Risk management failures?

The management team at Silicon Valley Bank failed to take precautions against rising interest rates that would devalue their assets.

Was that a risk management failure?

I call it a management failure. They knew or should have known of the risk and taken earlier action.

Some years ago, I got a speeding ticket because I failed to anticipate the presence of local police cars.

Was that a risk management failure?

I call it a personal, my management failure.

I made a bad decision, and the potential risk became a reality.

Some of my friends attended a large bridge tournament and took the risk of getting OVID-19. They got sick.

Was that a risk management failure?

I don’t think so.

People are too quick to call something a risk management failure, just because something bad happened. Maybe a bad decision was made.

In my opinion, a risk management failure is when decision-makers are given poor information – whether that results in an adverse event or not!

For example, if they are given a heat map instead of the information they need to make an informed decision, that is a risk management failure!!!

If a decision-maker is given the results of a model but can’t translate the quantified “level of risk” into actionable information in the context of risk vs. reward, that is a risk management failure.

What do you think?

Advertisement

The practitioner as movie director

I am a huge fan of Tom Peters, and he recently said on Twitter (@tom_peters):

Unequivocally my #1 leadership quote, courtesy Oscar-winning director Robert Altman: “The role of the director is to create a space where actors and actresses can be more than they have ever been before, more than they have ever dreamed of being.” (Degree of applicability: 100% of contexts.)

He may be 80 years old, but he remains one of the best business thinkers and authors.

That quote resonated with me on two levels.

First, the practitioner leader (CRO, CAE, CISO, CCO, etc.) needs to be a leader of a team. They need to inspire, but they also need to “create a space” for every member of their team to thrive: to learn, to explore, to think, to imagine, and to have fun in their work.

When a team member is doing what they are told to do and no more, sometimes because they are told not to do anything else, their growth and personal enjoyment is stifled.

There was a commercial in California that said that happy cows make better milk.

Happy team members make better decisions and assessments, and produce higher quality results.

Every team leader should consider whether they are living up to the expectations in the Altman quote.

The second level where it resonated is how the practitioner (at all levels) can help “create a space” for management to thrive, making better decisions and achieving objectives.

The job of the practitioner should not be to enforce compliance, assess risks, or find control issues.

The job of the practitioner should be to help the organization succeed, whether through more informed decision-making, processes and controls, and so on.

Are we, as practitioners, focused on doing our job or helping others do theirs?

I welcome your thoughts.

How does internal audit help the audit committee do its top job?

Some facts:

1. The primary customer of the internal audit function is the audit committee.
2. The primary responsibility of the audit committee is oversight of financial reporting to the SEC.
3. Few internal auditors provide an opinion on the consolidated financial reports.
4. Reliance is placed on the external auditors to provide assurance on the consolidated financials.
5. The audit committee is charged with oversight of the external auditors.

How can the audit committee do a reasonable job of assessing the external auditors? I don’t think they can rely on the PCAOB.

Audit Committee Blueprint by the NACD with the help of KPMG has some useful content. What it lacks, and this is not surprising given that they worked with KPMG, is content that focuses on the quality of the external audit team.

They talk about the quality and focus of internal audit. They talk about the oversight of risk. But when it comes to the external auditor, they are more concerned with getting their thoughts on the company and its operations than whether they are sufficiently competent.

A publication of the Center for Audit Quality, External Auditor Assessment Tool helps more.

But how does the audit committee obtain the information necessary for an objective assessment of the external auditor?

The internal audit team can and, in my opinion, should help.

In fact, should this be recognized as a responsibility of the internal audit function? Doesn’t it add huge value? Who else can do this?

I hope this article I had published by the IIA’s magazine will be of value.

I welcome your comments.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Evaluating the external auditors

One of the responsibilities of the audit committee of the board is oversight of the external auditor. The board and the shareholders (or owners) they represent look to the audit firm for assurance that the financial statements that the company files with the regulators are free from material error, and that management’s system of internal control over financial reporting (ICFR) is effective.

Every year, the audit committee should determine whether the audit firm is providing the necessary audit services at an appropriate quality and price. They will determine whether to retain the firm and approve the fees they propose.

Over the years, I helped the audit committee discharge this responsibility. There were a couple of reasons. First, there is a real risk that the audit firm will fail to identify material errors or omissions in the financial statements. Every year, well-publicized auditing failures are covered by the press and investigated by the regulators. In addition, the Public Company Oversight Board consistently reports defects in the audits they examine.

If the company files materially incorrect financial statements with the regulators and this is found later, it can lead not only to investigations and legal actions by the regulators, but reputation damage and the possibility of shareholder or lender lawsuits.

The second reason I help is that this is an important responsibility of the audit committee, and they have no other staff. All they can do by themselves is ask the CEO, CFO, and Corporate Controller for their assessment. Sometimes, those individuals are constrained by a desire not to confront the audit partners. (They may also be happy that the audit team is weak.) In addition, they may not have all the information necessary for an effective evaluation of the external audit team’s performance.

An independent and objective assessment

As the chief audit executive (CAE) at several companies, I worked with both excellent and less than stellar external audit teams.

It was my experience that the CFO and Corporate Controller focused on whether the auditors provided a clean opinion, reported issues, and their fees. They generally did not seek nor have a full picture of the external auditor’s performance. So, asking for their assessment is, in my opinion and experience, insufficient.

Internal audit can add value by leading an independent and objective assessment of the audit firm’s performance, just as they can for other sources of business risk. I say “leading”, because we should obtain and share management’s assessment and not just our own. I discuss this later in “How to Perform the Assessment”.

We won’t have access to the auditor’s working papers to see whether they are complying with auditing standards and performing the risk assessment and testing they should. But there are other aspects of their performance that we can address, such as:

• Their technical accounting and other knowledge
• The team members’ understanding of the company and its business
• Their ability to use reason and judgment in assessing potential issues, listening to management, and reaching a fair and balanced opinion on the materiality of any findings and the actions management should take in response
• The auditor’s scope and whether it includes areas that are highly unlikely to be the source of a material error or omission in the filed financial statements
• The timeliness and quality of the team’s communications with management, the audit committee, and others (such as internal audit)
• The auditor’s flexibility in scheduling and other matters to address management needs and concerns
• Coordination and cooperation with internal audit
• The reasonableness of fees, including statutory audit and other fees
• Whether they are inappropriately selling additional services
• The general attitude of the firm and its partners in dealing with management across the organization
• Related litigation, the results of examinations by the regulators, and peer reviews

Technical Accounting and other Knowledge

It would be unusual for the external audit team to lack technical accounting capabilities. The company’s own technical staff should be able to provide feedback on that area.

Similarly, the audit firm usually has tax experts on or in support of the team. The corporate tax and the corporate controller’s teams have insights that are useful.

However, the audit team doesn’t always have as much expertise as could be desired when it comes to technology issues. Sometimes, the firm’s IT auditors are unable to assess technology-related risks properly, relying on theory instead of determining whether there is a risk of significance to the financial statements.

In fact, many companies report that their external auditors consistently ask for IT-related controls where a failure is extremely unlikely to result in a material error or omission in the financial statements. At one of my companies, the IT audit manager came into my office to explain that we had a serious control deficiency, possibly a material weakness in ICFR. He explained that our network relied on a router in Taiwan to connect our headquarters in the US to our various operations in Asia. The traffic through that router was not encrypted nor was access to the router secured. We talked and I could see that there was a risk of network disruption if the router was attacked. However, I was able to help the manager understand that the possibility of somebody inserting or modifying transactions that went undetected and created a material error in our corporate financial statements was far less than remote: almost impossible.

Understanding the Business

This can be a challenge for the external audit team as they are only involved with the company for a few months each year. They are also (with the possible exception of the partner) relatively inexperienced. The greater part of the work is performed by junior staff who are only recently out of college.

The manager and partner may be experts in technical accounting but understanding the challenges in running a business is a totally different issue.

If they don’t understand the business, this can affect their ability to hone in on potential sources of risk as well as misunderstand the level of risk when they identify issues.

One of the problems I faced was when testing by the auditors at one of my companies identified a control weakness. They informed management of the weakness (after a delay) but didn’t understand the risk. When I found out, I saw that the weakness represented a risk of fraud. Even the audit partner had not realized this, and that led both to a delay in addressing the problem and a failure to investigate whether anyone had taken advantage of the weakness to commit a fraud without detection.

