Archive

Posts Tagged ‘SOX’

Cyber and reputation risk are dominoes

February 18, 2017 12 comments

Anthony Fitzsimmons recently sent me a review copy of his new book, Rethinking Reputation Risk. He says that it “Provides a new perspective on the true nature of reputational risk and damage to organizations and traces its root causes in individual and collective human behavior”.

I am not sure that there is much that is new in the book, but if you want to understand how human behavior can be the root cause (in fact, it is very often the root cause) of problems for any organization, you may find it of interest.

The authors (Fitsimmons and Professor Derek Atkins) describe several case studies where human failures led to serious issues.

Humans as a root cause is also a topic I cover in World-Class Risk Management.

As I was reading the book, I realized that I have a problem with organizations placing separate attention to reputation risk and its management. It’s simply an element, which should not be overlooked, in how any organization manages risk – or, I should say, how it considers what might happen in its decision-making activities.

The same thing applies to cyber risk and even compliance risk.

They are all dominoes.

dominoes

A case study:

  • There is a possibility that the manager in HR that recruits IT specialists leaves.
  • The position is open for three months before an individual is hired.
  • An open position for an IT specialist who is responsible for patching a number of systems is not filled for three months.
  • A system vulnerability remains open because there is nobody to apply a vendor’s patch.
  • A hacker obtains entry. CYBER RISK
  • The hacker steals personal information on thousands of customers.
  • The information is posted on the Internet.
  • Customers are alarmed. REPUTATION RISK
  • Sales drop.
  • The company fails to meet analyst expectations for earnings.
  • The price for the company’s shares drop 20%.
  • The CEO decides to slash budgets and headcounts by 10% across the board.
  • Individuals in Quality are laid off.
  • Materials are not thoroughly inspected.
  • Defective materials are used in production.
  • Scrap rates rise, but not all defective products are detected and some are shipped to customers.
  • Customers complain, return products and demand compensation. REPUTATION RISK
  • Sales drop, earnings targets are missed again, and …….
  • At the same time as the Quality staff is downsized, the capital expenditure budget is cut.
  • The Information Security Officer’s request for analytics to detect hackers who breach the company’s defenses is turned down.
  • Multiple breaches are not detected. CYBER RISK
  • Hackers steal the company’s trade secrets.
  • Competitors acquire the trade secrets and are able to erode any edge the company may have.
  • The company’s REPUTATION for a technology edge disappears. REPUTATION RISK
  • Sales drop. Earnings targets are not achieved, and……..

It is true that every domino and the source of risk to its stability (what might happen) needs to be addressed.

But, focusing on one or two dominoes in the chain is unlikely to prevent serious issues.

One decision at a low level in the company can have a domino effect.

Consider this slide deck by ERM Strategies, Inc. about the Deep Water Horizon disaster.

I welcome your comments.

Advertisements

A new front opens in the SOX battle

November 20, 2016 Leave a comment

One of the issues that I address in my SOX Master Classes (the next one is in February) has come of age.

I am talking about the certification signed by the CEO and CFO and included in the quarterly filing with the SEC – the one required by Section 302 of the Sarbanes-Oxley Act.

The issue is this:

  • The CEO and CFO are required by law to assess the state of internal control over financial reporting (and disclosure control) every quarter and report whether or not it is effective as of the date of the quarterly filing.
  • For their own as well as the company’s protection, they need to have a reasonable basis for that assessment.
  • Tests of internal control over financial reporting are typically spread over the year. Some perform tests in every quarter; some during at least a couple of quarters; and few limit their testing to the fourth quarter.
  • Deficiencies in the controls are identified during that testing.
  • Those deficiencies may be assessed as potential material weaknesses if not corrected and retested prior to the end of the year.
  • As a result, potential material weakness frequently not only exist but are known to exist at the time that the CEO and CFO are required to assess and certify internal control over financial reporting.
  • But, for whatever reason, these potential material weaknesses either are not reported to the CEO and CFO (which fails one of the Section 302 requirements: they have to certify that they know about control issues) or are ignored.
  • The CEO and CFO may certify that the systems of internal control and disclosure controls are adequate when they are not.

