Posts Tagged ‘IIA’

What if we just abandon “risk management”?

August 15, 2022 5 comments

Earlier this year, Marco Nutini asked this challenging question in a newsletter he shared on LinkedIn.

He starts with:

Calm down, I don’t want to ruin my source of daily bread, let alone create a fuss.

Several internationally recognized authors have already addressed a recurring theme in the Risk literature: if a company does not manage risks, but manages decisions, why use the term “Risk Management”?

For example, Grant Purdy and Roger Estall devoted an entire section of their book, Deciding (2020), to propose the temporary eradication of the term. Grant was a nominated expert to the working group that wrote ISO 31000 and ISO Guide 73. Both standards were inspired by AS/NZ 4360:2004, to which Grant was a key contributor. So, I guess he is in a privileged position to give his opinion.

Marco quotes Grant and Roger’s argument that the terms “risk” and therefore “risk management” have multiple meanings, and that this means they really have no meaning. Therefore, we should stop using the terms.

This is not a view I subscribe to, although I do dislike the four-letter word “risk” because it sparks a negative reaction from most business executives.

Instead, Marco suggests:

“…what we now call ERM (Enterprise Risk Management) is a tangle of three distinct, yet interconnected fields of knowledge, something like modes of Risk Management:

  • Strategic Assumptions Assurance: A set of tools developed to assess an organization’s chance of achieving its goals and honoring its performance forecasts. It is supposed to support the strategy execution and monitoring processes.
  • Risk-Informed Decision Making: This mode has a diffuse, broad scope. As the name implies, it aims to ensure that the organization’s decision-making processes gather and use intelligently the necessary information for decision making under uncertainty. This mode is called Sufficient Certainty by Grant Purdy and Roger Estall, also the name of their consultancy from Australia.
  • Risk Control: A mode that has a transactional and compliance scope. It seeks to design and maintain a control environment that keeps residual risks at the planned levels. It is analogous to the “routine management” of Quality. Many people think that this is what Risk Management is all about.

This resonates more with me (see my last blog post).

The first of the three seems very similar to my idea of top-down risk management, which focuses on whether there is an acceptable likelihood of achieving each of the enterprise’s objectives.

The second is what I referred to as decision-based risk management.

But I see the third as a subset of the first two. Some might say that this is how an organization responds to, manages, or mitigates risk.

The problem is that it overlooks the positive aspect of risk: opportunities. We need controls to ensure that they are taken as and when appropriate.

Marco’s newsletter/LI post is quite long, and I will let you read the rest. The only comment I will make is that he makes everything seem complicated, whereas I always seek (but don’t always find) simplicity.

Please share your comments here as well as against his post.

P.S. Happy belated birthday, Marco!

More Risk Assessment Danger

August 4, 2022 15 comments

When I was setting up ERM for Business Objects S.A., I was surprised by the reaction of the General Counsel, David.

I had already met with the CEO and his other direct reports. Now David and I were meeting so I could get his insights on the more significant sources of risk to the company and its objectives.

“I’m not going to answer your questions about risk.”

I was shocked and asked him why, since both the board and his boss, the CEO, wanted this done.

Even though I told him that his insights were critical, he politely but firmly told me he would not share what he thought the likelihoods were of each of the events and situations most likely to cause a significant problem for Business Objects.

He went further, saying he would not provide any assessment of risk relating to legal actions by or against the company that would be documented by me.

David believed, with some justification, that documenting his (and the company’s) assessment of risks could itself create an unacceptable level of risk.

Why is there danger in risk assessment? (Beyond the risk of getting the risk assessment wrong, leading to bad business decisions, as discussed in my last post.)

Consider safety risk: the possibility that an individual might sustain serious harm while on our premises or when using our products. The company may publish a risk appetite statement that declares it has zero appetite or tolerance for safety risk. Yet, it continues to operate – meaning it is actually accepting some level of risk.

Now consider that management performs a risk assessment and (correctly) assesses that there is a low level of safety risk. For the sake of argument, let’s say it determines that the likelihood of loss of life is 0.5%, of serious injury 2.5%, and of minor injuries 3.75%. Relying on that, management decides not to upgrade some of their equipment using the argument that the cost would be prohibitive and the benefit (including the reduction in safety risk) minimal.

Then there is an incident with loss of life and other serious injuries to personnel, including both employees and contractors.

A lawsuit surfaces the risk assessment and management’s decision to accept the risk.

The union and the press blame the company for accepting the likelihood of death and injury for the sake of profit.

A similar situation can arise with compliance risk.

In theory, and probably in public, no company will accept any level of compliance risk.

In practice, they must if they are to be in business.

So when they decide not to hire additional compliance personnel because the cost exceeds the benefit, and they then violate data privacy laws or anti-money-laundering regulations, significant penalties and business disruption may ensue.

Taking this to a practical example, I have been working with a nonprofit that helps refugees in the Ukraine and many other nations around the world.

The chair of the audit committee would like to know what its risk appetite is, meaning the total amount of risk the organization is willing to take in pursuit of its objectives.

But how do you set an acceptable level of risk when people’s lives are at risk? It can’t be zero, because taking risk is necessary if you are going to send employees and others into a dangerous area to rescue people.

My point is this. The risk practitioner should understand where and when a formal, documented risk assessment or statement of risk appetite might be a source of risk should it become public.

I am certainly not saying that there is no need for or value in a risk assessment for compliance and safety risk. There is value, especially when allocating resources to areas of greatest compliance risk.

What I am saying is that we have to be careful how we quantify, document, and report it. At Business Objects, I found a way to perform the analysis “at direction of counsel” to provide some level of safety.

What do you think?

Risk Assessment Danger

July 31, 2022 26 comments

Every so often, we hear about a military mission where something went wrong. The intelligence might have said, for example, that a targeted individual was thought to be in a certain location – so the military attacked that location but did not find the sought-after person.

In the same way, business leaders make decisions based (at least in part) on information about risks and opportunities.

If a risk assessment is unreliable, wrong decisions may be made with serious effects.

For example, if the risk is seen as ‘high’ that a competitor will shortly release an advanced version of a competitive product, the management team may decide to accelerate the launch of its own product even though its development team say they are not quite ready.

On the other hand, if the competitive product release risk is assessed as ‘low’, then management may wait and spend more time on product quality.

If the risk assessment is faulty and leads management to make the wrong decision, there may be severe damage.

Going to market too early with a less than perfect product can lead to customer dissatisfaction and longer-term revenue losses.

Going to market too late allows competitors to steal market share and leads people to question the ability of the company to be a market leader.

Are risk officers (CROs and their teams) confident in the risk assessments they make or facilitate?

If a risk (of any type) is assessed as, let’s say, ‘high’ (whatever that means), how confident is the CRO and/or the management team in that assessment?

Are they 100% confident? I doubt it.

How about 90% or 80%?

In fact, I doubt that many CROs think about the likelihood that any of the risk assessments they make or facilitate are reliable.

I believe that CROs need to understand the likelihood that each risk assessment is or is not reliable.

Related risk factors may include:

  • Cognitive bias. See previous posts: Understand your own bias as a practitioner and Are your business decisions failing because they are biased?
  • Incomplete information, including not involving all the people who have relevant information and insights
  • Information that is out of date
  • Inaccurate information, for example portraying risk as a point instead of a range
  • Hidden or difficult to find and use information. For example, I understand some organizations have a risk matrix with more than 50 columns, let alone the number of rows. How can decision-makers be expected to find the nuggets of actionable information they need in such a mess of data?

Of course, many factors may lead to risk assessments that need to be taken with a grain, a pinch, or a bucket of salt.

The issue is whether the CRO understands the level of salt required. Should management make business decisions based on the available risk assessments?

If the likelihood of error in a risk assessment is unacceptable, should the decision be delayed until improvements are made – if that is even possible?

What do you think?

There are other dangers in risk assessment, which I will discuss in a later post.

Talking about Risk Governance

July 25, 2022 12 comments

My thanks to Alex Sidorenko, who recently wrote about The Directors and Chief Risk Officers Group (DCRO) on his blog in Companies need intelligent risk-taking to survive according to DCRO Institute.

I really like the shift from talking about risk management to risk-taking.

Alex says:

Avoiding risk altogether is the single surest way to fail over time, as innovation, competition, and customer lethargy will slowly eat away at the advantages you currently enjoy. Because there is plenty of evidence that organizations don’t take risk well – or at least well enough for long-run interests – we need to adopt practices that ensure our future.

The DCRO Institute [is] a collaboration among practicing board members and C-suite executives has developed an extensive program to help current and aspiring board members become comfortable with the positive governance of risk-taking. In just its first year, registrants for its programs come from more than 65 countries, and graduates of its flagship Board Members’ Course on Risk, an intensive study program, are found serving in boardrooms and C-suites on five continents.

He goes on to assert:

Boards and senior executives who embrace risk in this framework foster an environment of innovation, allowing organizations to grow at rates that allow them to escape the well-documented corporate fade in performance.

When a board changes its view of how risk is governed and taken, the transition to embracing risk carries throughout the organization to every employee, especially those that face customers. Today when most talk about risk, they still think of the fear of loss or uncertainty, especially given our current health, social, economic, and political climate. Loss and uncertainty are partially correct conceptualizations of risk, but both fall short of the approach we need to take to be our best fiduciaries.

The staged transition from the board’s embrace of risk-taking, to the C-suite’s implementation of that guidance, to the frontline employees’ management of essential risk-taking, leads us to the most crucial conceptual change of risk-taking: its impact on the trust that all capital providers and external influencers have in us. Organizations have an expressed purpose and stakeholders trust us to pursue that purpose in value-enhancing ways. That trust, in turn, makes all transactions more effortless and less expensive.

DCRO’s Guiding Principles for Board Risk Committees (published in 2018) lists seven principles:

  1. At any organization, the full board has the overall responsibility for risk governance. In many cases, the full board will benefit from the focused and specialized support of a well-structured and competent board risk committee.
  2. The focus of a board risk committee is to link the risk-taking activities of an organization with its strategic objectives. It provides the full board with the capacity to evaluate the risk management infrastructure and capabilities of the organization and to challenge the effectiveness of management’s pursuit of strategic objectives from a return-on-risk perspective.
  3. Board risk committee meeting agendas should be guided by best practices, stakeholder expectations, and regulatory requirements. Agendas should cover topics that include a review of risk culture, strategy, tolerance for loss, and both internal and external communications.
  4. Regular meetings with key executives and independent information gathering from stakeholders are both essential for the board risk committee to develop a full narrative of a company’s risk-taking activities.
  5. The board risk committee must interact with other board committees to ensure full coverage of the organization’s risk profile and the interdependencies across its risk and performance drivers.
  6. Board risk committees should be populated with Qualified Risk Directors who are competent to govern the risks to which the organization is exposed.
  7. The board risk committee should provide sufficient guidance and information to allow the full board to issue a simple-language disclosure about the organization’s risk culture and control processes. Further, and only if warranted, the full board should issue a statement that the organization’s risk philosophy, infrastructure, processes, and capital base are “fit for purpose.”

