The SEC is changing the rules for SOX s302 certifications to include cyber risks

You may know that the SEC just published new guidance on the disclosures they are required to make related to cybersecurity.

Here’s a report in the Journal of Accountancy.

But did you realize that the SOX s302 certification now has to address whether disclosure controls are adequate in ensuring that the proper disclosures are made?

Have a look at the SEC guidance.

Here is an extract with the key points highlighted:

Cybersecurity risk management policies and procedures are key elements of enterprisewide risk management, including as it relates to compliance with the federal securities laws. We encourage companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure. Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications and to facilitate policies and procedures designed to prohibit directors, officers, and other corporate insiders from trading on the basis of material nonpublic information about cybersecurity risks and incidents.

Pursuant to Exchange Act Rules 13a-15 and 15d-15, companies must maintain disclosure controls and procedures, and management must evaluate their effectiveness. These rules define “disclosure controls and procedures” as those controls and other procedures designed to ensure that information required to be disclosed by the company in the reports that it files or submits under the Exchange Act is (1) “recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms,” and (2) “accumulated and communicated to the company’s management … as appropriate to allow timely decisions regarding required disclosure.”

A company’s disclosure controls and procedures should not be limited to disclosure specifically required, but should also ensure timely collection and evaluation of information potentially subject to required disclosure, or relevant to an assessment of the need to disclose developments and risks that pertain to the company’s businesses.  Information also must be evaluated in the context of the disclosure requirement of Exchange Act Rule 12b-20.54 When designing and evaluating disclosure controls and procedures, companies should consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings. Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents.

Exchange Act Rules 13a-14 and 15d-1455 require a company’s principal executive officer and principal financial officer to make certifications regarding the design and effectiveness of disclosure controls and procedures,56 and Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F require companies to disclose conclusions on the effectiveness of disclosure controls and procedures. These certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact. In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.

Are you ready for this?

Are your disclosure controls up to the task?

When your CEO and CFO sign the certifications and say that they have not only caused all material information to be made known to them but also assessed and found sufficient the company’s disclosure controls, do they have a reasonable and defensible basis for those assertions?

Love to hear where you are on this.

Advertisement

Evaluating the external auditors

The Audit Committee Collaboration (six associations or firms, including the National Association of Corporate Directors and NYSE Governance Services) recently published External Auditor Assessment Tool: A Reference for Audit Committees Worldwide.

It’s a good product, useful for audit committees and those who advise them (especially CAEs, CFOs, and general counsel).

The tool includes an overview of the topic, a discussion of important areas to assess (with sample questions for each), and a sample questionnaire to ask management to complete.

However, the document does not talk about the critical need for the audit committee to exercise professional skepticism and ask penetrating questions to test the external audit team’s quality.

Given the publicized failures of the audit firms to detect serious issues (fortunately few, but still too many) – the latest being FIFA (see this in CFO.com) – and the deficiencies continually found by the PCAOB Examiners, audit committees must take this matter seriously.

Let me Illustrate with a story. Some years ago, I joined a global manufacturing company as the head of the internal audit function, with responsibility for the SOX program. I was the first to hold that position; previously, the internal audit function had been outsourced. Within a couple of months, I attended my first audit committee meeting. I informed them that there was an internal control issue that, if not addressed by year-end, might be considered a material weakness in the system of internal control over financial reporting. None of the corporate financial reporting team was a CPA! That included the CFO, the Corporate Controller, and the entire financial reporting team. I told that that, apart from the Asia-Pacific team in Singapore, the only CPAs on staff were me, the Treasurer, and a business unit controller. The deficiency was that, as a result, the financial reporting team relied heavily on the external auditors for technical accounting advice – and this was no longer permitted.

The chairman of the audit committee turned to the CFO, asked him if that was correct, and received an (unapologetic) affirmative. The chairman then turned to the audit partner, seated directly to his right, and asked if he knew about this. The partner also gave an unapologetic “yes” in reply.

The chairman then asked the CEO (incidentally, the former CFO whose policy it had been not to hire CPAs) to address the issue promptly, which it was.

However, the audit committee totally let the audit partner off the hook. The audit firm had never reported this as an issue to the audit committee, even though it had been in place for several years. The chairman did not ask the audit partner why, whether he agreed with my assessment of the issue, why the firm had not identified this as a material weakness or significant deficiency in prior years, or any other related question.

If you talk to those in management who work with the external audit team, the most frequent complaint is that the auditors don’t use judgment and common sense. They worry about the trivial rather than what is important and potentially material to the financial statements. In addition, they often are unreasonable and unwilling to work with management – going overboard to preserve the appearance of independence.

I addressed this in a prior post, when I said the audit committee should consider:

• Whether the external auditor has adopted an appropriate attitude for working with the company, including management and the internal auditor
• Whether the auditor has taken a top-down and risk-based approach that focuses on what matters and not on trivia, minimizing both cost and disruption, and
• Whether issues are addressed with common sense rather than a desire to prove themselves

Does your audit committee perform an appropriate review and assessment of the external audit firm and their performance?

I welcome your comments.

Cyber risk and the boardroom

The National Association of Corporate Directors (NACD) has published a discussion between the leader of PwC’s Center for Board Governance, Mary Ann Cloyd, and an expert on cyber who formally served as a leader of the US Air Force’s cyber operations, Suzanne Vautrinot.

It’s an interesting read on a number of levels; I recommend it for board members, executives, information security professionals and auditors.

Here are some of the points in the discussion worth emphasizing:

“An R&D organization, a manufacturer, a retail company, a financial institution, and a critical utility would likely have different considerations regarding cyber risk. Certainly, some of the solutions and security technology can be the same, but it’s not a cookie-cutter approach. An informed risk assessment and management strategy must be part of the dialogue.”

“When we as board members are dealing with something that requires true core competency expertise—whether it’s mergers and acquisitions or banking and investments or cybersecurity—there are advisors and experts to turn to because it is their core competency. They can facilitate the discussion and provide background information, and enable the board to have a very robust, fulsome conversation about risks and actions.”

“The board needs to be comfortable having the conversation with management and the internal experts. They need to understand how cybersecurity risk affects business decisions and strategy. The board can then have a conversation with management saying, ‘OK, given this kind of risk, what are we willing to accept or do to try to mitigate it? Let’s have a conversation about how we do this currently in our corporation and why.’”

“Cloyd: What you just described doesn’t sound unique to cybersecurity. It’s like other business risks that you’re assessing, evaluating, and dealing with. It’s another part of the risk appetite discussion. Vautrinot: Correct. The only thing that’s different is the expertise you bring in, and the conversation you have may involve slightly different technology.”

“Cloyd: Cybersecurity is like other risks, so don’t be intimidated by it. Just put on your director hat and oversee this as you do other major risks. Vautrinot: And demand that the answers be provided in a way that you understand. Continue to ask questions until you understand, because sometimes the words or the jargon get in the way.”

“Cybersecurity is a business issue, it’s not just a technology issue.”

This was a fairly long conversation as these things go, but time and other limitations probably affected the discussion – and limited the ability to probe the topic in greater depth.

