Advice to the IIA on their draft Standards

A little over a week ago, I shared my report on the draft. I urged everybody not only to read the draft carefully and answer their survey, but to share their overall assessment directly with the IIA and on this blog site – so everybody can see  and consider all of them.

What you may not know is that I have been talking to the IIA staff and some members of the Auditing Standards Board for months.

Have a look at my post from September, 2022: Updated Internal Audit Core Principles. I said (note today’s highlights):

We should have a few principles for the IPPF’s principles.

1. 1. Effective internal audit in conformance with the Standards requires that all the principles are present and functioning.
   2. Present and functioning means that there are no major deficiencies in the achievement of the principle.
   3. Therefore, the only principles that should be included in the IPPF are those necessary for an effective internal audit function. A proposed principle is not relevant if it is not necessary, if internal audit can be effective in its absence.
   4. Achievement of the principles should not only be necessary for effective internal auditing, but also for the internal audit function to be a trusted partner of both management and the board.

And:

I would like your thoughts on these as a replacement and expansion of the principles around the valuable products of the internal audit function.

• • Provides constructive assurance, advice, and insight on what matters to the success of the organization, including the achievement of its enterprise objectives, when it is needed by management and the board.
  • Is forward-looking, focused on the effectiveness of the organization’s governance, management of risk and opportunity, and related systems of internal control in providing reasonable assurance of the organization’s current and future success.
  • Focuses on what matters to the success of the organization, the achievement of enterprise objectives, addressing both current and future risks and opportunities that might have a significant effect on its success.
  • Works with management, listening in a collaborative manner and exercising its independent, professional judgment, to promote improvement in the organization’s systems of governance, management of risk, and internal control.
  • Shares the results of its work through a combination of timely written and oral communications that are fair, balanced, concise, clear, and actionable.

Feedback from staff and leaders included:

“Thanks! Some great points.”

“Thank you for sharing… I shared it with the IIASB chair and staff.”

In emails about the issue of including agreed action plans instead of recommendations in the audit report: “We definitely agree with you, Norman.  We have had a couple of lengthy discussions about this topic and, while recommendations may still be a part of the process of getting to a final report, agreed-upon actions is definitely the goal.  We’re still working on how to best state that, recognizing that in some IA functions they are only asked for recommendations, but the best practice is to work with management on a solution that both agree manages the underlying risk to an acceptable level.”

In emails about the topic of enterprise risk-based audits: “That is our goal too, business objective based and risk based audit.”

This exchange over the last six months or so is why I am so disappointed in the draft that has emerged.

The people I have been talking to on staff and on the ASB understood and agreed with everything I said. Yet they have produced a long document that flies in its face.

They took a very long time to share what I consider a flawed document.

Rubbing salt in the wound, they have publicized it with great hoopla, talking about it being “a defining moment for the profession”.

How can they now walk it back, recognizing the need for substantial change?

PLEASE, join me in carefully reviewing, then sitting back and thinking about the draft.

Whether you agree with me or not, share your overall assessment with IIA staff at standards@theiia.org as well as here in the Comments.

The IIA survey is insufficient to capture whether the draft Standards meet the needs of the profession and should be published.

As with all audit reporting, the earlier the better so they can start work on corrective actions.

Thanks

Advertisement

Was Silicon Valley Bank a failure of risk management?

I have seen some unfortunate postings on social media and in the news. Self-appointed experts telling us what happened, why, and whose fault it was.

There’s a political battle going on as well, with people blaming federal government administrations, regulators, and so on.

I’m not going to get into that.

But I think it is important for governance, risk, and audit practitioners to understand the situation and its implications.

Here are some of the better pieces to read:

• Fortune: A risk management nightmare at Silicon Valley Bank
• Newswise: Op-ed: Silicon Valley Bank’s Failure in Risk Management
• com: Disastrous Risk Management Is Not the Fed’s Fault
• Forbes: Silicon Valley Bank Proxy Shows Board’s Secret Yearlong Risk Panic

X

Excerpts from Fortune:

“I think this is a colossal failure in asset-liability risk management,” Mark T. Williams, a former bank examiner for the Federal Reserve, tells me.

Williams is referring to actions that led to Silicon Valley Bank’s seizure by federal regulators on Friday following a bank run. It’s being deemed the largest institutional failure since the 2008 financial crisis. SVB is a major lender for the tech and venture capital sectors. But the bank didn’t have a chief risk officer for about eight months, Fortune reported.

SVB’s parent company, SVB Financial Group, disclosed on March 8 its big bet—it sold $21 billion of bonds, resulting in an after-tax loss of $1.8 billion for the quarter, Fortune reported. Many of those bonds were yielding an average 1.79%, far below the current 10-year Treasury yield of around 3.9%. SVB also disclosed it was conducting a stock sale worth $2.25 billion in an attempt to shore up its finances. But as my colleagues Anne Sraders, Jessica Matthews, and Kylie Robison write, this news caused panic among investors. On Thursday, investors and depositors tried to pull $42 billion from SVB.

“To prevent a crisis of confidence, SVB’s CEO and CFO should have relied more on an old-fashioned banking approach of diversification of its lending and deposit customers,” says Williams, a master lecturer in the finance department at Boston University’s Questrom School of Business. “Venture capital is a highly risky business. So not only did the bank expose its asset side of the balance sheet but also its liability side.”

“The CFO and, I would argue, the board failed to adequately protect shareholder value,” Williams says. “The board-appointed risk management committee, which works closely with the CFO, should have done adequate scenario analysis to examine the deposit withdrawal risk. That, in fact, was the bank’s downfall.”

X

Newswise:

SVB probably never imagined it could experience a run of $42 billion in a single day, accounting for about one-quarter of all deposits at the bank.

We now have a better glimpse inside as to what brought SVB down. Technically, the bank failed due to a liquidity crisis, i.e., a lack of sufficient cash inflows to sustain it during a period of significant cash outflows. Think about getting in your car to go to work and you hear a clunk, and the car just stops running. The mechanic tells you that you’ll have to replace the transmission for $5,000. Your heart sinks as you realize your checking account has $100 in it, your credit cards are maxed out and your family and friends won’t extend you any credit. That’s a personal liquidity crisis. Magnify that by billions and you get the idea of what SVB was dealing with when a good part of their depositor base evaporated.

One of the risks it seems SVB didn’t account for was the degree and speed by which its depositors would withdraw money from the bank upon hearing that SVB was experiencing a “cash burn” that required them to raise capital in an attempt to shore up losses from sales in investment securities that are held in the available-for-sale (AFS) part of the balance sheet. That announcement spooked investors and sent the stock spiraling down, precipitating the largest bank run of all time.

How did SVB get into this position? After all, it touted that it had solid risk management practices and effective controls in its financial disclosures. It turns out that things aren’t always what they seem on the surface. The company made several risk management blunders. The first was in placing large bets on interest rates. Bank balance sheets split assets into two groups, AFS, or those assets that firms expect to transact over some time and held-to-maturity (HTM) assets that are expected to be held for long-term investment purposes. HTM assets are held at book values while AFS assets are marked-to-market according to fair value accounting principles.

At the end of 2022, SVB reported $120 billion of investment securities, representing 55% of its assets, or more than double the average of all US banks. Further, three-quarters of their investment portfolio were in HTM securities, largely in U.S. Treasuries and mortgage-backed securities (MBS). While Treasuries and MBS are very safe investments from a credit risk perspective, they pose substantial interest rate risk. The weighted average duration of these investments was about six years, implying that if interest rates rose by 100 basis points (1%), the value of those securities would decline by 6%. In a low yield environment prior to the Fed’s rate hiking plan, the quest to ride the yield curve for income was very much in focus by banks including SVB.

The strategy was to invest a significant amount of deposits in the HTM portfolio where the investments would not have to be marked-to-market. However, the AFS side of the portfolio is subject to reporting unrealized gains or losses because of changes in the valuations of those assets that remain on the balance sheet. With interest rates rising quickly in 2022, the value of those assets declined (for bond portfolios, yields and prices move inversely) and SVB had to do something to stop the bleeding as those unrealized gains hit against the balance sheet, specifically equity in the form of accumulated other comprehensive income or loss (AOCI). It turns out that unrealized losses when reported under AOCI do not affect a bank’s regulatory capital but will affect their nonregulatory total common equity (TCE) ratio. SVB’s TCE ratio was severely dented by the steady unrealized losses it was sustaining and so was forced to sell AFS assets at a loss, thereby igniting the stampede to withdraw deposits once the word got out.

SVB maintained in its regulatory filings that it conducted regular and sophisticated market risk analysis and interest rate risk hedging activity. However, the amount of interest rate hedging was quite small in comparison with the AFS investments. Only $550 million in notional value of interest rate derivatives stipulated as interest rate hedges were reported at the end of 2022. And clearly their risk modeling didn’t anticipate the combination of interest rate and liquidity risk shocks it would face.