Frankly, the only one that resonates with me is the second. The rest are ho-hum. The first sentence in #2 is the key:

The focus of a board risk committee is to link the risk-taking activities of an organization with its strategic objectives.

I will come back to that, but first want to share some interesting excerpts, with my highlights.

  • Formal and effective implementation of a board risk committee fosters a corporate environment in which the most value can be created from an organization’s limited risk-taking capacity. Garnering the most benefit from risk-taking requires both an understanding of downside risks, from either action or inaction, as well as an understanding of the drivers of success.
  • The full board’s responsibility for risk oversight and governance mirrors its responsibility for oversight of strategy and the evaluation of results.
  • A board risk committee helps the full board to evaluate if the organization is taking risks that will truly generate value after accounting for their costs, both actual and prospective. It further helps to focus the full board’s attention on the organization’s most critical risks and risk management capabilities.
  • Board risk committees should meet quarterly or monthly, depending on the complexity of the organization and overall cadence of full board meetings. The focus of the conversations should be on linking the organization’s risk-taking activities with its strategic objectives and evaluating whether the return on risk-being-taken is sufficient to support strategic goals.
  • At least annually, the committee should independently gather information from key stakeholders in their supply chain, from customers, line employees, securities analysts, investment bankers, and regulators. The committee may go even further and create a stakeholders committee to advise it on external perceptions of the organization for alignment with the representations made by internal sources. To be clear, this is not intended to be a two-way flow of information, but rather a way for the board risk committee to receive additional perspectives on the work of the organization.
  • The committee should always consider ways to avoid barriers that prevent risk information from reaching the highest levels of an organization. Regular meetings with randomly selected line employees from key business and operational units may provide additional perspective on emerging risk or cultural issues that have not yet garnered the attention of senior management or that may contradict the representations they are making to the committee. These types of conversations can also help to identify obstacles to the free flow of critical information to the board.

The last two bullet points are controversial, at least in my opinion.

The idea that the members of the board committee should meet with “randomly selected employees” and other stakeholders is a strange one. I am not persuaded that directors should do that, especially as I am not sure they will receive sufficient information from a small sample to challenge management’s position. I would prefer that management justify how they arrived at their assessments.

Another controversial suggestion relates to where there is a combined Audit and Risk Committee.

DCRO points out that there is a lot of work for such a committee. It has a full slate just on the Audit Committee side. DCRO also asserts that understanding financial reporting doesn’t mean that you understand risk and risk-taking.

So they suggest that there might be dual chairs, one for each responsibility of the committee.

I am not in favor of that, although I do agree that combining Audit and Risk may give short shrift to the oversight of risk-taking.

The same criticism applies when the Audit Committee is expected to address risk, even though it is not part of their name. In those cases, DCRO points out that attention to risk-taking is often one of the last items listed in the committee’s charter.

My personal belief is that there should be a Risk and Strategy committee.

When you have a Risk committee, it may devolve into a focus on managing and mitigating risk (a list of risks, more often than not). This is especially true when there is a separate Strategy committee.

Going back to the second DCRO principle:

The focus of a board risk committee is to link the risk-taking activities of an organization with its strategic objectives.

Isn’t this best achieved by a Risk and Strategy committee?

Whatever you believe, I think the DCRO guidance is useful and should be considered by every Risk, Audit, Audit and Risk, and Risk and Strategy committee.

What do you think?

A brave root cause analysis and how COSO might help

July 22, 2022 7 comments

I have been a big fan of the IIA’s magazine for a long time, having been both a contributor and a member of its editorial board.

A recent piece tackled a topic that I believe is important, not only for internal auditors but also for risk practitioners in an article titled, Digging Deep (available to IIA members).

The lead-in paragraph says:

Using COSO-based root cause analysis to connect reasons for control failures with internal control principles can help identify weaknesses across the organization.

Now I’m not sure the author understands that root cause analysis has nothing whatsoever to do with the COSO Internal Control Framework.

However, that COSO framework’s principles can point to some areas, such as competency and information, that can help understand the true root cause of an internal control failure – so the author just got the wording wrong.

She says this well:

Conducting a root cause analysis is a way internal audit can add value to the organization by looking beyond identified symptoms of internal control weaknesses to the underlying reasons for why they exist. Without an RCA, recommended corrective actions often fail to address the actual cause of a problem, and the issue may persist or evolve.

In fact, if the auditor doesn’t perform a root cause analysis it is highly likely that only the symptom is identified and addressed, rather than the underlying disease.

RCA should not be considered an additional step. It should be mandatory for every identified control weakness.

The author has a useful section on the different ways a root cause analysis can be performed.

  • Five Whys: Asking “why” five times to drill down to the true cause of a finding.
  • Pareto Chart: Presenting potential causes for the identified problems on a chart from the highest to the lowest frequency to focus on areas of improvement with the greatest impact.
  • Fishbone Diagram: Assessing potential causes grouped into categories (people, process/methods, equipment, materials, measurement, environment) to establish a relationship with the identified problem.
  • Scatter Plot Diagram: Testing correlation between variables by plotting potential root cause (an independent variable) against the effect (dependent variable).

I would add a caveat: whichever method you choose (I prefer the first), you have to keep inquiring until the true root cause is identified.

In other words, you may have to ask “why” six, seven, or more times until you are satisfied that the root cause has been identified, and only then can corrective actions be considered.

Consider this. An audit or review has identified that reconciliations are not being completed on time.

  1. Why? Because people are too busy.
  2. Why are they busy? They have too much work to do in other areas and the reconciliations are lower priority tasks.
  3. Why do they have too much work? People have left and not been replaced.
  4. Why have they not been replaced? The manager has not been able to fill the positions.
  5. Why hasn’t he been able to fill the positions? Candidates are asking for too much money, more than the company can offer.
  6. Why is the company not able to offer sufficient compensation? Because the Human Resources department mandates a salary and bonus range for these positions that is lower than candidates with the required experience and ability demand.
  7. Why…..?

And on it goes until the true root cause, which in this case is in a different department than the symptom, is identified.

The other three methods (Pareto chart, Fishbone diagram, and Scatter plot diagram) may not be sufficient. For example, you may identify a common point of failure for multiple control issues. But then you have to ask “why” several times to get to why that cause existed.

Where the article goes astray is in its attempt to list ‘common root causes’ for deficiencies in particular areas. If you have been able to access and read the article, you will see what I mean. We can set aside the rest of that article.

So are there common root causes?

I would start with the principle that holds true in 99.99% of cases: the root cause is people related. It may be:

  • Controls are performed by people with insufficient training, experience, or competency (addressed by a COSO principle). The author has identified competency weaknesses and lack of training as common root causes, but they are not root causes. The auditor needs to ask why these conditions exist. Why didn’t competent people get hired? Why wasn’t adequate training provided? Several more whys may be needed before the true root cause is identified.
  • Controls are performed by people who have not received the information they need to do their job well (another COSO principle). Again, the article just says the common root cause is insufficient internal communication. But why did that happen? And why, and why, and why.
  • Management is lacking in some way, whether it is in how people are directed, how they are motivated, or some other issue.

Take one example from Auditing that Matters. Loretta Forti is our heroine, conducting an audit that focused on the timeliness of approval for capital expenditures (Authorizations for Expenditures, or AFEs).

I had asked her to perform an audit of the AFE process after I discovered that expenditures with a very high ROI were taking so long to be approved that the opportunity passed!

It was relatively easy to find out how the process worked. Once a month, the division CFO gathered all the Vice Presidents and they collectively reviewed all the AFEs and the analysis prepared by Mike Passaretti and his team [the Capital Expenditure department]. They would take about half a day to discuss them and decide which they would propose should move forward and what the priority was for each.

The next meeting, typically the following day, was with the division CEO, Bob. The CFO and all the Vice Presidents would review with Bob the AFEs they believed should go forward. When he felt that the total was too high or disagreed with the VPs’ recommendations, the executives had to debate which would be approved, which might be deferred, and which would be declined. This meeting also took a half-day on average.

Because of the intense review and approval process, each executive was careful to ensure all the AFEs they proposed had complete and accurate analyses included in the package. Mike and his team were equally careful with their review and analysis. This all took time.

It was clear to Loretta, as it was to all the Vice Presidents and the CFO, that the process was too long, consumed far too much executive time, and often cost more than the spending itself (if you count the cost of the VPs’ time)!

The question was why the process was this way.

The CFO and VPs all agreed, usually with language they wouldn’t use with children around, that they hated both the all-VP meeting and the meeting with Bob. They said they didn’t have the time to spare and asked for our help to get the process – both time and cost – under control.

Loretta and I met to talk about what we were to do. Rather than share my opinion, for once I did the smart thing and asked Loretta for her opinion.

At first, she didn’t know what to say. But as she realized she could say what was on her mind, and with some gentle guidance from me, she said it: the CEO was the problem. He was the only one who wanted these long and expensive meetings. Only when he was persuaded to change his mind could it be changed.

I knew Bob quite well, having worked with him before he moved into his current position with the company. He was one of the executives with whom I met frequently to discuss the business and he had shared a number of confidences with me.

I was sure that he would listen to Loretta and had a suspicion he would find it easier to understand himself if he met one-on-one with her. Both a formal meeting with the CFO present and a larger meeting with the three of us (Bob, Loretta, and I) might make it harder for him to look in the mirror.

And so it was. I persuaded him to meet with Loretta and she, in turn, trusted me when I told her she would not only be safe but would enjoy herself.

I admit that I was a little nervous as I waited in my office for Loretta. Then she appeared in the doorway, all smiles!

She told me that the meeting went brilliantly. Bob was charming, as usual, and showed great respect for her – even though she was ‘only’ a manager. He let her explain what she had found and that the long process was preventing timely investment to seize market opportunities. In addition, not only was it consuming a lot of expensive executive time, but it was taking them away from running the business.

This was critical, explaining the issue in terms of how it affected the business and its success. Auditors who talk in their language (what I call “technobabble”), rather than the language of the executives they are attempting to inform or persuade (which is the objective of an audit report) are unlikely to succeed.

Loretta said that Bob responded with silence, clearly thinking about what she had said.

Then he shocked her by telling her that he was the problem. He recognized that his insistence on discussing and approving every AFE could not continue. Bob told Loretta she had done an excellent job and that he would like to talk to me.

When I met Bob later that week, he repeated his praise for Loretta. Then he asked for my opinion. Again I was smart and didn’t give him my opinion straight away. Instead, I asked him why he wanted to approve every AFE.

After a short hesitation, he said that perhaps he should only approve major capital expenditures instead of every one. I concurred, saying that was what I was used to and would advise.

But I kept at it. Why had he insisted on approving every AFE? This was not what he had done in his previous positions with the company, nor was it what he was used to working directly for Tom O’Malley – a consistent and effective delegator.

Then he looked again in the mirror and saw his true self.

“Norman, I can see now that I didn’t trust my direct reports enough to make these decisions!”