For example, there are some more points that I would emphasize to boards:

• It is impossible to eliminate cyber-related risk. The goal should be to understand what the risk is at any point and obtain assurance that management (a) knows what the risk is, (b) considers it as part of decision-making, including its potential effect on new initiatives, (c) has established at what point the risk becomes acceptable, because investing more has diminishing returns, (d) has reason to believe its ability to prevent/detect cyber breaches is at the right level, considering the risk and the cost of additional measures (and is taking corrective actions when it is not at the desired level), (e) has a process to respond promptly and appropriately in the event of a breach, (f) has tested that capability, and (g) has a process in place to communicate to the board the information the board needs, when it needs it, to provide effective oversight.
• Cyber risk should not be managed separately from enterprise or business risk. Cyber may be only one of several sources of risk to a new initiative, and the total risk to that initiative needs to be understood.
• Cyber-related risk should be assessed and evaluated based on its effect on the business, not based on some calculated value for the information asset.
• The board can never have, or maintain, the level of sophisticated knowledge required to assess cyber risk itself. It needs to ask questions and probe management’s responses until it has confidence that management has the ability to address cyber risk.

I welcome your comments and observations on the article and my points, above.

Lessons Learned from the Transition to COSO 2013

Protiviti has shared with us a useful Top 10 Lessons Learned from Implementing COSO 2013.

I especially like this section:

It is presumed that everyone understands that a top-down, risk-based approach remains applicable to Section 404 compliance, and the transition to the 2013 updated Framework does not affect this. While we don’t list this as a lesson, we could have, because some companies either forgot or neglected to apply this approach when setting the scope and objectives for using the Framework. As a result, they went overboard with their controls documentation and testing. We can’t stress enough that the COSO 2013 Framework did not change the essence of, and the need for, a top-down, risk-based approach in complying with SOX Section 404.

The report has a number of excellent pieces of advice. However, I wouldn’t be me if I didn’t have points of disagreement.

The first is on mapping. It is NOT necessary to map all your controls to the principles. If we take principle 10, for example, it states “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels”. Rather than map all your control activities to this principle (or to principle 11, which is the same – just for IT general controls), the organization needs to identify the control(s) it relies on for its assessment that the principles are present and functioning[1]. For principles 10 and 11, that will be the SOX scoping exercise. For the principle on fraud, the control that should be identified is the fraud risk assessment, not every control relied on to detect or prevent fraud.

Then there is the assertion that indirect controls are the same as entity-level controls. COSO (both 1992 and 2013) tell us, correctly, that activities in each of its components may operate at any level within the organization. For example, let’s say that an account analysis is prepared by Corporate Finance as part of the period-end close. This entity-level control may operate with sufficient precision to be relied upon to detect a material error or omission in that account. But the entity-level control is a direct control, not an indirect control. (A direct control can be relied upon to prevent or detect an error. An indirect control is one that serves to increase or decrease the likelihood that other, direct, controls will function effectively. Hiring, integrity, oversight by the board – these are indirect controls where a defect would increase the likelihood that affected direct controls would fail.)

Another example that helps us understand the difference is the hiring process (related to principle 4, in the Control Environment). The hiring process most often is at a lower level than the entity-level, often as deep as the activity level as that is where most hiring managers reside. Controls in the hiring process in this situation are activity level (or what I call ‘intermediate level’ controls, operating at a location or business unit rather than either the top or the bottom of the organization) and are indirect controls.

I could quibble with one or two more points, but I don’t want to detract from the report. I want, instead, to encourage you to read and discuss it.

What do you think?

What additional lessons have you learned?

[1] Full credit for this wording goes to the E&Y national office, who used it in a conversation I had with them about the firm’s training of its audit staff.

The most important sentence in COSO

In my opinion, one sentence stands out, whether you are looking at the COSO Internal Control – Integrated Framework (2013 version) or the COSO Enterprise Risk Management – Integrated Framework.

That sentence is:

An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories.

The sentence is important because it emphasizes the fact that the purpose of controls is to address risk, and that you have ‘enough’ control when risk is at desired levels.

To me, this means that:

1. Before you assess the effectiveness of internal control, you need to know your objective(s), because we are talking about risk to objectives – not risk out of context
2. You need to know the risk to those objectives
3. You need to know what is an acceptable level of risk for each objective, and
4. You need to be able to assess whether the controls provide reasonable assurance that risk is at acceptable levels

You may ask “where is that sentence?”, because when consultants (and even COSO and IIA) make presentations on COSO 2013 and effective internal control, all you hear about are the principles and components.

In fact, anybody who reads COSO 2013 should have no difficulty finding this most important sentence. It’s in the section headed “Requirements for Effective Internal Control”.

This is how that section starts:

An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. Because internal control is relevant both to the entity and its subunits, an effective system of internal control may relate to a specific part of the organizational structure. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories. It requires that:

• Each of the five components of internal control and relevant principles are present and functioning
• The five components are operating together in an integrated manner

There is no mention of satisfying the requirement that the “components and relevant principles are present and functioning” until after the reference to risk being at acceptable levels.

In fact, I believe – and I know of at least one prominent COSO leader agrees – that assessing the presence and functioning of the components and principles is secondary, provided to help with the assessment.

Let’s have a look at the very next paragraph in the section:

When a major deficiency exists with respect to the presence and functioning of a component or relevant principle or in terms of the components operating together, the organization cannot conclude that it has met the requirements for an effective system of internal control.

When you look at this with the (COSO) risk lens, this translates to the ability to assess internal control as effective, and the principles and components as present and functioning, as long as there is no deficiency in internal control that is rated as “major”.

How does COSO determine whether a deficiency is “major”? That can be found in the section, “Deficiencies in Internal Control”.

An internal control deficiency or combination of deficiencies that is severe enough to adversely affect the likelihood that the entity can achieve its objectives is referred to as a “major deficiency”.

Let’s translate this as well:

1. If the likelihood of achieving objective(s) is “severe”, then the risk is outside acceptable levels.
2. If the risk is outside acceptable levels, not only should the related component(s) or principle(s) not be assessed as present and functioning, but internal control is not considered effective.
3. When it comes to SOX compliance, a “major deficiency” translates to a “material weakness”. The objective for SOX is to file financial statements with the SEC that are free of material error or omission. The acceptable level of risk is where the likelihood of a material error or omission is less than reasonably possible.
4. That means that if the deficiency is less than “major” (or “material” for SOX purposes), then the related component(s) or principle(s) can be assessed as present and functioning – and internal control can be assessed as effective.

So, the only way to assess whether the principles and components are present and functioning is to determine whether the risk to objectives (after considering any related control deficiency) is at acceptable levels.

Do you see what I mean?

Risk is at the core. Assessing the presence and functioning of components or principles without first understanding what is an acceptable level of risk to objectives is misunderstanding COSO!

Why are so many blind to this most important sentence?

I have a theory: the presentations were all prepared based on the Exposure Draft. That document failed to reference the requirement that internal control be designed to bring risk within acceptable levels. (The defect was fixed after comments were received on the issue.)

Do you have a better theory?

Can you explain the blindness of so many to the most important sentence in the entire Framework?

Cybersecurity is broken

At least, that is what one expert has to say in a provocative piece in SC magazine.

Here are some excerpts, but I recommend you read the short article.

The author, the CEO of a software vendor of cybersecurity products, starts with these points:

…user-driven technology has progressed so rapidly that it has significantly outpaced technology’s own ability to keep data protected from misuse and guarded from cyber vulnerabilities…….

A lack of reliable security is the price we’ve paid for this eruption of amazing new cloud-based services and keeping vital data out of the wrong hands is an uphill battle.

He then spells out a truth that we should all acknowledge:

Anyone who tells you that your data is secure today is lying to you. The state-of-the-art that is cybersecurity today is broken. There must be a better way. But don’t lose hope, there is.

The article then takes a new direction (at least for me):

CIOs today need to adopt an entirely new security philosophy – one that hinges on the fact that your files and information will be everywhere……..