This is what I have to say in Management’s Guide to Sarbanes-Oxley Section 404: Maximize Value Within Your Organization:

In the past, most CEOs and chief financial officers (CFOs) have signed their annual and quarterly certifications—which are included in the financial statements filed with the SEC on Form 10-Q and required by Section 302 of Sarbanes-Oxley—without a rigorous examination of internal controls. Ideally, management has integrated the quarterly and annual assessment processes. Although management is not required to test all its key controls every quarter, it should perform some degree of testing each quarter to support the quarterly Section 302 certification. At a minimum, the Section 302 certification process should include a consideration of the status of the Sarbanes-Oxley project, the results of testing, the severity of any identified control deficiencies, and management’s corrective action plans.

When I was writing the book, I talked to the SEC about this issue. They said that they understood it but it was not a priority at that time.

Well “the times, they are a-changing”.

This recently appeared on the CFO magazine web site in an article on SEC Focuses on Internal Control by a former chief accountant of the SEC’s Division of Enforcement. In the middle of the article is this section:

Specific issues that investigators have been addressing include whether a material weakness: (1) existed in a reporting period before a restatement; (2) was adequately described as to scope; (3) existed, even if there was no material error; and (4) existed in connection with controls and procedures for disclosure, or in connection with 302 certification processes.

In the book and in the class, I recommend that management and the SOX PMO consider how the results of testing during earlier quarters are incorporated into the Section 302 certification process.

For example, is the SOX PMO (or equivalent) included in the disclosure review process?

When potential material weaknesses are discovered during SOX or internal audit testing, my suggestion is to review the issue with the legal function. They can advise the CEO and CFO whether this should be disclosed as part of the Section 302 certification.

This new front is clearly starting to open.

Don’t let it pull you under.

I welcome your comments.

Lessons Learned from the Transition to COSO 2013

May 3, 2015 5 comments

Protiviti has shared with us a useful Top 10 Lessons Learned from Implementing COSO 2013.

I especially like this section:

It is presumed that everyone understands that a top-down, risk-based approach remains applicable to Section 404 compliance, and the transition to the 2013 updated Framework does not affect this. While we don’t list this as a lesson, we could have, because some companies either forgot or neglected to apply this approach when setting the scope and objectives for using the Framework. As a result, they went overboard with their controls documentation and testing. We can’t stress enough that the COSO 2013 Framework did not change the essence of, and the need for, a top-down, risk-based approach in complying with SOX Section 404.

The report has a number of excellent pieces of advice. However, I wouldn’t be me if I didn’t have points of disagreement.

The first is on mapping. It is NOT necessary to map all your controls to the principles. If we take principle 10, for example, it states “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels”. Rather than map all your control activities to this principle (or to principle 11, which is the same – just for IT general controls), the organization needs to identify the control(s) it relies on for its assessment that the principles are present and functioning[1]. For principles 10 and 11, that will be the SOX scoping exercise. For the principle on fraud, the control that should be identified is the fraud risk assessment, not every control relied on to detect or prevent fraud.

Then there is the assertion that indirect controls are the same as entity-level controls. COSO (both 1992 and 2013) tell us, correctly, that activities in each of its components may operate at any level within the organization. For example, let’s say that an account analysis is prepared by Corporate Finance as part of the period-end close. This entity-level control may operate with sufficient precision to be relied upon to detect a material error or omission in that account. But the entity-level control is a direct control, not an indirect control. (A direct control can be relied upon to prevent or detect an error. An indirect control is one that serves to increase or decrease the likelihood that other, direct, controls will function effectively. Hiring, integrity, oversight by the board – these are indirect controls where a defect would increase the likelihood that affected direct controls would fail.)