We talked about this for a while. Either he had the wrong people in these key positions, in which case he needed to replace them, or he needed to trust the people he had and delegate more effectively. He didn’t hesitate before saying he had excellent people; he just had to let go, take a little more risk, and trust and delegate.

For the next couple of weeks, Loretta and I had a trail of VPs visiting us to express their thanks for Loretta’s great work. Bob had changed the entire process, with new delegations of authority such that the VPs could approve most AFEs, the CFO would have to approve all over a certain value, and Bob was only involved in truly major capital expenditures.

Going back to the statement I made earlier, that PEOPLE are almost always the root cause, in one way or another, root cause analysis may surface some ugly truths.

It can take a lot of interpersonal and even political skills for the auditor (with the CAE’s active assistance) to discuss the issue and root cause with management, obtain their agreement on the facts, and work with them on the appropriate corrective action.

They are often unable or unwilling to face those facts.

Consider situations where:

  • A manager is a poor leader, failing to delegate, motivate, inspire, etc.
  • The employee charged with performing the control has too much work and management is unwilling to hire additional staff.
  • A manager is unable (might be incapable) to persuade more senior management that there is a need to address a risk, to hire more people, to change direction, etc.
  • People are talking in different languages, such as senior management and the cybersecurity staff.
  • The company’s systems are old and need to be replaced at a cost of tens of millions, which is not in the budget.
  • The CEO is a bully and gets his direct reports to compete instead of working together.
  • The Marketing team distrusts the people in the front lines, and therefore loses touch with the needs and wants of the customer base.
  • The manager is biased against individuals who don’t look like him or her, creating a hostile environment and failing to get the best out of employees.
  • The culture established and reinforced by management’s actions discourages creativity and risk-taking, and stifles performance.
  • Management is not trusted or respected.
  • People are motivated to achieve their personal performance goals rather than what is best for the organization.

A root cause analysis that is not afraid of identifying and reporting people failures is essential.

The COSO principles are useful, but they are insufficient. Only some of the bulleted situations above are covered by them.

I am reminded that the former CEO of GE, Jack Welch, was once asked what problems he faced every day. His answer was:

  1. People
  2. People
  3. People

They are the root of (almost every) control failure.

We need to be brave to see and help others see the true situation.

I welcome your thoughts.

The agile risk appetite

July 18, 2022 4 comments

If you have been reading this blog or my books, you know I have significant reservations about the concept of “an amount of risk” that would be acceptable in pursuit of objectives.

However, I recognize the need for limits and policies when it comes to risk-taking. They help guide decision-makers on what risks and outcomes are desirable to leaders of the organization. We could call them ‘risk criteria’ (ISO), while some refer to them as ‘risk appetites’ or ‘risk tolerances’ (COSO). I prefer to avoid those terms as they focus on ‘risk’ with the inevitable negative connotation (i.e., we must manage or mitigate risk) instead of guiding people to take the right level of the right risks in the circumstances (such as the potential for reward). Let’s use ordinary business language instead of risk technobabble.

For example, these are useful:

  • Spending approval authorities
  • Credit limits
  • Policies on the level of credit that can be given to customers, with escalation to more senior individuals or even the board as needed
  • Approval levels for capital expenditures, including reserving certain expenditures to the CEO or the board
  • Policies of who can approve journal entries, purchase orders, inventory write-offs, etc.
  • Policies with limits on the use of derivative instruments
  • Policies on commodity or currency hedging
  • …and so on

My point today is that all of these, whatever you call them, need to be “agile”.

The environment within which organizations function is volatile – as or more volatile than any prior period.

There is uncertainty about:

  • Local and global economies
  • The supply of raw materials and components
  • The speed of the supply chain
  • The availability of personnel, both in specialist positions and minimum wage jobs
  • Disruption caused by sanctions
  • Consumer confidence
  • …and more

In these times, organizations need to be agile. They need to be able to adapt intelligently and at speed, without sacrificing the long term at the altar of the short.

If policies and limits, etc. don’t change as business needs change, you are highly unlikely to be taking the right level of the right risks.

I am reminded of a real-life situation that I wrote about in World-Class Internal Auditing.

The Treasurer at Tosco was a senior member of the Finance team, highly respected by company leadership. He had been a key member of the management team during the lean years at Tosco; shortly before I joined when the company was “leaking cash”, he had led twice-daily meetings of the financial team to ensure there was sufficient cash to make it to the next day!

So it was important that we make a good impression when we performed our first audit of his area.

At the same time, he was a gruff curmudgeon (he reminded me of the late, great Alastair Sim as Scrooge in “A Christmas Carol”) who scowled every time I saw him – and other executives told me that he shared that disposition with everybody except the CFO.

So, I set the auditor, Laura Morton (now Nathlich), two tasks: the first was to perform an audit and provide an objective assessment of whether the Treasury function was meeting the needs of the corporation; the second was to get the Treasurer (Craig Deasy) to smile!

Laura exceeded my expectations (something she went on to do regularly).

As I had expected, Craig’s area was in very good shape. It reflected his personality as a disciplined, careful individual who had a deep understanding of the business and its needs.

But, Laura identified one issue that only deepened Craig’s frown.

She pointed out that the company’s investment policy limited overnight investment of cash to the safest of all investments, which had the lowest of all rates of return. While this was the policy that had been approved by the board, the level of risk being taken (clearly a very conservative one) was inconsistent with the general attitude of the company to taking risk!

The company was a significant “player” in the commodity derivatives market, not only to hedge the price it would pay for its raw materials (crude oil) and the price it would obtain for its refined products (gasoline, diesel, jet fuel, and so on), but it also had a truly speculative position. (The manager in charge of our derivatives trading desk was permitted to make speculative trades of several million dollars, subject to supervision by Pete Sutton, a Vice President. Over the years, he was consistently profitable.)

So it was taking millions of dollars of risk in the commodities market but unwilling to take any risk in its overnight investments?

Laura recommended that the investment policy be reconsidered. That was a wise move. Only management can decide how much risk it is willing to take, but we (as the independent and objective internal audit team) can challenge them when appropriate.

Craig reluctantly agreed that Laura had a point – not on technical controls philosophy but on business grounds. He discussed it with the CFO and they agreed to change the policy.

I met with Craig and Laura to review the final report before it went to the audit committee. He gave Laura a reluctant smile and acknowledged that it was a professional audit.

Since then, when I talk to groups of internal auditors about ‘world-class internal auditing’ and ‘how internal audit can add value’, I ask “Do your audit customers smile?”

But the other lesson for me was that internal auditors should not try to eliminate every risk they see.

In my early years, we would identify “findings” and assess the level of risk they presented. The level of risk (high, medium, or low was the typical scale) would drive the sense of urgency when we reported the issues and recommended corrective action by management.

This audit was one of the first where I applied the lessons I had learned in line management, that it is not about eliminating risk – it is about taking the right risk, based on understanding the potential downside, the potential upside, and the cost of any actions.

When the policy was developed, it was the right policy for those times. But times had changed, without the policy being updated.

Some will tell you that policies and other guidance should be reviewed on a regular basis. They will suggest an annual review.

That’s fine, but is it fast enough in these turbulent times?

Are we being agile if we only update policies and practices annually (if that)?

Let’s recognize that agility requires us to be flexible with our risk criteria and other guidance, subject to appropriate reviews and approvals.

Let’s encourage everybody to challenge existing policies and procedures, drawing the attention of management to guidance that used to be but is no longer best for our business.

Don’t accept “we can’t do that because of our firm’s policy” if that is holding us back from success.

I welcome your thoughts.


The Woeful State of Enterprise Risk Management

July 14, 2022 15 comments

My thanks go to Professors Mark Beasley and Bruce Branson of North Carolina State University’s Poole College of Management (the Enterprise Risk Management Initiative).

They recently published 2022 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices – 13th Edition.

I believe this is their best edition and thank them for the detail it includes.

The information has value, but it is very important to understand that the survey on which the report is based was sent only to current members of the AICPA (in other words, CPAs). What they have to say is likely to be very different from what a CEO, COO, or other business executive would say. It is also likely to be different from what a board member would say.

Data was collected during the first few months of 2022 through an online survey instrument sent to members of the AICPA’s Business and Industry group who serve in chief financial officer or equivalent senior executive positions. In total, we received 560 fully completed surveys.

A variety of executives participated in our survey, with 21% of respondents having the title of chief financial officer (CFO), 18% serving as chief risk officer (CRO), 6% as controller, and 8% leading internal audit, with the remainder representing numerous other executive positions.

The respondents represent a broad range of industries. Consistent with our prior year survey, the four most common industries responding to this year’s survey were finance, insurance, and real estate (27%), followed by not-for-profit (28%), services (21%), and manufacturing (10%). The mix of industries is generally consistent with the mix in our previous reports.

The respondents represent a variety of sizes of organizations. As shown in the table on the next page, 47% of organizations have revenues $100 million or lower while 30% have revenues over $1 billion. So, there is nice variation in organization size in our sample. Almost all (89%) of the organizations are based in the United States.

My intuition says that they are more likely to be positive about ERM at their organization, as well as being more risk averse than other executives in operating management positions.

Their introductory statements are solid, and I am pleased to see them recognize the need to take risks and exploit opportunities. (The emphasis below is mine.)

Many business leaders and other key stakeholders are realizing the benefits of increased investment in how they proactively manage potentially emerging risks. This is done by strengthening their organizations’ processes surrounding the identification, assessment, management, and monitoring of those risks most likely to impact – both positively and negatively – the entity’s strategic success. They are recognizing the increasing complexities and real-time challenges of navigating emerging risks as they seek to achieve key strategic goals and objectives.

Many organizations are recognizing the need to enhance the formalization and robustness of their risk governance processes. Boards and C-suite executives of these organizations have embraced the concept of enterprise risk management (ERM), which is designed to provide an organization’s leadership a top-down, strategic perspective of risks on the horizon so that those risks can be managed proactively to increase the likelihood the organization will achieve its core objectives.

However, even these CPAs are saying that current risk management practices are failing to deliver.

The professors ask: “To what extent do you believe the organization’s risk management process is a proprietary strategic tool that provides unique competitive advantage?”

  • Not at all – 37%
  • Minimally – 26%
  • Somewhat – 25%
  • Mostly – 9%
  • Extensively – 3%

That’s pretty awful!

This is what they say about the “Strategic Value of Risk Management” (with my highlights):

  • Less than 20% of organizations believe their risk management processes provide strategic advantage. This is surprising given most leaders understand that risk and return are inseparable. [Marks: it’s not much more than 3% and not close to 20% according to their own numbers.]
  • Organizations continue to struggle to integrate their risk management and strategic planning
  • Except for financial services organizations, most organizations are not emphasizing the consideration of risk exposures when management evaluates different possible strategic initiatives or when making capital allocations.
  • Most organizations do not formally articulate tolerances for risk taking as part of their strategic planning activities.
  • There is noticeable room for improving ERM processes to help manage risks impacting reputation and brand.
  • There are opportunities to reposition an entity’s risk management process to ensure risk insights generated are focused on the most important strategic issues.

