The state of the internal audit profession

April 6, 2017 18 comments

My friend Richard Chambers has written a couple of posts that merit our careful attention.

Frankly, all of his posts merit our attention, but these are important.

I ask that you review:

I have not spoken to Richard about either of his posts nor about his motivation for writing them. (See Note at conclusion.)

However, I suspect that they were sparked by articles such as this, Internal Audit Losing Prestige, Survey Finds. To quote that piece:

In the eyes of CFOs and many other senior executives and board members, the internal audit function is fast losing prestige, a new study suggests.

The reason? Most internal auditors are slow to help their employers prepare for and respond to major corporate “disruptions” like big regulatory changes and cyber attacks, according to PwC’s 2017 State of the Internal Audit Profession Study.

The portion of “stakeholders” — internal auditors, senior executives, and board members — reporting that “internal audit adds significant value” plummeted from 54% in 2016 to 44% in 2017, reaching the study’s lowest level in the five years PwC has been tracking the metric.

Tim Leech of Risk Oversight was more gloomy about the current state of internal audit when he wrote a piece with the highly provocative title of Is Internal Audit the next Blackberry.

Full disclosure requires that I tell you that I have known both Richard and Tim for a very long time.

  • Richard and I come from different backgrounds but tend to see things in similar ways (while he served as CAE in the US public sector, I served as CAE for global public companies; he worked with PwC in the consulting and audit services area before becoming CEO and President of the IIA, while I started my career with PwC in public accounting). His position requires him to be diplomatic while I tend to be more provocative. I served many years on IIA committees and task forces and Richard and I have collaborated on a number of AuditChannel broadcasts.
  • Tim and I also have different backgrounds. While he also started with PwC (in Canada) before moving into internal audit, he has been a consultant for the last 30 years. Tim and I often disagree but have a mutual respect. Recently he has shared drafts of his work with me for comment before they are published.

Richard is far more provocative than usual in his March 27 post when he says:

It is a truism that negative news tends to generate more attention, and of late there has been too much of it directed at internal audit. I wouldn’t go so far as to characterize it all as “fake news,” but much of it is “hyped news” at best. Whether it’s a media headline trumpeting a purported decline in stakeholder confidence in internal audit or pundits characterizing the profession in such stark terms as the next Blackberry, a few sensational “sound bites” can easily become fodder for those who are quick to relegate the profession to irrelevancy.

Naturally, Tim sees this as labeling his writing as “fake news”.

Richard is 100% correct when he states:

No one has been more open and transparent about challenges and opportunities facing our profession than I have been. Along with other leaders of The IIA, we have continuously challenged internal auditors to acknowledge and address any shortcomings that surface. Internal audit should never shy away from fair critique of its work. However, superficial interpretation of data about the profession can quickly morph from valid encouragement for continuous improvement to destructive criticism.

Equating survey results indicating that less than half the respondents believe “internal audit adds significant value” with a loss of prestige is fallacious. The fact that internal audit functions are able to add staff may indicate that they are being given more resources so they can do more and add greater value.

I don’t believe internal audit is “losing prestige”. My belief is that internal audit can and should do more to deliver the value that our stakeholders need.

Unfortunately, internal audit at many if not most organizations does not have a lot of prestige and the argument should be about increasing rather than losing it.

Let’s look at some more information.

My friend Joe McCafferty of MISTI recently wrote about comments by a panel that included other friends, Larry Harrington and Angela Wizany, along with Brian Christensen of Protiviti. Joe’s piece is titled Stakeholders are sending a clear message to internal audit to step up its game.

I strongly recommend reading the piece and noting the eight action items.

One quote by Brian caught my eye:

Stakeholders are challenging us to get out of our swim lanes. We as auditors are so accustomed to doing our behaviors. We have our audit plans, we have our pencils. But [stakeholders] talked to us about the fact that things change. Be adaptable, be flexible, and be receptive to embracing new challenges and taking them on.

I have worked with IIA Malaysia in the past, including talking on their behalf to the Malaysia Securities Commission and presenting to board members. The profession appears to be strong there, but a recent survey indicates that more is needed.

An article in the local business newspaper reported that:

Public listed companies (PLCs) in the country still have much room to strengthen their internal audit functions, according to a year-long survey commissioned by the Institute of Internal Audit Malaysia (IIAM).

In a statement, IIAM said 54% of the PLCs on the Main Market preferred to outsource their internal audit function and almost all (90%) of these PLCs that outsourced paid RM100,000 or less in a year.