It seems apparent now that SVB’s liquidity risk management practices were deficient.  Best practice banks will employ a number of methods to understand the sensitivity of their liquidity risk profile to various shocks including contingency liquidity planning scenario exercises. The largest banks go further and are required to calculate the amount of high-quality liquid assets (HQLA) as a percent of stress net cash outflows over a 30-day horizon, referred to as the Liquidity Coverage Ratio (LCR). These banks also must calculate a similar ratio over a one-year horizon on the stability of their funding. But in the end, even if SVB had technically been compliant with LCR, (we’ll never know since they weren’t large enough to require LCR compliance) the size of the bank run would likely have resulted in the same outcome.

Poor Risk Oversight

Compounding SVB’s problems was an apparent lack of risk management oversight by the board and the risk team. SVB had a risk committee charter documenting all the components of risk management that should be in place to manage risk well. So clearly there was a disconnect between what they said on paper and their actions. SVB was without their senior most risk officer for about eight months in 2022 and only in January brought a new Chief Risk Officer on board. That leadership gap could have left the board and the risk management team in the dark on emerging risk in the portfolio and the poor strategy and practices put in place to manage their market and liquidity risks.

Another major issue that is pervasive across banking is the lack of risk expertise represented on bank boards. Most bank boards today are not equipped to challenge management on risks affecting the enterprise. Of the seven board members assigned to SVB’s Risk Committee, only one had any background remotely related to risk management and none, according to the information provided on SVB’s 2023 Proxy Statement ever held a senior risk management role such as CRO. This calls into mind how boards can ask the right questions of management regarding risks and mitigation strategies given the technical complexities of bank risks.

X

Forbes:

The repeated interest rate hikes over the past year have dented bond portfolio values. Many banks, including SVB, designate such investments as “hold-to-maturity” which allows them to avoid “mark-to-market” accounting and conceal unrealized losses.

Such background bookkeeping machinations only come to light when high growth ventures face tepid IPO markets and must draw on deposits. Their cash needs force poorly-capitalized banks to sell loss-laden holdings to generate sufficient liquidity.

Undoubtedly, such valuation woes may have placed SVB in momentary paper default positions throughout the year. The board and c-suite likely hoped, against market forces, for stabilization of their high-risk business model. The eventual March 2023 capital raise announcement ended the financial stagecraft and triggered the collapse. Simply put, SVB leadership failed its fundamental stewardship responsibilities.

X

The Investing.com piece is interesting, especially for the technical folk reading this. It describes how SVB didn’t hedge the interest rate risk enough. They said, quite bluntly:

SVB was not applying basic risk management practices and exposing its investors and depositors to a gigantic amount of risk.

Returning to the question in the title: was this a failure of risk management?

1. Clearly, there was a failure to understand and manage multiple risks. In hindsight, these are pretty obvious sources of risk.
2. There was a failure of management.
3. There was a failure of strategy setting.
4. There was a failure of board oversight.

X

Although I will wait for a full investigation to be completed by the regulators, my inclination is to blame:

100% the CEO. How can you be the CEO of a financial institution and not understand interest rate risk?

120% the CFO. This is basic stuff for a CFO.

80% the board, who are responsible not only for assessing the performance of the CEO and CFO, but in providing oversight of how they are running the bank.

I don’t know enough to allocate any portion of blame to others within the company, including the former CRO and the long-serving CAE, John Peters.

I am not sure that I would blame the external auditors. After all, the financial statements were probably correct, and we are not talking about a failure of the system of internal control over financial reporting. Francine McKenna (@retheauditors) will be commenting on this; I recommend watching for her analysis.

I’m tempted to put some of the blame at the feet of the analysts who monitored SVB.

X

You can call this a failure of risk management if you like.

Any corporate, even personal failure could be called that.

X

I think its more a failure to perform by the CEO and the rest. Poor decisions were made.

I don’t know any of the individuals involved, but I think questions must be asked as to whether they were the right people for the job.

X

What do you think?

The efficient and effective internal auditor

The IIA has released for public comment a draft update of its Standards.

I believe it is important for everybody who shares my desire to advance the internal audit profession and its practices to review and share feedback on the draft.

X

I took my time in carefully reviewing the draft, line by line, and then sat back to reflect.

Everybody should, in my opinion, do the same.

X

The IIA Standards Board, leadership, and staff spent most of 2022 working on this renewal of the Standards. I congratulate them on the significant changes, including some that I have been talking about for years.

I was looking forward to a document that would recognize and promote the development of efficient and effective practices around the world. One change that I am pleased to see they have made is the need to update the internal audit plan as conditions change, at the speed of risk and the business.

I was hoping that I could get behind a new set of Standards and promote it actively.

I am unable to do that.

X

Unfortunately, the IIA’s survey (which I was happy to complete) does not include a request to assess whether the draft should be approved, approved with minor changes, approved only after specific major changes are made, or otherwise.

X

I decided to write what is essentially an audit report to communicate my overall assessment of the draft and the specific major issues I have. I am using the word “major” in the same way as COSO: a deficiency that prevents the draft from achieving its purpose, its objectives.

With that in mind, I considered and included in the report what I believe the value of the IIA Standards, their purpose, should be. Then I assessed whether the purpose was met.

My overall opinion was not favorable.  You can download a copy of my report here. I have embedded a copy below this post.

I have a deserved reputation for being direct, even blunt. I have been that in my report, which I shared with IIA leadership as well as staff and members of the Standards Board.

X

As far as I can tell, and I have asked the IIA, they will not be posting the comments they receive, so I am sharing mine here. They have not voiced any objection.

I ask that you share your assessment of the Standards here, copying or linking any response (other than the survey), so we can all see and discuss each other’s thoughts. I expect the IIA staff and members of the Standards Board will be checking here to see what is said.

Please review the draft carefully. It is important.

Complete their survey and, if you have additional comments or want to share an overall opinion with them, the email is standards@theiia.org.

X

If you agree with my points and observations, I would appreciate your so informing the IIA as well as posting your comments in this blog.

If you disagree, please post your comments. X

I am especially interested in your thoughts on:

1. My statement about the purpose and value of the Standards.
2. Whether the draft Standards fulfil that purpose.
3. Your thoughts on each of my major issues. X

Thanks

X

PS – I am open to panel or other open discussions of the draft.

norman-marks-review-of-iia-standards-draft-of-march-2023-1Download

The President of RIMS talks about risk management

Years ago, I spoke at a RIMS conference in Seattle. While they have produced some excellent pieces of thought leadership (under the leadership of Carol Fox), I was struck at the time by the dominance of people with a background in insurance. The majority of speakers didn’t seem to understand enterprise risk management (the big picture) and the need to take risk for success. Their response to increasing levels of risk was to increase insurance coverage.

That has clearly changed.

RIMS has a new president who seems to “get it”. Jennifer Santiago was interviewed by Risk & Insurance and said:

At its core, my focus is always on maximizing opportunities while keeping a close eye on potential adverse risks and outcomes. Balancing the risks with the rewards has always been my priority.

To be successful, risk professionals can’t stand still and become complacent. We need to ​get ​out from behind our desks and driv​e​ intelligent risk taking within our organizations. We need to build capabilities around risk assessment and scenario planning ​so that we can ​strengthen organizational resiliency. We must build in resiliency and asset protection while also supporting opportunities that spur growth and innovation.

I love two aspects of this:

• “maximizing opportunities while keeping a close eye on potential adverse risks and outcomes. Balancing the risks with the rewards”
• “get ​out from behind our desks and driv​e​ intelligent risk taking”

This sound like [humble] me.

Is this also you?

I welcome your comments.

Managing the business risk that is cyber

I am pleased to announce that my latest book is now available on Amazon (see below).

The intent is to help business leaders and information security practitioners discuss cyber risk in business rather than technical language, enabling executives and the board to make informed and intelligent business decisions.

It’s not enough to say that cyber risk is “high” when there are so many business risks to address. It’s not enough to follow standards from NIST, ISO, or FAIR when they don’t help you understand the risk to the achievement of enterprise objectives.

Leaders need to know whether to invest more of their scarce resources into cybersecurity or satisfy competing demands for those same resources from other sources of risk and opportunity[1].

Should they invest their last million dollars into cyber, a marketing program, product development, employee safety, customer satisfaction, compliance, new cloud systems, an upgrade to their network, an acquisition, or other area?

How much investment is enough?

This is what four eminent reviewers had to say:

“With Managing the Business Risk that is Cyber Norman Marks has written a practical guide to the elusive concept of cyber risk. Addressing cyber risk as business risk rather than IT risk is pivotal to ensure proper understanding, prioritization and handling – an approach described in both tangible and actionable terms in this book which I highly recommend to anyone involved with managing a business.” – Hans Læssøe, retired Chief Risk Officer and author of Prepare to Dare and Decide to Succeed“

“Cyber risk has become one of the most critical issues facing many organizations today.  It is vitally important that directors, executives and managers understand not only the potential risks they might face but also the overall context of where cyber risk fits within the organization’s business objectives and its many other priorities.  Norman Marks has provided a most important analysis in this book and sets out how cyber risk should be evaluated and dealt with in a comprehensive and considered manner.  It should be read by all business people who may be affected or are concerned about cyber risks.” – John Fraser, retired Chief Risk Officer and author of Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives

“Norman’s new book provides a clearly presented, thoughtful, and accessible message that will help Boards better oversee all risks, including cyber. It should also help management achieve its objectives by more effectively understanding and managing all risks (including cyber risk). The book provides practical advice (highlights key takeaways), is accessible to a generalist audience, and is an engaging read (includes nice context through “war stories”).” – Joshua Rosenberg, risk practitioner

“Framing information security risks with a business context that enables good decision making is difficult to do well — this book fabulously shows how to do this. I hope that all business and technology executives can follow his example, to the benefit of their organization and their customers.” – Gene Kim, bestselling author of The Unicorn Project and co-author of the award-winning The DevOps Handbook and The Phoenix Project

As they say, the book should help those leading the organization and those in charge of protecting information assets talk the same business language.