If we can build a new security approach from the ground up based on the premise that data will escape, and are then able to secure everything no matter where it is, we end up debunking the concept of the “leak” entirely.

I do agree that the traditional, exclusive, focus on preventing an intrusion cannot continue. He says:

That’s why my biggest frustration coming out of the recent Sony and Anthem hacks is companies opting for reactive solutions to fortify firewalls and secure siloed tunnels of information. For example, there was a major uptick in company-wide email-deletion policies in the wake of the Sony attack. Now that’s just dumb. Those are band-aid strategies that fail to address the heart of the problem.

He continues to press his point:

Maintaining a level of security in a boundaryless world means security and policy follow exactly what you’re trying to protect in the first place — the data……

Usable security, where users can choose how they want to access, store and share data, can only be made possible by providing a seamless user experience, so security is integrated into the daily work of everyone. A great user experience is one major obstacle security vendors (and arguably, all enterprise services) have yet to conquer. If we can do it, we will move away from panic-inducing scare tactics used to encourage adoption, and instead empower users with a solution they actually like to secure data…..

In order to be a security company, enterprises need to rethink a few things. First, users have to be in control of their data at any given point in time and should be able to revoke access when they want by utilizing familiar technology. They should have complete peace of mind that their data truly stays theirs. Second, in a cloud and mobile world there are no real controlled end-points anymore, unless we want to take a step back into the stone ages. And third, the firewall model is broken and trying to extend the perimeter out simply doesn’t work anymore. It’s about protecting the information, wherever it is, and not about locking everything down where it’s hard to access, use and share for your employees and partners.

So he is presenting a new cybersecurity world where the security follows the data, using encryption and other methods.

I think that is something that every organization should consider – especially encryption.

But is it enough?

For a start, how secure is encryption in the face of the sophisticated attacker? Maybe it is reasonably secure now, but we cannot be sure it will remain secure. Consider how encryption was broken by researchers, with the story told in this 2013 article.

I think you need at least three levels of protection: prevention, encryption, and detection, followed by response.

We can no longer assume that the bad guys cannot get in, and I am reluctant to assume that my encryption will not be broken if they have time.

So, we need the ability to detect any intruders promptly – so we can shut them down and limit any damage.

Too few have sufficient detection in place. Just look how long hackers were inside JP Morgan, and then how long it took the company to expel them!

I welcome your views.

Going crazy with COSO 2013 for SOX

For some reason, I only just saw a new PwC publication, Present and functioning: Fine-tuning your ICFR using the COSO update, dated November 2014.

PwC provided the project team for the COSO 2013 update of the Internal Controls – Integrated Framework, so their advice and insight should merit our attention.

The trouble is that it very easy to go overboard and do much more work than is necessary to update your SOX program for COSO 2013.

I fear that PwC may help people go crazy, rather than perform the few additional procedures necessary. I respect those who have said, rightly in my view, that if you were able to comply with the requirements of COSO 1992 (the original version) and either the SEC guidance (in their Interpretive Guidance) or PCAOB Standard Number 5, you should already be in compliance with COSO 2013.

The key is to be able to demonstrate that.

We need to remember these facts:

1. Neither the SEC nor the PCAOB has updated regulatory guidance for management or the external auditor since the release of COSO 2013. That guidance, reinforced by the PCAOB October 2013 Staff Practice Report) mandates a top-down and risk-based approach. It requires a focus on the potential for a material error or omission in the financial statements filed with the SEC.
2. COSO 2013 says that internal control is effective when it reduces the risk to the achievement of objectives to acceptable levels. For SOX, that means that there are no material weaknesses.
3. COSO 2013 also says that a principle can be deemed present and functioning if there are no “major deficiencies” that represent a significant level of risk to the achievement of the objective – in other words, there are no material weaknesses due to a failure of elements relating to a principle.

Now let’s have a look at what PwC has to say.

“With the COSO’s 1992 Control Framework being superseded by the 2013 updated edition on December 15, 2014, now is the time for companies to use the updated framework to evaluate the effectiveness of their systems of internal control over financial reporting.”

I agree with this statement. This is a great opportunity to ensure an effective and efficient program is in place.

“The updated framework formalizes 17 principles that stipulate more granular evaluative criteria to help a company’s management assess the design and operating effectiveness of its ICFR.”

They forget to say that COSO informs us that internal control is effective if it reduces risk to the achievement of objectives to acceptable levels. They also forget to remind us that the SOX assessment must be top-down, risk-based, and focused on the potential for a material error or omission.

“We don’t believe that implementation of the 2013 framework affects management’s existing control activities…. assuming that a company’s control activities have been assessed as effective, reevaluating them according to the 2013 framework is not necessary.”

While there is an element of truth to this, organizations should not be assessing control activities in isolation – they should be assessing whether the combination of controls provides reasonable assurance that there are no material errors or omissions. Focusing on one component by itself is insufficient and, I believe, incorrect.

In addition, the selection of controls for reliance should always be re-evaluated as the business is likely to have changed, including materiality, significant accounts and locations, and so on.

“We believe the most immediate value of applying the 2013 framework lies in the opportunity it provides for taking a fresh look at indirect entity-level controls.”

Again, the SOX scoping should be focused on the combination of controls that provides reasonable assurance. In addition, some principles (such as the hiring and training of employees, or the provision of training and obtaining certification of employees in the code of conduct) are performed at the activity level. COSO tells us that activities in each of the COSO components may exist at any level of the organization. So, we need to recognize that indirect controls may operate at the entity (corporate) level, activity level, or any level in between (such as at the business unit or regional level).

Having said which, the principles do offer us a new opportunity to determine which of these indirect controls need to be included in scope because a failure would represent an unacceptable level of risk – because they raise to an unacceptable level the likelihood that one or more key direct control relied on to prevent or detect a material error or omission might fail.

But, it all has to be within the context that we are focusing the scope, and the SOX program as a whole, on the risk of a material error or omission!

“…fine-tune the design and related documentation of indirect ELCs [entity-level controls] through mapping them to principles.”

Many have misguided organizations, telling them to “map their controls to the principles”. The proper guidance is to “identify the controls you are relying on to provide reasonable assurance that the principles are present and functioning”. Again, we need to remember that the principles can be deemed present and functioning if a failure would not represent a material weakness.

It is correct to say that if you have indirect controls (at entity or another level) that are not required to provide that reasonable assurance, they do not need to be included in scope for SOX.

“…we have noted the following areas in which management’s assessment has indicated room for optimization or improvement in control documentation.”

I suspect that the issue is not limited to control documentation! There is always room for improvement and it is useful to see what PwC has identified.

“Leading companies are formalizing or clarifying and incorporating into their evaluations of ICFR certain indirect ELCs that support existing human resources policies. Such controls usually consist of approvals of new hires and employee transfers (including background checks and assessments of requisite skills and experience when appropriate), requirements for professional certifications and training (e.g., in new and complex accounting standards), succession planning and retention of competent employees, and periodic reviews of employee performance to assess requisite skill levels and conduct. Compensation programs aligned with expected performance, competencies, and behaviors are also important to support ICFR objectives.”

If you believe that any organization’s HR policies and practices provide the assurance you need that every single key control is performed by individuals with the appropriate experience, knowledge, training, and so on, I have a bridge to sell you!

While it is very important to have excellence in hiring, training, supervision, career development, promotion and so on, I do not believe that for SOX it is productive to spend much time on controls in this area.