“The amounts incurred indicate that very junior staff or very few staff were in the audit team and a limited scope was covered. The low amounts are also a sign that the staff are not professional staff and may not have the experience and skillset to effectively carry out the work, thus less is spent,” the institute said.

“PLCs should consider the professional qualifications, certification and experience of their OSPs (outsourced service providers) in relation to the scope of the work required to ensure adequate coverage of risk areas and reliable reports are issued.”

Tim has every right to challenge the current state of internal auditing and I know Richard respects that.

I don’t agree with Tim’s reference to a “direct report internal audit paradigm”. While he has explained what he means to me in private conversation, I strongly doubt that many know what he is referring to. However, I do agree that internal audit should provide assurance on the effectiveness of risk management and its ability to help the organization make intelligent decisions and achieve objectives.

There is some merit to Tim’s thinking, but I always struggle with the way he says it. (Sorry, Tim).

Nevertheless, we need people like Tim to challenge us.

Now is the time to step back and think about why the surveys are saying what they are saying, and then talk about what needs to be done about it.

Richard and I have both shared our views with new books.

I would like to think that between us we have charted a way forward.

Internal auditors need to be “proactive” and “forward-looking” according to our Principles for Effective Internal Auditing.

Let’s adopt that mindset for our own practices and profession.

Forward ho! The future is bright. Internal auditing in 2020 and beyond may well be quite different than it has been in the past.

I welcome your comments.

 

 

NOTE: I shared a draft of this post with both Richard and Tim. Neither has a concern, although Tim and I remain at odds over his terminology and perhaps more.

The Current State of Risk Oversight: Useful or Useless?

April 2, 2017 6 comments

For quite a few years, the people at the Enterprise Risk Management Initiative have researched and provided reports on The State of Risk Oversight:  An Overview of Enterprise Risk Management Practices.

In February, they published the 8th edition of their report.

I have covered their reports in the past, highlighting:

  • According to the authors, very few organizations have what they consider to be “mature” or “robust” risk management processes.
  • They don’t provide detail on what they consider constitute “mature” or “robust” risk management processes. My educated guess is that they leave it to the respondents to form their own definition.
  • It seems that their idea of risk management is maintaining an “inventory” of risks (i.e., a risk register), updating it every so often, and reviewing it at board and executive management meetings.

There is some useful information in the report.

But does it add value to continue to focus on practices that don’t work?

All the surveys, including this one, report that executives do not believe risk management practices at their organization are making a significant contribution to the development and execution of their strategies.

Here, they found that “Only about one-quarter of the respondents describe their ERM processes as an important strategic tool with no real differences in that assessment across types of organizations.”

When your risk management processes are designed to identify risks rather than to assess the likelihood of achievement of objectives and then do something to increase the likelihood and extent of success, are they doing what is really needed?

When you think that risk management needs to be “integrated” with strategic planning instead of acknowledging that strategic planning already includes the consideration of what might happen and what we should do about it, I think you are wrong.

Effective strategic planning is not a separate activity from strategic risk management!

So, is this report useful or useless?

Is the traditional practice of risk management, where a risk register is maintained and discussed, useful or useless?

Is it just a compliance exercise (the view of most executives) that ‘ticks the box’?

Rather than track and monitor the maturity of practices that don’t work, let’s figure out what will work.

We need practices that will:

  • Inform and enable more intelligent decisions
  • Increase the likelihood and extent of success

Right or wrong?

I welcome your thoughts.

 

 

The risk of material errors in the quarterly financial statements

March 10, 2017 1 comment

Audit Analytics has released some interesting statistics on financial restatements and SOX.

According to them, in 2015 about 5.3% of companies assessed their internal control over financial reporting (ICFR) as ineffective. This is down from 5.8% in 2014 but otherwise the highest level since 2008.

This is the key section of their report:

One criticism of SOX 404 is that many material weaknesses are not disclosed until after a company has restated its financial statements. The PCAOB found that 80.4% of companies with a restatement in 2014 did not have ineffective ICFR prior to the disclosure of the restatement. This raises doubts about whether SOX 404 has much of an effect.

The last statement is faulty logic.

SOX 404 is about the assessment at the end of the year.

The point here is that organizations had ineffective ICFR earlier in the year, presumably in earlier quarters.

Logically, this means that the certification per SOX 302 by the CFO and CEO that is included in the quarterly financial statements was wrong.

Let’s look at that certification. This is taken from the SEC’s Final Rule, Certification of Disclosure in Companies’ Quarterly and Annual Reports. I have highlighted the most relevant portion.