Reason and Judgment

The auditing standards (in the US and elsewhere) call for both management and the auditors to use informed judgment in assessing risk. This applies both in establishing the scope of work (the risk assessment) and in assessing the significance of deficiencies.

However, many auditors rely on rules and theory and over-react to issues. The firms seek consistency among their thousands of staff members, so they train them to follow firm guidance. It is only the more experienced, confident, and intelligent partners (and sometimes managers) who are willing and able to step back and use professional judgment in assessing a potential weakness or error.

I experienced this at one of my companies, where a journal entry was posted backwards, creating a material error in the financial statements for that quarter. When we looked into the root causes, we found that the division controller responsible for creating the journal entry was on vacation, the first time he had been away at a quarter-end in a decade. The error should have been detected by the controller of another division, but she was home sick for the first time in at least a dozen years. The Operations Controller and the Corporate Controller and their staff both performed flux reviews that should have caught the mistake, but there were several unusual activities in the quarter that hid it from their view.

In other words, as I explained to the firm partner, it was as if we dropped a pin during a tornado, an earthquake, and a tsunami warning. Many highly unusual events happened at the same time.

But the partner was forced by his national office to declare, against his own judgment, that this was a material weakness in the system of internal control over financial reporting.

Fortunately, this was at quarter-end and as soon as one of the two controllers returned to work the deficiency corrected itself.

A balanced and thoughtful exercise of judgement would have seen this as an error that was highly unlikely ever to happen again, not a material weakness that indicated an ineffective system of internal control over financial reporting.

The scope of the audit

The auditing standards require that the external auditors focus their attention on areas where there is at least a reasonable possibility of an error or omission that would be material.

However, they are notorious for bringing up issues and auditing areas that do not pass that important and necessary test.

This can be for several reasons, including their limited understanding of the business, instructions from more senior firm members to include the issue because it has been a concern at another company, or a failure to take the top-down and risk-based approach to the audit required by the regulators.

At the Northern California oil company where I led internal audit, the IT audit partner told the company that we needed to have controls over a specific IT-related risk. I met with that partner and explained that this was not a source of risk in our business and the company.

She told me that the firm had found serious issues in several of their clients across the company and the regional partner, her boss, had instructed her that all her clients needed to have controls over it. It was mandatory that it be included in scope.

Communications with Management and the Audit Committee

I have experienced management’s complaints and frustrations with poor communications from the external auditors. They are busy and unnecessary surprises are unwelcome.

Management wants to know when the auditors are coming. For example, they want to make sure they have the right people available. They also don’t want the auditors demanding their attention when they are overwhelmed with other work.

At one of the companies where I helped the audit committee assess the performance of the external auditors, management at several of the global subsidiaries were truly angry with their local audit team. They told us that the audit firm was arrogant and not only gave them little notice of their visits but were unresponsive to management’s requests to move their testing to a more convenient time. This level of frustration was not known to me as CAE, to corporate management, or to the engagement partner.

When the auditors find a serious issue, management (and internal audit) want to know about it promptly so it can be fixed. However, I have often seen the audit team take weeks or longer to inform management or internal audit. This is clearly unacceptable as the risk remains untreated for far longer than necessary.

On the other hand, the audit committee can assess without internal audit assistance the quality of communications with them by the audit firm (generally the partners). In a survey of audit committee members by the Center for Audit Quality and Deloitte in January 2022, 85% said “strong communication between engagement partner and audit committee… contributes most to audit quality”. (That was the highest score, tied with “competence of the engagement team”.)

Flexibility

While I have worked with audit teams that are very flexible, accommodating management’s requests for their work to be performed at times when they are not as busy and their key players are available, I have also worked with some that take a different position. They stand on their independence and refuse to make any change to their schedule.

Similarly, I have worked with audit partners and managers that are more than willing to listen to suggestions on audit scope and timing of ICFR testing. But there have also been others that simply don’t want to engage.

One of the opportunities for both the company and the audit firm is to perform joint walkthroughs of key controls as part of the ICFR work. While some welcome the opportunity, other audit partners and managers I have encountered are suspicious and refuse to work with us. This inflexibility can also extend to being open to discussions about the level of materiality and the key controls that should be included in scope. That is unfortunate, as my internal audit team have a greater understanding of the business, its risks and controls, as well as a relationship with management.

Coordination and cooperation with internal audit

While some believe that the two audit teams should remain totally separate (a belief held by some CAEs as well as audit partners and managers), they can be of great value to each other.

Internal audit can be a source of knowledge for the external auditors if they choose to use it. We understand the business, the people in management, and the key controls. In addition, they should be able to rely on our work far more than most of them do.

The external auditors can also help internal auditors, for example by letting us know when they see problems or opportunities for improvement in processes and controls.

I helped my audit committee understand that the company would benefit if there was an appropriate level of communication and collaboration between the internal and external auditors. The members always asked the audit partners whether they were able to leverage our work and leverage us. They viewed any response that the firm was not able to place much reliance with skepticism.

Fees

The CFO (or the corporate controller at the direction of the CFO) is usually the person who negotiates the audit fee. However, it has to be approved by the audit committee and they can benefit from internal audit providing an objective assessment.

Fees for the statutory audits of global subsidiaries are often overlooked. Internal audit can obtain information on that, as well as feedback on their reasonableness from local financial leaders.

Additional Services

Although the regulators have standards that detail what is and what is not permissible, I have seen situations where the audit committee was not comfortable that management had engaged the audit firm for work outside their annual audit.

Internal audit can ensure that the audit committee is fully informed of such work, preferably before management commits to it and the services are provided.

General Attitude

I bring this up as something that should be reviewed by the audit committee because I have seen serious problems.

As I mentioned earlier, at one company the management of several of our global subsidiaries had major problems with the attitude of the audit firm.

At another company, I saw the two engagement partners demonstrate what I believed to be totally inappropriate behavior – even during audit committee meetings. They consistently worked to make financial management look bad, trumpeting their own work and belittling management. That behavior was not limited to the meetings, nor to the two partners.

When my reporting on audit quality for the audit committee brought this and other issues to the attention of the audit committee, they were appropriately upset. After discussing the auditors’ performance with the CEO and CFO in executive session, steps were taken. Fortunately, the partners changed their behavior and although it was close, they retained the account.

Related litigation, the results of examinations by the regulators, and peer reviews

The audit committee needs to know if the company’s audit was selected for examination by the regulators, and what the results were. Unfortunately, while some audit partners are forthright about this, others are not. So, I suggested to the chair that he or she ask the audit partners about this at least annually.

Similarly, the chair asks whether any of the firm’s quality control activities, including peer reviews with other audit firms, involved the company’s audits.

In addition, the chair should ask whether any of the engagement team have been involved, to any degree, in litigation or performance improvement plans.

On a continuing basis, I try to stay abreast of other matters that could indicate firm quality issues. They may be reported in the press, in social media, or by specialists like Francine McKenna at retheauditors.com.

How to Perform the Assessment

The way I did it at my companies was a combination of interviews and a survey.

I met with the leaders of the finance function and others that the audit team worked with, including the CFO, corporate controller, operations controller, head of tax, the treasurer, financial reporting, the CIO, and others for an open conversation. When they asked, I committed to keeping their names confidential. I said I would share their experiences and comments with attribution.

I couldn’t reasonably meet with everybody, especially those is far-flung parts of the organization. Therefore, I sent them a survey that asked for their rating and comments on the areas discussed above.

Once these had been obtained, I summarized them and met with the CFO and corporate controller to discuss them. They were usually but not always surprised to hear the results.

I did not produce a formal internal audit report. Instead, I summarized the ratings for each area with some text to explain the assessment, with comments and quotes as appropriate.

The next step was to meet with the audit partners. This was sometimes a pleasant meeting, but not always. At the company where the issues (including the behavior of the partners) was of most concern, they took the results badly. They tried to blame me, but I made it clear that the assessment reflected the opinions of the great majority of the management team they and their people engaged with.

The CFO and I talked first to the chair of the audit committee before sharing the full report with all the members and discussing it in executive session. All the members took this and their oversight responsibility very seriously. Where necessary, they made it clear to the partners that changes were needed. When the report was favorable, they expressed their appreciation to the partners.

Summary

All of the companies where I provided this service found it of great value. The audit committee and senior management all appreciated it.

It takes time, tact, and a lot of careful listening by the CAE (I didn’t delegate any part of it), but performing the work not only helps the audit committee discharge its responsibilities, but also builds bonds between the CAE and both management and the members of the committee.