Surveys tell us that board members find cyber risk the #1 most difficult one to oversee.

At the same time, Information Security practitioners report that they are not getting through to either the board or to business leaders, and are not receiving the support and funding they need.

If leaders don’t understand the risk within the context of running the business, how can they make an informed and intelligent decision about addressing it?

Availability:

Amazon, for some strange reason that I have asked them to correct, have the Kindle and Hardcover available on one web page (here), and the Paperback on a different one (here). Please check your Amazon marketplace as this may change.

Unfortunately, the hardcover is not available in every marketplace yet. It is available now in the US and may be added to other areas later.

Based on feedback over the years, I recommend a printed copy (paperback or hardcover) so you can mark up and annotate the book as needed. There are also charts and tables that will be more easily consumed in a printed copy.

[1] ISO 31000 advocates will remind me that “risks” include “opportunities”. But I prefer to make sure everybody understands the point.

We all need active listening skills

Whatever your role within the organization, the ability to listen, really hear, and understand others is crucial.

The concept of active listening takes the idea further.

Skills you need has an excellent article on the topic. I like what it says:

Active listening involves listening with all senses. As well as giving full attention to the speaker, it is important that the ‘active listener’ is also ‘seen’ to be listening – otherwise the speaker may conclude that what they are talking about is uninteresting to the listener.

Interest can be conveyed to the speaker by using both verbal and non-verbal messages such as maintaining eye contact, nodding your head and smiling, agreeing by saying ‘Yes’ or simply ‘Mmm hmm’ to encourage them to continue. By providing this ‘feedback’ the person speaking will usually feel more at ease and therefore communicate more easily, openly and honestly.

The article goes on to describe some of the techniques used by effective listeners. An easy search will turn up many more useful articles on the topic.

I saw this graphic that may be of interest.

But there is more.

You have to have the intent to listen.

I tell people that they should never go to talk to anybody. Instead they should go to listen.

Tom Peters and I discussed this in the context of “managing while walking around”. I suggested changing it to “managing while listening around”, and after thinking about it he agreed.

You have to have the intention and you need to make the time.

It requires patience and a genuine desire to listen and learn.

If you are talking to somebody more than 40% of a time, you are talking too much and not listening enough.

When I was trained in interviewing techniques (and also in interrogations – as part of a fraud investigation), I learned that you need to make sure you are listening not only to what is said but what is not said.

You need to continue to listen (usually by asking questions like, “what else should I know” and “you still seem troubled, what else is bothering you”) until the other person has said everything that is on their mind.

During a management training class, we covered active listening and I suggested (and the idea caught on) that we need to listen not only with our ears (and mind), but with our eyes.

If 70% – 90% of communications are non-verbal, the only way we can hear them is with our eyes.

Active listening is hard. I encourage everybody not only to study it, but to practice it again and again.

Use the techniques in every situation where you need to engage and hear.

But be careful using the techniques with your life partner. I have heard of somebody coming home from a training class, listening in a different way to their spouse and being accused of using something they learned during the class against their annoyed partner.

I welcome your comments – and please provide links to help others.

Another overlooked risk assessment problem

Following up on last week’s post, there is one major problem that I haven’t talked about before.

Too many want to quantify every risk in dollars (or other currency) as if they were equal. But they are not.

Maybe they avoid the trap of multiplying one possible impact by its likelihood. (That is wrong for several reasons, discussed elsewhere.)

But they still come up with some number of dollars for the level of risk that is not comparable to other sources of risk and cannot be aggregated with other risks and opportunities to develop the big picture necessary for decision-making.

The easiest situation to illustrate this is:

• Risk A: The risk that one or more major customers will not issue orders at the anticipated level is assessed with a number based on the potential revenue
• Risk B: The risk that gas prices will risk and increase the cost of both purchased materials and related freight; this is assessed with a number based on the potential change in cost.

These are not the same dollars.

How about this one?

• Risk C: The risk that a lawsuit will result in a verdict against the company, causing the company to have to make a massive payment (even if the lawsuit is settled). This time, the dollars are cash

Then there are these:

• Risk D: A product quality defect might lead to a loss of revenue and an increase in cost until it is resolved and customer claims settled. This could take as long as two months. Maybe the dollars are profit dollars this time.
• Risk E: The emergence of a new competitor could also lead to a loss of revenue, but this time the loss is prolonged and could even be permanent.

Or there’s this variation on Risk C:

• Risk C2: The risk that a lawsuit could result in continuing payments over ten years.

Even if the loss in C2 is discounted to present value, there is a huge cash flow difference that could be serious.

It is usually easier to handle a loss or payment that is spread over time than one that has to be paid immediately.

While some of these issues could be addressed by assessing every source of risk based on earnings (i.e., instead of revenue or cost), that doesn’t take into account:

• The ability of the organization to sustain the impact,
• The time it would take to detect (in some cases) and address the impacts, or
• The fact that it doesn’t make sense to assess risks like safety and compliance purely in dollar terms.

This is why I believe that risk should be assessed in terms of the potential effect on the achievement of specific enterprise objectives. Isn’t this what COSO ERM and ISO 31000 [should] say?

When the potential effect is assessed this way, it can be compared to other sources of risk and opportunity and included with others to develop the big picture for decision-making.

I welcome your thoughts.

Factors frequently overlooked in risk assessments

Assessing the level of any business risk is not nearly as simple as most appear to make it.

Just look at any risk register or heat map (or “risk profile” in COSO language, which is the same thing) and you will see a single point for each source of risk’s potential effect and likelihood. That is simply wrong, as there is almost always a range of potential effects from an event (such as a decision), and each point in that range has its own likelihood.

One of the problems I have with most risk assessments is that they seek to evaluate each source of risk in a silo, rather than considering the big picture.

I tackle this at some length in my new book (coming soon), Understanding the Business Risk that is Cyber.

One of the sections in the book is on something called the “tipping point”. This is an extract:

In the robotics example [a project discussed earlier in the book], the cyber risk was seen as reducing the likelihood of achieving objectives by 3%.

On its own, this might be acceptable.

But the cyber risk might take the likelihood of achieving objectives beyond the tipping point[1]. It is defined in Merriam-Webster as:

The critical point in a situation, process, or system beyond which a significant and often unstoppable effect or change takes place

Perhaps the board is willing to accept a 10% likelihood of failing to achieve an objective, and currently the risk of failure (considering all related sources of risk to objectives) is assessed at 8%.

But the robotics cyber risk would take the likelihood beyond the 10% limit.

In that case, the CEO would have to look at all the risks involved and determine the best course of action. It might be to invest in cyber; it might be to invest in a different source of risk; and, it might be to accept the more than 10% likelihood of failure.

It’s not about whether the cyber risk is “high”. It’s about whether taking it is the right option for the business.

Making a decision about cyber out of context is likely to lead to making the wrong decision.

This is one of the reasons I dislike the idea of quantifying a source of business risk in dollar terms.

An event, and every decision is an event, can affect the achievement of multiple objectives. Not only are there potential rewards to balance against adverse effects, but different objectives may be impacted by different amounts, at different times, and so on.

The effect on one objective might be acceptable, while the effect on others is not.

It may affect one objective immediately, and another in the longer run.

In addition, the decision may take the overall likelihood of achieving objectives beyond the tipping point.

The individual risk may be within approved risk limits (or criteria or appetite[2]), but the overall situation is now unacceptable.

Let me explain further with a hypothetical example.

The CEO is considering an early rollout of the latest version of the company’s product line. In a meeting of her executive team, she hears:

• There is a great opportunity to seize the market since our competitors are clearly lagging.
• An early rollout of the product line increases the risk that customers will not be satisfied with its quality. But the heads of Sales and Engineering both believe that the risk is at an acceptable level, within guidance from the board.
• The early rollout also increases the likelihood of a compliance failure, but the chief compliance officer and the head of engineering both believe that risk is acceptable.
• The CIO and CISO jointly warn that the rollout will increase cyber-related risk, but they believe the risk is acceptable.
• The General Counsel warns that there are pending legal issues related to the use of open-source code, but she believes that the level of risk is acceptable and in line with guidance from the board.
• The CFO comments that the rollout will strain working capital availability, but he thinks it is a manageable risk.

Each of these and other sources of risk to the business’ are within defined tolerances.

But the CEO looks at the big picture and is not happy taking the overall risk that at least one of these issues will bite the company, so focuses on a few of the individual sources of risk to see if they can be reduced before giving the go-ahead for the rollout.