I very much prefer to assess the capabilities and competence of each control owner as part of the evaluation of the design and operation of each individual key control.

“In many organizations, the evaluation of fraud risks related to financial reporting is integrated into the overall assessment of financial-reporting risks……… In identifying and evaluating those risks, management investigates incentives, pressures, opportunities, attitudes, and rationalizations that might exist throughout the company in different departments and among various personnel.”

The first statement is (I hope) true, although I personally perform a separate assessment of fraud risk (focused on the risk of a material error or omission due to fraud) and generally find that they are addressed by the controls already identified for mistakes.

PwC talks about ‘scenarios’, while I talk about ‘fraud schemes’. In each case, we are talking about ‘how’ the fraud would be committed – an essential step in understanding the true nature of the risk and the controls that would prevent or detect it, if material.

However, going crazy about the fraud triangle is not recommended. We should focus on how we can provide reasonable assurance that a material error or omission due to fraud might be prevented or detected, and remember that the number of people with the ability to commit such a fraud is limited. More than 80% of reported material frauds have been perpetrated by the CEO and CFO acting together, not individuals “throughout the company in different departments and among various personnel.” Rationalization, for example, is an intensely personal action and not something that can be detected by looking broadly at even a segment of the workforce.

“Companies taking a thoughtful approach in transitioning to the 2013 framework—rather than viewing it as a mere compliance exercise—are finding value in the identification of opportunities to strengthen their ICFR.”

We are back on solid ground.

The focus has to remain solidly grounded on identifying and then testing the design and operation of the controls relied upon to prevent or detect a material error or omission. A top-down and risk-based approach is mandated.

Going beyond this may have value in improving operations and the achievement of other (than SOX) business objectives.

But let’s not go crazy!

I welcome your comments and, especially, your experiences with COSO 2013 and your external auditors.

By the way, I think it is well past time for COSO to issue a statement or other guidance to set people straight on the COSO 2013 principles when it comes to SOX. They need to explain that the primary evaluation criterion for effective internal control is whether there is reasonable assurance that risk to the achievement of principles is at an acceptable level. Then they need to explain that the principles offer more granulated guidance that can be used in assessing that risk and whether it is acceptable, but assessing the principles without the context of risk is misunderstanding COSO 2013.

Do you agree?

 

The effective audit committee

A short article in CGMA Magazine, Ingredients of an effective audit committee, caught my eye. I recommend reading it.

I think there are some key ingredients to an effective audit committee that are often overlooked. They include:

1. The members have to read all the material for the audit committee meeting before the meeting. It’s amazing how often they don’t, which reduces the meeting to absorbing the material rather than a constructive discussion of its implications.
2. The members have to be ready, willing, and able to constructively challenge all the other participants, including the external and internal auditors as well as financial, operating, and executive management. Too often, they are deferent to the external auditor (for reasons that escape me) and too anxious to be collegial to challenge senior management.
3. They need a sufficient understanding of the business, its external context (including competitors and the regulatory environment), its strategies and objectives, risks to the achievement of its objectives, and the fundamentals of risk management and financial reporting, to ask the right questions. They don’t need to have a deep understanding if they are willing to use their common sense.
4. They need to be willing to ask a silly question.
5. They need to persevere until they get a common sense response.
6. No board or committee of the board can be effective if they don’t receive the information they need when they need it. I am frustrated when I read surveys that say they don’t receive the information they need – they should be demanding it and accepting no excuses when management is slow to respond.
7. Audit committee members will not be effective if they are only present and functioning at quarterly meetings. They need to be monitoring and asking questions far more often, as they see or suspect changes that might affect the organization and their oversight responsibilities.

What do you think?

I welcome your comments.

Leveraging the COSO Internal Control Update for Advantage

PwC, who led the project for COSO that updated the Internal Control – Integrated Framework, have shared 10 Minutes on why the COSO Update deserves your attention.

PwC has taken credit for writing the update – and I happy to give them the credit, but if they want that then they also have to recognize the limitations.

Personally, I think they have exaggerated the value of the update. For example, they say that the updated version is “applicable to more business objectives”. Frankly, that is nonsense. The 1992 framework could be and was being applied by practitioners (including me) to any and all objectives, including internal financial reporting and all forms of non-financial reporting (contrary to PwC’s views in this latest document).

Nevertheless, I agree with PwC that the update provides an excellent opportunity to revisit both the effectiveness and efficiency of your internal controls.

PwC shares their approach, which I don’t think is correct as it is not risk-based.

Here is mine:

1. Do you understand the risks to your mission-critical objectives?
2. Do you have the controls in place to give you reasonable assurance that those risks are being managed at acceptable levels? (If you are concerned about satisfying the new COSO Principles, remember that they can be assessed as present and functioning as long as there are no major weaknesses that indicate that risks are not managed at acceptable levels).
3. Do you have the right controls? Are they the most effective and efficient combination of controls? Do you have too many (COSO doesn’t ask this question, nor whether you have the best combination of controls)?
4. As you look at your strategies and plans for the next year or so, do you have to make changes to your internal controls so they can support changes in your business and its operations?

I welcome your views.

Leading the 21st century organization

I have been a fan of Tom Peters (author of “In Search of Excellence” and many more books) for more than 20 years.

While CAE at Tosco Corporation, I attended a presentation by him on something he called Wow! The concept, which I not only wrote about for the Internal Auditor magazine in 2001 but tried to incorporate into my internal audit practice, is to turn every project into something that you would tell your grandchildren about (Wow! indeed).

Tom is now 71 but hasn’t slowed down. He is amazingly actively presenting all over the world, writing books, and on Twitter (where we interact from time to time).

Recently, he was interviewed by McKinsey and I recommend reading the full piece. Here are some excerpts.

“My real bottom-line hypothesis is that nobody has a sweet clue what they’re doing. Therefore you better be trying stuff at an insanely rapid pace. You want to be screwing around with nearly everything. Relentless experimentation was probably important in the 1970s—now it’s do or die.”

“…the secret to success is daydreaming.”

“If you take a leadership job, you do people. Period. It’s what you do. It’s what you’re paid to do. People, period. Should you have a great strategy? Yes, you should. How do you get a great strategy? By finding the world’s greatest strategist, not by being the world’s greatest strategist. You do people.”

“We’re in the big-change business, aren’t we? Isn’t that the whole point? I mean, any idiot with a high IQ can invent a great strategy. What’s really hard is fighting against the unwashed masses and pulling it off—although there’s nothing stupider than saying change is about overcoming resistance. Change is about recruiting allies and working each other up to have the nerve to try the next experiment. You find allies. You encircle the buggers.”

“I’m more than willing to say that today’s two year old is going to deal with his or her fellow human beings differently than you or I do. But the reality is it’s 2014, not 2034, and I would argue that for the next 20 years, we’re still safe believing in the importance of face-to-face contact. I’m not arguing against virtual meetings, but I’m telling you that if I’m running IBM, I want to be on the road 200 days a year as much in 2014 as in 2004 or in 1974. It has nothing to do with the value of the tools, but I’ve got to see you face to face now and then; I don’t think I can do it all screen to screen.”

“At some deep level, people are people, and so I believe passionately that there is no difference between leading now and leading then. What I certainly believe is that anybody who is leading a sizable institution who doesn’t do what I did and take a year off and read or what have you, and who doesn’t embrace the new technology with youthful joy and glee, is out of business.”

This last is 100% consistent with the quote from another McKinsey Quarterly issue I used in Management for the Next 50 Years:

“Those who understand the depth, breadth, and radical nature of the change and opportunity that’s on the way will be best able to reset their intuitions accordingly, shape this new world, and thrive.”