The power of Why

I love to tell the story of Juliano. His father, Julio, was the manager of a hotel on the Adriatic coast of Italy that my family visited several times. Julio then purchased a hotel of his own near Rimini (not far away).

It was there that I met his young son, Juliano. The kid was maybe 5 years old and spoke very little English – just what he had picked up living in the hotel with many English guests.

Juliano followed my brother and I everywhere. If we played table tennis, he was watching. If we went to the beach, so did he.

He followed us with one word, repeated constantly: “why?”

Why were we going to the beach?

Why were we going to play each other?

Why?

It’s a great question and not always easy to answer, and I didn’t want to dismiss the cute kid out of hand.

He made me think – a very important activity.

Why is a great question for practitioners to ask.

Why are you doing that? Why aren’t you doing this?

Why are you performing that reconciliation?

Why are all your direct reports in this meeting?

Why are you selling that product?

Why are you managing cybersecurity in-house?

Why are your top salespeople given the best customers?

Why are your freight costs so high?

Why is your scrap level this high?

Why are you getting so many product returns?

Why do you use different software solutions in different parts of the business?

If the answer is not readily forthcoming, something may be wrong. Perhaps there is no good reason for what they are doing. Perhaps there used to be a good reason, but times have changed.

Don’t accept these answers:

• Because we have always done it this way
• Because the auditors told me to do this
• Because it’s “best practice”
• Because that’s what the framework requires
• Because the IIA says we have to
• I don’t know

It’s also a great question for practitioners to ask of themselves?

Why does it take so long to assess a risk?

Why isn’t the CRO involved in strategy-setting meetings or quarterly performance reviews?

Why do you need so many risk officers? Where is the ROI?

Why are you telling them what the risk is? Why aren’t you asking them instead? Why don’t they know?

Why do we need to follow this framework, or any framework?

Why are you writing that report? Why aren’t you having a discussion instead?

Why aren’t you being asked to perform advisory work every day?

Why do we need to follow IIA Standards (for internal auditors)? Why is that the best way to deliver value to our stakeholders?

Why does the IIA have Standards? Why are they, or are they, the way all highly effective internal auditors should work?

Why are you spending so much time documenting your work? Why do you think the time is worth spending, delivering more value to our customers than it costs?

Why does the IIA think you need documented methodologies for your work?

Why does the company need a chief risk officer?

Why does it need a risk committee? Why does it believe that risk, strategy, and performance should be discussed separately?

Why are we here?

Why are you reading this?

If you have read the draft IIA Standards and not answered my poll, why not?

The submariner and the practitioner

It’s a movie.

We see the submarine captain, Calhoun, as he scans the horizon with his periscope.

He announces that he can see three enemy warships a few miles away and asks his second in command, Lieutenant Tripp, whether radar is picking up any enemy aircraft.

Tripp bends down to talk to the radar operator and inspect the screen.

“None in sight, Captain.”

“Captain,” a new voice interrupts. “It’s Marks, the risk officer. I have your weekly risk map and risk register.”

“Get lost, Marks! Tripp?”

“Yes, Captain?”

“Ready torpedo tubes one through five.”

“Tubes one through five, ready Captain.”

“Captain,” another voice chirps up.

“What?”

“It’s Sobel, the auditor. I want to discuss our latest audit report on procurement for the officers’ mess.”

“Oh my God!! Get him out of here!”

The crew hurry to literally throw Marks and Sobel out of the control room.

The two practitioners look at each other and are soon yelling at each other. Why was the other disturbing the Captain in the middle of a potential attack, one where they could all die?

Back in the control room, Lieutenant Tripp is alerting Captain Calhoun of a new message from fleet command. They are to withdraw and meet with two other submarines 150 miles away, returning together the next day to make a joint attack on the enemy.

They come off battle stations and the two practitioners decide to change their approach.

Sobel and Marks meekly knock on the Captain’s cabin and are summoned to enter.

They apologize for their stupid interruptions and ask, “how can we help now, as you prepare for the next attack?”

“OK. I accept your apologies and appreciate the offer.” They relax a little.

“I am going to have to make a number of important decisions over the next hours, including how best to position our three subs, whether and when the enemy is likely to get air support, and more. I will also need to know how many fully functional torpedoes and tubes we have, how long it will take to reload, and so on. Go talk to Tripp. He can help figure out how you can help us not only sink the enemy but survive the fight.”

The find Tripp in the officers’ mess and chat over coffee.

What do you think they came up with?

How can the two practitioners help?

NIST and Cybersecurity Risk

The National Institute of Standards and Technology (NIST) has shared a preliminary discussion draft of the planned update 2.0 of their Cybersecurity Framework (CSF).

In their earlier Concept Paper, NIST explained:

The NIST Cybersecurity Framework (CSF or Framework) provides guidance to organizations to better understand, manage, reduce, and communicate cybersecurity risks. It is a foundational and essential resource used by all sectors around the world.

As it relates to risk management, they said:

CSF 2.0 will describe how an underlying risk management process is essential for identifying, analyzing, prioritizing, responding to, and monitoring risks, how CSF outcomes support risk response decisions (accept, mitigate, transfer, avoid), and various examples of risk management processes (e.g., Risk Management Framework, ISO 31000) that can be used to underpin CSF implementations.

I have extracted from the draft the sections on risk management strategy and risk assessment. I have highlighted the portions of the text I like.

Risk Management Strategy (GV.RM): The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established and used to support operational risk decisions.

• RM-01: Cybersecurity risk management objectives are established and agreed to by organizational stakeholders.
• RM-02: Cybersecurity supply chain risk management strategy is established, agreed to by organizational stakeholders, and managed.
• RM-03: Risk appetite and risk tolerance statements are determined and communicated based on the organization’s business environment.
• RM-04: Cybersecurity risk management is considered part of enterprise risk management.
• RM-06: Responsibility and accountability are determined and communicated for ensuring that the risk management strategy and program are resourced, implemented, assessed, and maintained.
• RM-07: Risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks.
• RM-08: Effectiveness and adequacy of cybersecurity risk management strategy and results are assessed and reviewed by organizational leaders.

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

• RA-01: Vulnerabilities in first-party and third-party assets are identified, validated, and recorded.
• RA-02: Cyber threat intelligence is received from information sharing forums and sources.
• RA-03: Threats, both internal and external, are identified and recorded.
• RA-04: Potential business impacts and likelihoods are identified and recorded.
• RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to determine exposure and inform risk prioritization.
• RA-6: Risk responses are identified and prioritized.
• RA-07: Changes are managed, assessed for risk impact, and recorded.
• RA-08: Risks associated with technology suppliers and their supplied products and services are identified, recorded, prioritized, and monitored.
• RA-09: Processes for receiving, analyzing, and responding to vulnerability disclosures are established.
• RA-10: Exceptions to security measures are reviewed, tracked, and compensated for.

Although I did not provide written responses to the earlier drafts that NIST made available for comment (unlike the IIA, they post them all), I have spoken to staff at NIST and shared my concerns with the current framework.

1. Risk is the effect of uncertainty (in this case, the chance of a cyber breach) on enterprise objectives. (Paraphrasing ISO 31000.) However, the NIST framework assesses and reports the risk to information assets.
2. This creates a gap between the way business leaders talk and make decisions and the way cyber practitioners talk and provide information to decision-makers.
3. While the draft talks about understanding how cyber risk might affect the business and its performance, it does not explain whether risk will be measured by how it affects the likelihood of achieving enterprise objectives.
4. Cyber-related risk is just one of many operational sources of risk that need to be considered together when making a business decision.
5. Informed and intelligent decisions require the ability to compare and aggregate where necessary both upside and downside effects of uncertainty on the business, its performance, and its objectives.
6. It is impossible to make an informed and intelligent business decision when the choice is between investing to reduce the risk to information assets, mitigating safety risk, initiating a marketing plan to drive additional revenue, or accelerating the development of a new generation of products and services.

The answer, in my opinion (as explained with examples in Understanding the Business Risk that is Cyber: A guide for both business executives and InfoSec managers to bridge the gap) is to assess everything, both upside and downsides, in terms of how they might affect the achievement of enterprise objectives.

This is what drives the leaders of the business, how their performance is measured, and it is in their language.

My recommendation to NIST is to ensure that this is the result of their risk assessment: not the risk to information assets, but the risk to affected enterprise objectives. How a breach would affect the likelihood of achieving them.

This approach enables the cyber practitioner to provide leaders and decision-makers with the information they need.