They say this about the “Overall State of Risk Management Maturity”:

  • While progress has been made in implementing complete ERM processes, more than two-thirds of organizations surveyed still cannot claim they have “complete ERM in place.” [Marks: and those that do are not saying that their ‘complete ERM’ is effective!]
  • Large organizations and public companies are more likely than other organizations to report a complete ERM process.
  • The level of robustness and maturity of risk management oversight remained relatively steady with the prior year; however, fewer than half of respondents describe their organizations’ approach to risk management as “mature” or “robust.”
  • Just over one-half of the public companies surveyed do not describe their risk management processes as robust or mature. Non-profit organizations are less likely to have structured risk management processes relative to other organizations.

They also point out that “Many organizations are concluding that their approaches to business continuity planning and crisis management are not at the level of preparedness desired, with almost three-fourths indicating significant changes in those processes will occur”.

The report has a number of important tables. I have highlighted a few points.

| Description of the State of ERM Currently in Place | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| No enterprise-wide management process in place | 15% | 2% | 2% | 6% | 14% |
| Currently investigating concept of enterprise-wide risk management, but have made no decisions yet | 10% | 3% | 2% | 6% | 10% |
| No formal enterprise-wide risk management process in place, but have plans to implement one | 8% | 3% | 4% | 4% | 10% |
| Partial enterprise-wide risk management process in place (i.e., some, but not all, risk areas addressed) | 34% | 36% | 35% | 36% | 38% |
| Complete formal enterprise-wide risk management process in place | 33% | 56% | 57% | 48% | 28% |

Many are reporting that they have a “complete and formal” ERM process in place, but at the same time they are not saying that it is delivering the value it should. They are also saying it is not robust (see the next table).

I believe that these people don’t understand the need for ERM to inform both strategic and tactical decision-making. They are satisfied with what they have (a list of risks, which is often quite short and only occasionally updated according to the survey), even if it fails to help the organization achieve its objectives.

| What is the level of maturity of your organization’s risk management oversight? | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Very Immature | 13% | 3% | 5% | 5% | 15% |
| Developing | 22% | 14% | 11% | 17% | 29% |
| Evolving | 35% | 39% | 39% | 43% | 33% |
| Mature | 25% | 36% | 37% | 29% | 20% |
| Robust | 5% | 8% | 8% | 6% | 3% |

If only a handful of the CPAs in a firm see ERM as “robust”, and 18% of them are CROs, what would the heads of manufacturing, sales, and marketing have to say?

| Description of the Current Stage of ERM Implementation | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Our process is systematic, robust, and repeatable with regular reporting of top risk exposures to the board. | 39% | 70% | 70% | 52% | 35% |
| Our process is mostly informal and unstructured, with ad hoc reporting of aggregate risk exposures to the board. | 28% | 16% | 11% | 28% | 31% |
| We mostly track risks by individual silos of risks, with minimal reporting of top risk exposures to the board. | 18% | 13% | 17% | 12% | 17% |
| There is no structured process for identifying and reporting top risk exposures to the board. | 15% | 1% | 2% | 8% | 17% |

So 70% of large organizations and public companies report at the highest level in the table above, but they don’t say the same in the next table.

| Extent to which the organization’s ERM process formally identifies, assesses and responds to emerging strategic, market, or industry risks | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Extensively | 14% | 22% | 26% | 19% | 9% |
| Mostly | 31% | 41% | 42% | 37% | 27% |
| Somewhat | 27% | 28% | 23% | 21% | 33% |
| Minimally | 14% | 7% | 7% | 17% | 11% |
| Not at all | 14% | 2% | 2% | 6% | 20% |

The next two tables demonstrate what I have believed for a while. Top executives don’t see the value of ERM as it is practiced at their organization (or believe it will be practiced if additional resources are provided).

| Percentage of respondents indicating that each of the following “Mostly” to “Extensively” is impeding risk management progress | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Risks are monitored in other ways besides ERM | 29% | 28% | 18% | 30% | 24% |
| Too many pressing needs | 16% | 27% | 26% | 19% | 19% |
| No requests to change our risk management approach | 19% | 17% | 23% | 12% | 21% |
| Do not see benefits exceeding costs | 13% | 17% | 12% | 15% | 12% |
| No one to lead effort | 12% | 9% | 12% | 7% | 16% |
| Would overcomplicate what can be best done ad hoc | 11% | 8% | 9% | 17% | 8% |

| Percentage of respondents who describe each of the following as being a “barrier” or “significant barrier” to effective ERM | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Competing priorities | 44% | 35% | 36% | 47% | 50% |
| Insufficient resources | 43% | 41% | 40% | 43% | 52% |
| Lack of perceived value | 28% | 31% | 27% | 25% | 29% |
| Perception ERM adds bureaucracy | 24% | 25% | 23% | 21% | 26% |
| Lack of board or senior executive ERM leadership | 21% | 18% | 19% | 16% | 22% |
| Legal or regulatory barriers | 6% | 3% | 4% | 6% | 6% |

As the authors say:

Some of the overall reluctance to embrace ERM across an organization may be due to a lack of understanding and knowledge of what an enterprise-wide risk management process actually entails relative to traditional approaches organizations use to manage risks. ERM is a relatively new business paradigm that business leaders are hearing about but may lack an understanding of how it might help them achieve their strategic objectives.

On the other hand, at least more people than I would have thought realize risk is not just downside.

| The definition of “risk” focuses | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Both on “upside” risks (risk opportunities) and “downside” risks (threats to the organization) | 60% | 58% | 54% | 63% | 68% |
| Only on “downside” of risks (threats to the organization) | 39% | 41% | 44% | 36% | 31% |
| Neither | 1% | 1% | 2% | 1% | 1% |

The table below shows that the speed and volatility of risk are certainly not being addressed.

| Frequency of Going Through Process to Update Key Risk Inventories | Full Sample | Largest Organizations (Revenues >$1B) | Public Companies | Financial Services | Not-for-Profit Organizations |
|---|---|---|---|---|---|
| Annually | 41% | 57% | 55% | 43% | 41% |
| Semi-Annually | 10% | 12% | 13% | 9% | 11% |
| Quarterly | 16% | 14% | 20% | 21% | 15% |
| Monthly, Weekly, or Daily | 7% | 9% | 7% | 11% | 5% |
| Not at all | 26% | 8% | 5% | 16% | 28% |

As I said in the title, the report indicates that the current practices around risk management are woeful.

We need to change everything, including the guidance from the various consultants, risk institutes, COSO and ISO (sorry, advocates), to help lead practices away from management of risk (doom management) and towards the informed and intelligent risk-taking through quality decisions that will enable the achievement of objectives (success management or, more simply, effective management).

Unfortunately, the professors failed to ask what might be the most important question:

Does risk management at your organization help you and others understand what might happen so you can make the informed and intelligent decisions necessary for success, taking the right level of the right risks and exploiting appropriate opportunities?

Maybe this will be in the 2023 edition! One can only hope.

What do you think?

How do you audit enterprise risk management?

July 11, 2022 16 comments

The IIA published a Practice Guide, Assessing the Risk Management Process, in 2019. It is recommended guidance and not mandatory. What is mandatory in the IIA Standards is performing an assessment, and this Practice Guide (PG) is intended as helpful advice on how to do it. (While the Standards say that you must perform an assessment, I am assured that you don’t need to do so every year (regardless of the actual words used) when the risk is low – for example, if it was assessed and found effective the prior year.)

The PG starts well:

Around the world, risk management activities and initiatives are required and expected by regulators, rating agencies, and a host of other stakeholders in major industries including financial services, government, manufacturing, energy, health services, and more. However, risk management is driven by more than regulations and external forces. Implementing efficient and effective risk management benefits organizations of any type and size by helping them to achieve operational and strategic objectives and to increase value and sustainability, ultimately better safeguarding their stakeholders.

Internal auditors must evaluate the effectiveness and contribute to the improvement of risk management process (Standard 2120 – Risk Management). Benchmarking the current state of the organization’s risk management against a risk management maturity model is a good place to start this type of assessment. Benchmarking may help the internal audit activity communicate with senior management and the board about the organization’s level of risk management maturity and about aspiring to improve the process and advance in maturity. This information also enables internal auditors to appropriately tailor each engagement, taking into account the maturity of the area or process under review.

I like the fact that the PG promotes the use of a maturity model. I recently shared one that Michael Rasmussen developed and have a more extensive one in Risk Management for Success.

While the PG appears to understand that there is a “positive side to risk” (i.e., good things can happen, usually referred to as opportunities, as well as negative, generally referred to as risks), it falls into the same trap as almost everybody else by focusing on the negative side. For example, it talks about risk registers (lists of risks, also known as risk profiles), heat maps, and risk appetite. It fails to recognize the need to take risk, even taking more risk when the business opportunities and needs require.

While the PG contains material that is worth considering (especially if you are only interested in auditing compliance with risk policies and procedures), I think there is a better way.

It starts with the recognition that if risk management is effective, leaders and other decision-makers will say so.

They will acknowledge that risk management is helping them make better informed and intelligent decisions that are contributing to the success of the organization, the achievement of objectives.

By ‘risk management’, I am not talking only about any risk function; I am talking about how the organization as a whole understands the more significant things that might happen, and uses that information in setting goals, objectives, and strategies, and then executing on them through every-day decisions.

So the audit starts by asking leaders and decision-makers, not only at the top but in other positions:

  • Does risk management (broadly defined) help you set your goals and objectives and then execute on them for success? If so, to what extent? Is it sufficient?
  • Is it helping you make informed and intelligent decisions? If so, to what extent? Is it sufficient?
  • Do you have confidence that others are making the best informed and intelligent decisions?
  • What is working well?
  • What needs improvement?
  • Are risk practitioners (if there are any such specialists) effective? Are they proficient? Are they helping you succeed?
  • What should be changed?

While this can be asked in a survey, I strongly encourage the auditor to sit down with each individual and listen carefully. Start here and see what answers you get. Listen carefully.

If there are issues, understand the root causes and go from there.

You may find that everybody is complying with stated policies, risk limits, and even risk appetite statements – but this is not helping the organization succeed!

Seek to assess effectiveness rather than compliance. Help the organization succeed rather than avoid failure.

I welcome your thoughts.

Seize the opportunity through strategic risk management capabilities

June 20, 2022 5 comments

PwC has shared with us the results of their 2022 Global Risk Survey.

It has some interesting stuff, although (as usual) it doesn’t go far enough for me. Their good stuff includes:

  • In this turbulent business environment, many executives find the need to revise and adapt their strategies and operating models at a rapid pace. They know that capturing opportunity and avoiding disruption requires speed.
  • Organisations’ risk management and broader resilience capabilities need to quickly adapt to support business agility and to contribute proactive, robust and timely risk insights for decision-making. In an environment where change is constant, strong risk and resilience capabilities can provide an edge. Business leaders can make confident decisions in pursuit of their strategy that are informed by a panoramic view of risk.
  • The organisations that have stood out from the pack in the past two years have not just managed risks. They’ve taken on risks, with confidence. These organisations have an agility advantage. They have the right resources engaged in making risk-informed decisions at the right time.