Do you agree?

Leaders of internal audit should never be satisfied

If you think you are world-class, it is time for you to consider change.

Our organizations and the risks they face are changing constantly and the pace of change is increasing.

Jack Welch once said: “If the rate of change on the outside exceeds the rate of change on the inside, the end is in sight.”

We should never be satisfied with where we are today, as this represents a risk that we will not be sufficiently agile to deal with risks tomorrow.

Here are a couple of excerpts from my book, World-Class-Internal Audit: Tales from my Journey. The first is on the need for change:

OK, you and your team have been recognized as adding huge value and being world-class.

Do you stop there, confident and happy in your success?

No. What is world-class for your organization today may be insufficient for tomorrow.

The CAE should have a thirst for change and growth. Learn not only from other internal audit leaders and what they do well. Learn from leaders of other organizations entirely, like Marketing and Sales.

I like to read magazines like Fast Company because they profile innovative and creative thinkers in all walks of life. Maybe what works for them could, with some tailoring, work for me. At least it might stimulate me to think about something I had never thought about before. It might stimulate me to challenge what had worked for me in the past.

Innovative leaders think outside the box. They create something that excels and they love it. They love it so much it becomes a box for them and limits their ability to discard it in favor of something new.

We should not only think out of the box, but stay out of the box, and kick it as soon as somebody builds one.

This is what I had to say about the future of internal audit:

Internal audit has made great strides since I first became a CAE in 1990.

We have moved the edge of the practice from controls auditing to assurance over governance, risk, and control processes.

The majority of CAEs now report directly to the audit committee with functional reporting to at least the CFO if not the CEO.

But that leading edge is a thin one.

Far too few internal audit departments assess and provide assurance on the effectiveness of risk management.

Even fewer consider the risks of failures in governance programs and processes and include related engagements in their audit plan.

As I travel around the world, talking to internal auditors from Malaysia to Ottawa, I find a consistent pattern of growth. But, there remain pockets where the internal auditor is only there so that management can “check the box”. This seems especially true in government (from local to national), where internal audit departments are upgraded or disbanded based on politics – a concept I find abhorrent in what should be an independent and objective function.

Part of the problem is that audit committees don’t understand the potential of internal audit – and too many CAEs are not educating them. So, they don’t demand more and too many CAEs are satisfied doing what is expected without trying to change and upgrade those expectations.

Still, I expect that internal auditing practices will continue to improve. Organizations need them, as PwC says, to move to the “next platform” and provide assurance that is not just about what used to be the risks, but what they are now and will be in the near future.

Our business environment is becoming more complex, more dynamic, and changing at an accelerating speed. I expect that internal audit leaders will risk to the challenge.

Those that do will create a competitive advantage for their organizations.

Does your internal audit department need to change? Is it able to deliver world-class products and services that represent a competitive advantage for the organization? Do you help them increase the likelihood and scale of success?

Are you ready to adapt to tomorrow’s challenges?

I welcome your comments.

Dynamic, iterative, and responsive to change

One of the principles for effective risk management in the ISO 31000:2009 global risk management standard is that risk management should be “dynamic, iterative, and responsive to change”.

I really like that. It captures a number of key ingredients for the effective management of uncertainty and risk.

“Dynamic” implies that risk management operates at the speed of the business. It is far more than the occasional, even if regular, assessment of a list of so-called top risks. “Dynamic” is when the consideration and management of risk is part of the fabric of the organization, and an element in daily decision-making and operations of the organization. It is active and essential.

“Iterative” is about a reliable set of processes and systems for identifying, assessing, evaluating, and treating risk. It means that when management makes decisions, based in part on risk information, there are proven processes and the information is reliable.

Finally, “responsive to change” is essential when risk changes at speed. Every day there is a potential surprise, a new or changed situation to which the organization should at least consider responding. It could be a shift in exchange rates, a change in the government of a nation where you do business, a flood that affects the supply of a critical component, the decision in a court case that affects you directly (because you are a party) or indirectly (because it creates a new interpretation of a regulation with which you must comply), the loss of a key customer, a new product from a competitor, the loss of a key employee, or so on.

Stuff happens and it changes or creates risk.

The organization must be responsive to change, nimble and agile in modifying strategy and execution.

All of this applies not only to risk management but also to internal audit (and to finance and the rest of the organization, in truth).

Is your internal audit function “dynamic, iterative, and responsive to change“?

For that matter, do IT, Finance, Operations, and so on meet the principle behind that phrase?

Or are they slow, scattered, and stubbornly reluctant to change?

Is that a risk to which we must respond?

I welcome your comments.

Where is internal audit world-class?

A conversation I just had with Michael Corcoran left me wondering which companies have now or in the past had what one might consider “world-class” internal audit departments?

My personal view is that the CAE is the last person to say his or her internal audit department should be considered world-class.

Instead, that should only be awarded by members of the audit committee or top executives (although I am not sure I would give as much credence to the opinion of a CFO who wants IA to focus on financial and compliance risks).

I would allow members of the audit team to make the award based on what they hear from senior operational executives.

As a former CAE, I am going to hold to my word and not name any of my prior teams. If they want, they can speak for themselves.

So, please use the comments to identify the IA departments you think are world-class and why.

SEC and SOX plus COSO 2013 News

I want to share two situations/reports. The first relates to SOX, the second to COSO 2013.

 

SEC Charges SOX 302 Violation

On July 30th, the SEC published a press release “SEC Charges Company CEO and Former CFO With Hiding Internal Controls Deficiencies and Violating Sarbanes-Oxley Requirements”.

Here are the key points in the SEC’s remarks:

The Sarbanes-Oxley Act of 2002 requires a management’s report on internal controls over financial reporting to be included in a company’s annual report.  The CEO and CFO must sign certifications confirming they’ve disclosed all significant deficiencies to the outside auditors, reviewed the annual report, and attest to its accuracy.

The SEC’s Enforcement Division alleges that CEO Marc Sherman and former CFO Edward L. Cummings represented in a management’s report accompanying the fiscal year 2008 annual report for QSGI Inc. that Sherman participated in management’s assessment of the internal controls.  However, Sherman did not actually participate.  The Enforcement Division further alleges that Sherman and Cummings each certified that they had disclosed all significant deficiencies in internal controls to the outside auditors.  On the contrary, Sherman and Cummings misled the auditors – chiefly by withholding that inadequate inventory controls existed within the company’s Minnesota operations.  They also withheld from auditors and investors that Sherman was directing and Cummings participating in a series of maneuvers to accelerate the recognition of certain inventory and accounts receivables in QSGI’s books and records by up to a week at a time.  The improper accounting maneuvers, which rendered QSGI’s books and records inaccurate, were performed in order to maximize the amount of money that QSGI could borrow from its chief creditor.

According to the SEC’s orders, Sherman and Cummings signed a Form 10-K and Sherman signed a Form 10-K/A each containing the false management’s report on internal controls over financial reporting.  And each signed certifications required under Section 302 of the Sarbanes-Oxley Act in which they falsely represented that they had evaluated the report and disclosed all significant deficiencies to the auditors.

What is new is that the executives were found to have violated not only the annual Section 404 requirement that the SOX compliance program is generally focused on, but the quarterly Section 302 certification process.

I have been warning, in both my SOX book for the IIA and in my training classes that ‘one of these days’ somebody would be charged with a Section 302 certification violation. In my conversations with the SEC when I was writing my SOX book for the IIA, they indicated that Section 302 violation was a future rather than a current focus.

