PwC’s latest Risk In Review study makes some very interesting points. It carries the title of “Managing risk from the front line” and I recommend downloading and reading it.
I like how it begins (with emphasis added):
Today a collaborative approach to risk management with risk accountability sitting squarely in the first line of defence can be the key to greater organisational resiliency and growth. That means an engaged first line that makes risk decisions in alignment with strategy. It means a proactive second line that influences decision making through effective challenge and timely consultation and collaboration. And it means a diligent, independent third line focused on its core missions of protecting the organisation and delivering value.
This recognizes that risk is being taken every hour of every day by decision-makers across the extended organization.
This is emphasized in a quote:
Melissa Lea, SAP AG chief global compliance officer, says that at her organisation, that direct connection is paramount. “We’re very first-line heavy. The more we can get risk responsibility out into the field—first into management’s hands and then to employees to make sure they’re armed with the right expectations to make the right decisions—the more successful we’ll be. We try to get people—either on the ground, in-country, or with the best lines of sight into how a particular risk might materialise—to really own that mitigation approach.”
Is the report perfect? No. For example, they still seem to believe that a risk appetite statement can drive the business decisions that take risk at all levels of the organization. I don’t.
They also don’t emphasize reporting to top management and the board the likelihood of achieving each and all enterprise objectives (i.e., the aggregate effect of risk, positive and negative in terms of the likelihood of success).
But let’s give them some credit for the pieces they got right and hope the emphasis on decision-making extends to the update of the COSO ERM Framework.
I welcome your thoughts.
If you want the internal audit team to address the risks that matter to the success of the organization, they have to know what they are.
I addressed this in detail in Auditing that matters.
In the section on Being Present, I said:
Some internal audit departments live in an ivory tower, part of a corporate organization that is at the center of the enterprise. While there are advantages in being at the center, with information flowing in and with access to corporate officers and executives, the disadvantage is that you may not know what is really happening in the business – where the front lines extend across the globe and the men and women in the trenches feel disconnected with the corporate bureaucracy.
I like to have my office in the headquarters area, but I put my staff where the action is. When business units are headquartered in other areas of the country or the globe, those are where I position my direct reports.
For example, at Tosco we had multiple refineries. Each was a major operation in itself, so I had staff located there. But, my director for the Tosco Refining Company was based at that division’s headquarters in New Jersey and the director for the Marketing Company was at their HQ in Tempe, Arizona. At Business Objects, we had a regional structure; I was at the California office, co-located with the CEO and CFO. But I also had staff in the Vancouver, Paris and Singapore offices, co-located with the Americas, Europe, and Asia/Pacific executives.
I require my direct reports to build a strong relationship with the management of the areas they are responsible for. They attend those executives’ staff meetings and have periodic one-on-one meetings with them. They are part of the local management team in some ways, dedicated to helping that part of the business succeed, although they retain their organizational independence and objectivity.
When they are present, when they are seen, they are able to listen.
My experience is that people will think of coming to you, whether to provide information or to seek advice, if they see you. If they don’t see you, the likelihood they will call on you is significantly diminished.
At Solectron, my team was scattered across the organization – again, to remain in touch with the pulse of the organization.
One of my team, Jeff Mullis, was based in Charlotte, North Carolina. On one of my visits to Charlotte, I arrived outside Jeff’s office a few minutes early for a scheduled meeting with him. As I neared his office, I heard voices inside. I waited outside while he finished the meeting he was having with two members of local management; it was clear that they had come to him for advice on an operational issue (he had been in local operating management prior to joining the audit team).
When they left and I entered his office, Jeff apologized for keeping me waiting. He asked if I had a problem that he spent time talking to local management like this rather than spending all his time on assigned audit engagements. My reply was to congratulate him!
I was very pleased that he had retained his connections with operating management and made himself available when they needed his advice and insight (that ‘magic’ word, again). He knew what was going on in the business, had his finger on the pulse, and as a result could not only be a more effective auditor but help the entire internal audit team understand the risks and opportunities across the organization.
If you want to address the risks that matter to the success of the organization, you have to do more than listen to the members of the board and executive management team.
You have to, using the words of Tom Peters, “talk to the janitor”.