It can be compared and aggregated with other downside and upside risks.

Decisions about investing in cyber would no longer be made in a silo.

I welcome your thoughts.

118 have now voted! Preliminary IIA draft Standards survey results – updated May 31

I am keeping the survey open for another few days, even though the comment period for the English version of the draft has closed. So if you have not yet answered the poll, please do so here.

118 people have voted so far. While this is great, it would be even more persuasive if more shared their views.

I am going to update it as more people vote.

Results so far. Note: not everybody answered every question.

As a reminder, the stated purpose of the Standards (according to the draft) is:

The Global Internal Audit Standards provide requirements and recommendations to guide the professional practice of quality internal auditing globally. The Standards also establish a basis for evaluating the performance of internal audit services.

X

Q1: Do you agree with the stated purpose of the IIA’s Standards?

ANSWER CHOICES	RESPONSES
Yes	46.15%	54
No	53.85%	63
TOTAL		117

X

Q2: The Standards should “provide requirements and recommendations to guide the professional practice of quality internal auditing globally.”  Does the draft describe quality internal auditing?

ANSWER CHOICES	RESPONSES
They describe in full what is required for high quality internal auditing	5.08%	6
They describe, with minor exceptions, what is required	15.25%	18
They describe some of the requirements, but there are a few serious omissions or errors	59.32%	70
They do not describe what is needed	20.34%	24
TOTAL		118

X

Q3: Should the draft be approved?

ANSWER CHOICES	RESPONSES
Yes, with perhaps a few minor changes	5.93%	7
Yes, after some edits of significance	17.80%	21
No. The issues merit significant change and a reissue of the draft	66.10%	78
No. The Standards should not be changed at this time	10.17%	12
TOTAL		118

X

Q4: What is the most significant issue of concern? Add others in the comments area.

Note that the Responses do not include the points made by those who responded with Other.

ANSWER CHOICES	RESPONSES
None of the above	1.69%	2
Improved focus on risk-based auditing	6.78%	8
Less “must”. It’s too rules-based	33.05%	39
Use the Core Principles rather than those in the draft	1.69%	2
Change the Purpose statement	3.39%	4
Separate what must be done (standards) from how it should be done (framework)	24.58%	29
It’s too long	3.39%	4
Other (see below)	25.42%	30
TOTAL		118

Other comments on this question:

• All of the above (five people)
• All of the above – especially a focus on Enterprise Risks – risk-based auditing
• Aside ensuring an improved focus on risk based auditing, the use of “must” in the standard especially with regards to board oversight should be reviewed. The code of ethics now ethics and professionalism should be a separate element of the global audit standards for ease of reference. Some core principles deleted/merged in the proposed standards should be maintained as they are of significant benefits to the performance of internal auditing.
• It will not improve the value (I.e. output) of IA services in the eyes of our key stakeholders, nor move the profession forward
• Too much must – not all IA shops are the same and ultimately need to fit in with what their stakeholders require so structuring to avoid IPP vs stakeholder conflict would be sensible; trying to overreach (IIA has no jurisdiction over the Board); too long – show the “black letter” vs the guidance more clearly
• Separate out board / audit committee requirements beyond scope of CAE
• It is too long to be meaningfully understood and applied consistently- even by a large mature IA function. The whole set has become too proscribed “must” vs “should” and takes away the professional judgement of the CAE for what it the best fit for their organization and culture. As currently written, the draft supports that there is o my one way to be “effective” when that is clearly not the case in current practice. It seems to ignore the 3Lines Model altogether.
• Requirements do not distinguish between Assurance, Building and Consulting Engagements
• The whole thing is a mess. It looks as if it’s been written by well intended amateurs and needs a wholesale review and rewrite.
• 1) too rigid & rules-based, especially when IA are trying to be agile, risk based & provide value added advisory services. 2) for different contextual needs, maturity & culture of each organization, auditors should discern the best approach. While we employ systematic & disciplined approaches, there are many subjective & judgmental elements as well. The wisdom to know the differences & approach is important as there is no one size fits all. The standards should rise above to describe principles and what ‘good looks like’ instead of prescriptive & detailed methods. CAEs / IA Managers would have the maturity to lead & coach their junior auditors on the details, according to the different org needs. Ultimately, we want to protect our companies by partnering & collaborating with Management, as trusted advisors, without compromising our independence, objectivity, and moral courage.
• Board mandated requirements. The IIA has no authority to impose requirements upon the Board.
• Treatment of advisory services equal to assurance engagements reducing agility and value to be provided.
• The Purpose Statement seems to me somewhat general (too broad) and it does not consider ethics as a part of the purpose. Besides, as a core domain how is possible that do not have a requirement and implementation section?
• Needs more on risk-based audit, small audit function, need to cover the minimum requirements when the company is in law maturity, more investing in advisory engagements. Ethics should not be standards. weak relation between conformance and quality.
• Cost/benefit analysis of the changes to improve the professionalism of the profession.
• It is likely to make the profession less attractive to join / stay. With less auditors standards don’t even matter. Its also far too long and there is no requirement to innovate or modernise. More of the same will lead to less and less relevance. Are IA being consulted on AI governance or any emerging risk areas as risk management experts – No, a sign of irrelevance.
• Audit can be a core business partner, contributing to strategy from a risk management perspective. Is this risk management? Yes, but it goes beyond that, the opportunity being risk management and strategy integration.
• Governance bodies roles
• 1) remove requirements over people and things IA cannot control (Board); 2) more on performance and value; 3) Advisory: a) IA should be able to initiate, and b) provide standards and guidance throughout; 4) Leverage three lines model, including reliance (or not) on 2LOD audits.
• It sets out requirements for audit committees who are not IIA members or internal auditors
• Too focused on big departments; unrealistic musts like an ann’l review of the charter by the Audit Committee.
• Following rules does not establish Effectiveness of Assurance, rules are not even a proxy for effectiveness
• Absence of how you determine the link between organisational success and failure and IA role .. weak on emphasizing the 3Lines
• Use the Core Principles; Change the Purpose; too prescriptive
• It’s a solution in search of a problem
• I would choose 1, 2 and 5 and 6
• The proposed standards will be detrimental to the charity sector, where resource is very scarce, and the emphasis on extensive box ticking and compliance to ‘musts’ is at odds with charities’ public benefit objectives.

X

Your thoughts are welcome – and please add your voice to the poll if you haven’t already.

The audit findings fallacy

I am taking the title of today’s blog post from a comment by Richard Berry on a LinkedIn post by my friend, Richard Chambers. The post is about Richard’s latest video, Episode 3: Are follow-up audits a waste of time?

I believe Richard is asking the wrong question. He should be asking whether there is reasonable assurance that internal audit is getting any recommendations and action items right. Are they the right thing to do for the business, and has management not only agreed (which may be token) but actually embraced the change as being in their best interests?

I realize there is a need to be reassured that all our work has resulted in the change we believe in. But is the answer in a follow-up audit, or in listening to management and working with them instead of preaching to them?

As you would expect, Richard makes several excellent points in the video. In particular, he tells us that the draft update of the Standards provides alternatives to the traditional mandated follow-up: essentially a second audit of the same area that focuses on whether the recommendations (that were agreed to by management) had been completed by the scheduled date. It focuses on outcomes, completion of the action, rather than process.

When I first became a Chief Audit Executive, so many years ago, I would have a separate engagement that followed up on all the open management action items. I didn’t perform a second audit, and unless I had reason not to, I accepted management’s word that the actions had been taken.

I believed then and believe now that was a better approach than a repeat audit to confirm action items, and it would comply with the updated Standards. (See Standard 15.2 in the draft update.).

But I stopped soon afterwards.

When I presented my audit plan for the next year to the audit committee, they asked why I was doing it! I said it was common practice and encouraged by the IIA Standards.

They put me straight!

Taking action is management’s job – and they should take ownership of getting it done.

They told me to stop and work with management so they can track the status of necessary actions.

They were right!

We have better things to do.

This is how I responded on Richard’s LI post, with added wording:

I think the draft Standards gets this wrong.

1. If the auditor has been working well with management, listening collaboratively and actively, instead of preaching (telling rather than talking), then management should embrace the change as in their best interests. Sadly that is often not the case.

A world-class auditor listens to management.

Instead of telling them what the finding and risk is, work with them to agree on the facts, the implications for the business, and what (if anything) should be done.