But here they are now.

In the Section 302 certification, the CEO and CFO personally sign, and therefore are liable, that the following statements are true:

“The registrant’s other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and ICFR (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:

• Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;
• Designed such internal control over financial reporting, or caused such ICFR to be designed under our supervision, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;
• Evaluated the effectiveness of the registrant’s disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and
• Disclosed in this report any change in the registrant’s ICFR that occurred during the registrant’s most recent fiscal quarter (the registrant’s fourth fiscal quarter in the case of an annual report) that has materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting; and

“The registrant’s other certifying officer and I have disclosed, based on our most recent evaluation of internal control over financial reporting, to the registrant’s auditors and the audit committee of the registrant’s board of directors (or persons performing the equivalent functions):

• All significant deficiencies and material weaknesses in the design or operation of ICFR which are reasonably likely to adversely affect the registrant’s ability to record, process, summarize and report financial information; and
• Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal control over financial reporting.”

In the book, I say:

“…. prudence suggests that management:

• Has a reasonably formal, documented process for making the quarterly assessment that is included in the 10-Q and supports the Section 302 certifications.
  • This can be included in the activities of the company’s disclosure committee, which most of the larger companies have established.
  • The process should include the assessment of all internal control deficiencies known to management, including those identified not only during management’s assessment process but also by either the external auditors in their Sarbanes-Oxley work or by internal audit in its various audit activities.
  • The system of ICFR must provide reasonable assurance with respect to the quarterly financial statements and the annual statements. The quarterly assessment is against a lower — typically one quarter the size — determination of what constitutes “material”.
  • The process and results should be reviewed and discussed with the CEO and CFO to support their Section 302 certifications.
• Confirms that the external auditors do not disagree with management’s quarterly assessment.
• Understands ― which requires an appropriate process to gather the necessary information ― whether there have been any major changes in the system of internal control during the quarter. A major change can include improvements and degradations in the system of internal control. While Section 302 only requires the disclosure in the 10-Q of a material weakness and the communication to the audit committee of a material or significant deficiency, the correction of a significant deficiency may be considered a major change and, if so, should be disclosed.”

Question: Have you discussed with and obtained guidance from your legal team whether a potential material weakness identified by your periodic SOX testing means that the CEO and CFO should not say, in their current quarter Section 302 certification, that the disclosure controls are effective?

 

Mapping of Controls to COSO 2013 Principles is Wrong

I am still trying to get information on what the major auditing firms are telling clients about COSO 2013.

I was able to get on a call with a Deloitte practice partner and one of the SOX/COSO leaders in the Deloitte head office.

It was refreshing to hear that they understand that the top-down and risk-based approach mandated by PCAOB Auditing Standard Number 5 remains at the heart of the firm’s approach.

The head office leader made a comment that I like very much.

She said that many registrants are trying to map all their (key) controls from 2013 to one or more of the COSO principles.

This is wrong.

There is no such requirement, nor is it useful.

What is needed is to demonstrate which controls are being relied upon to support management’s determination whether the principles are achieved.

I cover this in detail in the SOX book and in my SOX Master Class training. Basically, my approach is to determine how a failure to achieve a principle might raise the level of risk of a material error or omission above acceptable levels; we then identify the key controls that will be relied upon to address such risks. Where the risk is assessed as low, management’s self-assessment of the controls may be sufficient.

Unfortunately, I know of at least one Deloitte senior manager who doesn’t understand.

I wonder how many other external audit teams are ‘requiring’ that companies do more than is necessary.

Please share through comments or private email to me at nmarks2@yahoo.com.

 

I welcome your insights and observations.

World-Class Internal Audit

Over the years, I have had the privilege of leading world-class internal auditors – world-class people who deliver world-class internal audit services to our customers on the board and in management.

I hesitate to call the teams I have led world-class. There has always been room for improvement.

But our customers and peers have called us world-class. For example, executives and audit committee members have said:

• “Internal audit provides us with a competitive advantage”
• “You have yet to perform an audit I wouldn’t gladly pay for”
• “You help the audit committee sleep through the night”
• “You are not a typical internal auditor”

When Arthur Andersen (and then Protiviti with KnowledgeLeader) built their on-line repository of best practices, ours was the first internal audit function profiled.

Now that I am retired (even if still busy), I have found the time to collect stories from my professional life in a new book: World-Class Internal Audit: Tales from my Journey (see below for links to the book). These are stories about experiences that have shaped me as a leader as well as how I approach internal audit.

My hope is that the book will not only be an easy and entertaining read, but my successes and failures, together with my reflections, will help you as you consider your own career.

Some stories are, I hope, amusing. Some are about learning experiences (i.e., mistakes and embarrassments) from which I grew.

I have also included comments and observations from members of my teams, some of whom followed me as I moved to other companies. For example, a current chief audit executive who worked with me at two different companies had this to say:

“Norman had a unique leadership philosophy where he adapted to the demands of the situation, the abilities of the staff and the needs of the organization. He was able to move between leadership styles utilizing the one needed for the challenges that the company was facing. He was at times visionary along with a coaching emphasis while not micromanaging. Norman set high standards, was democratic but occasionally would utilize a classic authoritarian style when needed with certain employees and situations. Norman moved easily between leadership styles which resulted in developing World Class departments. As the Chief Audit Executive for a semiconductor company I still consult Norman on various audit topics and practice leadership techniques I learned under his tutelage.”

The book is available in paperback (or on Amazon) or as an e-book (Kindle).

Here’s one of the stories in Chapter 5 on the topic of “the value of writing and teaching”. The ‘David’ referred to was my boss at Coopers, David Clark.

My next adventure took me into a new and smaller world: the world of microprocessors.

People I knew were buying do-it-yourself microcomputer ‘kits’ from mail order stores, and the technical computing journals were starting to hint that these devices had the potential to move from a hobby to a business tool. In 1974, a company called Zilog was founded and in 1976 they introduced the Z80, an 8-bit microprocessor that was a significant advance from the early Intel 8080 model. The Z80 allowed more powerful devices and the military, in particular, used it extensively. The Z80 powered early business computers, such as the Osborne, Kaypro, Xerox 820, Radio Shack TRS 80, and Amstrad. I purchased a Radio Shack TRS 80 Model II a little later – but that’s another story.

I believed in the potential and wanted to share that vision with the rest of CAG. After obtaining materials directly from Zilog and accumulating a number of pieces from journals, I started to write. I was smart enough to include diagrams, but not smart enough to please David with the initial drafts of my paper.

After I had exhausted my patience and wanted to give up, and David had nearly exhausted his patience with me, he gave me two pieces of sage advice:

1. Tell him (in person) why this is important. Say it and then write what you said. As you are saying it, learn from the listener (David) how to express your thoughts in a way that will be understood – and learn what not to say because it will not be understood.
2. Avoid technical language and use ordinary English where possible. If you have to be technical, explain the terms clearly so that the non-technical person will understand.

I ended up writing a much longer piece, but it worked. While not everybody would share my opinion of the potential, everybody understood what I was talking about.

Later that year, I was asked to be one of the teachers at the off-site training session for people joining CAG. This was a wonderful learning experience for me. The task of teaching meant that I had to master the fundamentals of what I needed to teach. It was also essential that I avoided technical language when plain English could be used – and that I explain the technical in easy-to-absorb-and retain terms.