The members of the audit team have to be where the action is, where the risks are being taken, and where the front lines are in manufacturing, sales, procurement, and so on.
How can we expect an occasional visit to help us understand what is really happening? Is it sufficient for the CAE or an audit manager to fly in once a quarter to talk to local management?
Let’s face it: most internal audit “findings” are where they find that what is happening in real life is different from what those in the ivory tower believe is happening.
I do not believe it is advisable to base the audit plan on input and advice from the top and then go audit to find out the risks are different, or at least managed differently.
The audit plan should reflect reality, not ivory tower beliefs.
How confident are you that your audit plan addresses the risks as they appear in the front lines?
Is that acceptable? If not, what are you doing about it?
I welcome your comments.
My friend Richard Chambers has written a couple of posts that merit our careful attention.
Frankly, all of his posts merit our attention, but these are important.
I ask that you review:
- The State of Internal Audit: Facts vs. Conjecture, and
- For Internal Audit, the Best Defense Is a Strong Offense
I have not spoken to Richard about either of his posts nor about his motivation for writing them. (See Note at conclusion.)
However, I suspect that they were sparked by articles such as this, Internal Audit Losing Prestige, Survey Finds. To quote that piece:
In the eyes of CFOs and many other senior executives and board members, the internal audit function is fast losing prestige, a new study suggests.
The reason? Most internal auditors are slow to help their employers prepare for and respond to major corporate “disruptions” like big regulatory changes and cyber attacks, according to PwC’s 2017 State of the Internal Audit Profession Study.
The portion of “stakeholders” — internal auditors, senior executives, and board members — reporting that “internal audit adds significant value” plummeted from 54% in 2016 to 44% in 2017, reaching the study’s lowest level in the five years PwC has been tracking the metric.
Tim Leech of Risk Oversight was more gloomy about the current state of internal audit when he wrote a piece with the highly provocative title of Is Internal Audit the next Blackberry.
Full disclosure requires that I tell you that I have known both Richard and Tim for a very long time.
- Richard and I come from different backgrounds but tend to see things in similar ways (while he served as CAE in the US public sector, I served as CAE for global public companies; he worked with PwC in the consulting and audit services area before becoming CEO and President of the IIA, while I started my career with PwC in public accounting). His position requires him to be diplomatic while I tend to be more provocative. I served many years on IIA committees and task forces and Richard and I have collaborated on a number of AuditChannel broadcasts.
- Tim and I also have different backgrounds. While he also started with PwC (in Canada) before moving into internal audit, he has been a consultant for the last 30 years. Tim and I often disagree but have a mutual respect. Recently he has shared drafts of his work with me for comment before they are published.
Richard is far more provocative than usual in his March 27 post when he says:
It is a truism that negative news tends to generate more attention, and of late there has been too much of it directed at internal audit. I wouldn’t go so far as to characterize it all as “fake news,” but much of it is “hyped news” at best. Whether it’s a media headline trumpeting a purported decline in stakeholder confidence in internal audit or pundits characterizing the profession in such stark terms as the next Blackberry, a few sensational “sound bites” can easily become fodder for those who are quick to relegate the profession to irrelevancy.
Naturally, Tim sees this as labeling his writing as “fake news”.
Richard is 100% correct when he states:
No one has been more open and transparent about challenges and opportunities facing our profession than I have been. Along with other leaders of The IIA, we have continuously challenged internal auditors to acknowledge and address any shortcomings that surface. Internal audit should never shy away from fair critique of its work. However, superficial interpretation of data about the profession can quickly morph from valid encouragement for continuous improvement to destructive criticism.
Equating survey results indicating that less than half the respondents believe “internal audit adds significant value” with a loss of prestige is fallacious. The fact that internal audit functions are able to add staff may indicate that they are being given more resources so they can do more and add greater value.
I don’t believe internal audit is “losing prestige”. My belief is that internal audit can and should do more to deliver the value that our stakeholders need.
Unfortunately, internal audit at many if not most organizations does not have a lot of prestige and the argument should be about increasing rather than losing it.
Let’s look at some more information.
My friend Joe McCafferty of MISTI recently wrote about comments by a panel that included other friends, Larry Harrington and Angela Wizany, along with Brian Christensen of Protiviti. Joe’s piece is titled Stakeholders are sending a clear message to internal audit to step up its game.