Far too few auditors listen. Perhaps they are so proud of their work, findings, and recommendations, that they are not open to hearing that they are wrong. Perhaps they aren’t mature enough to understand that sometimes the risk needs to be taken (accepted, if you prefer).

The world-class auditor is able to not only agree with management on what should be done, but also get to where management sees it as in their best interests to embrace the need for change.

When management owns and believes in the change, it will happen.

2. Management should have a follow-up process, since these are risks that matter to them. This was brought home to me by audit committee members.

When there is a risk office, these risks and corrective actions can be included in their assessment, etc.

If they are IT-related, a task should be entered into their change management system.

If management owns and wants to make the change, they will make it happen. Let them follow up.

Why not include in the audit report the agreement that not only will management take the agreed action, but will also follow up and report on status?

3. Follow up only where the risk justifies the time. Resources are limited.

There is so much to audit we can’t afford to waste a minute of our valuable time.

Only follow up in any form where the risk to enterprise objectives is high.

4. Track the level of failure. Every time an agreed action is not taken (forget recommendations), that is a failure of internal audit! Management may still be doing what is right for the business.

If things are so bad that management is not implementing many of the agreed action items, that may or may not indicate a lack of attention to internal control. It may reflect a lack of auditing skills: identifying a true business risk and working with management to effect the necessary change.

If 90% of action items in a report are not completed on time, that is a 10% failure rate! Unacceptable!

Audit to find the root cause rather than following up on the symptoms.

5. Focus on outcomes: appropriate controls to run the business.

The outcome we should be concerned about is whether the system of internal control provides reasonable assurance that risks (including opportunities) to enterprise objectives are at desired levels.

Focus 125% of our time on the more significant sources of risks to enterprise objectives. If one of those sources of risk is management’s lack of attention to internal controls, there is a serious problem that needs to be discussed with the board.

But is that really the case?

I don’t believe the Standards should mandate (or even recommend) follow-up audits. You don’t have to “monitor management’s progress toward the completion of action plans” (Principle 15) to have an effective and efficient internal audit department.

What do you think and why is it the best use of our limited time?

Have you answered my poll about the Standards? Please do so as the results will be shared with IIA leadership.

Why internal audit only needs one risk assessment process

Both the current IIA Standards and the draft update have two risk assessments.

The first is during the annual audit planning process (which is updated as needed). A list of auditable entities is developed, an “audit universe”, and they are prioritized based on risk (perhaps also on the value of an audit). The higher “risk” entities are then included in the audit plan.

2010 – Planning (current standard)

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

X

Standard 9.5 Internal Audit Plan (draft update)

Requirements

The chief audit executive must develop an internal audit plan that supports the achievement of the organization’s objectives.

The chief audit executive must base the internal audit plan on a documented assessment of the organization’s strategies, objectives, and risks. This assessment must be informed by input from senior management and the board as well as an understanding of the organization’s governance, risk management, and control processes. The assessment must be performed at least annually.

Note: the update has removed the requirement that the plan be risk-based.

X

The second is at the engagement level.

2200 – Engagement Planning (current standard)

Internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations. The plan must consider the organization’s strategies, objectives, and risks relevant to the engagement.

2201 – Planning Considerations

In planning the engagement, internal auditors must consider:

• • The strategies and objectives of the activity being reviewed and the means by which the activity controls its performance.
  • The significant risks to the activity’s objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
  • The adequacy and effectiveness of the activity’s governance, risk management, and control processes compared to a relevant framework or model.
  • The opportunities for making significant improvements to the activity’s governance, risk management, and control processes.

X

Standard 13.2 Engagement Risk Assessment (draft update)

Requirements

Internal auditors must develop an understanding of the activity under review and assess relevant risks.

To develop the understanding, internal auditors must identify and gather sufficient information and conduct an engagement risk assessment.

Internal auditors must understand:

• • The strategies, objectives, and risks of the organization that are relevant to the activity under review.
  • The organization’s risk tolerance.
  • The risk assessment supporting the internal audit plan.
  • The objectives of the activity under review.
  • The governance, risk management, and control processes of the activity under review.
  • Authoritative frameworks, guidance, and criteria that may be used to evaluate the effectiveness of those processes.
  • To conduct the engagement risk assessment, internal auditors must:
  • Identify the significant risks to the objectives of the activity under review.
  • Identify the means by which the activity controls its risks to a level within the organization’s risk tolerance.
  • Evaluate the significance (impact and likelihood) of the risks.
  • Assess the design adequacy of the activity’s control processes.
  • Consider specific risks including those related to fraud and information technology and systems.

Note: while the update has more meat, it is essentially unchanged.

X

The problem

The two-step process ends up with engagements whose objectives and scope are primarily driven by risks to the objectives of the auditable entity, rather than those of the enterprise.

It ends up with auditing risks that don’t matter to leaders of the enterprise, only to leaders of the entity.

This is a problem because:

1. No audit department has the capacity to audit every risk.
2. We need to place a priority on auditing the controls over the more significant risks to enterprise objectives.
3. Every hour we spend auditing something that doesn’t matter to enterprise success, we are losing the opportunity to audit something that is.

X

Last November, I ran a short survey on this topic. 125 people responded. The answers were:

1. Do you perform full scope audits or focus on controls over high risks?

• Full scope audits, all the controls over risks important to the entity being audited… 42%
• Our audits focus on controls over risks that are important to the enterprise as a whole… 53%
• Other… 6%

That is a significant improvement on my 2016 poll, when the results were:

• 11% Risks to the enterprise
• 15% Risks to individual auditable entities such as processes, locations, business units
• 32% A combination of the above. but more enterprise risks
• 42% A combination, but more at the process business unit, or location level

X

I see this as a positive trend towards true (enterprise) risk-based auditing.

We need to continue to make progress, and it starts with getting the IIA to reflect risk-based auditing in the update of the Standards.

X

Have you seen my latest poll on the Standards? If you have read the draft, please take a couple of minutes and answer my high-level questions. I will share the results here and with IIA leadership.

X

I welcome your thoughts.

What is the standard for the IIA’s Standards?

The lead in to the draft update of the IIA’s Standards says:

“The Global Internal Audit Standards provide requirements and recommendations to guide the professional practice of quality internal auditing globally. The Standards also establish a basis for evaluating the performance of internal audit services.”

Please complete a short survey that asks whether you think the draft fulfils that promise.

A book the IIA should read

As the IIA absorbs what the practitioner community is saying about its flawed draft update of the Standards, I have suggested that they read my book, “Auditing what matters“.

The review panel included eminent practitioners, with several former IIA chairs:

• John Fraser
• Steve Goepfert
• Larry Harrington
• Tom McLeod
• Patty Miller
• Michael Parkinson
• Dominique Vincenti

In the Introduction, I wrote:

Over the last years, significant progress has been made in the professional practice of internal auditing, especially when it comes to risk-based auditing. I especially like some of the new Core Principles for effective internal auditing that were adopted by the Institute of Internal Auditors in 2015[1]. They include the principles that internal audit:

• Communicates effectively
• Provides risk-based assurance
• Is insightful, proactive, and future-focused
• Promotes organizational improvement

Is internal auditing communicating, in an appropriately timely manner that supports decision-making by the board and management team, whether the risks that matter to the success of the organization are managed as desired?

Is internal auditing really thinking about the road ahead and the risks around the corner, or is it focused mainly on past activity and current capability?

Is it effective, as effective as it can and should be, in helping the organization bring its systems, processes, organizational structure, and people to the desired level of performance?

My question to the IIA and all of you is:

Will the IIA’s draft move our profession and its practice forward to achieve these Core Principles?

I welcome your thoughts.

[1] The Core Principles were included in the update of the International Professional Practices Framework (IPPF), as recommended by the IIA’s Relook Task Force, of which I was privileged to be a member.

How do you audit risk management?

You can’t audit what you don’t understand.

That doesn’t mean you have to be an expert with years of experience as a risk practitioner.

But you have to know enough about risk management to be able to assess whether it is effective.

X

What does “effective” mean?

It means, in my opinion, that it meets the needs of the organization.

Unfortunately, too many see it as about managing or mitigating the downside of risk, rather than knowing how much risk to take. They use risk registers and heat maps and call that effective risk management. It’s not. These are not tools that help people make informed and intelligent decisions that enable the achievement of enterprise objectives.

Any assessment of risk management has to be broader and more useful to leaders of the organization.

X

If you pass the IIA’s exam and hold a Certification in Risk Management Assurance (CRMA), a certification I hold, does that mean you have the knowledge you need to audit risk management?