1. I have reviewed this quarterly report on Form 10-Q of [identify registrant];

2. Based on my knowledge, this quarterly report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this quarterly report;

3. Based on my knowledge, the financial statements, and other financial information included in this quarterly report, fairly present in all material respects the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this quarterly report;

4. The registrant’s other certifying officers and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-14 and 15d-14) for the registrant and we have:

a) designed such disclosure controls and procedures to ensure that material information relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this quarterly report is being prepared;

b) evaluated the effectiveness of the registrant’s disclosure controls and procedures as of a date within 90 days prior to the filing date of this quarterly report (the “Evaluation Date”); and

c) presented in this quarterly report our conclusions about the effectiveness of the disclosure controls and procedures based on our evaluation as of the Evaluation Date;

5. The registrant’s other certifying officers and I have disclosed, based on our most recent evaluation, to the registrant’s auditors and the audit committee of registrant’s board of directors (or persons performing the equivalent function):

a) all significant deficiencies in the design or operation of internal controls which could adversely affect the registrant’s ability to record, process, summarize and report financial data and have identified for the registrant’s auditors any material weaknesses in internal controls; and

b) any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant’s internal controls; and

6. The registrant’s other certifying officers and I have indicated in this quarterly report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of our most recent evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.

Date: ……………

_______________________
[Signature]
[Title]

Disclosure controls include internal control over financial reporting. This is how they are defined by the SEC:

“…controls and other procedures of an issuer that are designed to ensure that information required to be disclosed by the issuer in the reports filed or submitted by it under the Exchange Act is recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms. “Disclosure controls and procedures” include, without limitation, controls and procedures designed to ensure that information required to be disclosed by an issuer in its Exchange Act reports is accumulated and communicated to the issuer’s management, including its principal executive and financial officers, as appropriate to allow timely decisions regarding required disclosure.”

If ICFR is not effective, then disclosure controls are not effective.

The CEO and CFO need to have a reasonable basis for their assessments of disclosure controls and ICFR.

If they know, or should know, that there were potential material weaknesses at the end of any quarter, they should not have signed the 302 certification as if there were none and ICFR and disclosure controls were effective.

This is what I recommend in Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization:

…prudence suggests that management:

  • Has a reasonably formal, documented process for making the quarterly assessment that is included in the 10-Q and supports the Section 302 certifications.

    • I suggest that this can be included in the activities of the company’s disclosure committee, which most of the larger companies have established.
    • The process should include the assessment of all internal control deficiencies known to management, including those identified not only during management’s assessment process but also by either the external auditors in their Sarbanes-Oxley work or by internal audit in its various audit activities.
    • As discussed below, the system of ICFR must provide reasonable assurance with respect to the quarterly financial statements and the annual statements. The quarterly assessment is against a lower—typically one quarter the size—determination of what constitutes material.
    • The process and results should be reviewed and discussed with the CEO and CFO to support their Section 302 certifications.
  • Confirms that the external auditors do not disagree with management’s quarterly assessment.

  • Understands―which requires an appropriate process to gather the necessary information―whether there have been any major changes in the system of internal control during the quarter. A major change can include improvements and degradations in the system of internal control. While Section 302 only requires the disclosure in the 10-Q of a material weakness and the communication to the audit committee of a material or significant deficiency, the correction of a significant deficiency may be considered a major change and should be disclosed (see item #6 in the certification, above).

I welcome your comments.

Is your compliance program strong enough?

March 4, 2017 1 comment

My thanks to Maurice Gilbert, who shared news about guidance from the US Department of Justice (DOJ). It describes how investigators will assess an organization’s compliance program as part of an investigation into that company.

The DOJ Guidance, Evaluation of Corporate Compliance Programs, should be read and considered by all governance, compliance, risk, and audit practitioners.

Every organization should address every one of the Topics and underlying questions in the document.

Aspects I like include:

  • A focus on not just the tone but the conduct at the top
  • The stature, autonomy, empowerment, and funding of the compliance function
  • An assessment of the risk management activity, although the questions are a bit shallow
  • The independence and performance of investigations by the organization
  • Whether managers as well as employees are held accountable, and who participated in disciplinary decisions and actions
  • The role of internal audit
  • The consideration of how the actions of third parties, for example in outsourced operations or by agents, could affect compliance
  • Whether there is sufficient due diligence around compliance during M&A

While it would be easy to leave the assessment of compliance activities to internal audit, and I believe this is an area they should actively consider, senior management should take ownership of the need for an effective compliance program.

How does your organization stack up?

Would it pass an evaluation using this guidance?

Shouldn’t the board insist on a periodic assessment by executive management?

I welcome your comments.