This set of experiences led me to require all of my staff to:

• Write and speak for the people who are listening, the people you are trying to influence, inform, or persuade
• Write and say what they need to hear, rather than what you want to say
• Use language they understand. If they don’t start with a decent understanding of the topic, explain any technical terms in ways they can understand
• Give examples and use diagrams; they are of great value in expressing ideas, especially to those who are visually oriented (i.e., absorb concepts from seeing better than they do by reading). I became used to getting up and using a chalkboard to diagram and explain what I was trying to communicate
• Master the fundamentals: you won’t get far explaining anything unless you have deep understanding of the topic yourself

I hope you enjoy this story and consider the book.

Advancing the Practice of Internal Audit

As I mentioned earlier, I was honored to be a member of the Re-Look Task Force that has proposed changes to the IIA’s standards framework (IPPF).

One of the changes is to introduce Core Principles for the Professional Practice of Internal Auditing.

The first nine are “motherhood and apple pie” restatements of what I hope we all know are necessary attributes of internal auditing, such as our integrity, resources, and ability to communicate. They are important to restate because although they may be obviously necessary, they are not all always present in practice.

For example, I continue to meet CAEs who don’t have sufficient resources to address more than a handful of critical risks. The last has been charged with all the SOX work without being given the resources necessary to provide both his core internal audit assurance work and the consulting services necessary to manage the SOX program.

The three that I think will help advance the professional practice of internal auditing are the last three on the list (which should be the first three).

10. Provides reliable assurance to those charged with governance.

11. Is insightful, proactive, and future-focused.

12. Promotes positive change.

What is “assurance”? Our stakeholders need to know if the processes for governance, management of risk, and the related controls can be relied upon to manage critical risks at acceptable levels: whether they will enable the organization to take the right risks with confidence and achieve or surpass objectives.

They need our professional opinion.

I hope this principle will advance the practice of providing such an opinion, a formal one, to the board and top management.

A list of deficiencies is not assurance.

#11 is very interesting. Surveys continue to tell us that our stakeholders on the board and in executive management want more from us. In addition to focusing on the right risks (a deficiency in our practice according to recent PwC and KPMG surveys), they value our insight – what we can tell them about management processes and practices beyond what we might put in the audit report.

Our traditional role is to report on what has happened (and gone wrong) in the past – hindsight. We should instead help our organizations, their executive team and board, manage into the future.

This means moving from hindsight to foresight with insight into current and foreseeable conditions.

We should be proactive in looking at changes in business systems and processes, organizational structures and staffing, and more – providing consulting services to help ensure our future is one with adequate management of risk, including security and controls.

The great Canadian ice hockey player, Wayne Gretzky, was asked “what is the secret of your success?” His answer:

“I skate to where the puck is going to be”

We need to audit where the risk is going to be.

The last talks about the need to do more than make a recommendation and let management respond. We need to promote positive change. I ask that you read and comment on my article in the August issue of the Internal Auditor magazine on “The Internal Audit Evangelist”.

In another article in the same issue, the author talks about his department achieving an acceptance rate of 84% on its recommendations. Management accepted and implemented 84% of internal audit ratings.

My comment?

That is a 16% failure rate!

Where is the value when management only occasionally listens to us?

How will management see us if we frequently are unable to see business risks and needs in the same light as they see them?

There is zero value in recommendations.

There is only value in positive change.

We should work with management to ensure we agree on the facts, agree on the risk to objectives (specifying which are at risk), agree on whether that risk should be accepted or treated, and then agree and help them determine the best path forward.

If the great majority of internal audit departments are able to say that:

1. We provide our stakeholders with the assurance they need to manage and direct the organization with confidence
2. We provide insight into current conditions and our work is focused on the risks that will face the organization as it moves forward, and
3. We work with management to effect positive change

the professional practice of internal audit will be one worthy of pride.

I welcome your thoughts and comments.

Updating the IIA Standards

The IIA is asking for its members’ opinion on a set of proposed changes to the framework for its Standards (the IPPF). The detailed Standards are not changing, but the proposed changes are significant and merit every audit professional’s attention.

The proposal was crafted by a select group of practitioners called the “Re-Look Task Force”, and I was privileged to be a member.

The proposal explains the recommended changes and asks a number of questions to elicit members’ opinions and suggestions for improvement.

I encourage all IIA members across the world to read the proposal carefully and provide your input.

You should receive a copy of the proposal from your institute. You can also download it from either the IIA Global or IIA North America web site. In addition, Hal Garyn, a Vice President with The IIA, has recorded a video (http://auditchannel.tv/video/1321/The-IPPF-Is-Evolving-How-You-Can-Help).

I want to share my perspective on the changes, hoping that might be useful to you.

The proposal represents the consensus view. While there were, in a few cases, disagreements among the task force members, those disagreements were minor. The questions we included are designed to address those issues.

The task force discussed whether it was time to make a change to the Definition of Internal Auditing. Quite a few changes were suggested, but in my view they were only tinkering with the words and not changing the underlying message: that ours is an assurance activity (in my opinion this is our primary mission) that also helps our organizations succeed through consulting/advisory services that contribute to the improvement of governance, risk management, and related control processes.

We talked about changing “consulting” to “advisory”. We talked about ways to make the wording more succinct.

But in the end, it was tinkering and we recognized a change could lead to issues where the Definition has been incorporated into other standards, corporate governance codes, and so on.

I think the right decision was made, to leave the Definition unchanged.

We also talked about the Standards being “principle-based” rather than “rule-based”. If so, what are the principles?

Again, we spent a lot of time defining and then wordsmithing the principles.

I think the list included in the proposal is a good one. I will write separately about some of the principles and why I like them.

One of the questions is whether the principles are shown in the best order. This is one area where I was in the minority. While I see the logic of the proposed order, I would put the last three first as they represent what we are all about. The other nine are how we get there. You can share your opinion by answering a question on the order of the principles.

Although presented before the principles, the discussion of a mission came after.  I like it! It is short and sweet and captures the essence of the purpose and value of internal auditing.

I like the other suggestions for supplemental guidance, guidance on emerging issues, and local guidance. The last should be useful where local practices are in a different environment than in other countries. For example, I work with IIA chapters and institutes around the world and know that in some nations there are many family-owned corporations; in others there are a lot of government-owned for-profit companies. There will now be a place for local IIA organizations to craft guidance that addresses local issues in ways global guidance cannot.

If you haven’t already seen the proposal, please watch for it and if necessary check the IIA web site.

Feel free to share your thought here for discussion.

More Poor Guidance on COSO 2013

I continue to be concerned that accounting firms are providing poor guidance to their clients and other organizations.

Let’s look at new guidance from PwC’s Canadian firm, “What does it mean to me? Frequently asked questions about the COSO Updated Framework”.

PwC asks and provides their answers to a few questions, including:

Q: What might happen if my company does not update to the 2013 Framework?

A: There are indications that the SEC will take a close look at any company that doesn’t make this transition. We’re encouraging our clients to transition before December 15, 2014.

Norman: PwC fails to point out that this only applies to the SOX assessment of internal control over financial reporting for organizations subject to that compliance requirement. There is no requirement to adopt COSO 2013 for any other business objective.

Q: Are there new/updated requirements for effectiveness?

A: While the fundamental requirements haven’t changed, there’s greater clarity around what management should assess in determining effectiveness. The requirements are that:

• Each of the five components and relevant principles are present and functioning
• The five components are working together in an integrated manner

Norman: I find it unforgiveable that PwC omits the first and most significant requirement: internal control is effective when it provides reasonable assurance that risk to objectives is at acceptable levels. Unforgiveable because this is the primary and overriding way to assess internal control; it comes ahead of the requirements relating to components and relevant principles in the COSO section on Effectiveness; and PwC really should get this right as they wrote the COSO 2013 update! (By the way, I give PwC kudos for pointing out that the “fundamental requirements have not changed”.)