We have heard for a long time that managing risk in silos is not a good idea, and that is why enterprise risk management was born.

Some continue to believe ERM is not a good idea[3]. I believe that managing each source of risk without seeing and understanding the big picture is the path to failure.

That is a major issue when it comes to cyber risk assessments – wait for the book to read more.

What do you think?

[1] Made famous by Malcolm Gladwell in The Tipping Point: How Little Things Can Make a Big Difference.

[2] By the way, I continue to have major issues with the idea that you can set an overall level of risk appetite, as it assumes you can aggregate all risks to a single number. The meaning of life may be 42, but that number has no practical meaning – just like most risk appetite statements.

[3] Some have repackaged ERM as “integrated risk management”, or IRM. I assume this is a marketing device, as there’s no practical difference.

How much to invest in a risk

You have a problem.

You are running for an elected office in a highly competitive race. After one of your excellent speeches, you are surrounded by reporters shouting questions at you.

You need to capitalize on the points you made in the speech by answering a few questions. Feeding the press and the media (especially the national TV stations) is an important and very valuable use of your time.

But you have a plane to catch to your next campaign stop, and your aides are already calling for your attention.

Maybe you can spend a few minutes and answer three or four questions.

How do you choose which questions from which reporters to answer?

It’s not an easy answer, You don’t want to automatically answer the first questions from the first shouting voices, because they may not be the topics you want to emphasize and may not be from the outlets you want to reach.

Fortunately, your team has prepped you. You know where your time will be best spent, where you will gain most value.

You know which point to feature and which reporter to call on.

You can make informed and intelligent choices.

X

Now let’s switch to a different scenario.

X

You are the CEO of a growing company and chairing a meeting to decide the allocations in the capital budget for the next period.

Instead of reporters clamoring for your attention, you have department heads pleading for your money!

“I need $10 million to fund a new marketing campaign. There’s an opportunity in the market we have to seize straight away. We expect it will drive up to ten times that amount in added revenue.”

“We need $20 million to upgrade our financial systems. They are old and are not providing the information we need to run the business effectively. The vendor is going to stop supporting them this year, so it is essential to move to the latest versions.”

“Our cyber defenses are weak, and the risk of a significant breach is far too high. We estimate it will take $12 million to acquire and install the necessary technology.”

“There’s an opportunity to acquire TBD Tech for $20 million. It will fill in a gap in our product line and they have some great people. We talked about this at the last board meeting, and it will enable us to continue with our strategic plan.”

More people are pressing their claims, but the CFO reminds you that based on cash flow and other projections, the capital budget will be limited to $50 million.

You will have to decide who gets how much of that scarce budget.

Fortunately, you have a risk function that has worked with each department head on their numbers.

While your competitors have been given risk registers and heat maps by their CRO, yours has worked with both operating and financial management to assess how each proposal will contribute to the achievement of the company’s targets for the year: things like revenue, market share, profits, share price, customer satisfaction, sustainability measures, and so on.

You can see whether it makes more business sense to invest in the marketing program or in ensuring compliance with proposed anti-money laundering regulations. You can decide between cyber risk and an acquisition.

X

Does your CRO and their team help you make these decisions, ensuring you have the necessary reliable information?

Or does the CRO tell you which risks, in their estimation, are more significant using some dollar quantification?

Are they helping you avoid icebergs or travel to your destination?

X

I welcome your thoughts.

WHY do auditors do that?

One of the most powerful words for an auditor is one of the shortest: “why”.

We should always ask an individual performing a control why they are doing it.

Even if we know why, if the individual doesn’t know why that can affect their ability to perform the control properly, on a consistent basis.

If their answer surprises us, it’s an explanation that is different from our understanding, it should be a learning opportunity – for us as well as them.

We should never accept an answer of “because they told me to do it this way,” or “because that’s the way we have always done it.”

Yet, when I ask internal auditors why they do things the way they do, I get those answers:

• Because that’s the way we have always tested a control.
• Because the IIA Standards tell us to.
• Because the regulators require it.
• Because the external auditors require it.
• Because the audit committee expects us to.
• Because my manager told me to do it.
• Because that’s the way it was done last year.
• Because it’s in the audit plan.
• Because it’s in the audit program.
• Because I heard it was required at an IIA conference.
• Because it’s accepted “best practice”.
• Because it’s in the budget.
• I don’t know.

None of these are good answers.

None of them will survive further investigation.

For example, the IIA Standards do not require a formal audit report. But why do we still do it? Where’s the value? Why do we still do it and spend a lot of time on it?

The audit committee may expect you to do things the way they were done before because they haven’t been shown a different, possibly better way. Show them, don’t assume anything.

Just because the directors sometimes ask for more detail doesn’t mean you have to include more detail (stuff they don’t need to know) in every audit report.

You may have been told the regulators or external auditors require something, but have you asked them and shown them an alternative?

The regulators may expect an audit report, but why do they need all the detail when they can see the workpapers? Ask them and show them a better way both for them and for you.

The external auditors may say they need something, but if they are not relying on it……

We should only do something if it adds value, and that value is to our customers in top management and on the board.

Our mission is to provide assurance, advice, and insight on the more significant sources of risk to the objectives of the organization.

Do what is necessary to achieve that mission, no more.

I have heard of companies that spend as much time writing, reviewing, editing, rewriting, etc. etc. an audit report as they do in the field.

Every hour saved is an hour that can be used to audit something.

The CAE and their team should ask:

• Why are we building an annual audit plan when we know it is 90% likely to change? Where is the value? If it’s in supporting the annual budget, what’s the least I can do? If it’s to meet the needs of the audit committee, explain alternatives like continuous or rolling plans. Why not adopt one of those techniques?
• Why are we spending so much time on workpapers? Where is the value? Do we need thorough and detailed supporting documentation for every engagement, especially when management agrees with our results? Is there really a regulatory or external audit requirement? What’s the least we can do?
• Why are we spending so much time on quality assurance? Is it really adding value? Is it changing the results of the engagement? Is it red tape that impairs staff morale?
• Why are we testing to many transactions? At what point do we, as professionals, have reasonable assurance that a control is or is not being performed consistently? We are not external auditors.
• Why are we auditing this? Is it truly a risk that matters? Is this a control that, it if it fails, would represent a serious risk to the business?
• Why are we not auditing that?

Why?

Why?

And Why not?

The more we ask, the better the answers and the more insight we should have on how we can deliver most value, the right value, at the lowest cost to our customers.

I am not saying that you shouldn’t write an audit report; I am saying that you should only when the person you expect to read it will believe that there is more value to their reading it than the time it takes (for them, and for you in writing it).

I am not saying that you shouldn’t prepare workpapers, but only do so to the extent that the value (honest value, where it saves time and money in the future) significantly exceeds the cost.

Why do anything if you cannot see and believe that the value to the organization and your customers exceeds the cost?

I welcome your thoughts.

By the way, I thank Jose Gabriel Calderon and his team for sharing a copy of Thing Again by Adam Grant. It’s a book about unlearning, something many practitioners need to do. I congratulate Jose for his willingness to listen to and try new and challenging ideas.

I also recommend that internal auditors study the Lean Methodology. Consider Lean Auditing: Driving Added Value and Efficiency in Internal Audit by James Paterson.

Risk during times of high employment and layoffs

These are very unusual times for the world economy. We have inflation that is deemed unacceptable by the reserve banks, and a number of companies with poor prospects are letting thousands of employees go. But, while it varies significantly by area, overall most countries have low levels of unemployment.

While some companies are laying off employees in droves, others are finding it hard to find qualified people for essential positions.

These represent times of different risks to the business than in the past.

They are also times where risk and audit practitioners can add huge value by helping leaders understand and address those risks.

I am talking about risks related to not having the people you need to perform critical internal controls.

Let’s consider these two situations. They are a little different, so I will start with the situation where your company is going through a layoff process.

I have to admit that I did not handle this issue very well when my companies decided they had to trim staff counts.

The first time was with Tosco. I had been there about three years (out of the more than a decade I enjoyed as their CAE) when the company, with board approval, determined that they needed to cut costs.

My priority was on protecting my staff. I cut my training and other costs but was forced by the audit committee to let one person go – a very sad day.

While I worried about how the rest of the management team was going to handle the layoffs, I was assured by the CFO and others that they were being careful. They would make sure all critical areas remain adequately staffed. I trusted them (without, in hindsight, doing enough to confirm the trust was justified), and fortunately our later audits did not find that the layoffs had adversely affected operations or key controls.

Solectron was the next company that let a lot of people go. This time, I was very concerned as the dictate was that every department had to release 10% of its staff. There was no concern for risk, no concern for using any kind of judgment on where the company could afford to let people go.

I was allowed to satisfy the monster by agreeing not to fill open positions, but the blanket cuts made no business sense to me.

So I asked for a meeting with the CFO and shared my concerns.

He got angry and told me that the decision had been made by the CEO and it had been approved by the board. He wouldn’t listen to my argument that it would be better to take a risk-based approach, understanding where we could and could not afford layoffs.

I talked to the chair of the audit committee. He, at least, listened. But he told me the decision had been made and I should let it be.