Embedding risk into strategic planning and more

February 25, 2017 16 comments

It is easy to say that risk management should be embedded into business processes such as strategic planning. But is it that easy to accomplish in practice?

I think it’s fair to say that in most organizations they are quite separate.

I would also say that many times risk management focuses on harms and strategy on opportunities, almost as if one was a pessimist fearing the worst and the other a cock-eyed optimist hoping for the best.

My good friend, Dan Swanson, shared a link to a series of questions about strategic planning from the consultancy firm of Bain & Company.

Is your strategic planning world class has twelve questions, each of which is relevant and useful.

Please go through the twelve and come back here for further discussion.

==========================================================================

So, did you see any mention of risk or risk management?

Did you see any indication that risk is embedded in any way into strategic planning?

Let’s consider another source, another major consultancy firm, McKinsey. In 2007, they published How to improve strategic planning.

Have a quick look.

==========================================================================

Correct. No mention of risk management.

One final source, the Boston Consulting Group.  Four best practices for Strategic Planning.

I will pause while you check it out.

==========================================================================

So, none of these major management consulting companies mention risk management.

Is that because they don’t understand its value and how it should should be integrated or embedded into strategic planning?

Possibly so.

So how does a risk officer get involved? How can he or she ensure that risk is considered?

Well, to me it starts with the same point I have been making for a long time now.

STOP TALKING ABOUT RISK

Risk is a word that blocks thinking. While risk officers understand that it is about helping people make better decisions and achieve their objectives (exemplified by the organization’s stated strategies), executives see it as a compliance activity that is focused on avoiding harm.

There’s a huge difference between avoiding harm and achieving objectives.

If you want to eliminate cyber risk, destroy all your computers.

In real life, we have to take risks – and the key is to take the right level of the right risks.

A risk practitioner can bring the discipline, process, and tools that are associated with risk management to strengthening the strategic planning process.

If I were CRO, I would work with the CEO/COO and head of strategy to answer these questions:

  • What assumptions have been made in defining the (internal and external) business environment and how it will change over the next period? What is the level of confidence in them?
  • What has and will be done to confirm, monitor, and (to the extent possible) realize the assumptions? Can the likelihood of realizing the assumptions be improved?
  • How confident are you in the quality of the information being used to understand the business environment and its future? Can that be improved?
  • How were the potential consequences of each strategic option assessed? Were the likelihoods of each level of achievement estimated with confidence? Is the likelihood of the desired set of consequences at an acceptable level?
  • Were potential adverse situations or events considered? How were they assessed?
  • How were potential adverse and positive effects and outcomes assessed in aggregate?
  • What is the level of confidence that the strategies will be achieved to the level of the goals and targets that have been set?
  • Is that level of confidence acceptable? What can and will be done to improve it?
  • Will performance against targets be measured in a way that incorporates changes in the potential for both positive and adverse effects in the future?
  • Can strategies and targets be modified as conditions now and expected in the future change?

I am sure there are more questions that can be asked. What should be added?

I welcome your thoughts.

 

 

Cyber and reputation risk are dominoes

February 18, 2017 12 comments

Anthony Fitzsimmons recently sent me a review copy of his new book, Rethinking Reputation Risk. He says that it “Provides a new perspective on the true nature of reputational risk and damage to organizations and traces its root causes in individual and collective human behavior”.

I am not sure that there is much that is new in the book, but if you want to understand how human behavior can be the root cause (in fact, it is very often the root cause) of problems for any organization, you may find it of interest.

The authors (Fitsimmons and Professor Derek Atkins) describe several case studies where human failures led to serious issues.

Humans as a root cause is also a topic I cover in World-Class Risk Management.

As I was reading the book, I realized that I have a problem with organizations placing separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.

The same thing applies to cyber risk and even compliance risk.

They are all dominoes.

dominoes

A case study:

  • There is a possibility that the manager in HR that recruits IT specialists leaves.
  • The position is open for three months before an individual is hired.
  • An open position for an IT specialist who is responsible for patching a number of systems is not filled for three months.
  • A system vulnerability remains open because there is nobody to apply a vendor’s patch.
  • A hacker obtains entry. CYBER RISK
  • The hacker steals personal information on thousands of customers.
  • The information is posted on the Internet.
  • Customers are alarmed. REPUTATION RISK
  • Sales drop.
  • The company fails to meet analyst expectations for earnings.
  • The price for the company’s shares drop 20%.
  • The CEO decides to slash budgets and headcounts by 10% across the board.
  • Individuals in Quality are laid off.
  • Materials are not thoroughly inspected.
  • Defective materials are used in production.
  • Scrap rates rise, but not all defective products are detected and some are shipped to customers.
  • Customers complain, return products and demand compensation. REPUTATION RISK
  • Sales drop, earnings targets are missed again, and …….
  • At the same time as the Quality staff is downsized, the capital expenditure budget is cut.
  • The Information Security Officer’s request for analytics to detect hackers who breach the company’s defenses is turned down.
  • Multiple breaches are not detected. CYBER RISK
  • Hackers steal the company’s trade secrets.
  • Competitors acquire the trade secrets and are able to erode any edge the company may have.
  • The company’s REPUTATION for a technology edge disappears. REPUTATION RISK
  • Sales drop. Earnings targets are not achieved, and……..

