Archive for the ‘Risk’ Category

Do your leaders see the big picture, or just pieces?

December 27, 2022 6 comments

Let me share a story (based on a real event). Imagine you are watching it unfold on multiple monitors.

On the first screen, management of the company’s largest oil refinery are planning a major capital project to build a new processing unit. One of the refinery’s existing units produces not only highly valuable jet fuel, diesel, and gasoline, but also a variety of medium and low value byproducts (“midstream”). The new unit will reprocess the low value midstream products and convert them to medium value midstream or even gasoline and diesel.

You can see the refinery’s risk officer consulting with the management team. He is helping them with safety, compliance, and a variety of other sources of risk to the project.

The second screen shows the trading floor, where management is monitoring both the prices they will have to pay for the crude oil that is the raw material for the refinery, and the prices that the different products of the refinery can obtain in the market. You can see the trading floor risk officer, monitoring futures and derivative trading and other risks.

In response to a question from refinery management, the traders share the projected prices for the range of products that the new unit will produce.

Using that information, refinery management designs the new unit to generate the optimal mix of products.

Screen three has the financial team preparing forecasts for the rest of the year. They get a projection from refinery management that includes when the new unit will come online, its operating costs, and projected revenue.

The fourth screen shows the Treasury department. They are managing short-term investments and cash flow, based at least in part on forecasts and projections from Finance. The Finance risk officer is tracking and reporting currency, interest, and other sources of risk.

Four months pass.

Turning your attention to the refinery, you see that excellent progress is being made. The new unit is close to 70% complete. It is on schedule and on budget. The refinery risk officer is reporting that all remaining risks are within acceptable limits.

The traders continue to monitor raw material and product prices. They decide to change their derivatives trading strategy, as they are seeing a significant shift in the market. Product prices are shifting. The low value midstream products are increasing in value, while prices for gasoline and the medium value byproducts are falling. But while they (with the help of their risk officer) report that to senior management, they are focused on their own operations. They optimistically project no change in revenues, although there is a significant possibility that total revenues will fall.

Finance and Treasury continue as before.

Another two months go by.

The traders raise the alarm that revenue is dropping. Product prices have fallen steeply and are not expected to come back in the near future. They apologize for not warning everybody earlier.

Finance hurries to update the forecast and the executives meet to decide whether to change the projections they have shared with analysts and others.

Management at the refinery are innocently continuing to work on completing the new unit, which is scheduled to start operations in thirty days. Everything is looking good.

Meanwhile, Finance has shared its updated forecast with Treasury. With the drop in projected revenue, Treasury alerts the CFO and top management that cash flow is drying up. They will have to cut back 100% on capital spending, at least for the next month or more.

You see the CFO meeting with the refinery manager, asking him to defer any capital spending for three months. Words are exchanged, and the CFO is told that the money has already been committed on the new unit. Canceling or deferring the remaining construction will delay opening by three to six months, increasing costs, and reducing revenue.

The CFO replies that there is no cash to spend, and he cannot obtain new funding quickly.

Reluctantly, the refinery manager calls in his team and they figure out how to cut back work on the new unit.

Three months later, the executive team meet to celebrate the opening of the new unit.

However, refinery management and Finance tell them that it will not generate the return on investment that had been expected, due to the change in product prices.

The refinery manager informs the CEO and the rest of the executive team that had they known, months earlier, that the prices for the mix of products of the new unit were changing, they could have modified the design. They could have made some adjustments to increase the volume of what were now higher value products.

But they didn’t know. Nobody told them, and they didn’t ask.

The Lesson Learned

People talk about the problem created when risk is managed in silos. That problem is what enterprise risk management (ERM) is intended to address.

But while it is true that risk is interconnected and so on, I would express the problem differently.

In this tale (again, based on a true story from my time at the oil refining and marketing company), the company was being managed in silos.

I have seen this time and time again.

When management is managing just their piece of the puzzle, they may optimize that piece at the expense of the whole picture.

I have seen:

  • Two divisions of one company competing against each other for the same contract
  • The three business units of another company fighting against the CIO’s proposal for a company-wide ERM. As a result, each business unit purchased their own systems that were not connected or integrated in any way.
  • A factory that made enclosures for the company’s products deciding to sell them to a third party instead of their sister factory. The enclosure factory generated more revenue but forced their sister to purchase their enclosures from a third party at much higher cost.

When we see this, we need to ensure top management and, if necessary, the board know what is happening.

Managing the company in silos, perhaps enabled by addressing risk in silos, is a serious inhibitor of success.

Is this something you see in your organization?

I welcome your comments.


My Duel with Richard Chambers on Audit Opinions

December 24, 2022 1 comment

I recently debated with Richard Chambers (thank you to Jon Taber) the value of an audit opinion.

You can find it here:

Please share your thoughts.

Internal audit and risk management

December 23, 2022 2 comments

The results from my recent survey (thanks to the 75 internal audit practitioners who responded) are interesting. (You can see the results of the earlier survey here.)

First, I will review the answers about auditing risk management.

Q1: Does your internal audit function audit the organization’s management of risk?

62 (83%) indicated that they do, in one form or another. That’s good news.

Skipping the next two for a moment:

Q4. If you audit risk management, which of these is your approach? Check all that apply.

  • 37 (50%) said “We assess whether risk management practices meet the needs of the organization for decision-making”. That is my favorite answer.
  • 42 (56%) audit compliance with policies and procedures. Maybe necessary, but not sufficient IMHO.
  • 29 (39%) assess the accuracy of management’s risk reporting. I have an issue with this if internal audit is seen as knowing better than management what the level of risk is. It’s also a moving target, so I would have to see what these functions are doing.
  • 22 (29%) use a maturity model. I like this approach and included one in Risk Management for Success.
  • 36 (48%) use a standard or framework:
    • 16 use the ISO 31000 risk management standard
    • 13 prefer COSO’s ERM Framework
    • 7 use a different framework

Q5. If you don’t audit risk management, why is that? Answer all that apply.

  • 12 said there is no risk management function to audit. However, IMHO that just changes the audit. It shouldn’t be an audit of the function; it should be an audit of how well management addresses risks to objectives.
  • 7 said they don’t have the support of management for such an audit. I don’t think that should be a sufficient deterrent.
  • But 7 said they don’t have the support of the board! I hope the CAE made sure the audit committee understood why this is a problem.
  • 5 said that other functions, such as the external auditor, assess risk management.
  • 5 said it’s not a priority. Hopefully, that’s because the CAE has confidence (such as from a prior audit) that the risk of poor risk management is low.
  • 3 don’t have sufficient experience. I hope they work around that.
  • 1 doesn’t have the budget. Hopefully, the CAE is discussing that with the audit committee.
  • 9 cited other reasons.

Going back to the second question:

Q2. Who completes the risk identification and assessment that management and the board rely on? Answer all that apply.

This is a question that will interest Tim Leech. The answers will probably surprise him as much as they surprised me!

  • 19 (25%) said management and the board rely on internal audit’s assessment. I am surprised that it’s so many, and Tim will be surprised that it’s so few. Risk assessment is a management responsibility, and the CAE should be telling the board and CEO that this is a huge problem. As CAE, I would not be comfortable if management relied on my assessment instead of their own. (Of course, internal audit can gain an understanding of the more significant risks when building and maintaining the audit plan.)
  • In 45 (60%) cases, a risk management function is responsible.
  • 24 (32%) said they have separate risk assessments in different parts of the business.
  • 4 don’t have a risk assessment, and 2 didn’t know.

Q3. When you perform an audit, do you review management’s risk assessment of the area and provide an opinion on its accuracy?

  • 35 (47%) not only said that management has a risk assessment for the area under audit, but it is reviewed as part of the audit. That is encouraging – more than I expected.
  • 21 (28%) said management doesn’t have a risk assessment for the area being audited.
  • 18 simply said No, and 1 didn’t know.

The next two questions are important.

Q6. Do you use management’s risk assessment in building the audit plan?

12 replied that management doesn’t have a risk assessment, so they can’t use it. Of the 63 who do:

  • 40 (63%) said Yes.
  • 20 (32%) said that they rely on it to a limited extent.

Q7. Is your audit plan based on an assessment of risks to the enterprise?