Certainly not. Many have those initials after their name but don’t have more than rudimentary knowledge.

X

How do you gain sufficient knowledge?

There are good books on the topic (of course, I recommend my own: World Class Risk Management, Risk Management in Plain English, and Risk Management for Success). Others can add their favorites in the comments.

A number of organizations have training on risk management. But be careful to sign up only for classes that discuss both downside risks and upside opportunities. (ISO 31000 includes both the upside and downside effects of uncertainty in their definition of risk). Too many teach and practice risk management as the mitigation of the downside of risk, rather than how to make informed and intelligent decisions and take the right level of risk.

You can also engage an expert to partner with you on the audit. That is what I did when we needed to audit the use of derivatives at Tosco Corporation.

X

One of the experts you might consider engaging is my friend, Alexei Sidorenko.

He has shared with us a free guide to auditing risk management.

In my opinion, it is well worth downloading and can be a helpful guide.

Is it complete? No. How can it be?

Effective risk management needs to be practiced in every nook and cranny of the organization, with a focus on enabling the decisions that matter and addressing the more significant risks (and risk includes “opportunities”) to the achievement of enterprise objectives.

Risk management should include how objectives and strategies are set, as well as how the organization executes to achieve them. Every decision relies on understanding what might happen (my preferred definition of risk) under each scenario.

It includes not only avoiding harms, but also seizing opportunities – making the right business decision. Sometimes, it is right to take more downside risk to gain upside potential.

It is not about the activities of any risk office. It is about the activities of every decision-maker.

An audit that seeks to provide an opinion on the effectiveness of risk management would be a major endeavor. It’s almost like assessing whether the system of internal control of the organization is effective, given that risk is both created and treated in every decision – both strategic and tactical.

We break down audits of internal control into manageable chunks. Each audit addresses one or more small pieces.

Do the same with risk management. Break it down into manageable chunks, such as:

• risk reporting to and discussion by the board
• supply chain risk management
• inventory risk management
• safety risk management for the Liverpool plant
• competitor risk management
• major project risk management
• quality risk management in Guadalajara.

Identify the possible engagements and risk rank them (the risk to enterprise objectives if risk management is poor, combined with the likelihood that the risk management is insufficient).

X

I haven’t written a book on the topic, although I might take on the massive project at a later date.

But I have provided a road map, especially in Risk Management for Success.

My advice to anybody wanting to audit risk management is to use the maturity model in the book. It is extensive.

I am a big fan of using maturity models in auditing topics like this, as the opinion will be on where the organization’s maturity level is rather than whether it is effective or not.

X

I welcome your thoughts.

Talking about an “audit universe”

When I started in internal audit a long time ago, I followed a practice that is still enshrined in the IIA’s Standards.

Basically, the process is:

1. Build a list of auditable entities and processes. For example, it might include the UK subsidiary, a joint venture, Treasury, accounts payable, and inventory management. The list can be very long and is called an Audit Universe.
2. Rank each entity in the list using attributes. They might include the time since the last audit, the level of revenue, the number and severity of past findings, the complexity of systems, whether there has been a change in those systems or in personnel, and more.
3. Build an audit plan to audit the higher rated entities.
4. During engagement planning, identify and prioritize the risks to those entities and processes.
5. Perform the engagements.

While the Standards require the CAE to build a risk-based plan, under this approach the plan is full of engagements that address risks to auditable entities rather than risks to the organization as a whole.

It’s really auditable entity auditing, rather than enterprise risk-based auditing.

The alternative, which I practiced for more than twenty years as a CAE, is a process designed to identify risks to the objectives and strategies of the enterprise as a whole.

1. Understand the organization’s objectives (and the strategies and plans for achieving them) including those that are not documented but assumed – such as compliance with applicable laws and regulations, and maintaining the safety of personnel.
2. Identify the more significant sources of risk to those objectives (relying to the extent possible on management’s own risk assessment processes). This is not an audit universe, but a Risk Universe. Big difference! It’s a list of enterprise risks, not a list of auditable entities.
3. Build and maintain an audit plan designed to assess the controls over the more significant enterprise risks. For example, include an audit of the UK subsidiary where the scope is to assess the controls in the UK where a failure could affect the selected organizational objectives – not just the UK firm’s objectives. This is enterprise risk-based auditing. (For detail on the approach and what it means for staffing and more, see Auditing that Matters, followed by Auditing at the Speed of Risk with an Agile, Continuous Audit Plan.)
4. During engagement planning, confirm the scope and objectives defined in the audit plan. Identify the specific controls relied on to address the selected organizational objectives.

We all want a “seat at the table”.

If you perform auditable entity auditing using an audit universe (which is still reflected in the IIA’s draft update of the Standards), you will earn a seat at the table of middle management, those responsible for an auditable entity or process. That is because they are the ones who will derive most value from your work. You are auditing the risks and concerns of middle management.

But if you perform enterprise risk-based auditing, you may get a seat at the table of the top executives, because they are the ones who will get the most value. You are addressing the risks and concerns of top management and the board.

Where would you like to sit, the top table or the children’s table?

Do you want, as the title of my book says, to perform auditing that matters to the organization and its success?

The Mission of Internal Audit (until it is replaced, perhaps, by a Purpose statement) is:

To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Is this best achieved with an audit universe or a risk universe?

Advice to the IIA and the Standards Board

The Standards should strongly suggest, if not mandate, providing the risk-based and objective assurance, advice, and insight that our leaders need (consistent with the Mission and the Core Principles, which you may have noticed I just enhanced by qualifying it with “that our leaders need”).

But they should not include the framework for doing that. Return to separate guidance that reflects best practices.

I await your comments.

Agility for success

We should be worried about whether our organization (and ourselves) are able to respond with agility as or even before things happen.

We need to go beyond questions of risk and resilience.

Questions that we might ask (whether on the board, in management, or practitioners of any stripe) include:

• How will we know when things that might affect our organization are:
  • Happening?
  • About to happen?
  • Possibly happening in the future?
  • Not happening – especially when we had expected them?
• Will that knowledge be:
  • Timely?
  • Complete?
  • Accurate?
• Are our systems:
  • Able to provide the information we need when we need it?
  • Able to change as our business needs to change, or are they inflexible? How fast can new or changed capabilities be added: minutes, hours, days, or weeks?
  • Sufficiently secure amidst dynamic change?
• Do we have the ability to respond, whether to threats or opportunities:
  • Promptly?
  • Adequately?
  • With confidence?
• Can we remain compliance and safe?
• Do we have a slow-as-molasses culture, or are decisions made at an appropriate speed, with appropriate quality information (not to slow, not too fast, but just right – the Goldilocks test)?
• Do we have stick-in-the-mud leaders and decision-makers who resist change?
• Do we have an organization structure that will resist or accommodate change?
• Will employees, especially key employees, embrace and make change happen with success?
• So we have the knowledge necessary for change?
• Do we have visionary or slow stakeholders, investors, and analysts who will get in the way of change?
• Will regulators, customers, suppliers, or others prevent necessary change?

McKinsey has an interesting piece: What is agile? I like this:

Agile is a way of working that seeks to harness the inevitability of change rather than resist it.

This about this:

Traditional organizations are optimized to operate in static, siloed situations of structural hierarchy. Planning is linear, and execution is controlled. The organization’s skeletal structure is strong but frequently rigid and slow moving.

Agile organizations are different. They’re designed for rapid change. An agile organization is a technology-enabled network of teams with a people-centered culture that operates in rapid-learning and fast-decision cycles. Agility adds speed and adaptability to stability, creating a competitive advantage in uncertain conditions.

Another McKinsey article covers interviews with HR executives: CHRO perspectives on leading agile change.

It’s one thing to believe you have effective risk management and are resilient. But is your organization sufficiently agile for success in this dynamic world?

I welcome your thoughts.

An excellent discussion of the draft IIA Standards

My congratulations to my friend, Jason Mefford (CEO of cRisk Academy) for a very interesting video discussion of the draft Standards. 

He moderated a 90 minute debate with:

• Rob Stingle – Head of Audit, Thrivent Financial
• Paul D. Smith – SVP Head of Global Audit, Reinsurance Group of America
• Robert Berry – That Audit Guy
• and Hal Garyn – President, Audit Executive Advisory Services

A number of very good points were made and it’s well worth spending the time to listen (its free).

I certainly hope the IIA staff and Standards Board members absorb the comments.