These are both excellent observations (in the midst of a discussion about the turbulent risk landscape).

Although an argument may be made that things are changing faster than ever before, the fact remains that if an organization is to be successful it has to do more than avoid disaster.

I congratulate PwC for recognizing this truth. I especially like the last excerpt above.

They sound a note of warning, reporting that only “39% of business executive respondents say they are making better decisions and achieving sustained outcomes by consulting with risk professionals”.

However, that is the highest percentage by far I have ever seen respond positively on this issue. Other surveys tell us that about 80% of executives see risk management as a “compliance activity”. So I am taking the good news of 39% with a dose of salt.

Unfortunately, the greater part of their report still focuses on avoiding failures. For example, they talk about risk profiles (COSO-speak for risk registers), KRIs instead of KPIs, risk appetite (they would have done better by including a discussion of risk capacity), risk culture (instead of organizational culture), a common risk language (when we should be talking about performance), and a GRC platform (without saying it has to be objective and performance driven).

My advice:

Instead of talking about risk and trying to embed it into decision-making, make sure your decision-making processes consider all the events and situations that might happen. Then make the right business decision.

In the meantime, ask your executives whether “they are making better decisions and achieving sustained outcomes by consulting with risk professionals”.

I welcome your thoughts.

Wasting time with audit reports

June 7, 2022 9 comments

Richard Chambers has returned to the topic of audit reports in 5 Strategies For More Timely Internal Audit Reports.

I agree with much of what he has to say, especially this:

…it can sometimes take as long to issue a report as it took to perform the audit!

This is a major problem, a total waste of scarce and valuable time.

There is never enough time to complete audits of all the issues and areas where there is a risk to the enterprise. The idea that we are wasting time writing and re-writing audit reports should turn everybody’s stomach.

Richard has some good ideas. His five strategies are:

  1. Share internal audit results with client “as you go”.
  2. Eliminate or reduce levels of review. 
  3. Use team editing or report conferencing. 
  4. Use automated working papers’ report-writing features.
  5. Streamline the report format.

That last strategy is, in many ways, the most telling. To quote Richard again:

Internal audit departments that have successfully reduced their reports’ cycle time generally produce leaner audit reports, which makes them not only easy to edit but easy to read. The shorter a report is, the less time it typically takes to write and edit. Complexity can also slow the review process, so generally speaking, simpler is better, too. And reaching consensus with clients can become onerous with longer reports, so streamlining formats pay dividends throughout the process. I have on occasion seen internal audit reports that exceeded 100 pages. I am convinced reports that long are not read in their entirety by all of those who were likely to benefit from the information. It’s always tempting to include more detail in an internal audit report than the minimum needed to make your point, but my advice to new auditors is to tell your story clearly and succinctly. There’s nothing worse than working hard and coming up with a good report that people then ignore. Think of it this way—the longer your report, the less likely it will be read by those in a position to take action on your recommendations.

I have also seen audit reports that are so long that they needed a table of contents to tell readers that the executive summary is on page 8.


How can you expect anybody to take time from running the business to read anything more than a page or two?

Yes, you can say that it is their job, and they need to. But do they really need to read an audit report?

That is the real question.

Why should anybody read an audit report?

Put a more meaningful way:

What will a leader learn from an audit report that will help them run the business?

Too often, auditors write for themselves, for history, rather than for their customers in top management and on the board.

As a reminder, I have written about audit reports twice recently:

If audit reports were banned

The inherent problem with (some) audit reports

We need to put ourselves in the shoes of our customers and consider the issue from their point of view.

1. Members of the audit committee of the board (or owners)

Our primary customers, the people to whom we report, need answers to these questions:

  • Is there a problem I need to know about, because it might affect the performance of the organization as a whole?
  • If so, what is it, how would it affect the organization, what is being done, do I need to worry?
  • Can I rely on management to make informed and intelligent decisions, including taking the right risks and seizing the right opportunities?

If there is nothing for them to be concerned with, why aren’t we telling them that in half a page or less?


2. Members of top management

Their needs are very similar to those of the audit committee members. The only difference is that they may (emphasis on ‘may’) be concerned with matters of less significance.

The questions they need answers to would be:

  • Is there a problem I need to know about, because it might affect the performance of my team or the organization as a whole?
  • If so, what is it, how would it affect my area or the organization, what is being done, do I need to worry?
  • Can I rely on my team or other members of management to make informed and intelligent decisions, including taking the right risks and seizing the right opportunities?

3. Members of operating management

The first inclination might be to assume they need to know everything. But do they?

The audit team should have been not only sharing their observations as they go (as Richard points out in his first strategy) but discussing them with management and agreeing on the facts, whether they represent a risk to the organization, whether the risk should be taken, and what action (if any) should be taken.

If that is the case, then where is the value in documenting what has already been agreed?

The problem may lie in the fact that many auditors will tell management what they have found, but don’t stay to discuss those findings with them and agree on actions.

I recommend communicating (and that is two-way) as you go and confirming the results in an email each time.

Now ask where the value is in a long report.

It may lie in confirming all the details discussed earlier (one line per issue) and then talking about what it all means when taken together.

What is the overall opinion, and what does it mean in terms of the ability of the area to achieve its objectives?

It may well be that even operating management only needs a page or two in a formal report at the end of the audit.



Let’s not do anything, especially anything that consumes a lot of our scarce and valuable resources, on work that has little or no value to our customers.

Speed is not the issue that it may seem: why tell them what they don’t need to know faster?

The IIA’s Standards do not require a formal audit report. Instead, they require that the auditor communicate the results of the engagement.

I would change the Standards to instruct the auditors to:

Communicate to those who need to know, what they need to know, when they need to know about the results of the engagement and what they mean to them, to the organization, and to its success.

Why do we do more?

I welcome your comments.

Assessing or Auditing Cybersecurity Risk

June 2, 2022 5 comments

One of the challenges when it comes to so-called “cybersecurity risk” is in accepting and then applying the idea that cyber is not an “IT risk”. No. It’s a business risk.

That is easy to say, and it makes all the sense in the world.

However, people tend to apply it only when talking about the fact that the whole organization, the entire business, has to be involved in preventing and then responding to a breach.

The truth is that cybersecurity MUST be seen within the context of the whole business, not in a silo.

What is the potential effect of a breach on the achievement of the enterprise’s objectives?

If we are to assess cyber-related business risk, we have to have the answer to that question.

That requires the involvement in the assessment process of both business and technical personnel.

Trying to assess cyber-related risk with only technical personnel is highly unlikely to come up with the right answer.

Yet, the most widely accepted cyber risk standards are written by information security personnel, for (in my opinion) other information security practitioners.


If internal auditors want to assess the management of cybersecurity risk, they should take a more holistic approach, starting with the answers to that question: “What is the potential effect of a breach on the achievement of the enterprise’s objectives?”

An audit should probably include the participation of financial and operational auditors, not be limited to the infosec experts.


In fact, the first step in any audit should be to determine whether management knows the answer! Then see whether they continue to know the answer as the business, technology, and the environment (including the hackers’ tools, techniques, and favorite targets) change.

If management has not completed and then maintained a business risk-oriented risk assessment that is integrated with enterprise risk management and decision-making, the audit team should consider calling the audit to a halt.

If management doesn’t know where the risks are, what assurance does it have and what assurance can internal audit provide, that the right controls and security are in place?


The next step, the one I favor, is to determine whether the information security team has the necessary capabilities, position, and authority to address those risks.


Only then would I consider assessing whether the measures in place are sufficient and effective.


The IIA had different ideas when it published one of their newer pieces of ‘supplemental guidance[1]’ in their 2020 Global Technology Audit Guide (GTAG): Assessing Cybersecurity Risk.

The GTAG has some good and some not-so-good advice for auditors wishing to provide assurance, advice, and insight on cyber-related business risks.

This GTAG seems to fall into the trap of assessing risks to information assets rather than risks to the business: “IT risks” (whatever they are, absent the context of what the business is trying to achieve) rather than risks to the success of the business.

Let’s first look at, and comment on, some excerpts.

  • Global connectivity and accessibility to information by users outside the organization increase risk beyond what has been historically addressed by IT general and application controls. Organizations’ reliance on information systems and the development of new technologies render traditional evaluations of IT general and application controls insufficient to provide assurance over cybersecurity.


Internal auditors need an updated approach for providing assurance over cybersecurity risks. Although IT general control evaluations are useful, they are insufficient for providing cybersecurity assurance because they are neither timely nor complete,

(Later still)

The complexity of cybersecurity requires added layers of controls, such as monitoring for risk, detecting exploits as they happen, and prompting corrective action.

Comment: I couldn’t disagree more on the first two of these excerpts. ITGC includes information security, which includes cybersecurity. Cyber is no different from what I was responsible for when Information Security reported to me at two financial institutions; what I evaluated as an IT auditor; or what my various Internal Audit teams assessed after I became a CAE.

The third quote is fine, although every source of significant risk needs to be monitored and the assessment updated at the speed of risk.

  • Cybersecurity refers to the technologies, processes, and practices designed to protect an organization’s information assets — computers, networks, programs, and data — from unauthorized access.

Comment: In other words, IT Information Security.

  • Cybersecurity risks are notably more dynamic than most traditional risks and necessitate a timely response.

Comment:

    1. More dynamic (volatile) than currency or commodity prices? I doubt it.
    2. All risks require more than just a timely response, they require timely identification and assessment.
  • Cybersecurity is relevant to the systems that support an organization’s objectives related to the effectiveness and efficiency of operations, reliability of internal and external reporting, and compliance with applicable laws and regulations. An organization typically designs and implements cybersecurity controls across the organization to protect the integrity, confidentiality, and availability of information.

Comment: The GTAG has correctly listed all the categories of objectives identified in the COSO Internal Control Framework. Nothing new here. But the controls need to be designed to address risks to the achievement of those objectives, a different dimension to “the integrity, confidentiality, and availability of information”.

  • Because assurance based on traditional, separate evaluations is not sufficient to keep up with the pace of cybersecurity risk, an innovative assurance strategy is required. Increasingly, continuous auditing techniques are needed to evaluate changes to security configurations, emerging risk outliers and trends, response times, and remediation activities.

Comment: 100% disagree, and this is one of my primary problems with the GTAG. I will explain shortly.

  • The internal audit activity plays a crucial role in assessing an organization’s cybersecurity risks by considering: Who has access to the organization’s most valuable information? · Which assets are the likeliest targets for cyberattacks? · Which systems would cause the most significant disruption if compromised? · Which data, if obtained by unauthorized parties, would cause financial or competitive loss, legal ramifications, or reputational damage to the organization? · Is management prepared to react quickly if a cybersecurity incident occurred?

To understand the cyber threats relevant to an organization, it is important to determine what information would be valuable to outsiders or cause significant disruption if unavailable or corrupted. Also, it is important to identify what information may cause financial or competitive loss or reputational damage to the organization if it were acquired by others or made public.

