Archive for the ‘Risk’ Category

Revisiting the concept of Risk Appetite

October 25, 2021 20 comments

Carol Williams has written a thoughtful post, Risk Appetite: Bridging The Gap Between Two Extremes that I recommend reading.

Before diving into it, I want to thank her for her comments about this blog and how it sparks useful discussion among practitioners.

Carol is a believer in risk appetite, but I am not.

My primary argument is that leaders of the organization should be managing the business, not a list of potential harms.

Risk appetite focuses only on potential harms absent the context of whether they should be taken on business grounds.

There are other problems with the concept, including:

  • They are of little value if they don’t affect decision-making.
  • They are harmful if they lead to decisions that consider only the downside, not whether risks should be taken.
  • Business conditions are changing all the time, so we need decisions made based on current and future conditions, not some “statement” made in the past that is unchanging.
  • It is impossible to establish a meaningful risk appetite, defined by COSO as the amount (whatever that is) of risk you are willing to accept in the pursuit of objectives, for risks like:
    • The possibility of physical harm, even death, of personnel, or
    • The possibility of non-compliance with applicable laws and regulations
  • Risk appetite statements such as “we are risk averse” are meaningless. If you are risk-averse and want to minimize potential harms as much as possible, you should not be in the business.
  • They don’t help anybody know what risks to take.
  • People aggregate disparate sources of risk to create a meaningless number. That helps nobody.

Carol quotes my good friend, John Fraser. John as usual makes a good point, that these statements can spark a discussion. Anything that gets people talking is, of course, healthy and desirable. But do they lead to informed and intelligent decisions?

I don’t deny that people need to know when there are limits on the risks they should be taking. (I prefer the idea of taking risk to the passive language of accepting it.)

But that can be done through risk limits and other policies that are meaningful, with specific numbers and guidance (such as requiring more senior managers to be involved in the decision) instead of attitude statements. It can also be done by making sure people know how to make decisions that weigh both the positive and negative potential effects of what might happen.

Let’s take a moment to consider Carol’s argument that when people in management have different attitudes about risk-taking, there’s a problem. I don’t see it that way at all!

I don’t want my Sales and Finance leaders to have the same attitude about risk-taking. I want my sales team to be more imaginative and creative than my accounting folk. I am sure you do as well.

What is important is that when there is an important decision to be made, the right people are at the table with reliable information about what might happen. That can mean that the risk-taking EVP Sales and the risk-averse General Counsel are talking and listening to each other. Any risk appetite statement is unlikely to come up in discussion.

Here’s my bottom line:

How can you make sure that people are making informed and intelligent decisions, taking the right level of the right risks, considering all the things that might happen?

If risk appetite factors into your solution to that mission, great. It would not at any of the companies where I worked.

I welcome your thoughts.

The auditor’s responsibility for fraud

October 20, 2021 7 comments

Today, I want to discuss the topic, first the external auditor’s role, and then internal audit’s role.


Francine McKenna is a lady you should follow[1] (@retheauditors) if you are interested in the external audit profession. She never holds back on her criticisms of the accounting profession, especially the so-called “Big Four”.

Her latest online newsletter is The Dig. That is where she recently wrote a provocative piece, Busting the myth about auditors and fraud.

She asserts that there is a common myth that “The [external] audit is not designed to detect fraud”.

It is very easy to get confused with this topic, and the ‘myth’ is both true and false.

  • True: the external auditors are not required to detect every fraud.
  • False: they are required to perform procedures that will provide a reasonable level of assurance that the financial statements filed with the SEC are free of material misstatements due to fraud.

Francine provides a link to a PCAOB[2] paper from 2012, Consideration of outreach and research regarding the auditor’s approach to detecting fraud. The paper says:

Under PCAOB standards, the auditor is required to plan and perform the audit of the financial statements to obtain reasonable assurance, which is a high level of assurance, about whether the financial statements are materially misstated due to error or fraud. As this wording suggests, these auditor responsibilities are focused on fraud that results in material inaccuracies in, or omissions from, the financial statements.

They use the term, “financial statement fraud”.

The paper continues:

Existing PCAOB auditing standards require the auditor to, among other things, (1) perform procedures to identify fraud risks; (2) plan and perform audit procedures to address those risks, including certain specified procedures to address the risk of management override of controls; and (3) consider fraud in evaluating the results of the audit.

It’s a very useful paper that summarizes existing PCAOB requirements.

Francine provides some additional insights, but one of the challenges is the notion of “reasonable assurance”. The audit firms have defended failures to detect massive financial statement frauds with statements like “management lied to us and withheld information”. Is that reasonable? It probably is sometimes, and probably is not at other times.

One myth that Francine doesn’t discuss in her article is whether the external auditors have a clue about what is happening in the business. In my experience, there is a great deal that escapes them, but on the other hand they have very smart people who usually do the best they can.

I will defer to Francine, the PCAOB inspectors, and the courts on whether the firms are obtaining “reasonable assurance”.


One point is clear, though:

The external auditors are NOT responsible for detecting every fraud. They are only responsible for detecting frauds (one or more) that are at least reasonably likely to lead to a material misstatement of the financial statements filed with the SEC.

There are a great many other frauds. For example, the first fraud my audit team uncovered was of the safety numbers. These numbers affected the perception of performance, and therefore the continued employment and compensation of the safety officer and his staff.

At Solectron, my team discovered quite a few accounting frauds that resulted in the misstatement of the results and financial position of different business units. However, they were not material (individually or in aggregate) to the consolidated financial statements; KPMG was an interested observer and, to my knowledge, performed no additional procedures. I was surprised at the time and remain surprised today at their apparent complacency. But as I told the audit committee, I believed that the risk of material misstatement of the consolidated financial statements was not high – especially as we got the units’ financials corrected.


To summarize:

  1. The audit firms are not responsible for detecting immaterial financial statement frauds.
  2. They are also not responsible for anything relating to other types of fraud.
  3. Even when there has been a major financial statement fraud, we shouldn’t leap to the conclusion that the auditors failed. They may have performed everything required of them by the PCAOB or other regulators. Reasonable assurance is not perfect assurance.


What is the internal auditor’s responsibility for fraud?

This is also an area of myth: that it is internal audit’s responsibility to detect fraud.

Let’s get something straight:

Preventing and detecting fraud is a management responsibility.


Understanding the risk of fraud is a management responsibility.

That’s not to say that internal audit has no role in this.

  1. Internal audit should consider the risk of fraud in its engagement planning.
  2. Internal audit should assess whether management understands fraud risk and has appropriate preventive and detective controls.
  3. Internal audit should also consider the influence of culture and the tone at the top on the possibility of fraud.
  4. Internal audit usually, but not always, has a role in investigating suspected violations of the company’s code of ethics and values.

We should be focused on fraud that could be a significant source of risk to enterprise objectives. In addition, we should be concerned about fraud that:

  • Involves senior management or even the board
  • Affects the health and safety of individuals, whether employees or not. For example, I have seen fraud involving the safety training of contractors
  • Could lead to reputational damage
  • Would be of a magnitude that would be of concern to top management or the board

I suggest that the responsibilities of internal audit in relation to fraud should be discussed with both top management and the board. That could lead to management and the board asking the CAE to take on additional fraud-related responsibilities as a consulting service.


What do you think?

[1] I consider her a friend, although we rarely have been able to see each other. We live in different parts of the country.

[2] The Public Company Accounting Oversight Board oversees and provides standards for the external auditors of larger public companies with securities registered in the US.

Who owns and is responsible for a risk?

October 15, 2021 19 comments

There is a maxim that every risk should have a “risk owner”. Let’s examine that rule.

But first I want to share what Adrian Wright, CEO of 1GRC, wrote on one of my recent posts:

IMO one of the key tasks of the risk function – be it CRO or Business divisional, is to facilitate the dialog with the business needed to identify risk owners, assign clear responsibilities to them and instruct them on what they need to do to carry them out. Including any assessment and process around risk acceptance.

Where organizations get it wrong is in allowing ownership of all identified risks and remediation thereof to fall to some core risk function that is not within the business.

I totally agree with his last statement. The only risks the risk function owns are around the possibility that they are ineffective or make serious mistakes that lead managers to make poor decisions. For example, if they are tasked with using Monte Carlo to assess a situation and make errors in the process.

In a later comment, Adrian expanded on his point:

Norman, the thrust of my original comment was around assigning the ownership of risks to their appropriate (business) owners, rather than the subsequent risk methodology used. But as we are now talking about contrasting downside risks and potential business (risk) opportunities in order to maximize overall business performance; we are not in disagreement.

To paraphrase some of your own writings, you gave an example that the King IV code now talks about ‘the oversight of risk and opportunity management’. And the tools and techniques traditionally used to manage potential harms (downside risks) might be used to manage the potential for gain (opportunities). From this current discussion, we can also add in business performance (as in not impacting it, and potentially enhancing it) through improved RM.

In fact, I was recently moved to produce a Venn diagram in an attempt to illustrate these interactions. It’s not exact, as in the real world the bubbles are not of equal sizes and there are bigger and more overlaps than the diagram can show, but I find it’s a useful start point for starting to get the business to understand the potential benefits that can be achieved.

Venn diagram

I think Adrian has done some excellent work. His Venn diagram could lead to some interesting discussions.

However, I want to come back to the idea that every risk should have an owner.


What I have said in the past is that whoever owns a performance objective should also own the management of the risks and opportunities that might affect its achievement.


Take the example of the possibility that a cyber breach could result in the loss of customer personal data, intellectual property, business disruption and ransom payments, or damage to the organization’s reputation.

Who is affected?

Who should make the decisions about how much risk to accept, whether the current level of threat is acceptable, how much to invest in reducing the threat, and so on?

A breach could result in a failure to achieve several enterprise objectives, including:

  • Revenue targets
  • Customer satisfaction
  • Organizational reputation
  • Compliance with regulations and the expectations of the community
  • Product competitive advantage (if competitors gain access to our IP)

Does the CISO “own” the risk? Does the head of Sales or Compliance?


I could argue that the management team “owns” the risk, but that is not particularly helpful.


Let’s take another example: the possibility that a customer could default on their account.

Who does that affect? It can affect several enterprise objectives, including:

  • Revenue targets
  • Cash flow (and the use of that cash for marketing initiatives or major projects)
  • The company’s share price

Who “owns” the risk? Is it a useful concept?


Here’s my suggestion.

Instead of defining an owner for every risk, determine who will make related decisions and who will take related actions, including monitoring.

These are not necessarily the same people!

In fact, identifying “action owners” instead of “risk owners” can lead to the sort of discussions among the various involved parties that can lead to taking the right level of the right risks.


This is a new concept. What do you think?

The Role of the Risk Officer

October 11, 2021 11 comments

A friend and colleague[1] has written a bit of a rant on risk management in a new blog post: How Can So Many Get Risk Management Wrong? 3 Ways to Fix Your Approach.

Doug Anderson has a wise head on his shoulders, and I agree with everything he says in this piece – which I recommend.

I especially like how he summarizes his position:

When I was part of a management team acquiring and divesting businesses, evaluating capital projects, setting pricing strategy, and exploring investments in new technology, risks were an integral part of each decision. I may have addressed the risks poorly or well, but I was still doing “risk management” as an integral part of making the decision. RM may be best thought of as a mindset and discipline – supported by tools, expertise, and process.

The question is not whether to manage risk, but how to manage risk. Will it be through ad hoc, inconsistent, or poorly-executed actions? Or, through disciplined thinking and structure to make sure it is managed correctly?

I challenge you to rethink how you view RM – a centralized, formal process that has no substantive impact on your organization or a functional discipline that improves decision making. Don’t immediately start with lists of risks, mathematical models, charts, and endless meetings. Instead start with understanding your business, the decisions to be made, and how the risks that are an integral part of your decisions will impact your business’ success.

If risk officers are not viewed by managers as helping them be successful, helping them make informed and intelligent decisions, they are not effective.

It is not enough to try and help; it is necessary to help in a way that is recognized as significant by your customers in management.

My favorite measure of risk management effectiveness is this. Ask your managers and executives whether risk management, as practiced in the organization and by the risk team, makes a significant and sufficient difference in their ability to make the informed and intelligent decisions necessary for success. Alternatively, ask them whether (as Deloitte once put it) risk management helps them set and then execute on business strategies.

What do you think?

[1] He was chair of the IIA’s Professional Issues Committee when I was a member.

I disagree with Richard Chambers on Opinions and Ratings

October 5, 2021 9 comments

It is not often that I disagree with my friend, Richard, but on this occasion I have very different views.

He has shared the results of a recent survey and then his opinion on opinions in a post for his new company, AuditBoard. In How do we rate? Assigning Ratings and Opinions on the Basis of Audit Results, he says:

As internal auditors strive to serve the needs of various business stakeholders as well as management and the board, we must always be cognizant of how we communicate our findings. A key part of this is providing information that stakeholders need in a manner that is clear and accurate. What I’ve observed over the course of more than two decades is that management and audit committees are typically appreciative of audit results that have been synthesized in an easy-to-digest manner. More often than not, any mechanism that can help to focus their attention, as well as any predetermined indicator of what is urgent, is greatly welcomed by executive readers.

In this, he is absolutely right. I especially like the point about “providing information that stakeholders need” rather than what we want to say. He doesn’t mention the need for the communication to be concise and timely, which I am sure he believes.

He summarizes the survey results:

  • A recent AuditBoard survey of 175+ CAEs found that audit ratings continue to be a widespread practice among internal auditors, although methodology and frequency range widely among different audit departments and companies.
  • Our CAE survey found 63% of audit departments assign overall ratings for each audit report. In addition, nearly 63% of respondents also rate individual findings in their audit reports.
  • Our survey found a range of rating schemes that differed from department to department. The most common method —preferred by nearly 70% of respondents — is using adjectives (Satisfactory, Needs Improvement, Unsatisfactory) to summarize an audit report. A less popular method is a numerical rating scheme, with about 14% of respondents indicating they prefer this method. Considering auditors are typically criteria-focused, I expected more to prefer numerical ratings to adjectival ratings. Perhaps this is one of the factors that contributes to friction or tension between internal audit and operating management when ratings are assigned.
  • Another popular method used to distinguish audit reports is color-coding (e.g. red, amber, or green): almost half (47%) of respondents employ this rating scheme both in findings and in the title of report summaries. In particular, assigning color codes to risks observed, based on findings — e.g. a lack of adequate controls, heightened risk areas, controls that may leave the organization vulnerable — can be useful for directing a reader’s eyes to urgent areas requiring attention.
  • Our survey also found that nearly 70% of respondents also assign overall opinions on internal controls periodically to management and the board.

All of this is factual with only a little of Richard’s opinions injected.

But then he says this:

  • While there are benefits to doing so, I believe that assigning opinions creates potential risk for internal auditors. Whereas external auditors offer opinions based on a specific set of standards, there is sparse guidance for internal auditors regarding issuing opinions. This is why internal auditors must exercise caution whenever assigning opinions.
  • An example of safeguarding your opinion by providing negative assurance is wording such as: “Based on the work we conducted… nothing came to our attention that would indicate the organization is not well-controlled.”
  • As audit is a profession that heavily relies on its relationships with all of its stakeholders, audit leaders must be as diplomatic and conscientious as possible when assigning ratings — being mindful of preserving relationships for the future in the process of providing assurance.

Richard is a smart guy with many years of experience.

However, my many years of experience take me down a very different path.

The clue to Richard’s position (IMHO) is in this phrase that he uses: “friction or tension between internal audit and operating management”.

Here is a summary of my position:

  1. If, as Richard has eloquently advocated over the years, internal audit is a profession, then we must act as professionals.
  2. Professionals are entitled to an opinion. That opinion can be borne of experience rather than objective facts. For example, in one audit where there had been serious accounting errors, my opinion was that the root cause was a failure of management. The manager of the accounting function didn’t trust his people, was ineffective as a manager and leader, and his treatment of them was not only demoralizing but had led to past errors and, unless changed, would lead to future errors. Was there objective “proof” of this? No. But when I shared my opinion with the CEO he agreed and appropriate actions were taken.
  3. As professionals, we are entitled to and must use our professional judgment. Contrary to what Richard says about the external auditors relying on a “specific set of standards”, they exercise a great deal of judgment. So do we, and so should we.
  4. Every conclusion on the adequacy of a control and how well it manages risk is an opinion where we use professional judgment. Even the sample size in testing is a judgment call.
  5. Management and the board are entitled to seek and obtain the opinion of the professionals they employ. Wimping out with negative assurance is failing to provide all the value our leaders and the organization deserve.
  6. The formal audit report is the last communication with management and the board, not the first. It should contain no surprises. “Friction or tension between internal audit and operating management” are best avoided by having an open, two-way, constructive discussion with management at each level before the report is issued. In fact, discussions about the “findings” should be held with responsible management as soon as possible – not just to agree on facts and assessment, but so that management can take corrective actions promptly. The overall audit opinion should also be discussed. By that, I do not mean that internal audit tells management what the opinion or rating is. I mean that internal audit works with management to agree on the facts, assessment, and corrective actions (if any); they also agree on how this will be communicated to more senior management and the board. If absolutely necessary, internal audit has the final say. But that should only be after seeking to find words that are fair and balanced.
  7. Any and all communications need to be fair and balanced. Our goal is not to catch management out – and that is what a report that only lists findings does – but to provide management with assurance that they can rely on their organization, systems, processes, and controls to work as needed.
  8. We must tell them what they need to know, when they need to know, so they can act as needed.
  9. Reports should not have “findings and recommendations” with management providing a response. That indicates a failure to communicate! They should have agreed assessments and action plans. Wherever possible, give management credit when they have already started or even finished work on the action items. Consider dropping issues if they have been fixed and top management and the board simply don’t need to know about them. Go even further and give credit for high performing teams and staff. I have named names, with the CEO making a personal call to junior staff to congratulate them.
  10. Negative assurance is not assurance. If you take your ailing child to the doctor and they report that they have run several tests and have not found any serious issues, is that assurance? Is that of much use at all? If you take your car to your mechanic before a long trip and they report that they have not found any issues, is that something that will give you confidence to get on a busy freeway and drive at 75mph?
  11. Don’t hide the elephant in the room. Be brave and point it out. Don’t let your concern, your fear of “friction or tension between internal audit and operating management” prevent you from doing the right thing. If controls are poor because there aren’t sufficient people to do the work, or the people don’t have the experience or ability to perform controls, you need to say so. But do it quietly, in person (Zoom is fine) and find a way to avoid HR issues with anything in writing. In the situation with the accounting manager, I glossed over it with careful words in the report but had more open discussions with the audit committee.
  12. Where possible, remember that the primary goal when there are issues is to get them fixed. The goal is not to rack up points with your audit reports. In audit committee meetings, I presented serious issues jointly with responsible senior management. That way, the board can see the issue is being handled and we are working effectively with management. The “friction” is minimal.
  13. I hate ratings. What do they mean? Would you appreciate a report that your child brings back from school that says he or she is “satisfactory”? What does “high risk” mean? High risk to what? What does it mean to the business? Do I need to change my strategy? English is a very rich language, so why not use it to explain how the results of the audit might affect the achievement of objectives?

I close with some IIA guidance that I recommend. It was written when many people opposed providing an opinion because they were afraid of being wrong. Times have changed.

It’s a Practice Guide, which is recommended guidance: Formulating and Expressing Internal Audit Opinions. (Full disclosure: I was on the IIA team that developed the guidance.)

I welcome your thoughts.

The IIA fails again on risk management

September 30, 2021 20 comments

I have reached out to people at the IIA with a plea to come on board with the latest thinking about risk management: that it is not about managing or mitigating risk, but about taking the right level of the right risks to achieve your objectives.

No reply, unfortunately. (Even though they replied to other initiatives regarding the Standards.)

Now we have a new report from the IIA that cements their feet in the concrete of failure. Yes, failure. Risk management practices are not seen by executives as contributing to how they make decisions and run the business. As a result, they don’t participate with enthusiasm or provide the resources risk practitioners need.

The new IIA report is OnRisk 2022: A Guide to Understanding, Aligning, and Optimizing Risk.

The marketing blurb says that the report “will change the way organizations view and understand risk”. Wrong!

The report says:

  • C-suite executives, and chief audit executives [are] the key players in risk management
    • Comment: this ignores any risk practitioners as well as the fact that operating management at multiple levels are the ones making decisions and taking risks every day.
  • The OnRisk approach is grounded in an innovative methodology that uniquely brings together the perspectives of the major stakeholders in organizational governance — the board, executive management, and chief audit executives. Alignment of these stakeholders’ views on personal knowledge, organizational capability, and risk relevance is a significant step toward achieving strong risk management in support of effective governance.
    • Comment: yes. Asking these people for a list of the higher risks is certainly innovative (not!).
  • One technology C-suite executive articulated a more sophisticated approach to risk management, which adds needed perspective: “We have a formal ERM process, with a person that leads annual reviews for the entire organization. Risks get rated, gaps get identified, and then the likelihood and significance as well as tolerance is determined. Two hundred risks are assessed and grouped together in different categories. I think because we have this process and our audit function is so tuned-in to risk, we have sufficient assurance.”
    • Comment: this is shockingly awful.
  • “Some risk reports are maybe too detailed, which makes it difficult for extracting insights. Detail is good, but there should be summaries of relevant info for stakeholders, board members, etc.”
    • Comment: this is correct!!
  • [Internal audit should] perform organizational risk analysis, leveraging the OnRisk methodology.
    • Comment: this is a management responsibility! If management is not capable of anticipating what might happen and taking necessary actions, the CAE should raise this to the audit committee as a very serious deficiency!
  • The OnRisk 2022 report continues The IIA’s groundbreaking approach in collecting stakeholder perspectives on risk and risk management in support of good governance and organizational success.
    • Comment: your feet are in the cement and you are not breaking anybody’s ground.
  • The growing sophistication and variety of cyberattacks continue to wreak havoc on organizations’ brands and reputations, often resulting in disastrous financial impacts.
    • Comment: this hyperbole is not supported by facts. I have written frequently about this and will say no more here.

While I will again share this post with IIA leadership, I ask that everybody who agrees with me contact Anthony Pugliese (@AJPugliese1 on Twitter) and urge the IIA to challenge their old-fashioned thinking, lift their feet out of the cement (which will be hard – pun intended), and get on board with risk management that works – what I have described as risk management for success and Tim Leech refers to as objective-centric risk management.

This continued emphasis on managing risks instead of the business discredits this fine profession.

I welcome your comments.

How effective are your systems of governance, risk, and control/compliance (GRC)?

September 27, 2021 13 comments

The IIA likes to talk about GRC as an acronym that stands for governance, risk management, and internal control. The rest of the world has ‘compliance’ as the last part.

That doesn’t really matter.

The point is that we are talking about the organization, systems, processes, and related controls that management relies on to not only manage ‘risks’ but achieve their objectives.

They rely on them to function properly and do what is asked of them.

One of the valued services that internal audit provides is assurance, as expressed in the last part of the IIA’s Definition of Internal Auditing:

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The majority of internal audit functions perform a variety of audits every year and provide an opinion (ideally) or at least a list of risk-ranked weaknesses (far less than ideally) on the scope of each audit.

But too few provide an overall opinion on whether management and the board can rely on “the effectiveness of risk management, control, and governance processes” taken as a whole, or at least for the more significant risks and opportunities.

This is something I did at each of my companies and I was part of the team that developed a Practice Guide in 2009: Formulating and Expressing Internal Audit Opinions. Its Background section stated:

Internal auditors are being asked by the board, management, and other stakeholders to provide opinions as part of each individual audit report as well as on the overall adequacy of governance, risk management, and control within the organization. These requests may be for an assurance or opinion at a broad level for the organization as a whole (macro-level opinion) or on individual components of the organization’s operations (micro-level opinion).

I strongly recommend that every internal audit leader become familiar with the Practice Guide. Since 2009, I have developed reservations about a grading system as discussed in the Guide. However, it covers very important issues such as:

  • The form and scope of the opinion
  • The work required to support it
  • Reliance on the work of others

I covered this important topic in Auditing that Matters (my essential book for practitioners). I said:

I am a strong advocate that the CAE should provide a formal overall assessment of the systems of internal control and risk management[1] to the audit committee (or full board) and top management on an annual basis.

While some do not think this is necessary or even achievable, a growing number of governance codes around the world require internal audit to provide an overall opinion. I believe that in time this will be recognized as not only best practice but mandatory.

I started doing this in the mid 1990’s at Tosco and have not looked back. The board very much appreciated the assessment, as did management.

I believe this is the primary value that internal audit can provide to any organization.

It provides leadership of the organization with confidence that they can rely on its people, processes, and systems to support their initiatives and achieve enterprise objectives.

It provides leadership with the confidence to take the risks necessary for success.

An opinion on the overall systems of internal control and risk management does not mean that the CAE is opining on the management of every risk. It represents the CAE’s professional opinion on whether there is reasonable assurance that the risks that matter, the risks addressed in the audit plan, are at desired levels.

Let me break that down.

An opinion is just that, an opinion.

As professionals, we are capable of forming and communicating our opinion.

Every professional provides an opinion. It’s not a statement of fact, it’s an opinion – and we are not only entitled to form but to share that opinion.

There is a possibility that we are wrong, but if we and our team perform the work to appropriate professional standards we should be able to stand behind it and provide an overall assessment of the condition of the controls over the risks that matter.

I argue that if we don’t provide that opinion, we are shirking our professional responsibilities.

There’s a huge difference in the quality and value of assurance provided by an overall opinion compared to the value of individual reports with opinions on the management of specific risks.

The overall opinion is clear, concise, and actionable.

When only individual reports are provided, the CAE is leaving the audit committee and management to determine for themselves whether, overall, the systems of internal control and risk management are adequate.

Why make them make that assessment, guessing whether deficiencies in one area mean that the overall assessment is that it is deficient?

I think the CAE should step up, take the risk, and share his opinion.

When I provide my opinion, it:

  • Is formal, in writing
  • Is an assessment of the systems of risk management and internal control over the more significant risks to the organization and its objectives, based on the work performed during the year; that work is reflected in the audit plan and reports on the audit engagements that have been completed
  • Is based in part on the insights obtained by auditing by walking around, talking to management, and being present. The assessment is not limited to the formal audits that have been completed
  • Is a positive statement, rather than a ‘negative’ opinion. The latter is where you point out the risk and control issues but don’t make a positive assertion on the condition of the risk and internal control systems. I dislike the negative opinion as it makes the board and top management guess what our real opinion is
  • Where there are risk and control issues that merit special attention, or where parts of the organization are of concern, they are highlighted

In other words, I try to provide the board and top management with the information they need if they are to understand the condition of the risk and internal control systems, whether risks are being managed at acceptable levels, and whether action is required by them.

For example, while at Tosco, I highlighted the issues at the Avon refinery in Northern California while praising the strength of the Bayway refinery in New Jersey. The contrast was especially useful to the audit committee.

I explained that controls over financial reporting were fine, but those over some operational risks were not. I told them what they needed to know.

My communication is intended to help the board and top management discharge their governance and oversight responsibilities. It is not about telling them how good we are and how successful we have been in identifying deficiencies.

Because my primary end product is this annual assessment, I design the audit plan to give me the input, the information about the management of risk that I need.

In the book, I provide an example of the opinion I shared with the audit committee of the board at Tosco Corporation. I also share how I developed the audit plan and the team to execute it.


  1. Do you provide an opinion on each audit rather than ratings or a list of weaknesses?
  2. Do you provide an overall opinion annually?
  3. Do you do the right work to support that opinion?
  4. Do you do work that is not necessary for that opinion – and if so why?

I welcome your answers and comments.

[1] I consider governance processes to be part of the systems of internal control and risk management. Technically, internal control exists to manage risk, so I could readily make the case that we should just be assessing the management of risk – but it is easier to talk about the more traditional view of internal control and how it helps manage the risks that matter.

There are some that believe internal audit should provide assurance on governance, risk management, and compliance (or control). I don’t agree with this position. Internal audit can provide advisory services to help the board assess its practices, but I don’t believe internal audit should put itself in the position of assessing the competence, integrity, or performance of either the board or executive management. Instead, I believe we should assess whether there are processes and controls in place that address the risk of ineffective governance. We can also share best practices in governance. But going further is a step too far, in my opinion.

How great is your cyber risk?

September 16, 2021 3 comments

Recently, I read a piece directed at CFOs. The question was asked, “You may have a cyber breach that costs $25 million. Don’t you think it’s prudent to invest $1 million to prevent it?”

This is the state of the hyper-active consultants.

Let’s examine the question.

First, each of us needs to understand the potential cost of a breach in our organization. Not what others have reported, the extremes, but what applies in our specific facts and circumstances. We need a careful business impact analysis.

Then we need to understand the likelihood of a breach that would have a significant effect. It’s not the likelihood of a breach that we need to be concerned with. It’s the likelihood of a breach with an unacceptable impact on the business.

As I explained with examples in Making Business Sense of Technology Risk, a breach can have a small effect, a moderate effect, or a significant one. There is a range of potential effects, from graffiti on a web site to the loss of essential intellectual property. Each point in that range has its own likelihood.

While we may be concerned with multiple breaches of low impact, most of us are focused on the likelihood of a breach that would disrupt or cost us more than we can tolerate – making it more difficult to achieve our enterprise objectives.


Fortunately, we have some very useful information from IBM. For several years, they have sponsored research into the cost of a breach by the Ponemon Institute. Their latest report is Cost of a Data Breach Report 2021. Here are some key points in this informative publication. I have highlighted key language.

  • Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report. Costs were significantly lower for some organizations with a more mature security posture, and higher for organizations that lagged in areas such as security AI and automation, zero trust and cloud security.
  • The average cost was $1.07 million higher in breaches where remote work was a factor in causing the breach, compared to those where remote work was not a factor. The percentage of companies where remote work was a factor in the breach was 17.5%. Additionally, organizations that had more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches than those with 50% or less working remotely. IT changes such as cloud migration and remote work increased costs, yet organizations that did not implement any digital transformation changes as a result of COVID-19 experienced $750,000 higher costs compared to the global average, a difference of 16.6%.
  • Healthcare data breach costs increased from an average total cost of $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase. Costs varied widely across industries, and year over year. Costs in the energy sector decreased from $6.39 million in 2020 to an average $4.65 million in 2021. Costs surged in the public sector, which saw a 78.7% increase in average total cost from $1.08 million to $1.93 million.
  • Lost business represented 38% of the overall average and increased slightly from $1.52 million in the 2020 study. Lost business costs included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation.
  • Customer personally identifiable information (PII) was the most common type of record lost, included in 44% of breaches.
  • Overall, it took an average of 287 days to identify and contain a data breach, seven days longer than in the previous report.
  • The average cost of a breach was $5.04 million for those without zero trust deployed. Yet in the mature stage of zero trust deployment, the average cost of a breach was $3.28 million, $1.76 million less than organizations without zero trust, representing a 2.3% difference.
  • Organizations with fully deployed security AI and automation experienced breach costs of $2.90 million, compared to $6.71 million at organizations without security AI and automation. The difference of $3.81 million, or nearly 80%, represents the largest gap in the study when comparing breaches with vs. without a particular cost factor. The share of organizations with fully or partially deployed security AI and automation was 65% in 2021 vs. 59% in 2020, a 6 percentage point increase and continuing an upward trend. Security AI/automation was associated with a faster time to identify and contain the breach.
  • Ransomware attacks cost an average of $4.62 million, more expensive than the average data breach ($4.24 million). These costs included escalation, notification, lost business and response costs, but did not include the cost of the ransom. Malicious attacks that destroyed data in destructive wiper-style attacks cost an average of $4.69 million. The percentage of companies where ransomware was a factor in the breach was 7.8%.

Going back to that initial question by the consultant, where did this $25 million number come from, when the average cost of a breach is a fraction of that figure?

Even after performing a business impact analysis and understanding the range of potential effects from a breach, there are additional questions that should be asked when evaluating cyber risk, including:

  • How much can the potential (range of) impacts be reduced through additional investment in prevention, in response, or in both?
  • How much can the likelihood of an unacceptable breach be reduced?
  • Will the investment result in an acceptable level of risk? (This is critical.)
  • What is the level and type of investment that makes the most business sense?
  • Are there other actions I can and should take? For example, should I exit a business that represents excessive risk?


I am not saying that cyber is not a serious issue. I am saying that we should take the consultants’ pitches with a huge bucket of salt. I am saying that we should determine our level (range) of cyber risk in our specific organization, given our specific facts and circumstances.
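As an added illustration (example code, not from the post or from the IBM report), here is a small model of the argument above: a range of breach scenarios, each with its own impact and likelihood, and a check of whether a given investment both reduces expected loss and brings the chance of an intolerable breach down to an acceptable level. The scenario figures, the tolerance, the acceptable probability and the effect attributed to the $1 million investment are all constructed assumptions.

```python
# Added example (not from the original post): evaluating a cyber-risk
# investment against a range of breach scenarios rather than one headline
# number. All values below are constructed for illustration.
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    """One point in the range of possible breach effects."""
    name: str
    impact: float              # cost to the business if it happens (USD)
    annual_probability: float  # likelihood of it happening in a year


def expected_annual_loss(scenarios: List[Scenario]) -> float:
    """Probability-weighted cost across the whole range of scenarios."""
    return sum(s.impact * s.annual_probability for s in scenarios)


def probability_of_intolerable_loss(scenarios: List[Scenario], tolerance: float) -> float:
    """Likelihood that at least one scenario the business cannot tolerate occurs.

    Scenarios are treated as independent, so the chance that none of the
    intolerable ones happens is the product of their complements.
    """
    p_none = 1.0
    for s in scenarios:
        if s.impact >= tolerance:
            p_none *= 1.0 - s.annual_probability
    return 1.0 - p_none


def apply_investment(scenarios: List[Scenario], likelihood_factor: float,
                     impact_factor: float) -> List[Scenario]:
    """Model a control investment as scaling the likelihood (prevention) and
    the impact (response) of every scenario by the given factors."""
    return [replace(s,
                    annual_probability=s.annual_probability * likelihood_factor,
                    impact=s.impact * impact_factor)
            for s in scenarios]


def evaluate_investment(scenarios: List[Scenario], tolerance: float,
                        acceptable_probability: float, annualized_cost: float,
                        likelihood_factor: float, impact_factor: float) -> Dict[str, object]:
    """Answer the two questions the post raises: does the spend pay for itself
    on expected loss, and does it bring the risk to an acceptable level?"""
    after = apply_investment(scenarios, likelihood_factor, impact_factor)
    eal_before = expected_annual_loss(scenarios)
    eal_after = expected_annual_loss(after)
    p_before = probability_of_intolerable_loss(scenarios, tolerance)
    p_after = probability_of_intolerable_loss(after, tolerance)
    return {
        "eal_before": eal_before,
        "eal_after": eal_after,
        "eal_reduction": eal_before - eal_after,
        "pays_for_itself": (eal_before - eal_after) >= annualized_cost,
        "p_intolerable_before": p_before,
        "p_intolerable_after": p_after,
        "acceptable_before": p_before <= acceptable_probability,
        "acceptable_after": p_after <= acceptable_probability,
    }


# Constructed range of effects, from graffiti on a web site to loss of
# essential intellectual property. Figures are illustrative, not from any report.
SCENARIOS = [
    Scenario("web site defacement", impact=50_000, annual_probability=0.30),
    Scenario("multi-day outage of one business unit", impact=1_500_000, annual_probability=0.10),
    Scenario("loss of essential intellectual property", impact=25_000_000, annual_probability=0.01),
]
TOLERANCE = 10_000_000          # constructed: loss the board says it cannot absorb
ACCEPTABLE_PROBABILITY = 0.008  # constructed: tolerated annual chance of such a loss


def consultant_proposal() -> Dict[str, object]:
    """The $1 million investment from the post, assumed (constructed) to halve the
    likelihood of every scenario and cut impact by 20% through better response."""
    return evaluate_investment(SCENARIOS, TOLERANCE, ACCEPTABLE_PROBABILITY,
                               annualized_cost=1_000_000,
                               likelihood_factor=0.5, impact_factor=0.8)


if __name__ == "__main__":
    for key, value in consultant_proposal().items():
        shown = f"{value:,.4f}" if isinstance(value, float) else str(value)
        print(f"{key:>22}: {shown}")
```

With these constructed inputs the investment does not pay for itself on expected loss alone, but it does move the chance of an intolerable breach below the acceptable threshold, which is exactly the kind of distinction the questions above ask for.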


I welcome your comments.

Scenario Analysis is a Great Tool in Risk Management

September 13, 2021 7 comments

I have been a fan of scenario analysis for a very long time. Not only is it a great way to understand the current situation, whether it is a problem, which options are available, and what actions to take, but it is far more effective than making decisions based on a list of risks.

Scenario analysis helps everybody view risks and opportunities together and in context.

I highly recommend a 2019 article How to Use Scenario Analysis to Manage in Uncertain Times.

Here are some high points:

  • Every single decision in an organization is made under a certain degree of uncertainty.
  • Often, leaders make these decisions based on anticipated events, along with corresponding best-case and worst-case predictions about what might happen. Whether or not these predictions will actually come to pass is unknown at the time the decision is made.
  • Scenario analysis is a method for creating responses to various future events with the aim of reducing uncertainty and maximizing the chances of achieving a desired outcome. This process requires investments of people, time, and money. Imagination also comes into play as managers use scenario analysis to determine or invent possible courses of action to take so the organization can reduce its overall risk and maximize its value.
  • Historically, scenario analysis arose out of military planning during World War II. During the war, it was a means to offer specific descriptions of different futures; summarize and synthesize variables into a coherent picture for each possible future; suggest multiple and distinct choices that each future would entail; and increase the likelihood of achieving desired outcomes by exploring a range of responses or solutions.
  • Economic historians say that scenarios were first used in the post-war business world by the Shell Oil Company to evaluate oil price variability and consumption patterns, so that capital investments would be shifted into areas offering the best-predicted financial return. The practice quickly spread, and scenario analysis is now used by companies in most industries.
  • In conducting a scenario analysis, specific future uncertainties and corresponding realities are evaluated by exploring different possible ways to arrive at a desired outcome. This requires assessing internal capabilities, such as the strengths and weaknesses of the operation, and external factors, such as the existing and future opportunities and threats in the business environment.
  • Four features make scenario analyses a particularly powerful tool for understanding uncertainty and making business decisions.

First, these thought experiments expand thinking by developing a range of possible outcomes, each backed by a sequence of events that could lead to the desired outcome. According to psychologists, this is particularly valuable because it helps counteract the common biases of expecting the future to resemble the past and expecting that change will occur only gradually. By demonstrating how and why things could quite quickly become much better or worse in new and unexpected ways, scenarios improve readiness for the range of possibilities the future may hold.

Second, these analyses help protect against groupthink, which can inhibit the free flow of ideas. In business meetings, people often agree with whatever the highest-ranking person in the room says. This is especially true in hierarchical companies, where employees will wait for the most senior executive to state an opinion before venturing their own, which often magically reflects that of the executive. Scenarios allow companies to break out of this trap by providing several established options, which can serve as a “political safe haven” for contrarian thinking.

Third, in large corporations there is typically a strong status quo bias. Scenarios can help challenge conventional wisdom when status quo-based assumptions may no longer hold true. Having alternatives built into the process provides a less threatening way to deviate from the status quo.

Fourth, scenarios are particularly useful in navigating the kinds of extreme events recently seen in the world economy, such as natural disasters, pandemics, terrorism, active shooters, or ransomware. Scenario analyses enable management to steer a course between the false certainty of a single forecast and the confused paralysis that often strikes in chaotic times. When well executed, they allow strategy to be based on a sophisticated understanding of probabilities that maximize the chances of a desired outcome.

Risk officers can lead scenario analysis discussions as a facilitator, but they can also help management understand the several ranges of potential effects and their likelihoods (both benefits and harms) under each scenario.

My internal audit team has also facilitated such discussions.

What do you think?

Misunderstanding what is effective risk management

September 9, 2021 10 comments

I want to commend Tim Leech for his persistence in pointing out how few organizations understand, let alone practice effective risk management.

In his latest post Tim reviews an EY publication, The Board Imperative: Is now the time to reframe. He comments:

New EY survey reports 84% of board directors don’t think companies they oversee have highly effective risk management….. EY has identified a big performance gap and a huge opportunity, but, in my view, not how to fix the problem/the way forward.

I agree.

But I have a somewhat different view from Tim (which may be more language than anything else).

Here are some good points made by EY:

  • A new survey of board members reveals that decisive action is required to optimize risk oversight and seize new strategic opportunities.
  • In the current uncertain environment, risk management has become essential to strengthen resilience and create sustainable value.
  • Boards have an opportunity to reframe their organization’s approach to risk management, but first they need to reconsider how the board itself thinks and acts.
  • Enhanced risk management has become a top priority for boards: 79% believe that improved risk management will be critical in enabling their organizations to protect and build value in the next five years. CEOs share this view. When asked which areas of the enterprise they expect will change most in the next three years, they ranked risk management first.
  • …boards [sic] members today believe that those responsible for risk management are too focused on downside mitigation: 80% say that risk and compliance teams need to find a better balance between mitigating downside risks and driving growth.
  • “Risk needs to be embedded in strategy conversations at the board level and also in what every business function is doing,” says Nick Allen, a Board Director at Lenovo Group. “You just can’t isolate discussions about risk.”

The problem I have with the EY perspective is that despite these comments they are still focused on managing or mitigating harms, and harms alone. They end the article with:

As the risk landscape around their organizations becomes more and more complex, board members need to ensure that their organizations are doing all they can to effectively identify, mitigate, manage and even predict new threats. That means getting proactive.

While it is clearly necessary to address potential harms, there has to be a balancing between the possibilities for harm and those for reward. Risk management should ensure people have the necessary information to make the informed and intelligent decisions necessary for success, knowing which risks and opportunities to take if they are to achieve their business objectives.

That requires that comparable information be available for both upside and downside effects of what might happen (which some refer to as uncertainty and others as ‘risk’).

Unfortunately, EY’s criteria for effective risk management don’t do this. So we have to consider their numbers on high performers overly optimistic.

To repeat two salient points from EY’s own publication:

  • …boards [sic] members today believe that those responsible for risk management are too focused on downside mitigation: 80% say that risk and compliance teams need to find a better balance between mitigating downside risks and driving growth.
  • “Risk needs to be embedded in strategy conversations at the board level and also in what every business function is doing,” says Nick Allen, a Board Director at Lenovo Group. “You just can’t isolate discussions about risk.”

What do you think? I welcome your comments.

Remove the shackles of the audit report format!

September 6, 2021 5 comments

A short while ago, I was talking to an internal audit manager whom I had been helping with her audit of enterprise risk management at her company.

Not surprisingly, her team found a great many issues. Communicating her opinion, that the risk management team and related activities were not seen as helping management make informed and intelligent decisions, was not going to be easy.

Part of the problem was that there were some significant failings at a detailed level, such as not updating risk limits and other guidance on a regular basis as the business changed. It would be too easy to get distracted by the trees, rather than the state of the forest.

In addition, her manager (the CAE) was strongly of the opinion that the organization needed a risk appetite statement – which the manager realized was not the issue (and we agreed that it was not a great concept).

The CAE had dictated that every audit report had to follow a strictly enforced format.

So even though the best way to communicate an assessment of risk management is using a maturity model, that would not be permitted.

All I could do was sympathize and offer to meet with her CAE. I hope she can find her way through this.

My suggestion was to put a lot of effort into communicating the results of the audit through face-to-face meetings, even if they have to be through Zoom or similar. Constructive give-and-take discussions about what she found and why it matters would be of far more value and far more persuasive than any text document.

As CAE myself, I gave my team a great deal of flexibility when it came to the audit report. There were some rules, of course, but they were principles rather than detailed regulations.

I had an exemplar format, but I wanted the team to do what would work best rather than what would adhere rigorously to a standard.

For example, the opinion of the auditor had to be upfront, the first thing the customer read – unless it was really necessary to explain the context first.

Another principle was that the auditor needed to use plain English, a rich language that can be used creatively to communicate the auditor’s opinion. Requiring standard language, such as a rating system, is limiting.

If the auditor wanted to say that controls, etc. were not effective or adequate, that had to be explained in a way that the customer would readily understand.

In fact, I encouraged them to write the way they would speak.

Suggestions for improvement had to be practical and what the auditor would do themselves if they were in charge.

The audit report had to be concise and readily consumed by the busy executive.

It had to communicate what they needed to know, and no more.

We are not limited to a rigorously enforced standard for communicating in person. Why should we be limited when we are writing?

There is value to standardization, but it can also be a drag on effectiveness and the ability to deliver maximum value.

I welcome your thoughts.

The importance of IT General Controls

August 30, 2021 8 comments

Matt Kelly of Radical Compliance has shared an interview he had with a couple of people from the IIA about IT General Controls (ITGC). It’s in a podcast that you can find, with a write-up, here.

Matt’s piece is worth reading, although I have slight disagreements with these comments:

IT now drives business functions — so your ability to understand and assess IT risk is essential to govern operational, finance or compliance risks as well. You can’t assess and manage those risks independent of considering how IT systems support those business processes, and how weaknesses in IT control might undermine them too.

My problem, slight as it may be, is with the very first part, that “IT drives business functions”. It certainly should not!

Technology supports business functions, as the last part of the excerpt correctly states.

It is important to understand that, similarly, risks to IT processes, systems, and assets only matter in terms of how they affect business risks, and enterprise business risks at that.

In order to understand ITGC as a source of business risk, you need to understand how business controls rely on technology, and then how weaknesses in ITGC processes could affect the continued and proper functioning of (the automated part, including reports of) controls in business processes relied upon to manage business risks.

The IIA has a proven and broadly-adopted methodology for understanding ITGC-related risks as they relate to SOX in the GAIT Methodology (available to IIA members)[1]. It is considered recommended guidance – and I certainly recommend it[2].

The other thing that Matt says as an offhand comment is:

I understand the IIA’s commercial interest in talking up the need for better knowledge of ITGCs, since selling training and certifications is what the IIA does.

That is not “what the IIA does”. The IIA supports the profession of internal auditing and one of the ways it does that is by providing training and certification. It is not a commercial, for-profit organization.

One new training course provided by the IIA is a half-day session on IT General Controls. I realize you can only cover so much in a half day, but I am very surprised that GAIT is not mentioned.

The GAIT Methodology is only one of three GAIT family methodologies (all of which are hidden, so I will share the links). The other two pieces of recommended guidance are:

You can also find a very useful FAQ on their web site.

Please note that the GAIT Methodology family dates back to 2007 and 2008, but the content is not at all dated – only the references to the PCAOB standards, which have been updated.

There is one more point to be made: increasingly, technology does more than support business processes. It is an essential component of an organization’s products (think of a smart refrigerator or car) and equipment (advanced manufacturing). ITGC are critical to understanding the related risks here as well.

I hope you enjoy these materials. Please share your comments.

[1] In the past, it was easy to find in the section of the IIA website under Standards and Guidance, and Technology. Now it is essentially hidden from view, so you find it either with a search or using the link I provided.

[2] I should: I am the author.

Understand your own bias as a practitioner

August 16, 2021 7 comments

Alexei Sidorenko has shared an interesting article with the title of If cognitive biases in decision making are a given, how do risk managers overcome them?

I recommend it and like the infographic he has included.


But there’s a different issue, which he has not addressed in his piece: the bias of the practitioner.


Whatever your role, you have biases. These cognitive biases are likely to affect your own decision-making and the information you provide to leadership.

For example:

  • If you don’t like or respect a department manager, you are more likely (as an auditor) to rate his or her area as high risk and include it in your audit plan. You are also less likely to trust their controls and their response to any issues you might identify. As a risk officer, you might similarly be more likely to question their ability to identify and assess risks and opportunities.
  • If you like a department head, you are more likely to accept without question what they have to say. You are also more likely to listen to them and be willing to partner with them on assessments, corrective actions, and so on.
  • If you have had poor experiences in the past with a particular process or function, that will influence your attitude today – even if your prior experience was with another company.


We need to understand our own biases and how they affect our thinking, actions, and decisions.


We need to ensure they do not adversely influence the quality of our work.


Do you know your own cognitive biases?

Have you made sure they do not affect your work?

I welcome your feedback.

If you are interested in risk management

August 16, 2021 3 comments

There’s a great virtual conference coming up in October. Risk Awareness Week (RAW) 2021 is hosted by Alexei Sidorenko and will feature 30 or so excellent speakers including:

  • Hans Læssøe
  • Douglas Hubbard
  • David Koenig
  • Kurt Nelson

I will be speaking on the topic of “The board’s role in risk governance”, and others will dive into more detailed topics like:

  • Scenario planning
  • Business continuity
  • Resilience
  • Stochastic decision trees
  • Uncertainty
  • Risk-taking
  • Risk measurement fallacies

The 5-day conference is one I recommend and is quite inexpensive.

I hope to see you there!

How should the IIA change its Standards and other Guidance?

August 10, 2021 9 comments

The IIA’s Internal Audit Foundation is asking for practitioner member input. You can find the survey here on their web site. It is available through the end of August.

They say:

2021: Research Focus: Assessing Internal Audit Practices

The Foundation has selected this topic to gather perspectives and insights of importance in understanding the global practice of the profession and to understand the current relevance and potential improvements of the International Professional Practices Framework (IPPF) and International Standards for the Professional Practice of Internal Auditing (Standards).

Overall Study Objectives:

  • Assess internal audit practices at the internal audit activity and practitioner levels.
  • Understand the value and relevance of the IPPF and Standards toward ensuring internal audit effectiveness.
  • Ensure continued applicability and effectiveness of the IPPF and Standards.

I started the survey, but when I indicated that I was retired they threw me off because they only want the survey completed by “current practitioners”.

Of course, that will not prevent me from sharing my views – which I shall in this post.

I haven’t seen the questions, so I am making some general rather than specific points.

  • The Standards and other guidance require a “risk-based plan” (Standard 2010 – Planning), which I support. However, the Standards lead you away from identifying risks to the enterprise as a whole and towards risks to individual processes, business units, etc.

This is because Standard 2201 – Planning Considerations asks that the auditor consider “The significant risks to the activity’s objectives, resources, and operations”.

Standard 2210 – Engagement Objectives dictates: “Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment”.

The auditor needs to focus on the risks that matter to the enterprise as a whole, and not risks to individual activities within the enterprise. The auditor should strive to audit processes and related controls at an activity that could lead to a failure to achieve enterprise objectives.

  • In a previous iteration of the Standards, the word “should” was globally replaced with “must”. As a result, the Standards now mandate audit work on certain aspects of the organization. For example, Standard 2110 – Governance states:

The internal audit activity must assess and make appropriate recommendations to improve the organization’s governance processes for:

    • Making strategic and operational decisions.
    • Overseeing risk management and control.
    • Promoting appropriate ethics and values within the organization.
    • Ensuring effective organizational performance management and accountability.
    • Communicating risk and control information to appropriate areas of the organization.
    • Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management.

2110.A1 – The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.

2110.A2 – The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.

While each of these may be high risk, mandating them flies in the face of the risk-based approach.

The correct approach is to require auditors to consider these matters in their risk assessment and audit planning activities, including related projects in the plan when and where justified based on enterprise risk.

  • Several standards mandate work that is neither necessary nor of value. The IIA Standards Board should take a pencil in hand and delete them. We need every internal auditor to be agile, responding promptly to changes in business conditions and risks, and auditing at speed. Excessive bureaucratic red tape does not help you run fast.

For example, Standard 2200 – Engagement Planning states:

Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.

In my many years as CAE, I cannot think of a single audit where all of this was needed. I want my auditors to audit, not write a lot of documents.

Standard 2240 – Engagement Work Program is far too onerous. 2240.A1:

Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.

Why document all of this? I see little value in most cases. Let the auditors go!

  • The approach to risk management needs an overhaul and update, reflecting leading thinking on what constitutes effective risk management. Frankly, this is an area where IIA seems to lag.

For example, the definition of risk management in the Glossary needs to go further. It defines it as:

A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.

What is missing is the link to decision-making. Risk management enables the informed and intelligent decisions necessary to achieve enterprise objectives.

  • I would like to see more guidance, including standards, that leads practitioners to limit their scope to what matters, audit at speed, and then communicate effectively and promptly.
  • A number of excellent Practice Guides and Advisories were developed in the past but are no longer available. That is unfortunate since the guidance was very good.
  • Recent GTAGs have been less than satisfactory. They should have never been issued. See previous posts on this blog for details.

I will leave it there. I am, however, open to discussing these and related questions with IIA leaders.

Please share your thoughts as well – with the IIA in their survey and here, as comments to this post.

How do we fix risk management?

August 5, 2021 12 comments

I want to commend Tim Leech for his passion, consistency, and his recent posts on LinkedIn.

His first post sets the stage for today’s discussion. He asked:

How did the world go so wrong interpreting what the term ‘risk management’ means?

I agree with most of his comments. Please read his first post before considering my following thoughts.


First, let’s consider why the regulators (in particular, the US Securities and Exchange Commission) want ‘risk’ discussed in corporate disclosures. Tim traces it back to 2008 and the financial crisis, but it is older. If you are familiar with the regulations, I suggest skipping to the next section of this post.


US Compliance Requirements

This is from a 2013 SEC Report on Review of Disclosure Requirements in Regulation S-K:

The requirement for disclosure of a summary of risk factors relating to an offering was first set forth in 1968 in Guide 6. Item 503(c) was added to Regulation S-K in 1982 as part of the adoption of the integrated disclosure system, combining the provisions of Guide 6 with the provisions of Guide 5 calling for disclosure of risks arising out of a lack of a trading market.

In 1995, this provision was amended to add a requirement that the risk factors section of a prospectus be captioned with the heading “Risk Factors” and that the section be presented following the summary. In 1998, in connection with the plain English disclosure amendments, this provision was revised to include guidance on presenting risk factors. In 2005, the Commission added risk factor disclosure requirements to annual reports and quarterly reports.

Item 105 of the SEC’s Regulation S-K requires that registrants “provide under the caption “Risk Factors” a discussion of the material factors that make an investment in the registrant or offering speculative or risky”.

The requirements in Regulation S-K were updated in 2020, but there was no change to the overall requirement that registrants disclose “the material factors that make an investment in the registrant or offering speculative or risky”.


The SEC has additional requirements for registrants in some but not all sectors. They seem to have focused on companies in the financial sector.

For example, in 2017 the SEC published Self-Regulatory Organizations; The Options Clearing Corporation (OCC); Notice of Filing of Proposed Rule Change Related to a Comprehensive Risk Management Framework. They said:

This [sic] purpose of the proposed rule change is to adopt a comprehensive Risk Management Framework Policy, which would describe OCC’s framework for comprehensive risk management, including OCC’s framework to identify, measure, monitor, and manage all risks faced by OCC in the provision of clearing, settlement and risk management services.

The SEC notice referenced rule changes in 2016[1]. The updated rules require that covered clearing agencies:

“[E]stablish, implement, maintain and enforce written policies and procedures reasonably designed to … [m]aintain a sound risk management framework for comprehensively managing legal, credit, liquidity, operational, general business, investment, custody, and other risks that arise in or are borne by the covered clearing agency, which … [i]ncludes risk management policies, procedures, and systems designed to identify, measure, monitor, and manage the range of risks that arise in or are borne by the covered clearing agency, that are subject to review on a specified periodic basis and approved by the board of directors annually . . .”

In the SEC document, there is a sentence that makes clear the purpose of the regulations by the SEC: while the OCC requires “a sound framework for comprehensively managing risks”, they are primarily concerned with “potential clearing member default scenarios”. Those could be the result of either “financial exposures [or] service disruptions”.


Other US regulators are concerned with risk management, notably the Office of the Comptroller of the Currency[2] (a different OCC than above) and the Federal Reserve. The OCC regulates banks and is concerned broadly with “the safety and soundness of the national banking system” and specifically to “protect the national bank charter.” Deloitte has a good explanation of the OCC requirements here.

One of the OCC mandates is that the risk function is independent of management and provides the board with its own aggregation and assessment of risk. It seems to view the risk officer as being the sheriff in town to make sure the cowboys in management don’t threaten the health of the town and its citizens. However, when the risk practitioner sees him or herself as the sheriff instead of a partner to management, they will find themselves behind (less visible) bars.



In other parts of the world, the regulators have gone further in requiring an effective risk management activity, including it in their corporate governance framework. When I was with SAP, the company engaged EY to perform a mandated audit of their risk management activity.


Should we get the regulators to change?

There is nothing wrong, IMHO, with the regulators wanting current and potential investors to understand what might happen that would threaten the results or even the viability of the organization. (Although a list of risks without any indication of the likelihood of a severe effect, or of management’s ability to manage any threat, is of dubious value.)

Equally, there is nothing wrong with management and the board wanting a reliable process underlying their risk disclosure.

However, management and the board should require a risk management activity (whatever you call it, which I will come back to later) that not only manages the risk of failure (meeting any compliance requirement), but actively and significantly contributes to the achievement of enterprise success.

If risk management is to be accepted and valued for its contribution to success, it cannot be seen as the sheriff out to lasso the bad guys into acceptable behavior. Please see my post from last month, How to build credibility with management.

If I had the ability to influence the regulators, it would be to tone down their emphasis on positional independence and make it clear that management is responsible for the identification, assessment, and reporting of risks – with the assistance of the risk function. The latter should have the ability to escalate within the management team and then to the board, if absolutely necessary, any inappropriate cattle-taking (ok, risk-taking).

But let’s recognize that the regulators have a different focus and set of responsibilities than management, or rather that management and the board have interests that extend beyond those of the regulators.


What does the word ‘risk’ mean?

Tim makes a good point, that ISO 31000 and COSO ERM (at least in their executive summary) define risk as including not only bad things that might happen, but good things too (a.k.a. opportunities).

But, while this may be understood by (many but not most) risk practitioners, the general use of the four-letter ‘r’ word is limited to the downside.

  • Merriam Webster defines risk as:

1: possibility of loss or injury

2: someone or something that creates or suggests a hazard

3a: the chance of loss or the perils to the subject matter of an insurance contract, also: the degree of probability of such loss

b: a person or thing that is a specified hazard to an insurer

c: an insurance hazard from a specified cause or source

4: the chance that an investment (such as a stock or commodity) will lose value

  • MacMillan Dictionary:
    • to do something that makes it possible for something important or valuable to be destroyed, damaged, or lost
    • to be in a situation in which something unpleasant or dangerous could happen to you
    • to do something although you know that something bad could happen as a result
  • Investopedia:

Risk is defined in financial terms as the chance that an outcome or investment’s actual gains will differ from an expected outcome or return. Risk includes the possibility of losing some or all of an original investment.

The great majority of businesspeople understand the ‘R’ word as relating to threats and their effects.

Do we get them to change, to learn the technobabble of the practitioner, or do we get practitioners to use better, common business language? Now I appreciate that in some companies, especially financial services organizations, practitioners believe that their management team “get it” – that ‘risk’ is not limited to the downside. But I wouldn’t rely on that myself. It’s easy to use common English rather than technical terms. See this.

Grant Purdy talks about the language issue in his book, Deciding, which I reviewed last year. He and his co-author, Roger Estall, allocated an entire chapter to its discussion. I think he summarizes their position well in a comment on my blog in January:

… no one can agree on what the ‘r’ word means – and it is used variously as a noun, verb and adjective – with none of the uses consistent.

In fact, the word ‘risk’ has become a nonsense as, of course, are any compounds like ‘risk management’ that are based on it.

If I was facetious, I might suggest that it’s just too risky to use the word ‘risk’. But I wouldn’t say that, because that statement would mean nothing sensible at all.


As I have said many times in the past, I prefer to use the expression “what might happen” as it is easier to have a shared understanding of that and a constructive conversation with management using plain English.

How about ‘risk management’?


When did risk management start?

It predates the 2008 Great Recession that Tim mentions.

The second edition of Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (which I recommend) has a chapter on a Brief History of Risk Management. Authors John Fraser and Felix Kloman trace back the origins of risk management hundreds of years. They identify several milestones starting in 1914 with the formation of what later (in 2000) became the Risk Management Association.

The focus of all the early standards, books, etc. was on managing the downside. Grant Purdy, also in January in a blog comment, shares the history of risk registers (a list of risks that you manage or mitigate, recently renamed a risk profile by COSO):

Risk registers came into being during the 1970s. In the UK under successive editions of the Factories [Act] (including the 1961 version that I enforced) there was a requirement for a factory occupier to maintain a ‘general register’. This was a standard form that contained information such as when the walls were last painted, a list of lifting tackle, steam boilers and air receivers together, in some cases, with a list of women whom the factory owner had “good reason to believe” were pregnant!

When the UK moved to ‘enabling legislation’ in 1974 and later adopted the European safety requirements, the general register was also used to list ‘hazards’.

In all cases, its purpose was to demonstrate that the factory occupier had thought about how his employees could be injured and also, their well-being. It was also supposed to help the Factories Inspector (of which I was one) do his or her job by giving them a ‘heads up’ on what to look for on their inspection.

Of course, what was a list of hazards eventually morphed into a list of risks (because a lot of people could not tell the difference) and with the advent of spreadsheets (I first used VisiCalc) we could then play tunes on them by ascribing ratings, conducting arithmetic and sorting and ranking and even drawing graphs.

This was all well and good, but these registers were never intended to be used in any form of decision making and, as we now know, they have taken on a life of their own such that, for many organisations, ‘risk management’ (whatever that means – and I don’t know), merely involves the updating of this spreadsheet, normally on an annual basis.

Grant makes the excellent point that these lists of risks were not intended for use in decision-making.

The problem, as Tim reminds us, is that people seem to believe that the periodic review of a list of risks is not only sufficient to comply with any regulations but is all that risk management can and should be.

That belief is, IMHO, very wrong.


Should we stop using the ‘R’ word entirely?

There’s a good argument that using the ‘R’ word obstructs not only common understanding and constructive discussion of business problems but what we are trying to achieve with risk management.

Risk is not only seen as being about avoiding failure, but risk management is viewed by 80% of executives (according to all the surveys I have seen) as a compliance activity.

We need to recognize that regulators (and boards) require us to manage risk and to have effective risk management. They are using plain English, not ISO or practitioner technobabble. Much as we might be inclined to do so, we cannot ignore the reality that regulators, investors, and boards believe they want ‘risk management’ of the downside. They are not that interested in the upside; it’s not their remit.

Regulators are not likely to change their requirements any time soon.

Executives and board members might be persuaded to use other terms for risk management, but that takes time we simply don’t have.

Therefore, I will continue to use the term ‘risk management’, even though I have suggested that practitioners change the name of their function to Decision Support or similar.

I just have to explain what effective risk management is.

Similarly, asking directors and executives to learn ISO technobabble is misguided, IMHO. It is far easier to have practitioners use language their leaders will not only completely understand but also be able to see how ‘risk management’ helps them individually, as well as the organization, be successful.

What I have done, and while this may annoy some on purist grounds, is accept the reality.

  • When I can, I use ‘what might happen’ instead of the four-letter ‘R’ word.
  • When I can’t, especially if I want to emphasize that what might happen could be either (usually both) good and bad, I talk about ‘risk and opportunities’. This is consistent with my favorite corporate governance framework, South Africa’s King IV.
  • I talk about ‘risk management’ but explain that it should refer to the ability to anticipate what might happen and then use that to enable the informed and intelligent decisions necessary to achieve objectives.
  • I explain that those informed and intelligent strategic and tactical decisions enable people to take the right level of the right risks, leading the organization to optimize the likelihood of achieving enterprise objectives.
  • If I can, I refer to ‘success management’ or even the simple idea of effective management. After all, that is what it is.


Tim’s second post sets out eight suggestions for change. I encourage you to read and consider them now.

My primary issue with his suggestions is his description of effective risk management. I dislike the idea of “an acceptable level of residual risk/uncertainty”; it is hard to understand, and I can’t see CEOs or board members readily accepting more technobabble. Don’t use a term you have to define, especially if it takes time and diagrams, when you can use plain English. Personally, I have little tolerance (pun intended) for the notion of residual risk.

He also talks about “certainty management”. But you can’t manage certainty; you can only reach a level of certainty. However, you can estimate the likelihood of something happening or not happening and the range of its potential effects.

I prefer to talk about ‘an acceptable likelihood’ that enterprise objectives will be achieved – and this is what I built my Risk Management for Success around.

Boards and executives set and then are measured (and compensated) on their ability to achieve objectives for the organization. They see, in my experience, the tremendous value in being able to:

(a) understand where they are relative to those objectives (from performance reporting),

(b) what might happen to affect their achievement (from ‘risk management’), and

(c) estimate the likelihood of getting there by the end of the period (the integration of both). They can then decide whether that likelihood is acceptable or not.


Tim has, as I said, eight suggestions to fix risk management.

Here are mine:

  1. Everybody should accept that there is a compliance requirement to manage the downside, but as Alexei Sidorenko suggests, this should be accomplished with the least number of resources. Obviously, that will depend on the specific regulations affecting each organization. Alex calls this Risk Management 1, or RM1.
  2. Everybody should also accept that there is more to effective risk management, whether you like my concepts, Tim’s, or somebody else’s. Each organization should work to determine what would work best for them if they are to be successful. Then they should strive to implement RM2: risk management that enables the informed and intelligent decisions necessary to achieve enterprise objectives.
  3. Those who have the ear of the regulators should ask them to refine their position on the independence of the chief risk officer, recognizing that behaving as the sheriff instead of a partner can alienate those trying to run the business for success. The CRO’s job should be to help management do the right thing, not catch them out and throw them in the hoosegow when they don’t. The regulators should also acknowledge that there is more to risk management than avoiding failure.
  4. Those responsible for the ISO and COSO standards should try to avoid the unnecessary and useless competition between them. Converge around new or updated guidance that:
    1. Uses plain English and avoids technobabble. Include board members, CEOs, and other executives in the guidance process to ensure that it will not only be clear and understood, but that leaders of the enterprise will see how it will help them and their organizations succeed.
    2. Explains clearly that events and situations almost always have multiple potential effects, or ranges of potential effects, some of which are advantageous and others are harmful.
    3. Drives risk management top down, pointing out that we are concerned with risk to objectives. Explains how objective and strategy-setting depend on an understanding of what might happen; risks are not only defined after strategies and objectives are established.
    4. Not only explains risk identification, assessment, and evaluation, but how to see the big picture – evaluating all the things that might happen, weighing the pros and cons to enable effective decision-making. They should help demolish risk silos.
    5. Clarifies the role of risk management in enabling informed and intelligent decisions.
    6. Defines effective risk management as contributing to the success of the enterprise, preferably as I have described it.
  5. The bodies responsible for corporate governance frameworks should similarly be persuaded to adapt their guidance.
  6. Each of the practitioner organizations (such as RIMS, IRM, RMA, PRMIA, IIA, ISACA, etc.) should be persuaded to bring their standards and guidance in line.
  7. The IIA in particular should, as Tim says, require internal audit teams to assess and report on the effectiveness of risk management at their organization. However, my recommendation is to assess whether it ‘meets the needs of the organization’. In other words, understand what is needed, by whom and when, so that the informed and intelligent decisions necessary for success (achieving objectives) are made. That would include risk disclosures.
  8. Board members, hopefully with the guidance of national Institutes of Directors (such as the NACD in the US), should press the CEO to report personally to the board on the effectiveness of risk management and decision-making.
  9. Everybody reading this post should share it, even if they don’t fully agree, so that we can all have a constructive discussion about the effectiveness of risk management.
  10. Finally, the consulting firms and those conducting research should modify their focus to how organizations can be successful as a result of effective risk management (anticipating what might happen). Stop promoting products and services that continue practices like heat maps, especially when isolated from what the organization is trying to achieve. The ERM Institute should define what it means by effective risk management, hopefully on the lines of what I have suggested, and only then survey organizations and their practices.


This is one of the longest posts I have written. I hope it is of interest and ask that you share your thoughts and comments.

[1] Rule 17Ad-22 and Rule 17Ab2-2 pursuant to Section 17A of the Securities Exchange Act of 1934 and the Payment, Clearing and Settlement Supervision Act of 2010

[2] The Office of the Comptroller of the Currency (OCC) is an independent bureau within the United States Department of the Treasury that was established by the National Currency Act of 1863 and serves to charter, regulate, and supervise all national banks and thrift institutions and the federally licensed branches and agencies of foreign banks in the United States

The risk of excessive red tape

August 2, 2021 2 comments

I recently finished an excellent book, The Code Breaker, which covers the discoveries that led to gene editing and more. Towards the end of that book, the author discusses how that science was used to build tools and techniques for COVID-19 testing. (There is also a section on the mRNA that is used in several of the vaccines.)

Several labs were working in haste on COVID tests when the CDC declared a health emergency. That meant that the tests the labs had come up with couldn’t be used without FDA and CDC approval. It was a major problem as the CDC’s own tests didn’t work properly.

One lab tried to get regulatory approval but was confounded by a mountain of red tape. They had to fill in page after page of detailed forms. Then they were told they would have to do more tests using material that the FDA wouldn’t grant them permission to obtain.

It took intervention by Dr. Fauci to get their and then other labs’ tests approved.


In my books, I share a couple of real-life incidents where excess red tape hindered the business. In one, the CEO mandated that he had to approve every request for capital expenditures. As a direct result, a modest request to spend $10,000 to reap many times that reward was delayed until after the opportunity had passed. In the other, the Legal team performed the same review on sales contracts for $10,000 as they did on contracts for $10,000,000. In both cases, my internal audit team persuaded management to change.


More recently, I have been affected by unnecessary bureaucracy myself.

As a retiree and occasional speaker or consultant, I have a one-man small business. When I accept an invitation to speak, especially at an event run by a company (as opposed to a professional association), I am often asked to sign a legal agreement.

Signing a contract or other agreement is perfectly fine.

What amuses me (most of the time) or frustrates me (sometimes) is the length of the agreement and the time the process takes both for me and for the company. In one case, it took more than three months!

The cost to the company of the process far outweighs my fee, let alone any potential risk (if you can find one).


Sadly, when asked why they have so much unnecessary red tape – well beyond what is needed to manage the risk – people often reply that it is because the auditors told them to do it.


Practitioners need to have the courage to stimulate management to remove controls and other procedures that cost more than they are worth.

Practitioners should consider not only the cost (even if only time spent) of a process, but the time it takes. Is it so long that it puts grit in the machine that is the business? Does it mean that a response to potential harm is delayed or that an opportunity is lost? We can lead them to make appropriate changes and streamlining.

Yes, that means taking more risk.


Practitioners also need to be careful of their own, self-inflicted red tape. Are you auditing at the speed of risk, or the speed of molasses? Are you weighed down by unnecessary review and approval protocols, or the need to document and justify every finding and recommendation – even if management agrees with them?

Can you provide management and the board with the assurance, advice, and insight they need when they need it, without taking more time or spending more money than necessary?


I welcome your thoughts – and please share your success stories.

Risk Management and Cloud Computing

July 29, 2021 6 comments

There’s a new COSO preacher in town. Is he or she a threat or an enabler of a peaceful and safe community?

Should we embrace him or her and listen to their advice?

Enterprise Risk Management for Cloud Computing is an interesting document.

I am not a fan of the document, but if you are in IT or responsible for addressing IT-related risk you might find it of some interest.

It starts reasonably well with:

Leveraging cloud computing in some industries may have been a strategic advantage at one point. What the pandemic brought to light was the need for more remote and flexible work environments and the IT infrastructure to support the organization in that effort. Utilizing cloud computing has become an essential element to compete in the marketplace.

The speed at which cloud computing can be procured and implemented is one of its many valuable traits. However, facing the inertia of accelerated access to cloud based capabilities, some organizations may not have had the capacity to implement appropriate controls designed to mitigate the risks in their cloud environments.

Let’s acknowledge, though, that cloud computing is not new. It has been with us for many years.

I am (just) old enough to remember some of the first database systems. I was a manager with a major public accounting firm, responsible for the technical IT audit approach, when I heard Tom Gilb address the British Computer Society.

Tom shared his experiences helping a major Swedish car company implement an integrated set of applications using one of the first database management systems from IBM on their newest and most powerful mainframes.

He told us that he was often asked about the differences in deploying database vs. traditional systems. His answer was:

“It’s just another file structure.”

In many ways, cloud is similarly a simple evolution rather than a gigantic leap. Many of the issues related to managing a traditional outsourced computing system continue in a cloud environment. There are a few more challenges, but not so many as to justify, IMHO, a publication from COSO specifically on cloud computing.

COSO would have done better if they had simply shared their thoughts on integrating IT-related risk into enterprise risk and performance (or success) management. (Actually, they would have done better to read and build on my book, Making Business Sense of Technology Risk).

They get this right:

An organization’s management is responsible for managing the risk to the organization. Management must incorporate the board and key stakeholders into the ERM program so that risk management is integrated with the organization’s strategy and business objectives. Effective ERM involves multiple departments and functions; it should be integrated into the strategy of the organization and embedded into its culture. Successful ERM goes beyond internal controls to address governance, culture, strategy, and performance. Effective cloud computing and cloud enterprise risk management is integrated within the organization to support the organization’s strategy and objectives, align with the culture, and enhance value.

The rest of the document takes each of the five components of the COSO ERM Framework and explains how they relate to cloud computing, with suggestions on how each of the related principles might be addressed.

But, and it is a huge but, they start with Governance and Culture. Now I agree that is an important topic, but you don’t establish governance structures and processes before you understand the risks and related processes.

They are starting with the COSO model and plugging cloud into it, rather than understanding what risks (both positive and negative) flow from the use of cloud and only then determining what governance-related processes and structures are needed.

So, let’s leave COSO behind and take a far simpler approach:

  1. Understand what the organization is trying to achieve, its business objectives.
  2. Consider what might happen (a phrase I far prefer to the four-letter word starting with ‘R’) that could affect the achievement of those objectives: the extent and likelihood of achievement.
  3. Include consideration of both what is needed to go right (to achieve enterprise business objectives) and could go wrong.
  4. Understand how the above depend on or are the consequences of the use of technology. You might define a subset of things that involve cloud computing.
  5. Given all that, are we OK? Is the likelihood of success (achieving enterprise business objectives) acceptable?
  6. If not, what are you going to do about it?
  7. Is it best to change processes and such that relate specifically to cloud, or is there a better way?

One concern with starting, as this COSO guidance does, with a focus on cloud is that you might end up dedicating scarce resources to a source of minimal risk to the enterprise.

There is, as always, more to be said. The COSO document can be of value by considering all of its detailed suggestions as ‘food for thought’.

But I cannot recommend adopting it as a framework.

I welcome your thoughts.

Let’s talk about audit reporting

July 26, 2021 5 comments

Richard Chambers, the former CEO and President of the IIA, has moved on to a new stage in his professional career. That includes a new consulting firm, Richard F. Chambers and Associates, which is where he now shares his blog posts.

His latest is Internal Auditors: It’s What You Say – AND How You Say It!

As you might expect, Richard’s comments are valuable and merit our attention.

I think there is more to be said.

In particular, we need to understand why we are writing an audit report in the first place.

I have a fairly lengthy chapter on this in my seminal book, Auditing that Matters – which I strongly recommend for every internal auditor (even though I wrote it).

Here are just a few of the main points:

  • It is critical not only to audit what matters, but to communicate what matters…. It is not about communicating what matters to the auditor. It is about communicating what matters to each of our stakeholders – in operating management, senior and executive management, on the board, and others as appropriate (e.g., regulators and external auditors).
  • Our goal is not to find fault[1]. It is to help management improve their processes, where necessary, through our advice and insight.
  • We need to remember that the task is not to write an audit report. It is to communicate… We need to communicate in a way that is easy for the individual with whom we desire to communicate to receive, absorb, and act on the information they need from us.
  • The oldest communication tool is talking… When a simple “everything is OK” is insufficient, I believe the audit report is only the start of the communication… A face-to-face discussion where the auditor can explain what he or she found, the implications, as well as share his or her advice and insight is invaluable…. A meeting provides the executive with the opportunity to ask questions and make sure he or she fully understands the situation before making decisions and taking actions…. The auditor needs to be disciplined in these meetings, making sure that he or she is listening actively to the executive.
  • The auditor doesn’t have to wait for the closing meeting, let alone the audit report, to share information with appropriate management…. I expect the audit team to communicate that information, relevant insights about root causes and so on, and actionable advice about how to correct the situation as soon as possible.
  • If management responds with alacrity to correct issues, then this should be recognized in the final audit report[2].
  • There is no harm, and every good, in commending management for their commitment to controls. Apart from complying with Standard 2410.A2 (“Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications”), it helps build a solid relationship with management. In addition, the fact that operating management has shown this commitment should be reassuring to executive management and the board.
  • If there is no value in informing more senior management that there was an issue, then I typically won’t mention it – except, perhaps, to say that “additional issues were identified during the audit that were immediately corrected by management”. If I do mention it because the risk, until corrected, was significant, I will also indicate that the risk has now been addressed by management.
  • Management needs to know and understand what we found before they can be expected to agree on the facts and their interpretation – does this represent a risk of significance, what action is required, by whom, and when… There is no excuse, in my opinion, for failing to confirm the facts at the Closing Meeting and then having a dispute when the draft audit report is shared with management…. Equally, the audit team needs to listen to the management team and their assessment of the risk represented by any deficiency. Disagreements after the report has been drafted are a waste of everybody’s time and do little for the audit department’s reputation.
  • We need to make it easy for busy executives to read, absorb, and then act on the results of our work.
  • I believe it is very important for internal auditors, especially the CAE, to understand that the word ‘finding’ can have negative connotations. It can sound like ‘gotcha’ to management, especially if there are financial or other repercussions for a manager should an audit identify control deficiencies.
  • Change is our final product… A finding and recommendation has no value unless it leads to a necessary and appropriate change by management.
  • We must make every reasonable effort to communicate in a fashion that is not judgmental, is fair and balanced, will not be perceived as ‘gotcha’ auditing, and will influence appropriate and necessary change.
  • The only rule I have is that the auditor communicates in a way that both informs management of what they need to know and promotes positive change.

I want to highlight the next lengthy excerpt, which makes points that are at the core of any disagreement I may have with Richard’s post.

The traditional approach is for internal audit to write the finding and a recommendation. Then they ask management to write a response. So, for each finding there is an explanation of the issue by internal audit, a recommendation by internal audit, and a management response. That response may include commentary on the issue and its severity by management as well as a description of the corrective action, if any, they will take.

In most cases, the recommendation and the management response are aligned. But, sometimes there is a difference of opinion.

A report where there is a difference of opinion between internal audit and management is a ‘lose-lose-lose’ situation.

Internal audit loses because they appear:

  1. at odds with management;
  2. unable to agree with management on the assessment and the appropriate and necessary corrective actions that should be taken; and
  3. to have either failed to understand the business and its operating constraints or to explain to management why the issue is significant and requires correction.

Management loses because the audit committee will question their:

  • commitment to controls and the management of risk;
  • inability to ‘educate’ internal audit in the business and its operating realities;
  • cooperation with the audit team; and,
  • inability to resolve disagreement before it comes to the audit committee.

The audit committee loses because:

  1. they are not sure whom to believe;
  2. they do not receive the assurance they need to fulfil their oversight responsibilities and have to be the judge between audit and management;
  3. their confidence in internal audit effectiveness wilts when the CAE seems unable to work with management; and,
  4. their confidence in senior management wanes when they are unable to work effectively with internal audit.

These days, the great majority of internal audit functions work hard to avoid disagreements with management. While they retain their control and ownership of the audit assessment or opinion, they make every effort to listen to management to understand their perspective. Where disagreement remains, they work equally hard to explain their point of view.

People may disagree. That is real life.

But, when it comes to serious issues, all sides should be able to come together.

If the issues are not serious, perhaps they can be handled without the need to display disagreements in front of top management or the audit committee. In fact, they may not rise to the level where they need either party’s attention and can be omitted from the audit report.

I don’t like the appearance of the format that includes a finding, recommendation, and response.

As a rule, the recommendation and response should be the same – so there is little value in repeating the same information in different words.

I prefer to communicate the issue and then the agreed action items.

If we agree on the actions to be taken, then why disguise them as recommendations and responses?

Let’s call them what they are: ‘agreed action items’.

This sends a clear message that internal audit and management are working together to define and then solve any problem.

The audit committee wants to see this almost as much as they want to understand whether there are any serious issues.

They need to have confidence in both internal audit and the management team.

They want to see a commitment from management to controls and the management of risk, and that internal audit and management are working effectively together to resolve problems and effect positive change.

The agreed action items will show:

  • What will be done
  • By whom
  • When

I have highlighted this because Richard focuses on ‘findings and recommendations’, while I far prefer ‘agreed action items’ and even leaving out issues that don’t really matter.


There’s a ton of points in what I have quoted – with much more in the book.

But there is one more point to be made.

While valuable-to-the-business change is one measure of our contribution to the success of the organization, we should not underestimate the value of assurance.

There is value to the board and top management when internal audit assures them that management’s systems and processes should be effective in addressing a significant source of risk.

There is value, even when there is no change. Our leaders can now go forward, relying on their systems and processes, to direct and manage the organization.


I welcome your thoughts.

[1] The value and quality of internal audit work should never be judged on the basis of how many issues they find.

[2] Consistent with Standard 2410.A2.

Auditing Identity and Access Management

July 22, 2021 4 comments

The IIA has published several useful Global Technology Audit Guides (GTAGs), available to members on their website under Standards and Guidance. They are considered recommended rather than mandatory guidance.

However, their recent GTAG, Auditing Identity and Access Management, second edition, should not be recommended. I recommend setting it aside. In fact, I recommend that the IIA delete it.

The primary problem is that the GTAG does not recognize that “there is no such thing as an IT risk, there is only business risk” (Jay Taylor). There are other major issues, but rather than get into the detail of what was wrong or omitted, I will share some alternative guidance.


  1. Don’t audit access management (or anything else) just because the ‘authorities’ say you should. The IIA mandates a risk-based approach and that requires judgment. Audit what matters to the success of your organization.
  2. Where’s the risk? It is important to understand how an access management issue could affect the business. The GTAG falls into the NIST trap of talking about information assets when we should be talking about the potential impact on the business. In fact, access management is not only about limiting who can access information systems and data; it also may limit access to inventory, facilities, people, and equipment! Just think about your card reader at the office.
  3. Any audit of access management should be identified through the singular internal audit planning process, based on which areas represent higher enterprise risk where we can add value. There should not be a separate IT audit risk planning process. Instead, there must be a clear understanding of where access management falls against other sources of business risk – and that will help with the detailed scoping of any audit.
  4. Which access needs to be limited and why? Not all access issues represent a risk of any significance to the business. All audits should focus on what matters to the business. The whole array of controls should be considered in assessing the risk, including business process controls. For example, there may be card readers, guards, and daily inventory counts around valuable raw materials.
  5. Focus on the business controls (or ITGC key controls) that rely on limiting either individual access or a combination of access. For example, a control that says only certain people can approve a journal entry, or an invoice for payment. Then there is the need to limit who can both set up a new vendor and approve payments to them. Can you see where the GTAG mentions a combination of access, apart from in the Glossary? It does not! We need to understand where controls within business processes specify either restricted access (relying on a limited number of people having access) or a division of duties (representing a fraud risk).
  6. Understand how access is controlled, limiting access to individuals authorized in the system. What systems are involved? Are they purchased or maintained in-house? How do they function, including how access limits are set up, enforced, and periodically reviewed?
  7. Are the controls over access adequately designed and operating consistently? This may require understanding and then assessing related IT general controls. It should include testing that the access limits are properly enforced and exceptions investigated.
  8. Are the controls that monitor access rights adequately designed and operating consistently? For example, if a monthly or quarterly report is provided to business managers to review and confirm, what assurance is there that the report is complete and accurate, that it is properly reviewed, and actions taken as needed?
  9. How is access granted? How does the provisioning system work and is it reliable? Consider the need for the access request to be approved, not only by the user’s manager, but also by the owner of the related risk and/or system. For example, the AP manager should approve all access to several functions within the AP system. When a SOX key control is involved, additional approvals may be needed. Is there assurance that access is changed on a timely basis when the individual’s needs change (e.g., through transfer or termination)?
  10. As new systems and processes are introduced or changes made to existing ones, are there adequate controls to ensure access management is appropriately addressed? I have seen situations where a new code was used to distinguish types of credit notes in an SAP system, but the reports used to monitor who had the ability to approve credit notes were not changed.
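Points 5 and 9 above are the kind of thing an auditor can test directly against an access extract rather than a policy document. As an added example (not from the post or from the IIA GTAG), here is a small audit test over a constructed, hypothetical entitlement extract and HR roster: it flags users holding a toxic combination of access (the vendor-setup plus payment-approval case from point 5) and users who still hold access after their termination date (the timely-change concern in point 9). The entitlement codes, user names and dates are all made up for the example.

```python
# Added example: audit tests for "combination of access" (segregation of
# duties) and timely deprovisioning. All data below is constructed.
from datetime import date

# Hypothetical toxic combinations: two entitlements no single user should
# hold (e.g. setting up a vendor AND approving payments to vendors).
TOXIC_COMBINATIONS = [
    ("AP_VENDOR_CREATE", "AP_PAYMENT_APPROVE"),
    ("GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"),
]

# Constructed sample extract: user -> set of entitlements in the AP/GL system.
ENTITLEMENTS = {
    "alice": {"AP_VENDOR_CREATE", "AP_PAYMENT_APPROVE"},
    "bob":   {"AP_VENDOR_CREATE"},
    "carol": {"AP_PAYMENT_APPROVE", "GL_JOURNAL_APPROVE"},
    "dave":  {"GL_JOURNAL_POST", "GL_JOURNAL_APPROVE"},
}

# Constructed HR roster: ISO termination date, or None if still employed.
ROSTER = {
    "alice": None,
    "bob": "2021-06-30",   # terminated but still provisioned above
    "carol": None,
    "dave": None,
}


def sod_violations(entitlements, toxic=TOXIC_COMBINATIONS):
    """Return (user, (a, b)) pairs where one user holds both halves of a
    toxic combination. Sorted by user so the report is stable."""
    hits = []
    for user, grants in sorted(entitlements.items()):
        for a, b in toxic:
            if a in grants and b in grants:
                hits.append((user, (a, b)))
    return hits


def stale_access(entitlements, roster, as_of, grace_days=0):
    """Return users who still hold any entitlement more than grace_days
    after their termination date. Dates are ISO-8601 strings."""
    cutoff = date.fromisoformat(as_of)
    stale = []
    for user, grants in sorted(entitlements.items()):
        term = roster.get(user)
        if term is None or not grants:
            continue
        if (cutoff - date.fromisoformat(term)).days > grace_days:
            stale.append(user)
    return stale


if __name__ == "__main__":
    for user, (a, b) in sod_violations(ENTITLEMENTS):
        print(f"SoD violation: {user} holds both {a} and {b}")
    for user in stale_access(ENTITLEMENTS, ROSTER, as_of="2021-07-22"):
        print(f"Stale access: {user} is terminated but still provisioned")
```

The same two checks also give you a way to test point 8: if the monthly access review report does not surface the rows this script flags, the report is not complete, whatever the sign-off says.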

I am sure there is more to be said, but the key point is that any audit should be based in design and execution on the level of business risk, and not only any generic standard or list of information assets.


I welcome your thoughts.