  • 32 (43%) said that they “audit the controls over the more significant risks to the enterprise and its objectives. We don’t perform full scope audits of processes or units”. This is my preferred approach.
  • 31 (41%) audit “those business units and processes that represent the greatest risks, and then audit the controls over the risks to those units and processes”. This is the traditional approach that I hope people are starting to realize is misguided. You will audit risks that matter only to middle management, if that, and not limit your work to what matters to the success of the enterprise.
  • 6 (8%) still use the antiquated cyclical approach.
  • And another 6 have taken a different approach (undefined).

Q8. Are you changing your approach in 2023 and beyond?

  • 34 (45%) are staying with the same approach.
  • 23 (31%) are definitely changing.
  • 19 (25%) might change.

I welcome your thoughts on the results.

My opinion of audit opinions

December 19, 2022 4 comments

Last week, I was in a duel with Richard Chambers on the topic of internal audit opinions.

Neither of us had much time to express our views, so I am taking the opportunity of today’s post to share some insights that might be useful.

Last month, I ran a survey that asked internal auditors “How do you communicate your overall opinion?” The answers were:

  • We don’t include an overall opinion on the adequacy of controls over the risks in scope… 8.7%
  • We use traffic lights, such as red/yellow/green… 19.0%
  • We use language like “the controls are effective, adequate, or ineffective”… 41.3%
  • We construct an opinion statement that reflects not only whether the controls are adequate overall, but which risks might not be at unacceptable levels… 23.0%
  • Other… 7.9%

Consider four identical manufacturing companies where internal audit has completed an audit of their inventory management processes. This is a critical activity for them (as it is for businesses in many sectors, such as retail and wholesale, oil and gas, and more).

Imagine that you are on the boards of each company and reading the audit reports.

All the audits found the very same six issues. But they reported them differently.

The auditors of Company A wrote that they had completed their audit of inventory management processes and found a number of issues of concern. In their Findings section, they explained that six controls were not functioning as designed. The auditors went on to recommend that management ensure they function properly in future, and management responded that they would.

Company B’s auditors had a different report. While they also reported that they had completed their audit of inventory management processes and found a number of issues of concern, they commented that the controls over inventory management “needed improvement”. They listed the six findings in the Executive Summary and put a traffic light color next to each, indicating their opinion of the severity of the finding.

Company C was different again. The report was similar to that for Company B, but this time the opinion specified the risks that had been audited, not just the controls. The auditors’ opinion was that the controls over inventory-related risks, such as ensuring the accuracy of inventory records and the quality of materials, needed improvement.

Finally, there is Company D. This time, the audit opinion was:

“Several controls were not operating properly, and management has agreed. As a result, there is an unacceptable level of risk that insufficient raw materials will be on hand when needed for production. In addition, what material is in inventory may not be of the appropriate quality. Should that occur, sales and customer satisfaction will be severely impacted and the company’s revenue targets for the quarter (if not the year) might not be achieved.

“Management has agreed with this assessment and has already started the process of upgrading the controls, scheduled for completion next month.”

My survey indicated that less than a quarter of internal audit departments (if the survey is representative) would include an opinion like that of Company D.

In the duel, Richard and I both agreed that we needed to provide the assurance, advice, and insight that management and the board need.

Which of the four companies’ audit departments did that?

The auditors at Company D had to do more work, primarily sitting down with management and having a constructive discussion to (a) confirm the facts, (b) agree on what the facts meant, (c) consider options for addressing the risks, (d) review the language that will be in the report, and (e) discuss how best to communicate the situation to senior management.

But there is huge value in that additional work.

Where are you?

Are you going to adopt Company D’s approach?

I welcome your comments.

By the way, if you haven’t responded to my second survey, please do so.

Designing efficient and effective audits

December 16, 2022 7 comments

Before I start today’s post, may I ask the internal auditors who haven’t already done so to respond to my latest survey, here?


Yesterday, I fought a duel (up to you to decide who won) with my good friend, Richard Chambers. It was hosted by Jon Taber (see footnote for the links) on the topic of audit opinions.

At one point, Richard made the excellent point that you shouldn’t provide an opinion without having done the work to support it.

My reply was that you should start the audit with the end in mind.

If you plan to express an opinion at the end of the audit on the adequacy of controls to manage specific risks, then the scope of the audit should be designed to enable that opinion.

Do enough work to reach and support your opinion – and no more, unless you desire to audit controls and processes that are not relevant to your audit objectives (“muda”).

One of the fights I have been engaged in for a long time now is against full scope audits, especially those performed on a cyclical basis.

We should (as guided by the IIA’s Standards) be performing risk-based auditing.

That means that we should be auditing the controls over the more significant risks to the achievement of enterprise objectives. That is not the same as auditing the controls over a business process!

When you audit an entire process or business unit, you are going beyond the things that matter (controls over significant enterprise risks) to things that don’t matter to leadership (risks to the process or business unit that don’t have much effect on the achievement of enterprise objectives).

The key to efficient and effective auditing is focusing exclusively on what matters; stop auditing what doesn’t matter to the achievement of enterprise objectives.

Audit the controls over enterprise risks, not controls over local risks.

The excellent magazine of the IIA features a piece by my pal, Dave Salierno.

“Brief, highly focused internal audits can produce rapid results for audit clients” features comments by Hassan Khayal, an internal audit manager at Scope Investment (based in Dubai). The CAE there is Vijesh Ravindran.

Dave tells us:

…one internal audit function has fundamentally transformed its approach to audits. Responding to the need for increased agility and speed, auditors at a private investment firm based in Dubai, United Arab Emirates, began performing fewer large-scale, traditional audits in favor of faster engagements with a much narrower scope. These “burst audits” enabled the audit function to conduct operational risk assessments quickly and on short notice, and provide near-immediate feedback.

He continues with:

“Throughout the company, people were trying to address new challenges and quickly find solutions,” Khayal says. Clients asked how internal audit could help them. “Many of our clients suddenly needed quick assessments and recommendations.”

Providing those assessments through traditional audits could take months for each engagement. To meet the moment, the internal audit team began performing short, operational risk reviews that gave clients the rapid recommendations they needed. As small issues began arising throughout the firm, auditors started performing these reviews regularly — one- to two-week engagements that each covered a narrow, highly focused area. The approach enabled practitioners to make a quick impact and then swiftly move on to the next area in need of attention.

Unfortunately (in my opinion), the company continues to perform “large-scale, traditional audits” that cover an entire process or business activity.

If you can narrow your focus to providing an opinion (an “evaluation” per the Standards) as to whether controls are adequately designed and operating effectively over specified risks to objectives, ALL your audits can be “burst” audits that last weeks instead of months, delivering the assurance, advice, and insight that leadership needs, when they need it.

Why is it necessary to perform fast, efficient, focused audits?

Every hour saved by not auditing what doesn’t matter is an hour that can be spent on an additional audit that addresses something that does matter.

Can we eliminate full scope audits?

Can we move to enterprise risk-based audits?

I welcome your comments.



You can find the duel on LinkedIn (which is where you can vote for the winner), Apple podcast, or Spotify.

A survey of internal auditors and their approach to risk management

December 13, 2022 5 comments

I would appreciate your help with another short survey.

This time it’s about how internal auditors address risk management, including whether and how they audit it; who performs the risk assessment for management and the board; and how the audit plan is built.

You can find it here.

Thanks in advance. I will share the results in a future post.

Some auditors need to kick bad habits

December 12, 2022 7 comments

The Institute of Internal Auditing is in the process of updating its International Professional Practices Framework (IPPF), which includes the International Standards for the Professional Practice of Internal Auditing.

It is necessary, as some in the profession need a kick.

A friend recently told me that they connected with audit leaders at peer organizations (other mid to large, complex organizations) to understand how long/large their audits typically are. They perform cyclical audits of auditable entities (an audit universe) that last up to 12 weeks. 

So cyclical audits are alive and well, even though the practice should have died off decades ago.

Also alive and well are long audits of an entire process or business unit.

Too few are taking a risk-based approach to internal auditing.

Audit the controls over the risks, not entire business processes!

Don’t waste your or management’s time auditing more than you need to provide the assurance, advice, and insight management and the board need.

I have asked the IIA to use the opportunity of the IPPF update to jolt people out of these poor practices.

They replied, “That is our goal too, business objective-based and risk-based audit”.


Let’s have a quick look at what the IIA currently says about the role of internal audit.