Comment: While the GTAG focuses on the protection of information assets, that is IT-centric and siloed and not a business-centric view. I will come back to that as well.

  • Management should consider performing a business impact analysis (BIA).

Comment: If management hasn’t done a BIA that identifies how a cyber incident could affect the achievement of its objectives, Internal Audit should immediately bring that to the attention of senior management and the board as a serious issue. Any risk assessment is likely to be wrong. If they have done one that only helps them prioritize information assets and does not enable multiple sources of risk (i.e., not only cyber but also compliance, human resources, etc.) to be considered together when making a decision, the issue remains serious – but is easier to remedy. See discussion later.

The GTAG includes eight questions for a CAE to consider.

It also has a Cybersecurity Risk Assessment Framework that has six components.

  1. Cybersecurity Governance
  2. Inventory of Information Assets
  3. Standard Security Configurations
  4. Information Access Management
  5. Prompt Response and Remediation
  6. Ongoing Monitoring

I will let you read and think about them. Instead, I want to be constructive. I will explain my two major issues and then suggest a far better approach (IMHO[2]).


It’s not about information assets.

One of the problems I have with the NIST, ISO, and FAIR standards and guidance is that they focus on ‘information assets’ and not on the business.

While the business cannot be considered absent IT-related risks and opportunities, those IT-related risks and opportunities cannot be considered absent the context of running the business and achieving objectives.

Cyber (and other IT-related risks) should not be considered in a silo.

Cyber (and other IT-related risks) is just one source of risk that needs to be considered in decision-making.[3]

In fact, a cyber incident can create a supply-chain, compliance, operational, financial, or other risk – because risks are interrelated.

Similarly, a change in the supply chain such as the use of a new logistics company, or a change in operations or financial advisor, can change cybersecurity-related risks.

Cybersecurity risk assessment and treatment should be an integral part of the organization’s enterprise risk management program (ERM) and decision-making, not a siloed operation.

If cybersecurity is not fully integrated, then Internal Audit should be reporting that to the board.

We need to be concerned with risk to the ability of the organization to achieve its objectives, its purpose over time.

That is what a BIA should do, and it’s why the absence of one that is continually updated is a major issue that needs to be reported to the board and fixed.

Internal Audit needs to rise above the silo and use its ability to see the whole, not just individual parts.

Audit what might affect the organization, and that is likely to result in assessing cyber differently.


It’s not about doing it ourselves

There’s too much focus on assessing what defenses are in place, and not nearly enough about whether management knows they have the right level of cybersecurity in place all the time.

Note the ‘all the time’ qualifier in that sentence.

We shouldn’t be looking at continuously auditing cybersecurity (as suggested by the GTAG). Instead, we should be seeing if management not only has the right defenses at the time of our review, but will adapt them properly as risks change in the future.

Not only should we review their processes for cyber risk assessment (as an integral part of ERM), but also whether that assessment is continuously updated.


Provide forward-looking assurance, advice, and insight

Any audit should provide our professional opinion on whether management’s processes and controls provide reasonable assurance that there is a low (i.e., acceptable) likelihood of a breach with an unacceptable effect on the organization and the achievement of its objectives.

Auditing what is in place today and whether it is sufficient to address today’s known risks is of limited value.

Audit whether management has the right capabilities in place today and is reasonably likely to have in the future.


I welcome your thoughts.

[1] The IIA says “Supplemental Guidance provides additional information, advice, and best practices for providing internal audit services. It supports the Standards by addressing topical areas and sector-specific issues in more detail than Implementation Guidance and is endorsed by The IIA through formal review and approval processes”.

[2] Maybe not so humble.

[3] This is the focus of my book, Making Business Sense of Technology Risk.

Trends in SOX Material Weaknesses

May 30, 2022 1 comment

Last week, I shared a post about the firm of Audit Analytics’ report on 2021 financial restatements.

Today, I am going to cover their report, SOX 404 Disclosures: A Seventeen-Year Review. Admittedly, it analyzes 2020 filings, but I would expect that the results would be similar now.

Their report has some interesting news, notably that the number of adverse assessments of internal control over financial reporting (ICFR) decreased in 2020 despite the pandemic.

The percentage of adverse ICFR management reports and auditor attestations decreased in 2020, despite the impact of the COVID-19 pandemic throughout 2020 that necessitated changes to internal controls. The COVID-19 pandemic occurring throughout 2020 had particular effects on public companies and their internal control structure and environment.

Some companies with existing control deficiencies disclosed difficulty remediating those weaknesses due to pandemic circumstances. Furthermore, rapid changes to the control environment were required in order for many companies to continue operating, including the need to reduce personnel to comply with pandemic restrictions or conserve cash. A reduced workforce can result in issues in the control environment related to segregation of duties and maintaining appropriate accounting personnel. Additionally, many companies increased reliance on information technology to accommodate a remote workforce, an area of controls ripe for deficiencies.

They also said that there was no significant change in the areas where material weaknesses were found.

Despite the unprecedented nature of the pandemic, little effect was noted in terms of the most common issues disclosed in adverse SOX 404 assessments. For example, the top two internal control issues cited in adverse ICFR management reports in 2020 – issues related to accounting personnel and segregation of duties – have been the top two issues for the previous five years. This illustrates that issues related to personnel are always common for smaller companies, regardless of circumstances arising from an event, such as the pandemic, that could significantly exacerbate existing deficiencies.

One ‘finding’ in the report astonished me.

The report says that the external auditors cited different material weaknesses than management.

  • In adverse ICFR auditor attestations for the fiscal year 2020, the most common internal control issue that led to the conclusion that ICFR was ineffective was the need to make year-end adjustments (51%). The second most common reason expressed by auditors was a need for more highly trained accounting personnel (42%). These internal control issues are common, appearing as the top two issues in each of the last five years.
  • In adverse ICFR management reports for the fiscal year 2020, the most common internal control issue that led to the conclusion that ICFR was ineffective was a need for more highly trained accounting personnel (75%). The second most common reason was related to segregation of duty issues associated with the design and use of personnel within an organization (63%). These internal control issues are commonly cited in management reports, appearing as the top two issues in each of the last five years.

This makes no sense to me for several reasons.

First and foremost, I find it hard to believe that they couldn’t agree on material weaknesses. If the audit firm said something was a material weakness, it would be next to impossible for management (and the audit committee) to refuse to identify it as such in their report. Similarly, I can’t see the audit firm passing up the opportunity to report something management said was a material weakness.

I am also surprised that the auditors thought that having a lot of year-end adjustments reflected an ineffective system of ICFR. The only explanation I have is that they related to errors during the year that were material to one or more quarters and were corrected at year-end – and that should have been the disclosure. The problem with that is that the system of ICFR at the end of the year would probably have been effective! (Management also identified this area in 21% of their adverse assessments.)

The report lists other areas where material weaknesses were identified, either by the audit firm or by management.

  • The audit firms identified issues related to IT in 36% of their adverse opinions.
  • Both the audit firms and management identified inadequate disclosure controls (21% of the adverse audit attestations, and 25% of management’s). But disclosure controls (the subject of s302 of the Act) are not subject to s404 opinions. This makes no sense to me.
  • Management identified an insufficient audit committee as a material weakness in 21% of their reports. It is hard to see how this can be correct. While it is one of the Principles in the COSO Internal Control Framework, defects in the audit committee are highly unlikely to result in a material error or omission in the financial statements.

The report has some more useful information. Again, they contrasted the reports of the audit firms to those of management.

  • In adverse ICFR auditor attestations for the fiscal year 2020, the most common accounting issue that led to the conclusion that ICFR was not effective concerned revenue recognition. The second most common reason expressed by auditors was related to taxes. Taxes were the number one issue in 2016 but were less common between 2017-2019. Accounting issues related to PPE, intangible or fixed assets jumped in rank from eighth in 2019 to 2020. In a bigger jump, accounting issues related to the recording of debt and warrants identified in adverse ICFR auditor attestations went from being far outside the top five issues in the last five years to being the sixth most common issue in 2020.
  • In adverse ICFR management reports for the fiscal year 2020, the most common accounting issue that led to the conclusion that ICFR was ineffective concerned the recording of debt/warrants/securities. This issue ranked fourth in 2015, but historically, the recording of debt and warrants was not a prevalent accounting issue cited in management reports with adverse ICFR.

I am drawn to conclude that people are having difficulties in this area. I strongly suspect that some auditors and some management teams are not testing their identification of material weaknesses against the definition of “a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.”

I also suspect that the audit committees of these companies are not challenging management and the audit firms to report the same and not different material weaknesses.

Finally, too many seem to be failing to assess and report on the state of ICFR at the end of the year, which is the requirement.

Reports like these are useful information to all involved in SOX. We should pay attention and make sure we have the right top-down and risk-based scope, and test any deficiencies against the definition of a material weakness.

I welcome your thoughts.

Where do material errors occur in the financial statements?

May 27, 2022 1 comment

Every so often, the firm of Audit Analytics shares a report with information of interest.

Their latest is 2021 Financial Restatements: A Twenty-One-Year Review. They introduce it:

In this report, we cover twenty-one years of trends in financial restatements – including a closer look at the effect of SPACs on recent trends in financial restatements. We also cover materiality, impacts, severity measures, size and location, and the top accounting issues.

If you are involved in preparing or auditing financial statements or the system of internal control over financial reporting (e.g., for SOX compliance), or on the audit committee of the board, you should read the report.

The big news is that the great majority of restatements were due to issues around the use and accounting for special purpose acquisition companies (SPACs). As the report says:

On April 12, 2021, the SEC’s Acting Director of the Division of Corporation Finance John Coates and Acting Chief Accountant Paul Munter issued a joint statement urging companies with warrants issued by Special Purpose Acquisition Companies (SPACs) to reconsider the accounting treatment of those warrants. In November, hundreds of SPACs reclassified redeemable shares from permanent equity to temporary equity.

The SEC’s guidance on accounting for redeemable shares and warrant liabilities resulted in significant increases observed in both the number of restatements filed and the number of companies that disclosed a restatement during 2021. Additionally, the composition of restating companies was altered from previous years, as these two accounting issues had a broad impact on a narrow population: SPACs and companies acquired by SPACs.

As a direct result, the positive trend in the number of restatements was interrupted in 2021. If you exclude SPAC-related restatements, the numbers continued to decline.

If you exclude SPAC-related restatements, the more significant accounting issues were:

  • Debt and equity securities – 19.1%
  • Revenue recognition – 12%
  • Liabilities and accruals – 11.7%
  • Expenses – 10.9%
  • Taxes – 8.8%
  • Cash flows – 7.3%
  • Share-based compensation – 7%
  • Acquisitions and divestitures – 7%
  • Inventories – 6.7%
  • Asset valuations – 6.5%

I find it interesting that a hot button in previous years, Revenue Recognition, has dropped from being the reason behind more than 20% of restatements in 2004, to around 16% in 2018, and to 12% last year.

What does all of this mean for those of us involved in preparing or auditing financial statements and related controls?