Q: Isn’t this just a mapping exercise? Can’t you just use the template?

A: The mapping of controls based on the 1992 Original Framework to the updated 2013 Updated Framework is a key part of the transition. Many companies seem to think it’s just a mapping exercise and that there’s little they need to do to apply the update. We’ve heard of other organizations who think that because they had a clean certification last year, there won’t be any challenges this year. However, once they start this mapping, many companies are finding that updates are needed to their system of internal control. The mapping templates help draw this out, and management should expect some level of added effort to the update.

Norman: There is no requirement to map your controls from last year to the Principles. This is a creation of consultants.

The requirement is to demonstrate that the Principles are present and functioning, which will serve to demonstrate that the components are present and functioning and working together in an integrated manner.

I give credit to Deloitte for including this distinction in their firm’s internal training (according to the lady who runs it for them). Companies don’t need to take all their existing controls and map them to the new Principles. Instead, they need to identify the controls that satisfy the Principles.

I again give credit to Deloitte for training their people that there is no need to identify controls for every Point of Focus. The latter are provided to assist in addressing the Principles.

The other major problem, and this applies to every guidance I have seen on COSO 2013, is the failure to note that the requirement to assess internal control over financial reporting using a top-down and risk-based approach has not changed. This is mandated in Auditing Standard Number 5 (which has not been changed), included in the SEC’s Interpretive Guidance (which has not been changed), and strongly reinforced in the PCAOB’s Staff Alert 11 of October, 2013 (published after the release of COSO 2013).

The assessment of the Principles should be based on whether any gap represents what COSO calls a major deficiency: one which represents a significant risk to the achievement of the objective of reliable financial reporting to the SEC. Absent such a major deficiency, which basically translates to a material weakness, the Principles can be assessed as present and functioning. I haev confirmed this with COSO and several audit firm partners.

Finally, the mapping templates can be and generally are misused. When consideration of risk is not included, these templates are just checklists. This is why many organizations are warning against the checklist approach to COSO 2013 adopted by firms and registrants alike.

I like how the PCAOB Board Member Jeanette Franzel advised organizations to avoid the checklist approach and use the 2013 Update as an opportunity to revisit the system of internal control’s design, effectiveness, and efficiency.

I have talked to a number of PwC partners about the COSO 2013 update and its effect on SOX. They “get it” so this failure to talk about providing reasonable assurance that risk to objectives is at acceptable levels is not pervasive across PwC. I hope it is limited to this guidance.

These partners know that the assessment of effective internal control over financial reporting is still based on whether there are no material weaknesses. Translating this into COSO language: the objective is to file financial statements that are free of defect; the acceptable level of risk is that they do not contain any material errors or omissions; if there are no material weaknesses, then it should be possible to show that the principles are free of major deficiency and thus present and functioning.

I welcome your comments.

By the way, this is addressed in more detail in the guidance to management on SOX published by the IIA (written by me).

Understanding Governance Risks

How many boards, let alone risk officers, think about the risks to their organization if the governance by the board and top management is ineffective?

Certainly, people talk about the potential for the wrong tone at the top. Frankly, I doubt that members of the board will be able to detect those situations where top executives talk a good game but walk to a different tune; where they put the interests of their pockets ahead of the reputation and long-term success of the organization; where they are prepared to take risks with the organization’s resources without risk to their own..

But governance risks extend well beyond that

Failures to have the time to question and obtain insight in how the organization actually works can leave the enterprise without effective risk management, information security, internal auditing, and more.

Failures to provide the board the information it needs when it needs leaves the directors blind, although they may think they can see.

The governance committee of the board should, in my opinion, consider risks related to governance processes every year. It should engage both the risk and internal audit teams to ensure a quality assessment is performed. Legal counsel should also be actively engaged as issues might have consequences if they are not handled well; for example, any assessment that the board has gaps in director knowledge, experience, or ability to challenge the executive team cannot be communicated outside the firm.

Do you agree? I welcome your comments.

Guidance for Directors on Disruptive Change

Every organization needs to be able to not only anticipate and address the inevitability of change that might disrupt its business, but be prepared to take advantage of the opportunities that will present themselves.

We talk about risk as if every uncertainty has a downside.

We talk about opportunity as if it is something that we choose to seize or not, and do little to ensure we identify and take full advantage. How do we expect to optimize our performance when we are cavalier about moving quickly to take advantage of opportunities that may rise and disappear quickly?

We talk about resilience as if we should stand tall, like a wall, in the face of disruptive change. Perhaps we should move, either out of the way or to align ourselves to benefit from the movement (think Aikidao).

In fact, all of these come into play. Situations and events can have multiple possible effects, some good and some bad, and are not limited to one outcome at a time. As a simple example, the loss of one employee is the opportunity to hire somebody with different skills, reorganize the function, and so on.

What distinguishes our times from years past is the pace of change.

Deloitte recently published Directors’ Alert 2014: Greater oversight, deeper insight: Boardroom strategies in an era of disruptive change. Here are some excerpts:

“Sometimes, changes occur that are more dramatic. In the past, disruptive changes usually happened only periodically and resulted in a sustained plateau – the automated assembly line, for example, which revolutionized industry in the early twentieth century, continues to be a central feature of modern manufacturing. Today, however, disruptive change has become a perpetual occurrence in which one change instantly sparks a chain of others. What’s more, these changes are being generated by a variety of factors – digital disruption created by continuing technological advances, regulatory reforms, economic turmoil, globalization, and shifting social norms and perceptions.”

“In this environment, everything and anything may change at any time as category boundaries are blurred, supply chains are disrupted, and long-standing business models become obsolete. With change, however, comes opportunity. Technological advances enable organizations to generate new revenues by targeting new customers, new sectors, and access new geographies while more fully automating back office activities and divesting of declining assets to reduce costs. The challenge for organizations is to recognize when disruptive change is occurring and to act quickly and decisively when it does.”

“In this environment of ongoing, tumultuous change, organizations and their management and boards of directors must respond quickly and adeptly if they are to effectively address all the disruptive changes that surround and affect them. For boards of directors, this often requires greater oversight – expanding their scope to include activities and areas that were not traditionally part of their mandate. At the same time, boards must ensure that management provides them with deeper insights into the organization’s activities so directors can clearly understand all of the potential opportunities and risks.”

Deloitte takes each area of major change (such as strategy, technology, taxation, regulatory compliance and so on) and includes questions for directors to use in discussions with management.

I am working with ISACA on guidance for directors and executives on how disruptive technology might affect corporate strategy. I came up with a few questions of my own that directors and top executives might use:

1. How does the organization identify the new or maturing technologies that might be of value and merit consideration in setting or adjusting strategies, objectives, and plans?
2. Who is responsible for the assessment process?
3. Who determines whether existing strategies, objectives, or plans should be adjusted?
4. Does the assessment consider the potential for value to be created in multiple areas of the organization, or does each functional area act on its own?
5. Does the assessment consider, with inclusion in the process of related experts, potential compliance and other risks?
6. Does the assessment consider the potential actions of competitors, suppliers, customers, and regulators?
7. Does the board discuss the potential represented by new or maturing technology on a regular basis and as part of its discussions of enterprise strategy?

Do you think these are the right questions? How would your organization fare?

I welcome your comments.