Posts Tagged ‘SOX’

New Paper on Risk Assessment and the Audit Plan

March 15, 2014 14 comments

One of the software vendors that have been providing solutions for internal auditors for many years is Thomson Reuters. With annual revenues of nearly $13 billion, they are one of the few large software companies in this space. So when they speak, I tend to pay attention.

Thomson Reuters recently published a paper written by a former senior manager with E&Y. Entitled “Get Your Internal Audit Risk Assessment Right This Year” (registration required), the paper purports to share best practices for internal audit risk assessment.

Unfortunately, it fails to deliver on that promise.

While it includes some useful guidance for the discussions every internal audit team should have with management, it barely touches the surface of the issue.

I do agree with this statement: “the Internal Audit Risk Assessment presents an oft-missed opportunity for internal auditors to understand their organization’s evolving objectives and implement a more dynamic risk-based approach to the internal audit process.”

The last sentence in the report starts to get to the real point: “With no sign of the pace of changes affecting your organization slowing down, internal audit’s risk assessment must be dynamic, not static, and needs to be improved from year to year, using a top down approach, beginning with management interviews and input.”

Here are the two main problems with that last sentence:

  1. The internal audit assessment of risk and updating of the internal audit plan should be far more frequent than the annual cycle implied by the report. Many departments are moving to a quarterly update, and best practice (in my opinion and which I personally followed) is a rolling quarterly plan that is updated as often as the risks change.
  2. While management interviews and input are useful, they are hardly the best place to start. The internal audit team should understand whether and how the organization as a whole has identified the more significant risks to the achievement of its objectives. While not clearly stated in this report, I will give credit to the author for understanding that internal audit should focus on risks to the organization as a whole, and not risks to a location, business unit, or process. However, the organization’s risk management program is not mentioned as a source of information that drives, at least in part, the audit plan! It is also essential that internal audit has a deep understanding of the business, its processes, systems, and organization, sufficient to challenge management’s assessment of risk – or to make its own assessment when there is no ERM in place.

My recommendation: read the report for tips on how to interview management. But, go into that set of discussions with either the organization’s risk ‘register’ or another document that can drive a discussion about which are the risks to the organization that matter – and where the assurance and consulting/advisory services provided by internal audit can be of value. (I have shared a number of files on Box, including a Risk Universe slide you may find useful. Please go to this tab on my web site to download.)

Ask yourself this: do your internal audit plan and the process around it ensure that appropriate engagements are performed on the risks that matter to the organization, when that assurance or advisory service is needed?


Risk Officers on the Front Lines of the Big Data Analytics Revolution

March 8, 2014 4 comments

I was intrigued to read that when McKinsey gathered together “eight executives from companies that are leaders in data analytics …. to share perspectives on their biggest challenges”, they included not only chief information officers and marketing executives, but the chief risk officer from American Express.

The McKinsey Quarterly report that reviews the discussion doesn’t have any ground-breaking revelations. They say what has been said before, although it is still important for all of us to understand the enormous potential of Big Data Analytics.

One key point is that the existence of Big Data by itself has very limited value. It’s the ability to use emerging technology (from companies like SAP, Oracle, and IBM) to not only mine the data but deliver insights at blinding speed (using in-memory technology) that will bring amazing results.

But I was looking for more, which I explain after these quotes.

Big-data analytics are delivering an economic impact in the organization… The reality of where and how data analytics can improve performance varies dramatically by company and industry.

Companies need to operate along two horizons: capturing quick wins to build momentum while keeping sight of longer-term, ground-breaking applications. Although, as one executive noted, “We carefully measure our near-term impact and generate internal ‘buzz’ around these results,” there was also a strong belief in the room that the journey crosses several horizons. “We are just seeing the tip of the iceberg,” said one participant. Many believed that the real prize lies in reimagining existing businesses or launching entirely new ones based on the data companies possess.

New opportunities will continue to open up. For example, there was a growing awareness, among participants, of the potential of tapping swelling reservoirs of external data—sometimes known as open data—and combining them with existing proprietary data to improve models and business outcomes.

Privacy has become the third rail in the public discussion of big data, as media accounts have rightly pointed out excesses in some data-gathering methods. Little wonder that consumer wariness has risen.

Our panelists presume that in the data-collection arena, the motives of companies are good and organizations will act responsibly. But they must earn this trust continually; recovering from a single privacy breach or misjudgment could take years. Installing internal practices that reinforce good data stewardship, while also communicating the benefits of data analytics to customers, is of paramount importance. In the words of one participant: “Consumers will trust companies that are true to their value proposition. If we focus on delivering that, consumers will be delighted. If we stray, we’re in problem territory.”

To catalyze analytics efforts, nearly every company was using a center of excellence, which works with businesses to develop and deploy analytics rapidly. Most often, it includes data scientists, business specialists, and tool developers. Companies are establishing these centers in part because business leaders need the help. Centers of excellence also boost the organization-wide impact of the scarce translator talent described above. They can even help attract and retain talent: at their best, centers are hotbeds of learning and innovation as teams share ideas on how to construct robust data sets, build powerful models, and translate them into valuable business tools.

What I was disappointed in was a lack of reference to how Big Data Analytics could and should be a fantastic opportunity for risk officers and internal audit executives.

All practitioners should be familiar with the concept of Key Risk Indicators (KRI). A useful paper by COSO defines KRI:

“Key risk indicators are metrics used by organizations to provide an early signal of increasing [ndm: they should have said ‘changing’] risk exposures in various areas of the enterprise. In some instances, they may represent key ratios that management throughout the organization track as indicators of evolving risks, and potential opportunities, which signal the need for actions that need to be taken. Others may be more elaborate and involve the aggregation of several individual risk indicators into a multi-dimensional score about emerging events that may lead to new risks or opportunities.”

Some vendors (including MetricStream, IBM, and SAP) are showing us the way in which Big Data Analytics can be used to produce KRIs that are more powerful and insightful than ever before.

However, I am not convinced that practitioners are seizing the opportunity.