The panelists discussed whether the draft is a set of standards or a framework, and whether it really is principles-based or prescriptive.

They also discussed replacing the existing Mission, Definition, and Core Principles with the Purpose statement. They agreed it was a step back, not forward.

One of the questions that arises for me is “what is the purpose of the Standards?” In my letter to the IIA and Standards Board, I said:

In my opinion, they should serve as a basis for the effective and efficient professional practice of internal auditing across the globe.

They should establish what must be done, otherwise it is highly unlikely that internal auditing will be effective in delivering the assurance, advice, and insight on risks to the achievement of enterprise objectives that leaders of the organization (in management and on the board) need.

That foundation is then supplemented by recommended practices (“should”) that will in all likelihood lead to increased value to our stakeholders. Examples and further detail are added of practices that may be practiced.

The Standards therefore must not mandate practices that are not essential to delivering the value our stakeholders need. They must only mandate those that are.

They must avoid adding unnecessary bureaucracy and red tape, such as excessive documentation requirements. They add cost and divert scarce audit resources from performing valuable audit work.

 In the discussion Jason moderated, it was said that that many departments are of low maturity in their performance and we will shoot ourselves in the foot if we write Standards that are hard to achieve. They will be ignored and we will lose members.

But, my question is whether the Standards should set a level of performance that is easy and therefore more people would qualify, or should it set a minimum standard for what is considered a sufficiently professional internal audit activity?

If the Standard is too low, can we call ourselves a profession? Or is it (as one commented said) just a club?

If it’s high, yes we will prevent some from saying they comply. But is that a bad thing if their performance is less than minimally acceptable let alone desirable?

Shouldn’t we be setting an achievable and desirable level of performance, even if its a high bar?

Should we sit back and accept low levels of maturity in internal audit departments? Should we allow them to brag about being in compliance with the Standards while they deliver low levels of value to their customers?

Will that enhance the reputation and credibility of our profession? Or will it dilute it?

Returning to the webinar.

I believe (as was agreed by the panelists) that exclusion of some of the key phrases in the Mission statement and the Core Principles is a step backwards.

I totally disagree with them that the draft is “aspirational”, because it fails to promote enterprise risk-based auditing. Instead, it enshrines auditing what matters to middle management.

We MUST address what matters to the success of the organization, to the leaders on the board and in top management.

The draft will also drive inefficient bureaucracy and confuses compliance with quality.

You can see my assessment here.

Don’t sweat the small stuff!

Are you spending most of your time, 80%, 90%, or more, on risks and issues that are not significant to the success of the organization?

I like to quote Drew Stein, a retired CEO and board member in New Zealand. He said:

Almost all of IA findings are mundane operational compliance issues.

The same criticism can be levied at many risk officers.

We should all spend as much time as possible on the risks and issues where there’s at least a reasonable possibility of something happening that would derail our strategies, seriously impacting the likelihood of achieving enterprise objectives.

We should spend as little time as possible on everything else.

We could call this Lean Risk Management and Lean Internal Auditing: eliminating the muda (wasted time and effort that adds no real value to our customers). Wikipedia tells us:

Muda (無駄, on’yomi reading, ateji) is a Japanese word meaning “futility”, “uselessness”, or “wastefulness”,^[1] and is a key concept in lean process thinking such as in the Toyota Production System (TPS)

These days, top executives and boards have a great deal to worry about, including:

• Their reliance on the banking system and the availability of funds
• A potential recession
• The availability of the skilled (and unskilled) workforce they need
• Labor, energy, and material costs
• Potential weather effects on their business
• The ability of the organization to react to change with agility

Are practitioners worrying about these issues and how they can help? Are do they continue to audit payroll and look for duplicate payments?

Are we providing valuable assurance, advice, and insight on the controls over cash flow, investment of funds, the use of technology to reduce reliance on scarce labor, etc.?

This is why I have been talking about [enterprise] risk-based auditing for a long time and providing related guidance in Auditing that Matters, Auditing at the Speed of Risk with an Agile, Continuous Audit Plan, and Is your internal audit world-class? A maturity model for internal audit.

We have limited time and resources and need to make every second and every penny count.

We should examine everything we do and ask,

Is it really necessary? Or can we eliminate (or reduce it) without impacting the value we provide to our customers?

Are we auditing controls that, should they fail, would not represent a source of risk that would worry the CEO and the board? If not, why are they on the audit plan and in the scope of our engagements?

Are we talking to management about risks that might matter to a department head, but not to the achievement of corporate strategies?

This is probably the major reason I find fault with the draft update of the IIA’s Standards. They are supposed to be guidance for the “professional practice of internal auditing”. To me that implies they are guidance for effective and efficient internal auditing that delivers the value our customers need.

What can be eliminated from the IIA’s draft guidance without adversely affecting the value internal audit provides to the board and top management?

What can you eliminate from your:

• Audit plan
• Engagement scope
• Workpapers
• Audit report
• Quality assurance activities

… that wouldn’t reduce the value you deliver?

Maybe eliminating or minimizing muda here and elsewhere would free your team up to address areas of real significance and deliver more value!

I welcome your thoughts.

Following up on Audit Findings

When I first became a chief audit executive (CAE), I did what pretty much everybody did: instituted a periodic process to follow-up the status of management action plans.

After all, the IIA Standards say (2017 version):

2500 – Monitoring Progress

The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 – The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

Since my team issued a lot of audit reports (more than 100 per annum), this became a significant activity to the point that I put it on the audit plan and issued audit reports with the results.

This was fine until I presented the status of management actions at an audit committee meeting. This is roughly what happened as I answered questions from the directors:

Q: Does this represent what you believe is the current status of action plans?

A: It represents what management is telling me the current status is.

Q: Does that mean it might be incorrect? Have you audited the status they report?

A: It is possible, but I have no reason to believe their reported status is incorrect. We have not audited the status of every action item.

A second director joined in:

Q: Why are you monitoring the status of these actions? Shouldn’t management?

A: It’s normal practice for Internal Audit to do this. I see it as a service to management as they don’t have a process of their own.

Q: Aren’t there better uses of your time, especially as you are only reporting what management is telling you?

A: Good point. I will discuss that with the CFO after the meeting.

A third:

Q: Are these all the action items management is responsible for to address risk and control issues?

A: No. They identify issues themselves, such as through their monitoring of user access, and other functions like Quality or Security identify corrective actions as well.

Q: Why are you doing this then? It’s not a complete picture and we can’t really rely on it since you haven’t checked the status of every item yourself.

A: These are all good points. Thank you. I understand the audit committee would like me to work with management on a better way forward, which we will discuss after the meeting.

I met with the CFO and other senior managers, including the CIO. I included the CIO as many of the action items were in IT.

We agreed that management would be responsible for ensuring corrective actions were taken as agreed, and that they would let me know if there was a serious problem.

I continued to monitor some action items, but limited that to those that represented a serious risk to the organization. I included that information in maintaining my continuously updated audit plan.

X

I was not complying with the IIA Standard 2500.

If an auditor finds that management is not complying with one of its standards, they should find out why. When management’s actions are appropriate for the business, the auditor should talk to them about changing the standard.

In other words, blindly doing what you are told (whether by a standard or by an auditor) is not a good idea.

X

Why am I bringing this up today?

We have an opportunity to update the IIA’s Standards for the Professional Practice of Internal Auditing to include what is appropriate and necessary for efficient and effective auditing that delivers the assurance, advice, and insight the organization and its leaders need.

That update should include changing Standard 2500 (current version) and 15.2 (draft). The latter says:

Internal auditors must confirm that management has implemented the agreed-upon action plans.

Why is it still here?

Is it because “we have always done it”?

That’s a very poor answer! We wouldn’t accept it from an auditee!

Is it necessary and valuable, especially when we cannot audit and confirm the status of every action plan and we are not the only function that is identifying corrective actions?

The answer is no.

X

What does this mean for the rest of us?

We should all question the value of monitoring and reporting whether “management has implemented the agreed-upon action plans”.

If it has insufficient value vs. the time it takes, stop doing it – and inform the audit committee why. I expect they will agree.

After this episode with one audit committee, I changed my approach (focusing only on the follow-up of serious issues) with the wholehearted support of every audit committee I worked with.

I was not conforming with the Standards, but neither I nor the audit committee cared. We cared about the quality of internal audit services – assurance, advice, and insight – my team delivered.

I welcome your thoughts.