I didn’t have a good relationship with the CFO, as he wanted to control me and I refused to allow it. This altercation didn’t help – but I am satisfied that I did the right thing by talking to the CFO and audit committee.

Looking back, though, it wasn’t enough. I will explain later why. But I will say that the company had to rehire several people it couldn’t afford to lose.

Maxtor, my next company, also let people go. But their management team was far more capable and I was comfortable, after talking to them, that they were minimizing layoffs and being very careful not to impact operations or key controls.

Again, I might have done more.

At Business Objects, I did do more – but the situation was different.

This time, the company had announced that it had agreed to be acquired by SAP. Many people decided they didn’t want to work for SAP, which was perceived as a less entrepreneurial company, and they were leaving.

My team obtained weekly reports that showed who had tendered their resignation, and called the managers of those areas to discuss how the risks and controls would be addressed.

That is the step I wish I had taken in my earlier positions.

X

The situation is a little different for a company that is finding it difficult to fill open positions.

The risk is similar: that there are insufficient competent and experienced people to manage risks and perform critical controls.

I didn’t have this occur during my (long) career, but my advice for the audit teams in such organizations is to find out where the open positions are. Then discuss with management of those areas how they are addressing risks and performing controls in those areas.

• Get reports that show who is being let go, who is leaving, and what positions are open.
• Consider the risk that key controls will not be properly performed.
• Discuss with management how those risks are being addressed.
• Where multiple people in an area are leaving, consider whether there is a management problem.
• Where positions are remaining open for an extended period, and this represents a serious risk to the business, explore why. Should management take a different approach?

X

This is a great opportunity for risk and audit practitioners to add great value.

It is also an opportunity for the two to form a partnership.

Most risk practitioners, in my experience, don’t have the bandwidth (sometimes they also don’t think of it) to assess the likelihood that controls relied upon to manage risk at desired levels will fail. They tend to assume that controls are effective.

They can partner with internal auditors to upgrade their insights.

The information obtained by internal audit can be used to fuel risk discussions with management and upgrade risk reporting.

Similarly, when the risk practitioner learns about related issues, they can inform internal audit who can dig a little deeper.

X

What do you think?

I welcome your thoughts.

The agile organization

On my flight to meet with internal auditors at their company’s annual IA conference, I sat next to a partner in the advisory practice of Deloitte. He helps the finance organizations of his clients in a number of interesting ways, including process engineering.

One of the types of projects where he is asked to assist is the implementation of ERP systems. The concern of the finance team is that their interests would be insufficiently addressed during the 2-3 year project.

I can understand that some companies may not have the bandwidth or the expertise in-house and go to one of the large accounting firms, like Deloitte, for help. (I asked about other firms, such as Accenture, and he confirmed that they are also a major player.)

What I have more difficulty with is the idea of a 2-3 year ERP implementation.

How can we be confident that we know what the business will look like, and what our needs will be, in 2-3 years?

Organizations of all stripes (private, public, government, NGO, etc., etc.) and in all industries need to be agile.

They need to be able to react promptly and with confidence, if not anticipate, change.

If I was on the board of a company where management told us that they wanted to take such a long time to implement a new system, I would be highly agitated!

ERP systems cost a ton of money, and I would challenge management:

• Can the business wait two or three years to have its IT needs met?
• Won’t those needs change over that period?
• Will there be an acceptable return on investment for the project?
• Isn’t there a better, more agile way to meet our current and future needs?

As an executive, I would be asking the same questions.

As head of internal audit, I would sit down with the CEO and share my concerns.

If we are not agile, we may perish.

The IT industry is moving towards faster delivery of services, using methods like DevOps.

Amazon Web Services (AWS) explains:

DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enables organizations to better serve their customers and compete more effectively in the market.

I attended a conference in Las Vegas last year organized by Gene Kim of IT Revolution and was excited by the progress I heard from companies using DevOps.

If you want to learn more, I recommend Gene’s website and the book he wrote with Kevin Behr and George Spafford, The Phoenix Project.

Don’t let IT stop your organization from being agile, ready to change as the environment changes.

In fact, consider whether your management team (and board) are sufficiently agile to survive.

I welcome your thoughts.

Wasting money with audit reports

This week, I had the privilege and pleasure of spending time with a number of smart and curious professionals who are dedicated to adding value to their organization.

I am talking about internal auditors, of course.

I was a speaker at a multi-national company’s annual internal audit conference (something I enjoy doing). I touched on a number of themes from my book, Auditing at the Speed of Risk with an Agile, Continuous Audit Plan.

The attendees not only asked me about some of those themes, but we discussed other topics, some of which I will cover here today and in later posts.

X

My topic today is the significant time and money wasted by internal audit functions when it comes to audit reports.

As we know, the IIA’s Standards do not require a formal, written audit report – even though almost every function prepares them.

Writing, reviewing, rewriting, debating with management, amending, re-reviewing, and then publishing an audit report can take a lot of time. My teams might spend anywhere from 10 to 50 hours on the task. I have heard of others spending as much as 600 hours on their average internal audit report.

If you say that the average internal auditor’s salary is about $90,000 (based on Accounting.com figures) and you add about 30% for benefits and other costs, the average internal audit hour (based on 2,080 productive hours per year) costs roughly $60.

That puts the cost of an audit report, in addition to the cost of planning and performing an audit, at between $600 (my minimum) and $36,000.

What is the cost of a typical audit report in your organization?

Now let’s consider whether the value exceeds the cost.

The value should be expressed from the perspective of the organization, in this case that means our customers and stakeholders.

There are essentially three groups:

• Operating management, including process and control owners, and their direct management
• Senior and executive management
• The board of directors, especially the audit committee

When it comes to the first group:

1. The audit team should have discussed any potential audit ‘findings’ with them as they arise, certainly by the end of that week.
2. Any issues are again discussed, this time with a broader group including some levels of management, at the Closing Meeting.
3. They should already be working on corrective actions as needed.
4. They will derive little value from seeing the same information in the formal audit report.
5. Their interest in the report will be focused on whether they are being treated fairly, and whether the report is inconsistent with what has previously been discussed.
6. If useful, send the group a memo confirming the issues and actions agreed upon at the Closing Meeting. Then you don’t have to worry about using the formal audit report for that purpose.

There really is little value in the final audit report for that group.

X

The second group will not have been at the Closing Meeting, so they will neither know what the audit assessment is nor whether there are issues of significance.

The value to them is in the communication of information they need to know to perform their jobs.

The value is in what they need to know, rather than what internal audit wants to say.

What do they need to know?

• Are there any issues that represent an unacceptable level of risk to the business and the achievement of its objectives?
• Is there anything they have to do?
• Are their teams taking appropriate corrective actions?
• Can they rely on their organization, people, processes, and systems to perform as needed for success?

There is value in providing that information.

But they don’t need to read, in the audit report, about issues that don’t represent a risk of significance.

In fact, cluttering up the audit report with stuff they don’t need to know reduces the value of the report. It makes it harder to consume.

If you only tell them what they need to know, when they need to know, they will listen.

But if you are constantly telling them stuff that is not relevant to their success, they won’t necessarily listen when there is something important they should know.

Tips:

• Tell them what they need to know when they need to know. If its important, it can’t wait until the report is perfect.
• Eliminate the stuff they don’t need to know. It is wasted, even negative value space.
• Make it easy for them to read and understand what they need to know. Don’t hide it among a pile of trivia they don’t need to read, such as who did the audit, whether it was performed in compliance with IIA standards, what the objectives were, whether there were other issues, whether prior minor findings have been corrected, etc., etc., etc.
• Recognize that the best communications (and the report is a communication device, not documentation of the work that was done) take very little time.
• The best reports are less than one page, with attachments that are optional reading.
• Don’t spend $36,000 to issue an audit report.

X

Then there’s the audit committee of the board (and perhaps any compliance committee).

They need even less than top management, although their needs are very similar.

• Are there any issues that represent an unacceptable level of risk to the business and the achievement of its objectives?
• Is there anything they have to monitor themselves?
• Can they rely on the executive team?
• Can they rely on their organization, people, processes, and systems to perform as needed for success?

The same tips apply.

X

Now that we have an idea of the value, we can decide whether internal audit reports cost more than they are worth.

Can and should they be streamlined, so that the cost is lower and (especially) the time to deliver the information people need is fast?

You can’t consider your internal audit function as agile if important information is delayed.

Information loses value as it ages.

So re-examine your audit reporting process. Eliminate non-value work.

Consider doing more communication to leaders face-to-face, as that stimulates constructive discussions about the issues, their implications, and any necessary actions. It also speeds up the communication process.

X

I welcome your thoughts.

Internal Audit and ESG: My Opinion

I have seen several articles and blog posts lamenting the apparent fact that internal audit teams are not spending a large percentage of their audit plan addressing ESG risks.

CIO.com defines ESG as:

Environmental, social, and corporate governance (ESG) is a strategic framework for identifying, assessing, and addressing organizational objectives and activities ranging from the company’s carbon footprint and commitment to sustainability, to its workplace culture and commitment to diversity and inclusion, to its overall ethos regarding corporate risks and practices. It’s an organizational construct that’s become increasingly important, especially to socially responsible investors who want to invest in companies that have a high ESG rating or score.

