Archive for the ‘Risk’ Category

Designing efficient and effective audits

December 16, 2022 7 comments

Before I start today’s post, may I ask the internal auditors who haven’t already done so to respond to my latest survey, here?

Yesterday, I fought a duel (up to you to decide who won) with my good friend, Richard Chambers. It was hosted by Jon Taber (see footnote for the links) on the topic of audit opinions.

At one point, Richard made the excellent point that you shouldn’t provide an opinion without having done the work to support it.

My reply was that you should start the audit with the end in mind.

If you plan to express an opinion at the end of the planned audit on the adequacy of controls to manage specific risks, then the scope of the audit should be designed to enable that opinion and nothing more.

Do enough work to reach and support your opinion – and no more, unless you desire to audit controls and processes that are not relevant to your audit objectives (“muda”).

One of the fights I have been engaged in for a long time now is against full scope audits, especially those performed on a cyclical basis.

We should (as guided by the IIA’s Standards) be performing risk-based auditing.

That means that we should be auditing the controls over the more significant risks to the achievement of enterprise objectives. That is not the same as auditing the controls over a business process!

When you audit an entire process or business unit, you are going beyond the things that matter (controls over significant enterprise risks) to things that don’t matter to leadership (risks to the process or business unit that don’t have much effect on the achievement of enterprise objectives).

The key to efficient and effective auditing is focusing exclusively on what matters; stop auditing what doesn’t matter to the achievement of enterprise objectives.

Audit the controls over enterprise risks, not controls over local risks.

The excellent magazine of the IIA features a piece by my pal, Dave Salierno.

His piece, “Brief, highly focused internal audits can produce rapid results for audit clients”, features comments by Hassan Khayal, an internal audit manager at Scope Investment (based in Dubai). The CAE there is Vijesh Ravindran.

Dave tells us:

…one internal audit function has fundamentally transformed its approach to audits. Responding to the need for increased agility and speed, auditors at a private investment firm based in Dubai, United Arab Emirates, began performing fewer large-scale, traditional audits in favor of faster engagements with a much narrower scope. These “burst audits” enabled the audit function to conduct operational risk assessments quickly and on short notice, and provide near-immediate feedback.

He continues with:

“Throughout the company, people were trying to address new challenges and quickly find solutions,” Khayal says. Clients asked how internal audit could help them. “Many of our clients suddenly needed quick assessments and recommendations.”

Providing those assessments through traditional audits could take months for each engagement. To meet the moment, the internal audit team began performing short, operational risk reviews that gave clients the rapid recommendations they needed. As small issues began arising throughout the firm, auditors started performing these reviews regularly — one- to two-week engagements that each covered a narrow, highly focused area. The approach enabled practitioners to make a quick impact and then swiftly move on to the next area in need of attention.

Unfortunately (in my opinion), the company continues to perform “large-scale, traditional audits” that cover an entire process or business activity.

If you can narrow your focus to providing an opinion (an “evaluation” per the Standards) as to whether controls are adequately designed and operating effectively over specified risks to objectives, ALL your audits can be “burst” audits that last weeks instead of months, delivering the assurance, advice, and insight that leadership needs, when they need it.

Why is it necessary to perform fast, efficient, focused audits?

Every hour saved by not auditing what doesn’t matter is an hour that can be spent on an additional audit that addresses something that does matter.

Can we eliminate full scope audits?

Can we move to enterprise risk-based audits?

I welcome your comments.

Footnote:

You can find the duel on LinkedIn (which is where you can vote for the winner), Apple podcast, or Spotify.

A survey of internal auditors and their approach to risk management

December 13, 2022 5 comments

I would appreciate your help with another short survey.

This time it’s about how internal auditors address risk management, including whether and how they audit it; who performs the risk assessment for management and the board; and how the audit plan is built.

You can find it here.

Thanks in advance. I will share the results in a future post.

Some auditors need to kick bad habits

December 12, 2022 7 comments

The Institute of Internal Auditors (IIA) is in the process of updating its International Professional Practices Framework (IPPF), which includes the International Standards for the Professional Practice of Internal Auditing.

It is necessary, as some in the profession need a kick.

A friend recently told me that they connected with audit leaders at peer organizations (other mid to large, complex organizations) to understand how long/large their audits typically are. They perform cyclical audits of auditable entities (an audit universe) that last up to 12 weeks. 

So cyclical audits are alive and well, even though the practice should have died off decades ago.

Also alive and well are long audits of an entire process or business unit.

Too few are taking a risk-based approach to internal auditing.

Audit the controls over the risks, not entire business processes!

Don’t waste your or management’s time auditing more than you need to provide the assurance, advice, and insight management and the board need.

I have asked the IIA to use the opportunity of the IPPF update to jolt people out of these poor practices.

They replied, “That is our goal too, business objective-based and risk-based audit”.

Excellent!

Let’s have a quick look at what the IIA currently says about the role of internal audit.

The Definition of Internal Auditing is:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The Mission of Internal Audit takes the ideas to a higher and more active level:

The mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

This is supported by the last three of the IIA’s Core Principles for the Profession of Internal Auditing:

  • Provides risk-based assurance.
  • Is insightful, proactive, and future-focused.
  • Promotes organizational improvement.

I don’t think you achieve these through full scope, cyclical audits of business processes or units.

I think you achieve them through audits that focus on the more significant risks to the enterprise: enterprise risk-based auditing.

That is what the current Standards say:

2010 – Planning

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Interpretation:

To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

    • Achievement of the organization’s strategic objectives.
    • Reliability and integrity of financial and operational information.
    • Effectiveness and efficiency of operations and programs.
    • Safeguarding of assets.
    • Compliance with laws, regulations, policies, procedures, and contracts.

Frankly, I don’t understand how an internal audit function passes a Quality Assurance Review when they practice cyclical or full scope auditing.

Moving on, the IIA has shared a draft Purpose statement. I’m not sure how a Purpose statement differs from a Mission statement, and why you need both. But here it is:

Internal auditing enhances the organization’s success by providing the board and management with independent advice and assurance.

Tim Leech doesn’t like it (see here). He prefers:

Ensure the board and CEO are receiving reliable information on the likelihood/risk top value creation and preservation objectives will be achieved with a level of uncertainty acceptable to the board

I prefer something more active, more than providing assurance on risk reporting. Frankly, the draft is weaker than the existing Mission statement.

I would like to see something like:

Provide the risk-based assurance, advice, and insight that leaders of the organization need for success.

Why this?

  • It talks about risk, while the current draft does not. It just talks about advice and assurance, but does not say on what.
  • The current and proposed guidance allows for any level of assurance. Mine requires a more complete level of assurance. An Interpretation statement would explain that the assurance should be on the risks that matter to the achievement of enterprise objectives.
  • I have added “insight”, which is an important source of value to our customers.
  • It makes it clear that we should provide what our customers need, not just what we think is valuable or would contribute to their success.
  • Independence is a given, and anyway objectivity is more important.

What do you think?

  1. How do we persuade CAEs to discard cyclical auditing and full scope auditing, replacing them with risk-based auditing?
  2. How would you modify the Purpose statement?

Excellent points made by a prominent CRO

December 8, 2022 3 comments

Earlier this week, I enjoyed a conversation with Joshua Rosenberg, Executive Vice President and Chief Risk Officer of the Federal Reserve Bank of New York.

It was great to chat with a gentleman who has a prominent position, and whose thinking on risk management appears to be well aligned with mine (with a few exceptions, like risk appetite and risk registers).

His October speech to the Central Bank of Nigeria’s Second National Risk Management Conference made some excellent points, including:

  • …by integrating risk management into plans, decisions, and actions, we can succeed over a wider range of possible futures, not just the future we expect (or hope for).
  • … potential misunderstandings that might prevent us from getting the most out of risk management. The first is that risk management is mainly a way to stop bad things from happening. Of course, risk management should help us reduce the frequency and size of negative events and then recover more quickly and effectively when negative events occur. But, risk management, in my view, should also help the right things happen by giving us tools to work more effectively.
  • Second, risk management could be misunderstood as primarily the responsibility of risk management specialists. Actually, effective risk management is a way for everyone in an organization to help things go right. From the economic analysts to the cash processing operators to the software engineers, we can make better plans, decisions, and actions when we are prepared for change and have the capacity to adapt to surprises. So, most of the risk management that occurs in an organization will be done by people who don’t have the word “risk” in their job title.
  • And third, risk management could be misinterpreted as an attempt to create a contingency plan for every possible thing that could go wrong. It is important to prepare by scanning the horizon, exploring the range of possible futures, and understanding how those futures could help or impair desired outcomes. We do want to invest in effective responses to key scenarios. However, no organization has the resources to prepare for all possibilities. And, no matter how creative we are, we still can’t imagine every one of them anyway. As it is said, “Things that have never happened before happen all the time.” So, effective risk management is more than planning. It is creating the capacity to adapt to and recover from unexpected shocks, which is what we often mean when we talk about resilience.
  • To me, successful risk management is as much about culture as it is about structure…. To me, there are four central aspects of culture that support effective risk management: learning, listening, helping, and speaking up. In a learning culture, we think about and plan for what might happen. And, we learn from experience, what went well and what didn’t, so we can improve for next time. In a listening culture, we seek advice, appreciate a fresh perspective, and are open to new ideas and feedback so we can improve. In a helping culture, we work together across the organization, building on each other’s strengths, and helping when we have an opportunity. And, in a speaking up culture, we let our colleagues know when we see a problem or after something goes wrong so that we can get started fixing it. Risk management is a creative, social process. It is a way of thinking, doing, and interacting. To bring it to life, we need to work together across the organization, staying continuously curious about the changing risk landscape and possible futures.
  • A foundational component of resilience is that an organization can operate as a coordinated system in order to successfully adapt to changes in the environment.
  • Here’s the realism: while we might prefer never to be surprised, we will be. The optimism is: effective risk management can help us be less surprised and respond better when we are. And, a strong risk management ecosystem will be self-sustaining because it generates demonstrable value – that is, practical and timely solutions to material problems – to help our organizations succeed in all environments.

In his role, Josh is naturally focused on the downside of risk, rather than the need to take the right level of the right risks so you can seize opportunities and achieve objectives.

Setting that aside, he has a practical approach to risk management that sees huge value in helping his organization and its leaders succeed – and not just manage and mitigate risks.

I welcome your comments.

When the board insists on a list of the top risks

December 5, 2022 3 comments

Recently, Tim Leech asked this question in a LinkedIn post:

What should a CRO or CAE do if the board insists they still want a list of “top risks” plotted on a color risk profile; and soundly reject the ISO view “risk” is “effect of uncertainty on objectives”, and COSO position “risk” is “the possibility that events will occur and affect the achievement of strategy and business objectives.”

My comment in response was:

The roles of the CRO and CAE should not be mixed up like this.

If the company is managing a list of risks instead of the business, the CRO has a clear opportunity and obligation (IMHO) to show a better way.

Continue to provide a list of risks (it still has some value), but team with performance management to provide (as I explain in my books) a list of objectives, their current status, and the likelihood they will be achieved by the end of the period.

The CAE is in a very different position, unless they are also CRO (in which case, the above applies).

The CAE should not assess and provide an opinion on whether the company is in compliance with its risk management policies.

Instead, the CAE should provide an opinion on whether risk management practices meet the needs of the organization. That will entail pointing out how a list of risks fails to drive decision-making and success.

While it is difficult, as Tim points out, to tell the boss that they are wrong, whether we are the head of risk management (CRO) or internal audit (CAE), we have a professional responsibility to provide leaders with what they need.

Sometimes, they don’t know what they need!

Their experience, which may be at other organizations, has put them in a box. If they liked what they had before, it can be difficult to change.

As I said in my comment, we shouldn’t mix up the roles and responsibilities of the CAE and CRO.

The CRO is responsible for helping management and the board understand what might happen, so they can make the appropriate strategic and tactical decisions necessary for success.

The CRO helps management and the board take the right level of the right risks.

While a list of top risks has some value, it is not enough to inform decision-making.

In fact, it is rare for a decision-maker to refer to the list of top risks in making an important business decision – whether strategic or tactical.

In fact, a list of top risks is going to be out of date very soon after it is prepared, since business conditions and risks are changing all the time.

A list of top risks has value when it comes to making sure the risks that merit specific and continued attention are getting it.

But the business is run every day.

Every day, decisions have to be made that not only need to consider what might happen (risk and opportunity) but will also create or modify existing sources of risk and opportunity.

The CRO and their team add more value when they enable daily activities and decisions to be of high quality.

I have advised CROs, management teams, and boards to integrate performance and risk management. The CRO should work with the CFO and others to ensure leaders understand whether, considering current status and what lies ahead, the organization is likely to achieve its objectives for the period.

When I have shown them examples of such reports, explained in my books (such as Risk Management for Success), they have embraced them.

A list of top risks becomes a secondary source of information.

The CAE is in a different position.

The CAE has a responsibility for providing assurance to the board and management that risk management practices are effective.

But that is not achieved when it is limited to the periodic review of a list of top risks.

When that is all the board receives, board oversight of risk management is insufficient.

My advice to the CAE is to work with the CRO first. Try to get the CRO to provide the board and top management with an integrated risk and performance report.

After all, it is risk to objectives that needs to be addressed, not risk in a silo, out of context of running the business.

I would also work with the CEO (or other top management influencer, but the CEO is going to be the decision-maker), helping them understand what is missing.

Help them understand how effective risk management helps them succeed, not just avoid hazards and tick the compliance box.

The CAE should audit risk management and report its deficiencies, the primary one being that a list of risks (or a heat map) is insufficient.

So much more value can be derived.

I welcome your thoughts.

New US government guidance on cyber risk

November 28, 2022 2 comments

I was surprised and pleased, surprised and flattered, and then disappointed by a new publication by NIST (the US Department of Commerce’s National Institute of Standards and Technology).

NIST published NISTIR 8286D, Using Business Impact Analysis to Inform Risk Prioritization and Response this month.

I have been saying that in order to understand how a cyber breach might affect the business, a business impact analysis (such as contingency planners have been using for decades) should be performed. The analysis should be a joint effort between operating management (who understand the business) and the technical teams (who understand how a breach might happen).

I was surprised and pleased that NIST decided to respond with this new guidance, even to the extent of using some of my language.

The Abstract says:

While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide a broad understanding of the potential impacts of any type of loss on the enterprise mission. The management of enterprise risk requires a comprehensive understanding of mission-essential functions (i.e., what must go right) and the potential risk scenarios that jeopardize those functions (i.e., what might go wrong).

While I noticed that NIST remains focused on assessing risk to information assets, instead of to enterprise objectives or (as they say) the enterprise mission, I was surprised and flattered to read the following in the Acknowledgments:

The authors also thank… individual commenters Simon Burson and Norman Marks.

But the guidance is disappointing.

The Abstract continues with:

The process described in this publication helps leaders determine which assets enable the achievement of mission objectives and evaluate the factors that render assets as critical and sensitive. Based on those factors, enterprise leaders provide risk directives (i.e., risk appetite and tolerance) as input to the BIA. System owners then apply the BIA to developing asset categorization, impact values, and requirements for the protection of critical or sensitive assets. The output of the BIA is the foundation for the Enterprise Risk Management (ERM)/Cybersecurity Risk Management (CSRM) integration process, as described in the NIST Interagency Report (IR) 8286 series, and enables consistent prioritization, response, and communication regarding information security risk.

There are some good sections, like this from the Executive Summary:

Risk is measured in terms of impact on enterprise mission, so it is vital to understand the various information and technology (IT) assets whose functions enable that mission. Each asset has a value to the enterprise. For government enterprises, many of those IT assets are key components for supporting critical services provided to citizens. For corporations, IT assets directly influence enterprise capital and valuation, and IT risks can have a direct impact on the balance sheet or budget. For each type of enterprise, it is both vital and challenging to determine the conditions that will truly impact a mission. Government agencies must provide critical services while adhering to priority directives from senior leaders. In the commercial world, mission priority is often driven by long-term goals and factors that might impact the next quarter’s earnings call. Therefore, it is highly important to continually analyze and understand the enterprise resources that enable enterprise objectives and that can be jeopardized by cybersecurity risks.

However, they continue to justify the use of a cybersecurity risk register and a focus on managing and mitigating risk to information assets:

The NIST Interagency Report (IR) 8286 series has coalesced around the risk register as a construct for storing and a process for communicating risk data [NISTIR8286]. Another critical artifact of risk management that serves as both a construct and a means of communication with the risk register is the Business Impact Analysis (BIA) Register. The BIA examines the potential impacts associated with the loss or degradation of an enterprise’s technology-related assets based on a qualitative or quantitative assessment of the criticality and sensitivity of those assets and stores the results in the BIA Register. An asset criticality or resource dependency assessment identifies and prioritizes the information assets that support the enterprise’s critical missions. Similarly, assessments of asset sensitivity identify and prioritize information assets that store, process, or transmit information that must not be modified or disclosed to unauthorized parties. In the cybersecurity realm, the use of the BIA has historically been limited to calculations of quality-based and time-based objectives for incident handling (including continuity of operations and disaster recovery).

Because the BIA serves as a nexus for understanding risk (which is the measurement of uncertainty on the mission), it provides a basis for risk appetite and tolerance values as part of the enterprise risk strategy. That guidance supports performance and risk metrics based on the relative value of enterprise assets to communicate and monitor Cybersecurity Risk Management (CSRM) activities, including measures determined to be key performance indicators (KPIs) and key risk indicators (KRIs). The BIA supports asset classification that drives requirements, risk communications, and monitoring.

There is value in understanding what systems and data need to be protected, but NIST is still not assessing the risk to the mission (the business) of a breach: the range of potential effects and their likelihoods.

This is how I see the issue:

  1. The organization needs to prevent, to the extent that is reasonably possible, a cyber breach. However, the entry point of a breach is not necessarily a critical information asset.
  2. It should invest in cyber commensurate with the risk to the business. That requires understanding the range of potential effects and their likelihoods.
  3. The potential effects of a breach should be minimized where possible, using tools and techniques such as encryption, backup or even redundant systems, etc. Understanding the critical information assets is necessary to do this well.
  4. The organization needs to be able to respond and recover promptly from a breach, minimizing any damage. This requires knowing that a breach has occurred (a major problem since past breaches have not been discovered for up to a year), what has been affected (also a major challenge), and taking appropriate actions to restore service – including reprocessing transactions, etc., communicating with third parties, and more.

If there is a risk tolerance or other criteria that should be used to assess whether the level of cyber risk is acceptable, it should be based on the level of risk to the business, not to individual information assets.

I am concerned that a focus on risk to information assets will not enable:

  • An intelligent determination of the appropriate level of business investment in cyber risk prevention, resilience, and response
  • The ability to make an informed and intelligent decision on whether to take the cyber risk involved in an early rollout of a new product because of the potential for reward.
  • The protection of non-critical assets that can be a gateway to access to critical ones.
  • The consideration of all sources of business risk, including but not limited to cyber, when making strategic and tactical business decisions.

There is value in understanding which information assets are critical to the business, but only once the level of risk to the business of a breach is understood.

Once the level of investment in cyber has been determined, then and only then does understanding which information assets are critical have value. It can help allocate resources between them.

However, I return to the point that a vulnerability to a non-critical asset can lead to damage to a critical one.

It’s a long time since I was responsible for information security at a major financial institution, so maybe I am missing something.

Your comments and insights would be appreciated.

Putting cyber risk into business perspective

November 22, 2022 14 comments

I am in the process of writing a new book. It is intended as guidance for senior management and board members on decision-making when it comes to cyber risk.

I see a gap in their understanding of the level of business risk, and that creates problems when it comes to deciding how much of their organization’s scarce resources (people and money) should be invested in preventing or minimizing the effects of a data breach.

I believe they tend to respond to risk assessments by the CISO or others in the management team that label the level of risk as “high”, but do not describe the potential effects on the business and its success, nor the likelihoods of such major impacts.

They also respond to media headlines and the advice of consultants who may not fully understand the business and are not really objective.

Money, as we know, does not grow on trees.

Every penny spent on cyber risk is a penny that is not spent addressing other sources of business risk and opportunity, such as supply chain risk, competitor risk, new or upgraded technologies, marketing programs, customer service, and so on.

As I was doing my research, I reviewed a 2021 study by PCH Technologies, Cost of Cyber Attacks vs. Cost of Cyber Security in 2021. They reported that these four breaches were among the most severe in 2020 and 2021.

I added a note to the PCH language for each of the four that puts the scale of the breach into business perspective.

  1. Solarwinds, a company that makes business software, was compromised at some point in 2020. This was an advanced persistent threat (APT) that proved very hard to detect. In total, the company reported losses of $25 million to its investors.

Note: Solarwinds revenue in 2020 was $1.1 billion, so the losses were 2.27% of revenue.

  2. Amazon was targeted with a DDOS attack earlier… and it succeeded. They were only down for a little over an hour, but the total losses were somewhere in the neighborhood of $75 million.

Note: Amazon’s revenue in 2020 was $386 billion, so the loss was trivial by comparison.

  3. In May of 2021, Brazilian meatpacking company JBS was the victim of a ransomware attack. The ransom alone was $4.4 million, and the loss of revenue might have been even greater.

Note: JBS’s 2020 revenue was $71 billion.

  4. On May 6, 2021, the Colonial Pipeline was hacked, and the ransom paid by the company was reported as $5 million.

Note: this was 1% of Colonial Pipeline’s 2021 revenue of $500 million.

IBM has sponsored independent studies by the independent research organization Ponemon Institute of the cost of a data breach for 17 years. Their latest, Cost of a Data Breach 2022, “studied 550 organizations impacted by data breaches that occurred between March 2021 and March 2022. The breaches occurred across 17 countries and regions and in 17 different industries.”

Their insights included:

  • The average total cost of a data breach was $4.35 million ($9.44 million in the US); the average cost of a ransomware attack was slightly more, at $4.54 million.
  • 83% of organizations that had a breach had more than one incident
  • The average time to identify and contain a breach was 277 days. This is a reduction from the 287 days in 2021.

In general, costs are increasing – but that is not universal. Six countries (Germany, Japan, France, South Korea, Scandinavia, and Turkey) saw a year-on-year decrease.

When you look at the cost of a breach by industry, Healthcare suffered the highest average cost, at $10.10 million, with Financial Services next at $5.97 million.

My questions to all of you:

  1. How significant is cyber risk at your organization? Is it really a top ten source of risk to the business and its objectives?
  2. Are management and the board of your organization able to compare the level of risk to other sources of business risk and opportunity, so they can make informed and intelligent decisions about how much to invest?
  3. How confident are you that your organization is obtaining an acceptable return on its investment in addressing cyber risk, given the alternative returns on other investments?
  4. How confident are you that management understands the dynamic nature of cyber risk (and most other sources of risk to the business)? It is changing constantly.
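
Questions 2 and 3 can only be answered when cyber risk is expressed in the same units as the other risks it competes with for investment, and as a range of effects and likelihoods rather than a single number. As an added example (not part of the original post, and not any vendor’s or organization’s method), the Python below fits a frequency-times-severity model to a loss range, computes expected annual loss in dollars and as a share of revenue, produces a loss-exceedance view, and works out the return on a control. Every input is constructed: a 30% annual probability of a breach costing between $1 million and $16 million (median $4 million, near the Ponemon average quoted above), a hypothetical $500 million of revenue, and a hypothetical control that halves the probability for $500,000 a year.

```python
import math
import random
from dataclasses import dataclass

# Standard-normal 90th percentile; lets us fit a range given as P10/P90.
Z90 = 1.2815516


@dataclass(frozen=True)
class CyberRisk:
    """One source of cyber risk expressed as a range, not a single number.

    p_event  : annual probability that at least one loss event occurs
    loss_p10 : dollars; 10% of events cost less than this
    loss_p90 : dollars; 90% of events cost less than this
    """
    name: str
    p_event: float
    loss_p10: float
    loss_p90: float

    def lognormal_params(self):
        """Fit a lognormal severity distribution to the P10/P90 range."""
        lo, hi = math.log(self.loss_p10), math.log(self.loss_p90)
        return (lo + hi) / 2.0, (hi - lo) / (2.0 * Z90)

    def expected_annual_loss(self):
        """Closed form: p(event) times the mean of the lognormal severity."""
        mu, sigma = self.lognormal_params()
        return self.p_event * math.exp(mu + sigma ** 2 / 2.0)

    def simulate(self, years=20_000, seed=1):
        """Monte Carlo: one annual loss per simulated year, zero if no event."""
        rng = random.Random(seed)
        mu, sigma = self.lognormal_params()
        return [rng.lognormvariate(mu, sigma) if rng.random() < self.p_event else 0.0
                for _ in range(years)]


def exceedance_probability(losses, threshold):
    """P(annual loss > threshold): the loss-exceedance view a board can compare
    across cyber and non-cyber risks that are expressed in the same units."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def share_of_revenue(annual_loss, revenue):
    """Express a loss the way the post does: as a fraction of revenue."""
    return annual_loss / revenue


def control_roi(before, after, annual_control_cost):
    """Return on a control: (expected loss avoided - cost) / cost.
    Negative means the control costs more than the loss it avoids."""
    avoided = before.expected_annual_loss() - after.expected_annual_loss()
    return (avoided - annual_control_cost) / annual_control_cost


# Constructed inputs (assumptions, not figures from the post or any company):
# a 30% annual chance of a breach costing $1M-$16M (median $4M, near the
# Ponemon average quoted above), $500M revenue, and a control that halves
# the probability for $500k a year.
BREACH = CyberRisk("data breach", p_event=0.30,
                   loss_p10=1_000_000, loss_p90=16_000_000)
BREACH_WITH_CONTROL = CyberRisk("data breach, control in place", p_event=0.15,
                                loss_p10=1_000_000, loss_p90=16_000_000)
REVENUE = 500_000_000
CONTROL_COST = 500_000

if __name__ == "__main__":
    losses = BREACH.simulate()
    eal = BREACH.expected_annual_loss()
    print(f"expected annual loss: ${eal:,.0f} "
          f"({share_of_revenue(eal, REVENUE):.2%} of revenue)")
    for threshold in (1_000_000, 5_000_000, 10_000_000, 25_000_000):
        print(f"P(annual loss > ${threshold:,}) = "
              f"{exceedance_probability(losses, threshold):.1%}")
    print(f"ROI of the control: "
          f"{control_roi(BREACH, BREACH_WITH_CONTROL, CONTROL_COST):.0%}")
```

The point of the exceedance curve is comparability: a supply-chain or currency risk modelled with the same `CyberRisk` shape produces a curve in the same units, so the board can see which one is more likely to cost more than, say, 2% of revenue, and the ROI figure can be set against the alternative uses of the same money that question 3 asks about.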

I welcome your answers and comments.

The internal audit survey results

November 17, 2022 2 comments

I thank the 127 people who answered my survey. I think you will find the results interesting.

As a reminder, I had asked that only internal audit practitioners complete the form.

As with the earlier risk management survey, the results may be a little biased as the respondents are all people who follow me on LinkedIn and/or on my blog.

There are a great many questions I could have asked but limited this survey to 12 questions. If you would like a future survey to address other issues, please add a comment with your suggestions on the blog (i.e., all in one place).

The first two questions were about the length of audit engagements.

126 answered the first:

  1. What is the average length of an audit or consulting engagement in hours?
  • 40 hours or less… 5.6%
  • 41-100… 16.7%
  • 101-200… 19.0%
  • 201-300… 21.4%
  • 301-400… 18.3%
  • 401-500… 7.9%
  • Over 500… 11.1%

Over my two decades as CAE, I led teams with two different approaches to assurance engagements.

At Solectron, I would send a team of about 5 people for 2 weeks to one of our global sites (a manufacturing or assembly operation) where they would assess controls over a variety of significant enterprise risks: financial, operational, technology, and compliance. The average length was about 600 hours. However, we also performed audits of corporate functions that focused on a much more limited number of enterprise risks and averaged closer to 150 hours. Overall, the average length of an assurance engagement was probably around 400, about the same as the average consulting engagement.

At my other companies, consulting engagements (such as pre-implementation reviews) could extend over months (the length of the project), but assurance engagements averaged about 150 hours.

The assurance engagements were short because:

  • My team consisted of experienced business-savvy auditors, with no junior staff. They knew what they were doing each time and were able to use their initiative in performing the audit. They were respected by their client.
  • Each audit focused on a few risks of significance to the enterprise rather than to the business unit or process being audited.
  • We only tested and assessed the controls relied on to address those few sources of risk.
  • We were able to stop auditing once we had done sufficient work to form an opinion.
  • We talked with (rather than “to”) management throughout the engagement and were able to agree on the facts and their interpretations without difficulty. The fact that the auditors were business-savvy and practical helped a great deal.

You can read more about my approach to internal auditing in Auditing that Matters.

125 people answered the next question:

  2. What is the shortest audit or consulting project your team performs (in hours)?
  • 10 or less… 12.8%
  • 11-50… 40.8%
  • 51-80… 14.4%
  • 81-100… 11.2%
  • 101-150… 8.0%
  • 151-175… 4.8%
  • 176-200… 0%
  • 201-250… 3.2%
  • Over 250… 4.8%

I find this very encouraging. More than 79% of the respondents had engagements of 100 hours or less, with more than half spending 50 hours or less.

I may be wrong, but this tells me that most of the internal audit activities represented here have found a way to focus at least some of their audits on a single enterprise risk.

Very few are spending at least 200 hours on every audit.

Between these two questions, I am encouraged that “full scope” audits of a business unit or process are a dying breed.

The era of audits that extend over months with a team of auditors is starting to end, if not already over for many.

I will skip the third question for a moment and go to #4, which addresses this issue.

125 answered:

  4. Do you perform full scope audits or focus on controls over high risks?
  • Full scope audits, all the controls over risks important to the entity being audited… 42%
  • Our audits focus on controls over risks that are important to the enterprise as a whole… 53%
  • Other… 6%

Maybe I spoke too soon! It’s a slim majority in favor of audits that focus on enterprise risks.

Coming back to the third question, which was answered by 125 auditors:

  3. When do you discuss control deficiencies with management?
  • The day we find them… 16.0%
  • Within a day or two… 21.6%
  • Within a week… 25.6%
  • Within two weeks… 6.4%
  • At the end of fieldwork… 19.2%
  • After we share the draft report… 11.2%

This is again encouraging.

Nearly 70% discuss issues with management before the end of fieldwork, generally within a week or less.

Moving on.

The next question was answered by 126 people:

  5. Do you perform the same audits every year?
  • Never… 38.9%
  • Often… 40.5%
  • Frequently… 20.6%

When you take a risk-based approach, you don’t audit based on a cycle (designed to audit everything over a period such as five years). You include in the audit plan engagements to address the more significant enterprise risks of today and tomorrow.

This should lead to performing the same audit in consecutive years only on those few occasions where both the risk level and the value of an audit remain high, or where the audit is required by the regulators.

I am pleased to see a substantial number answering this, “never”.

The next question is about audit reporting, answered by 126 people:

  6. Do your reports include recommendations or agreed action items?
  • Recommendations and management responses are separate… 4.0%
  • Recommendations and management responses are both in the report… 67.5%
  • Agreed action items… 27.8%
  • Other… 0.8%

When I started, in the Stone Age of internal auditing, the audit report would be issued and management asked to provide separate responses. While there are still a few CAEs that haven’t discovered fire, most have moved on.

A significant number have progressed to including agreed action items, but the great majority continue to include both internal audit recommendations and management responses. My view on this is that it fails to demonstrate that internal audit and management are working together, and it leaves the reader to determine whether the two are in agreement, given what may be different language.

The audit committee needs to know whether internal audit and management are, in fact, working together effectively.

I will skip the next question to address another about the audit report. It was answered by 126 auditors.

  8. How do you communicate your overall opinion?
  • We don’t include an overall opinion on the adequacy of controls over the risks in scope… 8.7%
  • We use traffic lights, such as red/yellow/green… 19.0%
  • We use language like “the controls are effective, adequate, or ineffective”… 41.3%
  • We construct an opinion statement that reflects not only whether the controls are adequate overall, but which risks might be at unacceptable levels… 23.0%
  • Other… 7.9%

This is a very important topic for me.

Our objective as internal auditors is to provide “assurance, advice, and insight”.

“Assurance” comes first in that list, as it should.

That requires us to communicate clearly to our customers in top management and on the board whether the risks we addressed are being effectively managed by adequately designed and effectively operating controls.

When there are issues with the controls, our customers need to know what that means – in terms relevant to their running the business. What enterprise objectives, plans, and strategies are at risk, and by how much? Only then can they assess how those issues are being addressed by operating management and whether they need to get involved themselves.

What does “adequate” mean to someone leading the business? They know it’s less than “effective”, but should they be worried?

That is why I told my team to use the full breadth of the English language to communicate our assessment. What risks to what objectives are affected by identified control issues, and does this mean that my business, my strategies, my plans, and my success are at risk?

But I can see that only 23% have followed my example.

  9. How long is your Executive Summary in your typical report?
  • We don’t have an Executive Summary… 2.4%
  • One page or less… 65.1%
  • Two pages… 26.2%
  • More than two pages… 5.6%
  • Don’t know… 0.8%

It was answered by 126 people.

65% got it right.

Returning to question 7, which was answered by 126 practitioners:

  7. Do you change the scope of an audit after the Opening Meeting?
  • No… 7.1%
  • We listen to management and are open to changing the scope… 23.8%
  • We can change the scope of the audit at any time, depending on what we hear from management and see for ourselves… 68.3%
  • Other… 0.8%

No comment on this, other than it is encouraging.

Then we have this, with responses from 126:

  10. How often do you change the audit plan?
  • Our audit plan is for longer than a year and does not change… 0%
  • Our audit plan is for longer than a year, but we can change it annually… 5.6%
  • Our audit plan is for longer than a year, but we can change it more frequently than annually… 8.7%
  • We have an annual plan that doesn’t change… 4.0%
  • We have an annual plan with time for special projects to accommodate change. Otherwise it is a fixed plan… 55.6%
  • Quarterly… 7.9%
  • Monthly… 0%
  • Continuously, as risks and the business change… 18.3%

A number have an audit plan that is longer than a year (even in today’s disruptive climate), and a few still have a rigid annual plan.

The majority allocate a portion of the audit plan to accommodate changes, while a (hopefully) growing number have recognized the need to change the audit plan as the business and risks change.

Moving on, we have a question answered by 126:

  11. Does your audit plan only include financial and compliance risks?
  • Yes… 19.0%
  • No… 81.0%

This speaks for itself.

The final question was answered by 125 people:

  12. Do you use canned checklists or audit programs?
  • Yes… 5.6%
  • We use them as a basis but modify them as needed… 53.6%
  • We use customized audit programs… 35.2%
  • We don’t have audit programs… 5.6%

This also is encouraging. It tells me that people are thinking about what they are going to do, rather than doing automatically what was done last time or by someone else, somewhere else.

Overall, I can see progress in internal audit practices.

I hope everybody, whether they answered the survey or not, compares their activity to those reflected here – and put appropriate corrective actions in place where needed.

As I said, if you have questions you would like included in a future survey, please let me know in the comments.

Your thoughts on the above are welcome.

Is risk-based internal auditing a myth?

November 14, 2022 14 comments

Are internal auditors fooling themselves when they say they are using a risk-based approach?

My good friend and esteemed[1] risk management practitioner and thought leader, Alexei Sidorenko, challenged me to disagree and comment on one of his latest posts: Creating a risk-based audit plan, is it a myth?

Have a look at what he wrote and then come back to my comments.

You might be interested in a debate Alex and I had on ERM, integrating risk assessment into decision-making and success management.

Alex is correct with several of his observations, including several criticisms of the IIA’s May 2020 practice guide (PG), Developing a Risk-Based Internal Audit Plan.

He quotes the second part (italicized for convenience) of this section of guidance (recommended, not mandatory guidance):

Organizations that have implemented ERM may have created a comprehensive risk register (also known as a risk inventory or risk universe). Internal auditors may use management’s information as one input into internal audit’s organizationwide risk assessment. However, in alignment with the Code of Ethics principle of objectivity and Standard 1100 – Independence and Objectivity, internal auditors should do their own work to validate that all key risks have been documented and that the relative significance of risks is reflected accurately. 

The notion that internal audit should “validate that all key risks have been documented” is wrong, as I explain below.

Returning to earlier in the PG, it says:

This practice guide describes a systematic approach to creating and maintaining a risk-based internal audit plan. The CAE and assigned internal auditors work together to:

    • Understand the organization.
    • Identify, assess, and prioritize risks.
    • Coordinate with other providers.
    • Estimate resources.
    • Propose plan and solicit feedback.
    • Finalize and communicate plan.
    • Assess risks continuously.
    • Update plan and communicate updates.

This ignores the fact that MANAGEMENT IS RESPONSIBLE FOR RISK ASSESSMENT AND MANAGEMENT of the organization.

Internal audit should assess whether MANAGEMENT is doing this sufficiently well to make informed and intelligent strategic and tactical decisions. That is not the same as doing “their own work to validate that all key risks have been documented and that the relative significance of risks is reflected accurately”. Audit the effectiveness of the ongoing processes, not a single point-in-time assessment, as Alex points out towards the end of his piece.

If it is reliable, internal audit should base their own audit plan on management’s risk assessments.

Some additional work will be needed to define audit activities at an appropriate level of granularity.

If management is not doing this well:

  1. Make sure senior management and the board realize the risk (pun intended) they are taking by not having an acceptable understanding of what lies ahead.
  2. Perform sufficient work (and no more) to understand the more significant risks where an audit project can add value, and base the audit plan on that.

Before continuing with Alex’s points, three more of my own.

The PG states:

Risk-based internal audit plans should be dynamic and nimble. To achieve those qualities, some CAEs update their internal audit plan quarterly (or a similar periodic schedule), and others consider their plans to be “rolling,” subject to minor changes at any time.

A quarterly update, or a more continuous one that is limited to “minor changes”, is probably insufficient. As Richard Chambers and I have been saying for many years, the audit plan should be updated at the speed of risk and the business, i.e., continuously if needed. That may mean major changes!

It also says:

Which types of internal audit engagements will provide senior management and the board with adequate assurance and advice that significant risks have been mitigated effectively?

When will everybody understand that risks have to be taken and not necessarily mitigated if you are to succeed? Sometimes, the best business decision is to take more!

Then there’s this:

Once the major strategies and objectives have been identified, the CAE may want to create or review the audit universe, which is a list or catalog of all potentially auditable units within an organization. Auditable units may be any “topic, subject, project, department, process, entity, function, or other area that, due to the presence of risk, may justify an audit engagement.”

 An audit universe simplifies the identification and assessment of risks throughout the organization. It is a step toward discovering which auditable units have levels of risk that warrant further review in dedicated internal audit engagements.

The PG doubles down on this error with:

This organizationwide risk assessment enables the CAE to focus on those risks that rate among the most significant and to identify manageable, timely, and value-adding engagements that reflect the organization’s priorities. This typically results in a plan that addresses around 15 auditable units on average.

We are not in the business of auditing “auditable units”.

We are not in the business of auditing risks to those “auditable units”.

We are in the business of providing assurance, advice, and insight related to risks to the enterprise as a whole!

The concept of an audit universe should be discarded. It is not only obsolete but it is leading internal audit organizations astray, auditing risks that may be important to a unit but not to the enterprise.

Instead, we should have an (enterprise) risk universe.

Those are what we may audit. The risks in that universe may exist and depend on activities at one or more entities within the organization, but our objective is (should be) to provide assurance, advice, and insight on those enterprise risks.

Alex also criticizes the notion of ‘inherent risk’. While I share his concern, I can see situations where we need to know more than the current level of risk, which assumes that controls are adequately designed and functioning effectively.

The level of risk may be acceptable if quality controls are in place. But we need to audit those areas where the risk level would be unacceptable if the controls were deficient.

That’s my first area of disagreement, although it is mild.

Then he picks on another issue: the use of heat maps. He quotes the PG:

Risk assessment results with levels of risk for each auditable unit may be depicted graphically in a heat map or similar chart to help show the ranking of priorities. Heat maps are especially useful when certain criteria are weighted more heavily than others and in visual presentations to the board and senior management.

I have to smile when I read his response:

Ok, this is all you really need to know about IIA level of competency when it comes to risk management. Heatmaps have been scientifically proven to misprioritise risks and be “worse than useless”. Let me make this very clear, IIA is recommending astrology and horoscopes in its official guidelines. Surely, that is a direct breach of a Code of Ethics principles. Last time I checked, promoting pseudoscience and astrology under the banner of independence is not a good idea.

I also hate heat maps, and I have explained that multiple times in this blog and in my books.

But let me make one point.

Since it is a MANAGEMENT responsibility to assess risks to the enterprise, I did not share my risk assessment in any level of detail with management or the audit committee.

My responsibility was to share my audit plan and be prepared to explain why each project was included and others were not.

I did not want to lead management to rely on my risk assessment in running the business.

I did not follow the advice in the PG when it says:

CAEs should meet with senior management to review internal audit’s assessment, ensure thoroughness and mutual understanding, and discuss the reasons for any significant differences in risk perceptions or ratings.

I met with management:

  1. To obtain THEIR assessment of enterprise risks, and later
  2. To review and discuss the audit plan.

Alex asserts:

The biggest lie IIA ever sold business is that auditors understand risk management.

This is only partially true.

Many auditors understand risk management. (How many risk practitioners do, Alex?)

They understand it to the level needed to build and maintain an audit plan that will provide valuable assurance, advice, and insight on the more significant sources of risk to the enterprise.

The fact that the PG is seriously deficient is not proof that the whole profession is incapable of risk-based internal auditing.

In fact, the Chartered Institute of Internal Auditors (the IIA’s UK affiliate) shared an excellent position paper on Risk-Based Auditing in 2003. Why it hasn’t been updated and used by IIA Global escapes me!

There is, admittedly, a long way to go for many internal auditors, which is why I have written and urge them to read Auditing that Matters and the follow-up, Auditing at the Speed of Risk with an Agile, Continuous Audit Plan.

By the way, I 100% disagree with Alex’s checklist at the end of his post. He has forgotten to stress that risks should be assessed based on how they might affect the achievement of enterprise objectives.

I welcome your thoughts.

By the way: I have over time received criticisms for the way I have come down on guidance from others, whether it be guidance from the IIA, Grant Thornton, or someone else. I hear that. But when people are spreading misguidance, I feel an obligation to make it clear why it should not be followed.

[1] Alex has received extensive recognition from the risk management community, including, FERMA 2021 Risk Manager of the Year; 2021 RIMS ERM Award of Distinction – International Honoree; RUSRISK 2014 Best ERM Implementation; and RUSRISK 2014 Best Risk Management Training. He runs the Risk Awareness Week series of presentations, which I recommend.

Survey of internal audit practitioners

November 11, 2022 1 comment

I have a short questionnaire that I would appreciate those of you who are internal auditors completing. I will share the results next week.

You can find it here.

 

If there are issues you would like included in a future survey, please let me know.

Good and bad advice on cybersecurity audits

November 10, 2022 2 comments

It happens so often, it’s almost not worth my time writing about it.

Grant Thornton, like the other external audit firms, provides internal audit services as well. To promote them, they offer advice on matters such as how to perform audits of an organization’s cybersecurity measures and practices.

This week, they published It’s time to upgrade cybersecurity internal audits.

They do share a useful chart on the average cost of a data breach in the US. However, they fail to point out that at $9.44 million, it shouldn’t represent a serious risk to the achievement of an organization’s objectives, let alone its survival. Yes, it’s rising (a little) every year. But how much return on investment would an organization obtain from further investments in cybersecurity?

Is cyber really a top-ten risk?

In order to know, every organization needs to conduct and continuously (or close to it) update its cyber risk assessment – within the context of the enterprise risk management program so it can be compared to other sources of business risk.

Like so many other misguided consultants, Grant Thornton looks to internal audit to perform the risk assessment.

When will people get it?

ASSESSING RISK AND UPDATING THE ASSESSMENT WHEN IT CHANGES IS A MANAGEMENT RESPONSIBILITY[1]!

The role of internal audit is to assess whether management is doing that sufficiently well to drive informed and intelligent strategic and tactical business decisions.

Internal audit should assess whether risk management activities, which include cyber, meet the needs of the organization – in other words, go further than just compliance with policies and regulations.

Yet, Grant Thornton tell us:

“You need to begin with a thorough and independent assessment of cybersecurity risk.”

If management has not completed that thorough and reliable assessment of cybersecurity risk, within the context of enterprise risk and the achievement of enterprise objectives,

REPORT A SERIOUS RISK AND CONTROL DEFICIENCY TO TOP MANAGEMENT AND THE BOARD

One of the very tough challenges with cyber risk assessment is the rapidity of change in threats and vulnerabilities.

If cyber is a major source of risk, you need to ensure that the risk assessment is always up to date so you can ensure you have appropriate measures in place, including responses to a breach.

The people at Grant Thornton who wrote this made another serious error. They said:

When the cybersecurity audit identifies your security risks, you need a well-defined plan to address them. Your plan needs to be clear and concise about your capabilities and goals, taking the organization’s performance and financial goals into account. It should align with leading practices and industry standards, and must have executive management support. Most importantly, it needs to be a dedicated multi-year plan that is part of your broader audit plan.

Do you seriously think cyber risks and controls won’t change in five years? They may well change in five weeks or less!

How can you have a multi-year audit plan in these days?

Even an annual plan needs to be updated at the speed of risk and the business.

I’ve said enough about this foolish (yes, I will go that far) article.

I have explained my approach to auditing cyber several times in the past. It includes:

  1. Has management completed and properly maintained an assessment of cyber risk?
  2. Is it part of the enterprise-wide management of business risk (i.e., not assessed and managed in a silo)?
  3. Are those responsible for addressing cyber risk competent and experienced? Are they adequately staffed? Do they report at a level that enables them to get management attention and action as appropriate? Do they have a sufficient budget and tools? Do they talk in business language or in technobabble that management and the board cannot translate into business language?
  4. If one or more of the above are answered “no”, determine the value of further audit activity. A high-level independent risk assessment (don’t spend hundreds of hours) might identify areas meriting an audit because of the clear level of risk. Report the situation immediately to senior management and the board as a serious issue.
  5. Work with the information security team and operating management to understand where the more serious risks are and incorporate them into the overall audit plan.
  6. Don’t try to audit every cyber risk at the expense of other and more serious sources of business risk.
  7. Over time, help management build and maintain an acceptable information security activity and practices.
  8. Keep management and the board informed of the level of risk to enterprise objectives.

I welcome your thoughts.

[1]Even when the CAE is also the CRO, internal audit should not be assessing risks to drive management decisions. They should be facilitating management’s assessment.

Risk Management Survey Results

November 7, 2022 2 comments

I want to thank the 102 people who responded to my survey. The results are quite interesting.

First, there is an inherent bias in the responses. These are all people who are reading my posts and are therefore more likely (I believe) than the general population to agree with what I have been advocating.

Having said that, there is still a lot of room for improvement in practices.

=====================================================================================

The 102 identified as:

  • Board members – 4
  • Management – 10
  • Risk practitioner – 33
  • Internal audit – 41
  • Information security – 2
  • Consultant – 6
  • Compliance – 2
  • Other – 4

When it came to assessing the maturity of their organization’s management of risk, the responses were:

  • There is no formal risk management activity. We rely on individuals – 19
  • It’s a compliance activity and doesn’t affect decision-making – 24
  • Risk management is fully integrated with strategic planning – 10
  • Risk management is fully integrated with strategic planning and tactical decision-making – 17
  • Risk management is recognized as helping us make timely, informed, and intelligent decisions – 28
  • Risk management provides us with a competitive advantage – 8

79 said they maintain a list of the more significant risks, updated:

  • Annually – 20
  • Quarterly – 36
  • Monthly – 5
  • Continuously – 18

22 said their program addresses both positive and adverse effects, while 26 said they are limited to adverse.

When it comes to whether each source of risk is quantified:

  • 17 said they quantified a single effect and its likelihood
    • 4 in dollars
    • 13 in terms of the effect on objectives
  • 24 quantify a range of effects and their likelihoods
    • 4 in dollars
    • 20 in terms of the effect on objectives
  • 46 don’t quantify, using a risk register or heat map to communicate
  • 12 don’t have a formal enterprise-wide risk assessment. (Curious that this is less than the 19 who said there is no formal risk management activity. The other 7 must have chosen a different response to this section, one of those above.)
  • 3 responded, “Other”

When it comes to whether risks are aggregated in some way to inform an objective or decision, the answers were:

  • Yes – 36
  • No – 52
  • Maybe – 13
  • Other – 1

=====================================================================================

For 43 of the 102, risk management was either a compliance activity or they relied on individuals rather than a coordinated activity.

That’s not good.

Of the 79 who maintained a list of the more significant risks, 20 only updated annually.

That’s not good.

46 use a list of risks or a heat map.

That’s not good at all.

28 said risk management is recognized as enabling informed and intelligent decisions, which shows progress.

Just 8 said it provided a competitive advantage.

There is some good news:

  • More people recognized that the level of risk is a range and not a point (24 vs 17).
  • 22 said they addressed positive effects, nearly as many as the 26 who said they are limited to adverse effects.
  • 8 said that their risk management activity provides a competitive advantage. Not enough, but something.
  • 18 are updating their risk assessments continuously, and that is progress.

I was curious to see whether the risk and audit practitioners would answer differently. They were very much in line with each other.

I welcome your thoughts.

Twitter and Risk

November 4, 2022 4 comments

The purchase of Twitter by Elon Musk is being followed by mass layoffs.

For me and probably others, the potential changes (including the abandonment of the platform by many of my followers) are likely to present a challenge. It’s one of the ways I receive and then share information.

But for many employees of Twitter, the challenge is far more direct and challenging. They may lose their jobs with (apparently) next to no notice.

All of this brings back memories, especially two situations where risk was not properly considered when the company that employed me made significant workforce reductions.

In the first, I recall one of the managers in IT that was coordinating with HR as IT layoffs were being planned making an astonishing admission. At least, I was astonished at the time.

She told me that they were targeting males under 50 for layoffs to avoid potential regulatory intervention, as females and those over 50 were ‘protected’.

I was shocked, not because I was male and under 50, but because they were not basing the layoffs on employee performance.

They had completed a minimal level of what we might call risk assessment, determining where they could afford cuts without seriously affecting services.

But they missed two important HR-related risks.

The first was that the analysis of who should be released was maintained on a spreadsheet – and I saw it. If that had become public, it would have been damaging.

The second is that I was a very clear target for the incoming SVP of Data Center Services, as I was a good friend of the former SVP. I was told they were eliminating my position. But they didn’t eliminate it; they split the duties (without adding anything) between two people with the same ethnicity as the new SVP whose positions were being eliminated.

I considered a discrimination lawsuit but decided to focus my energies on finding a new position.

Looking back, the company did a reasonable but less than ideal job of assessing the risks in determining how many and then which people to let go.

Not so with my second example.

This company was struggling to stay profitable, and the CEO persuaded the board that layoffs of 15% were necessary.

The CEO then directed his direct reports to let 15% of their employees go: 15% in HR, 15% in IT, 15% in Marketing, and even 15% in internal audit (which I led).

I met with the CFO and tried to explain to him that a blanket 15% cut in every department was foolish. I had to be very careful with my words. I don’t think I said it was ‘foolish’, but at least I didn’t say what I really thought, that it was madness.

I told him that while 15% might be a target, they should see where they could afford to make cuts, and where the cuts might be dangerous.

Deciding where to cut should be a risk-based decision, with a solid understanding of related risks.

Instead, the CFO got angry with me and told me the board was backing the CEO.

I called the chair of the Audit Committee, who told me to back off. He said he understood what I was saying but he would be the only one on the board who would.

With his support, I was able to push back on the 15% cut in internal audit staffing by reducing other expenses. I showed the Audit Committee what the effect would be on the audit plan, and they gave me their support. The CEO didn’t press.

The company let many of the wrong people go, such as sales personnel with critical relationships with major customers.

They rehired quite a few, but some refused to return.

The CEO had taken what was, for him, the easy route to cutting costs and returning to acceptable profitability.

What they should have done was radically change the company’s footprint, closing several of their more than a hundred factories and consolidating operations. Instead, they kept everything open with reduced staffing.

It didn’t work, and it was not long before the company failed.

Oh, by the way, after the layoffs the CEO obtained a million dollar budget to upgrade the executive offices and received a large bonus for making the cuts.

Would you join a company like this?

The lesson, which Elon Musk clearly didn't learn, is that when you need to cut costs you need to:

  • Take your time
  • Consider all the options
  • Understand the risks and opportunities in each option
  • Execute with grace

Would you join a company that let so many people go with next to no notice, or paid the CEO a bonus for doing it?

Feedback on my books

November 2, 2022 2 comments

I have published quite a few books now, with perhaps one more to come in 2023.

It is always refreshing to get feedback, especially when it seems I have made a difference and influenced others on their journeys as practitioners.

Here are a few that I very much appreciate. Thanks!

==================================================================================

Risk Management for Success

5.0 out of 5 stars Practically useful and conceptually valuable

Recently finished the book. Thanks to Norman that he pushes the Risk Management practice to the proper position in companies. This book is essential for anyone who wants to get the value from risk management. The approach of strategic risk management and the practical aspects are useful to implement this approach. I not just suggest but even want every risk practitioner to read this book.

==================================================================================

World-Class Risk Management 

5.0 out of 5 stars Favorite book on risk management I’ve read so far

Great book that goes in depth about risk management from what I would consider a more holistic approach. This is not “How to run a risk management department” but instead “why it’s imperative that risk management be a central competency throughout the enterprise.”

The author is obviously really familiar with the standards, quotes from them at length, compares them but also offers his take when he thinks one (or all) of the available standards is lacking. Excellent book if you’re interested in improving your company’s risk management. Definitely targeted more at enterprises than medium or small businesses, although I think even a small business owner could learn a lot.

5.0 out of 5 stars Packed with a lot of good insights and force us to re-examine the way we …

A very refreshing view of how risk management should be. Packed with a lot of good insights and forces us to re-examine the way we think of risk management, its value to an organisation and how to be relevant to the organisation's objectives.


==================================================================================

Risk Management in Plain English: A Guide for Executives: Enabling Success through Intelligent and Informed Risk-Taking

5.0 out of 5 stars Short and sweet!

Provides easily digestible and highly effective concepts of “success” management. The key points made provide enough details to generate actionable thinking and implementation.

5.0 out of 5 stars Five Stars

Excellent read as always from Norman Marks. Simple, clear and thought leadership.

==================================================================================

Auditing at the Speed of Risk with an Agile, Continuous Audit Plan

5.0 out of 5 stars Auditing at the speed of risk

Auditing at the Speed of Risk with an Agile, Continuous Audit Plan is a good book to have if you are an auditor

==================================================================================

World-Class Internal Audit: Tales from my Journey

5.0 out of 5 stars Great Read - Entertaining and Relatable

I thoroughly enjoyed Norman’s book. My one regret is not buying it in hard copy, so I could tab it, highlight it, scribble in the margins, etc. It’s the type of book I keep on my desk, available for quick reference or inspiration when the need arises. In his Introduction, Norman states his hope in writing World-Class Internal Audit is that it “…will amuse as well as provide some insights…” and that he wrote the book to “…stimulate some thinking…” I believe he succeeded on all three points.

World-Class Internal Audit is not a textbook or reference book containing audit programs or other details which can be used verbatim; there are many great resources available for this purpose. What I liked most about Norman's book is that the story of his personal career journey is highly relatable, despite being nothing like my own. He presents short stories about specific moments in his career with brutal introspection, explaining how he adapted or evolved his thinking along the way. His stories are relatable because they're not a load of hooey coming from on high from an "all-knowing" internal-audit God; he is fallible, admits mistakes and missteps, and offers his lessons learned. These stories lay the foundation for his view of World-Class Internal Audit and explain how he came to have this view.

I particularly liked Norman's views which are unconventional or contrary to "…the way things have always been done" such as over-documented work papers, concise audit reporting, and the position that external auditors are not trained to think.

4.0 out of 5 stars Got passion? Read this book!

Norman, well Done!

Anyone that is passionate, motivated, and enthusiastic about the internal audit and enterprise risk management profession should read this book!

It will inspire you further to strive for continuous improvement, professional development, greater quality of the services you perform, and finally, it will infuse you with greater enthusiasm and determination in the pursuit of a world class internal audit organization.

==================================================================================

Auditing that matters

5.0 out of 5 stars Driving greater impact

This book is packed with helpful nuggets to drive a more impactful audit scope. I look forward to implementing these insights!

5.0 out of 5 stars A must read for all auditors!

I have really enjoyed reading this book. As a young auditor it is great to see the progression through Norman’s career and the lessons learned along the way. I have a laundry list of meaningful changes I plan on bringing forward to my CAE based on best practices outlined in this book.

==================================================================================

Is your internal audit world-class? A maturity model for internal audit

5.0 out of 5 stars Excellent

Great book for Internal Auditors

Norman’s Survey of Risk Management Effectiveness

October 31, 2022 3 comments

I would appreciate your help with a short survey.

It should only take a few minutes.

The questions ask for your assessment of the management of risk at your organization, whether you are a board member, in management, a practitioner, a consultant, or hold a different position.

I will share the results next week.

After completing it, please share your thoughts on the survey and what else we should ask.

Thanks

Agility and Resilience

October 28, 2022 1 comment

How agile is your organization?

Is it able to react at speed to changes in business conditions, recognizing new or changed risks and seizing new or changed opportunities?

Does it have timely and sufficient information about what is changing?

Is the management team able to understand what is happening or, better, what is likely about to happen?

How fast can it change direction, whether in manufacturing, sales, marketing, engineering, or strategic planning?

If it is not sufficiently agile, it is hardly likely to be sufficiently resilient.

It will be taken by surprise and slow to act.

Competitors will leave it behind.

Customers will seek better, more efficient, or cheaper suppliers.

Does it have sufficient reserves to deploy when needed? Cash management is key to both agility and resilience.

If you are on the board, you should be concerned.

If you are in management, you should be doing something.

If you are a risk practitioner, you should be ranking it as a high risk.

If you are an internal auditor, you should be helping management and the board understand the hole they are in.

Is your organization sufficiently agile and resilient?

Are you doing enough?

I welcome your thoughts.

Is Technology the Solution for Internal Audit?

October 24, 2022 1 comment

I recently spoke at a conference organized by Corporate World Intelligence.

I was honored to be the opening speaker of the conference, talking about “Selecting the Technology for Internal Audit in 2022 and Beyond”.

My theme was that before you dive in and spend internal audit’s limited budget on some of the fancy technology advocated by consultants and vendors, we should follow the advice we give to the business.

  • Understand your needs and the value you seek to obtain.
  • Identify the solution that best meets or exceeds your needs.
  • Acquire it only if justified by the return on investment.

Unfortunately, many purchase technology tools and only then look for a way to use them.

In these days of dynamic change and business disruption, risks are changing all the time and internal audit’s risk assessment and planning needs to be almost continuous – at the speed of risk.

Enterprise risk-based auditing means that you are always striving to address what matters most to the success of the organization, the risks that matter today and will tomorrow. You eliminate audits, or parts of audits, of stuff that might matter to middle management but not to the senior leadership.

We need to be:

  • Agile, able to change the plan at short notice, removing risks that are no longer a priority and adding those that now are.
  • Highly flexible, completing audits with speed. Once you have done enough work to express an opinion, stop!
  • Performing short audits that focus on the risks that matter and not on those that don’t.
  • Discarding the notion that everything needs to be audited! No more cyclical audit plans, and no more full scope audits.
  • Performing different audits every year (with a few exceptions for risks that remain a priority and there is value in a re-audit).

In this environment, where we would be investing time and our limited resources to build new audit solutions with our new toys, the opportunity to obtain an acceptable ROI from new technologies is more limited than it was when we performed many of the same audits every year.

That is why I advocate:

  • Use the technology already owned by the organization and used by financial and operations analysts in running the business. Learn from these experts; use the same reports, etc. where it makes sense, and modify where that is better.
  • Equip the team with tools they can use with speed, like mobile analytics.
  • Acquire new tools where there is a clear ROI, now and in the future.
  • DO NOT acquire tools so you can monitor transactions when that is a management responsibility. DO NOT become the detective control.
  • DO NOT acquire tools so you can anticipate new risks. That is a management responsibility. Teach them to fish!
  • DO NOT try to automate a broken process (more in a moment).

Mine was a short presentation with a lot of questions from the (virtual) audience.

One that struck a discordant note was this:

“We are a large and complex company, but only have six internal auditors. We complete twelve audits each year. Should we get technology so we can provide greater insights?”

Unfortunately, I didn’t have time to get more information, but here are my opening thoughts:

  1. Twelve audits per year for a large and complex company sounds like they are barely touching the risks that matter.
  2. Each of those twelve audits must be massive. Assuming 1,250 hours per person per year, each audit would average about 625 hours.
  3. Each audit is almost certainly not focused on only the risks that matter. They sound like full scope audits.
  4. They need to move to an agile, enterprise risk-based approach first, targeting audits of not more than 250 hours. Eliminate work where results wouldn’t matter to top management and/or the board.
  5. They should set a goal to at least double the number of audits per person per year.
  6. The company may well not have enough auditors. They should identify what they are unable to get to and have a serious discussion with top management and then with the audit committee, even if management is reluctant to increase the internal audit budget.
  7. Their need for more people resources (even after improving their audit processes) is probably greater than their need for new technology.
  8. If they could benefit from new tools, after re-engineering their audit approach and processes, they should go for it. But they need to be specific about the needs and value before starting the evaluation process.

What do you think?

Get on board and help drive transforming change!

October 21, 2022 1 comment

This week, I was privileged to attend and contribute to a great conference chaired by my good friend, Gene Kim. His organization is IT Revolution.

The DevOps Enterprise Summit in Las Vegas finished today, but in the video library you can see some of the great presentations. I was only there for half a day, but heard inspiring stories from American Airlines, Mattel, and the US Navy (the videos are in the library – watch them! Mine is there too.) I see there will be a virtual conference in December.

What I witnessed was how companies were able to transform their technology and even product (toys, in the case of Mattel) development processes.

Instead of change taking months or years, new code, apps, or products were being developed and deployed in days or less.

Change like this can transform an entire company, helping it respond with agility to market changes and opportunities.

My role in the conference was to talk about how internal audit can be a partner and help drive the change – but it requires the auditor to jump on board and embrace the revolution, and management to open their eyes, ears, and arms to them.

What is DevOps? This is how Splunk describes it:

DevOps is an approach to IT delivery that combines people, practices and tools to break down silos between development and operations teams. DevOps teams accelerate the development of applications and services and, with a more responsive approach to management of the IT infrastructure, can deploy and update IT products at the speed of the modern marketplace.

DevOps bridges the gap between “dev” and “ops” — in other words, software development, where the code behind applications is created, and IT operations, where those applications are put into production, available to end users, and maintained. DevOps emerged from two earlier trends: The agile development movement and lean manufacturing principles. The former emphasizes short sprints of work and rapid iteration to create a more responsive IT development organization, and the latter minimizes waste and maximizes productivity in factories.

DevOps solves a bottleneck problem associated with agile development. If agile developers are producing new software or code updates at a higher frequency, then traditional operations teams will struggle to get the software tested and live in a timely manner, and the actual value of rapid development is consequently lost. Ultimately, while the agile movement made the design and building of software more iterative and flexible, that approach did not extend through the full software development lifecycle (SDLC) into deployment.

As a culture or philosophical approach, DevOps is dedicated to continuous improvement, collaboration and transparency. DevOps sees IT operations holistically in terms of value. Its goal is not to focus on individual work silos, but on the entire flow from initial idea to available product or functionality — optimizing everything in between, with an eye toward achieving greater business value at a faster pace. High-performing DevOps teams see not only faster code iterations and deployments, but overall shorter time to market for new ideas, fewer bugs and a more stable infrastructure.

I was introduced to DevOps ten years ago when Gene was writing The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win. One of the characters was the head of internal audit, and another was the chief information security officer. I was able to help him with some advice on the two individuals and how they would work with the others to “help the business win”.

It was amazing to hear so many technology and product executives talk about how this book, now in its third edition, had inspired them to what is a true revolution in technology development and deployment.

I told the (my guess) 1,400 participants that I almost wished I hadn’t retired. It would have been exciting to be part of this breaking all the rules, whether I was in IT, audit, or management.

So what should the role be of internal audit?

Is it to stand and watch as the transformation happens?

Is it to write a report that says IT is breaking all the rules?

Or is it to jump on board and help them break the old rules – replacing them with processes, controls, and rules more fitting for the disruptive VUCA world of today and tomorrow?

Forget about writing audit reports when there is so much change.

Be the trusted advisor, the independent friend, rather than the naysayer.

Understand the rationale for change and make sure it is done well.

Help the team with advice and insight on risk, controls, and security.

Help break down any barriers between the developers, InfoSec, and the business.

All on board!

P.S., if your IT team has not embraced DevOps, find out why not. Is it still taking months or longer to provide the business with the technologies they need?

I welcome your sharing.

Good practice guidelines for the Enterprise Risk Management function

October 17, 2022 7 comments

I like this review of the guidelines published a couple of years ago by internal auditors in the Nordics.

Guest blogger Marinus de Pooter highlights some good points and areas of weakness.

====================================================================

A steering group drawn from the Institutes of Internal Auditors for the Nordic and Baltic countries issued the ‘Good practice guidelines for the Enterprise Risk Management function’ in 2020. The target group is organizations that would like to establish an ERM function or develop their existing risk management function further.

The aim of this document is to set a common benchmark and to facilitate the Internal Audit function when evaluating the effectiveness of risk management processes. When reading the Guidelines I asked myself this question: To what extent do they help a business manager to run his or her organization(al unit) better?

What I like is that the authors talk about the management of positive and negative uncertainty [p. 1]. Contrary to many approaches, according to them risk management is not only about mitigating events with undesirable consequences.

I agree that the emphasis should be on assisting decision-makers with dealing with meaningful uncertainty. Risk management’s field of expertise is in evaluating and communicating the uncertain elements so that there is a fully informed basis for taking a decision. [p. 9]

The focus on value for the stakeholders is promising, too. Through the identification and proactive evaluation of threats and opportunities an organisation can protect as well as create value for its stakeholders. [p. 18] However, the reader gets the impression that 'value' mainly refers to money rather than to the many other things in life that stakeholders attach value to, such as safety, environmental protection, social contribution, beauty, customer friendliness and so on.

The authors use the undisputed assumption that risk management is indispensable. The same goes for an independent ERM function. To ensure the operation and implementation of sound risk management in a holistic fashion it has been found necessary to have a person or function dedicated to this activity. [Executive Summary]

The Guidelines state: The organisation should appoint one person with the overall responsibility for the Enterprise Risk Management function. [p. 14] Why do organisations need such a function to start with? Many family-owned businesses for example are pretty successful without having a risk management function. Apparently they are capable of benefiting from their opportunities and facing their threats.

The Guidelines are mainly about how to run an ERM function. Appendix 1 contains a 17-point plan for the establishment of a risk management function. It lists the typical paraphernalia such as: separate policy, risk appetite statements, implementation plan, job descriptions, risk owners, IT application, risk reports et cetera. Conventional risk management thrives in a compliance-driven context. If not mandated by regulators, would entrepreneurs, directors and managers still create all these risk management phenomena?

The focus of the Guidelines is on dealing with risk. It is not primarily focused on helping management to increase the likelihood of their success through the reconciliation of strategic and operational dilemmas. It states: Executive Management regularly reviews reports showing the development of significant risks as well as the status of actions taken to treat the risks. [p. 18] As a business manager I would rather receive reports expressing the estimated likelihoods of my team underachieving, meeting and overachieving our key performance indicators in the coming period.

The Guidelines state: The objective of ERM is to ensure the correct amount of risk exposure. [p. 2] However, there is no unit of measure to determine the ‘amount of risk’. If you try to express it in financial terms you will soon find out that what you value the most in life cannot be monetized.

ISO 31000 defines ‘risk’ as the ‘effect of uncertainty on objectives’; ‘effect’ being ‘deviation from the expected’. The Guidelines do not address the essential notion that it is all about managing the expectations of your core stakeholders. As a decision-maker you should focus on creating and protecting value for them. Life is not primarily about identifying, assessing, treating and monitoring risks. The future-proofness of your organisation is dependent on whether your core stakeholders remain satisfied with your performance.

Different stakeholders have diverging interests, needs and expectations. Hence, as a decision-maker you always have to reconcile dilemmas. The Guidelines do not address balancing the pros and cons when analysing your options and making your decisions.

According to the Guidelines: Executives should ensure that the risk management process is fully integrated across all levels of the organization and is strongly aligned with objectives, strategy and culture. [p. 3] The typical ERM pitfall is first creating a separate risk management system and then trying to squeeze all these concepts and tools into your regular business management. I don’t know any success story of this myself.

Maintaining risk lists mainly serves compliance purposes. Risk registers aren’t consulted when people have to make important decisions. Approaches for dealing with the uncertain future should start from the perspective of the decision-makers and help them to face their challenges. How can they best be supported to make balanced choices?

The Guidelines promise that ERM becomes a tool for the balanced prioritisation of resource utilization. [p. 4] Do you need separate risk management for the allocation of your scarce resources in order to be able to deliver products and services that meet requirements and expectations? Looking ahead and asking questions like 'what-if?' and 'what-can-happen?' are part and parcel of just (capacity) management.

The 'three lines of defence' model is embraced. [p. 11] The Guidelines address the common issues of the delineation of the responsibilities of ERM versus other support functions such as Compliance and Internal Audit. [p. 1] The document also talks about the application of a holistic perspective and about avoiding 'silo thinking'. [p. 3] The reality is that the 'three lines' model causes lots of fuss about who is part of which line. And particularly about what these colleagues are supposed to do and to refrain from doing.

Does the 2nd line comprise all business enabling functions or only those that control and monitor risks (risk oversight)? Are the support functions primarily advisors, policy makers and challengers? Or are they internal inspectors, too? Do they even have the right of veto? These questions warrant a separate discussion.

The regulators in the Financial Services industry require an independent (sheriff-type) Risk Management function aimed at holding down their colleagues in commercial functions. An inspectorate rather than a decision support function. This background presumably has led to the guideline that it is a prerequisite that the function does not perform or have responsibility for operations or make decisions which affect the business operations. [p. 14] Instead of creating another Compliance or Internal Audit type function I would rather emphasize the benefits of the role of the ‘critical friend’ for decision-makers.

The Guidelines state that employees in the ERM function shall respect and contribute to the organisation’s legitimacy and ethical objectives. [p. 15] However, the ethical dimension in decision-making is not emphasized in the document. Take for example dilemmas associated with the cost implications of employee safety, environmental protection and animal welfare. In addition, the document does not underscore the importance of biases. The same goes for our serious limitations to comprehend the complexity of the future caused by too many actors and factors.

The Guidelines use a deviant meaning for risk tolerance. They state that it is more of a given based on the organisation’s financial robustness, the enforcement by authorities, or other external factors determining the impact when a risk materialises. They refer to it as the level of risk an organisation is able to absorb without significantly impacting the achievement of its strategic objectives. [p. 31] The latter resembles COSO ERM’s definition of risk capacity: The maximum amount of risk that an entity is able to absorb in the pursuit of strategy and business objectives.

The risk profile is featured in the document, too. The conventional risk diagram is presented stating: The green area defines the desired performance and given risk appetite. [p. 32] It has already been discussed in detail elsewhere that the ‘heatmap’ is a misleading tool.

The document mentions a couple of creative additions to the ever expanding risk vocabulary such as risk gaps, risk picture and risk landscape. My recommendation is to try to avoid risk jargon at all costs. The more words you use starting with ‘risk’ the more people are inclined to think that it is all about something different than ordinary management.

Appendix 1 contains an impressive list of 26 reasons for failure in the establishment of ERM. [p. 22-25] It recommends curative actions for each of these items. However, in my view the solution is not to try to fix ERM. Considered closely, it is not about managing risk, but about managing expectations.

  • Risks (opportunities and threats) are not an end in themselves; they help arrive at appropriate (hard and soft) controls.
  • Controls are also not an end in themselves; they help create more robust business processes.
  • Processes are not an end in themselves; they help achieve objectives in a structured way.
  • Objectives are not an end in themselves; they help clarify which value you need to create and protect for your core stakeholders in order to keep them satisfied.

Regardless of the sector in which your organization operates the lasting satisfaction of your core stakeholders is the pre-eminent condition for your future-proofness.

Is it worth following the Guidelines presented in the document? I welcome your thoughts.

Marinus de Pooter is owner of MdP | Management, Consulting and Training. Previously he worked as Director of Finance with Ernst & Young Global Client Consulting, as European Director Internal Audit with Office Depot and as ERM Solution Leader with EY Advisory.

Are you trusted and valued?

October 13, 2022 1 comment

All of us want to be both trusted and valued by our peers and customers in operating and senior management.

How do we know whether we are? Can we trust the feedback, if any, that we get?

I have developed a tool that you can adapt and use.

It asks each individual to rate whether you exhibit the traits described in words or phrases on a scale of 1 (hardly ever) to 10 (most definitely).

I suggest getting the list to each person in a way that allows them to return their assessment anonymously. One way is to enlist a trusted partner in the Legal or HR team, one that will not share the results with anybody else. Then either you or they send the list to each person you identify and ask for replies to be sent to your partner. Your partner strips the assessment from any email it is attached to and sends you just the assessment.

Here it is.

Dear Executive

(John or Jane Doe) is asking for your help in understanding how they are perceived by their (peers/customers/clients/etc.)

Please rate whether they hardly ever (score of 1) or most definitely (score of 10) demonstrate each of these attributes.

To keep your assessment confidential, please return your assessment to (Barbara Jones) in the (Legal/HR) department. She will forward only your anonymous assessment to (John/Jane).

We would appreciate receiving your completed assessment by (before H freezes over).

Attribute Rating
Trusted (by you)
Intelligent
Constructive
Listens
Wastes your time
Stubborn
Imaginative
Understands the business
Understands YOUR business
Practical
Flexible
Emotional
Timely
Theoretical
Professional
Delivers on commitments
Fair
A partner
Helps you be successful
Gets in the way

Feel free to tailor it and let me know whether you use it and the results you obtain.

Comments welcome.