I fear that they are concerned about the risks as their organizations embrace Big Data Analytics to drive performance while remaining blind to the opportunity to develop KRIs so that business executives can take the right risks.

I would appreciate your views. Is it a matter of cost? Or are they simply unaware of the potential?

Questions for the Audit Committee to ask the External Auditors in early 2014

February 15, 2014 4 comments

The Audit Committee of the Board (or equivalent) is responsible for oversight of the external auditors’ work. This should include taking reasonable measures to ensure a quality audit on which the board and stakeholders can place reliance. As a second priority, it should also include ensuring that the audit work is efficient and does not result in unnecessary disruption or cost to the business.

Audit Committees around the world should be concerned by the findings of the regulators who audit the firms in the US (the Public Company Accounting Oversight Board, or PCAOB). They examine a sample of the audits by the firms of public companies’ financial statements and system of internal control over financial reporting. A report is published for each firm and an overall report is also published every few years.

In their October 24, 2013 Staff Alert, the PCAOB highlighted “deficiencies [they] observed in audits of internal control over financial reporting”. They reported that “firms failed to obtain sufficient audit evidence to support their opinions on the effectiveness of internal control due to one or more deficiencies”. In addition, in a large majority of the audits where there were such deficiencies, “the firm also failed to obtain sufficient appropriate evidence to support its opinion on the financial statements”.

While the Staff Alert is intended to help the firms understand and correct deficiencies, it also calls for action by the Audit Committee of each registrant:

“Audit committees of public companies for which audits of internal control are conducted may want to take note of this alert. Audit committees may want to discuss with their auditor the level of auditing deficiencies in this area identified in their auditor’s internal inspections and PCAOB inspections, request information from their auditor about potential root causes, and inquire how their auditor is responding to these matters.”

In a related matter, COSO released an update last year to its venerable Internal Control – Integrated Framework. It includes a discussion of 17 Principles and related Points of Focus. Reportedly, the audit firms and consultants are developing checklists that require management to demonstrate, with suitable evidence, that all the Principles (and in some cases the Points of Focus) are present and functioning. This ignores the fact that COSO has publicly stated that their framework remains risk-based and they never intended nor desired that anybody make a checklist out of the Principles.

Of note is the fact that the PCAOB and SEC have not changed their auditing standards and guidance. They continue, as emphasized in the PCAOB Staff Alert, to require a risk-based and top-down approach to the assessment of internal control over financial reporting.

However, the checklist approach does not consider whether a failure to have any of these Principles or Points of Focus present and functioning represents a risk to the financial statements that would be material.

In other words, blind completion of the checklist is contrary to PCAOB and SEC guidance that the assessment be risk-based and top-down.

With that in mind, I suggest the members of the Audit Committee consider asking their lead audit partner these seven questions at their next meeting. An early discussion is essential if a quality audit is to be performed without unnecessary work and expense to the company.

1. Was your audit of our company’s financial statements and system of internal control reviewed by the PCAOB? If so:

  • For which year was it reviewed?
  • Did the Examiners report anything they considered a deficiency?
    • How significant did they believe it was?
    • Do you agree with their assessment? If not, why not?
    • What actions have been taken to correct that deficiency?
    • What actions will you take to ensure it or similar deficiencies do not recur, including additional training of the staff?
    • Has any disciplinary action been considered?
  • If you did not promptly report this to us, why not?

2. Were any of the partners and managers part of the audit team on a client where the PCAOB Examiners reviewed and had issues with the quality of the audit? If so:

  • What was the nature of any deficiency?
  • How significant did the Examiners consider it to be?
  • What actions have you taken and will continue to take to ensure it and similar deficiencies do not occur on our audit, including additional staff training?

3. Are there any members of your audit team who have been counseled formally or otherwise relating to quality issues identified either by the PCAOB or other quality assurance processes? What assurance can you provide us that you will perform a quality audit without additional cost to us for enhanced supervision and quality control?

4. With respect to the audit of internal control over financial reporting, have you coordinated with management to ensure optimal efficiency, including:

  • A shared assessment of the financial reporting risks, significant accounts and locations, etc., to include in the scope of work for the SOX assessment? In other words, have you ensured you have identified the same financial reporting risks as management?
  • The opportunity to place reliance on management testing? If you are placing less than maximum reliance on management testing in low or medium risk areas, have you discussed and explained why?
  • The processes for sharing the results of testing, changes in the system of internal control, and other information important to both your and management’s assessment?

5. Are you taking a top-down and risk-based approach to the assessment of internal control over financial reporting?

6. Does the top-down and risk-based approach include your processes for assessing whether the COSO Principles are present and functioning? Do your processes ensure that neither your own work nor your requirements of management address areas relating to the Principles and their Points of Focus where a failure would present less than a reasonable possibility of a material misstatement of the financial statements filed with the SEC? Have you limited your own audit work to areas where a failure would represent at least a reasonable possibility of a material error – directly or through its effect on other controls relied upon to either prevent or detect such errors? Or have you developed and are you using a checklist, contrary to the requirements of Auditing Standard No. 5, instead of taking a risk-based approach?

7. How do you ensure continuous improvement in the quality and efficiency of your audit work?

I welcome your comments.

Internal Auditors should be Brave

February 9, 2014 9 comments

It can be hard for internal auditors to tell their stakeholders, whether at board level or in top management, what is putting the organization at greatest risk.

It can be hard to say that the root cause for control failures is that there aren’t enough people, or that the company does not pay enough to attract the best people.

It can be hard to tell the CEO or the audit committee that the executive team does not share information, its members compete with each other for the CEO’s attention, and as a group it fails to meet any person’s definition of a team.

It can be hard to say that the CFO or General Counsel is not considered effective by the rest of management, who tend to ignore and exclude them.

It can be hard to say that the organization’s structure, process, people, and methods are insufficiently agile to succeed in today’s dynamic world.

But these are all truths that need to be told.

If the emperor is not told he has no clothes, he will carry on without them.