The three main pillars of ESG include:

• Environmental commitment: This includes everything around a company’s commitment to sustainability and the impact it has on the environment, including its carbon emissions and footprint, energy usage, waste, and environmental responsibility.
• Social commitment: This covers a company’s internal workplace culture, employee satisfaction, retention, diversity, workplace conditions, and employee health and safety. Companies with happy and healthy employees perform better and are viewed as a stronger investment.
• Corporate governance: A company’s commitment to governance includes compliance, the internal corporate culture, pay ratios, the company ethos, and transparency and accountability in leadership. Investors are interested in companies that can keep up with changing laws and regulations, and that have a commitment to equity and equality in the workplace.

My reaction is similar to what it was when I read opinions that internal auditors were not spending enough time on cybersecurity.

I even saw one post by an eminent (and unnamed) thought leader that pointed out that while internal auditors saw cyber as perhaps the top risk to their organization, they were only spending 10%-15% of their time on it. They were spending more time on financial, compliance, and other operational risks.

My principle is this: perform the audit engagements that address the more significant risks to the organization and its enterprise objectives.

You can do a great deal with 10%-15% of your audit resources!

X

When it comes to ESG, we need to recognize the huge breadth and depth of it.

It is much more than sustainability or corporate social responsibility (CSR).

It’s not something you can say you audit in totality. At best, you can audit elements.

Much of it is not new, and governance is covered in the IIA’s Standards as an area requiring consideration when building the audit plan.

X

My friend, Dr. Rainer Lenz (whom I am looking forward to meeting at a company’s annual internal audit team meeting next week), has written a piece with Florian Hoos on the issue: The Future Role Of The Internal Audit Function: Assure. Build. Consult.

He says:

[Richard] Chambers recently raised “a red flag” by pointing out that internal auditors have been unduly placing Environmental, Social, and Governance (ESG) risks on the back burner. Internal auditors currently do not play a significant role as assurance providers and are absent from potential advisory services about ESG – on both sides of the Atlantic. We diagnose an “ESG helplessness syndrome.” Like in the world of animals, the internal audit function is in a state of freeze response when it comes to ESG topics. The ESG challenge is so big, and the threats for the role of the Internal Audit Function (IAF) are so real, that the profession reacts like animals in the face of a threat: they freeze. We discuss and challenge the professional demand for “objectivity” and “independence” in the ESG context as they might represent obstacles to the IAF playing a significant role in the ESG agenda. We suggest practitioners consider widening the repertoire of internal auditing. We suggest an ABC-Model © of Internal Auditing, adding “Building” as a new third pillar of internal audit value creation which complements the traditional assurance and consulting services. We encourage internal auditors to become “builders” when tackling the ESG challenge in their respective organizations. Metaphorically speaking, we borrow from Yvon Chouinard, the founder of Patagonia which is often used as an ESG role model company when we suggest “Let Internal Auditors Go Surfing” as our call to action.

Later in the piece, they say:

ESG seems to be far from being well integrated into the internal audit function’s work. Referencing the World Economic Forum and other organizations, [Richard] Chambers concludes that “overall, ESG is one of the fastest-growing risks this year (…)”; “a top risk for 2023”. At the same time, his survey among 188 CAEs and internal audit directors in organizations based primarily in North America show that ESG risks are at the bottom of their priority list for 2023 audits, with significantly lower priority than for instance cyber and data security, attraction and retention of talent, macroeconomic conditions, regulatory changes, supply chain-related issues, etc.

Let’s think about this.

1. ESG is not “a risk”. It is something you do. But you can have risks to the ESG-related objectives of the enterprise.
2. Talent management and compliance are part of ESG. Saying that they get more attention than ESG makes little sense to me.
3. Surveys are telling us that while organizations may be giving more attention to ESG today than in the past , they have started to lower their related investments given the change in economic conditions.

If management and the board have not given a priority to ESG, and by that I am referring to the social responsibility elements, and included it in the objectives they set for the period, why should we be concerned that internal audit is doing the same?

Should internal audit be the conscience of the organization?

No.

We can make sure the board and top management understand the risks that a failure to be socially responsible can mean to their success.

But it is not our job to tell them, bluntly, that they are making a mistake.

Our job is to provide assurance, advice, and insight.

The emphasis here is on advice.

But when management and the board set objectives, we can provide assurance as well.

For example, some years ago I visited the internal audit leadership of Adobe in San Jose, led by Eric Allegakoen. In the reception area, there were multiple displays showing the clean energy and other sustainability achievements of the company. Eric told me that his team audited and provided assurance on related reporting, some of which was included in public filings.

Rainer goes much further. After discussing and trying to set aside obstacles like objectivity and independence, he and Florian say:

We advocate that addressing ESG may be an opportunity for internal auditors and the internal audit profession to consider going beyond their core remit of rendering assurance and consulting services, to help building an ESG program – before it can be audited (by external auditors, as seems likely).

On the ESG journey, internal auditors can be most valuable as co-creators, as builders, as members of the ESG team.

When I first read this, I thought they were going too far by talking about internal audit building anything. That is a management responsibility! But then they say:

We see potential in positioning internal auditors more clearly as enablers of learning and change. We regard a promising path forward to be overcoming hurdles, including those set by professional demands for independence and objectivity. The more effective internal auditor can be “a hinge, a connector, a relation facilitator”.

Not only do I accept that, I don’t think it is anything new!! It’s just the advice part of our mission!

CAEs and their teams have been champions and enablers for many things over the years, including:

• Risk management
• Information security
• Controls over derivative trading
• Controls and security over new computer systems
• Whistleblower and ethics programs
• And much more

Here’s my take on the topic:

1. ESG is about paying more attention to the role of the enterprise in society.
2. ESG is a broad spectrum of activities and related processes and activities.
3. Internal audit should be aligned, where possible and practical, with management and the board.
4. When the leadership has established ESG-related objectives, risks to those objectives should be considered when developing and maintaining the audit plan.
5. When leadership has not established ESG-related objectives, the CAE should work to understand why not. This may be an opportunity to lead a discussion among the management team.
6. Internal audit should be a champion when that is the best use of their time. (There are so many issues to champion, so our time should be prioritized.)
7. Internal audit should build and maintain an audit plan that addresses the most significant sources of risk to the enterprise and its objectives. They may or may not include ESG-related issues.
8. If management and the board have not prioritized ESG, we should be careful about prioritizing it ourselves at the expense of other areas that they have prioritized.
9. It would be better to break down the topic into meaningful parts, such as environmental compliance, human capital management, compliance, sustainability, and so on.
10. Focus on what matters to your organization, not what others are doing.

I welcome your thoughts.

When the IS auditor identifies a lack of segregation of duties

Chinmay Kulkarni has asked people on LinkedIn a question that appears to be from the ISACA Certified Information Systems Auditor (CISA) exam. He posted (I have included the current poll results, with 941 voting):

CISA Question 3

As an IS auditor, what is the FIRST step you will take upon identifying lack of segregation of duties [“SOD”] within the organization?

Document as audit finding 18%

Implement SODs 7%

Review Compensating Controls 46%

Review Access Controls 30%

I am not a CISA, although I could have “grandfathered” into it when ISACA first set up the CISA certification.

One of my problems with these exams is that I always question the question, and frequently think the available answers are wrong. (I was able to pass both the UK’s Chartered Accountancy and the US CPA exams.)

I have a problem with the available answers to this question.

1. Document as an audit finding

The auditor has “identified a lack of segregation of duties,” but:

• Has the auditor confirmed the facts with management?
• Does the auditor understand whether it matters? Where is the risk? Even if there is a deficiency, does the risk justify corrective action? If so, there is no “finding”.
• Does management already know? Have they assessed the risk and believe it is acceptable, given the cost, etc.?
• Are there other controls over the risk? Maybe controls within the business or elsewhere are being relied on, not the ones the auditor is considering.
• Compensating controls may reduce the business risk, but by how much?

I have seen a couple of situations where an external auditor came to me (I was the head of internal audit) to inform me that there was an issue with segregation of duties. In the first case, he said individuals in China’s HR department had access to SAP payroll, so they could add and then pay a fictitious employee. However, the company did not use SAP payroll in China. In the second, a different auditor said there were individuals in China who had the ability to post an inventory adjustment to cover up the theft of inventory and hide it further with their ability to post a GL entry. I questioned him and found out that the inventory in question was in Romania while the employee and the GL were in China. There was no real risk.

Moving directly to documenting an audit finding is not a good option for the first step the auditor should take.

In fact, depending on the organization, the IS auditor should discuss the issue with the team lead or audit manager as a first step – which is not an option provided in the question.

2. Implement SODs

The auditor doesn’t implement segregation of duties or any other control for that matter. If that is to be done, it is done by management.

3. view compensating controls

As noted above:

• There may not be a business risk justifying corrective actions.
• The auditor hasn’t confirmed the facts or their implications.
• The business may not be relying on these controls, but on controls within the business, (Technically, these not compensating controls. They are the primary controls and are not designed to compensate for any SOD deficiency.) In fact, it is possible that the controls tested should not have been in scope for the audit!

