the manager in HR that recruits IT specialists leaves.
- The position is open for three months before an individual is hired.
- An open position for an IT specialist who is responsible for patching a number of systems is not filled for three months.
- A system vulnerability remains open because there is nobody to apply a vendor’s patch.
- A hacker obtains entry. CYBER RISK
- The hacker steals personal information on thousands of customers.
- The information is posted on the Internet.
- Customers are alarmed. REPUTATION RISK
- Sales drop.
- The company fails to meet analyst expectations for earnings.
- The price of the company’s shares drops 20%.
- The CEO decides to slash budgets and headcounts by 10% across the board.
- Individuals in Quality are laid off.
- Materials are not thoroughly inspected.
- Defective materials are used in production.
- Scrap rates rise, but not all defective products are detected and some are shipped to customers.
- Customers complain, return products and demand compensation. REPUTATION RISK
- Sales drop, earnings targets are missed again, and …
- At the same time as the Quality staff is downsized, the capital expenditure budget is cut.
- The Information Security Officer’s request for analytics to detect hackers who breach the company’s defenses is turned down.
- Multiple breaches are not detected. CYBER RISK
- Hackers steal the company’s trade secrets.
- Competitors acquire the trade secrets and are able to erode any edge the company may have.
- The company’s REPUTATION for a technology edge disappears. REPUTATION RISK
- Sales drop. Earnings targets are not achieved, and …
It is true that every domino and the source of risk to its stability (what might happen) needs to be addressed.
But, focusing on one or two dominoes in the chain is unlikely to prevent serious issues.
One decision at a low level in the company can have a domino effect.
I welcome your comments.
The Ponemon Institute, which I have previously referred to in my posts as the publisher of reports on cyber, recently shared the results of their survey on risk management.
The Imperative to Raise Enterprise Risk Intelligence: Inside the Promise & Pitfalls of Enterprise Risk Management has some interesting content.
The results are disturbing, but unfortunately what I had anticipated.
It is important to note that the 641 who answered the survey were involved in risk management within their organization. So the results are skewed towards having some level of formalized risk management. In other words, they are better than the general population. It is also important to recognize that most of the respondents are IT folk and some of the questions reflect the author’s IT orientation as opposed to a general business one.
The report, as so many, has to define risk management in its own way. But, frankly, it’s not bad. They break it down into risk management and risk intelligence.
In the context of this research we define enterprise risk management as the application of rigorous and systematic analysis techniques to the evaluation of risks that impact the whole organization including information assets and IT infrastructure. Cyber risk management is considered a component of enterprise risk management.
We define enterprise risk intelligence as the insight necessary to drive actionable business decisions related to governance, risk and compliance. It is the organization’s ability to think holistically about risk and uncertainty, speak a common risk language, and effectively use realtime information and forward-looking risk concepts and tools to maximize business performance.
Ponemon tells us that only 24% of respondents said they have a risk management strategy that is clearly defined and pertains to the entire enterprise. They don’t define what they mean by a risk management strategy, so I can’t comment further.
But this is key.
“…only 43 percent of respondents say enterprise risk intelligence integrates well with the way our business leaders make decisions.”
I have to wonder whether the business leaders would agree with that assessment by the risk practitioners!
This adds fuel to that fire.
“A lack of collaboration among organizational functions is a barrier to an effective enterprise risk management program. 53 percent of respondents say their finance, operations, compliance, legal and IT functions do not collaborate on enterprise risk management activities. Only 8 percent of respondents say these functions fully collaborate in enterprise risk management activities.”
A lack of resources and an inadequate budget are identified as barriers.
But here is the key question.
If the leaders of the organization are not persuaded that risk management is adding value by enabling success, and believe that there are better ways to invest scarce resources, why should we be surprised that the risk management activity is under-funded?
This is demonstrable when “30 percent of respondents say no one person has overall responsibility to ensure the risk management program is well executed”.
The Appendix contains some valuable pieces of information. Here are two:
- Only 32% say their organization has a very significant commitment to enterprise risk management.
- On a scale of 1 (low) to 10 (high), just 14% of the respondents rated the effectiveness of their risk management activity as a 9 or 10.
So what do we make of this?
Let’s start with some unpleasant facts!
- Our business leaders are not idiots. If they have not invested in risk management, there’s a reason! They are not convinced it will help them succeed. They see it as a compliance activity that costs time and money, checks the box for the board and regulators, but doesn’t help them be successful.
- If they saw risk management as helping them make better decisions, you can bet they would invest in it!
- They can be persuaded, not by words but by action.
- Risk practitioners too often are focused on managing risks instead of achieving business objectives. There’s a huge difference.
- Risk practitioners don’t connect with business executives because they talk technobabble instead of the language of the business. A discussion of risk appetite or a risk appetite framework is not something that any executive focused on results will want to attend.
- The traditional approach to risk management, a list of top risks, is not going to work. It hasn’t worked for decades so why should it now?
- Satisfying the board but not top management is not a recipe for long-term success.
- The risk practitioner has to think out of the box. Understand what the company’s leaders need to be successful and make intelligent and informed decisions, then deliver it.
I welcome your comments.
We are used to identifying a risk, analyzing the potential consequences and their likelihood, and then establishing a ‘risk level’. We evaluate whether the level of risk is acceptable or not, based on risk appetite, risk criteria, or the like.
But is that sufficient?
Let’s imagine we are planning a trip from our home in Paris to Lyon. The plan is to take a taxi to the train station and then a fast train to Lyon. An uncle will meet the train and bring us to his home, where we will spend a few days.
You and your spouse assess the risks.
There’s a possibility that either of you or the kids will get sick. You assess that risk as low but will monitor it as the date gets closer.
Strikes in Paris are always a possibility and you are vulnerable to either a taxi or train strike. In addition, if the Metro workers go on strike finding a taxi will be hard. Again, you accept the risk but agree to monitor it.
Other risks include the possibility that your uncle or members of his family will be sick, or that either you or your spouse will be called into work to handle an emergency.
Overall, though, the risks are each assessed as low but need to be watched.
The week before the trip, two of your children start to show the symptoms of a bad cold. You are at home looking after them and have to make a decision. Will there be time to treat them so that it’s ok to travel rather than stay home? You decide that more likely than not they will recover in time and the risk is acceptable.
But meantime, your spouse is hearing from a manager that there’s a decent chance (maybe 30%) that a potential major deal will close in a couple of days. If that happens, you will need to cancel the vacation. Your spouse decides that the risk is acceptable.
That evening, you get together and share your assessments of the individual risks.
While each may be acceptable individually, the combination troubles you. You decide to check the weather and see that there’s a 30% chance of rain in Lyon for each of the days you will be there.
Overall, you decide it is better to cancel. The overall situation is not to your liking. You are not going to take the risk.
The same thing can happen with a business situation.
If your company is considering opening an office in Japan, you might identify a number of risks such as:
- Inability to hire Japanese-speaking employees with the experience and contacts necessary to make the new office a success
- The ‘stickiness’ of Japanese companies when it comes to being open to buying products from you rather than their traditional Japanese vendors
- The ability to deliver products to the Japanese market, given the long supply chain from your factories in Europe
- The level of competition from your competitors, including the possibility of their lowering prices to keep you out
- Your unfamiliarity with Japanese customs and regulations, leading to potential compliance risk
- The increase in cyber risk from extending the network into Japan, especially as you expect the staff there to need Japanese language cloud-based systems
- The additional cost of providing materials in the Japanese language
- The ability to find warehouses with the necessary conditions to support sales in Japan
Each of these might be assessed separately, perhaps by different teams.
While each may seem to be individually acceptable, it is possible that the aggregate effect is such that there’s an unacceptable level of risk of failure.
Why is this important?
A risk register or heat map that focuses on individual risks does not easily support business decisions like this.
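To make the aggregation point concrete, here is an added example (not from the original post) that treats the Paris-to-Lyon trip story and the Japan office list the same way: each risk is judged against an individual threshold, and then the probability that at least one of them materializes is computed and judged against the same threshold. The probabilities, the 45% threshold, the three-day stay and the assumption that the risks are independent of each other are all constructed for illustration; correlated risks (the dominoes of the earlier post) need a joint model rather than this simple product.

```python
from math import prod

# Constructed example inputs: probability that each risk forces cancellation
# of the trip. Values are made up to mirror the story above.
TRIP_RISKS = {
    "children still ill on travel day": 0.40,
    "spouse's deal closes and cancels the vacation": 0.30,
    "taxi, train or Metro strike": 0.10,
    "uncle's family ill": 0.05,
}

# Assumed threshold: a risk is "acceptable" below this probability,
# whether looked at on its own or for the trip as a whole.
ACCEPTABLE = 0.45


def at_least_one(probabilities):
    """Probability that at least one of several events occurs.

    Assumes the events are independent (an assumption of this example);
    correlated risks need a joint model.
    """
    return 1.0 - prod(1.0 - p for p in probabilities)


def rain_on_some_day(daily_probability, days):
    """Chance of rain on at least one day of a stay, given a per-day chance."""
    return at_least_one([daily_probability] * days)


def assess(risks, threshold=ACCEPTABLE):
    """Compare the per-risk view with the aggregate view of the same risks."""
    aggregate = at_least_one(risks.values())
    return {
        "each_risk_acceptable": all(p <= threshold for p in risks.values()),
        "aggregate_probability": round(aggregate, 4),
        "aggregate_acceptable": aggregate <= threshold,
    }


if __name__ == "__main__":
    result = assess(TRIP_RISKS)
    for name, p in TRIP_RISKS.items():
        print(f"{name:48s} {p:.0%}  acceptable={p <= ACCEPTABLE}")
    print(f"probability the trip is cancelled: {result['aggregate_probability']:.1%}")
    print(f"aggregate acceptable: {result['aggregate_acceptable']}")
    print(f"rain on at least one of 3 days at 30% per day: {rain_on_some_day(0.3, 3):.1%}")
```

Every entry in the constructed list passes the individual test, yet the chance that at least one of them cancels the trip comes out at roughly 64%, which is exactly the situation the post describes: a register or heat map that scores each line separately never surfaces that number. The same function applied to the Japan office risks, with whatever probabilities the separate teams assign, gives the decision-maker the aggregate view those teams cannot produce individually.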
Your thoughts? How do you address this?
Are you helping decision-makers understand the
My friend and sometime colleague Rick Steinberg has penned an amusing but spot-on piece that was recently published in Compliance Week.
Ten simple ways to manage risk … or not is a quick way to test whether you have an adult’s or a child’s risk management program.
Does your risk management activity ‘check the box’, or does it help the organization succeed by making more intelligent and informed decisions?
Tell me what you think of Rick’s ten. Here are some of my own, in addition to his excellent ones:
- Be satisfied with the periodic review of a list of risks
- Separate the discussions of strategy, performance, and risk
- Ignore the fact that risk is created or modified with every decision
- Don’t question how people make decisions, whether they do so in a disciplined manner that considers what might happen
- Believe that an enterprise risk appetite statement drives decisions and risk-taking at all levels of the extended enterprise
- Fail to assess the reliability of your risk management practices
Let me expand on the latter, a principal theme of World-Class Risk Management.
If you follow the principle that you set objectives, identify risks to those objectives, then ensure that there are measures in place to provide reasonable assurance that the objectives will be met, then we have objectives for risk management. They include:
- Identify the more significant risks to the achievement of enterprise objectives
- Analyze the risks to determine their potential effects (consequences) and the likelihood of those consequences
- Evaluate the risks (individually and in aggregate) to each objective and determine whether they are acceptable
- Respond when the risks are at unacceptable levels
- Monitor the condition of controls to ensure that the likelihood and extent of a failure in controls continues to be at acceptable levels
- Communicate risk information to all who need it, when and how they need it
- Manage all of the above at the speed of risk
There are risks to the achievement of these objectives. In the book, I reference a number of sources of risk, such as:
- Unreliable information
- Failing to involve all the necessary people
- Failing to communicate to decision-makers guidance that will help them take the right level of the right risks
- And many more
Few self-assess their risk management program. Where internal audit assesses it, I believe they focus more often on compliance with policy than on the level of risk that risk management will fail.
So, let me leave you with a couple of questions.
- What other signs are there that you have messed up your risk management program?
- Have you defined the objectives of your risk management activity, identified and assessed the risks to their achievement, and reported your assessment to executive management and the board?