Internal auditors at every level are subject to all kinds of pressure that may inhibit them from speaking out:

  • They may believe, with justification, that their job is at risk
  • They may believe, with justification, that their compensation will be directly affected if they alienate top management
  • They may believe that their career within the organization will go no further without the support of top management, even if they receive the support of the board
  • The level of resources provided to internal audit will probably be limited, even cut
  • The CEO and other top executives have personal power that is hard to oppose
  • They are focused on “adding value” and do not want to be seen as obstacles
  • They fear they will never get anything done, will not be able to influence change, and will be shut out of meetings and denied essential information if they are seen as the enemy

Yet, if internal auditors are to be effective, they need to be able to speak out – even at great personal risk.

It would be great if internal auditors were protected from the inevitable backlash. I know of at least one CAE who has a contract that provides a measure of protection, but most are only protected by their personal ethics and moral values.

It would be great if the audit committee of the board ensured that the CAE is enabled to be brave. But few will oppose an angry CEO or CFO.

We need to be brave, but not reckless. There are ways to tell the emperor about his attire without losing your neck. They include talking and listening to allies and others who can help you. They include talking to the executives in one-on-one meetings where they are not threatened by the presence of others. Above all, it is about not surprising the emperor when he is surrounded by the rest of the imperial court.

It is about treating the communication of bad news as a journey, planning each step carefully and preparing the ground for every discussion.

It is also about being prepared to listen and, if you are truly wrong, being prepared to modify the message.

But, the internal auditor must be determined to tell the truth and do so in a way that clearly explains the facts and what needs to be done.

I close with a tongue-in-cheek suggestion that the song Brave by Sara Bareilles (well worth watching) become our anthem.

You can be amazing
You can turn a phrase into a weapon or a drug
You can be the outcast
Or be the backlash of somebody’s lack of love
Or you can start speaking up

Everybody’s been there,
Everybody’s been stared down by the enemy
Fallen for the fear
And done some disappearing,
Bow down to the mighty
Don’t run, just stop holding your tongue

And since your history of silence
Won’t do you any good,
Did you think it would?
Let your words be anything but empty
Why don’t you tell them the truth?

Say what you wanna say
And let the words fall out
Honestly I wanna see you be brave
With what you want to say
And let the words fall out
Honestly I wanna see you be brave

What Audit Committees (Should) Want

January 25, 2014 8 comments

Michele Hooper is a highly-respected (including by me) member and chair of audit committees. She has been a passionate advocate for internal audit and its profession for many years and an advisor to the Institute of Internal Auditors (IIA). In addition, she has been very active with the Center for Audit Quality (CAQ), which is where I met her (she was chair of a CAQ meeting in San Francisco to discuss fraud and I was present as a representative of the IIA).

In December, Michele was interviewed for an article in Internal Auditor (Ia), What Audit Committees Want.

The article brings out some important points. I agree with some and disagree with others (in part because they are left unsaid).

The very first sentence is telling:

“I rely on CAEs to be my eyes and ears in the organization, reporting back on culture, tone, and potential issues that may be emerging within the business”.

The expression ‘eyes and ears’ is an old and perhaps tired phrase. On one hand, it implies that internal audit is spying on management and then running, like a child, to tell on it. On the other, it describes the important role of internal audit as a source of critical information to the board on what is happening within the organization, which may be different from what they are hearing from management.

I can accept that, but what I especially like and appreciate are the next words: “culture, tone, and potential issues that may be emerging within the business”.

Michele is not talking about controls. She is not even talking directly about the management of risk. She is talking first about the culture and tone of the organization, and then about emerging business risks and related issues.

Does your internal audit function provide the board and its audit committee with a sense of the culture and tone within the organization – at the top, in the middle, and in the trenches? If not, why not?

Does your internal audit function ensure that the board is aware of new and emerging business risks and related issues? If not, why not?

Then Michele goes astray:

“An important responsibility critical to audit committee and board discussions is the CAE’s ownership and prioritization of the process management framework for risk identification.”

The CAE should not own the process for identifying and prioritizing risks. The IIA has made that clear in its famous Position Paper: The Role of Internal Auditing in Enterprise-Wide Risk Management. It says: “Management is responsible for establishing and operating the risk management framework on behalf of the board… Internal auditor’s core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management”.

When Michele is asked about the risks she and the audit committee will worry about in 2014, she comments on:

  • Culture
  • Tone
  • Internal control
  • Compliance, especially regulatory compliance
  • Cyber vulnerabilities
  • Financial reporting
  • Reputation risk, and
  • Oversight of the external auditor

What she does not mention are:

  • The effectiveness of the organization’s ability to manage risks to the achievement of objectives
  • The effectiveness of governance processes
  • The need for the audit committee to work collaboratively with other board committees, such as the risk and governance committees, to ensure risks are managed at acceptable levels

I wish she had. I especially wish she had mentioned the magic word:

ASSURANCE

Let’s return to basics, but with a new twist: a new explanation of the primary purpose and value of internal auditing.

Internal audit provides objective assurance to the board and top management of the effectiveness of the entity’s organization, people, processes, and systems in managing risks to the achievement of the entity’s objectives at acceptable levels.

Does your internal audit department provide that assurance, formally, to the board and top management?


What they don’t know will probably hurt them

January 18, 2014 8 comments

It is always interesting to read the various studies that report that directors don’t have an in-depth understanding of their organization’s business, its strategies, and the related risks. In fact, the studies generally report that the level of understanding is insufficient for them to provide effective oversight of management and governance of the organization.

I want to turn this on its head.

If you are the head of risk management, internal audit, information security, or a senior executive, answer this question:

Do you believe that your directors have a sufficient understanding of the reality that is the organization: its culture and politics; the effectiveness of its people, systems and processes; its strategies; and whether risks to the achievement of its objectives and delivery of value to its stakeholders are being managed within acceptable tolerances?

If not, do you have an obligation to help educate the directors? What are you doing about it and is that sufficient?

Now let’s ask another question.