The Definition of Internal Auditing is:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The Mission of Internal Audit takes the ideas to a higher and more active level:

The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

This is supported by the last three of the IIA’s Core Principles for the Profession of Internal Auditing:

  • Provides risk-based assurance.
  • Is insightful, proactive, and future-focused.
  • Promotes organizational improvement.

I don’t think you achieve these through full scope, cyclical audits of business processes or units.

I think you achieve them through audits that focus on the more significant risks to the enterprise: enterprise risk-based auditing.

That is what the current Standards say:

2010 – Planning

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.


To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.


2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

    • Achievement of the organization’s strategic objectives.
    • Reliability and integrity of financial and operational information.
    • Effectiveness and efficiency of operations and programs.
    • Safeguarding of assets.
    • Compliance with laws, regulations, policies, procedures, and contracts.

Frankly, I don’t understand how an internal audit function passes a Quality Assurance Review when they practice cyclical or full scope auditing.

Moving on, the IIA has shared a draft Purpose statement. I’m not sure how a Purpose statement differs from a Mission statement, and why you need both. But here it is:

Internal auditing enhances the organization’s success by providing the board and management with independent advice and assurance.

Tim Leech doesn’t like it (see here). He prefers:

Ensure the board and CEO are receiving reliable information on the likelihood/risk top value creation and preservation objectives will be achieved with a level of uncertainty acceptable to the board

I prefer something more active, more than providing assurance on risk reporting. Frankly, the draft is weaker than the existing Mission statement.

I would like to see something like:

Provide the risk-based assurance, advice, and insight that leaders of the organization need for success.

Why this?

  • It talks about risk, while the current draft does not. It just talks about advice and assurance, but does not say on what.
  • The current and proposed guidance allows for any level of assurance. Mine requires a more complete level of assurance. An Interpretation statement would explain that the assurance should be on the risks that matter to the achievement of enterprise objectives.
  • I have added “insight”, which is an important source of value to our customers.
  • It makes it clear that we should provide what our customers need, not just what we think is valuable or would contribute to their success.
  • Independence is a given, and anyway objectivity is more important.

What do you think?

  1. How do we persuade CAEs to discard cyclical auditing and full scope auditing, replacing them with risk-based auditing?
  2. How would you modify the Purpose statement?

Excellent points made by a prominent CRO

December 8, 2022 3 comments

Earlier this week, I enjoyed a conversation with Joshua Rosenberg, Executive Vice President and Chief Risk Officer of the Federal Reserve Bank of New York.

It was great to chat with a gentleman who has a prominent position, and whose thinking on risk management appears to be well aligned with mine (with a few exceptions, like risk appetite and risk registers).

His October speech to the Central Bank of Nigeria’s Second National Risk Management Conference made some excellent points, including:

  • …by integrating risk management into plans, decisions, and actions, we can succeed over a wider range of possible futures, not just the future we expect (or hope for).
  • … potential misunderstandings that might prevent us from getting the most out of risk management. The first is that risk management is mainly a way to stop bad things from happening. Of course, risk management should help us reduce the frequency and size of negative events and then recover more quickly and effectively when negative events occur. But, risk management, in my view, should also help the right things happen by giving us tools to work more effectively.
  • Second, risk management could be misunderstood as primarily the responsibility of risk management specialists. Actually, effective risk management is a way for everyone in an organization to help things go right. From the economic analysts to the cash processing operators to the software engineers, we can make better plans, decisions, and actions when we are prepared for change and have the capacity to adapt to surprises. So, most of the risk management that occurs in an organization will be done by people who don’t have the word “risk” in their job title.
  • And third, risk management could be misinterpreted as an attempt to create a contingency plan for every possible thing that could go wrong. It is important to prepare by scanning the horizon, exploring the range of possible futures, and understanding how those futures could help or impair desired outcomes. We do want to invest in effective responses to key scenarios. However, no organization has the resources to prepare for all possibilities. And, no matter how creative we are, we still can’t imagine every one of them anyway. As it is said, “Things that have never happened before happen all the time.” So, effective risk management is more than planning. It is creating the capacity to adapt to and recover from unexpected shocks, which is what we often mean when we talk about resilience.
  • To me, successful risk management is as much about culture as it is about structure…. To me, there are four central aspects of culture that support effective risk management: learning, listening, helping, and speaking up. In a learning culture, we think about and plan for what might happen. And, we learn from experience, what went well and what didn’t, so we can improve for next time. In a listening culture, we seek advice, appreciate a fresh perspective, and are open to new ideas and feedback so we can improve. In a helping culture, we work together across the organization, building on each other’s strengths, and helping when we have an opportunity. And, in a speaking up culture, we let our colleagues know when we see a problem or after something goes wrong so that we can get started fixing it. Risk management is a creative, social process. It is a way of thinking, doing, and interacting. To bring it to life, we need to work together across the organization, staying continuously curious about the changing risk landscape and possible futures.
  • A foundational component of resilience is that an organization can operate as a coordinated system in order to successfully adapt to changes in the environment.
  • Here’s the realism: while we might prefer never to be surprised, we will be. The optimism is: effective risk management can help us be less surprised and respond better when we are. And, a strong risk management ecosystem will be self-sustaining because it generates demonstrable value – that is, practical and timely solutions to material problems – to help our organizations succeed in all environments.

In his role, Josh is naturally focused on the downside of risk, rather than the need to take the right level of the right risks so you can seize opportunities and achieve objectives.

Setting that aside, he has a practical approach to risk management that sees huge value in helping his organization and its leaders succeed – and not just manage and mitigate risks.

I welcome your comments.

When the board insists on a list of the top risks

December 5, 2022 3 comments

Recently, Tim Leech asked this question in a LinkedIn post:

What should a CRO or CAE do if the board insists they still want a list of “top risks” plotted on a color risk profile; and soundly reject the ISO view “risk” is “effect of uncertainty on objectives”, and COSO position “risk” is “the possibility that events will occur and affect the achievement of strategy and business objectives.”

My comment in response was:

The roles of the CRO and CAE should not be mixed up like this.

If the company is managing a list of risks instead of the business, the CRO has a clear opportunity and obligation (IMHO) to show a better way.

Continue to provide a list of risks (it still has some value), but team with performance management to provide (as I explain in my books) a list of objectives, their current status, and the likelihood they will be achieved by the end of the period.

The CAE is in a very different position, unless they are also CRO (in which case, the above applies).

The CAE should not assess and provide an opinion on whether the company is in compliance with its risk management policies.

Instead, the CAE should provide an opinion on whether risk management practices meet the needs of the organization. That will entail pointing out how a list of risks fails to drive decision-making and success.

While it is difficult, as Tim points out, to tell the boss that they are wrong, whether we are the head of risk management (CRO) or internal audit (CAE), we have a professional responsibility to provide leaders with what they need.

Sometimes, they don’t know what they need!

Their experience, which may be at other organizations, has put them in a box. If they liked what they had before, it can be difficult to change.

As I said in my comment, we shouldn’t mix up the roles and responsibilities of the CAE and CRO.

The CRO is responsible for helping management and the board understand what might happen, so they can make the appropriate strategic and tactical decisions necessary for success.

The CRO helps management and the board take the right level of the right risks.

While a list of top risks has some value, it is not enough to inform decision-making.

In fact, it is rare for a decision-maker to refer to the list of top risks in making an important business decision – whether strategic or tactical.

In fact, a list of top risks is going to be out of date very soon after it is prepared, since business conditions and risks are changing all the time.

A list of top risks has value when it comes to making sure the risks that merit specific and continued attention are getting it.

But the business is run every day.

Every day, decisions have to be made that not only need to consider what might happen (risk and opportunity) but will also create or modify existing sources of risk and opportunity.

The CRO and their team add more value when they enable daily activities and decisions to be of high quality.

I have advised CROs, management teams, and boards to integrate performance and risk management. The CRO should work with the CFO and others to ensure leaders understand whether, considering current status and what lies ahead, the organization is likely to achieve its objectives for the period.

When I have shown them examples of such reports, explained in my books (such as Risk Management for Success), they have embraced them.

A list of top risks becomes a secondary source of information.

The CAE is in a different position.

The CAE has a responsibility for providing assurance to the board and management that risk management practices are effective.

But that is not achieved when it is limited to the periodic review of a list of top risks.

When that is all the board receives, board oversight of risk management is insufficient.

My advice to the CAE is to work with the CRO first. Try to get the CRO to provide the board and top management with an integrated risk and performance report.

After all, it is risk to objectives that needs to be addressed, not risk in a silo, out of context of running the business.