I believe this should be factored into your risk assessment activities.

The audit committee might include a discussion of this report with their external auditors.

I welcome your thoughts.

Risk and Strategic Intelligence

May 23, 2022 5 comments

One of the issues that has concerned me over the years is who is not only responsible for understanding what might happen (both risks and opportunities) but also has the capability to do so.

The easy answer is that operating management is responsible for understanding, evaluating, and addressing what might happen that could affect their business and its ability to achieve enterprise objectives.

That’s the easy answer, because I see the risk function as helping management do that. The risk function shouldn’t own the risk or be responsible for identifying and assessing it.

But do either have the capability to do it well?

A Wall Street Journal article, Building a Corporate Strategic Intelligence Program, got me thinking.

Should an organization establish a function whose job it is to survey and monitor the external environment? If so, should it be on targeted areas rather than the whole potential landscape? (The discussion in the article does not include threats or opportunities from internal sources.)

In the article (which has content by Deloitte but is written by an executive from Invesco, the company it profiles), the Strategic Intelligence function is not part of the risk function.

Effective strategic intelligence functions are often well connected across organizations, especially with risk management teams, and well positioned in the organization’s strategy-setting process. They also often report to a C-suite leader to enable intelligence to be elevated to the highest levels of leadership in the organization.

I think this is an idea that is worth exploring.

It would be a team with expertise in analytics and other tools, and access to other sources of research.

What do you think?

Proactive Auditing or Embedded Assurance

May 20, 2022 7 comments

When I saw that Protiviti had published an article with the title What Is Embedded Assurance — and How Can It Benefit Enterprise Projects?, I was intrigued.

What exactly is “embedded assurance”?

I expected something along the lines of the new-fangled concept of ‘combined assurance’, which is really not new at all! In 2009, the IIA issued Practice Advisory 2050-2, Assurance Maps (available only to members). It was an excellent piece of work then and remains useful today.

Or it could have been related to continuous assurance/auditing. But it’s not.

In fact, the concepts behind “embedded assurance” are very old! Just Google ‘pre-implementation reviews’ to find multiple articles on the topic. I was doing these when the authors were in diapers!

That doesn’t mean that the Protiviti piece is without merit (only that the only thing new is the name they give it).

I strongly encourage every audit department to perform proactive auditing, getting involved in major (or even minor) projects when justified by the level of risk to the enterprise.

Vary the level of work, again based on the level of risk.

For example, a pre-implementation review might include one or more of the following:

  • A review of the cost justification/capital expenditure request
  • A review of the requirements documentation
  • A review of the project approach, such as whether adopting an agile methodology is optimal. One of the issues I have seen is that the incremental changes identified over the project’s life move it away from the original intent and why the expenditure was approved.
  • A review of the project plan and its management
  • A review of the design to ensure it will address the requirements
  • A review of the design to ensure it will have the necessary internal controls and security
  • A review of the test plans
  • Independent testing or reperformance
  • Building in additional data monitoring and alerts
  • A post-implementation review

You should also make sure you have the right team for your pre-implementation review.

At Tosco Marketing Company, which had more than 6,000 convenience stores as well as gas stations, management had a massive IT systems project. They would replace all the systems in the stores, connect them with a new central stores management system, run everything on new hardware, and implement a new access control system.

My team included two IT audit managers with application auditing expertise, another IT auditor with highly technical skills (including experience with the new access control system), and an operational auditing manager.

I needed all of these to make sure we covered the waterfront. This was not an IT project; it was a major business project.

By the way, this concept should apply to the proactive auditing of any major project, not just technology ones. For example, get involved in major new construction projects.

What do you think?

How active are you in pro-active auditing?

A Better Objective for an Audit

May 16, 2022 4 comments

Over the years as a CAE, I learned that there was a better way to steer the audit team. Instead of asking them to assess the system of internal control over a process or business unit (an approach that is disconnected from enterprise objectives), or whether the controls provide reasonable assurance that specified risks are at desired levels (a far better approach), I asked them to answer this question:

Do the processes and controls meet the needs of the business?

This makes the members of the audit team think!

What is management trying to achieve with this business unit, activity, process, etc.?

Does the way they are operating, which includes the controls they are relying on, provide reasonable assurance that they will be successful?

That means that not only do they need to take the right risks but seize the right opportunities. Are they doing that?

How well are they leading the organization and its people, obtaining optimal performance from both?

Is there a better way? What can and should be improved?

Answering my question enabled my auditors to assess the management of risks and opportunities and the related controls.

What do you think?

Try it for yourselves.

What should the Audit Committee ask the head of Internal Audit?

May 6, 2022 7 comments

In an April blog post on his new company’s web site, Richard Chambers writes about: 5 Questions the Audit Committee Should Ask Internal Audit – But Doesn’t.

It always surprises me, but perhaps it shouldn’t, that my friend and I (and we have known each other for a very, very long time) often have different views.

There are some issues on which we fiercely agree, such as the need to audit at the speed of risk. (We have both used that expression for a decade or more and written books about it. I claim, although Richard is not sure, to have used it first. But no matter, we both are ardent supporters of a continuously updated, enterprise risk-based audit plan.)

There are also areas where we disagree. For example, Richard believes strongly that the CAE should report administratively to the CEO because if he/she reports instead to the CFO that executive may try to own the function. I reported throughout my career as CAE to the audit committee and the CFO, and not once did the CFO interfere with my planning or reporting. However, I have personal experience at two different companies, one huge and one small, of a CEO owning and directing the CAE and his planning and reporting. (The first was a company that acquired mine, and the second was a company that mine acquired.)

In this blog post, there are topics that Richard suggests where I fiercely agree, and others where I disagree. No surprise.

Let’s start with where I fiercely agree.

The first and most important is his fifth question:

Based on internal audit coverage during the prior year, what is the CAE’s assessment of the overall effectiveness of the company’s internal controls and risk management?

As Richard says, this is:

…the most important question of all – the question that I often find is on virtually every audit committee member’s mind but is rarely asked. In seeking the answer to this question, the audit committee is asking the CAE to “connect the dots.”

However, I don’t accept that the CAE should ever answer the way Richard describes:

However, the committee must be prepared for an answer that it does not want to hear: that the body of internal audit’s work over the past year has not been adequate for an “unqualified” opinion or assessment on the adequacy of risk management and controls. In communicating any opinions, the CAE should be prepared to communicate qualifications based on the extent of internal audit’s coverage. If the audit committee is not comfortable with a qualified answer, then a discussion about internal audit’s resources needs to be back on the table.

No. The question is the right one. It asks for the CAE’s assessment, their assurance, based on the coverage during the year. How can any reasonable CAE say that they can’t provide an unqualified opinion? The question includes the only necessary qualifier: “based on the coverage during the year”.

As CAE, I started providing my opinion on the adequacy of internal controls to address the more significant risks more than 30 years ago! It had the necessary qualifier: it was based on the work performed. I was a member of the IIA team that developed their Practice Guide: Formulating and Expressing Internal Audit Opinions in 2009.

BUT: the audit plan was specifically designed, even back then, to address the more significant risks to the enterprise as a whole.

In other words, the audit plan was designed to deliver the necessary macro-level opinion at the end of the year!

The audit committee knew this, as did management, so there was no surprise, no question about the adequacy of coverage.

In fact, when I presented the plan for review and approval by the audit committee, I showed them what were the next most significant risks that I would not be able to address due to resource constraints.

That answered, at the beginning and not the end of the year, Richard’s excellent third question:

What are the top five risks that internal audit is not addressing due to a lack of resources or skills?

By the way, lack of skills is not an acceptable excuse, as those can be obtained by co-sourcing, the use of guest auditors, and/or training.

Moving on to Richard’s fourth question, it is again one with which I very strongly agree:

What strategies is internal audit deploying to ensure greater understanding of the business by audit staff?

My quibble is that the question should ask whether that understanding is sufficient, rather than greater.

I recently had a debate with the great Tom Peters. I first ran into him more than twenty years ago, when he started talking about WoW! Projects. I was so impressed I had each of my internal audit direct reports attend his WoW! seminars! You can see the slide deck of a presentation I made at MISTI’s SuperStrategies conference in 2001 that talks about a Wow! Internal audit department.

Have a look at slides 37 and on.

The debate with Tom (we follow each other on Twitter) was about Managing by Wandering Around (MBWA). He has been an advocate for this practice for a long time and writes about it here.

Check out the video linked in his article and ask whether you and your team are doing enough MBWA to understand the business.

MBWA is a great way of staying in touch with changes in the business (internal and external context) and changes in risks to the business so you can update the audit plan! That addresses Richard’s second question. Just remember that it is the responsibility of management to identify the risks; it is our responsibility to assess how well they do that and to make sure our audit plan is continuously updated so we audit what matters today and will matter in the future.

I suggested to Tom, and after he thought about it, he agreed that instead of MBWA, we should be talking about MBLA: managing by wandering and listening around. The focus is on listening, making sure that you are not talking more than 40% of the time.

I have not addressed Richard’s very first question:

Is internal audit following the International Standards for the Professional Practice of Internal Auditing (Standards), and what were the results of the last external quality assessment?

With all respect to Richard, The IIA, and all CIAs, I have a hard time believing that the Standards are a guide to quality auditing. There are too many issues with them (which I have shared with IIA leadership and hope they are considering as they work towards upgrading them) and adhering to the Standards is not a guarantee of excellence.

Sometimes, you need to go your own way and design an internal audit program that meets the assurance needs of the organization at that time and in your specific circumstances. I admire what Chris Keller did at Apple when he was CAE there, moving from static internal auditing per the Standards to more continuous risk and control monitoring of the various projects at the company.

So – are there questions that Richard has not included in his top five?

My top five are different and include some he did not.

  1. Based on internal audit coverage during the prior year, what is your assessment of the overall effectiveness of the company’s internal controls and risk management? (This assumes that there is a continuously updated, enterprise risk-based audit plan.)
  2. Describe your relationships with management. Is there inappropriate pressure on you to change your audit plan or your reporting? Do you get the support you need from all levels of management? Does management work with you when it comes to assessing and acting on the need for change?
  3. What, if anything, is holding you back from excellence? Are there sources of risk that you wish to address but cannot due to resource limitations – other than those we previously decided not to fund? Are you satisfied with the quality and performance of your staff?
  4. What should we and the board be focused on?
  5. How can we help you?

Somewhere in here, but I hate to remove any of the above, is the set of questions that the committee should ask around the effectiveness of the management team (individually and as a team). In my top ten is also the question of whether the external audit team is effective, including the level of communication and collaboration with internal audit.

There are just so many questions the audit committee should ask!

What have Richard and I missed?


How do you measure the performance of the Internal Audit function?

April 29, 2022 8 comments

One metric stands out when it comes to assessing the performance of the CAE and his or her team: the satisfaction of their primary customer, the audit committee of the board. Second to that, and frankly not far apart in its effects on the longevity and mental health of the CAE, is the satisfaction of the CEO, CFO, and the rest of the executive team (but especially those two execs).