I strongly recommend reading the piece and noting the eight action items.
One quote by Brian caught my eye:
Stakeholders are challenging us to get out of our swim lanes. We as auditors are so accustomed to doing our behaviors. We have our audit plans, we have our pencils. But [stakeholders] talked to us about the fact that things change. Be adaptable, be flexible, and be receptive to embracing new challenges and taking them on.
I have worked with IIA Malaysia in the past, including talking on their behalf to the Malaysia Securities Commission and presenting to board members. The profession appears to be strong there, but a recent survey indicates that more is needed.
An article in the local business newspaper reported that:
Public listed companies (PLCs) in the country still have much room to strengthen their internal audit functions, according to a year-long survey commissioned by the Institute of Internal Audit Malaysia (IIAM).
In a statement, IIAM said 54% of the PLCs on the Main Market preferred to outsource their internal audit function and almost all (90%) of these PLCs that outsourced paid RM100,000 or less in a year.
“The amounts incurred indicate that very junior staff or very few staff were in the audit team and a limited scope was covered. The low amounts are also a sign that the staff are not professional staff and may not have the experience and skillset to effectively carry out the work, thus less is spent,” the institute said.
“PLCs should consider the professional qualifications, certification and experience of their OSPs (outsourced service providers) in relation to the scope of the work required to ensure adequate coverage of risk areas and reliable reports are issued.”
Tim has every right to challenge the current state of internal auditing and I know Richard respects that.
I don’t agree with Tim’s reference to a “direct report internal audit paradigm”. While he has explained what he means to me in private conversation, I strongly doubt that many know what he is referring to. However, I do agree that internal audit should provide assurance on the effectiveness of risk management and its ability to help the organization make intelligent decisions and achieve objectives.
There is some merit to Tim’s thinking, but I always struggle with the way he says it. (Sorry, Tim).
Nevertheless, we need people like Tim to challenge us.
Now is the time to step back and think about why the surveys are saying what they are saying, and then talk about what needs to be done about it.
Richard and I have both shared our views with new books.
- Auditing that matters takes on the issue of auditing the risks that really matter to the success of the organization and then sharing with executive management and the board what they need to know.
- Trusted Advisors: Key Attributes of Outstanding Internal Auditors discusses the “top attributes needed to excel as an internal audit professional and be viewed as the go-to person within the entity”.
I would like to think that between us we have charted a way forward.
Internal auditors need to be “proactive” and “forward-looking” according to our Principles for Effective Internal Auditing.
Let’s adopt that mindset for our own practices and profession.
Forward ho! The future is bright. Internal auditing in 2020 and beyond may well be quite different than it has been in the past.
I welcome your comments.
NOTE: I shared a draft of this post with both Richard and Tim. Neither has a concern, although Tim and I remain at odds over his terminology and perhaps more.
For quite a few years, the people at the Enterprise Risk Management Initiative have researched and provided reports on The State of Risk Oversight: An Overview of Enterprise Risk Management Practices.
In February, they published the 8th edition of their report.
I have covered their reports in the past, highlighting:
- According to the authors, very few organizations have what they consider to be “mature” or “robust” risk management processes.
- They don’t provide detail on what they consider constitute “mature” or “robust” risk management processes. My educated guess is that they leave it to the respondents to form their own definition.
- It seems that their idea of risk management is maintaining an “inventory” of risks (i.e., a risk register), updating it every so often, and reviewing it at board and executive management meetings.
There is some useful information in the report.
But does it add value to continue to focus on practices that don’t work?
All the surveys, including this one, report that executives do not believe risk management practices at their organization are making a significant contribution to the development and execution of their strategies.
Here, they found that “Only about one-quarter of the respondents describe their ERM processes as an important strategic tool with no real differences in that assessment across types of organizations.”
When your risk management processes are designed to identify risks rather than to assess the likelihood of achievement of objectives and then do something to increase the likelihood and extent of success, are they doing what is really needed?
When you think that risk management needs to be “integrated” with strategic planning instead of acknowledging that strategic planning already includes the consideration of what might happen and what we should do about it, I think you are wrong.
Effective strategic planning is not a separate activity from strategic risk management!
So, is this report useful or useless?