I would also work with the CEO (or other top management influencer, but the CEO is going to be the decision-maker), helping them understand what is missing.

Help them understand how effective risk management helps them succeed, not just avoid hazards and tick the compliance box.

The CAE should audit risk management and report its deficiencies, the primary one being that a list of risks (or a heat map) is insufficient.

So much more value can be derived.

I welcome your thoughts.

New US government guidance on cyber risk

November 28, 2022 2 comments

I was surprised and pleased, surprised and flattered, and then disappointed by a new publication by NIST (the US Department of Commerce’s National Institute of Standards and Technology).

NIST published NISTIR 8286D, Using Business Impact Analysis to Inform Risk Prioritization and Response this month.

I have been saying that in order to understand how a cyber breach might affect the business, a business impact analysis (such as contingency planners have been using for decades) should be performed. The analysis should be a joint effort between operating management (who understand the business) and the technical teams (who understand how a breach might happen).

I was surprised and pleased that NIST decided to respond with this new guidance, even to the extent of using some of my language.

The Abstract says:

While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide a broad understanding of the potential impacts of any type of loss on the enterprise mission. The management of enterprise risk requires a comprehensive understanding of mission-essential functions (i.e., what must go right) and the potential risk scenarios that jeopardize those functions (i.e., what might go wrong).

While I noticed that NIST remains focused on assessing risk to information assets, instead of to enterprise objectives or (as they say) the enterprise mission, I was surprised and flattered to read the following in the Acknowledgments:

The authors also thank… individual commenters Simon Burson and Norman Marks.

But the guidance is disappointing.

The Abstract continues with:

The process described in this publication helps leaders determine which assets enable the achievement of mission objectives and evaluate the factors that render assets as critical and sensitive. Based on those factors, enterprise leaders provide risk directives (i.e., risk appetite and tolerance) as input to the BIA. System owners then apply the BIA to developing asset categorization, impact values, and requirements for the protection of critical or sensitive assets. The output of the BIA is the foundation for the Enterprise Risk Management (ERM)/Cybersecurity Risk Management (CSRM) integration process, as described in the NIST Interagency Report (IR) 8286 series, and enables consistent prioritization, response, and communication regarding information security risk.

There are some good sections, like this from the Executive Summary:

Risk is measured in terms of impact on enterprise mission, so it is vital to understand the various information and technology (IT) assets whose functions enable that mission. Each asset has a value to the enterprise. For government enterprises, many of those IT assets are key components for supporting critical services provided to citizens. For corporations, IT assets directly influence enterprise capital and valuation, and IT risks can have a direct impact on the balance sheet or budget. For each type of enterprise, it is both vital and challenging to determine the conditions that will truly impact a mission. Government agencies must provide critical services while adhering to priority directives from senior leaders. In the commercial world, mission priority is often driven by long-term goals and factors that might impact the next quarter’s earnings call. Therefore, it is highly important to continually analyze and understand the enterprise resources that enable enterprise objectives and that can be jeopardized by cybersecurity risks.

However, they continue to justify the use of a cybersecurity risk register and a focus on managing and mitigating risk to information assets:

The NIST Interagency Report (IR) 8286 series has coalesced around the risk register as a construct for storing and a process for communicating risk data [NISTIR8286]. Another critical artifact of risk management that serves as both a construct and a means of communication with the risk register is the Business Impact Analysis (BIA) Register. The BIA examines the potential impacts associated with the loss or degradation of an enterprise’s technology-related assets based on a qualitative or quantitative assessment of the criticality and sensitivity of those assets and stores the results in the BIA Register. An asset criticality or resource dependency assessment identifies and prioritizes the information assets that support the enterprise’s critical missions. Similarly, assessments of asset sensitivity identify and prioritize information assets that store, process, or transmit information that must not be modified or disclosed to unauthorized parties. In the cybersecurity realm, the use of the BIA has historically been limited to calculations of quality-based and time-based objectives for incident handling (including continuity of operations and disaster recovery).

Because the BIA serves as a nexus for understanding risk (which is the measurement of uncertainty on the mission), it provides a basis for risk appetite and tolerance values as part of the enterprise risk strategy. That guidance supports performance and risk metrics based on the relative value of enterprise assets to communicate and monitor Cybersecurity Risk Management (CSRM) activities, including measures determined to be key performance indicators (KPIs) and key risk indicators (KRIs). The BIA supports asset classification that drives requirements, risk communications, and monitoring.

There is value in understanding what systems and data need to be protected, but NIST is still not assessing the risk to the mission (the business) of a breach: the range of potential effects and their likelihoods.

This is how I see the issue:

  1. The organization needs to prevent, to the extent that is reasonably possible, a cyber breach. However, the entrance point of a breach is not necessarily in a critical information asset.
  2. It should invest in cyber commensurate with the risk to the business. That requires understanding the range of potential effects and their likelihoods.
  3. The potential effects of a breach should be minimized where possible, using tools and techniques such as encryption, backup or even redundant systems, etc. Understanding the critical information assets is necessary to do this well.
  4. The organization needs to be able to respond and recover promptly from a breach, minimizing any damage. This requires knowing that a breach has occurred (a major problem since past breaches have not been discovered for up to a year), what has been affected (also a major challenge), and taking appropriate actions to restore service – including reprocessing transactions, etc., communicating with third parties, and more.

If there is a risk tolerance or other criteria that should be used to assess whether the level of cyber risk is acceptable, it should be based on the level of risk to the business, not to individual information assets.

I am concerned that a focus on risk to information assets will not enable:

  • An intelligent determination of the appropriate level of business investment in cyber risk prevention, resilience, and response.
  • The ability to make an informed and intelligent decision on whether to take the cyber risk involved in an early rollout of a new product because of the potential for reward.
  • The protection of non-critical assets that can be a gateway to access to critical ones.
  • The consideration of all sources of business risk, including but not limited to cyber, when making strategic and tactical business decisions.

There is value in understanding which information assets are critical to the business, but only once the level of risk to the business of a breach is understood.

Once the level of investment in cyber has been determined, then and only then does understanding which information assets are critical have value. It can help allocate resources between them.

However, I return to the point that a vulnerability to a non-critical asset can lead to damage to a critical one.

It’s a long time since I was responsible for information security at a major financial institution, so maybe I am missing something.

Your comments and insights would be appreciated.

Putting cyber risk into business perspective

November 22, 2022 14 comments

I am in the process of writing a new book. It is intended as guidance for senior management and board members on decision-making when it comes to cyber risk.

I see a gap in their understanding of the level of business risk, and that creates problems when it comes to deciding how much of their organization’s scarce resources (people and money) should be invested in preventing or minimizing the effects of a data breach.

I believe they tend to respond to risk assessments by the CISO or others in the management team that label the level of risk as “high”, but do not describe the potential effects on the business and its success, nor the likelihoods of such major impacts.

They also respond to media headlines and the advice of consultants who may not fully understand the business and are not really objective.

Money, as we know, does not grow on trees.

Every penny spent on cyber risk is a penny that is not spent addressing other sources of business risk and opportunity, such as supply chain risk, competitor risk, new or upgraded technologies, marketing programs, customer service, and so on.

As I was doing my research, I reviewed a 2021 study by PCH Technologies, Cost of Cyber Attacks vs. Cost of Cyber Security in 2021. They reported that these four breaches were among the most severe in 2020 and 2021.

I added a note to the PCH language for each of the four that puts the scale of the breach into business perspective.

  1. Solarwinds, a company that makes business software, was compromised at some point in 2020. This was an advanced persistent threat (APT) that proved very hard to detect. In total, the company reported losses of $25 million to its investors.

Note: Solarwinds revenue in 2020 was $1.1 billion, so the losses were 2.27% of revenue.

  2. Amazon was targeted with a DDOS attack earlier… and it succeeded. They were only down for a little over an hour, but the total losses were somewhere in the neighborhood of $75 million.

Note: Amazon’s revenue in 2020 was $386 billion, so the loss was trivial by comparison.

  3. In May of 2021, Brazilian meatpacking company JBS was the victim of a ransomware attack. The ransom alone was $4.4 million, and the loss of revenue might have been even greater.

Note: JBS’s 2020 revenue was $71 billion.

  4. On May 6, 2021, the Colonial Pipeline was hacked, and the ransom paid by the company was reported as $5 million.

Note: This was 1% of Colonial Pipeline’s 2021 revenue of $500 million.