Another example that helps us understand the difference is the hiring process (related to principle 4, in the Control Environment). The hiring process most often is at a lower level than the entity-level, often as deep as the activity level as that is where most hiring managers reside. Controls in the hiring process in this situation are activity level (or what I call ‘intermediate level’ controls, operating at a location or business unit rather than either the top or the bottom of the organization) and are indirect controls.

I could quibble with one or two more points, but I don’t want to detract from the report. I want, instead, to encourage you to read and discuss it.

What do you think?

What additional lessons have you learned?

[1] Full credit for this wording goes to the E&Y national office, who used it in a conversation I had with them about the firm’s training of its audit staff.

The most important sentence in COSO

April 25, 2015 13 comments

In my opinion, one sentence stands out, whether you are looking at the COSO Internal Control – Integrated Framework (2013 version) or the COSO Enterprise Risk Management – Integrated Framework.

That sentence is:

An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories.

The sentence is important because it emphasizes the fact that the purpose of controls is to address risk, and that you have ‘enough’ control when risk is at desired levels.

To me, this means that:

  1. Before you assess the effectiveness of internal control, you need to know your objective(s), because we are talking about risk to objectives – not risk out of context
  2. You need to know the risk to those objectives
  3. You need to know what is an acceptable level of risk for each objective, and
  4. You need to be able to assess whether the controls provide reasonable assurance that risk is at acceptable levels

You may ask “where is that sentence?”, because when consultants (and even COSO and IIA) make presentations on COSO 2013 and effective internal control, all you hear about are the principles and components.

In fact, anybody who reads COSO 2013 should have no difficulty finding this most important sentence. It’s in the section headed “Requirements for Effective Internal Control”.

This is how that section starts:

An effective system of internal control provides reasonable assurance regarding achievement of an entity’s objectives. Because internal control is relevant both to the entity and its subunits, an effective system of internal control may relate to a specific part of the organizational structure. An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories. It requires that:

  • Each of the five components of internal control and relevant principles are present and functioning
  • The five components are operating together in an integrated manner

There is no mention of satisfying the requirement that the “components and relevant principles are present and functioning” until after the reference to risk being at acceptable levels.

In fact, I believe – and I know of at least one prominent COSO leader agrees – that assessing the presence and functioning of the components and principles is secondary, provided to help with the assessment.

Let’s have a look at the very next paragraph in the section:

When a major deficiency exists with respect to the presence and functioning of a component or relevant principle or in terms of the components operating together, the organization cannot conclude that it has met the requirements for an effective system of internal control.

When you look at this with the (COSO) risk lens, this translates to the ability to assess internal control as effective, and the principles and components as present and functioning, as long as there is no deficiency in internal control that is rated as “major”.

How does COSO determine whether a deficiency is “major”? That can be found in the section, “Deficiencies in Internal Control”.

An internal control deficiency or combination of deficiencies that is severe enough to adversely affect the likelihood that the entity can achieve its objectives is referred to as a “major deficiency”.

Let’s translate this as well:

  1. If the likelihood of achieving objective(s) is “severe”, then the risk is outside acceptable levels.
  2. If the risk is outside acceptable levels, not only should the related component(s) or principle(s) not be assessed as present and functioning, but internal control is not considered effective.
  3. When it comes to SOX compliance, a “major deficiency” translates to a “material weakness”. The objective for SOX is to file financial statements with the SEC that are free of material error or omission. The acceptable level of risk is where the likelihood of a material error or omission is less than reasonably possible.
  4. That means that if the deficiency is less than “major” (or “material” for SOX purposes), then the related component(s) or principle(s) can be assessed as present and functioning – and internal control can be assessed as effective.

So, the only way to assess whether the principles and components are present and functioning is to determine whether the risk to objectives (after considering any related control deficiency) is at acceptable levels.

Do you see what I mean?