Having said that, there are other metrics that are very important.

ACI Learning has shared with us their suggestions in an article you can download.

Measuring the Performance of Internal Audit Departments: Standardize measurements and align business operations with balanced scorecards has some good points.

At the same time, I disagree with some and believe others are missed.

For example, the first metrics suggested are related to time:

  • Audit announcement to when the final report is published (days)
  • End of fieldwork to when the draft report is published (days)
  • Publication of draft report to when the final report is published (days)
  • Time variance, audit plan to actual (hours)
  • Audit plan to actual (%)

As a CAE, I never measured any of these. I don’t think they are meaningful and may even lead practices in the wrong direction!

While some CAEs focus on publishing a report as soon as possible, my focus was on publishing the right, fair and balanced report that will help management and the board with actionable information, effecting the right change (if necessary) for the business.

My focus was on working with management to ensure they had the best systems, processes, organization, and controls to run the business, and to provide related assurance and insight to senior management and the board.

The next set of metrics are:

  • Number of audits planned vs. completed (number)
  • Number of audits planned vs. completed (%)

I don’t see either of these as a measure of effectiveness.

If you are using a continuously updated, enterprise risk-based audit plan, the number of audits planned is changing all the time. These metrics are only relevant when you have a rigid audit plan (typically out-of-date before it is approved by the audit committee) and when stubborn adherence to auditing what used to be a risk is considered important.

The authors don’t get to the most important metrics until page 5, when they talk about the customer. However, there is no assessment here of the satisfaction of the audit committee, not even of top management!

On the other hand, I like these:

  • Training hours per auditor
  • Management requests for audit services

There are other vital measures that are overlooked, such as:

  • Satisfaction of the internal audit staff
  • Career progression of the internal audit staff, including their being hired into management positions within the business
  • Staff retention

As a CAE with several companies over many years, I had one set of questions. I asked it of members of the audit committee individually and as a group, as well as of the CEO, CFO, and their direct reports:

  • How are we doing?
  • Are we helping you with your job?
  • What else can we do to help you?
  • What should we stop doing?
  • Do you have specific comments on what we are doing and on the members of the team?

I now ask you:

  • How should you or anybody else assess the performance of internal audit?
  • How am I doing with this blog?
  • What changes should I make?

Audits of information security or cyber may be short

April 22, 2022 3 comments

I have been involved in information security, either auditing it or being responsible for the function at a couple of financial institutions, for a very long time. To me, cyber is not separate from information security. If I were to make a distinction, information security would include not only digital information, but also hard copy reports and other information not stored electronically. But I will treat the terms interchangeably today.


Why do I say audits would be short?

Because they often were short when either I or my team of IT auditors performed them.


The first thing I do is ask for the information security risk assessment.

If they haven’t done one, it is difficult to know where we should focus our limited audit resources. I want to assess the areas where there is greater risk to the business and its success, the achievement of enterprise objectives.

It is difficult to assess whether they have adequate defenses or responses if they haven’t identified the greater sources of risk.

If they have done a risk assessment based on NIST or ISO guidance, it is usually disconnected from the achievement of business objectives and I again have a problem.

I don’t want to audit the “risk to information assets” (per NIST and ISO). I want to audit the risks to business objectives and success.

We can help management as a consulting activity understand how to perform such a risk assessment.

I wrote about this recently for EDPACS in an article that is now free to view: Making business sense of technology risk.


Where I am aware of a specific infosec risk that is critical to business success, I can target an audit.

But those are targeted audits, not an audit of all of information security.

In fact, my approach typically breaks the area up into multiple targeted audits.


I have written before about auditing what I call the information security foundation: where it reports, whether there is an acceptable risk assessment, who leads it, how it is funded, and so on.

I will do that first.

Then I will have some number of audits targeted at specific issues.


Do CAEs pay enough attention to cyber and information security?

I think they do, although every year there are complaints that CAEs don’t have the resources necessary.

My thinking is:

  1. The CAE’s risk assessment should identify what they need to audit, including cyber-related audits
  2. That assessment should be shared with the audit committee of the board
  3. Where possible, the CAE should have sufficient internal resources to perform the necessary audits
  4. Where internal resources are not available, the CAE should engage external resources, such as from a consulting firm
  5. If the budget does not permit the funding of high priority audits, that should be a matter for discussion with the audit committee, and they will have the last word.

In his April 6th blog post, my good friend Richard Chambers said:

[The IIA’s Pulse of Internal Audit] reports that 85% of respondents rate “cybersecurity” as a high or very high risk, but it only accounts for 11% of internal audit plans. Allocation of resources to cyber risks is lower than to compliance and regulatory risks, operational risks, and internal controls over financial reporting (SOX).

He sees this as a problem, an alarm bell. I don’t.

11% of internal audit resources is a HUGE amount!

When you consider all the risks to business success these days, and the fact that the typical breach costs far less than people think, 11% may be appropriate. It might be too little, but it is more likely to be too much than too little!

If CAEs are following a true enterprise-risk based approach, I will trust them to be focusing on the highest risks to the enterprise, such as:

  • The loss of critical employees, particularly those with strong connections to customers, those who drive product development, the leaders who inspire other employees, and the ones who perform critical controls
  • Supply-chain risks in the midst of political upheaval
  • The ability to leverage new technology and not fall behind competitors
  • The potential for a downturn in the economy
  • Compliance with new sanctions and other regulations
  • The return on investment from marketing and sales initiatives
  • Developing staff when they are remote
  • And so on


The main point is that in the absence of an adequate, business-focused cyber risk assessment, knowing what cyber related audits to perform is difficult.

How do you audit what matters to the organization when those responsible for running the organization haven’t figured that out?

Remember, there’s a huge disconnect between information security leaders (CISOs) and top management (including the board) when it comes to agreeing on how much resource to allocate to infosec.


I welcome your thoughts.


By the way, I will be speaking at an upcoming virtual conference in May, the Transforming Your Audit Summit 2022. The list of speakers is impressive!

Where should internal audit report?

April 18, 2022 4 comments

This is a touchy subject.

While there is very little debate that the head of internal audit, the chief audit executive or CAE, should report functionally to the board (usually the audit committee of the board), there are some strong opinions on to whom the CAE should report for administrative purposes.

This is what the IIA’s Standards have to say (with my emphasis):

1110 – Organizational Independence

The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.


Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:

  • Approving the internal audit charter.
  • Approving the risk-based internal audit plan.
  • Approving the internal audit budget and resource plan.
  • Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters.
  • Approving decisions regarding the appointment and removal of the chief audit executive.
  • Approving the remuneration of the chief audit executive.
  • Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

1110.A1 – The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. The chief audit executive must disclose such interference to the board and discuss the implications.

The Standards do not discuss what is included in administrative reporting. This is what I believe is included:

  • Reviewing and approving the expenses of the CAE
  • Performing other administrative functions that may be required by organizational policy. These vary from organization to organization but may include the approval of purchase orders that exceed the CAE’s authority level, approval of travel, and so on.

There’s little else that I can think of today.

It is customary for the CAE to be able to attend the meetings of the executive’s direct reports.

It is also customary, but not always a given, that the executive will be a supporter and champion of internal audit.

The CAE’s cost center may or may not roll up to that of the executive.


Somebody has to perform these administrative functions, and it is unrealistic (with rare exceptions) to expect the chair of the audit committee to do them.

The debate is whether the CAE should report administratively to the CEO, the CFO, or another senior executive.

While it is possible for the CAE to report for administrative purposes at a lower level, for example to the Corporate Controller, this will generally create a perception that the CAE is middle management at best – rather than the senior executive he or she really is (or should be).


Some years ago, the IIA stated its preference (my guess is that this was influenced by its CEO) that the administrative reporting should be to the CEO.

Richard Chambers repeated his strong preference for that in a recent post, New Surveys Raise Alarm Bells for Internal Audit. He tells us:

One of the most jaw-dropping statistics in the IIA’s recent 2022 North American Pulse of Internal Audit report is that 76% of CAEs at publicly traded companies say they work administratively for the CFO! I have never been shy about sharing my views on this reporting relationship. While many CFOs fully respect the need for internal audit to remain independent, and for internal auditors to be objective, the optics indicate that CFOs who “own” internal audit are more likely to use the function to focus on their own priorities. Even more alarming is that only 4% of respondents are concerned about reporting lines. That is, by and large, a uniquely American problem, and fortunately it isn’t widespread in either the public or not-for-profit sectors. But the number of internal audit functions reporting to the CEO in publicly traded companies appears to be retreating. That is not a good development.

He has strong views on this and so do I.

It could be that his many years as CAE in government service influenced his position. My many years as CAE in US and global corporations led me to a totally different position.

First, administrative reporting does not confer, in any way, “ownership” of internal audit.

Second, I have seen CAEs who report administratively to the CEO forced to work on special projects for the CEO, even to the point of being sent to fire non-performing executives! In other words, the CEO thought he owned internal audit.

Third, the CEO is a busy individual and asking him or her to spend their valuable time on administrative duties like approving expense reports is absurd. In practice, the CEO will delegate those responsibilities to the CFO (at best) or an assistant (at worst, but more likely).

Fourth, you can report to the CFO and have free access to the CEO.

Fifth and extremely important, you are far more likely to be included in the CFO’s executive staff meetings than the CEO’s, even if you report administratively to the CEO. In fact, reporting to the CEO may make it harder to attend the CFO’s meetings. These meetings are very valuable sources of information about the strategies and activities of the organization.

Finally, the fact that 96% of CAEs are content with their administrative reporting should tell us something. These are smart people, and their opinion should be respected as being based on reality. Reporting to the CFO satisfies the intent of Standard 1110: “The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.”


Should the CAE report administratively to another senior executive?

This will depend on the organization and on the individual executive.

I can see a case being made for reporting to one of these people:

  • Chief Administrative Officer
  • Chief Operating Officer
  • General Counsel

I am not a fan of the CAE reporting to a specialist CRO with whom there may be conflict over the assessment of control deficiencies and the risk they represent.


Whoever the CAE reports to administratively must respect the fact that the reporting is purely administrative, they do not own internal audit, and their role is limited.


How does the CAE make this happen?

That is covered by Standard 1000: Purpose, Authority, and Responsibility.

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.


The internal audit charter is a formal document that defines the internal audit activity’s purpose, authority, and responsibility. The internal audit charter establishes the internal audit activity’s position within the organization, including the nature of the chief audit executive’s functional reporting relationship with the board; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board.

The value of the Charter is not that the CAE can brandish its authority when management doesn’t allow internal audit necessary access to information, etc.

The value is that it is discussed and reviewed by the board or its audit committee. That activity instructs whoever is administratively supporting the CAE where the boundaries of their role lie.


What do you think?


By the way, I am not commenting today on the other alarm bells that Richard says are ringing except to say that I disagree on SOX and do not agree with his logic on cyber. (I would point you to an IIA webinar we did together, but the IIA has removed it for some reason. In it, he agreed with my position that IA delivers great value if it is given the necessary resources to fulfil its primary mission as well as test controls for SOX.)