Is the traditional practice of risk management, where a risk register is maintained and discussed, useful or useless?
Is it just a compliance exercise (the view of most executives) that ‘ticks the box’?
Rather than track and monitor the maturity of practices that don’t work, let’s figure out what will work.
We need practices that will:
- Inform and enable more intelligent decisions
- Increase the likelihood and extent of success
Right or wrong?
I welcome your thoughts.
Audit Analytics has released some interesting statistics on financial restatements and SOX.
According to them, in 2015 about 5.3% of companies assessed their internal control over financial reporting (ICFR) as ineffective. This is down from 5.8% in 2014 but otherwise the highest level since 2008.
This is the key section of their report:
One criticism of SOX 404 is that many material weaknesses are not disclosed until after a company has restated its financial statements. The PCAOB found that 80.4% of companies with a restatement in 2014 did not have ineffective ICFR prior to the disclosure of the restatement. This raises doubts about whether SOX 404 has much of an effect.
The last statement is faulty logic.
SOX 404 is about the assessment at the end of the year.
The point here is that organizations had ineffective ICFR earlier in the year, presumably in earlier quarters.
Logically, this means that the certification per SOX 302 by the CFO and CEO that is included in the quarterly financial statements was wrong.
Let’s look at that certification. This is taken from the SEC’s Final Rule, Certification of Disclosure in Companies’ Quarterly and Annual Reports. I have highlighted the most relevant portion.
1. I have reviewed this quarterly report on Form 10-Q of [identify registrant];
2. Based on my knowledge, this quarterly report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this quarterly report;
3. Based on my knowledge, the financial statements, and other financial information included in this quarterly report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this quarterly report;
4. The registrant’s other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-14 and 15d-14) for the registrant and we have:
a) designed such disclosure controls and procedures to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this quarterly report is being prepared;
b) evaluated the effectiveness of the registrant’s disclosure controls and procedures as of a date within 90 days prior to the filing date of this quarterly report (the “Evaluation Date”); and
c) presented in this quarterly report our conclusions about the effectiveness of the disclosure controls and procedures based on our evaluation as of the Evaluation Date;
5. The registrant’s other certifying officers and I have disclosed, based on our most recent evaluation, to the registrant’s auditors and the audit committee of registrant’s board of directors (or persons performing the equivalent function):
a) all significant deficiencies in the design or operation of internal controls which could adversely affect the registrant’s ability to record, process, summarize and report financial data and have identified for the registrant’s auditors any material weaknesses in internal controls; and
b) any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal controls; and
6. The registrant’s other certifying officers and I have indicated in this quarterly report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of our most recent evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
Disclosure controls include internal control over financial reporting. This is how they are defined by the SEC:
“…controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports filed or submitted by it under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms. “Disclosure controls and procedures” include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in its Exchange Act reports is accumulated and communicated to the issuer’s management, including its principal executive and financial officers, as appropriate to allow timely decisions regarding required disclosure.”
If ICFR is not effective, then disclosure controls are not effective.
The CEO and CFO need to have a reasonable basis for their assessments of disclosure controls and ICFR.
If they know, or should know, that there were potential material weaknesses at the end of any quarter, they should not have signed the 302 certification as if there were none and ICFR and disclosure controls were effective.
This is what I recommend in Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization:
…prudence suggests that management:
Has a reasonably formal, documented process for making the quarterly assessment that is included in the 10-Q and supports the Section 302 certifications.
- I suggest that this can be included in the activities of the company’s disclosure committee, which most of the larger companies have established.
- The process should include the assessment of all internal control deficiencies known to management, including those identified not only during management’s assessment process but also by either the external auditors in their Sarbanes-Oxley work or by internal audit in its various audit activities.
- As discussed below, the system of ICFR must provide reasonable assurance with respect to the quarterly financial statements and the annual statements. The quarterly assessment is against a lower—typically one quarter the size—determination of what constitutes material.
- The process and results should be reviewed and discussed with the CEO and CFO to support their Section 302 certifications.
Confirms that the external auditors do not disagree with management’s quarterly assessment.