Do you believe that your top executives (including the CEO and CFO) have a sufficient understanding of the reality that is the organization: its culture and politics; the effectiveness of its people, systems and processes; and whether risks to the achievement of its objectives and delivery of value to its stakeholders are being managed within acceptable tolerances?

If not, do you have an obligation to help educate them? What are you doing about it and is that sufficient?

If the directors and/or top executives don’t understand reality the way you do, if their head is in the sand or in a more pungent place, shouldn’t your priority be to help them get their head on straight, pointed in the right direction? If they don’t understand the current state of the organization, shouldn’t the process of informing and educating them be fixed before trying to communicate new areas of concern?

I welcome your views and commentary.

Digital Transformation

December 14, 2013 10 comments

I thoroughly enjoyed listening to an MIT Sloan video, “What Digital Transformation Means for Business”. It features executives from Intel, Avis (the president of Zipcar), a researcher into the topic from MIT, and a Capgemini consultant.

It’s about 45 minutes long, so allow yourself some quiet time and have a pad and pencil (or tablet) handy so you can take notes.

I found it inspiring to hear these influential leaders talk about the need for organizations to embrace disruptive technology (they mentioned cloud computing, ultramobile, advanced big data analytics, and social media).

They also emphasized that the risk of NOT embracing the technology of tomorrow, even when they are in the process of implementing the technology of today, is too great. It is critical to continue to watch and consider how the technology that appears on the horizon may affect the ability of the organization to excel.

I loved the story told by the Intel CIO of how she assigns her staff to work within the business to learn it, and then takes them back into IT so they can work on enhancing that business.

You should also listen to how Intel uses gamification to have a better handle on earnings forecasts. It was a great example of how gamification can be used as a technique for understanding and assessing risk. I have written separately about how an organization assessed risks to the success of a major software implementation by creating a stock market game around it. Individuals on the project team from IT and user departments, the consultants they engaged, and others with a stake in its success bought and sold fictional stock in the project. The stock price varied based on demand: when there was optimism, people bought stock and the price rose; when there was pessimism, people sold and the price dropped. The risk assessment considered the stock price and tried to understand why it moved.

Intel and Avis, together with Capgemini, talked about how much time executives were spending on digital transformation. Clearly, these companies (and I join them) expect leaders from the CEO on down to be spending a good amount of time looking at and considering the technology of today and tomorrow and how it can transform their business.

What do you think?

You might also consider this discussion on the battle between IT and the business for control over technology resources.

I close with my greetings to all for a healthy, prosperous, and joyous holiday season and new year.

Reflections on Strategic Risk

November 24, 2013 31 comments

Surveys say people are paying more attention to so-called “strategic risk”. The latest from Deloitte, called Risk Angles, says:

“Strategic risk is not new; however, in a world where risks are hastened along by business trends and technological innovations, strategic risk management has taken on new urgency. In fact, according to a recently published global survey of more than 300 companies, conducted by Forbes Insights on behalf of Deloitte, 94% say they aren’t just increasing their focus on managing strategic risks; they are changing how they do it – most often by incorporating strategic risk management into their business strategy and planning processes.”

There’s a Strategic Risk Management magazine, my friends at RIMS (the risk management society) have a paper and web page on strategic risk management, and according to a report from IIA, internal auditors in the USA need to pay more attention to strategic risks. In fact, earlier this year the IIA released a Practice Advisory (which is considered “strongly recommended guidance”) on “Internal Audit Coverage of Risks to Achieving Strategic Objectives”.

This sounds right, but it is worth exploring further.

For a start, just what is “strategic risk”?

RIMS says that “Strategic Risk Management (SRM) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution”.

A 2011 article by Mark Frigo (originator of Deloitte’s excellent Risk Intelligence series) and Richard Anderson, “What is Strategic Risk Management”, defines SRM as “a process for identifying, assessing and managing risks and uncertainties, affected by internal and external events or scenarios, that could inhibit an organization’s ability to achieve its strategy and strategic objectives with the ultimate goal of creating and protecting shareholder value. It is a primary component and necessary foundation of Enterprise Risk Management”.

The IIA doesn’t really define strategic risk, but says “Executive management is responsible for identifying and managing risk in pursuit of the organization’s strategic objectives. It is the board’s responsibility to ensure that all strategic risks are identified, understood, and managed to an acceptable level within risk tolerance ranges. Internal audit should have an understanding of the organization’s strategy, how it is executed, the associated risks, and how these risks are being managed.”

In Risk Angles, Deloitte defines strategic risks as “risks that have a major effect on a company’s business strategy decisions, or are created by those decisions. So they tend to have a larger and more widespread impact than the other types of risk that businesses have traditionally focused on, in areas such as operations, finance and compliance.”

Leaving aside the error in some of these definitions that risk management is only about the downside and not the seizing of opportunities, there is a larger question:

If risk is the effect of uncertainty on objectives (the ISO definition, but if you read COSO ERM carefully, you will see they essentially say the same thing), then how is “strategic” risk different?

In fact, if a risk doesn’t have a significant potential effect on the organization’s strategies and goals, why should we worry about it?

Aren’t all risks that matter therefore “strategic risks”?

A compliance risk can significantly affect an organization’s ability to achieve its strategic goals. Just ask JP Morgan Chase as they consider their multi-billion dollar fines.

An operational risk, such as the floods in Thailand that shut down hard drive manufacturers, can cripple an organization.

We could stop there and conclude that the concept of a separate and distinct “strategic risk” is nonsense. But I have a proposition for you to consider.

In the Introduction to the ISO 31000:2009 global risk management standard, there is this paragraph:

“Risk management can be applied to an entire organization, at its many areas and levels, at any time, as well as to specific functions, projects and activities.”

You can (and should, in my opinion) take all your organization’s defined business strategies and goals and take a top-down approach to understanding and assessing the uncertainties surrounding achievement of each of those strategies. That should include assumptions that have been made, the things that need to go right, the things that could go wrong, and the events and circumstances that could lead you to surpassing your objectives. All of those uncertainties should be understood, an assessment made as to whether the risks are at acceptable levels, and actions taken as necessary to optimize outcomes.