Risk is at the core. Assessing the presence and functioning of components or principles without first understanding what is an acceptable level of risk to objectives is misunderstanding COSO!

Why are so many blind to this most important sentence?

I have a theory: the presentations were all prepared based on the Exposure Draft. That document failed to reference the requirement that internal control be designed to bring risk within acceptable levels. (The defect was fixed after comments were received on the issue.)

Do you have a better theory?

Can you explain the blindness of so many to the most important sentence in the entire Framework?

Why Internal Audit Fails at Many Organizations

December 6, 2014 29 comments

When recent studies by KPMG and PwC indicate that about half of internal audit’s key stakeholders (board members and top executives) do not believe that internal audit is neither delivering the value it should nor addressing the risks that matter, we have to recognize that internal auditing is failing at many organizations.

With that in mind, a recent PwC publication in its Audit Committee Excellence series, Achieving Excellence: Overseeing internal audit, merits our attention.

My opinion is that while the audit committee members may be assessing internal audit performance as ‘needs improvement’, they should be looking in the mirror. Internal audit reports to them; if it is not performing to their satisfaction, they are either failing to communicate expectations clearly, not demanding the necessary improvements, not providing the critical support they need when management is pulling them in a different direction, not taking actions (such as replacing the CAE) to effect change, or all of the above.

Audit committee members need guidance and while the IIA does provide some excellent insights from time to time, the audit firms’ publications are often one of the first that are read.

The PwC publication makes some very good points but unfortunately demonstrates a limited understanding of internal audit best practices. This could be because it was written by their governance team rather than by their internal audit services leaders. (PwC’s internal audit services arm has produced not only good guidance from time to time (including their State of the Internal Audit Profession series), but some excellent thoughts leaders (including the IIA CEO, Richard Chambers).)

Let’s look at what they did well:

“A priority for the audit committee should be empowering the internal audit organization by providing visible support.”

This is an excellent point and PwC describes it well. The audit committee should actively engage internal audit and by showing its respect for the CAE and his team promote respect by management.

“Sometimes internal audit crafts an annual plan that leverages its group’s capabilities rather than addressing the company’s key risks. Audit committees will want to be on the lookout for this.”

Another fine point. The audit committee should take responsibility for ensuring that internal audit addresses the risks that matter to the organization.

“Understand whether resource constraints (e.g., restrictions on travel budgets or the ability to source technical skills) have an impact on the scope of what internal audit plans to do. If the impact of any restrictions concerns the audit committee, take steps to help internal audit get the resources it needs.”

The audit committee should ensure that internal audit has an appropriate level of resources, sufficient to provide quality insight and foresight on the risks that matter now and will matter in the near future.

“Audit committees should determine if they are accepting a sub-excellent level of performance and competence in a CAE (and internal audit function) that it wouldn’t be willing to accept for a CFO (or other key role).”

If the CAE is not considered as critical to the success of the audit committee, something is wrong and the audit committee should take action – even if, perhaps especially if, management holds the CAE in high regard while he delivers little of value to the audit committee.

Periodically discuss whether the amount and type of information internal audit reports to the committee is appropriate.

While this is an essential activity, PwC doesn’t get the issue right. The audit committee should ensure it receives the information it needs to perform its responsibilities for governance and oversight of management. That is not a simple matter, as PwC implies, of being succinct in how the CAE presents audit findings.

What did they miss?