IBM has sponsored independent studies by the independent research organization Ponemon Institute of the cost of a data breach for 17 years. Their latest, Cost of a Data Breach 2022, “studied 550 organizations impacted by data breaches that occurred between March 2021 and March 2022. The breaches occurred across 17 countries and regions and in 17 different industries.”

Their insights included:

  • The average total cost of a data breach was $4.35 million ($9.44 million in the US); the average cost of a ransomware attack was slightly more, at $4.54 million.
  • 83% of organizations that had a breach had more than one incident.
  • The average time to identify and contain a breach was 277 days. This is a reduction from the 287 days in 2021.

In general, costs are increasing – but that is not universal. Six countries (Germany, Japan, France, South Korea, Scandinavia, and Turkey) saw a year-on-year decrease.

When you look at the cost of a breach by industry, Healthcare suffered the highest average cost, at $10.10 million, with Financial Services next at $5.97 million.

My questions to all of you:

  1. How significant is cyber risk at your organization? Is it really a top ten source of risk to the business and its objectives?
  2. Are management and the board of your organization able to compare the level of risk to other sources of business risk and opportunity, so they can make informed and intelligent decisions about how much to invest?
  3. How confident are you that your organization is obtaining an acceptable return on its investment in addressing cyber risk, given the alternative returns on other investments?
  4. How confident are you that management understands the dynamic nature of cyber risk (and most other sources of risk to the business)? It is changing constantly.

I welcome your answers and comments.

The internal audit survey results

November 17, 2022 1 comment

I thank the 127 people who answered my survey. I think you will find the results interesting.

As a reminder, I had asked that only internal audit practitioners complete the form.

As with the earlier risk management survey, the results may be a little biased as the respondents are all people who follow me on LinkedIn and/or on my blog.

There are a great many questions I could have asked but limited this survey to 12 questions. If you would like a future survey to address other issues, please add a comment with your suggestions on the blog (i.e., all in one place).

The first two questions were about the length of audit engagements.


126 answered the first:

  1. What is the average length of an audit or consulting engagement in hours?
  • 40 hours or less… 5.6%
  • 41-100… 16.7%
  • 101-200… 19.0%
  • 201-300… 21.4%
  • 301-400… 18.3%
  • 401-500… 7.9%
  • Over 500… 11.1%

Over my two decades as CAE, I led teams with two different approaches to assurance engagements.

At Solectron, I would send a team of about 5 people for 2 weeks to one of our global sites (a manufacturing or assembly operation) where they would assess controls over a variety of significant enterprise risks: financial, operational, technology, and compliance. The average length was about 600 hours. However, we also performed audits of corporate functions that focused on a much more limited number of enterprise risks and averaged closer to 150 hours. Overall, the average length of an assurance engagement was probably around 400, about the same as the average consulting engagement.

At my other companies, consulting engagements (such as pre-implementation reviews) could extend over months (the length of the project), but assurance engagements averaged about 150 hours.

The assurance engagements were short because:

  • My team consisted of experienced business-savvy auditors, with no junior staff. They knew what they were doing each time and were able to use their initiative in performing the audit. They were respected by their client.
  • Each audit focused on a few risks of significance to the enterprise rather than to the business unit or process being audited.
  • We only tested and assessed the controls relied on to address those few sources of risk.
  • We were able to stop auditing once we had done sufficient work to form an opinion.
  • We talked with (rather than “to”) management throughout the engagement and were able to agree on the facts and their interpretations without difficulty. The fact that the auditors were business-savvy and practical helped a great deal.

You can read more about my approach to internal auditing in Auditing that Matters.


125 people answered the next question:

  2. What is the shortest audit or consulting project your team performs (in hours)?
  • 10 or less… 12.8%
  • 11-50… 40.8%
  • 51-80… 14.4%
  • 81-100… 11.2%
  • 101-150… 8.0%
  • 151-175… 4.8%
  • 176-200… 0%
  • 201-250… 3.2%
  • Over 250… 4.8%

I find this very encouraging. More than 79% of the respondents had engagements of 100 hours or less, with more than half spending 50 hours or less.

I may be wrong, but this tells me that most of the internal audit activities represented here have found a way to focus at least some of their audits on a single enterprise risk.

Very few are spending at least 200 hours on every audit.

Between these two questions, I am encouraged that “full scope” audits of a business unit or process are a dying breed.

The era of audits that extend over months with a team of auditors is starting to end, if not already over for many.

I will skip the third question for a moment and go to #4, which addresses this issue.


125 answered:

  4. Do you perform full scope audits or focus on controls over high risks?
  • Full scope audits, all the controls over risks important to the entity being audited… 42%
  • Our audits focus on controls over risks that are important to the enterprise as a whole… 53%
  • Other… 6%

Maybe I spoke too soon! It’s a slim majority in favor of audits that focus on enterprise risks.


Coming back to the third question, which was answered by 125 auditors:

  3. When do you discuss control deficiencies with management?
  • The day we find them… 16.0%
  • Within a day or two… 21.6%
  • Within a week… 25.6%
  • Within two weeks… 6.4%
  • At the end of fieldwork… 19.2%
  • After we share the draft report… 11.2%

This is again encouraging.

Nearly 80% discuss issues with management before the end of fieldwork, generally within a week or less.

Moving on.

The next question was answered by 126 people:


  5. Do you perform the same audits every year?
  • Never… 38.9%
  • Often… 40.5%
  • Frequently… 20.6%

When you take a risk-based approach, you don’t audit based on a cycle (designed to audit everything over a period such as five years). You include in the audit plan engagements to address the more significant enterprise risks of today and tomorrow.

This should lead to performing the same audit in consecutive years only on those few occasions where both the risk level and the value of an audit remain high, or where the audit is required by the regulators.

I am pleased to see a substantial number answering this, “never”.


The next question is about audit reporting, answered by 126 people:

  6. Do your reports include recommendations or agreed action items?
  • Recommendations and management responses are separate… 4.0%
  • Recommendations and management responses are both in the report… 67.5%
  • Agreed action items… 27.8%
  • Other… 0.8%

When I started, in the Stone Age of internal auditing, the audit report would be issued and management asked to provide separate responses. While there are still a few CAEs that haven’t discovered fire, most have moved on.

A significant number have progressed to including agreed action items, but the great majority continue to include both internal audit recommendations and management responses. My view on this is that it fails to demonstrate that internal audit and management are working together, and it leaves the reader to determine whether the two are in agreement, given what may be different language.

The audit committee needs to know whether internal audit and management are, in fact, working together effectively.

I will skip the next question to address another about the audit report. It was answered by 126 auditors.


  8. How do you communicate your overall opinion?
  • We don’t include an overall opinion on the adequacy of controls over the risks in scope… 8.7%
  • We use traffic lights, such as red/yellow/green… 19.0%
  • We use language like “the controls are effective, adequate, or ineffective”… 41.3%
  • We construct an opinion statement that reflects not only whether the controls are adequate overall, but which risks might not be at unacceptable levels… 23.0%
  • Other… 7.9%

This is a very important topic for me.

Our objective as internal auditors is to provide “assurance, advice, and insight”.

“Assurance” comes first in that list, as it should.

That requires us to communicate clearly to our customers in top management and on the board whether the risks we addressed are being effectively managed by adequately designed and effectively operating controls.

When there are issues with the controls, our customers need to know what that means – in terms relevant to their running the business. What enterprise objectives, plans, and strategies are at risk, and by how much? Only then can they assess how those issues are being addressed by operating management and whether they need to get involved themselves.

What does “adequate” mean to someone leading the business? They know it’s less than “effective”, but should they be worried?

That is why I told my team to use the full breadth of the English language to communicate our assessment. What risks to what objectives are affected by identified control issues, and does this mean that my business, my strategies, my plans, and my success are at risk?

But I can see that only 23% have followed my example.


  9. How long is your Executive Summary in your typical report?
  • We don’t have an Executive Summary… 2.4%
  • One page or less… 65.1%
  • Two pages… 26.2%
  • More than two pages… 5.6%
  • Don’t know… 0.8%

It was answered by 126 people.

65% got it right.


Returning to question 7, which was answered by 126 practitioners:

  7. Do you change the scope of an audit after the Opening Meeting?
  • No… 7.1%
  • We listen to management and are open to changing the scope… 23.8%
  • We can change the scope of the audit at any time, depending on what we hear from management and see for ourselves… 68.3%
  • Other… 0.8%

No comment on this, other than it is encouraging.