Of all the options provided, this may be the best but it is seriously flawed.

4. Review access controls

I am flummoxed! How do you determine that there is a lack of SOD if you haven’t already assessed access controls?

If I was presented in an exam setting with these four options and had to choose one, I would go with #3.

But in real life, I would have an issue with any auditor who hadn’t first made sure of their facts, discussed the issue and its implications with management, and confirmed this was a real business risk that needed to be addressed.

What do you think?

The risk is assessed as high. So what?

While there may be a debate whether risk should be assessed using qualitative or quantitative measures, I believe that is answering the wrong question.

Knowing what the level of risk is, even whether it is an unacceptable level of risk, is insufficient information.

It doesn’t answer the questions of:

1. Should I take the risk?
2. How much should I invest to reduce the level of risk given the opportunity cost? (Assuming the best business decision is not to take more!)

These are simple questions to ask, but not so simple to answer.

They are essential questions to answer.

If all you wanted to do was to avoid risk, you would never buy a house, cross the street, drive a car, or get married.

There are reasons for doing all of these in our personal life, and there are reasons for taking risk in our business life.

People talk about risk management enabling decision-making and go on to talk about whether the level of risk is acceptable (using terms like risk appetite, limits, and criteria).

But in real life, whether personal or business, you need to answer both of my questions.

Resources are limited.

Every penny spent to mitigate one source of risk is a penny that cannot be spent mitigating another source of risk.

Every penny spent on mitigating risk comes at the expense of investing in opportunity.

Is it any surprise that surveys of CIOs report that they prefer, overall, to spend their limited budgets on new systems rather than on cybersecurity? They can see both the risk and the reward of each alternative use of scarce funds.

So I end this short post with another question:

Is your risk management activity helping executives and board members know which risks should be taken, and how much should be invested in each of the following?

• Cybersecurity
• Regulatory compliance
• Safety
• Marketing
• Product development
• Employee morale and development
• Sales
• Acquisitions
• And so on

I try to provide something of a roadmap to answering my questions in my various books. I am currently working on one (due out next month) that is intended to help executives and board members figure out how much to invest in cyber.

I welcome your thoughts.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

There seems to be some confusion about this post. Let me clarify with an example.

At Tosco, our Marketing division (which operated about 6,000 Circle K convenience stores and and Union 76 gas stations) had a monthly meeting of its executive team to review and approve capital spending requests. They ranged from $10,000 to $10,000,000.

Management at lower levels would prepare a request that would be reviewed by a team in Finance to make sure that the numbers were correct. Let’s assume (because I don’t remember) that each had a section on assumptions and risks.

A request could come from any one of the stores (such as spending to improve the facility that would generate revenue or improve compliance), or from any of the corporate functions (such as IT, Marketing, and so on).

Each month, there could be fifty of more requests.

The management team had to decide:

• How much, in total, could they spend
• Which, if any, of these requests would generate an acceptable return
• How they should allocate the available funds among the requests
• Whether any of the requests should be partially funded or modified
• Whether they should defer spending, even on ‘profitable’ requests, to save funds for requests they knew were coming, or because there was uncertainty about cash flow, etc.

Coming up with a risk quantification (a number or a range) for each request is only a step in the process. It is not sufficient to evaluate each request by itself. The business decision is complex and requires judgment as well, considering the big picture not just the pieces.

I hope that clarifies my point.

Do your leaders see the big picture, or just pieces?

Let me share a story (based on a real event) that you are watching on multiple monitors.

On the first screen, management of the company’s largest oil refinery are planning a major capital project to build a new processing unit. One of the refinery’s existing units produces not only highly valuable jet fuel, diesel, and gasoline, but also a variety of medium and low value byproducts (“midstream”). The new unit will reprocess the low value midstream products and convert them to medium value midstream or even gasoline and diesel.

You can see the refinery’s risk officer consulting with the management team. He is helping them with safety, compliance, and a variety of other sources of risk to the project.

The second screen shows the trading floor, where management is monitoring both the prices they will have to pay for the crude oil that is the raw material for the refinery, and the prices that the different products of the refinery can obtain in the market. You can see the trading floor risk officer, monitoring futures and derivative trading and other risks.

In response to a question from refinery management, the traders share the projected prices for the range of products that the new unit will produce.

Using that information, refinery management designs the new unit to generate the optimal mix of products.

Screen three has the financial team preparing forecasts for the rest of the year. They get a projection from refinery management that includes when the new unit will come online, its operating costs, and projected revenue.

The fourth screen shows the Treasury department. They are managing short-term investments and cash flow, based at least in part on forecasts and projections from Finance. The Finance risk officer is tracking and reporting currency, interest, and other sources of risk.

Four months pass.

Turning your attention to the refinery, you see that excellent progress is being made. The new unit is close to 70% complete. It is on schedule and on budget. The refinery risk officer is reporting that all remaining risks are within acceptable limits.

The traders continue to monitor raw material and product prices. They decide to change their derivatives trading strategy, as they are seeing a significant shift in the market.  Product prices are shifting. The low value midstream products are increasing in value, while prices for gasoline and the medium value byproducts are falling. But while they (with the help of their risk officer) report that to senior management, they are focused on their own operations. They optimistically project no change in revenues, although there is a significant possibility that total revenues will fall.

Finance and Treasury continue as before.

Another two months go by.

The traders raise the alarm that revenue is dropping. Product prices have fallen steeply and are not expected to come back in the near future. They apologize for not warning everybody earlier.

Finance hurries to update the forecast and the executives meet to decide whether to change the projections they have shared with analysts and others.

Management at the refinery are innocently continuing to work on completing the new unit, which is scheduled to start operations in thirty days. Everything is looking good.

Meanwhile, Finance has shared its updated forecast with Treasury. With the drop in projected revenue, Treasury alerts the CFO and top management that cash flow is drying up. They will have to cut back 100% on capital spending, at least for the next month or more.

You see the CFO meeting with the refinery manager, asking him to defer any capital spending for three months. Words are exchanged, and the CFO is told that the money has already been committed on the new unit. Canceling or deferring the remaining construction will delay opening by three to six months, increasing costs, and reducing revenue.

The CFO replies that there is no cash to spend, and he cannot obtain new funding quickly.

Reluctantly, the refinery manager calls in his team and they figure out how to cut back work on the new unit.

Three months later, the executive team meet to celebrate the opening of the new unit.

However, refinery management and Finance tell them that it will not generate the anticipated return on investment that had been expected due to the change in product prices.

The refinery manager informs the CEO and the rest of the executive team that had they known, months earlier, that the prices for the mix of products of the new unit were changing, they could have modified the design. They could have made some adjustments to increase the volume of what were now higher value products.

But they didn’t know. Nobody told them, and they didn’t ask.

The Lesson Learned

People talk about the problem created when risk is managed in silos. That problem is what enterprise risk management (ERM) is intended to address.

But while it is true that risk is interconnected and so on, I would express the problem differently.

In this tale (again, based on a true story from my time at the oil refining and marketing company), the company was being managed in silos.

I have seen this time and time again.

When management is managing just their piece of the puzzle, they may optimize that piece at the expense of the whole picture.

I have seen:

• Two divisions of one company competing against each other for the same contract
• The three business units of another company fighting against the CIO’s proposal for a company-wide ERM. As a result, each business unit purchased their own systems that were not connected or integrated in any way.
• A factory that made enclosures for the company’s products deciding to sell them to a third party instead of their sister factory. The enclosure factory generated more revenue but forced their sister to purchase their enclosures from a third party at much higher cost.

When we see this, we need to ensure top management and, if necessary, the board know what is happening.

Managing the company in silos, perhaps enabled by addressing risk in silos, is a serious inhibiter of success.

Is this something you see in your organization?

I welcome your comments.

Internal audit and risk management

The results from my recent survey (thanks to the 75 internal audit practitioners who responded) are interesting. (You can see the results of the earlier survey here.)

First, I will review the answers about auditing risk management.

Q1: Does your internal audit function audit the organization’s management of risk?

62 (83%) indicated that they do, in one form or another. That’s good news.

Skipping the next two for a moment:

Q4. If you audit risk management, which of these is your approach? Check all that apply.

• 37 (50%) said “We assess whether risk management practices meet the needs of the organization for decision-making”. That is my favorite answer.
• 42% (56%) audit compliance with policies and procedures. Maybe necessary, but not sufficient IMHO.
• 29 (39%) assess the accuracy of management’s risk reporting. I have an issue with this if internal audit is seen as knowing better than management what the level of risk is. It’s also a moving target, so I would have to see what these functions are doing.
• 22 (29%) use a maturity model. I like this approach and included one in Risk Management for Success.
• 36 (48%) use a standard or framework:
  • 16 use the ISO 31000 risk management standard
  • 13 prefer COSO’s ERM Framework
  • 7 use a different framework

Q5. If you don’t audit risk management, why is that? Answer all that apply.

