Archive

Posts Tagged ‘IIA’

Internal Audit in Crisis Times

November 16, 2020

My friend, Hal Garyn, has shared his views on Internal Audit in these difficult times: It’s Crisis Time: Does Internal Audit Have a Say?

He makes several first class points and I strongly recommend this article to you. For example, he says:

  • Just because internal auditors want a seat at the table, doesn’t mean senior executives will automatically pull back the chair and gesture for audit leaders to sit. It must be earned. Once it’s earned, it must be retained. Auditors earn and keep a seat at the table by continuously providing valuable insights, making commitments, and delivering on promises.
  • Just because we think we have something important to say, does that information matter to our colleagues? Is it the right information, at the right time, delivered to the right people, and is it insightful?
  • Internal audit, even with its reliance on technology, data analytics, and electronic communication, will still be most successful because of the interpersonal relationships it has now and will develop over time.
  • Look at internal audit from the outside in, not the inside out: Focus on what the organization really wants from internal audit, not just what we believe we should provide.
  • Consider and prioritize the work that is absolutely necessary, even if it is outside the typical internal audit work, and leave the work that doesn’t address the immediate problems for another time.
  • Volunteer to help: Determine how you can help and figure out how to do it. Don’t wait to be asked. The four words every internal audit leader should be asking senior executives are: “How can I help?”
  • Be more flexible with risks to objectivity: While objectivity is fundamental to internal audit, in times of crisis, what the organization needs should potentially take precedence over preserving objectivity.
  • Move to a near-continuous risk assessment: Risk is dynamic, not static. Right now, risks are quickly evolving in terms of impact, likelihood, severity, duration, and velocity. If you are conducting risk assessments on a quarterly or, dare I say, annual basis, your assessments are yesterday’s news.

I usually end my posts with, if not criticisms, additional perspectives and suggestions.

I don’t want to dilute Hal’s article and leave you to read it in its entirety.

I welcome your thoughts.

Death of the Audit Report

October 18, 2020

I have known my friend Hal Garyn for a long time. He is a gentleman for whom I have great respect and we usually are in full agreement on topics of mutual interest.

But I am only in partial agreement with his recent article, Death of the Audit Report: It’s Time to Reconsider How to Convey Internal Audit Findings.

As usual, I will point to some of his excellent comments:

  • …why do we issue audit reports? Are we required to do so? And are there other options? Does the return on investment outweigh the time spent drafting, editing, reviewing, and issuing traditional internal audit reports? We’ll explore these questions in depth, but the short answer is a resounding “no!”
  • When most internal auditors consider why they issue audit reports, far too many say it is because “the Standards require us to.” Well, that is not true at all. The Institute of Internal Auditors’ Standards for the Professional Practice of Internal Auditing states the following regarding reporting the results of internal audit work:

“Internal auditors must communicate the results of engagements.” – IIA Performance Standard 2400.

  • So, if the Standards do not say, “you must issue an audit report,” why do we do it? Another common response to the “why” question, beyond erroneously thinking that we need to, is: “Because that’s the way we have always done it.” If we are unwilling to accept a statement like that as an answer from an audit client, then that cannot be an acceptable answer for why we continue to issue standard audit reports.
  • Jason Mefford, president of Mefford Associates and CEO of cRisk Academy, agrees that it’s time to rethink the traditional audit report and instead focus on the best way to achieve its objectives. “We all need to rethink how we communicate the results of our audit work,” he says. “The typical long, jargon-laden internal audit report may not be the most effective way to do that any longer. In fact, if you want to find an extra 30 percent of time in your budget, quit wasting time writing reports,” he asserts. In a time when efficiency matters, the audit report process may be long overdue for an overhaul.
  • Remember when our high school writing teachers advised us to begin with the end in mind.
  • The report, in the end, is just a means of communication. Communication only has value if what the author wants to say is completely and accurately understood as intended by the recipient of the communication. The communication is in a form that is most easily digested so it can be acted upon in some way by the recipient, in the manner originally intended.
  • In a recent poll conducted on LinkedIn of internal audit leaders, 22 percent of respondents said the average length of their standard audit report is more than 10 pages, and another 48 percent said the average length of their audit reports ran 5 to 10 pages. With these lengths, it is possible that such reports are not easy to read or digest. Some internal auditors will readily admit that they are not written with the reader in mind.
  • Improving our audit reports starts with considering your audience and asking a few simple questions: What information do they need to know?

Hal sets the table well.

The traditional and long audit report needs to be transformed.

It starts, as he says, with understanding:

  1. Who the intended audience is, the recipients of your communication
  2. What they need to know
  3. What the best way is to communicate that information. It has to be in a way that gets their attention, tells them concisely what they need to know, and enables appropriate actions
  4. How to eliminate what is unnecessary so that the necessary stands out and is easily consumed

My first and perhaps most important disagreement with Hal, and it’s a strong disagreement, is around the purpose of the communication.

I disagree with each of these quotes:

  • “The ultimate objective of internal audit reporting is not to describe what we found or to make recommendations for improvement. It should be to persuade readers to take action,” Richard Chambers
  • “The goal is risk mitigation and operations improvement, not reports,” Amanda “Jo” Erven
  • “Communications must include the engagement’s objectives, scope, and results.” – IIA Performance Standard 2410.

He also makes these statements, with which I strongly disagree:

  • What is the best way to sufficiently document the work that was completed? And, most importantly, what is the best way to convey the findings that, when addressed, will make the biggest impact on the organization?
  • Regardless of how we communicate the results of our audit work, each ‘finding’ must cover certain elements that are fundamental to good internal audit reporting. There are great articles and other material covering the details, but be sure that each finding addresses these elements if you want to completely cover the matter at hand: condition, criteria, cause, effect, and, in most cases, a recommendation.

This is a vitally important topic and I cover it in detail, with examples and practical suggestions, in Auditing that Matters.

Let’s go back to the point that this is about communicating, not writing an audit report.

It is vital that we realize that our obligation is to communicate the results of our work and to whom that communication will be.

We need to communicate to increasingly senior levels of management and then to the audit committee of the board.

As I say repeatedly in the book, we need to communicate:

  • what they need to know rather than what we want to say (and there’s a huge difference)
  • when they need to know it (typically at the speed of decision-making)
  • in a way that is actionable, eliminating the unnecessary that makes the communication hard to receive

What do they need to know?

As we say in the Core Principles and the Definition of Internal Auditing, we provide:

  • Assurance
  • Advice, and
  • Insight

If you are seeking assurance from a doctor, auto mechanic, or other specialist, do you want a formal report? Isn’t it better to talk to that expert and listen to what they have to say, with an opportunity to ask questions, perhaps (and only perhaps) supplemented by a written report? Maybe the written report can summarize the communication for later reference or sharing.

If you want advice from a parent, attorney, tax accountant, or other authority, do you limit the communication to a formal report? Again, isn’t a real discussion better for you? Maybe a formal report with detail can help, but it is usually not sufficient by itself and may be unnecessary. I don’t want to pay an attorney to write a formal report that summarizes what he or she has just told me.

The whole point of insight is that it is typically not included in formal reporting. It’s the enormously valuable professional opinion of the auditor that may be hard to prove with solid evidence. For example, I have discussed both individual managers and the structure of the organization with executives.

Similarly, when have you ever tried to persuade somebody to do something by writing a report when you can talk to them?

I could continue with challenging the need to document our work (we have working papers for that) or to include all the details such as scope and objectives, criteria, condition, and so on. Our customers don’t need to see all of that. It’s for our benefit – or for history (and only regulators and historians will care).

So I repeat:

  • Tell them what they need to know, when they need to know it, and in a form that is readily actionable.
  • Put in writing only what our customer will want in writing.
  • Communicate, communicate, communicate – but don’t forget to LISTEN!

If you focus on listening and talking to management and the board, with a thoughtful discussion of the situation, not only will your objectives be achieved but you will have credibility with them.

This is not going to be easy for everybody – but it will pay off in spades.

I welcome your thoughts.

Auditing in a turbulent and dynamic environment

October 5, 2020

There’s little doubt that this year has brought many challenges to organizations and their internal audit teams in every corner of the world.

It has been both a challenge and an opportunity: an opportunity to sit back and consider whether there is a better way for internal audit to work.

For example:

  • How often should we update our understanding of the risks and opportunities facing the organization?
  • How often should we update the audit plan?
  • How do we make sure we know about new or changed risks so we are in a position to update the plan?
  • If we update the plan at the speed of risk, how do we communicate that to management and the audit committee? Do we continue to measure ourselves based on completion of the annual audit plan?
  • Do we have the right people and resources to address all the issues that matter to the success of the organization?
  • Are we auditing issues that are not worth our time? Do our audits include in their scope issues that, should we find deficiencies, would not be significant to top management and the board?
  • How do we change from full-scope audits to those that only focus on things that matter?
  • Are we lean in our approach? Do we include activities, such as careful and extensive documentation, that we could and should cut back?
  • Can we audit faster, using fewer resources?
  • Do we have the people capable of doing sufficient work to reach an opinion at speed?
  • Do we know how to stop when we have done enough and accelerate when we have not?
  • Are we timely in sharing our assessments and insights?
  • Are we agile?

Every CAE and audit management team should be asking these and similar questions – and being prepared to change.

Nobody likes change, especially if you might be giving up something that has served you well in the past.

But now may be the time to embrace it.

Richard Chambers has a short video that I recommend on having an agile mindset.

But while an agile mind is very important, the body has to be able to respond with agility.

If you take a month or more to complete an audit, are you agile?

If it takes you a couple of weeks before you issue the audit report, are you agile?

If your process requires two weeks of planning and such before you even start, are you agile?

If you are leaving many important risks untouched every year, are you sufficiently agile? I am not referring to the size of your budget but your ability to make the best and most efficient use of limited resources.

To quote Richard, are you smart and fast enough in your auditing?

For more on this, read (or re-read):

I welcome your thoughts.

New advice for internal auditors

July 27, 2020

There’s a new article that merits our attention. It’s from the software vendor, MetricStream.

Strengthening Internal Audit’s Business Impact makes some good points:

  • From corporate policemen to strategic advisors, internal auditors have come a long way over the past decade. Today, boards and leadership teams are looking to them not just to point out where internal controls are inadequate or ineffective, but to provide insights on how the business can improve its efficiency and operating effectiveness.
  • One of the simplest ways for internal auditors to create value is to ensure that their objectives and plans are always aligned to business objectives.
  • Internal auditors might even want to challenge the business objectives to ensure that they are precise, attainable, and practical.
  • Many audit training programs focus on enhancing the technical skills or domain expertise of the audit team, but it’s just as important that they build the team’s business knowledge as well.
  • Reporting is internal audit’s opportunity to weave together what they’ve seen and observed into one cohesive set of insights that can help the business catalyze efficiency, performance, and growth.
  • When business leaders understand which audit issues are most likely to impact the achievement of their goals, they can then prioritize their responses.
  • Agile auditing focuses on responding more dynamically to changing risks and stakeholder expectations.
  • While traditional audits are often planned based on the capabilities and capacities of the audit function, agile audit plans tend to focus more on what the business needs.
  • Internal auditors today have the opportunity to create real business impact.

These are all good points.

BTW, they are a software vendor, so I suggest ignoring their comments about technology and its use by internal auditors. There is frequently a great deal of value, but it’s neither certain nor the same for every organization.

My thoughts:

  • Internal audit has progressed significantly over the last decade. Perhaps half have moved away from annual audit plans to ones that are far more dynamic (in line with agile auditing, although that term is newer than the practice of continuous audit planning). There is still a lot of progress to be made to bring the other half to a more dynamic process and everybody to more of a continuous planning activity than one that is quarterly.
  • The reference to insights is very important. When we developed the Core Principles, we were referring not only to the traditional comments in the audit report, but also to the insights we have as professionals that may or may not be backed by hard evidence, but should be shared with leadership.
  • The idea of “aligning to business objectives” seems passive to me. It sounds like you pick the audits you want to do and then identify which are the objectives to which they might relate. I very much prefer to consider the objectives, what is relied on to achieve them, and then plan audits to provide related assurance, advice, and insight. Add to that ensuring that we only perform audits where there is a strong likelihood that our results will provide valuable information to leaders of the organization.
  • The idea that internal audit challenges the setting of business objectives is, itself, challenging. It’s fair that we say something if we don’t believe the processes for setting the objectives are sound. For example, we should point out situations where functions like Compliance were not consulted, or if the impact of technology advances has not been considered. I think it’s also fair if the objectives of a team or business unit are not properly aligned with those of the enterprise as a whole, or are in conflict with another department, business unit, etc. But I am not sure we should challenge them based only on whether we think they are the right objectives.
  • I agree entirely with the need to make sure auditors understand the business. But let’s not forget other soft skills, such as interpersonal communications, listening and interviewing skills.
  • There’s a lot I could say about reporting. Let me just make two points. 1. It’s not about reporting, it’s about communicating. 2. Tell them what they need to know, not what you want to say.
  • If you cannot explain why something is important and how it affects the achievement of objectives, maybe it isn’t and doesn’t – and management should ignore you.
  • We can and should have a significant impact on the business, but that requires that we audit what matters, when it matters, and communicate the assurance, advice, and insight leaders need for success.

I welcome your thoughts.

The Three Lines of Defense Model is no more

July 20, 2020

Today, the IIA released what I would call a replacement for its Three Lines of Defense Model. The old model was released in a Position Paper in 2013, The Three Lines Of Defense in Effective Risk Management and Control.

One of the more significant things to note is the change in name to The Three Lines Model.

Before you read and digest the new model, I suggest you read an excellent introduction by Richard Chambers, New IIA Three Lines Model Offers Timely Evolution of a Trusted Tool.

I disagree with Richard’s piece in one respect, when he says the new model (and it is almost entirely a new piece of work) will change the way many organizations look at risk and controls. I think that is hyperbolic optimism.

Before going further, I should reveal that I am one of the 30 members of the advisory group. But having said that I can also tell you that I was highly critical of each of the previous drafts I received for review and comment. I even made calls to Richard and others pleading for dramatic change, if not destruction of those drafts.

I am thrilled to tell you that I wholeheartedly endorse the new model. It’s not perfect, nothing can be, but it comes close. It has a great deal of value and merits a close read with careful attention to each phrase.

The only change I would have required to the final product would have been to strengthen the discussion of the independence of internal audit by requiring that the compensation, hiring, and termination of the CAE be the responsibility of the governing body, not management.

You can download the new Model from this page.

Some of the improvements:

  • It is no longer only about “defense,” protecting rather than creating value. It’s about achieving objectives and that requires both creation and protection of value.
  • It repeats the consistent message from the IIA, only more clearly, that management is responsible for achieving objectives and the success of the organization, with oversight from the governing body (the board). That includes understanding and addressing what might happen, “risk”.
  • It helps organizations understand the responsibilities of and relationships among the board, management, internal audit, and others.
  • It is based on principles that are sound and useful.
  • It recognizes that what we used to call the second line is really part of management. Now my concern about the old model and trying to fit in functions like Legal, Compliance, Information Security, Quality Management, and so on is addressed by recognizing that there is some fluidity between first and second lines.
  • The Model emphasizes the need for collaboration, the essence of GRC (see my earlier post).
  • It also confirms that risk management contributes “to achieving objectives and creating value, as well as to matters of “defense” and protecting value”.
  • The final version of the diagram is simple. There’s no need any more to argue about whether there are three, four, five, or even six lines.
  • It’s less about “lines” than it is about who does what and how they collaborate for enterprise success. The Model continues to use the word “lines”, but is almost apologetic for doing so.

I will close with just one excerpt that I like, with one sentence in particular highlighted:

Internal audit’s independence from management ensures it is free from hindrance and bias in its planning and in the carrying out of its work, enjoying unfettered access to the people, resources, and information it requires. It is accountable to the governing body. However, independence does not imply isolation. There must be regular interaction between internal audit and management to ensure the work of internal audit is relevant and aligned with the strategic and operational needs of the organization. Through all of its activities, internal audit builds its knowledge and understanding of the organization, which contributes to the assurance and advice it delivers as a trusted advisor and strategic partner. There is a need for collaboration and communication across both the first and second line roles of management and internal audit to ensure there is no unnecessary duplication, overlap, or gaps.

What do you like or dislike about the Model?

Please share and let’s discuss.

When to audit business locations

August 16, 2015

One of the readers of my work sent me this message.

I was reading your article about modern risk based audit [link added] published in the IIA journal. I find the approach very interesting.

In developing my plan I used to do the traditional risk assessment by identifying the audit universe then prioritizing entities based on risk. In your suggested approach, an auditor should start from the company strategy and objectives, identify the risks that jeopardize these objectives (this could be done through risk management) then audit controls related to those risks.

I had a discussion about that approach 4 months back and I got a lot of opposition from CAEs who audit banks. Their opinion is that they have to audit the big branches every year. I would really appreciate your opinion on that as, for some industries, it seems that covering the audit universe is as important as starting from the risks to objectives (such as expansion in a certain country).

I have seen a lot of CAEs surrender to the old approach simply because they are not politically strong to raise big strategic alarms to their board audit committees and senior management.

Apologies for reaching out to you this way, but I’m very passionate about what I do and I would like to learn and implement new good ideas such as the one suggested by you in the IIA journal.

I will start working on my annual plan now, changing the lens to start from the risks to objectives and not from the audit universe. I would appreciate the opportunity to be able to reach out to you if I have difficulty in implementing this.

I enjoy the opportunity to mentor others and to evangelize internal auditing, so I replied straight away.

I used to be in internal audit at a bank, in ancient history, and understand the perspective. The idea is that the larger branches are a significant source of risk. I don’t quarrel with that, but how much work do you need to do there – that’s the key question! Do you look at every risk that is significant to the branch, or only those that are significant (in aggregate) to the bank as a whole?

The risk (pun intended) is that by focusing on details at the branch level you miss the big picture. I write about this in my internal audit book. At Solectron, we had about 120 factories (sites) and margins were so small that a serious issue at any one site could be significant to the business as a whole. My predecessor had an audit plan that spent 90% of the time auditing the sites.

Soon after I took over as CAE, I went over to my IT auditor who, like the rest of the team, was preparing for the next site audit. I asked what he was working on – perhaps looking at some analytics to improve his understanding of the business before he arrived. No. He was starting to draft the audit report! He told me that he found the same issues at every site, so he knew in advance what he would find at the next one!

I asked what corrective actions came from his findings and he explained that local management would upgrade the security, etc.

But, when I asked whether he or the former CAE had thought about whether this pervasive problem should be escalated to corporate and the office of the CIO, he said “no”. No audit had been performed of corporate IT, even the corporate IT security function.

Down in the weeds, missing the big picture.

I changed the approach to the one I discuss in my writing. We looked at the business risks to the enterprise should IT fail in some fashion. That led us to audit the way in which the company approached IT security, the leadership and capabilities of the corporate IT function, and so on.

Recently, Paul Sobel and I were on an OCEG webinar and talked about the topic of my book, world-class internal auditing. One of the survey questions asked whether those listening based their audit plans on risks at the location level or at the enterprise level. Unfortunately, the great majority used the ‘old’ approach, but we were heartened to hear that they intended to move to the ‘newer’ enterprise-risk based approach.

Where are you now and are you changing?

What should be audited at each location or within each business process? The risk to the process or the risk to the enterprise?

By the way, look at a related post on the IIA blog (it will appear this week) where a board member says that most internal audit ‘findings’ are mundane. I believe that is due, in part, to auditors being focused on risks in the weeds rather than to the enterprise.

Assessing the organization’s culture

August 1, 2015

It’s difficult to argue that an organization’s culture does not have a huge effect on the actions of its board, management, and staff.

Fingers have been pointed at the culture at GM, Toshiba, a number of US banks, RBS, and more – asserting that problems with the culture of the organization led to financial reporting issues, compliance failures, and excessive risk-taking.

Now, a new report by the Institute of Business Ethics, Checking Culture: new role for internal audit, “shines a spotlight on the role of internal audit in advising boards on whether a company is living up to its ethical values”.

The authors quote the CEO of the UK’s Chartered Institute of Internal Auditors (UKIIA):

“Through a properly positioned, resourced and independent internal audit function a board can satisfy itself not only that the tone at the top represents the right values and ethics, but more importantly, that this is being reflected in actions and decisions taken throughout the organisation.”

In 2014, the UKIIA published Culture and the role of internal audit.

I strongly recommend reference to both papers.

As usual, I have some concerns.

  • While internal audit clearly has a role, why is the assessment of culture not performed by management – specifically by the Human Resources function? Wouldn’t internal audit add more value if it worked with that function and helped them not only assess culture periodically but build detective controls to identify potential problems on a continuing basis?
  • There is no single culture within an organization. The UKIIA report includes this great quote: “The problem is; complex organisations, like the NHS [the National Health Service], mean there is no ‘one NHS’. There is a tangled undergrowth of subcultures that, even if they wanted to march in step, probably couldn’t hear the drum beat”.
  • Culture has many forms: ethics; risk; performance; teamwork and collaboration; innovation; entrepreneurship; and so on. All of these are critical to success, but they can be in conflict with one another, such as risk-taking and entrepreneurship. Any audit engagement would need to focus on specific areas and know where management and the board draw the line between acceptable and non-acceptable. Taking too little risk can be as damaging as taking too much!
  • Culture is very personal! It changes as managers and other leaders change, as business conditions change, and so on. Any audit engagement has to take note that the behavior of decision-makers can change in an instant and any assessment can quickly be out-of-date and misleading. In fact, poor behavior by a tiny fraction of the organization can have massive impact – and this may not be detected by any survey.

Does this mean that internal audit should not have a role? No. They should.

This is my preference:

  1. All internal auditors should be aware and alert to any indicators of inappropriate behavior of any kind: from ethical lapses, to excessive risk-taking, to disregard for compliance, to poor teamwork, to ineffective supervision and management, to bias or discrimination, to – you name it.
  2. Internal auditors should not be afraid of bringing these issues to the attention, not only of senior internal audit management (so that the need can be assessed for a broader review to determine whether this is an individual, team, or broader problem) but to more senior management and Human Resources so they can take action.
  3. The CAE should talk to the CEO and the head of Human Resources and help them establish the proper guidance, communication and training in desired behaviors, as well as periodic assessments and detective controls to assure compliance.
  4. The CAE and the CEO should discuss the organization’s culture and its condition with the board (or committee of the board) on a regular basis. My preference is for the CEO to take the lead, with additional information provided by the CAE on internal audit’s related activities and opinion.

For a different spin, check these out:

What do you think the role of audit should be, especially vs. the role of management, when it comes to culture?

Core Principles for Effective Internal Audit

July 24, 2015

The IIA released an update to its standards (specifically, the International Professional Practices Framework, or IPPF) at its recent International Conference, in Vancouver. They now include new Core Principles for the Professional Practice of Internal Auditing, as well as a Mission of Internal Audit statement.

This is how the principles are described:

The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles should be present and operating effectively. How an internal auditor, as well as an internal audit activity, demonstrates achievement of the Core Principles may be quite different from organization to organization, but failure to achieve any of the Principles would imply that an internal audit activity was not as effective as it could be in achieving internal audit’s mission (see Mission of Internal Audit[1]).

  • Demonstrates integrity.
  • Demonstrates competence and due professional care.
  • Is objective and free from undue influence (independent).
  • Aligns with the strategies, objectives, and risks of the organization.
  • Is appropriately positioned and adequately resourced.
  • Demonstrates quality and continuous improvement.
  • Communicates effectively.
  • Provides risk-based assurance.
  • Is insightful, proactive, and future-focused.
  • Promotes organizational improvement.

I was privileged to be a member of the task force (RTF), composed of leading internal audit practitioners from across the globe, which recommended that the IIA leave the definition of internal audit unchanged but add core principles and a mission statement. Taking the last item first, we recognize that each IA department will probably have its own mission statement, customized to its organization and charter. However, including a generalized mission statement in IIA guidance would be useful.

The RTF debated whether the IIA standards are rules-based or principles-based. We all felt that they are principles-based, so somebody asked what those principles are. After a lot of discussion, we developed ten that, after minor word changes, are the Core Principles listed above.

In August, I am joining with Paul Sobel in a free OCEG webinar to discuss World-Class Internal Auditing (based, in part, on my book of the same name). One of the questions we will each answer is which of the principles is our favorite. My choice will probably be “is insightful, proactive, and future-focused”. I explained why in a post last year, Auditing Forward.

But, I might also choose “communicates effectively”. Here are a few excerpts from the book:

It is revealing that the IIA Standards do not require an audit report! Standard 2400, Communicating Results, simply says “Internal auditors must communicate the results of engagements.”

The audit report, I learned, is not a document that summarizes what we did and shares what we would like to tell management and the board.

Instead, it is a communication vehicle. It is the traditional way internal audit communicates what management and the board need to know about the results of our work.

The audit report is not for our benefit as internal auditors. It is not a way to document our work and demonstrate how thorough we were. It is for the benefit of the readers of the report, management, and (when I was CAE) the audit committee. It tells them what they need to know, which is typically whether there is anything they need to worry about.

………………….

I talked to my key stakeholders in management and on the audit committee and listened carefully so I could understand what they needed to hear after an audit was completed.

I heard them say that they wanted to know the answers to two questions:

  1. Is there anything they need to worry about?
  2. Are there any issues of such significance that somebody in senior management should be monitoring how and when they are addressed?

In other words, they wanted to manage by exception. They were going to trust internal audit and operating management to address routine issues; they didn’t want to waste their time (my expression; they didn’t actually use those words) on matters that didn’t merit their attention.

………………….

The traditional way to express an opinion in an audit report is through a rating scale, such as one that uses a three-point scale of Satisfactory, Needs Improvement, and Unsatisfactory.

I don’t believe that a rating scale conveys to the executive reader what they need to know.

If we are tasked with assessing controls over risks, we should not only be telling management whether the risks are being managed effectively but explain, in business language, the effect on corporate objectives.

………………….

My focus is always on providing each stakeholder with the information they need to run the business, when they need it, in a clear and easy-to-consume fashion.

………………….

Which are your favorite principles?

Do you agree with my thoughts on auditing forward and effective communications?

How does your internal audit department measure up to these principles?

[1] To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Evaluating the external auditors

June 14, 2015 7 comments

The Audit Committee Collaboration (six associations or firms, including the National Association of Corporate Directors and NYSE Governance Services) recently published External Auditor Assessment Tool: A Reference for Audit Committees Worldwide.

It’s a good product, useful for audit committees and those who advise them (especially CAEs, CFOs, and general counsel).

The tool includes an overview of the topic, a discussion of important areas to assess (with sample questions for each), and a sample questionnaire to ask management to complete.

However, the document does not talk about the critical need for the audit committee to exercise professional skepticism and ask penetrating questions to test the external audit team’s quality.

Given the publicized failures of the audit firms to detect serious issues (fortunately few, but still too many) – the latest being FIFA (see this in CFO.com) – and the deficiencies continually found by the PCAOB Examiners, audit committees must take this matter seriously.

Let me illustrate with a story. Some years ago, I joined a global manufacturing company as the head of the internal audit function, with responsibility for the SOX program. I was the first to hold that position; previously, the internal audit function had been outsourced. Within a couple of months, I attended my first audit committee meeting. I informed them that there was an internal control issue that, if not addressed by year-end, might be considered a material weakness in the system of internal control over financial reporting. None of the corporate financial reporting team was a CPA! That included the CFO, the Corporate Controller, and the entire financial reporting team. I told them that, apart from the Asia-Pacific team in Singapore, the only CPAs on staff were me, the Treasurer, and a business unit controller. The deficiency was that, as a result, the financial reporting team relied heavily on the external auditors for technical accounting advice – and this was no longer permitted.

The chairman of the audit committee turned to the CFO, asked him if that was correct, and received an (unapologetic) affirmative. The chairman then turned to the audit partner, seated directly to his right, and asked if he knew about this. The partner also gave an unapologetic “yes” in reply.

The chairman then asked the CEO (incidentally, the former CFO whose policy it had been not to hire CPAs) to address the issue promptly, which it was.

However, the audit committee totally let the audit partner off the hook. The audit firm had never reported this as an issue to the audit committee, even though it had been in place for several years. The chairman did not ask the audit partner why, whether he agreed with my assessment of the issue, why the firm had not identified this as a material weakness or significant deficiency in prior years, or any other related question.

If you talk to those in management who work with the external audit team, the most frequent complaint is that the auditors don’t use judgment and common sense. They worry about the trivial rather than what is important and potentially material to the financial statements. In addition, they often are unreasonable and unwilling to work with management – going overboard to preserve the appearance of independence.

I addressed this in a prior post, when I said the audit committee should consider:

  • Whether the external auditor has adopted an appropriate attitude for working with the company, including management and the internal auditor
  • Whether the auditor has taken a top-down and risk-based approach that focuses on what matters and not on trivia, minimizing both cost and disruption, and
  • Whether issues are addressed with common sense rather than a desire to prove themselves

Does your audit committee perform an appropriate review and assessment of the external audit firm and their performance?

I welcome your comments.

Why Internal Audit Fails at Many Organizations

December 6, 2014 31 comments

When recent studies by KPMG and PwC indicate that about half of internal audit’s key stakeholders (board members and top executives) do not believe that internal audit is either delivering the value it should or addressing the risks that matter, we have to recognize that internal auditing is failing at many organizations.

With that in mind, a recent PwC publication in its Audit Committee Excellence series, Achieving Excellence: Overseeing internal audit, merits our attention.

My opinion is that while the audit committee members may be assessing internal audit performance as ‘needs improvement’, they should be looking in the mirror. Internal audit reports to them; if it is not performing to their satisfaction, they are either failing to communicate expectations clearly, not demanding the necessary improvements, not providing the critical support they need when management is pulling them in a different direction, not taking actions (such as replacing the CAE) to effect change, or all of the above.

Audit committee members need guidance and while the IIA does provide some excellent insights from time to time, the audit firms’ publications are often one of the first that are read.

The PwC publication makes some very good points but unfortunately demonstrates a limited understanding of internal audit best practices. This could be because it was written by their governance team rather than by their internal audit services leaders. PwC’s internal audit services arm has produced not only good guidance from time to time (including their State of the Internal Audit Profession series), but some excellent thought leaders (including the IIA CEO, Richard Chambers).

Let’s look at what they did well:

“A priority for the audit committee should be empowering the internal audit organization by providing visible support.”

This is an excellent point and PwC describes it well. The audit committee should actively engage internal audit and, by showing its respect for the CAE and his team, promote respect by management.

“Sometimes internal audit crafts an annual plan that leverages its group’s capabilities rather than addressing the company’s key risks. Audit committees will want to be on the lookout for this.”

Another fine point. The audit committee should take responsibility for ensuring that internal audit addresses the risks that matter to the organization.

“Understand whether resource constraints (e.g., restrictions on travel budgets or the ability to source technical skills) have an impact on the scope of what internal audit plans to do. If the impact of any restrictions concerns the audit committee, take steps to help internal audit get the resources it needs.”

The audit committee should ensure that internal audit has an appropriate level of resources, sufficient to provide quality insight and foresight on the risks that matter now and will matter in the near future.

“Audit committees should determine if they are accepting a sub-excellent level of performance and competence in a CAE (and internal audit function) that it wouldn’t be willing to accept for a CFO (or other key role).”

If the CAE is not considered as critical to the success of the audit committee, something is wrong and the audit committee should take action – even if, perhaps especially if, management holds the CAE in high regard while he delivers little of value to the audit committee.

“Periodically discuss whether the amount and type of information internal audit reports to the committee is appropriate.”

While this is an essential activity, PwC doesn’t get the issue right. The audit committee should ensure it receives the information it needs to perform its responsibilities for governance and oversight of management. That is not a simple matter, as PwC implies, of being succinct in how the CAE presents audit findings.

What did they miss?

  1. The audit committee should ensure that all the risks that matter now and will matter in the near future are getting the appropriate level of attention from internal audit.
  2. The audit committee should challenge any audit activity that is not designed to address a risk that matters.
  3. The audit committee should take a very strong stance that internal audit reports to them and serves their needs first, not those of management. The PwC paper identifies two reporting lines but is wishy-washy on the subject, only saying that “Directors and management should reach consensus on which areas should be internal audit priorities.”
  4. The audit committee should challenge internal audit on how they work with the risk management activity. Where it exists, are they assessing its effectiveness? Are they working effectively with risk management? Do they leverage management’s assessment of risk appropriately?
  5. The audit committee should be concerned about the CAE’s objectivity and independence from undue management influence. Does he have one eye on internal audit and the other eye on his next position within the company?
  6. The audit committee should also ensure that it has an appropriate role in the hiring, performance assessment, compensation, and (where necessary) firing of the CAE.
  7. Finally, but in many ways most importantly, the audit committee should require that the CAE provide them with a formal assessment of the company’s management of risks and the effectiveness of related internal controls.

The publication makes some technical mistakes because the authors are not internal audit practitioners. Can you spot them?

That’s my challenge to you – in addition to welcoming your comments.

The effective audit committee

November 22, 2014 7 comments

A short article in CGMA Magazine, Ingredients of an effective audit committee, caught my eye. I recommend reading it.

I think there are some key ingredients to an effective audit committee that are often overlooked. They include:

  1. The members have to read all the material for the audit committee meeting before the meeting. It’s amazing how often they don’t, which reduces the meeting to absorbing the material rather than a constructive discussion of its implications.
  2. The members have to be ready, willing, and able to constructively challenge all the other participants, including the external and internal auditors as well as financial, operating, and executive management. Too often, they are deferent to the external auditor (for reasons that escape me) and too anxious to be collegial to challenge senior management.
  3. They need a sufficient understanding of the business, its external context (including competitors and the regulatory environment), its strategies and objectives, risks to the achievement of its objectives, and the fundamentals of risk management and financial reporting, to ask the right questions. They don’t need to have a deep understanding if they are willing to use their common sense.
  4. They need to be willing to ask a silly question.
  5. They need to persevere until they get a common sense response.
  6. No board or committee of the board can be effective if they don’t receive the information they need when they need it. I am frustrated when I read surveys that say they don’t receive the information they need – they should be demanding it and accepting no excuses when management is slow to respond.
  7. Audit committee members will not be effective if they are only present and functioning at quarterly meetings. They need to be monitoring and asking questions far more often, as they see or suspect changes that might affect the organization and their oversight responsibilities.

What do you think?

I welcome your comments.

Leaders of internal audit should never be satisfied

September 12, 2014 7 comments

If you think you are world-class, it is time for you to consider change.

Our organizations and the risks they face are changing constantly and the pace of change is increasing.

Jack Welch once said: “If the rate of change on the outside exceeds the rate of change on the inside, the end is in sight.”

We should never be satisfied with where we are today, as this represents a risk that we will not be sufficiently agile to deal with risks tomorrow.

Here are a couple of excerpts from my book, World-Class Internal Audit: Tales from my Journey. The first is on the need for change:

OK, you and your team have been recognized as adding huge value and being world-class.

Do you stop there, confident and happy in your success?

No. What is world-class for your organization today may be insufficient for tomorrow.

The CAE should have a thirst for change and growth. Learn not only from other internal audit leaders and what they do well. Learn from leaders of other organizations entirely, like Marketing and Sales.

I like to read magazines like Fast Company because they profile innovative and creative thinkers in all walks of life. Maybe what works for them could, with some tailoring, work for me. At least it might stimulate me to think about something I had never thought about before. It might stimulate me to challenge what had worked for me in the past.

Innovative leaders think outside the box. They create something that excels and they love it. They love it so much it becomes a box for them and limits their ability to discard it in favor of something new.

We should not only think out of the box, but stay out of the box, and kick it as soon as somebody builds one.

This is what I had to say about the future of internal audit:

Internal audit has made great strides since I first became a CAE in 1990.

We have moved the edge of the practice from controls auditing to assurance over governance, risk, and control processes.

The majority of CAEs now report directly to the audit committee with functional reporting to at least the CFO if not the CEO.

But that leading edge is a thin one.

Far too few internal audit departments assess and provide assurance on the effectiveness of risk management.

Even fewer consider the risks of failures in governance programs and processes and include related engagements in their audit plan.

As I travel around the world, talking to internal auditors from Malaysia to Ottawa, I find a consistent pattern of growth. But, there remain pockets where the internal auditor is only there so that management can “check the box”. This seems especially true in government (from local to national), where internal audit departments are upgraded or disbanded based on politics – a concept I find abhorrent in what should be an independent and objective function.

Part of the problem is that audit committees don’t understand the potential of internal audit – and too many CAEs are not educating them. So, they don’t demand more and too many CAEs are satisfied doing what is expected without trying to change and upgrade those expectations.

Still, I expect that internal auditing practices will continue to improve. Organizations need them, as PwC says, to move to the “next platform” and provide assurance that is not just about what used to be the risks, but what they are now and will be in the near future.

Our business environment is becoming more complex, more dynamic, and changing at an accelerating speed. I expect that internal audit leaders will rise to the challenge.

Those that do will create a competitive advantage for their organizations.

Does your internal audit department need to change? Is it able to deliver world-class products and services that represent a competitive advantage for the organization? Do you help them increase the likelihood and scale of success?

Are you ready to adapt to tomorrow’s challenges?

I welcome your comments.

A Rant about the GRC Pundit’s Rant

April 18, 2014 24 comments

Michael Rasmussen, a.k.a. the GRC Pundit, is a friend whose intellect, integrity, and insights I respect. He and I, together with another friend, Brian Barnier, were the first three to be honored as OCEG Fellows for our thought leadership around GRC.

Michael and I have had many a debate on the topic of GRC. Michael brings the perspective of an analyst that works with many companies, helping them select and implement software solutions. That is his business: he refers to himself (GRC 20/20 Research, LLC) as a “buyer advocate; solution strategist; and market evangelist”. His latest blog, GRC Analyst Rant: Throwing Down the GRC Analyst Gauntlet, inspired me to write this one.

My background is very different, having been a practitioner and executive responsible for many of the business activities he supports – in other words, I might have been one of his customers. My focus is on helping business run better – and that frequently but not always involves the judicious use of technology.

Michael and I agree on a number of points, disagree on others. For example, I believe he and I agree that:

  • The term ‘GRC’ is one that is interpreted in many ways.
    • When I ask practitioners within a company what they mean when they use the term, most say it stands for ‘governance, risk, and compliance’ but cannot explain why anybody would use that term to describe the totality implied by the expression; they may wave their hands in the air and say “what does GRC mean? You know…. it means GRC”. They cannot explain why they don’t refer to governance, or governance and risk management, or risk management and compliance. Sometimes they talk as if GRC is something in the air, something related to the culture of the organization as much as anything else.
    • When I ask people at the IIA, they say it stands for ‘governance, risk, and controls’; in other words, the totality of what internal auditors work on. I don’t personally see anything new in this, nor any value in using the term. In fact, using it with ‘controls’ instead of the more common usage of ‘compliance’ is only going to confuse.
    • When I talk to software vendors, they either describe their software solutions (as if GRC is technology) or describe the business solutions that their technology supports.
    • When I read papers from consultants, I find that if I substitute the phrase ‘risk management’ every time they say ‘GRC’, the piece makes more sense. In other words, they are usually talking about risk management but for some reason (some would say to hype the discussion) they use the term GRC instead.
    • When I talk to the people at OCEG and those who follow OCEG and its definition of GRC, they use a definition that makes more sense. That definition adds value by emphasizing the needs for all parts of the organization to work together.
  • GRC is not about technology. It is about (as I said last year) “how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values)”.
  • The key to optimizing outcomes is for management (with board approval) to set the appropriate strategies, objectives, and goals, and then everything flows from there: managing risks to strategies, managing performance against strategies, and acting with integrity (which includes compliance with applicable laws and regulations) at all times.
  • No technology vendor (not even SAP and Oracle, who have the greatest breadth and depth of solutions IMHO) has a complete solution that addresses all GRC needs. The last time I said that, in a September post, several vendors wrote to tell me they had everything. But, they simply didn’t. They have everything that they chose to call GRC, but none included strategy management, support for governance activities like board packages and whistleblower lines, risk management including automated and integrated key risk indicators, compliance training and monitoring, performance management, legal case management, and so on.
  • The analysts like Gartner and Forrester have a business model where they need to define technology using buckets. But those buckets do not reflect what individual companies actually need, so their analyses and ratings may be interesting but may well steer organizations to acquire solutions (such as a so-called ‘EGRC platform’) that are not the best use of scarce resources. I would not advise any organization to base their purchase decision on an analyst rating of ‘GRC’, ‘EGRC’ or other made-up bucket of fish.

Where I believe we differ is that I do not advocate the use of the term ‘GRC’.

As I implied, if not explicitly stated, in my post last November, I believe that if the term ‘GRC’ is not dead (and apparently it lingers on), then it should be put to death.

I do not see the value in business people talking about GRC. I have said before and will say again, managers should look to fixing the processes they know need work.

For example, few organizations have effective processes for developing strategies and objectives at the corporate level, cascading them down throughout the organization so every individual knows what they need to do if the organization is to succeed, and minimizing individual objectives that are not clearly necessary to corporate achievement – then rewarding individuals, at least in part, for performance against those cascaded objectives. I have worked at several organizations where we were told what the corporate objectives were and asked to link our personal objectives to them. That is not the same thing. That is tying our personal objectives onto a branch of the corporate objectives, rather than making sure that all the roots of that corporate objective tree are healthy – even when we should be responsible for the health of a root or two.

Another example is the effectiveness of risk management. Most organizations practice enterprise list management at best (i.e., they manage a limited number of risks on a periodic basis), when mature risk management that is dynamic, iterative, and responsive to change, integrated into decision-making at all levels of the organization and into every aspect of daily operations, is essential to success.

Does using the term ‘GRC’ mean anything useful for internal auditors? No. They should continue to “up their game” from a focus on controls and risks that matter to operating management, to providing assurance and insight on organizational governance and risk management.

Effective GRC for OCEG means the integration, among other things, of strategy and risk management. But how many organizations do that well? How many executives receive and manage their area using an integrated report or dashboard that shows for each of their strategies both the current level of performance and the current state of related risks? How many executives see that not only have they accelerated up to the desired level of 100kph but are less than 100m from hitting a brick wall?

So here’s my recommendation to all: stop talking about GRC and start talking the language of the business. Let’s talk about how we can increase value to stakeholders, address potential obstacles and seize opportunities to excel, act with integrity and remain in compliance with current and anticipated regulations, and manage the organization to success.

Don’t try to fix GRC. Fix those parts of the business, those business processes, that are broken.

Good Riddance grC.

I welcome your comments.

What is effective risk management?

April 12, 2014 15 comments

Some say that risk management is effective when it has all the components described in their favorite standard (ISO 31000:2009) or framework (COSO ERM). (COSO ERM specifically states this as the requirement).

Some say that risk management is effective when all the principles in their favorite guidance are present and functioning. (ISO talks about its “set of principles that organisations must follow to achieve effective risk management.”) The principles are (from a consultant’s site that provides a high-level view of the standard):

  • Creates and protects value;
  • Is an integral part of all of the organisation’s processes;
  • Forms part of decision making;
  • Explicitly expresses uncertainty;
  • Is systematic, structured and timely;
  • Is based on the best available information;
  • Is tailored to the organisation;
  • Takes human and cultural factors into account;
  • Is transparent and inclusive;
  • Is dynamic, iterative and responsive to change; and
  • Facilitates continual improvement of the organisation.

Some say that risk management is effective when activities are compliant with the organization’s related policies and standards. But are those policies and standards adequate?

Some will say that risk management is effective when the board, operating and executive management believe it adds value and are satisfied that it provides the information they require. I believe that has merit but they may be satisfied with less than mature risk management (that seems to be the case with many current organizations who are satisfied with enterprise list management, until they are caught short).

Some will say that risk management is effective when an independent assessment/audit/examination is performed and the report says so. The trouble is that the people who do such audits generally rely on one of the above criteria (components present, principles in operation, etc.)

I would like to suggest a different approach.

Let’s start by considering why organizations should have risk management. It’s NOT because laws and regulations mandate it in many cases. It’s NOT because people say you need it. It’s because effective risk management provides a level of assurance that an organization will not only achieve its objectives (or exceed them) but will set the best objectives.

Quoting from COSO ERM:

“Enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.”

COSO explains that effective risk management enables:

  • “A greater likelihood of achieving business objectives”
  • “More informed risk-taking and decision-making”

Irish guidance on the ISO 31000:2009 risk management standard says:

“The purpose of managing risk is to increase the likelihood of an organization achieving its objectives by being in a position to manage threats and adverse situations and being ready to take advantage of opportunities that may arise.”

The Australian mining company, BHP Billiton, has a risk management policy signed by its CEO. It includes:

“Risk is inherent in our business. The identification and management of risk is central to delivering on the Corporate Objective.

  • By understanding and managing risk we provide greater certainty and confidence for our shareholders, employees, customers and suppliers, and for the communities in which we operate.
  • Successful risk management can be a source of competitive advantage.
  • Risk Management will be embedded into our critical business activities, functions and processes. Risk understanding and our tolerance for risk will be key considerations in our decision making.

“The effective management of risk is vital to the continued growth and success of our Group.”

I like what E&Y has to say:

“An effective [ERM] capability provides value by giving organizations the confidence to take on risk, rather than avoid it.

“By effectively managing the right risks, management has more timely, comprehensive and a deeper understanding of risk which, in turn, facilitates better decision-making and confidence to take on new ventures or even to accept higher levels of risk.”

So we can see that, as the BHP CEO said, effective risk management is not only essential to the success of an organization but “can be a source of competitive advantage”.

For the last year or two, I have been saying that you assess the effectiveness of risk management by asking decision-makers at all levels whether the risk information is enabling them to make better decisions and be more successful.

In other words, assess risk management not by its structure but by its effect.

I still think that is a key test, but I am going to add a new dimension to my thinking.

Let’s consider a company that has significant foreign currency exposure. It does business globally so it has bank accounts in a number of countries and has both payables and receivables in different currencies.

There are a number of strategies for reducing foreign exchange risk, but to manage the risk effectively you need to know what is happening with rates as well as how your bank account balances, payables, and receivables are changing.

If this company can only understand its foreign exchange risk once a month, in other words if it monitors this risk monthly because that is the only time it can obtain all the necessary information and calculate its exposure, the risk is much higher than if it has the processes, people, and systems to monitor its exposure daily or better.

However, the investment necessary to upgrade the risk monitoring from monthly to daily may be significant. The company has to decide whether the reduction in exchange risk that upgraded monitoring would deliver justifies the additional expense.

Until it upgrades risk monitoring, there is a risk that the information provided by risk management is insufficient. Management needs to decide whether that is an acceptable level of risk.

If management decides that the level of risk is too high, then I would say that the risk management program is less than effective. It is not providing the information necessary for management to take the right risks. But if management decides that the level of risk is acceptable, then that would not prevent me from assessing risk management as effective.

Let’s take another situation. An organization is concerned about its reputation risk. It has engaged a company to monitor reputation risk indicators (using social media analytics) and report once each quarter. However, it is in an industry where customer satisfaction can move quickly and significantly.

Quarterly risk monitoring creates a risk that the risk management program is not providing the information necessary to manage risks to the enterprise objectives. As in the prior example, management will need to decide whether an investment in more frequent reputation risk monitoring is justified by the potential reduction in reputation risk (because it would increase the ability to respond to customer complaints, etc.).

If management decides that quarterly risk monitoring represents a risk outside acceptable ranges, I would say that the risk management program is less than effective. It is not providing the information necessary for management to take the right risks, and management has determined that this risk (the risk of a bad decision) is unacceptable.

One final example. The company has an excellent risk management framework, formal policies and procedures, processes, and enabling systems. However, in the last year the level of staff turnover among the champions of risk management in the executive ranks and among the risk officers themselves means that the experience of the individuals relied upon to monitor, understand, assess, evaluate, and respond to risks has diminished.

There is a greater likelihood than in prior years that risks will not be managed as desired, that the wrong risks will be taken, and that the risk information that flows to top management and the board may not be reliable.

This is a deficiency in the operation of risk management and may represent a risk to the achievement of objectives because it results in less than reliable risk information on which decisions are based. If the risk is unacceptable, then until it is treated and brought back to within acceptable ranges I would say that the risk management program is less than effective.

So, where am I going?

If we revisit the objective of risk management, we see that we rely on it to provide management and the board with the information they need to run the business, make better decisions, and take the right risks.

But risk management is not and never will be perfect.

It is impossible to monitor every risk, including new risks, in real time and provide useful information – also in real time – to the people who need to act on it.

There will always be risk champions who are new to the company and who, because they do not yet understand the business and their risk-related responsibilities, will fall short in that respect.

There will be times when the people required to provide expert insight when assessing and evaluating risks are on vacation, sick, or otherwise unable to participate.

There will always be a risk that the risk management program fails to provide the information necessary for decision-making.

The key is whether that risk is known and is considered acceptable.

If the risk is acceptable, then I would consider the risk management program as effective.

That is not to say that the principles described in ISO 31000 are unnecessary, or that the components discussed in COSO ERM are not required. But those describe the structure of the program; having them in place does not by itself mean the program is effective and produces the results necessary for the organization to succeed.

Bottom line: CROs and executive management should assess their risk management program (auditors can help) and determine whether the risk that it will provide insufficient information to run the business, make informed decisions, and take the right risks is at an acceptable level.

OK, I understand that this is a little complicated and a very different way of thinking about effective risk management. Does it make sense?

I welcome your views.

Missing the boat on IT and technology

March 29, 2014 8 comments

When you look at surveys of CEOs, such as the ones by PwC in 2014, McKinsey in 2013 and IBM in 2012, they reflect what we should all know: that the innovative use of technology is one of, if not the primary, enabler of business innovation these days. Whether it’s connecting with the customer (as referenced by IBM), obtaining market insights (through analytics including Big Data analytics – see this discussion of a McKinsey report), or simply finding new ways to deliver products and services to customers, technology is a critical driver of business success.

As PwC says:

“CEOs told us they think three big trends will transform their businesses over the next five years. Four-fifths of them identified technological advances such as the digital economy, social media, mobile devices and big data. More than half also pointed to demographical fluctuations and shifts in economic power.”

“The smartest CEOs are concentrating on breakthrough, or game-changing, innovation. They’re explicitly incorporating it in their strategies. And they’re using technology not just to develop new products and services, but also to create new business models, including forging complete solutions by combining related products and services. In fact, they don’t think in terms of products and services so much as outcomes, because they recognise that products and services are simply a means to an end.”

“Breakthrough innovation can help a company rewrite the rules and leapfrog long-established competitors.”

Organizations that fail to leverage new technology are likely to be left behind by customers and competitors. In an ISACA report on Big Data, the point was made that failing to take a risk with new technology is very often a greater risk than any risks created by the new technology.

(Please see these earlier posts on IT Risk and Audit, Deloitte says mid-market companies are using new technology to great advantage, and Digital Transformation.)

Now we get a couple of reports and discussion documents that indicate that companies, executives, and consultants that aim to guide them are all missing the boat!

A new report from McKinsey, IT Under Pressure, says that dissatisfaction with IT’s effectiveness is growing. They start the report with:

“More and more executives are acknowledging the strategic value of IT to their businesses beyond merely cutting costs. But as they focus on and invest in the function’s ability to enable productivity, business efficiency, and product and service innovation, respondents are also homing in on the shortcomings many IT organizations suffer. Among the most substantial challenges are demonstrating effective leadership and finding, developing, and retaining IT talent.”

McKinsey points out that in their survey only 49% felt IT was effective when it came to helping the organization introduce new products and 37% said IT was effective in helping enter new markets.

Even IT executives said that they were failing when it came to driving the use of technology and innovation: just 3% were fully effective and only 10-17% very effective in related areas.

Fully 28% of IT executives and 13% of other executives came clean and said the best way to fix the problem was to fire current IT leadership!

I suggest reading the entire McKinsey piece and considering how it relates to your organization.

Deloitte’s prolific thought leadership team has weighed in with advice for the CFO, who often has IT within his organization. Evaluating IT: A CFO’s perspective starts with some good points:

“Ask finance chiefs about their frustrations with information technology (IT), and you are bound to get an earful. Excessive investments made. Multiple deadlines missed. Little return on investment (ROI) achieved. The list goes on.

“To complicate matters, many CFOs simply do not know if chief information officers (CIOs) are doing a good job. What exactly does a good IT organization look like anyway? How should IT be evaluated? And what are the trouble signs that the enterprise is not prepared for the future from a technology standpoint?”

But then they stray from the need to get IT to drive the effective use of new technology for both strategic and tactical advantage. Instead, they focus on “IT is typically the largest line item in selling, general, and administrative expense.”

This is the attitude, managing cost at the potential expense of the business, which gives CFOs a deservedly bad name!

I will let you read the rest of this paper, but when the first question it suggests for CFOs to use in assessing IT performance is “Have you tested your disaster plan”, I am more prepared to fire the CFO who asks that as his first question than I am to fire the poor CIO who reports to him.

My first question for the CIO is “How are you enabling the organization to innovate and succeed?”

PwC asks some good questions as well:

  • What are you doing to become a pioneer of technological innovation?
  • Do you have a strategy for the digital age? And the skills to deliver it?
  • How are you using ‘digital’ as a means of helping customers achieve the outcomes they desire – rather than treating it as just another channel?

Risk and internal audit professionals should consider whether the risk of missing the technology boat is at an unacceptable level in their organization.

Board members should ask how the leaders of IT are working with the business to understand and use technology for success.

CFOs should worry less about the cost of IT and worry more about the long-term viability and success of the organization if they become barriers to strategic investment.

I welcome your comments.

The continuing failure of the risk appetite debate to focus on desired levels of risk

March 22, 2014 12 comments

I have written often and with passion about the concepts of “risk appetite” and “risk tolerance”. In order of date, from earliest to latest:

I am drawn to write about this flawed concept yet again by two developments. First, a respected risk practitioner told me that he has found that in many banks (and presumably other financial services companies) the board agrees on risk limits and appetite statements with management, but those limits are not shared with everybody that has day-to-day responsibility for running the business and staying within desired levels of risk.

This is the primary area with which I have a problem when it comes to the idea of a risk appetite statement. Something that satisfies the needs of the board and top management to establish and monitor aggregate risk across the enterprise fails if it does not direct the actions of those people who are taking risk every day, not only in transactions but in decision-making.

Then, my good friend (and that is an honest statement with which I believe he will agree) Jim DeLoach of Protiviti penned a piece on risk appetite and tolerance for Corporate Compliance Insights.

Jim shares some truths:

“Risk levels and uncertainty change significantly over time. Competitors make new and sometimes unexpected moves on the board, new regulatory mandates complicate the picture, economies fluctuate, disruptive technologies emerge and nations start new conflicts that can escalate quickly and broadly. Not to mention that, quite simply, stuff happens, meaning tsunamis, hurricanes, floods and other catastrophic events can hit at any time. Indeed, the world is a risky place in which to do business.”

“Value creation is a goal many managers seek, and rightfully so, as no one doubts that successful organizations must take risk to create enterprise value and grow. The question is, how much risk should they take? A balanced approach to value creation means the enterprise accepts only those risks that are prudent to undertake and that it can reasonably expect to manage successfully in pursuing its value creation objectives.”

But then the discussion veers towards the too-common misperception that the only limit that should be set on risk is the upper level – a constraint that stops management from taking too much risk.

In fact, as Jim points out, companies will only succeed if they take risk: “a company may choose to drive growth through extending more credit to its customers, entering certain third-world markets or investing in a completely different line of business”.

So, it is important to ensure that not only does management not take on too much risk, but they do not act timidly and fail to take on the risk that will drive performance and value creation.

I know Jim well and have total confidence that he appreciates that companies need not only ceilings but floors on the levels of risk they should take (and not limit their risk criteria to quantitative factors) to ensure they are taking the right risks.

I just wish his paper focused less on the negative (with comments like “What ceilings are placed on capital expenditures, M&A activity, R&D and other investments? In what areas are there policy restrictions (e.g., avoidance of certain markets and use of certain financial instruments)?”) and helped organizations recognize when to take more risk.

I also wish that Jim brought into his pieces a greater appreciation of the perspective on risk and uncertainty reflected in the ISO 31000:2009 global risk management standard, instead of limiting himself to the concepts (some of which, like risk appetite, I believe to be flawed) of COSO ERM.

I welcome your comments.

Please see this related story about an internal auditor that recommended that the company consider taking on more risk.

New Paper on Risk Assessment and the Audit Plan

March 15, 2014 14 comments

One of the software vendors that have been providing solutions for internal auditors for many years is Thomson Reuters. With annual revenues of nearly $13 billion, they are one of the few large software companies in this space. So when they speak, I tend to pay attention.

Thomson Reuters recently published a paper written by a former senior manager with E&Y. Entitled “Get Your Internal Audit Risk Assessment Right This Year” (registration required), the paper purports to share best practices for internal audit risk assessment.

Unfortunately, it fails to deliver on that promise.

While it includes some useful guidance for the discussions every internal audit team should have with management, it barely touches the surface of the issue.

I do agree with this statement: “the Internal Audit Risk Assessment presents an oft-missed opportunity for internal auditors to understand their organization’s evolving objectives and implement a more dynamic risk-based approach to the internal audit process.”

The last sentence in the report starts to get to the real point: “With no sign of the pace of changes affecting your organization slowing down, internal audit’s risk assessment must be dynamic, not static, and needs to be improved from year to year, using a top down approach, beginning with management interviews and input.”

Here are the two main problems with that last sentence:

  1. The internal audit assessment of risk and updating of the internal audit plan should be far more frequent than the annual cycle implied by the report. Many departments are moving to a quarterly update, and best practice (in my opinion and which I personally followed) is a rolling quarterly plan that is updated as often as the risks change.
  2. While management interviews and input are useful, they are hardly the best place to start. The internal audit team should understand whether and how the organization as a whole has identified the more significant risks to the achievement of its objectives. While not clearly stated in this report, I will give credit to the author for understanding that internal audit should focus on risks to the organization as a whole, and not risks to a location, business unit, or process. However, the organization’s risk management program is not mentioned as a source of information that drives, at least in part, the audit plan! It is also essential that internal audit has a deep understanding of the business, its processes, systems, and organization, sufficient to challenge management’s assessment of risk – or make its own assessment when there is no ERM in place.

My recommendation: read the report for tips on how to interview management. But, go into that set of discussions with either the organization’s risk ‘register’ or another document that can drive a discussion about which are the risks to the organization that matter – and where the assurance and consulting/advisory services provided by internal audit can be of value. (I have shared a number of files on Box, including a Risk Universe slide you may find useful. Please go to this tab on my web site to download.)

Ask yourself this: do your internal audit plan and the process around it ensure that appropriate engagements are performed on the risks that matter to the organization, when that assurance or advisory service is needed?

Risk Officers on the Front Lines of the Big Data Analytics Revolution

March 8, 2014 4 comments

I was intrigued to read that when McKinsey gathered together “eight executives from companies that are leaders in data analytics … to share perspectives on their biggest challenges”, they included not only chief information officers and marketing executives, but the chief risk officer from American Express.

The McKinsey Quarterly report that reviews the discussion doesn’t have any ground-breaking revelations. They say what has been said before, although it is still important for all of us to understand the enormous potential of Big Data Analytics.

One key point is that the existence of Big Data by itself has very limited value. It’s the ability to use emerging technology (from companies like SAP, Oracle, and IBM) to not only mine the data but deliver insights at blinding speed (using in-memory technology) that will bring amazing results.

But I was looking for more, which I explain after these quotes.

Big-data analytics are delivering an economic impact in the organization… The reality of where and how data analytics can improve performance varies dramatically by company and industry.

Companies need to operate along two horizons: capturing quick wins to build momentum while keeping sight of longer-term, ground-breaking applications. Although, as one executive noted, “We carefully measure our near-term impact and generate internal ‘buzz’ around these results,” there was also a strong belief in the room that the journey crosses several horizons. “We are just seeing the tip of the iceberg,” said one participant. Many believed that the real prize lies in reimagining existing businesses or launching entirely new ones based on the data companies possess.

New opportunities will continue to open up. For example, there was a growing awareness, among participants, of the potential of tapping swelling reservoirs of external data—sometimes known as open data—and combining them with existing proprietary data to improve models and business outcomes.

Privacy has become the third rail in the public discussion of big data, as media accounts have rightly pointed out excesses in some data-gathering methods. Little wonder that consumer wariness has risen.

Our panelists presume that in the data-collection arena, the motives of companies are good and organizations will act responsibly. But they must earn this trust continually; recovering from a single privacy breach or misjudgment could take years. Installing internal practices that reinforce good data stewardship, while also communicating the benefits of data analytics to customers, is of paramount importance. In the words of one participant: “Consumers will trust companies that are true to their value proposition. If we focus on delivering that, consumers will be delighted. If we stray, we’re in problem territory.”

To catalyze analytics efforts, nearly every company was using a center of excellence, which works with businesses to develop and deploy analytics rapidly. Most often, it includes data scientists, business specialists, and tool developers. Companies are establishing these centers in part because business leaders need the help. Centers of excellence also boost the organization-wide impact of the scarce translator talent described above. They can even help attract and retain talent: at their best, centers are hotbeds of learning and innovation as teams share ideas on how to construct robust data sets, build powerful models, and translate them into valuable business tools.

What I was disappointed in was a lack of reference to how Big Data Analytics could and should be a fantastic opportunity for risk officers and internal audit executives.

All practitioners should be familiar with the concept of Key Risk Indicators (KRI). A useful paper by COSO defines KRI:

“Key risk indicators are metrics used by organizations to provide an early signal of increasing [ndm: they should have said ‘changing’] risk exposures in various areas of the enterprise. In some instances, they may represent key ratios that management throughout the organization track as indicators of evolving risks, and potential opportunities, which signal the need for actions that need to be taken. Others may be more elaborate and involve the aggregation of several individual risk indicators into a multi-dimensional score about emerging events that may lead to new risks or opportunities.”

Some vendors (including MetricStream, IBM, and SAP) are showing us the way in which Big Data Analytics can be used to produce KRIs that are more powerful and insightful than ever before.

However, I am not convinced that practitioners are seizing the opportunity.

I fear that they are concerned about the risks as their organizations embrace Big Data Analytics to drive performance while remaining blind to the opportunity to develop KRIs so that business executives can take the right risks.
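To make the COSO definition above concrete, here is an added illustration of a composite KRI, written for this post rather than taken from it, from COSO, or from any of the vendors named. It does the two things the definition describes: it aggregates several individual indicators into one weighted score, and it gives an early signal of changing exposure by projecting each indicator’s trend forward, so that an indicator still inside its limit but heading for a breach is flagged before the breach happens. The indicator names, weights, green and red levels, and the five weekly observations per indicator are all constructed for the example.

```python
"""Composite key risk indicator (KRI) with an early warning on trend.

Added illustration for the COSO definition quoted above; not code from the
post, from COSO or from any vendor. Indicator names, weights, green/red
levels and the weekly observations are all constructed for the example."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Indicator:
    name: str
    weight: float   # relative contribution to the composite score
    green: float    # level regarded as comfortable
    red: float      # level at which the indicator alone is a breach
    # Direction is implied: red < green means lower values are worse.


def score(ind: Indicator, value: float) -> float:
    """Position of a value between green (0.0) and red (1.0), clamped so a
    single runaway indicator cannot swamp the composite."""
    position = (value - ind.green) / (ind.red - ind.green)
    return max(0.0, min(position, 1.0))


def slope(series) -> float:
    """Least-squares slope per period: the 'velocity' of the indicator."""
    n = len(series)
    if n < 2:
        return 0.0
    xs = range(n)
    mx, my = mean(xs), mean(series)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, series))
    sxx = sum((x - mx) ** 2 for x in xs)
    return sxy / sxx


def assess(ind: Indicator, series, horizon: int) -> dict:
    """Classify one indicator: 'breached' if it is already at red,
    'warning' if its current trend would reach red within `horizon`
    periods, otherwise 'ok'. The warning is the early signal of changing
    exposure that a plain threshold check only reports after the fact."""
    current = series[-1]
    projected = current + slope(series) * horizon
    now, later = score(ind, current), score(ind, projected)
    if now >= 1.0:
        status = "breached"
    elif later >= 1.0:
        status = "warning"
    else:
        status = "ok"
    return {"name": ind.name, "current": current, "score": now,
            "projected": projected, "status": status}


def composite(indicators, history, horizon: int = 4):
    """Weighted composite score in 0..1 plus the per-indicator detail."""
    detail = [assess(ind, history[ind.name], horizon) for ind in indicators]
    total_w = sum(ind.weight for ind in indicators)
    value = sum(ind.weight * d["score"]
                for ind, d in zip(indicators, detail)) / total_w
    return value, detail


# Constructed sample: five weekly observations per indicator.
INDICATORS = [
    Indicator("unpatched_critical_vulns", weight=0.4, green=0, red=50),
    Indicator("customer_satisfaction", weight=0.3, green=90, red=70),
    Indicator("failed_logins_per_1k_users", weight=0.3, green=10, red=40),
]
HISTORY = {
    "unpatched_critical_vulns": [12, 15, 21, 28, 36],    # rising fast, not yet red
    "customer_satisfaction": [84, 83, 84, 82, 83],       # flat and comfortable
    "failed_logins_per_1k_users": [44, 46, 45, 47, 48],  # already past red
}

if __name__ == "__main__":
    value, detail = composite(INDICATORS, HISTORY)
    print(f"composite KRI score: {value:.2f}")
    for d in detail:
        print(f"{d['name']:<28} now={d['current']:>6.1f} "
              f"projected={d['projected']:>6.1f} {d['status']}")
```

On the constructed data the vulnerability backlog is still well inside its limit yet is flagged as a warning, because at its current velocity it reaches the red level within the four-week horizon; the failed-login rate is reported as already breached. That distinction, between a limit already exceeded and exposure that is changing toward a limit, is the difference between a metric that reports after the fact and a KRI that gives executives time to act.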

I would appreciate your views. Is it a matter of cost? Or are they simply unaware of the potential?

McKinsey talks about a forward-looking board of directors

March 1, 2014 4 comments

The latest edition of McKinsey Quarterly is on the topic of “Building a forward-looking board”.

I like the general theme, that “directors should spend a greater share of their time shaping an agenda for the future”. This is consistent with board surveys that indicate board members would prefer to spend more time on strategy and less on routine compliance and other matters.

The author, a director emeritus of the Zurich office and member of several European company boards, makes a number of good points but leaves me less than completely satisfied.

The good quotes first:

Governance arguably suffers most, though, when boards spend too much time looking in the rear-view mirror and not enough scanning the road ahead.

Today’s board agendas, indeed, are surprisingly similar to those of a century ago, when the second Industrial Revolution was at its peak. Directors still spend the bulk of their time on quarterly reports, audit reviews, budgets, and compliance—70 percent is not atypical—instead of on matters crucial to the future prosperity and direction of the business.

“Boards need to look further out than anyone else in the company,” commented the chairman of a leading energy company. “There are times when CEOs are the last ones to see changes coming.”

Many rational management groups will be tempted to adopt a short-term view; in a lot of cases, only the board can consistently take the longer-term perspective.

Distracted by the details of compliance and new regulations, however, many directors we meet simply don’t know enough about the fundamentals and long-term strategies of their companies to add value and avoid trouble.

Rather than seeing the job as supporting the CEO at all times, the directors of these companies [with prudent, farsighted, and independent-minded boards] engage in strategic discussions, form independent opinions, and work closely with the executive team to make sure long-term goals are well formulated and subsequently met.

Boards seeking to play a constructive, forward-looking role must have real knowledge of their companies’ operations, markets, and competitors.

The best boards act as effective coaches and sparring partners for the top team.

The central role of the board is to cocreate and ultimately agree on the company’s strategy. In many corporations, however, CEOs present their strategic vision once a year, the directors discuss and tweak it at a single meeting, and the plan is then adopted. The board’s input is minimal, and there’s not enough time for debate or enough in-depth information to underpin proper consideration of the alternatives.

While I agree with the forward-looking theme and some of the ideas around such issues as getting the most from the talent within the organization, I am troubled in a few areas:

  1. The detailed discussion on strategy still has a shorter horizon, one year, than I believe optimal. While it is difficult if not impossible to plan further ahead, the organization should have a shared understanding between the board and top executives about how it will create value for its stakeholders over the longer period. There should be more discussions around strategic and other developments (risks and opportunities) that should shape not only long-term but short-term actions.
  2. There is insufficient discussion of the fact that you cannot have a fruitful discussion about strategy without understanding the risks (adverse and potentially positive) in the business environment. What are they today and how will they change tomorrow? How able (agile) is the organization, not only to withstand potentially negative effects (the focus of McKinsey in this piece) but to take advantage of market opportunities? Is it now, and will it in the future be, able to change or adapt strategies established in different conditions?
  3. Many companies are less than agile because they have stuck-in-the-mud executives, unable to pull themselves out due to a lack of vision, legacy systems, and poor information. The boards need to understand this and question management on how they plan to address it – with urgency!
  4. Finally, while the piece discusses the need for effective board and director evaluations, surveys show that it is hard to fire under-performing directors. How can a board succeed in that environment? I think this needs to be on the board agenda if it is to remain forward-looking.

Do you agree? I welcome your comments.

Interesting new paper on risk culture

February 22, 2014 18 comments

The topic of risk culture has been receiving a lot of attention ever since it was identified as a cause of many of the problems that led to major issues at financial services organizations a few years ago.

Risk culture drives behavior when it comes to taking the desired risks and levels of risk. As I say in my KEY POINTS section at the end of this post, traditional risk management metrics will tell you whether risk levels are unacceptable, but that is after the fact (of taking the risk) and after damage may have been done!

One learned paper (I was a minor contributor) was published by the excellent Institute of Risk Management. I wrote about the topic in a 2011 blog post, with reference to a couple of excellent articles, and included these quotes:

“The most remarkable finding of the survey is that most risk professionals – on the whole a highly analytical, data rational group – believe the banking crisis was caused not so much by technical failures as by failures in organisational culture and ethics.

Most risk professionals saw the technical factors which might cause a crisis well in advance. The risks were reported but senior executives chose to prioritise sales. That they did so is put down to individual or collective greed, fuelled by remuneration practices that encouraged excessive risk taking. That they were allowed to do so is explained by inadequate oversight by non-executives and regulators and organisational cultures which inhibited effective challenge to risk taking.

Internally, the most important area for improvement is the culture in which risk management takes place (including vision, values, management style and operating principles).”

And….

“Risk Culture is the ‘tone at the top’ shaped by the values, strategies, objectives, beliefs, risk tolerances and attitudes that form how everyone .. views the trade off between risk and return. The risk culture … determines how individuals and business units take risks.

While some risk-taking will be governed by rules and controls, much is governed directly by culture – where rules and controls are not effective, fail or where they do not apply.”

I like the definition above, that “Risk Culture is the ‘tone at the top’ shaped by the values, strategies, objectives, beliefs, risk tolerances and attitudes that form how everyone .. views the trade off between risk and return. The risk culture … determines how individuals and business units take risks.”

In other words, risk culture is what drives human behavior. Ideally, that behavior is to take the risks that the organization wants taken. But too often, people react to a situation by taking the ‘wrong’ risk (including taking either too much or too little risk).

Now a new paper has been published. By three respected professors, Risk Culture in Financial Organisations tackles the topic in great depth. It doesn’t include a clear (at least to me) definition of risk culture, but I believe that if it did, the definition would be consistent with my discussion above. The authors certainly talk about the trade-offs and identify many of the same factors that contribute to an organization’s risk culture.

I suspect that readers of the research paper will appreciate the discussions of such matters as whether the risk function should try to be an independent monitor or a partner to the business; whether the risk function is focused on enabling effective decisions to advance the organization, or on compliance; whether organizations know where behaviors and their drivers need to change; and the questions it suggests organizations ask to probe the issues.

I particularly enjoyed some of the quotes the authors included, such as:

“…the leaders of industry must collectively procure a visible and substantive change in the culture of our institutions, so as fundamentally to convince the world once again that they are businesses which can be relied on.”

“…development of a ‘risk culture’ throughout the firm is perhaps the most fundamental tool for effective risk management.”

“The institutional cleverness, taken with its edginess and a strong desire to win, made Barclays a difficult organisation for stakeholders to engage with. Barclays was sometimes perceived as being within the letter of the law but not within its spirit. There was an over-emphasis on short-term financial performance, reinforced by remuneration systems that tended to reward revenue generation rather than serving the interests of customers and clients. There was also in some parts of the Group a sense that senior management did not want to hear bad news and that employees should be capable of solving problems. This contributed to a reluctance to escalate issues of concern.”

“The strategy set by the Board from the creation of the new Group sowed the seeds of its destruction. HBOS set a strategy for aggressive, asset-led growth across divisions over a sustained period. This involved accepting more risk across all divisions of the Group. Although many of the strengths of the two brands within HBOS largely persisted at branch level, the strategy created a new culture in the higher echelons of the bank. This culture was brash, underpinned by a belief that the growing market share was due to a special set of skills which HBOS possessed and which its competitors lacked.”

“In contrast to JPMorgan Chase’s reputation for best-in-class risk management, the whale trades exposed a bank culture in which risk limit breaches were routinely disregarded, risk metrics were frequently criticised or downplayed, and risk evaluation models were targeted by bank personnel seeking to produce artificially lower capital requirements.”

“Culture has played a significant part in the development of the problems to be seen in this Trust. This culture is characterised by introspection, lack of insight or sufficient self-criticism, rejection of external criticism, reliance on external praise and, above all, fear… from top to bottom of this organisation. Such a culture does not develop overnight but is a symptom of a long-standing lack of positive and effective direction at all levels. This is not something that it is possible to change overnight either, but will require determined and inspirational leadership over a sustained period of time from within the Trust.”

“Absent major crises, and given the remarkable financial returns available from deepwater reserves, the business culture succumbed to a false sense of security. The Deepwater Horizon disaster exhibits the costs of a culture of complacency… There are recurring themes of missed warning signals, failure to share information, and a general lack of appreciation for the risks involved. In the view of the Commission, these findings highlight the importance of organizational culture and a consistent commitment to safety by industry, from the highest management levels on down.”

Simons’ Risk Exposure Calculator (1999) is composed of 12 keys that reflect different sources of pressure for a company. Managers should score each key from 1 (low) to 5 (high). ‘Alarm bells’ should be ringing if the total score is higher than thirty-five. The keys are: pressures for performance, rate of expansion, staff inexperience, rewards for entrepreneurial risk-taking, executive resistance to bad news, level of internal competition, transaction complexity and velocity, gaps in diagnostic performance measures, degree of decentralised decision-making.

“You go to a management meeting and you talk about management issues and then you go to a risk committee and you talk about risk issues. And sometimes you talk about the same issues in both but people get very confused and I don’t know … I don’t know how right it is but I really think you should be talking about risk when you talk about your management issues because it kind of feels to me again culturally that’s where we are.”

“Too many bankers, especially at the most senior levels, have operated in an environment with insufficient personal responsibility. Top bankers dodged accountability for failings on their watch by claiming ignorance or hiding behind collective decision-making. They then faced little realistic prospect of financial penalties or more serious sanctions commensurate with the severity of the failures with which they were associated. Individual incentives have not been consistent with high collective standards, often the opposite […] Remuneration has incentivised misconduct and excessive risk-taking, reinforcing a culture where poor standards were often considered normal. Many bank staff have been paid too much for doing the wrong things, with bonuses awarded and paid before the long-term consequences become apparent. The potential rewards for fleeting short-term success have sometimes been huge, but the penalties for failure, often manifest only later, have been much smaller or negligible. Despite recent reforms, many of these problems persist.”

This is clearly the work of academics, and practitioners may find the long piece hard to digest. However, the authors have tried to be practical, and if you focus on the questions at the end of each section there is some good material.

KEY POINTS

In particular, focus on the underlying message. In my reading, it is essential that management and boards of organizations, including but not limited to the risk office, understand how behavior is being driven when it comes to taking desired risks – and levels of risk.

  • Are the positive influencers, like policies and related training, effective?
  • Are the potentially negative influencers, such as short-term financial incentives, understood and mitigated?

This understanding should then be used to assess whether actions need to be taken to improve the likelihood that desired risks will be taken.

Whether you call this risk culture or not, I believe it is very important. Traditional risk management metrics will tell you whether risk levels are unacceptable, but that is after the fact and after damage may have been done!

By the way, the Bibliography is excellent and the publication is worth downloading just to get it!

I welcome your views and comments.