I would call this top-down approach strategic risk management. It doesn’t preclude the individual risks being financial, compliance, green, blue, or whatever you want to name them.

At the same time, there is nothing fundamentally wrong with understanding and assessing risks at lower levels of the organization, such as those surrounding the use of technology. The key is to prioritize resources on the risks that matter to the organization as a whole over those that only matter to one department, business unit, or location.

In other words, if you are assessing risks within an area such as IT, Finance, or Human Resources, consider whether they will have an effect of any significance on the success of the organization as a whole in achieving its strategies and strategic goals in the pursuit of value.

If they would, then you can choose to call them strategic, red, blue, or whatever. If not, perhaps they relate to activities that are not relevant to the organization’s objectives and which can be cut back.

Personally, I prefer to focus on the risks that matter to the organization’s success. I just call them risks.

What do you think?

The Optimal Role for the CIO

November 16, 2013 2 comments

Deloitte has given us food for thought in an article “The Four Faces of the CIO”.

Fortunately, they are not talking about a devious executive. Instead, they are talking about four different key roles that every CIO has to play.

The roles are:

  • Catalyst: As a catalyst, the CIO acts as a credible, enterprisewide change agent, instigating innovations that lead to new products or services; delivering IT capabilities in radically new ways; or significantly improving operations in IT and beyond. Catalysts have significant political capital and are able to enlist and align executive stakeholders. Their relentless focus on disruptive innovation and cross-functional teaming allows them to lead transformational change in IT and the business at large.
  • Strategist: “The CIO’s primary objective as strategist is to maximize the value delivered across all IT investments. The strategist has deep business knowledge and can engage as a credible partner, advising the business on how technology can enhance existing business capabilities or provide new ones. “The strategist also keeps the business apprised [sic] of distinctive IT capabilities that can drive revenue, create new opportunities, or mitigate and navigate risks and adverse events.”
  • Technologist: “As a technologist, the CIO is responsible for providing a technical architecture that increases business agility by managing complexity, supports highly efficient operations (to keep costs low), and is flexible and extendable enough to meet future business needs. Technologists also continually scan the horizon for new technologies, rigorously analyze and test those with promise, and then select the ones most apt to achieve enterprise architecture objectives (efficiency, agility, simplification, and innovation).”
  • Operator: “As an operator, the CIO oversees the reliable day-to-day delivery of IT services, applications, and data. Operators manage the department, and hire, develop, and lead IT staff. They institute service level agreements with IT customers and ensure performance targets for IT services are achieved. They maintain transparent IT cost models and charge the business appropriately for IT services. Operators also source technology, services, and staff, and govern those third-party relationships. Among the biggest challenges for operators are protecting the organization against cyber attacks and ensuring regulatory compliance.”

In this world of dynamic and business model-shattering technological change, it is essential that the CIO take her rightful place as a business leader. The Strategist and Catalyst roles are of massive importance if an organization is to succeed.

This is recognized in a Deloitte survey of where CIOs actually spend their time vs. where they want to spend their time:

  • 36% as an operator, compared to a desired level of 14%
  • 43% as either strategist or catalyst, compared to a desired level of 71%

I believe that boards should be asking the CIO, and whoever she reports to, where she spends her time. If the dominant portion is not as Strategist and Catalyst, they should ask why not.

Risk officers should consider whether there is a risk to the business if the CIO is predominantly a passive Operator, and the CAE should consider how the situation can be improved.

I welcome your views.

If I was Chair of the Audit Committee

November 11, 2013 8 comments

If I was asked to join a board and serve as the chair of the audit committee (which I am qualified to do), I would apply the lessons from what seems like a lifetime of working with audit committees. In most cases, the chair was excellent and I would hope to be as effective as they were.

After what I would assume would be a thorough and detailed orientation to the organization and its challenges by such key people as the CEO, CFO and her direct reports, General Counsel, Chief Operating Officer, Chief Accounting Officer, Chief Strategy Officer, Chief Information Officer, Chief Audit Executive, Chief Risk Officer, head of Investor Relations, Chief Information Security Officer, Chief Compliance Officer, Chairman of the Board or Lead Independent Director, lead external audit partner, and outside counsel (and others, depending on the organization), I would turn my attention to the following:

  • Do I now have a fair understanding of how the organization creates value, its strategies, and the risks to those strategies?
  • Do I have a sufficient understanding of the organization’s business model, including its primary products, organization and key executives, business operations, partners, customers and suppliers, etc.?
  • How strong is the management team? Are there any individuals whose performance I need to pay attention to, perhaps asking more detailed questions when they provide information?
  • Who else is on the audit committee and do we collectively have the insight, experience, and understanding necessary to be effective? Where are the gaps and how will they be addressed?
  • What are the primary financial reporting risks and how well are they addressed? What areas, if any, merit special attention by the audit committee? Who should I look to for assurance they are being managed satisfactorily? Who owns the compliance program (if any) on controls over financial reporting, and how strong is the assessment team?
  • What are the other significant financial and other risks (for which risk management oversight has been delegated by the full board) that merit special attention? Who should I look to for assurance they are being managed satisfactorily?
  • How strong is the external audit team and how well do they work with management and the internal audit team? What are their primary concerns? Is their fee structure sufficient or excessive? Is their independence jeopardized by the services they provide beyond the financial statement audit (even if permitted by their standards)?
  • How strong is the internal audit team and does the CAE have the respect of the management team and the external auditor? Are they sufficiently resourced? Are they free from undue management influence (for example, is the CAE hoping for promotion to a position in management, does he have free access to the audit committee, and is his compensation set by management or the audit committee)? What are their primary concerns? Do they provide a formal periodic opinion on the adequacy of the organization’s processes for governance and management of risk, as well as the related controls? How do they determine what to audit?
  • Who owns and sets the agenda for the audit committee? Is there sufficient time and are there enough meetings to satisfy our oversight obligations?
  • Do the right people attend the audit committee meetings, such as the general counsel, CFO, CAE, CRO, CCO, chief accounting officer, and the external audit partner?
  • How does the approval process work for the periodic and annual filings with the regulator (e.g., the SEC)?
  • How are allegations of inappropriate conduct managed? Who owns the compliance hotline, who decides what will be investigated and how, and at what point is the audit committee involved? Is there assurance that allegations will be objectively investigated without retaliation?
  • What concerns do the other members of the audit committee have? Does the former chair of the committee have any advice?