Then we have this, with responses from 126:

  10. How often do you change the audit plan?
  • Our audit plan is for longer than a year and does not change… 0%
  • Our audit plan is for longer than a year, but we can change it annually… 5.6%
  • Our audit plan is for longer than a year, but we can change it more frequently than annually… 8.7%
  • We have an annual plan that doesn’t change… 4.0%
  • We have an annual plan with time for special projects to accommodate change. Otherwise it is a fixed plan… 55.6%
  • Quarterly… 7.9%
  • Monthly… 0%
  • Continuously, as risks and the business change… 18.3%

A number have an audit plan that is longer than a year (even in today’s disruptive climate), and a few still have a rigid annual plan.

The majority allocate a portion of the audit plan to accommodate changes, while a (hopefully) growing number have recognized the need to change the audit plan as the business and risks change.


Moving on, we have a question answered by 126:

  11. Does your audit plan only include financial and compliance risks?
  • Yes… 19.0%
  • No… 81.0%

This speaks for itself.


The final question was answered by 125 people:

  12. Do you use canned checklists or audit programs?
  • Yes… 5.6%
  • We use them as a basis but modify them as needed… 53.6%
  • We use customized audit programs… 35.2%
  • We don’t have audit programs… 5.6%

This also is encouraging. It tells me that people are thinking about what they are going to do, rather than doing automatically what was done last time or by someone else, somewhere else.

Overall, I can see progress in internal audit practices.

I hope everybody, whether they answered the survey or not, compares their activity to those reflected here – and puts appropriate corrective actions in place where needed.

As I said, if you have questions you would like included in a future survey, please let me know in the comments.

Your thoughts on the above are welcome.

Is risk-based internal auditing a myth?

November 14, 2022 14 comments

Are internal auditors fooling themselves when they say they are using a risk-based approach?

My good friend and esteemed[1] risk management practitioner and thought leader, Alexei Sidorenko, challenged me to disagree and comment on one of his latest posts: Creating a risk-based audit plan, is it a myth?

Have a look at what he wrote and then come back to my comments.

You might be interested in a debate Alex and I had on ERM, integrating risk assessment into decision-making and success management.

Alex is correct with several of his observations, including several criticisms of the IIA’s May 2020 practice guide (PG), Developing a Risk-Based Internal Audit Plan.

He quotes the second part (italicized for convenience) of this section of guidance (recommended, not mandatory guidance):

Organizations that have implemented ERM may have created a comprehensive risk register (also known as a risk inventory or risk universe). Internal auditors may use management’s information as one input into internal audit’s organizationwide risk assessment. However, in alignment with the Code of Ethics principle of objectivity and Standard 1100 – Independence and Objectivity, internal auditors should do their own work to validate that all key risks have been documented and that the relative significance of risks is reflected accurately. 

The notion that internal audit should “validate that all key risks have been documented” is wrong, as explained in a bit.

Returning to earlier in the PG, it says:

This practice guide describes a systematic approach to creating and maintaining a risk-based internal audit plan. The CAE and assigned internal auditors work together to:

    • Understand the organization.
    • Identify, assess, and prioritize risks.
    • Coordinate with other providers.
    • Estimate resources.
    • Propose plan and solicit feedback.
    • Finalize and communicate plan.
    • Assess risks continuously.
    • Update plan and communicate updates.

This ignores the fact that MANAGEMENT IS RESPONSIBLE FOR RISK ASSESSMENT AND MANAGEMENT of the organization.

Internal audit should assess whether MANAGEMENT is doing this sufficiently well to make informed and intelligent strategic and tactical decisions. That is not the same as doing “their own work to validate that all key risks have been documented and that the relative significance of risks is reflected accurately”. Audit the effectiveness of the ongoing processes, not a single point-in-time assessment, as Alex points out towards the end of his piece.

If it is reliable, internal audit should base their own audit plan on management’s risk assessments.

Some additional work will be needed to define audit activities at an appropriate level of granularity.

If management is not doing this well:

  1. Make sure senior management and the board realize the risk (pun intended) they are taking by not having an acceptable understanding of what lies ahead.
  2. Perform sufficient work (and no more) to understand the more significant risks where an audit project can add value, and base the audit plan on that.

Before continuing with Alex’s points, three more of my own.

The PG states:

Risk-based internal audit plans should be dynamic and nimble. To achieve those qualities, some CAEs update their internal audit plan quarterly (or a similar periodic schedule), and others consider their plans to be “rolling,” subject to minor changes at any time.

A quarterly update, or a more continuous one that is limited to “minor changes”, is probably insufficient. As Richard Chambers and I have been saying for many years, the audit plan should be updated at the speed of risk and the business, i.e., continuously if needed. That may mean major changes!

It also says:

Which types of internal audit engagements will provide senior management and the board with adequate assurance and advice that significant risks have been mitigated effectively?

When will everybody understand that risks have to be taken and not necessarily mitigated if you are to succeed? Sometimes, the best business decision is to take more!

Then there’s this:

Once the major strategies and objectives have been identified, the CAE may want to create or review the audit universe, which is a list or catalog of all potentially auditable units within an organization. Auditable units may be any “topic, subject, project, department, process, entity, function, or other area that, due to the presence of risk, may justify an audit engagement.”

An audit universe simplifies the identification and assessment of risks throughout the organization. It is a step toward discovering which auditable units have levels of risk that warrant further review in dedicated internal audit engagements.

The PG doubles down on this error with:

This organizationwide risk assessment enables the CAE to focus on those risks that rate among the most significant and to identify manageable, timely, and value-adding engagements that reflect the organization’s priorities. This typically results in a plan that addresses around 15 auditable units on average.

We are not in the business of auditing “auditable units”.

We are not in the business of auditing risks to those “auditable units”.

We are in the business of providing assurance, advice, and insight related to risks to the enterprise as a whole!

The concept of an audit universe should be discarded. It is not only obsolete but it is leading internal audit organizations astray, auditing risks that may be important to a unit but not to the enterprise.

Instead, we should have an (enterprise) risk universe.

Those are what we may audit. The risks in that universe may exist and depend on activities at one or more entities within the organization, but our objective is (should be) to provide assurance, advice, and insight on those enterprise risks.

Alex also criticizes the notion of ‘inherent risk’. While I share his concern, I can see situations where we need to know more than the current level of risk, which assumes that controls are adequately designed and functioning effectively.

The level of risk may be acceptable if quality controls are in place. But we need to audit those areas where the risk level would be unacceptable if the controls were deficient.

That’s my first area of disagreement, although it is mild.

Then he picks on another issue: the use of heat maps. He quotes the PG:

Risk assessment results with levels of risk for each auditable unit may be depicted graphically in a heat map or similar chart to help show the ranking of priorities. Heat maps are especially useful when certain criteria are weighted more heavily than others and in visual presentations to the board and senior management.

I have to smile when I read his response:

Ok, this is all you really need to know about the IIA's level of competency when it comes to risk management. Heatmaps have been scientifically proven to misprioritise risks and be “worse than useless”. Let me make this very clear, IIA is recommending astrology and horoscopes in its official guidelines. Surely, that is a direct breach of Code of Ethics principles. Last time I checked, promoting pseudoscience and astrology under the banner of independence is not a good idea.

I also hate heat maps, and I have explained that multiple times in this blog and in my books.

But let me make one point.

Since it is a MANAGEMENT responsibility to assess risks to the enterprise, I did not share my risk assessment in any level of detail with management or the audit committee.

My responsibility was to share my audit plan and be prepared to explain why each project was included and others were not.

I did not want to lead management to rely on my risk assessment in running the business.

I did not follow the advice in the PG when it says:

CAEs should meet with senior management to review internal audit’s assessment, ensure thoroughness and mutual understanding, and discuss the reasons for any significant differences in risk perceptions or ratings.

I met with management:

  1. To obtain THEIR assessment of enterprise risks, and later
  2. To review and discuss the audit plan.

Alex asserts:

The biggest lie IIA ever sold business is that auditors understand risk management.

This is only partially true.

Many auditors understand risk management. (How many risk practitioners do, Alex?)

They understand it to the level needed to build and maintain an audit plan that will provide valuable assurance, advice, and insight on the more significant sources of risk to the enterprise.