Understands―which requires an appropriate process to gather the necessary information―whether there have been any major changes in the system of internal control during the quarter. A major change can include improvements and degradations in the system of internal control. While Section 302 only requires the disclosure in the 10-Q of a material weakness and the communication to the audit committee of a material or significant deficiency, the correction of a significant deficiency may be considered a major change and should be disclosed (see item #6 in the certification, above).
I welcome your comments.
My thanks to Maurice Gilbert, who shared news about guidance from the US Department of Justice (DOJ). It describes how investigators will assess an organization’s compliance program as part of an investigation into that company.
The DOJ Guidance, Evaluation of Corporate Compliance Programs, should be read and considered by all governance, compliance, risk, and audit practitioners.
Every organization should address every one of the Topics and underlying questions in the document.
Aspects I like include:
- A focus on not just the tone but the conduct at the top
- The stature, autonomy, empowerment, and funding of the compliance function
- An assessment of the risk management activity, although the questions are a bit shallow
- The independence and performance of investigations by the organization
- Whether managers as well as employees are held accountable, and who participated in disciplinary decisions and actions
- The role of internal audit
- The consideration of how the actions of third parties, for example in outsourced operations or by agents, could affect compliance
- Whether there is sufficient due diligence around compliance during M&A
While it would be easy to leave the assessment of compliance activities to internal audit, and I believe this is an area they should actively consider, senior management should take ownership of the need for an effective compliance program.
How does your organization stack up?
Would it pass an evaluation using this guidance?
Shouldn’t the board insist on a periodic assessment by executive management?
I welcome your comments.
It is easy to say that risk management should be embedded into business processes such as strategic planning. But is it that easy to accomplish in practice?
I think it’s fair to say that in most organizations they are quite separate.
I would also say that many times risk management focuses on harms and strategy on opportunities, almost as if one was a pessimist fearing the worst and the other a cock-eyed optimist hoping for the best.
My good friend, Dan Swanson, shared a link to a series of questions about strategic planning from the consultancy firm of Bain & Company.
Is your strategic planning world class has twelve questions, each of which is relevant and useful.
Please go through the twelve and come back here for further discussion.
So, did you see any mention of risk or risk management?
Did you see any indication that risk is embedded in any way into strategic planning?
Let’s consider another source, another major consultancy firm, McKinsey. In 2007, they published How to improve strategic planning.
Have a quick look.
Correct. No mention of risk management.
One final source, the Boston Consulting Group. Four best practices for Strategic Planning.
I will pause while you check it out.
So, none of these major management consulting companies mention risk management.
Is that because they don’t understand its value and how it should should be integrated or embedded into strategic planning?
So how does a risk officer get involved? How can he or she ensure that risk is considered?
Well, to me it starts with the same point I have been making for a long time now.
STOP TALKING ABOUT RISK
Risk is a word that blocks thinking. While risk officers understand that it is about helping people make better decisions and achieve their objectives (exemplified by the organization’s stated strategies), executives see it as a compliance activity that is focused on avoiding harm.
There’s a huge difference between avoiding harm and achieving objectives.
If you want to eliminate cyber risk, destroy all your computers.
In real life, we have to take risks – and the key is to take the right level of the right risks.
A risk practitioner can bring the discipline, process, and tools that are associated with risk management to strengthening the strategic planning process.
If I were CRO, I would work with the CEO/COO and head of strategy to answer these questions:
- What assumptions have been made in defining the (internal and external) business environment and how it will change over the next period? What is the level of confidence in them?
- What has and will be done to confirm, monitor, and (to the extent possible) realize the assumptions? Can the likelihood of realizing the assumptions be improved?
- How confident are you in the quality of the information being used to understand the business environment and its future? Can that be improved?
- How were the potential consequences of each strategic option assessed? Were the likelihoods of each level of achievement estimated with confidence? Is the likelihood of the desired set of consequences at an acceptable level?
- Were potential adverse situations or events considered? How were they assessed?
- How were potential adverse and positive effects and outcomes assessed in aggregate?
- What is the level of confidence that the strategies will be achieved to the level of the goals and targets that have been set?
- Is that level of confidence acceptable? What can and will be done to improve it?
- Will performance against targets be measured in a way that incorporates changes in the potential for both positive and adverse effects in the future?
- Can strategies and targets be modified as conditions now and expected in the future change?
I am sure there are more questions that can be asked. What should be added?
I welcome your thoughts.