  1. The audit committee should ensure that all the risks that matter now and will matter in the near future are getting the appropriate level of attention from internal audit.
  2. The audit committee should challenge any audit activity that is not designed to address a risk that matters.
  3. The audit committee should take a very strong stance that internal audit reports to them and serves their needs first, not those of management. The PwC paper identifies two reporting lines but is wish-washy on the subject, only saying that “Directors and management should reach consensus on which areas should be internal audit priorities.”
  4. The audit committee should challenge internal audit on how they work with the risk management activity. Where it exists, are they assessing its effectiveness? Are they working effectively with risk management? Do they leverage management’s assessment of risk appropriately?
  5. The audit committee should be concerned about the CAE’s objectivity and independence from undue management influence. Does he have one eye on internal audit and the other eye on his next position within the company?
  6. The audit committee should also ensure that it has an appropriate role in the hiring, performance assessment, compensation, and (where necessary) firing of the CAE.
  7. Finally, but in many ways most importantly, the audit committee should require that the CAE provide them with a formal assessment of the company’s management of risks and the effectiveness of related internal controls.

The publication makes some technical mistakes because the authors are not internal audit practitioners. Can you spot them?

That’s my challenge to you – in addition to welcoming your comments.

The effective audit committee

November 22, 2014 7 comments

A short article in CGMA Magazine, Ingredients of an effective audit committee, caught my eye. I recommend reading it.

I think there are some key ingredients to an effective audit committee that are often overlooked. They include:

  1. The members have to read all the material for the audit committee meeting before the meeting. It’s amazing how often they don’t, which reduces the meeting to absorbing the material rather than a constructive discussion of its implications.
  2. The members have to be ready, willing, and able to constructively challenge all the other participants, including the external and internal auditors as well as financial, operating, and executive management. Too often, they are deferent to the external auditor (for reasons that escape me) and too anxious to be collegial to challenge senior management.
  3. They need a sufficient understanding of the business, its external context (including competitors and the regulatory environment), its strategies and objectives, risks to the achievement of its objectives, and the fundamentals of risk management and financial reporting, to ask the right questions. They don’t need to have a deep understanding if they are willing to use their common sense.
  4. They need to be willing to ask a silly question.
  5. They need to persevere until they get a common sense response.
  6. No board or committee of the board can be effective if they don’t receive the information they need when they need it. I am frustrated when I read surveys that say they don’t receive the information they need – they should be demanding it and accepting no excuses when management is slow to respond.
  7. Audit committee members will not be effective if they are only present and functioning at quarterly meetings. They need to be monitoring and asking questions far more often, as they see or suspect changes that might affect the organization and their oversight responsibilities.

What do you think?

I welcome your comments.

A Rant about the GRC Pundit’s Rant

April 18, 2014 24 comments

Michael Rasmussen, a.k.a. the GRC Pundit, is a friend whose intellect, integrity, and insights I respect. He and I, together with another friend, Brian Barnier, were the first three to be honored as OCEG Fellows for our thought leadership around GRC.

Michael and I have had many a debate on the topic of GRC. Michael brings the perspective of an analyst that works with many companies, helping them select and implement software solutions. That is his business: he refers to himself (GRC 20/20 Research, LLC) as a “buyer advocate; solution strategist; and market evangelist”. His latest blog, GRC Analyst Rant: Throwing Down the GRC Analyst Gauntlet, inspired me to write this one.

My background is very different, having been a practitioner and executive responsible for many of the business activities he supports – in other words, I might have been one of his customers. My focus is on helping business run better – and that frequently but not always involves the judicious use of technology.

Michael and I agree on a number of points, disagree on others. For example, I believe he and I agree that:

  • The term ‘GRC’ is one that is interpreted in many ways.
    • When I ask practitioners within a company what they mean when they use the term, most say it stands for ‘governance, risk, and compliance’ but cannot explain why anybody would use that term to describe the totality implied by the expression; they may wave their hands in the air and say “what does GRC mean? You know…. it means GRC”. They cannot explain why they don’t refer to governance, or governance and risk management, or risk management and compliance. Sometimes they talk as if GRC is something in the air, something related to the culture of the organization as much as anything else.
    • When I ask people at the IIA, they say it stands for ‘governance, risk, and controls’; in other words, the totality of what internal auditors work on. I don’t personally see anything new in this, nor any value in using the term. In fact, using it with ‘controls’ instead of the more usage of ‘compliance’ is only going to confuse.
    • When I talk to software vendors, they either describe their software solutions (as if GRC is technology) or describe the business solutions that their technology supports.
    • When I read papers from consultants, I find that if I substitute the phrase ‘risk management’ every time they say ‘GRC’, the piece makes more sense. In other words, they are usually talking about risk management but for some reason (some would say to hype the discussion) they use the term GRC instead.
    • When I talk to the people at OCEG and those who follow OCEG and its definition of GRC, they use a definition that makes more sense. That definition adds value by emphasizing the needs for all parts of the organization to work together.
  • GRC is not about technology. It is about (as I said last year) “how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values)”.
  • The key to optimizing outcomes is to for management (with board approval) to set the appropriate strategies, objectives, and goals, and then everything flows from there: managing risks to strategies, managing performance against strategies, and acting with integrity (which includes compliance with applicable laws and regulations) at all times.
  • No technology vendor (not even SAP and Oracle, who have the greatest breadth and depth of solutions IMHO) has a complete solution that addresses all GRC needs. The last time I said that, in a September post, several vendors wrote to tell me they had everything. But, they simply didn’t. They have everything that they chose to call GRC, but none included strategy management, support for governance activities like board packages and whistleblower lines, risk management including automated and integrated key risk indicators, compliance training and monitoring, performance management, legal case management, and so on.
  • The analysts like Gartner and Forrester have a business model where they need to define technology using buckets. But those buckets do not reflect what individual companies actually need, so their analyses and ratings may be interesting but may well steer organizations to acquire solutions (such as a so-called ‘EGRC platform’) that are not the best use of scarce resources. I would not advise any organization to base their purchase decision on an analyst rating of ‘GRC’, ‘EGRC’ or other made-up bucket of fish.

Where I believe we differ is that I do not advocate the use of the term ‘GRC’.

As I inferred, if not explicitly stated in my post last November, I believe that if the term ‘GRC’ is not dead (and apparently it lingers on), then it should be put to death.

I do not see the value in business people talking about GRC. I have said before and will say again, managers should look to fixing the processes they know need work.

For example, few organizations have effective processes for developing strategies and objectives at the corporate level, cascading them down throughout the organization so every individual knows what they need to do if the organization is to succeed, and minimizing individual objectives that are not clearly necessary to corporate achievement –then rewarding individuals, at least in part, for performance against those cascaded objectives. I have worked at several organizations where we were told what the corporate objectives were and asked to link our personal objectives to them. That is not the same thing. That is tying our personal objectives onto a branch of the corporate objectives, rather than making sure that all the roots of that corporate objective tree are healthy – even when we should be responsible for the health of a root or two.

Another example is the effectiveness of risk management. Most organizations practice enterprise list management at best (i.e., they manage a limited number of risks on a periodic basis), when mature risk management that is dynamic, iterative, and responsive to change, integrated into decision-making at all levels of the organization and into every aspect of daily operations, is essential to success.

Does using the term ‘GRC’ mean anything useful for internal auditors? No. They should continue to “up their game” from a focus on controls and risks that matter to operating management, to providing assurance and insight on organizational governance and risk management.

Effective GRC for OCEG means the integration, among other things, of strategy and risk management. But how many organizations do that well? How many executives receive and manage their area using an integrated report or dashboard that shows for each of their strategies both the current level of performance and the current state of related risks? How many executives see that not only have they accelerated up to the desired level of 100kph but are less than 100m from hitting a brick wall?

So here’s my recommendation to all: stop talking about GRC and start talking the language of the business. Let’s talk about how we can increase value to stakeholders, address potential obstacles and seize opportunities to excel, act with integrity and remain in compliance with current and anticipated regulations, and manage the organization to success.

Don’t try to fix GRC. Fix those parts of the business, those business processes, that are broken.

Good Riddance grC.

I welcome your comments.