I have probably missed a few items. What would you add?

Please share your comments and views.

Is it time to call the term “GRC” dead?

November 8, 2013 10 comments

While the ‘rest of the world’ thinks of “GRC” as governance, risk management, and compliance, the Institute of Internal Auditors (IIA) uses the term to refer to governance, risk management, and [internal] control.

This is confusing. I can imagine a conversation between two people about “GRC” that continues for 20-30 minutes before they realize they are not talking about the same thing.

Taking the IIA usage first, it has meaning and relevance. While the term GRC is not used per se, the IIA’s definition of internal auditing says that internal audit provides assurance by assessing the organization’s processes for governance, risk management, and the related internal controls. So it has meaning, although (my opinion, not shared by IIA leadership) I wish they would come up with another acronym and stop confusing the greater number who think the C in GRC stands for compliance and not control.

In my experience most internal auditors, influenced presumably by consultants, software vendors, and thought leaders from OCEG, think of the C as standing for compliance and not [internal] control.

So let’s turn to the more common usage of GRC – governance, risk management, and compliance.

Earlier this year, in April, I wrote companion pieces on GRC:

Seven months on, I am starting to think that the term is becoming even more meaningless in practice.

Maybe we can ask the person who invented the term GRC. Although there is competition from PwC and others (including the founder of OCEG), it is generally recognized that Michael Rasmussen (a friend) made it popular while he was with Forrester Research. He needed a term to describe the bucket of software functionalities he was assessing and decided to use the term GRC.

The stimulus for this post and reflection on GRC is recent writing by Michael on his web site. Referring to himself as the GRC Pundit (others call him the King of GRC and he certainly has no peers), he lambasted Gartner for their ‘Magic Quadrant’ assessment of GRC solutions (I did the same, for different reasons, in an earlier post).

But it is worth noting that Paul Proctor of Gartner (not the individual responsible for their ‘Magic Quadrant’) said he hates the term GRC. He said:

“GRC is the most worthless term in the vendor lexicon. Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have.”

I love and agree with this sentiment.

To add to the confusion around GRC, Gartner has its own definition. However, the most common and most widely-recognized definition is the one from OCEG:

“GRC is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].”

We could leave it there, in a confused and confusing world.

But enough is not enough.

Gartner also has definitions and an assessment for IT GRC – whatever that is – and Michael, on his web site, now refers to (and sometimes gives awards for):

  • Identity and Access GRC
  • Legal GRC
  • 3rd Party GRC
  • Enterprise GRC
  • GRC gamification

Now I am not being fair to Michael, because I know what he is really doing. GRC is so broad, extending from processes to setting strategy and monitoring performance, through risk management to legal case management, internal audit management, information security, data governance, and more. So, he has diced up the software landscape into categories and awarded different vendors for their excellence in individual categories.

Is there any point to continuing to talk about GRC (except within the IIA with respect to their usage) when there are so many reasons there really is none?

I am privileged to be a Fellow of OCEG. They champion the concept of Principled Performance, referring to GRC (under their definition) as a capability that enables Principled Performance. Principled Performance is defined as:

“The reliable achievement of objectives while addressing uncertainty and acting with integrity”

Perhaps we can stop (except for the IIA) talking about GRC and start talking about how we can optimize outcomes and performance, addressing uncertainty (risk management) and acting with integrity (regulatory compliance and organizational values).

What do you think?

Or should we step back and just talk separately about organizational governance, performance management, risk management, ethics and compliance, information security, and so on?

I welcome your views.

The Risk of Average People

November 3, 2013 10 comments

How many organizations, small or large, expect to succeed if they have a large number of “average” people – and by that I mean truly average, neither poor nor exceptional?

None. Yet, do we always do everything we can and should to hire, retain, reward, and develop exceptional people?

Does our human resources function help us find and hire exceptional people, or does it limit us to people who are paid average or, if we are lucky, just above average salary, benefits, and other compensation?

Do you really expect to hire exceptional people with just-above-average compensation?

Are we encouraged to recognize our people – all our people – as exceptional, or are we required to grade their performance on a curve?

At one of the companies where I was head of internal audit (CAE), I inherited an existing team. I would rate only two of the staff (one in the US and one in Singapore) as stars; a few had the potential of being very good; a couple were struggling; and the rest were “average”. They were competent, but had little potential for growth and were tolerated rather than welcomed by our customers.

I demanded more, in part because I was changing the style of the audit department so that instead of working in large teams, people were working in pairs or individually. This required more initiative, leadership, and exercise of common sense and business judgment.

The couple that were struggling recognized they were not going to be able to meet the new standard and left of their own volition. A few others saw the opportunity to grow and seized it. But the rest of the “average” performers remained average.

I was able, over time, to find positions for a couple of these people but the rest seemed to have glue on their feet. They enjoyed the new work and challenges, but were setting nobody on fire.

Our human resources function (HR) was no help. Since their work performance was “adequate”, I had no ethical way to move their sticky feet.

I wished I could have rolled back the clock and persuaded my predecessor to hire better people, people with greater intellect, curiosity, and imagination.

I have made a habit, now, of fighting hard to create an environment that lets me hire exceptional people. For that I need pay ranges agreed with HR that let me pay attractive salaries and offer excellent benefits, bonuses, etc. I need job titles that give the people pride in their position and responsibilities. Finally, I need the ability to rate all my people where they truly deserve to be rated – as exceptional performers.