The fact that the PG is seriously deficient is not proof that the whole profession is incapable of risk-based internal auditing.

In fact, the Chartered Institute of Internal Auditors (the IIA’s UK affiliate) shared an excellent position paper on Risk-Based Auditing in 2003. Why it hasn’t been updated and used by IIA Global escapes me!

There is, admittedly, a long way to go for many internal auditors, which is why I have written and urge them to read Auditing that Matters and the follow-up, Auditing at the Speed of Risk with an Agile, Continuous Audit Plan.

By the way, I 100% disagree with Alex’s checklist at the end of his post. He has forgotten to stress that risks should be assessed based on how they might affect the achievement of enterprise objectives.

I welcome your thoughts.

By the way: I have over time received criticisms for the way I have come down on guidance from others, whether it be guidance from the IIA, Grant Thornton, or someone else. I hear that. But when people are spreading misguidance, I feel an obligation to make it clear why it should not be followed.

[1] Alex has received extensive recognition from the risk management community, including FERMA 2021 Risk Manager of the Year; 2021 RIMS ERM Award of Distinction – International Honoree; RUSRISK 2014 Best ERM Implementation; and RUSRISK 2014 Best Risk Management Training. He runs the Risk Awareness Week series of presentations, which I recommend.

Survey of internal audit practitioners

November 11, 2022 1 comment

I have a short questionnaire that I would appreciate those of you who are internal auditors completing. I will share the results next week.

You can find it here.
If there are issues you would like included in a future survey, please let me know.

Good and bad advice on cybersecurity audits

November 10, 2022 2 comments

It happens so often, it's almost not worth my time writing about it.

Grant Thornton, like the other external audit firms, provides internal audit services as well. To promote them, they offer advice on matters such as how to perform audits of an organization’s cybersecurity measures and practices.

This week, they published It’s time to upgrade cybersecurity internal audits.

They do share a useful chart on the average cost of a data breach in the US. However, they fail to point out that at $9.44 million, it shouldn't represent a serious risk to the achievement of an organization's objectives, let alone its survival. Yes, it's rising (a little) every year. But how much return on investment would an organization obtain from further investments in cybersecurity?

Is cyber really a top-ten risk?

In order to know, every organization needs to conduct and continuously (or close to it) update its cyber risk assessment – within the context of the enterprise risk management program so it can be compared to other sources of business risk.

Like so many other misguided consultants, Grant Thornton looks to internal audit to perform the risk assessment.

When will people get it?
The role of internal audit is to assess whether management is doing that sufficiently well to drive informed and intelligent strategic and tactical business decisions.

Internal audit should assess whether risk management activities, which include cyber, meet the needs of the organization – in other words, go further than just compliance with policies and regulations.

Yet, Grant Thornton tell us:

“You need to begin with a thorough and independent assessment of cybersecurity risk.”

If management has not completed that thorough and reliable assessment of cybersecurity risk, within the context of enterprise risk and the achievement of enterprise objectives,
One of the very tough challenges with cyber risk assessment is the rapidity of change in threats and vulnerabilities.

If cyber is a major source of risk, you need to ensure that the risk assessment is always up to date so you can ensure you have appropriate measures in place, including responses to a breach.

The people at Grant Thornton who wrote this made another serious error. They said:

When the cybersecurity audit identifies your security risks, you need a well-defined plan to address them. Your plan needs to be clear and concise about your capabilities and goals, taking the organization’s performance and financial goals into account. It should align with leading practices and industry standards, and must have executive management support. Most importantly, it needs to be a dedicated multi-year plan that is part of your broader audit plan.

Do you seriously think cyber risks and controls won’t change in five years? They may well change in five weeks or less!

How can you have a multi-year audit plan in these days?

Even an annual plan needs to be updated at the speed of risk and the business.

I’ve said enough about this foolish (yes, I will go that far) article.

I have explained my approach to auditing cyber several times in the past. It includes:

  1. Has management completed and properly maintained an assessment of cyber risk?
  2. Is it part of the enterprise-wide management of business risk (i.e., not assessed and managed in a silo)?
  3. Are those responsible for addressing cyber risk competent and experienced? Are they adequately staffed? Do they report at a level that enables them to get management attention and action as appropriate? Do they have a sufficient budget and tools? Do they talk in business language or in technobabble that management and the board cannot translate into business language?
  4. If one or more of the above are answered “no”, determine the value of further audit activity. A high-level independent risk assessment (don’t spend hundreds of hours) might identify areas meriting an audit because of the clear level of risk. Report the situation immediately to senior management and the board as a serious issue.
  5. Work with the information security team and operating management to understand where the more serious risks are and incorporate them into the overall audit plan.
  6. Don’t try to audit every cyber risk at the expense of other and more serious sources of business risk.
  7. Over time, help management build and maintain an acceptable information security activity and practices.
  8. Keep management and the board informed of the level of risk to enterprise objectives.

I welcome your thoughts.

[1] Even when the CAE is also the CRO, internal audit should not be assessing risks to drive management decisions. They should be facilitating management's assessment.

Risk Management Survey Results

November 7, 2022 2 comments

I want to thank the 102 people who responded to my survey. The results are quite interesting.

First, there is an inherent bias in the responses. These are all people who are reading my posts and are therefore more likely (I believe) than the general population to agree with what I have been advocating.

Having said that, there is still a lot of room for improvement in practices.
The 102 identified as:

  • Board members – 4
  • Management – 10
  • Risk practitioner – 33
  • Internal audit – 41
  • Information security – 2
  • Consultant – 6
  • Compliance – 2
  • Other – 4

When it came to assessing the maturity of their organization’s management of risk, the responses were:

  • There is no formal risk management activity. We rely on individuals – 19
  • It’s a compliance activity and doesn’t affect decision-making – 24
  • Risk management is fully integrated with strategic planning – 10
  • Risk management is fully integrated with strategic planning and tactical decision-making – 17
  • Risk management is recognized as helping us make timely, informed, and intelligent decisions – 28
  • Risk management provides us with a competitive advantage – 8

79 said they maintain a list of the more significant risks, updated:

  • Annually – 20
  • Quarterly – 36
  • Monthly – 5
  • Continuously – 18

22 said their program addresses both positive and adverse effects, while 26 said they are limited to adverse.

When it comes to whether each source of risk is quantified:

  • 17 said they quantified a single effect and its likelihood
    • 4 in dollars
    • 13 in terms of the effect on objectives
  • 24 quantify a range of effects and their likelihoods
    • 4 in dollars
    • 20 in terms of the effect on objectives
  • 46 don’t quantify, using a risk register or heat map to communicate
  • 12 don’t have a formal enterprise-wide risk assessment. (Curious that this is less than the 19 who said there is no formal risk management activity. The other 7 must have chosen a different response to this section, one of those above.)
  • 3 responded, “Other”

When it comes to whether risks are aggregated in some way to inform an objective or decision, the answers were:

  • Yes – 36
  • No – 52
  • Maybe – 13
  • Other – 1
For 43 of the 102, risk management was either a compliance activity or they relied on individuals rather than a coordinated activity.

That’s not good.

Of the 79 who maintained a list of the more significant risks, 20 only updated annually.

That’s not good.

46 use a list of risks or a heat map.

That’s not good at all.

28 said risk management is recognized as enabling informed and intelligent decisions, which shows progress.

Just 8 said it provided a competitive advantage.

There is some good news:

  • More people recognized that the level of risk is a range and not a point (24 vs 17).
  • 22 said they addressed positive effects, nearly as many as the 26 who said they are limited to adverse effects.
  • 8 said that their risk management activity provides a competitive advantage. Not enough, but something.
  • 18 are updating their risk assessments continuously, and that is progress.

I was curious to see whether the risk and audit practitioners would answer differently. They were very much in line with each other.

I welcome your thoughts.

Twitter and Risk

November 4, 2022 4 comments

The purchase of Twitter by Elon Musk is being followed by mass layoffs.

For me and probably others, the potential changes (including the abandonment of the platform by many of my followers) are likely to present a challenge. It's one of the ways I receive and then share information.

But for many employees of Twitter, the challenge is far more direct and serious. They may lose their jobs with (apparently) next to no notice.

All of this brings back memories, especially two situations where risk was not properly considered when the company that employed me made significant workforce reductions.

In the first, I recall one of the managers in IT that was coordinating with HR as IT layoffs were being planned making an astonishing admission. At least, I was astonished at the time.