It is true that every domino and the source of risk to its stability (what might happen) needs to be addressed.

But, focusing on one or two dominoes in the chain is unlikely to prevent serious issues.

One decision at a low level in the company can have a domino effect.

Consider this slide deck by ERM Strategies, Inc. about the Deep Water Horizon disaster.

I welcome your comments.

The current state of risk management

February 11, 2017 35 comments

The Ponemon Institute, which I have previously referred to in my posts as the publisher of reports on cyber, recently shared the results of their survey on risk management.

The Imperative to Raise Enterprise Risk Intelligence: Inside the Promise & Pitfalls of Enterprise Risk Management has some interesting content.

The results are disturbing, but unfortunately what I had anticipated.

It is important to note that the 641 who answered the survey were involved in risk management within their organization. So the results are skewed towards having some level of formalized risk management. In other words, they are better than the general population. It is also important to recognize that most of the respondents are IT folk and some of the questions reflect the author’s IT orientation as opposed to a general business one.

The report, as so many, has to define risk management in its own way. But, frankly, it’s not bad. They break it down into risk management and risk intelligence.

In the context of this research we define enterprise risk management as the application of rigorous and systematic analysis techniques to the evaluation of risks that impact the whole organization including information assets and IT infrastructure. Cyber risk management is considered a component of enterprise risk management.

We define enterprise risk intelligence as the insight necessary to drive actionable business decisions related to governance, risk and compliance. It is the organization’s ability to think holistically about risk and uncertainty, speak a common risk language, and effectively use realtime information and forward-looking risk concepts and tools to maximize business performance.

Ponemon tells us that only 24% of respondents said they have a risk management strategy that is clearly defined and pertains to the entire enterprise. They don’t define what they mean by a risk management strategy, so I can’t comment further.

But this is key.

“…only 43 percent of respondents say enterprise risk intelligence integrates well with the way our business leaders make decisions.”

I have to wonder whether the business leaders would agree with that assessment by the risk practitioners!

This adds fuel to that fire.

“A lack of collaboration among organizational functions is a barrier to an effective enterprise risk management program. 53 percent of respondents say their finance, operations, compliance, legal and IT functions do not collaborate on enterprise risk management activities. Only 8 percent of respondents say these functions fully collaborate in enterprise risk management activities.”

A lack of resources and an inadequate budget are identified as barriers.

But here is the key question.

If the leaders of the organization are not persuaded that risk management is adding value by enabling success, and believe that there are better ways to invest scarce resources, why should we surprised that the risk management activity is under-funded?

This is demonstrable when “30 percent of respondents say no one person has overall responsibility to ensure the risk management program is well executed”.

The Appendix contains some valuable pieces of information. Here are two:

  • Only 32% say their organization has a very significant commitment to enterprise risk management.
  • On a scale or 1 (low) to 10 (high), just 14% of the respondents rated the effectiveness of their risk management activity as a 9 or 10.

So what do we make of this?

Let’s start with some unpleasant facts!

  1. Our business leaders are not idiots. If they have not invested in risk management, there’s a reason! They are not convinced it will help them succeed. They see it as a compliance activity that costs time and money, checks the box for the board and regulators, but doesn’t help them be successful.
  2. If they saw risk management as helping them make better decisions, you can bet they would invest in it!
  3. They can be persuaded, not by words but by action.
  4. Risk practitioners too often are focused on managing risks instead of achieving business objectives. There’s a huge difference.
  5. Risk practitioners don’t connect with business executives because they talk technobabble instead of the language of the business. A discussion of risk appetite or a risk appetite framework is not something that any executive focused on results will want to attend.
  6. The traditional approach to risk management, a list of top risks, is not going to work. It hasn’t worked for decades so why should it now?
  7. Satisfying the board but not top management is not a recipe for long-term success.
  8. The risk practitioner has to think out of the box. Understand what the company’s leaders need to be successful and make intelligent and informed decisions, then deliver it.

I welcome your comments.