Does your HR function let you hire the best possible person – and that is not the best you can find at the permitted rate, but the best you can find for the job you need done? Or are they a drag on performance?

How many of your sales team are “average”?

How many of your engineers are “average”?

What are you doing about it?

I welcome your comments and stories.

Use the language of your audience

October 29, 2013 5 comments

The other day, I was on a call with other members of an oversight committee. We were talking about the high level project plan for our new products and I asked to see a version that showed key deliverable dates. The chair of our small committee agreed, suggesting that the project manager add a diamond to the dates or otherwise indicate when the various deliverables would be completed.

But the project manager replied that the deliverable dates were in the detail of each “sprint” (the project was being managed using agile management techniques). We were looking at a higher level and he would be happy to show us the plans for each individual sprint.

I told him that I understood that the deliverables were in the sprint-level detail, but I needed to see the deliverable dates on the higher-level project plan. Without that, I would not be able to see whether the plan was acceptable and the products would hit the market at the right time. For example, I could not see whether it made sense to work on deliverables serially or in parallel, or when oversight activities needed to occur.

His response was that he couldn’t run the project using two different project management techniques. Implying that my requirement was old-fashioned (I admit here that I have been managing or overseeing major projects since he was in grade school), he reiterated that he was using agile project management.

I tried to tell him that agile is how you run the project day-to-day, but for oversight purposes I needed to see the big picture – especially when the deliverables were to be completed.

Noting my rising tone, the chairman intervened and suggested that the project manager take the chart he was showing us and simply overlay the deliverable dates. He needed them as well.

The lesson here is that I, as an oversight and big picture person (at least in this role on this project), was talking a different language than the project manager.

I respect the project manager for his expertise and experience in running projects to successful completion. But, he was unable to put himself in my shoes, understand my needs, and then express himself in a way that communicated what I needed to know.

The same issue applies when technical experts, whether in finance, information security, risk management, internal audit, or another area, need to communicate with people in a more senior management or board position. They tend to think and talk in technical detail, while senior management and board members think and talk in terms of the bigger picture.

My advice:

  1. Understand the questions that senior management and the board need answers to.
  2. Answer those questions directly.
  3. Only provide additional detail when necessary to answer the questions – to their satisfaction, not yours – or when asked for more detail.
  4. Get to the point quickly.
  5. Stop.

For example, when a risk, security, or audit practitioner is talking to an executive officer, recognize that they want to know (a) is there anything I need to worry about, (b) is there anything I need to do, and (c) is there a need for me to continue to monitor the situation. They don’t need to know details when there is nothing for them to spend time on.

I welcome your views. If you can share experiences and stories, that would be appreciated.

Are you considering GRC software?

September 30, 2013 20 comments

If you are, I am worried that you might be relying on so-called research by the analyst firm, Gartner. Each year, they publish a Magic Quadrant (MQ) that is presented as addressing organizations’ needs for GRC software. Their 2011 Magic Quadrant for ‘Enterprise Governance, Risk and Compliance Platforms’ (EGRC) is available from Gartner or one of the included software vendors. (I haven’t seen the 2013 MQ).

The purpose of the MQ is to present their “assessment of the main software vendors that should be considered by organizations seeking a technology solution to support the oversight and operation of enterprisewide risk management and compliance programs, with the overall objective being improvements in corporate governance and the ability to achieve business objectives”.

It is good to see my former employer, SAP, in the top quadrant. This means that Gartner considers them visionaries with a high ability to execute.

Also included are players with whose products I have some familiarity: Archer, BWise, IBM, Thomson Reuters, MetricStream, and Oracle.

But does this mean anything? Does it actually have value and relevance for organizations seeking to improve their governance, risk management, and compliance programs?

I have so many criticisms, it is difficult to know where to start:

  1. Gartner assesses software solutions against a defined set of required functionality. That set of functionalities is highly unlikely to be the same as your prioritized needs and requirements! While they talk most prominently about risk management and compliance programs, and these are typically the areas with the greatest need and potential ROI, they include requirements for internal audit, policy management, and more. How many companies would give significant weight, when considering solutions for risk management, to the needs of the (typically small) internal audit function? At the same time, they exclude critical functionality (in my opinion) around the capabilities to link strategy and risk, perform risk monitoring, and support risk workshops. How can you run an effective risk management program without the ability to continuously monitor risks in this turbulent business environment? When you are assessing the effect of uncertainty on objectives (i.e., risk), how do you do that when you have no way to identify the risks to each objective?
  2. They talk about governance, but their assessment includes next to nothing that supports governance. Even their definition of governance is limited and, in my opinion, wrong. It doesn’t include board communications, for example.
  3. Gartner assumes that you need a single platform for risk management and compliance. I believe that compliance-related risks should be included in the risk management program, and that a risk-based approach to compliance is generally wise. However, I find it difficult to believe that all the requirements for a compliance program (e.g., ethics certification and training, investigation case management, legal case management, whistleblower services, anti-money laundering and FCPA compliance, and more) can be found in a single solution – let alone one that supports risk management as well.
  4. Gartner assumes value in the integration of these various functionalities. However, that integration has much less value in practice than they consider. I would prefer to see integration between strategy and risk management than risk management and internal audit!
  5. They don’t consider the need to integrate risk and performance (and strategy) reporting. If we are to integrate risk management into the fabric of the organization, you need combined reporting on both performance and risk indicators.
  6. Few organizations have a ‘GRC’ organization, one that combines (as Gartner sees it) risk management, compliance management, policy management, internal audit, and some limited aspects of governance. So why should we think about a GRC solution?

I will stop there. My point is that looking for a ‘GRC solution’ is (IMHO) short-sighted and likely to lead to selecting the wrong software for your organization.

I might use the MQ to make sure I am considering all the vendors that might have solutions to meet my needs.

But, I would define my requirements based on my needs, my requirements, my potential ROI, and not the needs of the fictional organization considered by Gartner.

I would also be concerned if a vendor presented their solution as addressing the requirements of an EGRC platform, as they may be designing a solution to get better grades from Gartner instead of satisfying their real customers.