Comparing the draft IIA Standards and the Core Principles for Effective Internal Audit

One of the points I made in my review of the draft was that it is not consistent with the Core Principles for Effective Internal Auditing.

I have asked whether the principles on which the draft is based are the right principles.

Here is a comparison. My apologies for the formatting with lots of unnecessary white space (a defect in the editor).

Current Core Principles and my comments	Principles in Draft Standards
Demonstrates integrity. This is in the draft.	Principle 1 Demonstrate Integrity Internal auditors demonstrate integrity in their work and behavior.
Demonstrates competence and due professional care. This has been divided.	Principle 3 Demonstrate Competency Internal auditors apply the knowledge, skills, and abilities to fulfill their roles and responsibilities successfully. Principle 4 Exercise Due Professional Care Internal auditors apply due professional care in planning and performing internal audit services. Principle 5 Maintain Confidentiality Internal auditors use and protect information appropriately.
Is objective and free from undue influence (independent) This one has been divided and it is unclear whether Principle 10 adequately addresses “free from undue influence)..	Principle 2 Maintain ObjectivityInternal auditors maintain an impartial and unbiased attitude when performing internal audit services and making decisions. Principle 6 Authorized by the Board The board establishes, approves, and supports the authority, role, and responsibilities of the internal audit function.
Is appropriately positioned and adequately resourced. Positioning is partially addressed (only its independence, not its effectiveness to understand what it happening).	Principle 7 Positioned Independently The board establishes and protects the internal audit function’s independence. Principle 8 Overseen by the Board The board oversees the internal audit function to ensure the function’s effectiveness.  Principle 10 Manages Resources The chief audit executive manages resources to implement the internal audit function’s strategy, complete its plan, and achieve its mandate.
Demonstrates quality and continuous improvement.Quality is not guaranteed by conformance.	Principle 12 Enhances Quality The chief audit executive ensures conformance with the Global Internal Audit Standards and continuously improves the internal audit function’s performance.
Communicates effectively. This has been split and the requirement to monitor action plans (which should be a management responsibility) has been added.	Principle 11 Communicates Effectively The chief audit executive ensures the internal audit function communicates effectively with its stakeholders. Principle 15 Communicate Engagement Conclusions and Monitor Action Plans Internal auditors communicate the engagement findings and conclusions to the appropriate parties and monitor management’s progress toward the completion of action plans.

Aligns with the strategies, objectives, and risks of the organization. Provides risk-based assurance. Is insightful, proactive, and future-focused. Promotes organizational improvement. These four core principles are not addressed, and have been replaced.

Principle 9 Plans Strategically The chief audit executive plans strategically to ensure the internal audit function fulfills its mandate and is positioned for long-term success. Principle 13 Plan Engagements Effectively Internal auditors plan each engagement using a systematic, disciplined approach. Principle 14 Conduct Engagement Work Internal auditors implement the engagement work program to achieve the engagement objectives.

Advice to the IIA on their draft Standards

A little over a week ago, I shared my report on the draft. I urged everybody not only to read the draft carefully and answer their survey, but to share their overall assessment directly with the IIA and on this blog site – so everybody can see  and consider all of them.

What you may not know is that I have been talking to the IIA staff and some members of the Auditing Standards Board for months.

Have a look at my post from September, 2022: Updated Internal Audit Core Principles. I said (note today’s highlights):

We should have a few principles for the IPPF’s principles.

1. 1. Effective internal audit in conformance with the Standards requires that all the principles are present and functioning.
   2. Present and functioning means that there are no major deficiencies in the achievement of the principle.
   3. Therefore, the only principles that should be included in the IPPF are those necessary for an effective internal audit function. A proposed principle is not relevant if it is not necessary, if internal audit can be effective in its absence.
   4. Achievement of the principles should not only be necessary for effective internal auditing, but also for the internal audit function to be a trusted partner of both management and the board.

And:

I would like your thoughts on these as a replacement and expansion of the principles around the valuable products of the internal audit function.

• • Provides constructive assurance, advice, and insight on what matters to the success of the organization, including the achievement of its enterprise objectives, when it is needed by management and the board.
  • Is forward-looking, focused on the effectiveness of the organization’s governance, management of risk and opportunity, and related systems of internal control in providing reasonable assurance of the organization’s current and future success.
  • Focuses on what matters to the success of the organization, the achievement of enterprise objectives, addressing both current and future risks and opportunities that might have a significant effect on its success.
  • Works with management, listening in a collaborative manner and exercising its independent, professional judgment, to promote improvement in the organization’s systems of governance, management of risk, and internal control.
  • Shares the results of its work through a combination of timely written and oral communications that are fair, balanced, concise, clear, and actionable.

Feedback from staff and leaders included:

“Thanks! Some great points.”

“Thank you for sharing… I shared it with the IIASB chair and staff.”

In emails about the issue of including agreed action plans instead of recommendations in the audit report: “We definitely agree with you, Norman.  We have had a couple of lengthy discussions about this topic and, while recommendations may still be a part of the process of getting to a final report, agreed-upon actions is definitely the goal.  We’re still working on how to best state that, recognizing that in some IA functions they are only asked for recommendations, but the best practice is to work with management on a solution that both agree manages the underlying risk to an acceptable level.”

In emails about the topic of enterprise risk-based audits: “That is our goal too, business objective based and risk based audit.”

This exchange over the last six months or so is why I am so disappointed in the draft that has emerged.

The people I have been talking to on staff and on the ASB understood and agreed with everything I said. Yet they have produced a long document that flies in its face.

They took a very long time to share what I consider a flawed document.

Rubbing salt in the wound, they have publicized it with great hoopla, talking about it being “a defining moment for the profession”.

How can they now walk it back, recognizing the need for substantial change?

PLEASE, join me in carefully reviewing, then sitting back and thinking about the draft.

Whether you agree with me or not, share your overall assessment with IIA staff at standards@theiia.org as well as here in the Comments.

The IIA survey is insufficient to capture whether the draft Standards meet the needs of the profession and should be published.

As with all audit reporting, the earlier the better so they can start work on corrective actions.

Thanks

The efficient and effective internal auditor

The IIA has released for public comment a draft update of its Standards.

I believe it is important for everybody who shares my desire to advance the internal audit profession and its practices to review and share feedback on the draft.

X

I took my time in carefully reviewing the draft, line by line, and then sat back to reflect.

Everybody should, in my opinion, do the same.

X

The IIA Standards Board, leadership, and staff spent most of 2022 working on this renewal of the Standards. I congratulate them on the significant changes, including some that I have been talking about for years.

I was looking forward to a document that would recognize and promote the development of efficient and effective practices around the world. One change that I am pleased to see they have made is the need to update the internal audit plan as conditions change, at the speed of risk and the business.

I was hoping that I could get behind a new set of Standards and promote it actively.

I am unable to do that.

X

Unfortunately, the IIA’s survey (which I was happy to complete) does not include a request to assess whether the draft should be approved, approved with minor changes, approved only after specific major changes are made, or otherwise.

X

I decided to write what is essentially an audit report to communicate my overall assessment of the draft and the specific major issues I have. I am using the word “major” in the same way as COSO: a deficiency that prevents the draft from achieving its purpose, its objectives.

With that in mind, I considered and included in the report what I believe the value of the IIA Standards, their purpose, should be. Then I assessed whether the purpose was met.

My overall opinion was not favorable.  You can download a copy of my report here. I have embedded a copy below this post.

I have a deserved reputation for being direct, even blunt. I have been that in my report, which I shared with IIA leadership as well as staff and members of the Standards Board.

X

As far as I can tell, and I have asked the IIA, they will not be posting the comments they receive, so I am sharing mine here. They have not voiced any objection.

I ask that you share your assessment of the Standards here, copying or linking any response (other than the survey), so we can all see and discuss each other’s thoughts. I expect the IIA staff and members of the Standards Board will be checking here to see what is said.

Please review the draft carefully. It is important.

Complete their survey and, if you have additional comments or want to share an overall opinion with them, the email is standards@theiia.org.

X

If you agree with my points and observations, I would appreciate your so informing the IIA as well as posting your comments in this blog.

If you disagree, please post your comments. X

I am especially interested in your thoughts on:

1. My statement about the purpose and value of the Standards.
2. Whether the draft Standards fulfil that purpose.
3. Your thoughts on each of my major issues. X

Thanks

X

PS – I am open to panel or other open discussions of the draft.

norman-marks-review-of-iia-standards-draft-of-march-2023-1Download