• 12 said there is no risk management function to audit. However, IMHO that just changes the audit. It shouldn’t be an audit of the function; it should be an audit of how well management addresses risks to objectives.
• 7 said they don’t have the support of management for such an audit. I don’t think that should be a sufficient deterrent.
• But 7 said they don’t have the support of the board! I hope the CAE made sure the audit committee understood why this is a problem.
• 5 said that other functions, such as the external auditor, assesses risk management.
• 5 said it’s not a priority. Hopefully, that’s because the CAE has confidence (such as from a prior audit) that the risk of poor risk management is low.
• 3 don’t have sufficient experience. I hope they work around that.
• 1 doesn’t have the budget. Hopefully, the CAE is discussing that with the audit committee.
• 9 cited other reasons.

Going back to the second question:

Q2. Who completes the risk identification and assessment that management and the board rely on? Answer all that apply.

This is a question that will interest Tim Leech. The answers will probably surprise him as much as they surprised me!

• 19 (25%) said management and the board rely on internal audit’s assessment. I am surprised that it’s so many, and Tim will be surprised that it’s so few. Risk assessment is a management responsibility, and the CAE should be telling the board and CEO that this is a huge problem. As CAE, I would not be comfortable if management relied on my assessment instead of their own. (Of course, internal audit can gain an understanding of the more significant risks when building and maintaining the audit plan.)
• In 45 (60%) cases, a risk management function is responsible.
• 24 (32%) said they have separate risk assessments in different parts of the business.
• 4 don’t have a risk assessment, and 2 didn’t know.

Q3. When you perform an audit, do you review management’s risk assessment of the area and provide an opinion on its accuracy?

• 35 (47%) not only said that management has a risk assessment for the area under audit, but it is reviewed as part of the audit. That is encouraging – more than I expected.
• 21 (28%) said management doesn’t have a risk assessment for the area being audited.
• 18 simply said No, and 1 didn’t know.

The next two questions are important.

Q6. Do you use management’s risk assessment in building the audit plan

12 replied that management doesn’t have a risk assessment, so they can’t use it. Of the 63 who do:

• 40 (63%) said Yes.
• 20 (32%) said that rely to a limited extent.

Q7. Is your audit plan based on an assessment of risks to the enterprise?

• 32 (43%) said that they “audit the controls over the more significant risks to the enterprise and its objectives. We don’t perform full scope audits of processes or units”. This is my preferred approach.
• 31 (41%) audit “those business units and processes that represent the greatest risks, and then audit the controls over the risks to those units and processes”. This is the traditional approach that I hope people are starting to realize is misguided. You will audit risks that matter only to middle management, if that, and not limit your work to what matters to the success of the enterprise.
• 6 (8%) still use the antiquated cyclical approach.
• And another 6 have taken a different approach (undefined).

Q8. Are you changing your approach in 2023 and beyond?

• 34 (45%) are staying with the same approach.
• 23 (31%) are definitely changing.
• 19 (25%) might change.

I welcome your thoughts on the results.

My opinion of audit opinions

Last week, I was in a duel with Richard Chambers on the topic of internal audit opinions.

Neither of us had much time to express our views, so I am taking the opportunity of today’s post to share some insights that might be useful.

Last month, I ran a survey that asked internal auditors “How do you communicate your overall opinion?” The answers were:

• We don’t include an overall opinion on the adequacy of controls over the risks in scope… 8.7%
• We use traffic lights, such as red/yellow/green… 19.0%
• We use language like “the controls are effective, adequate, or ineffective”… 41.3%
• We construct an opinion statement that reflects not only whether the controls are adequate overall, but which risks might not be at unacceptable levels… 23.0%
• Other… 7.9%

Consider four identical manufacturing companies where internal audit has completed an audit of their inventory management processes. This is a critical activity for them (as it is for businesses in many sectors, such as retail and wholesale, oil and gas, and more).

Imagine that you are on the boards of each company and reading the audit reports.

All the audits found the very same six issues. But they reported them differently.

The auditors of Company A wrote that they had completed their audit of inventory management processes and found a number of issues of concern. In their Findings section, they explained that six controls were not functioning as designed. The auditors went on to recommend that management ensure they function properly in future, and management responded that they would.

Company B’s auditors had a different report. While they also reported that they had completed their audit of inventory management processes and found a number of issues of concern, they commented that the controls over inventory management “needed improvement”.  They listed the six findings in the Executive Summary and put a traffic light color next to each, indicating their opinion of the severity of the finding.

Company C was different again. The report was similar to that for Company B, but this time the opinion specified the risks that had been audited, not just the controls. The auditors’ opinion was that the controls over inventory-related risks, such as ensuring the accuracy of inventory records and the quality of materials, needed improvement.

Finally, there is Company D. This time, the audit opinion was:

“Several controls were not operating properly, and management has agreed. As a result, there is an unacceptable level of risk that insufficient raw materials will be on hand when needed for production. In addition, what material is in inventory may not be of the appropriate quality. Should that occur, sales and customer satisfaction will be severely impacted and the company’s revenue targets for the quarter (if not the year) might not be achieved.

“Management has agreed with this assessment and has already started the process of upgrading the controls, scheduled for completion next month.”

My survey indicated that less than a quarter of internal audit departments (if the survey is representative) would include an opinion like that of Company D.

In the duel, Richard and I both agreed that we needed to provide the assurance, advice, and insight that management and the board need.

Which of the four company’s audit departments did that?

The auditors at Company D had to do more work, primarily sitting down with management and having a constructive discussion to (a) confirm the facts, (b) agree on what the facts meant, (c) consider options for addressing the risks, (d) review the language that will be in the report, and (e) discuss how best to communicate the situation to senior management.

But there is huge value in that additional work.

Where are you?

Are you going to adopt Company D’s approach?

I welcome your comments.

By the way, if you haven’t responded to my second survey, please do so.

Designing efficient and effective audits

Before I start today’s post, may I ask the internal auditors who haven’t already done so to respond to my latest survey, here?

 

Yesterday, I fought a duel (up to you to decide who won) with my good friend, Richard Chambers. It was hosted by Jon Taber (see footnote for the links) on the topic of audit opinions.

At one point, Richard made the excellent point that you shouldn’t provide an opinion without having done the work to support it.

My reply was that you should start the audit with the end in mind.

If you plan to express an opinion at the end of the planned audit on the adequacy of controls to manage specific risks, then the scope of the audit should be designed to provide to enable that opinion.

Do enough work to reach and support your opinion – and no more, unless you desire to audit controls and processes that are not relevant to your audit objectives (“muda”).

One of the fights I have been engaged in for a long time now is against full scope audits, especially those performed on a cyclical basis.

We should (as guided by the IIA’s Standards) be performing risk-based auditing.

That means that we should be auditing the controls over the more significant risks to the achievement of enterprise objectives. That is not the same as auditing the controls over a business process!

When you audit an entire process or business unit, you are going beyond the things that matter (controls over significant enterprise risks) to things that don’t matter to leadership (risks to the process or business unit that don’t have much effect on the achievement of enterprise objectives).

The key to efficient and effective auditing is focusing exclusively on what matters; stop auditing what doesn’t matter to the achievement of enterprise objectives.

Audit the controls over enterprise risks, not controls over local risks.

The excellent magazine of the IIA features a piece by my pal, Dave Salierno.

Brief, highly focused internal audits can produce rapid results for audit clients features comments by Hassan Khayal, an internal audit manager at Scope Investment (based in Dubai). The CAE there is Vijesh Ravindran.

Dave tells us:

…one internal audit function has fundamentally transformed its approach to audits. Responding to the need for increased agility and speed, auditors at a private investment firm based in Dubai, United Arab Emirates, began performing fewer large-scale, traditional audits in favor of faster engagements with a much narrower scope. These “burst audits” enabled the audit function to conduct operational risk assessments quickly and on short notice, and provide near-immediate feedback.

He continues with:

“Throughout the company, people were trying to address new challenges and quickly find solutions,” Khayal says. Clients asked how internal audit could help them. “Many of our clients suddenly needed quick assessments and recommendations.”

Providing those assessments through traditional audits could take months for each engagement. To meet the moment, the internal audit team began performing short, operational risk reviews that gave clients the rapid recommendations they needed. As small issues began arising throughout the firm, auditors started performing these reviews regularly — one- to two-week engagements that each covered a narrow, highly focused area. The approach enabled practitioners to make a quick impact and then swiftly move on to the next area in need of attention.

Unfortunately (in my opinion), the company continues to perform “large-scale, traditional audits” that cover an entire process or business activity.

If you can narrow your focus to providing an opinion (an “evaluation” per the Standards) as to whether controls are adequately designed and operating effectively over specified risks to objectives, ALL your audits can be “burst” audits that last weeks instead of months, delivering the assurance, advice, and insight that leadership needs, when they need it.

Why is it necessary to perform fast, efficient, focused audits?

Every hour saved by not auditing what doesn’t matter is an hour that can be spent on an additional audit that addresses something that does matter.

Can we eliminate full scope audits?

Can we move to enterprise risk-based audits?

I welcome your comments.

 

Footnote:

You can find the duel on LinkedIn (which is where you can vote for the winner), Apple podcast, or Spotify.