Posts Tagged ‘GRC’

Cybersecurity: A Shared Responsibility

November 26, 2021

That is the title of an article ISACA published this month.

It is a high-level, non-technical piece that makes a lot of sense. I like it and you may as well.

To put it in context, I was reading earlier in the week (sorry, I can’t find the article to share) that investments in cyber were flat and not being given a priority by management.

Clearly, there is a growing disconnect between the levels of risk seen by practitioners responsible for cyber and their more senior management.

This article won’t solve that, but it does have some sensible things to say.

Everything starts from the top: C-suite executives and the board. They are responsible for every business decision, so why do they often try to wash their hands of anything cyber?

In my experience, the answer is fear and uncertainty. Executives, either due to lack of technical understanding or complexities in technological solutions, feel overwhelmed or maybe incapable of addressing cybersecurity issues. However, without management’s buy-in, cybersecurity experts have a tough road ahead of them to protect the organization from threats.

As CISOs and other security leaders, our first task is to simplify the cybersecurity language into something most people understand, including the C-suite and the board.

In Making Business Sense of Technology Risk, where cyber is the primary focus, I emphasize the need to talk about the possible harms from a breach in terms that make sense to management: how a breach could affect the achievement of their objectives. I don’t think translating the effects of a breach into either dollars or (and this is meaningless to business leaders) the “effect on information assets” is convincing or effective in communicating the level of risk.

Rather than executive “fear and uncertainty”, I believe the CISOs have not made the business case for additional investment, especially when scarce resources are needed elsewhere.

They need to have a better appreciation of how a breach may, or may not, affect the likelihood of achieving their objectives.

This requires a business impact analysis to understand the business risk, not reliance on consultants, surveys, or news headlines.

As the article says:

When a cybersecurity program is based on risk, everyone from top management to operational teams can relate it to their daily job duties and incorporate the requirements within their processes.

Utilizing a risk-based approach allows the organization to focus on what is critical and most important (not everything!). This allows the top management to prioritize programs and activities appropriately.

All frameworks inherently rely on risk identification, analysis, and mitigation for building a cybersecurity program, whether ISO, NIST or others. Even regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) emphasize a risk-based approach for privacy and security by design.

I am a strong believer that organizations should invest in cyber commensurate with the risk to their success (usually measured in terms of achieving the objectives set by management and the board for the period).

I like the discussion of metrics to measure effectiveness of awareness, and the author’s closing:

Cybersecurity success is reliant on contributions big and small from everyone in the organization. To summarize:

  1. Cybersecurity is a shared responsibility for everyone and starts from the top.

  2. Get top management buy-in to ensure everyone is onboarded on the requirements.

  3. Success of any program and shared responsibility depends on good communication and awareness.

  4. Measure the programs as a whole and each step of the program.

I welcome your thoughts.

Auditing Risk Culture

November 22, 2021

Earlier this year, the Institute of Internal Auditors Australia published Auditing Risk Culture, A Practical Guide.

It’s a very interesting publication. They start with a definition of ‘risk culture’, something that I believe is a challenge in practice but that they address well.

Culture is a characteristic of a group of people – the shared perceptions about what behaviour is ‘correct’, prioritised and likely to be rewarded. Organisations pursue many different strategic priorities and operate in different political, economic and social contexts, so their cultures vary.

Individual behaviour is affected by the way in which actions are rewarded or punished. In the workplace, people learn what is acceptable behaviour by observing the behaviour (including speech) of peers and managers. Behaviour that is repeated regularly becomes the norm, or ‘the way we do things around here’. Behaviour of managers and leaders is particularly important in demonstrating the priorities of the organisation.

Risk culture is an aspect of broader organisational culture. Risk culture refers to the behavioural norms that help or hinder effective risk management. Some definitions of risk culture also incorporate the group’s underlying values and assumptions about risk management, and others incorporate policies and systems. In large organisations, subcultures often form in different areas and even in specific teams with different managers. Internal audit teams should not assume that risk culture is consistent throughout an organisation, or even within a large division or function or tier of management of that organisation. Culture normally forms in groups of people that have regular interaction with one another, often with a common manager.

I especially like these points they make in this definition:

  • “Risk culture is an aspect of broader organisational culture.”

Behavior towards risk-taking is just one aspect of organizational culture. In fact, it needs to be considered together with the desire for innovation, imagination, creativity, entrepreneurship, employee empowerment, compliance, and commitment to the customer. In other words, I question the value of assessing risk culture in a silo, not recognizing the tension between risk-taking, compliance, and achieving objectives.

  • “Risk culture refers to the behavioural norms that help or hinder effective risk management.”

I like this. It asks whether people generally support desired practices around taking risk – and seizing opportunities.

  • “Internal audit teams should not assume that risk culture is consistent throughout an organisation, or even within a large division or function or tier of management of that organisation. Culture normally forms in groups of people that have regular interaction with one another, often with a common manager.”

Attitudes towards risk-taking should vary. Do you want your accounting and sales people to have the same desire or antipathy about taking risk?

The Guide continues.

An unfavourable risk culture can compromise the effectiveness of the risk management framework in a range of ways. When risk management is seen as a ‘tick-box’ exercise rather than a genuine priority, investment in risk capability and systems may be insufficient to really achieve adequate effectiveness. An overemphasis on short-term profits, growth in market share or cost minimisation can override risk management considerations in decision-making.

When risk management is not seen as helping people make informed and intelligent decisions, when it is not seen as an element in achieving success, it defaults to a compliance activity. It is not surprising that so many executives (80% in surveys I have seen) view risk management as just that, an impediment rather than a valuable tool in running the business.

The Guide makes a good point, that if you are to assess risk culture you need something to assess it against. With that in mind, the IIA Australia has shared a risk culture model. It is based on the one developed by Macquarie University. One of the authors, Elizabeth Sheedy, is a professor there.

The Guide then shares a ten-step process for assessing risk culture.

I have a chapter on risk culture in Risk Management for Success. I discuss what it is and suggest that rather than assess risk culture by itself, it makes more sense and has more value to assess it within the context of overall organizational culture. I provide my own very simple ten steps for such an audit:

  1. Select one or more dimensions of culture and desired behavior – but not all of them. That would not be practical.
  2. For each, what is the desired state? (The assessment will be against that.)
  3. What can happen that would lead individuals or groups to diverge from the desired behavior?
  4. What are we doing to enable the culture we desire?
  5. What controls are in place that would either prevent inappropriate behavior or detect it so that appropriate and timely action can be taken?
  6. Do they provide reasonable assurance that the culture is as it should be and that individuals and groups will behave as desired?
  7. Are there areas where the desired culture does not appear to be in place?
  8. Understand what is happening in those areas.
  9. Identify corrective actions, if any.
  10. Communicate the results.

My serious problem with the idea of assessing risk culture (acknowledging that, as the Guide says, internal audit may be mandated by some regulators to do so) is that you should first assess risk management.

If risk management activities are poor, what’s the point of assessing risk culture? It means that management and the board are satisfied with a defective system of risk management. I have seen this many times, where everybody believes that the periodic review of a list of risks is effective risk management, when it is not.

In fact, it is difficult to consider risk management as effective if the culture means it is ignored or seen as a compliance activity.

So, my advice is to include culture in the scope of an audit of risk management, rather than do something separate.

I also like the idea of assessing whether the culture of the organization (which has multiple dimensions) drives desired behavior, such as risk-taking, compliance, ethics, teamwork, innovation, and so on.

However, if you really, really want to audit risk culture by itself, I recommend the Guide.

I welcome your thoughts.

Getting from recommendations to actions

November 17, 2021

I recently wrote about an inherent problem with (some) audit reports.

I discussed the fact that some auditors believe they can persuade management with an audit report to take action to correct a deficiency.

I pointed out that a report is far less persuasive than a face-to-face discussion, with both management and the auditor sharing and listening openly to each other.

One of the people who commented on the piece talked about a management failure: failing to follow through and take the actions they had agreed in the audit report. As I read and considered the point, I came to believe that the writer was talking about this:

  1. The auditor drafts a report, discusses it with management, and makes recommendations for corrective actions.
  2. Operating management reply in writing, which is included in the audit report, that they agree and will take defined actions by a certain time.
  3. The due date passes without the actions being taken.

The author of the comment said this was 100% a management failure.

I am not so sure.

There is certainly a failure of management to keep their commitment, and this needs to be discussed with them and probably their management. It may be indicative of another and more serious problem with management.

But sadly there is often an internal audit failure as well.

We might have one or more of these situations:

  • Management agreed on the facts, but not whether they indicated a risk of significance. As a result, even though they committed to taking action, they did not make it a priority.

Maybe they agreed because “the auditors tell us to do it”. They may fear disagreement and how it would look to senior management or the board.

When I was a vice president in IT, my information security team was subjected to an internal audit (deliberate wording).

One of the issues identified by the auditor related to the way in which we allowed our senior executives to dial in to our data center from home. (This was before remote access was through the internet. Back in those dark days, the executives used a modem to call a dedicated phone number attached to a security device that allowed them access after providing their userid and password.)

The auditor read in a book by IBM provided to him by his manager that the company needed to change phone numbers at least monthly. The “risk” was that a hacker could detect the phone number by attaching a device to the executive’s phone line and use it to gain access to our data center and its systems.

Even though the auditor agreed that a hacker would need a dial-in userid and password before accessing our operating system, a different userid and password for the operating system, and yet another userid and password for each application, he included this as a “high” risk in his audit report. He recommended that we change phone numbers every month.

In a meeting with the auditor, after he agreed with the facts, I pointed out the disruption that would be caused by constantly changing the dial-up phone number. Every month, our help desk would be besieged by angry and frustrated executives demanding not only that we provide them the correct number, but to stop the insanity.

Nevertheless, his manager insisted on including this as a high risk in the audit report.

I provided my response, disagreeing with the rating of high risk and explaining why this was the wrong action to take for the business.

I received a call from my boss’ boss, an Executive Vice President and direct report to the CEO. He told me that management never disagreed with the auditor. We had a “constructive” discussion about it, with neither of us willing to concede the point.

I have seen this before, where management is afraid of how it would look if they disagreed with the internal auditor. So, they agree on paper and delay in practice.

  • While management agrees to the auditor’s recommendation, they don’t see it as a priority. They have more important issues to address that require the same resources.

The auditor is happy that management agrees with the finding and recommendation. However, they don’t seek to understand management’s other priorities.

I had this with the same audit of information security.

The auditor had taken every item in our information security software implementation project plan and made it a recommendation. They did not indicate that we had already identified the need and it was on our schedule. Instead, they “recommended” (read as “insisted”) that we complete each item within a month or two, ahead of plan.

When I pointed out that we didn’t have the resources to move more quickly, let alone that it was high risk to move too fast, they stood their ground.

They agreed my team had properly prioritized each task in the project and that we couldn’t move faster. Nevertheless, that is what they recommended.

I asked that they say something about resources being limited, but they would not.

At the direction of my management, we agreed to the recommendation but continued to proceed at the pace indicated in our audit plan.

  • When I was with Tosco, we agreed to acquire refineries and other assets from BP on the West Coast. I asked my counterpart at BP for copies of any audit reports for those operations, which I received soon after.

One of the audits was of the refinery at Ferndale in Washington state. The auditor had made many recommendations, including one to remove access by receiving personnel to information about what had been ordered. As a result, they would no longer be able to check that the items received were the items ordered, including whether the quantities were correct.

The action was countermanded when more senior management got involved, after they read the audit report.

The auditors were not informed of the change in plans. They only found out when they followed up to confirm the recommended actions had been taken.

  • I have seen situations where management agreed with the recommendation but later decided there was a better response. They took business-appropriate actions in response to the risk, but they were not the actions recommended by the auditors.

I want to make a few points:

  1. Make sure, by listening openly and collaboratively to management, that you understand the true business risk and how significant it is to the business.
  2. Take the time to identify and address the root cause(s), not just the symptoms. Be brave enough to suggest that management doesn’t have enough people, or the right people, if that is the case.
  3. Discuss the options for addressing the risk, including how difficult and time-consuming they might be – and whether there would be other consequences. For example, would fixing one risk prevent management from having the resources to fix another one, or seize an important opportunity?
  4. Don’t ask management to do what you wouldn’t do in their shoes!
  5. Make sure management recognizes, truly, that it is in their own interests to take the actions. It will improve the likelihood and extent of their own success, as well as that of the organization. If they don’t believe it, they may not do it. They need to want to take the actions, they need to own them. They aren’t doing them just because the auditor said so.
  6. If they understand the facts and their implications but don’t believe it represents an issue deserving prompt action, why should we? Is our understanding and assessment faulty?

In other words, don’t just sell your finding. Make sure you have a committed buyer.

Management will 100% deliver on actions they believe are high priority and in their own interests.

They will dawdle if the only reason to take action is “the auditor told us to do it”.

I welcome your thoughts.

The inherent problem with (some) audit reports

November 8, 2021

There are quite a few articles and blog posts that bemoan the situation where management fails to implement the recommendations in the audit report.

One example that merits our attention is by Richard Chambers, Whose Risk Is It, Anyway? When Management Says ‘No’ to Internal Audit.

I believe there is a fundamental problem that is simply not being addressed.

That problem is that auditors believe that one of the reasons for writing a report is to persuade management to take action.

Sorry, that is not realistic.

People are rarely persuaded to act differently by a report.

It is far better to talk to management, agree on the facts, and then see if you can agree on the severity of the situation. Only then, work as a trusted partner with management to agree on the corrective actions that are right for the organization.

The auditor needs to listen respectfully to management – something that many auditors do poorly if at all.

Don’t issue a report, even in draft, until after the auditor has had a meaningful discussion with management.

If there is disagreement on the facts, the auditor should understand why. It may be necessary to do more work.

If there is disagreement on the severity of the situation, the auditor needs to ask why management disagrees. What is their assessment and why?

The auditor needs to listen actively, with an open mind.

Management almost always will have a better understanding of the business, the risk to the organization’s objectives, and whether the risk (if any) should be taken – whether it is justified.

Once the auditor has shared even an initial draft, the potential for conflict has escalated. The auditor doesn’t want to change the report and management feels the auditor doesn’t understand and is not listening.

Not a recipe for a trusted relationship.

Once the facts and the severity are agreed, then attention turns to corrective action.

Again, it is far better to talk about this than make a recommendation and wait for a response.

I prefer to see if management has a suggestion first, but if they don’t the auditor may say (not write) what they believe will work. Both need to consider the effects of any action; sometimes there are undesirable side effects.

The desired result is action that will address the issue – the root cause of the issue at that – and makes good business sense.

It is far, far better to agree on “agreed action items” in a meeting with management and confirm them in the audit report, than to issue a report with recommendations and responses. (Worse is to issue a report with recommendations and ask management to reply with their responses. It is hardly working as a trusted partner!)

Including “agreed action items” in the audit report has been a best practice for more than 20 years, so why do people still talk about management not agreeing with recommendations?

I welcome your thoughts.

The PCAOB fails the external auditors

November 3, 2021

My friend, Francine McKenna, writes about the CPA firms and related matters at The Dig. She frequently calls out the firms for their missteps, but she is also quick to write about issues at the regulators that are supposed to oversee them.

I recommend her site and following her on Twitter (@retheauditors).

Board members, executives, and practitioners should be concerned when there is evidence that the audits performed by the firms are deficient.

The Public Company Accounting Oversight Board (PCAOB) inspects a sample of audits every year and has consistently found fault with the firms’ performance.

They have recently shared the reports from their inspections of 2020 audits by several firms, including:

Even though EY celebrated what they thought were excellent inspection results, I don’t believe they had reason to do so. 15.38% of their audits that were inspected had serious deficiencies.

The PCAOB inspectors will occasionally go so far as to assert that an audit opinion was incorrect, although they did not say that of any of the four firms’ 2020 audits that they inspected. However, they did identify multiple audits with at least one serious deficiency – when the auditor’s workpapers did not indicate sufficient evidence was obtained for the audit opinion.

I have summarized the areas where serious deficiencies were found for each firm. The PCAOB calls these “Part I.A deficiencies…. that were of such significance that we believe the firm, at the time it issued its audit report(s), had not obtained sufficient appropriate audit evidence to support its opinion on the issuer’s financial statements and/or internal control over financial reporting”.

Firm | Number of audits inspected | Number with Part I.A deficiencies | Percentage that failed
Even one failure is too many. Nobody should be happy with these results, although for PwC in particular the failure rate was significantly lower than for 2019 audits.

With respect to their audits of the financial statements, PCAOB reported these types of Part I.A deficiencies.

| Deficiency type | EY | KPMG | PwC | Deloitte |
|---|---|---|---|---|
| Did not perform sufficient testing of data or reports used in the firm’s substantive testing | 4 | | | |
| Did not obtain sufficient evidence as a result of overreliance on controls (due to deficiencies in testing controls) | 3 | | | |
| Did not sufficiently evaluate significant assumptions or data that the issuer used in developing an estimate | 2 | | | |
| Did not perform sufficient testing related to an account or significant portion of an account or to address an identified risk | 0 | | | |
| Did not perform sufficient procedures related to the scoping of the audit, including multi-location audits | 0 | | | |
| Did not perform sufficient roll-forward procedures | 0 | | | |
| Did not perform sufficient, appropriate analytical procedures when analytical procedures were intended to provide substantive evidence | 0 | | | |

With respect to the audits of internal control over financial reporting:

| Deficiency type | EY | KPMG | PwC | Deloitte |
|---|---|---|---|---|
| Did not perform sufficient testing of the design and/or operating effectiveness of controls selected for testing | 3 | | | |
| Did not identify and/or sufficiently test controls over the accuracy and completeness of data or reports that the issuer used in the operation of controls | 1 | | | |
| Did not test the accuracy and/or completeness of information that the firm used to make selections for testing the operating effectiveness of a control | 1 | | | |
| Did not identify and test any controls that addressed the risks related to a significant account or relevant assertion | 0 | | | |
| Did not perform sufficient procedures related to the scoping of the audit, including multi-location audits | 0 | | | |

The area with the most deficiencies for each of the four firms was Revenue and Related Accounts.

Finally, the number of audits that failed either with multiple deficiencies or where the PCAOB said the auditor’s opinion was wrong:

| | EY | KPMG | PwC | Deloitte |
|---|---|---|---|---|
| Audits with an incorrect opinion on the financial statements and/or ICFR | 0 | | | |
| Audits with multiple deficiencies | 4 | | | |

What does all of this mean?

  1. The auditors are not perfect.
  2. There is a risk that they will not identify material errors in the financial statements or in the design and operation of internal control over financial reporting.
  3. Should they fail to detect a material error, especially one involving fraud, that can have a serious impact on the company, its management, and its board of directors.
  4. The audit committee, with the help of the chief internal auditor, should perform sufficient oversight to gain reasonable assurance that the auditors are performing a quality audit.

I welcome your thoughts and reflections.

Enterprise Risk Management, 2nd Edition

October 31, 2021

A good friend and valued resource when it comes to both risk management and internal audit is John Fraser. Formerly the Senior Vice President for both Internal Audit and Risk Management at Hydro One, John’s work has been widely recognized for its excellence.

John’s risk management program at Hydro One was the focus of a study by Harvard professor, Anette Mikes, and John wrote about it in the Journal of Risk and Financial Management.

With his coauthor Dr. Betty Simkins and others (Rob Quail on the first of those listed below, and Kristina Narvaez on the second), John has shared a couple of useful reference books:

Each book is a collection of articles by different authors on a vast range of topics.

For example, the 2nd edition of Enterprise Risk Management has 43 pieces with discussions that include:

  • The role of the directors and senior management
  • How to teach ERM
  • The history of ERM
  • ERM frameworks
  • The role of the CRO
  • Key risk indicators
  • A risk-aware culture
  • ERM in the federal government
  • Risk appetite
  • Bias
  • Risk workshops
  • Risk profiles
  • Resource allocation based on risk
  • Quantitative risk assessment
  • Decision-making
  • Market risk
  • Credit risk
  • Operational risk
  • Climate change risk
  • Cybersecurity risk
  • Foreign exchange risk
  • Leveraging ERM for growth
  • Director and officer insurance
  • Financial reporting and disclosure

Do I agree with everything in the book? No, certainly not.

But I think the book is worth reading and can be the basis for forming your own ideas on the effective implementation of risk management at your organization.

I welcome your comments, especially if you have a copy of the book and are willing to share your review.

How much of a risk is ransomware?

October 29, 2021

I recently saw a couple of pieces from the UK government. One seems to make ransomware out to be a huge issue, while the other does not.

A senior reporter at ZDNet wrote an article, Ransomware is the biggest cyber threat to business. But most firms still aren’t ready for it. He said:

Ransomware is the most significant cybersecurity threat facing organisations ranging from critical national infrastructure providers and large enterprises to schools and local businesses – but it’s a threat that can be countered.

In a speech at the Chatham House Cyber 2021 Conference, Lindy Cameron, CEO of the UK’s National Cyber Security Centre (NCSC), warned about several cybersecurity threats facing the world today, including supply chain attacks, the threat of cyber espionage and cyber aggression by hostile nation states, and cybersecurity exploits and vulnerabilities being sold to whoever wants to buy them.

But it’s ransomware that is “the most immediate danger to UK businesses and most other organisations,” said Cameron, who warned that many businesses are leaving themselves vulnerable because “many have no incident response plans, or ever test their cyber defences”.

Now contrast that with other information from the UK government in their Cyber Security Breaches Survey 2021.

On the one hand, the frequency of cyber attacks and breaches is alarming:

Four in ten businesses (39%) and a quarter of charities (26%) report having cyber security breaches or attacks in the last 12 months. Like previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%).

However, the cost incurred when there is a breach is anything but alarming:

…where businesses have faced breaches with material outcomes, the average (mean) cost of all the cyber security breaches these businesses have experienced in the past 12 months is estimated to be £8,460. For medium and large firms combined, this average cost is higher, at £13,400. There are too few charities in the sample to report average costs in this way, but the overall costs recorded for businesses and charities follow a similar pattern.

Now I admit one article is specifically about ransomware and the other is a broader survey of all cyber breaches, which would include ransomware.

But it is hard to say that ransomware is a top risk based on the two pieces.

Then there’s a new piece from ISACA, Surge in Ransomware and 10 Biggest Attacks in 2021. It confirms the survey’s assessment that the frequency of breaches has increased. But it doesn’t go beyond the 10 largest attacks to estimate the typical cost.

The ISACA report lists these ten:

  • Kia, a $44bn revenue company, paid $20m
  • Acer, an $8.4bn revenue company, paid $50m
  • The Washington, DC Police Department paid less than $4m
  • CNA Financial Corp., a $9.4bn revenue company, paid $40m
  • ExaGrid, a private company whose revenue I estimate is about $500m, paid $2.6m
  • Colonial Pipeline Company, which was in the news for its ransomware problem and has revenues of $1.3bn, paid $4.4m
  • JBS had $14.3bn in revenue for the 1st quarter of 2021, and they paid $11m
  • Accenture, a $50.5bn revenue company, paid $50m
  • CD Projekt Red did not indicate how much it paid
  • Brenntag, a company with $13.6bn in revenue, paid $4.4m

These are all large numbers, but really quite small for each of these companies.

I doubt that ransomware is really the top risk for any of these companies. It is likely less significant than the potential harm from a change management failure that causes a new or changed system to fail.

I have to wonder what their information security budget is!

I believe every organization should:

  1. Recognize the high likelihood that not only will they be attacked but their defenses will be breached.
  2. Complete (and maintain over time) a business impact analysis to understand how a breach might affect them. This is an exercise that must have the active and committed participation of both the technical and business management and staff experts.
  3. Assess how significant a breach could be (there is a range of possible magnitudes, each with its own likelihood) in their specific circumstances.
  4. Prepare for the event.
  5. Harden both defenses and response – within reason – and test them regularly. The articles have some great recommendations.
  6. Invest according to the risk to the organization, based on the business impact analysis, rather than on somebody else’s survey, the news headlines, or a consultant’s advice.
  7. Review and audit periodically (with the frequency based on the level of risk, continuously updated).

I welcome your thoughts.

Revisiting the concept of Risk Appetite

October 25, 2021 22 comments

Carol Williams has written a thoughtful post, Risk Appetite: Bridging The Gap Between Two Extremes that I recommend reading.

Before diving into it, I want to thank her for her comments about this blog and how it sparks useful discussion among practitioners.

Carol is a believer in risk appetite, but I am not.

My primary argument is that leaders of the organization should be managing the business, not a list of potential harms.

Risk appetite focuses only on potential harms absent the context of whether they should be taken on business grounds.

There are other problems with the concept, including:

  • They are of little value if they don’t affect decision-making.
  • They are harmful if they lead to decisions that consider only the downside, not whether risks should be taken.
  • Business conditions are changing all the time, so we need decisions made based on current and future conditions, not some “statement” made in the past that is unchanging.
  • It is impossible to establish a meaningful risk appetite, defined by COSO as the amount (whatever that is) of risk you are willing to accept in the pursuit of objectives, for risks like:
    • The possibility of physical harm, even death, of personnel, or
    • The possibility of non-compliance with applicable laws and regulations
  • Risk appetite statements such as “we are risk averse” are meaningless. If you are risk-averse and want to minimize potential harms as much as possible, you should not be in the business.
  • They don’t help anybody know what risks to take.
  • People aggregate disparate sources of risk to create a meaningless number. That helps nobody.

Carol quotes my good friend, John Fraser. John as usual makes a good point, that these statements can spark a discussion. Anything that gets people talking is, of course, healthy and desirable. But do they lead to informed and intelligent decisions?

I don’t deny that people need to know when there are limits on the risks they should be taking. (I prefer the idea of taking risk to the passive language of accepting it.)

But that can be done through risk limits and other policies that are meaningful, with specific numbers and guidance (such as requiring more senior managers to be involved in the decision) instead of attitude statements. It can also be done by making sure people know how to make decisions that weigh both the positive and negative potential effects of what might happen.

Let’s take a moment to consider Carol’s argument that when people in management have different attitudes about risk-taking, there’s a problem. I don’t see it that way at all!

I don’t want my Sales and Finance leaders to have the same attitude about risk-taking. I want my sales team to be more imaginative and creative than my accounting folk. I am sure you do as well.

What is important is that when there is an important decision to be made, the right people are at the table with reliable information about what might happen. That can mean that the risk-taking EVP Sales and the risk-averse General Counsel are talking and listening to each other. Any risk appetite statement is unlikely to come up in discussion.

Here’s my bottom line:

How can you make sure that people are making informed and intelligent decisions, taking the right level of the right risks, considering all the things that might happen?

If risk appetite factors into your solution to that mission, great. It would not have at any of the companies where I worked.

I welcome your thoughts.

The auditor’s responsibility for fraud

October 20, 2021 7 comments

Today, I want to discuss the topic, first the external auditor’s role, and then internal audit’s role.


Francine McKenna is a lady you should follow[1] (@retheauditors) if you are interested in the external audit profession. She never holds back on her criticisms of the accounting profession, especially the so-called “Big Four”.

Her latest online newsletter is The Dig. That is where she recently wrote a provocative piece, Busting the myth about auditors and fraud.

She asserts that there is a common myth that “The [external] audit is not designed to detect fraud”.

It is very easy to get confused with this topic, and the ‘myth’ is both true and false.

  • True: the external auditors are not required to detect every fraud.
  • False: they are required to perform procedures that will provide a reasonable level of assurance that the financial statements filed with the SEC are free of material misstatements due to fraud.

Francine provides a link to a PCAOB[2] paper from 2012, Consideration of outreach and research regarding the auditor’s approach to detecting fraud. The paper says:

Under PCAOB standards, the auditor is required to plan and perform the audit of the financial statements to obtain reasonable assurance, which is a high level of assurance, about whether the financial statements are materially misstated due to error or fraud. As this wording suggests, these auditor responsibilities are focused on fraud that results in material inaccuracies in, or omissions from, the financial statements.

They use the term, “financial statement fraud”.

The paper continues:

Existing PCAOB auditing standards require the auditor to, among other things, (1) perform procedures to identify fraud risks; (2) plan and perform audit procedures to address those risks, including certain specified procedures to address the risk of management override of controls; and (3) consider fraud in evaluating the results of the audit.

It’s a very useful paper that summarizes existing PCAOB requirements.

Francine provides some additional insights, but one of the challenges is the notion of “reasonable assurance”. The audit firms have defended failures to detect massive financial statement frauds with statements like “management lied to us and withheld information”. Is that reasonable? It probably is sometimes, and probably is not at other times.

One myth that Francine doesn’t discuss in her article is whether the external auditors have a clue about what is happening in the business. In my experience, there is a great deal that escapes them, but on the other hand they have very smart people who usually do the best they can.

I will defer to Francine, the PCAOB inspectors, and the courts on whether the firms are obtaining “reasonable assurance”.


One point is clear, though:

The external auditors are NOT responsible for detecting every fraud. They are only responsible for detecting frauds (one or more) that are at least reasonably likely to lead to a material misstatement of the financial statements filed with the SEC.

There are a great many other frauds. For example, the first fraud my audit team uncovered was of the safety numbers. These numbers affected the perception of performance, and therefore the continued employment and compensation of the safety officer and his staff.

At Solectron, my team discovered quite a few accounting frauds that resulted in the misstatement of the results and financial position of different business units. However, they were not material (individually or in aggregate) to the consolidated financial statements; KPMG was an interested observer and, to my knowledge, performed no additional procedures. I was surprised at the time and remain surprised today at their apparent complacency. But as I told the audit committee, I believed that the risk of material misstatement of the consolidated financial statements was not high – especially as we got the units’ financials corrected.


To summarize:

  1. The audit firms are not responsible for detecting immaterial financial statement frauds.
  2. They are also not responsible for anything relating to other types of fraud.
  3. Even when there has been a major financial statement fraud, we shouldn’t leap to the conclusion that the auditors failed. They may have performed everything required of them by the PCAOB or other regulators. Reasonable assurance is not perfect assurance.


What is the internal auditor’s responsibility for fraud?

This is also an area of myth: that it is internal audit’s responsibility to detect fraud.

Let’s get something straight:

Preventing and detecting fraud is a management responsibility.


Understanding the risk of fraud is a management responsibility.

That’s not to mean that internal audit has no role in this.

  1. Internal audit should consider the risk of fraud in its engagement planning.
  2. Internal audit should assess whether management understands fraud risk and has appropriate preventive and detective controls.
  3. Internal audit should also consider the influence of culture and the tone at the top on the possibility of fraud.
  4. Internal audit usually, but not always, has a role in investigating suspected violations of the company’s code of ethics and values.

We should be focused on fraud that could be a significant source of risk to enterprise objectives. In addition, we should be concerned about fraud that:

  • Involves senior management or even the board
  • Affects the health and safety of individuals, whether employees or not. For example, I have seen fraud involving the safety training of contractors
  • Could lead to reputational damage
  • Would be of a magnitude that would be of concern to top management or the board

I suggest that the responsibilities of internal audit in relation to fraud should be discussed with both top management and the board. That could lead to management and the board asking the CAE to take on additional fraud-related responsibilities as a consulting service.


What do you think?

[1] I consider her a friend, although we rarely have been able to see each other. We live in different parts of the country.

[2] The Public Company Accounting Oversight Board oversees and provides standards for the external auditors of larger public companies with securities registered in the US.

Who owns and is responsible for a risk?

October 15, 2021 19 comments

There is a maxim that every risk should have a “risk owner”. Let’s examine that rule.

But first I want to share what Adrian Wright, CEO of 1GRC, wrote on one of my recent posts:

IMO one of the key tasks of the risk function – be it CRO or Business divisional, is to facilitate the dialog with the business needed to identify risk owners, assign clear responsibilities to them and instruct them on what they need to do to carry them out. Including any assessment and process around risk acceptance.

Where organizations get it wrong is in allowing ownership of all identified risks and remediation thereof to fall to some core risk function that is not within the business.

I totally agree with his last statement. The only risks the risk function owns are around the possibility that they are ineffective or make serious mistakes that lead managers to make poor decisions. For example, if they are tasked with using Monte Carlo to assess a situation and make errors in the process.

In a later comment, Adrian expanded on his point:

Norman, the thrust of my original comment was around assigning the ownership of risks to their appropriate (business) owners, rather than the subsequent risk methodology used. But as we are now talking about contrasting downside risks and potential business (risk) opportunities in order to maximize overall business performance; we are not in disagreement.

To paraphrase some of your own writings, you gave an example that the King IV code now talks about ‘the oversight of risk and opportunity management’. And the tools and techniques traditionally used to manage potential harms (downside risks) might be used to manage the potential for gain (opportunities). From this current discussion, we can also add in business performance (as in not impacting it, and potentially enhancing it) through improved RM.

In fact, I was recently moved to produce a Venn diagram in an attempt to illustrate these interactions. It’s not exact, as in the real world the bubbles are not of equal sizes and there are bigger and more overlaps than the diagram can show, but I find it’s a useful start point for starting to get the business to understand the potential benefits that can be achieved.

Venn diagram

I think Adrian has done some excellent work. His Venn diagram could lead to some interesting discussions.

However, I want to come back to the idea that every risk should have an owner.


What I have said in the past is that whoever owns a performance objective should also own the management of the risks and opportunities that might affect its achievement.


Take the example of the possibility that a cyber breach could result in the loss of customer personal data, intellectual property, business disruption and ransom payments, or damage to the organization’s reputation.

Who is affected?

Who should make the decisions about how much risk to accept, whether the current level of threat is acceptable, how much to invest in reducing the threat, and so on?

A breach could result in a failure to achieve several enterprise objectives, including:

  • Revenue targets
  • Customer satisfaction
  • Organizational reputation
  • Compliance with regulations and the expectations of the community
  • Product competitive advantage (if competitors gain access to our IP)

Does the CISO “own” the risk? Does the head of Sales or Compliance?


I could argue that the management team “owns” the risk, but that is not particularly helpful.


Let’s take another example: the possibility that a customer could default on their account.

Who does that affect? It can affect several enterprise objectives, including:

  • Revenue targets
  • Cash flow (and the use of that cash for marketing initiatives or major projects)
  • The company’s share price

Who “owns” the risk? Is it a useful concept?


Here’s my suggestion.

Instead of defining an owner for every risk, determine who will make related decisions and who will take related actions, including monitoring.

These are not necessarily the same people!

In fact, identifying “action owners” instead of “risk owners” can lead to the sort of discussions among the various involved parties that can lead to taking the right level of the right risks.


This is a new concept. What do you think?

The Role of the Risk Officer

October 11, 2021 11 comments

A friend and colleague[1] has written a bit of a rant on risk management in a new blog post: How Can So Many Get Risk Management Wrong? 3 Ways to Fix Your Approach.

Doug Anderson has a wise head on his shoulders, and I agree with everything he says in this piece – which I recommend.

I especially like how he summarizes his position:

When I was part of a management team acquiring and divesting businesses, evaluating capital projects, setting pricing strategy, and exploring investments in new technology, risks were an integral part of each decision. I may have addressed the risks poorly or well, but I was still doing “risk management” as an integral part of making the decision. RM may be best thought of as a mindset and discipline – supported by tools, expertise, and process.

The question is not whether to manage risk, but how to manage risk. Will it be through ad hoc, inconsistent, or poorly-executed actions? Or, through disciplined thinking and structure to make sure it is managed correctly?

I challenge you to rethink how you view RM – a centralized, formal process that has no substantive impact on your organization or a functional discipline that improves decision making. Don’t immediately start with lists of risks, mathematical models, charts, and endless meetings. Instead start with understanding your business, the decisions to be made, and how the risks that are an integral part of your decisions will impact your business’ success.

If risk officers are not viewed by managers as helping them be successful, helping them make informed and intelligent decisions, they are not effective.

It is not enough to try and help; it is necessary to help in a way that is recognized as significant by your customers in management.

My favorite measure of risk management effectiveness is this. Ask your managers and executives whether risk management, as practiced in the organization and by the risk team, makes a significant and sufficient difference in your ability to make the informed and intelligent decisions necessary for success. Alternatively, ask them whether (as Deloitte once put it) risk management helps them set and then execute on business strategies.

What do you think?

[1] He was chair of the IIA’s Professional Issues Committee when I was a member.

I disagree with Richard Chambers on Opinions and Ratings

October 5, 2021 9 comments

It is not often that I disagree with my friend, Richard, but on this occasion I have very different views.

He has shared the results of a recent survey and then his opinion on opinions in a post for his new company, Auditboard. In How do we rate? Assigning Ratings and Opinions on the Basis of Audit Results, he says:

As internal auditors strive to serve the needs of various business stakeholders as well as management and the board, we must always be cognizant of how we communicate our findings. A key part of this is providing information that stakeholders need in a manner that is clear and accurate. What I’ve observed over the course of more than two decades is that management and audit committees are typically appreciative of audit results that have been synthesized in an easy-to-digest manner. More often than not, any mechanism that can help to focus their attention, as well as any predetermined indicator of what is urgent, is greatly welcomed by executive readers.

In this, he is absolutely right. I especially like the point about “providing information that stakeholders need” rather than what we want to say. He doesn’t mention the need for the communication to be concise and timely, which I am sure he believes.

He summarizes the survey results:

  • A recent AuditBoard survey of 175+ CAEs found that audit ratings continue to be a widespread practice among internal auditors, although methodology and frequency range widely among different audit departments and companies.
  • Our CAE survey found 63% of audit departments assign overall ratings for each audit report. In addition, nearly 63% of respondents also rate individual findings in their audit reports.
  • Our survey found a range of rating schemes that differed from department to department. The most common method — preferred by nearly 70% of respondents — is using adjectives (Satisfactory, Needs Improvement, Unsatisfactory) to summarize an audit report. A less popular method is a numerical rating scheme, with about 14% of respondents indicating they prefer this method. Considering auditors are typically criteria-focused, I expected more to prefer numerical ratings to adjectival ratings. Perhaps this is one of the factors that contributes to friction or tension between internal audit and operating management when ratings are assigned.
  • Another popular method used to distinguish audit reports is color-coding (e.g. red, amber, or green): almost half (47%) of respondents employ this rating scheme both in findings and in the title of report summaries. In particular, assigning color codes to risks observed, based on findings — e.g. a lack of adequate controls, heightened risk areas, controls that may leave the organization vulnerable — can be useful for directing a reader’s eyes to urgent areas requiring attention.
  • Our survey also found that nearly 70% of respondents also assign overall opinions on internal controls periodically to management and the board.

All of this is factual with only a little of Richard’s opinions injected.

But then he says this:

  • While there are benefits to doing so, I believe that assigning opinions creates potential risk for internal auditors. Whereas external auditors offer opinions based on a specific set of standards, there is sparse guidance for internal auditors regarding issuing opinions. This is why internal auditors must exercise caution whenever assigning opinions.
  • An example of safeguarding your opinion by providing negative assurance is wording such as: “Based on the work we conducted… nothing came to our attention that would indicate the organization is not well-controlled.”
  • As audit is a profession that heavily relies on its relationships with all of its stakeholders, audit leaders must be as diplomatic and conscientious as possible when assigning ratings — being mindful of preserving relationships for the future in the process of providing assurance.

Richard is a smart guy with many years of experience.

However, my many years of experience take me down a very different path.

The clue to Richard’s position (IMHO) is in this phrase that he uses: “friction or tension between internal audit and operating management”.

Here is a summary of my position:

  1. If, as Richard has eloquently advocated over the years, internal audit is a profession, then we must act as professionals.
  2. Professionals are entitled to an opinion. That opinion can be borne of experience rather than objective facts. For example, in one audit where there had been serious accounting errors, my opinion was that the root cause was a failure of management. The manager of the accounting function didn’t trust his people, was ineffective as a manager and leader, and his treatment of them was not only demoralizing but had led to past errors and, unless changed, would lead to future errors. Was there objective “proof” of this? No. But when I shared my opinion with the CEO he agreed and appropriate actions were taken.
  3. As professionals, we are entitled to and must use our professional judgment. Contrary to what Richard says about the external auditors relying on a “specific set of standards”, they exercise a great deal of judgment. So do we, and so should we.
  4. Every conclusion on the adequacy of a control and how well it manages risk is an opinion where we use professional judgment. Even the sample size in testing is a judgment call.
  5. Management and the board are entitled to seek and obtain the opinion of the professionals they employ. Wimping out with negative assurance is failing to provide all the value our leaders and the organization deserve.
  6. The formal audit report is the last communication with management and the board, not the first. It should contain no surprises. “Friction or tension between internal audit and operating management” are best avoided by having an open, two-way, constructive discussion with management at each level before the report is issued. In fact, discussions about the “findings” should be held with responsible management as soon as possible – not just to agree on facts and assessment, but so that management can take corrective actions promptly. The overall audit opinion should also be discussed. By that, I do not mean that internal audit tells management what the opinion or rating is. I mean that internal audit works with management to agree on the facts, assessment, and corrective actions (if any); they also agree on how this will be communicated to more senior management and the board. If absolutely necessary, internal audit has the final say. But that should only be after seeking to find words that are fair and balanced.
  7. Any and all communications need to be fair and balanced. Our goal is not to catch management out – and that is what a report that only lists findings does – but to provide management with assurance that they can rely on their organization, systems, processes, and controls to work as needed.
  8. We must tell them what they need to know, when they need to know, so they can act as needed.
  9. Reports should not have “findings and recommendations” with management providing a response. That indicates a failure to communicate! They should have agreed assessments and action plans. Wherever possible, give management credit when they have already started or even finished work on the action items. Consider dropping issues if they have been fixed and top management and the board simply don’t need to know about them. Go even further and give credit for high performing teams and staff. I have named names, with the CEO making a personal call to junior staff to congratulate them.
  10. Negative assurance is not assurance. If you take your ailing child to the doctor and they report that they have run several tests and have not found any serious issues, is that assurance? Is that of much use at all? If you take your car to your mechanic before a long trip and they report that they have not found any issues, is that something that will give you confidence to get on a busy freeway and drive at 75mph?
  11. Don’t hide the elephant in the room. Be brave and point it out. Don’t let your concern, your fear of “friction or tension between internal audit and operating management” prevent you from doing the right thing. If controls are poor because there aren’t sufficient people to do the work, or the people don’t have the experience or ability to perform controls, you need to say so. But do it quietly, in person (Zoom is fine) and find a way to avoid HR issues with anything in writing. In the situation with the accounting manager, I glossed over it with careful words in the report but had more open discussions with the audit committee.
  12. Where possible, remember that the primary goal when there are issues is to get them fixed. The goal is not to rack up points with your audit reports. In audit committee meetings, I presented serious issues jointly with responsible senior management. That way, the board can see the issue is being handled and we are working effectively with management. The “friction” is minimal.
  13. I hate ratings. What do they mean? Would you appreciate a report that your child brings back from school that says he or she is “satisfactory”? What does “high risk” mean? High risk to what? What does it mean to the business? Do I need to change my strategy? English is a very rich language, so why not use it to explain how the results of the audit might affect the achievement of objectives?

I close with some IIA guidance that I recommend. It was written when many people opposed providing an opinion because they were afraid of being wrong. Times have changed.

It’s a Practice Guide, which is recommended guidance: Formulating and Expressing Internal Audit Opinions. (Full disclosure: I was on the IIA team that developed the guidance.)

I welcome your thoughts.

The IIA fails again on risk management

September 30, 2021 20 comments

I have reached out to people at the IIA with a plea to come on board with the latest thinking about risk management: that it is not about managing or mitigating risk, but about taking the right level of the right risks to achieve your objectives.

No reply, unfortunately. (Even though they replied to other initiatives regarding the Standards.)

Now we have a new report from the IIA that cements their feet in the concrete of failure. Yes, failure. Risk management practices are not seen by executives as contributing to how they make decisions and run the business. As a result, they don’t participate with enthusiasm or provide the resources risk practitioners need.

The new IIA report is OnRisk 2022: A Guide to Understanding, Aligning, and Optimizing Risk.

The marketing blurb says that the report “will change the way organizations view and understand risk”. Wrong!

The report says:

  • C-suite executives, and chief audit executives [are] the key players in risk management
    • Comment: this ignores any risk practitioners as well as the fact that operating management at multiple levels are the ones making decisions and taking risks every day.
  • The OnRisk approach is grounded in an innovative methodology that uniquely brings together the perspectives of the major stakeholders in organizational governance — the board, executive management, and chief audit executives. Alignment of these stakeholders’ views on personal knowledge, organizational capability, and risk relevance is a significant step toward achieving strong risk management in support of effective governance.
    • Comment: yes. Asking these people for a list of the higher risks is certainly innovative (not!).
  • One technology C-suite executive articulated a more sophisticated approach to risk management, which adds needed perspective: “We have a formal ERM process, with a person that leads annual reviews for the entire organization. Risks get rated, gaps get identified, and then the likelihood and significance as well as tolerance is determined. Two hundred risks are assessed and grouped together in different categories. I think because we have this process and our audit function is so tuned-in to risk, we have sufficient assurance.”
    • Comment: this is shockingly awful
  • “Some risk reports are maybe too detailed, which makes it difficult for extracting insights. Detail is good, but there should be summaries of relevant info for stakeholders, board members, etc.”
    • Comment: this is correct!!
  • [Internal audit should] perform organizational risk analysis, leveraging the OnRisk methodology.
    • Comment: this is a management responsibility! If management is not capable of anticipating what might happen and taking necessary actions, the CAE should raise this to the audit committee as a very serious deficiency!
  • The OnRisk 2022 report continues The IIA’s groundbreaking approach in collecting stakeholder perspectives on risk and risk management in support of good governance and organizational success.
    • Comment: your feet are in the cement and you are not breaking anybody’s ground.
  • The growing sophistication and variety of cyberattacks continue to wreak havoc on organizations’ brands and reputations, often resulting in disastrous financial impacts.
    • Comment: this hyperbole is not supported by facts. I have written frequently about this and will say no more here.

While I will again share this post with IIA leadership, I ask that everybody who agrees with me contact Anthony Pugliese (@AJPugliese1 on Twitter) and urge the IIA to challenge their old-fashioned thinking, lift their feet out of the cement (which will be hard – pun intended), and get on board with risk management that works – what I have described as risk management for success and Tim Leech refers to as objective-centric risk management.

This continued emphasis on managing risks instead of the business discredits this fine profession.

I welcome your comments.

How effective are your systems of governance, risk, and control/compliance (GRC)?

September 27, 2021 13 comments

The IIA likes to talk about GRC as an acronym that stands for governance, risk management, and internal control. The rest of the world has ‘compliance’ as the last part.

That doesn’t really matter.

The point is that we are talking about the organization, systems, processes, and related controls that management relies on to not only manage ‘risks’ but achieve their objectives.

They rely on them to function properly and do what is asked of them.

One of the valued services that internal audit provides is assurance, as expressed in the last part of the IIA’s Definition of Internal Auditing:

It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The majority of internal audit functions perform a variety of audits every year and provide an opinion (ideally) or at least a list of risk-ranked weaknesses (far less than ideally) on the scope of each audit.

But too few provide an overall opinion on whether management and the board can rely on “the effectiveness of risk management, control, and governance processes” taken as a whole, or at least for the more significant risks and opportunities.

This is something I did at each of my companies and I was part of the team that developed a Practice Guide in 2009: Formulating and Expressing Internal Audit Opinions. Its Background section stated:

Internal auditors are being asked by the board, management, and other stakeholders to provide opinions as part of each individual audit report as well as on the overall adequacy of governance, risk management, and control within the organization. These requests may be for an assurance or opinion at a broad level for the organization as a whole (macro-level opinion) or on individual components of the organization’s operations (micro-level opinion).

I strongly recommend that every internal audit leader become familiar with the Practice Guide. Since 2009, I have developed reservations about a grading system as discussed in the Guide. However, it covers very important issues such as:

  • The form and scope of the opinion
  • The work required to support it
  • Reliance on the work of others

I covered this important topic in Auditing that Matters (my essential book for practitioners). I said:

I am a strong advocate that the CAE should provide a formal overall assessment of the systems of internal control and risk management[1] to the audit committee (or full board) and top management on an annual basis.

While some do not think this is necessary or even achievable, a growing number of governance codes around the world require internal audit to provide an overall opinion. I believe that in time this will be recognized as not only best practice but mandatory.

I started doing this in the mid-1990s at Tosco and have not looked back. The board very much appreciated the assessment, as did management.

I believe this is the primary value that internal audit can provide to any organization.

It provides leadership of the organization with confidence that they can rely on its people, processes, and systems to support their initiatives and achieve enterprise objectives.

It provides leadership with the confidence to take the risks necessary for success.

An opinion on the overall systems of internal control and risk management does not mean that the CAE is opining on the management of every risk. It represents the CAE’s professional opinion on whether there is reasonable assurance that the risks that matter, the risks addressed in the audit plan, are at desired levels.

Let me break that down.

An opinion is just that, an opinion.

As professionals, we are capable of forming and communicating our opinion.

Every professional provides an opinion. It’s not a statement of fact, it’s an opinion – and we are not only entitled to form but to share that opinion.

There is a possibility that we are wrong, but if we and our team perform the work to appropriate professional standards we should be able to stand behind it and provide an overall assessment of the condition of the controls over the risks that matter.

I argue that if we don’t provide that opinion, we are shirking our professional responsibilities.

There’s a huge difference in the quality and value of assurance provided by an overall opinion compared to the value of individual reports with opinions on the management of specific risks.

The overall opinion is clear, concise, and actionable.

When only individual reports are provided, the CAE is leaving the audit committee and management to determine for themselves whether, overall, the systems of internal control and risk management are adequate.

Why make them make that assessment, guessing whether deficiencies in one area mean that the overall assessment is that it is deficient?

I think the CAE should step up, take the risk, and share his opinion.

When I provide my opinion, it:

  • Is formal, in writing
  • Is an assessment of the systems of risk management and internal control over the more significant risks to the organization and its objectives, based on the work performed during the year; that work is reflected in the audit plan and reports on the audit engagements that have been completed
  • Is based in part on the insights obtained by auditing by walking around, talking to management, and being present. The assessment is not limited to the formal audits that have been completed
  • Is a positive statement, rather than a ‘negative’ opinion. The latter is where you point out the risk and control issues but don’t make a positive assertion on the condition of the risk and internal control systems. I dislike the negative opinion as it makes the board and top management guess what our real opinion is
  • Where there are risk and control issues that merit special attention, or where parts of the organization are of concern, they are highlighted

In other words, I try to provide the board and top management with the information they need if they are to understand the condition of the risk and internal control systems, whether risks are being managed at acceptable levels, and whether action is required by them.

For example, while at Tosco, I highlighted the issues at the Avon refinery in Northern California while praising the strength of the Bayway refinery in New Jersey. The contrast was especially useful to the audit committee.

I explained that controls over financial reporting were fine, but those over some operational risks were not. I told them what they needed to know.

My communication is intended to help the board and top management discharge their governance and oversight responsibilities. It is not about telling them how good we are and how successful we have been in identifying deficiencies.

Because my primary end product is this annual assessment, I design the audit plan to give me the input, the information about the management of risk that I need.

In the book, I provide an example of the opinion I shared with the audit committee of the board at Tosco Corporation. I also share how I developed the audit plan and the team to execute it.


  1. Do you provide an opinion on each audit rather than ratings or a list of weaknesses?
  2. Do you provide an overall opinion annually?
  3. Do you do the right work to support that opinion?
  4. Do you do work that is not necessary for that opinion – and if so why?

I welcome your answers and comments.

[1] I consider governance processes to be part of the systems of internal control and risk management. Technically, internal control exists to manage risk, so I could readily make the case that we should just be assessing the management of risk – but it is easier to talk about the more traditional view of internal control and how it helps manage the risks that matter.

There are some that believe internal audit should provide assurance on governance, risk management, and compliance (or control). I don’t agree with this position. Internal audit can provide advisory services to help the board assess its practices, but I don’t believe internal audit should put itself in the position of assessing the competence, integrity, or performance of either the board or executive management. Instead, I believe we should assess whether there are processes and controls in place that address the risk of ineffective governance. We can also share best practices in governance. But going further is a step too far, in my opinion.

How great is your cyber risk?

September 16, 2021 3 comments

Recently, I read a piece directed at CFOs. The question was asked, “You may have a cyber breach that costs $25 million. Don’t you think it’s prudent to invest $1 million to prevent it?”

This is the state of the hyper-active consultants.

Let’s examine the question.

First, each of us needs to understand the potential cost of a breach in our organization. Not what others have reported, the extremes, but what applies in our specific facts and circumstances. We need a careful business impact analysis.

Then we need to understand the likelihood of a breach that would have a significant effect. It’s not the likelihood of a breach that we need to be concerned with. It’s the likelihood of a breach with an unacceptable impact on the business.

As I explained with examples in Making Business Sense of Technology Risk, a breach can have a small effect, a moderate effect, or a significant one. There is a range of potential effects, from graffiti on a web site to the loss of essential intellectual property. Each point in that range has its own likelihood.

While we may be concerned with multiple breaches of low impact, most of us are focused on the likelihood of a breach that would disrupt or cost us more than we can tolerate – making it more difficult to achieve our enterprise objectives.


Fortunately, we have some very useful information from IBM. For several years, they have sponsored research into the cost of a breach by the Ponemon Institute. Their latest report is Cost of a Data Breach Report 2021. Here are some key points in this informative publication. I have highlighted key language.

  • Data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report. Costs were significantly lower for some organizations with a more mature security posture, and higher for organizations that lagged in areas such as security AI and automation, zero trust and cloud security.
  • The average cost was $1.07 million higher in breaches where remote work was a factor in causing the breach, compared to those where remote work was not a factor. The percentage of companies where remote work was a factor in the breach was 17.5%. Additionally, organizations that had more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches than those with 50% or less working remotely. IT changes such as cloud migration and remote work increased costs, yet organizations that did not implement any digital transformation changes as a result of COVID-19 experienced $750,000 higher costs compared to the global average, a difference of 16.6%.
  • Healthcare data breach costs increased from an average total cost of $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase. Costs varied widely across industries, and year over year. Costs in the energy sector decreased from $6.39 million in 2020 to an average $4.65 million in 2021. Costs surged in the public sector, which saw a 78.7% increase in average total cost from $1.08 million to $1.93 million.
  • Lost business represented 38% of the overall average and increased slightly from $1.52 million in the 2020 study. Lost business costs included increased customer turnover, lost revenue due to system downtime and the increasing cost of acquiring new business due to diminished reputation.
  • Customer personally identifiable information (PII) was the most common type of record lost, included in 44% of breaches.
  • Overall, it took an average of 287 days to identify and contain a data breach, seven days longer than in the previous report.
  • The average cost of a breach was $5.04 million for those without zero trust deployed. Yet in the mature stage of zero trust deployment, the average cost of a breach was $3.28 million, $1.76 million less than organizations without zero trust, representing a 2.3% difference.
  • Organizations with fully deployed security AI and automation experienced breach costs of $2.90 million, compared to $6.71 million at organizations without security AI and automation. The difference of $3.81 million, or nearly 80%, represents the largest gap in the study when comparing breaches with vs. without a particular cost factor. The share of organizations with fully or partially deployed security AI and automation was 65% in 2021 vs. 59% in 2020, a 6 percentage point increase and continuing an upward trend. Security AI/automation was associated with a faster time to identify and contain the breach.
  • Ransomware attacks cost an average of $4.62 million, more expensive than the average data breach ($4.24 million). These costs included escalation, notification, lost business and response costs, but did not include the cost of the ransom. Malicious attacks that destroyed data in destructive wiper-style attacks cost an average of $4.69 million. The percentage of companies where ransomware was a factor in the breach was 7.8%.

Going back to that initial question by the consultant, where did this $25 million number come from, when the average cost of a breach is a fraction of that figure?

Even after performing a business impact analysis and understanding the range of potential effects from a breach, there are additional questions that should be asked when evaluating cyber risk, including:

  • How much can the potential (range of) impacts be reduced through additional investment in prevention and/or response?
  • How much can the likelihood of an unacceptable breach be reduced?
  • Will the investment result in an acceptable level of risk? (This is critical.)
  • What is the level and type of investment that makes the most business sense?
  • Are there other actions I can and should take? For example, should I exit a business that represents excessive risk?
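As an added illustration of the post's argument, not code from the original post or from the IBM report: a constructed model in which each breach scenario has its own likelihood and impact range, the risk that matters is the chance of a breach above what the business can tolerate, and a proposed investment is judged by whether it brings that chance to an acceptable level and whether its cost is justified by the reduction in expected loss. The scenario values, the $5M tolerance, the $1M investment and its assumed effect are all assumptions.

```python
"""Constructed model of cyber risk as a range of breach effects, each with its
own likelihood. All figures are in $ millions and are made up for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BreachScenario:
    name: str
    annual_likelihood: float   # probability the scenario occurs in a given year
    impact_low: float          # low end of the business impact for this scenario
    impact_high: float         # high end of the business impact for this scenario

    def expected_loss(self) -> float:
        """Annual expected loss, assuming impact is uniform on [low, high]."""
        return self.annual_likelihood * (self.impact_low + self.impact_high) / 2

    def prob_exceeds(self, tolerance: float) -> float:
        """Probability, within a year, that this scenario occurs with an impact
        above the tolerance. This is the 'breach with an unacceptable impact'."""
        if tolerance >= self.impact_high:
            return 0.0
        if tolerance <= self.impact_low:
            return self.annual_likelihood
        share_above = (self.impact_high - tolerance) / (self.impact_high - self.impact_low)
        return self.annual_likelihood * share_above


def total_expected_loss(scenarios) -> float:
    return sum(s.expected_loss() for s in scenarios)


def prob_unacceptable_breach(scenarios, tolerance: float) -> float:
    """Probability of at least one breach above tolerance in a year,
    treating the scenarios as independent events."""
    p_none = 1.0
    for s in scenarios:
        p_none *= 1.0 - s.prob_exceeds(tolerance)
    return 1.0 - p_none


def apply_investment(scenarios, likelihood_factor: float, impact_factor: float):
    """Assumed effect of an investment: prevention scales likelihood,
    response capability scales impact. Both factors are assumptions."""
    return [replace(s,
                    annual_likelihood=s.annual_likelihood * likelihood_factor,
                    impact_low=s.impact_low * impact_factor,
                    impact_high=s.impact_high * impact_factor)
            for s in scenarios]


def evaluate_investment(scenarios, tolerance: float, cost: float,
                        likelihood_factor: float, impact_factor: float,
                        acceptable_prob: float) -> dict:
    """Answer the post's questions: how much do likelihood and impact fall,
    is the resulting risk acceptable, and does the spend make business sense?"""
    after = apply_investment(scenarios, likelihood_factor, impact_factor)
    loss_before = total_expected_loss(scenarios)
    loss_after = total_expected_loss(after)
    p_before = prob_unacceptable_breach(scenarios, tolerance)
    p_after = prob_unacceptable_breach(after, tolerance)
    return {
        "expected_loss_before": loss_before,
        "expected_loss_after": loss_after,
        "p_unacceptable_before": p_before,
        "p_unacceptable_after": p_after,
        "annual_loss_reduction": loss_before - loss_after,
        "pays_for_itself": (loss_before - loss_after) >= cost,
        "risk_acceptable_after": p_after <= acceptable_prob,
    }


# Constructed scenarios spanning the range the post describes, from graffiti
# on a web site to the loss of essential intellectual property.
CONSTRUCTED_SCENARIOS = [
    BreachScenario("web site defacement", 0.30, 0.01, 0.10),
    BreachScenario("customer PII exposure", 0.10, 1.0, 6.0),
    BreachScenario("loss of essential intellectual property", 0.02, 10.0, 40.0),
]

if __name__ == "__main__":
    # Assumed: the business can tolerate a $5M impact, accepts a 2% yearly chance
    # of exceeding it, and the $1M investment halves likelihood and cuts impact 20%.
    result = evaluate_investment(CONSTRUCTED_SCENARIOS, tolerance=5.0, cost=1.0,
                                 likelihood_factor=0.5, impact_factor=0.8,
                                 acceptable_prob=0.02)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In this constructed case the investment brings the chance of an unacceptable breach within tolerance, yet its cost exceeds the expected-loss reduction, which is exactly why the post asks both questions rather than comparing a single headline breach cost to the spend.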


I am not saying that cyber is not a serious issue. I am saying that we should take the consultants’ pitches with a huge bucket of salt. I am saying that we should determine our level (range) of cyber risk in our specific organization, given our specific facts and circumstances.


I welcome your comments.

Scenario Analysis is a Great Tool in Risk Management

September 13, 2021 7 comments

I have been a fan of scenario analysis for a very long time. Not only is it a great way to understand the current situation, whether it is a problem, which options are available, and what actions to take, but it is far more effective than making decisions based on a list of risks.

Scenario analysis helps everybody view risks and opportunities together and in context.

I highly recommend a 2019 article How to Use Scenario Analysis to Manage in Uncertain Times.

Here are some high points:

  • Every single decision in an organization is made under a certain degree of uncertainty.
  • Often, leaders make these decisions based on anticipated events, along with corresponding best-case and worst-case predictions about what might happen. Whether or not these predictions will actually come to pass is unknown at the time the decision is made.
  • Scenario analysis is a method for creating responses to various future events with the aim of reducing uncertainty and maximizing the chances of achieving a desired outcome. This process requires investments of people, time, and money. Imagination also comes into play as managers use scenario analysis to determine or invent possible courses of action to take so the organization can reduce its overall risk and maximize its value.
  • Historically, scenario analysis arose out of military planning during World War II. During the war, it was a means to offer specific descriptions of different futures; summarize and synthesize variables into a coherent picture for each possible future; suggest multiple and distinct choices that each future would entail; and increase the likelihood of achieving desired outcomes by exploring a range of responses or solutions.
  • Economic historians say that scenarios were first used in the post-war business world by the Shell Oil Company to evaluate oil price variability and consumption patterns, so that capital investments would be shifted into areas offering the best-predicted financial return. The practice quickly spread, and scenario analysis is now used by companies in most industries.
  • In conducting a scenario analysis, specific future uncertainties and corresponding realities are evaluated by exploring different possible ways to arrive at a desired outcome. This requires assessing internal capabilities, such as the strengths and weaknesses of the operation, and external factors, such as the existing and future opportunities and threats in the business environment.
  • Four features make scenario analyses a particularly powerful tool for understanding uncertainty and making business decisions.

First, these thought experiments expand thinking by developing a range of possible outcomes, each backed by a sequence of events that could lead to the desired outcome. According to psychologists, this is particularly valuable because it helps counteract the common biases of expecting the future to resemble the past and expecting that change will occur only gradually. By demonstrating how and why things could quite quickly become much better or worse in new and unexpected ways, scenarios improve readiness for the range of possibilities the future may hold.

Second, these analyses help protect against groupthink, which can inhibit the free flow of ideas. In business meetings, people often agree with whatever the highest-ranking person in the room says. This is especially true in hierarchical companies, where employees will wait for the most senior executive to state an opinion before venturing their own, which often magically reflects that of the executive. Scenarios allow companies to break out of this trap by providing several established options, which can serve as a “political safe haven” for contrarian thinking.

Third, in large corporations there is typically a strong status quo bias. Scenarios can help challenge conventional wisdom when status quo-based assumptions may no longer hold true. Having alternatives built into the process provides a less threatening way to deviate from the status quo.

Fourth, scenarios are particularly useful in navigating the kinds of extreme events recently seen in the world economy, such as natural disasters, pandemics, terrorism, active shooters, or ransomware. Scenario analyses enable management to steer a course between the false certainty of a single forecast and the confused paralysis that often strikes in chaotic times. When well executed, they allow strategy to be based on a sophisticated understanding of probabilities that maximize the chances of a desired outcome.

Risk officers can lead scenario analysis discussions as a facilitator, but they can also help management understand the several ranges of potential effects and their likelihoods (both benefits and harms) under each scenario.

My internal audit team has also facilitated such discussions.

What do you think?

Misunderstanding what is effective risk management

September 9, 2021 10 comments

I want to commend Tim Leech for his persistence in pointing out how few organizations understand, let alone practice effective risk management.

In his latest post Tim reviews an EY publication, The Board Imperative: Is now the time to reframe. He comments:

New EY survey reports 84% of board directors don’t think companies they oversee have highly effective risk management….. EY has identified a big performance gap and a huge opportunity, but, in my view, not how to fix the problem/the way forward.

I agree.

But I have a somewhat different view from Tim (which may be more language than anything else).

Here are some good points made by EY:

  • A new survey of board members reveals that decisive action is required to optimize risk oversight and seize new strategic opportunities.
  • In the current uncertain environment, risk management has become essential to strengthen resilience and create sustainable value.
  • Boards have an opportunity to reframe their organization’s approach to risk management, but first they need to reconsider how the board itself thinks and acts.
  • Enhanced risk management has become a top priority for boards: 79% believe that improved risk management will be critical in enabling their organizations to protect and build value in the next five years. CEOs share this view. When asked which areas of the enterprise they expect will change most in the next three years, they ranked risk management first.
  • …boards [sic] members today believe that those responsible for risk management are too focused on downside mitigation: 80% say that risk and compliance teams need to find a better balance between mitigating downside risks and driving growth.
  • “Risk needs to be embedded in strategy conversations at the board level and also in what every business function is doing,” says Nick Allen, a Board Director at Lenovo Group. “You just can’t isolate discussions about risk.”

The problem I have with the EY perspective is that despite these comments they are still focused on managing or mitigating harms, and harms alone. They end the article with:

As the risk landscape around their organizations becomes more and more complex, board members need to ensure that their organizations are doing all they can to effectively identify, mitigate, manage and even predict new threats. That means getting proactive.

While it is clearly necessary to address potential harms, there has to be a balancing between the possibilities for harm and those for reward. Risk management should ensure people have the necessary information to make the informed and intelligent decisions necessary for success, knowing which risks and opportunities to take if they are to achieve their business objectives.

That requires that comparable information be available for both upside and downside effects of what might happen (which some refer to as uncertainty and others as ‘risk’).

Unfortunately, EY’s criteria for effective risk management don’t do this. So we have to consider their numbers on high performers overly optimistic.

To repeat two salient points from EY’s own publication:

  • …boards [sic] members today believe that those responsible for risk management are too focused on downside mitigation: 80% say that risk and compliance teams need to find a better balance between mitigating downside risks and driving growth.
  • “Risk needs to be embedded in strategy conversations at the board level and also in what every business function is doing,” says Nick Allen, a Board Director at Lenovo Group. “You just can’t isolate discussions about risk.”

What do you think? I welcome your comments.

Understand your own bias as a practitioner

August 16, 2021 7 comments

Alexei Sidorenko has shared an interesting article with the title of If cognitive biases in decision making are a given, how do risk managers overcome them?

I recommend it and like the infographic he has included.


But there’s a different issue, which he has not addressed in his piece: the bias of the practitioner.


Whatever your role, you have biases. These cognitive biases are likely to affect your own decision-making and the information you provide to leadership.

For example:

  • If you don’t like or respect a department manager, you are more likely (as an auditor) to rate his or her area as high risk and include it in your audit plan. You are also less likely to trust their controls and their response to any issues you might identify. As a risk officer, you might similarly be more likely to question their ability to identify and assess risks and opportunities.
  • If you like a department head, you are more likely to accept without question what they have to say. You are also more likely to listen to them and be willing to partner with them on assessments, corrective actions, and so on.
  • If you have had poor experiences in the past with a particular process or function, that will influence your attitude today – even if your prior experience was with another company.


We need to understand our own biases and how they affect our thinking, actions, and decisions.


We need to ensure they do not adversely influence the quality of our work.


Do you know your own cognitive biases?

Have you made sure they do not affect your work?

I welcome your feedback.

If you are interested in risk management

August 16, 2021 3 comments

There’s a great virtual conference coming up in October. Risk Awareness Week (RAW) 2021 is hosted by Alexei Sidorenko and will feature 30 or so excellent speakers including:

  • Hans Læssøe
  • Douglas Hubbard
  • David Koenig
  • Kurt Nelson

I will be speaking on the topic of “The board’s role in risk governance”, and others will dive into more detailed topics like:

  • Scenario planning
  • Business continuity
  • Resilience
  • Stochastic decision trees
  • Uncertainty
  • Risk-taking
  • Risk measurement fallacies

The 5-day conference is one I recommend and is quite inexpensive.

I hope to see you there!

How should the IIA change its Standards and other Guidance?

August 10, 2021 9 comments

The IIA’s Internal Audit Foundation is asking for practitioner member input. You can find the survey here on their web site. It is available through the end of August.

They say:

2021: Research Focus: Assessing Internal Audit Practices

The Foundation has selected this topic to gather perspectives and insights of importance in understanding the global practice of the profession and to understand the current relevance and potential improvements of the International Professional Practices Framework (IPPF) and International Standards for the Professional Practice of Internal Auditing (Standards).

Overall Study Objectives:

  • Assess internal audit practices at the internal audit activity and practitioner levels.
  • Understand the value and relevance of the IPPF and Standards toward ensuring internal audit effectiveness.
  • Ensure continued applicability and effectiveness of the IPPF and Standards.

I started the survey, but when I indicated that I was retired they threw me off because they only want the survey completed by “current practitioners”.

Of course, that will not prevent me from sharing my views – which I shall in this post.

I haven’t seen the questions, so I am making some general rather than specific points.

  • The Standards and other guidance require a “risk-based plan” (Standard 2010 – Planning), which I support. However, the Standards lead you away from identifying risks to the enterprise as a whole and towards risks to individual processes, business units, etc.

This is because Standard 2201 – Planning Considerations asks that the auditor consider “The significant risks to the activity’s objectives, resources, and operations”.

Standard 2210 – Engagement Objectives dictates: “Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment”.

The auditor needs to focus on the risks that matter to the enterprise as a whole, and not risks to individual activities within the enterprise. The auditor should strive to audit processes and related controls at an activity that could lead to a failure to achieve enterprise objectives.

  • In a previous iteration of the Standards, the word “should” was globally replaced with “must”. As a result, audits of certain aspects of the organization became mandatory. For example, Standard 2110 – Governance states:

The internal audit activity must assess and make appropriate recommendations to improve the organization’s governance processes for:

    • Making strategic and operational decisions.
    • Overseeing risk management and control.
    • Promoting appropriate ethics and values within the organization.
    • Ensuring effective organizational performance management and accountability.
    • Communicating risk and control information to appropriate areas of the organization.
    • Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management.

2110.A1 – The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.

2110.A2 – The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.

While each of these may be high risk, mandating them flies in the face of the risk-based approach.

The correct approach is to require auditors to consider these matters in their risk assessment and audit planning activities, including related projects in the plan when and where justified based on enterprise risk.

  • Several standards mandate work that is neither necessary nor of value. The IIA Standards Board should take a pencil in hand and delete them. We need every internal auditor to be agile, responding promptly to changes in business conditions and risks, and auditing at speed. Excessive bureaucratic red tape does not help you run fast.

For example, Standard 2200 – Engagement Planning states:

Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.

In my many years as CAE, I cannot think of a single audit where all of this was needed. I want my auditors to audit, not write a lot of documents.

Standard 2240 – Engagement Work Program is far too onerous. 2240.A1:

Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.

Why document all of this? I see little value in most cases. Let the auditors go!

  • The approach to risk management needs an overhaul and update, reflecting leading thinking on what constitutes effective risk management. Frankly, this is an area where the IIA seems to lag.

For example, the definition of risk management in the Glossary needs to go further. It defines it as:

A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.

What is missing is the link to decision-making. Risk management enables the informed and intelligent decisions necessary to achieve enterprise objectives.

  • I would like to see more guidance, including standards, that leads practitioners to limit their scope to what matters, audit at speed, and then communicate effectively and promptly.
  • A number of excellent Practice Guides and Advisories were developed in the past but are no longer available. That is unfortunate since the guidance was very good.
  • Recent GTAGs have been less than satisfactory. They should have never been issued. See previous posts on this blog for details.

I will leave it there. I am, however, open to discussing these and related questions with IIA leaders.

Please share your thoughts as well – with the IIA in their survey and here, as comments to this post.