She told me that they were targeting males under 50 for layoffs to avoid potential regulatory intervention, as females and those over 50 were ‘protected’.

I was shocked, not because I was male and under 50, but because they were not basing the layoffs on employee performance.

They had completed a minimal level of what we might call risk assessment, determining where they could afford cuts without seriously affecting services.

But they missed two important HR-related risks.

The first was that the analysis of who should be released was maintained on a spreadsheet – and I saw it. If that had become public, it would have been damaging.

The second is that I was a very clear target for the incoming SVP of Data Center Services, as I was a good friend of the former SVP. I was told they were eliminating my position. But they didn’t eliminate it; they split the duties (without adding anything) between two people with the same ethnicity as the new SVP whose positions were being eliminated.

I considered a discrimination lawsuit but decided to focus my energies on finding a new position.

Looking back, the company did a reasonable but less than ideal job of assessing the risks in determining how many and then which people to let go.

Not so with my second example.

This company was struggling to stay profitable, and the CEO persuaded the board that layoffs of 15% were necessary.

The CEO then directed his direct reports to let 15% of their employees go: 15% in HR, 15% in IT, 15% in Marketing, and even 15% in internal audit (which I led).

I met with the CFO and tried to explain to him that a blanket 15% cut in every department was foolish. I had to be very careful with my words. I don’t think I said it was ‘foolish’, but at least I didn’t say what I really thought, that it was madness.

I told him that while 15% might be a target, they should see where they could afford to make cuts, and where the cuts might be dangerous.

Deciding where to cut should be a risk-based decision, with a solid understanding of related risks.

Instead, the CFO got angry with me and told me the board was backing the CEO.

I called the chair of the Audit Committee, who told me to back off. He said he understood what I was saying but he would be the only one on the board who would.

With his support, I was able to push back on the 15% cut in internal audit staffing by reducing other expenses. I showed the Audit Committee what the effect would be on the audit plan, and they gave me their support. The CEO didn’t press.

The company let many of the wrong people go, such as sales personnel with critical relationships with major customers.

They rehired quite a few, but some refused to return.

The CEO had taken what was, for him, the easy route to cutting costs and returning to acceptable profitability.

What they should have done was radically change the company’s footprint, closing several of their more than a hundred factories and consolidating operations. Instead, they kept everything open with reduced staffing.

It didn’t work, and it was not long before the company failed.

Oh, by the way, after the layoffs the CEO obtained a million-dollar budget to upgrade the executive offices and received a large bonus for making the cuts.

Would you join a company like this?

The lesson, which Elon Musk clearly didn't learn, is that when you need to cut costs you need to:

  • Take your time
  • Consider all the options
  • Understand the risks and opportunities in each option
  • Execute with grace

Would you join a company that let so many people go with next to no notice, or paid the CEO a bonus for doing it?

Feedback on my books

November 2, 2022 2 comments

I have published quite a few books now, with perhaps one more to come in 2023.

It is always refreshing to get feedback, especially when it seems I have made a difference and influenced others on their journeys as practitioners.

Here are a few that I very much appreciate. Thanks!
Risk Management for Success

5.0 out of 5 stars Practically useful and conceptually valuable

Recently finished the book. Thanks to Norman that he pushes the Risk Management practice to the proper position in companies. This book is essential for anyone who wants to get the value from risk management. The approach of strategic risk management and practical aspects are useful to implement this approach. I not just suggest but even want every risk practitioner to read this book.
World-Class Risk Management 

5.0 out of 5 stars Favorite book on risk management I’ve read so far

Great book that goes in depth about risk management from what I would consider a more holistic approach. This is not “How to run a risk management department” but instead “why it’s imperative that risk management be a central competency throughout the enterprise.”

The author is obviously really familiar with the standards, quotes from them at length, compares them but also offers his take when he thinks one (or all) of the available standards is lacking. Excellent book if you’re interested in improving your company’s risk management. Definitely targeted more at enterprises than medium or small businesses, although I think even a small business owner could learn a lot.

5.0 out of 5 stars Packed with a lot of good insights and force us to re-examine the way we …

A very refreshing view of how risk management should be. Packed with a lot of good insights and forces us to re-examine the way we think of risk management, its value to an organisation and its relevance to the organisation's objectives.
Risk Management in Plain English: A Guide for Executives: Enabling Success through Intelligent and Informed Risk-Taking

5.0 out of 5 stars Short and sweet!

Provides easily digestible and highly effective concepts of “success” management. The key points made provide enough details to generate actionable thinking and implementation.

5.0 out of 5 stars Five Stars

Excellent read as always from Norman Marks. Simple, clear and thought leadership.
Auditing at the Speed of Risk with an Agile, Continuous Audit Plan

5.0 out of 5 stars Auditing at the speed of risk

Auditing at the Speed of Risk with an Agile, Continuous Audit Plan is a good book to have if you are an auditor.
World-Class Internal Audit: Tales from my Journey

5.0 out of 5 stars Great Read - Entertaining and Relatable

I thoroughly enjoyed Norman’s book. My one regret is not buying it in hard copy, so I could tab it, highlight it, scribble in the margins, etc. It’s the type of book I keep on my desk, available for quick reference or inspiration when the need arises. In his Introduction, Norman states his hope in writing World-Class Internal Audit is that it “…will amuse as well as provide some insights…” and that he wrote the book to “…stimulate some thinking…” I believe he succeeded on all three points.

World-Class Internal Audit is not a textbook or reference book containing audit programs or other details which can be used verbatim; there are many great resources available for this purpose. What I liked most about Norman's book is that the story of his personal career journey is highly relatable, despite being nothing like my own. He presents short stories about specific moments in his career with brutal introspection, explaining how he adapted or evolved his thinking along the way. His stories are relatable because they're not a load of hooey coming from on high from an “all-knowing” internal-audit God; he is fallible, admits mistakes and missteps, and offers his lessons learned. These stories lay the foundation for his view of World-Class Internal Audit and explain how he came to have this view.

I particularly liked Norman's views which are unconventional or contrary to “…the way things have always been done” such as over-documented work papers, concise audit reporting, and the position that external auditors are not trained to think.

4.0 out of 5 stars Got passion? Read this book!

Norman, well done!

Anyone that is passionate, motivated, and enthusiastic about the internal audit and enterprise risk management profession should read this book!

It will inspire you further to strive for continuous improvement, professional development, greater quality of the services you perform, and finally, it will infuse you with greater enthusiasm and determination in the pursuit of a world class internal audit organization.
Auditing that matters

5.0 out of 5 stars Driving greater impact

This book is packed with helpful nuggets to drive a more impactful audit scope. I look forward to implementing these insights!

5.0 out of 5 stars A must read for all auditors!

I have really enjoyed reading this book. As a young auditor it is great to see the progression through Norman’s career and the lessons learned along the way. I have a laundry list of meaningful changes I plan on bringing forward to my CAE based on best practices outlined in this book.
Is your internal audit world-class? A maturity model for internal audit

5.0 out of 5 stars Excellent

Great book for Internal Auditors

Norman’s Survey of Risk Management Effectiveness

October 31, 2022 3 comments

I would appreciate your helping me with a short survey.

It should only take a few minutes.

The questions ask for your assessment of the management of risk at your organization, whether you are a board member, in management, a practitioner, a consultant, or hold a different position.

I will share the results next week.

After completing it, please share your thoughts on the survey and what else we should ask.
Agility and Resilience

October 28, 2022 1 comment

How agile is your organization?

Is it able to react at speed to changes in business conditions, recognizing new or changed risks and seizing new or changed opportunities?

Does it have timely and sufficient information about what is changing?

Is the management team able to understand what is happening or, better, what is likely about to happen?

How fast can it change direction, whether in manufacturing, sales, marketing, engineering, or strategic planning?

If it is not sufficiently agile, it is hardly likely to be sufficiently resilient.

It will be taken by surprise and slow to act.

Competitors will leave it behind.

Customers will seek better, more efficient, or cheaper suppliers.

Does it have sufficient reserves to deploy when needed? Cash management is key to both agility and resilience.

If you are on the board, you should be concerned.

If you are in management, you should be doing something.

If you are a risk practitioner, you should be ranking it as a high risk.

If you are an internal auditor, you should be helping management and the board understand the hole they are in.

Is your organization sufficiently agile and resilient?

Are you doing enough?

I welcome your thoughts.