What are your needs? If your priority is risk management, look for a risk management solution that has the functionality to meet your current and anticipated needs. If you are looking for compliance solutions, pick the solutions (probably more than one) that will work effectively as a combination.

If you need to address needs in multiple areas, where is the value from integration? Is it better to get separate solutions that are optimal for each area than one that perhaps is good in one or two but less so in others?

As I look back at my former companies where I was chief risk officer, ethics and compliance officer, and led internal audit, I would not have acquired one of these EGRC solutions. I would have acquired separate solutions for risk management, legal case management, SOX compliance, ethics management, and so on. The integration I would have prioritized would have been between risk management and strategy/performance management, and I would also have given significant weight to risk monitoring (using the sophisticated analytics tools now available from SAP, IBM, and Oracle).

I welcome your views.

What is your risk appetite?

September 23, 2013 17 comments

The regulators and others around the world are asking organizations, especially those in financial services, to establish a risk appetite. This is typically in the form of a risk appetite statement or framework.

Let’s look at a couple of definitions of risk appetite.

COSO says:

“Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value” (Understanding and Communicating Risk Appetite)

They continue:

“To fully embed ERM in an organization, decision makers must know how much risk is acceptable as they consider ways of accomplishing objectives, both for their organization and for their individual operations (division, department, etc.)”

[You may have seen my review of the COSO publication, which includes links to other thoughts on risk appetite.]

A similar view is expressed by a global financial services authority:

“Risk appetite is the amount and type of risk that a company is able and willing to accept in pursuit of its business objectives” – Institute of International Finance (http://www.iif.com/regulatory/article+968.php)

But, there are a number of people who believe that risk appetite is a flawed concept. I recommend a read of a paper by Grant Purdy, Demystifying Risk Appetite. When risk practitioners from around the world convened to develop a global risk management standard, ISO 31000:2009, they preferred to discuss risk criteria – a preference I share.

Is risk appetite a useful concept?

Let’s approach this by asking, as individuals, “What is your risk appetite?”

Perhaps you are saying that you are not a business, agency, or enterprise. But you still have objectives you want to achieve and you are more likely to succeed in achieving or surpassing them if you understand and treat/manage/address the risks and opportunities in your path towards those objectives.

Your personal objectives may include long-term ones like saving sufficient money to retire at a certain age, maintaining a certain level of health, or getting to vice president before you turn 35; short-term objectives might include being able to get to work on time today, or finishing a certain number of tasks at work so you can both make your manager happy and have dinner with a happy spouse at 7pm.

You will take risks in accomplishing these objectives. There is no “may” about it; you will take risks. With respect to your drive to work, your arrival time might be affected by weather (both good and bad), the volume of traffic (less traffic meaning you will surpass your objective), dangerous drivers, the possibility that you will fail to see another car when you change lanes, a request from your spouse to take the kids to school on your way, and so on. As you decide to leave, these are all uncertain events or situations that might or might not happen.

What is your risk appetite when you are deciding whether to change lanes because the traffic in front of you is too slow?

What is your risk appetite when you are deciding whether to agree to take the kids to school or ask your spouse to do it?

You have to decide whether to take these risks. You will certainly have a number of criteria that will help you decide, such as the potential for reward (arriving earlier or avoiding a delay in arrival) and the potential for loss (an angry spouse or manager, or physical injury if a car hits you). You will consider the magnitude of the potential loss or reward, the likelihood of each happening, and your ability or capacity to sustain any loss.

Can you put a number, a monetary value, on it? Is it a percentage of your net wealth?

No.

When you decide whether to take a risk, you will be influenced by the likelihood and size of reward against the likelihood and size of loss. Will you decide to change lanes when there is an 80% chance of arriving on time if you do vs. 15 minutes late if you don’t, when you assess the risk of a car hitting you at less than 1%? How about if the chances of a crash are 5%, because there’s a lot of traffic, or 15% because visibility is low?

You will try to make an informed, management decision. You will use your judgment, and you will not even think about anything like risk appetite. “Criteria” is a concept that makes sense, but not “appetite”.

Isn’t running a business similar to driving a car, in that you want to make informed management decisions using your best judgment?

Will you decide whether to expand operations into a new country using your judgment about the likelihood of success (at various levels) and the likelihood of failure (also at various levels)? Failure could mean loss of funds as you abandon new offices, lay off newly-hired staff, and write off assets; it could also mean loss of customer confidence, reputation damage, and even loss of life (depending on where you expand).

Can you put a risk appetite value on this and say, as COSO says “how much risk is acceptable”?

I can understand that it may be important to know that management is not putting the survival of the company at risk, or that the company has not put on the casino table of business more than it can afford to lose.

But is that how you make decisions? Is that how you decide whether or not to take a risk?

What is most important is that:

  • Managers and executives recognize that when they make decisions they have to consider what might happen, and the effect of that is what we call risk
  • If a manager is to be successful, he has to recognize risk, assess it (upside and downside), and if it is at an unacceptable level act to modify it – because that increases his chances of being successful and the level of success he will achieve
  • Decision-makers should use their best and informed judgment to take risks. When the potential effect is outside their authority level, they should escalate the decision to more senior management – in the same way they make purchasing decisions
  • The consideration of risk is an integral and essential element of decision-making and management in general. It is not a separate discipline

What is your appetite for risk appetite? Should we limit the concept to situations where it makes sense, like how much money to put at risk in the financial market? Mind you, we used to call those trading or position limits rather than risk appetite.

I welcome your comments.

Information Security Disconnected from Management?

September 12, 2013 11 comments

The information security software firm, Tripwire, released the interesting results of a “state of risk-based security management” study performed in conjunction with the Ponemon Institute. (The link above is to the press release and summary. The complete study is downloadable in parts – not a good idea, Tripwire – from this location.)

The study has some disturbing comments:

  1. According to the study, not only do two thirds of IT professionals fail to communicate security risks, but 59% filter negative facts before they are disclosed!
  2. About half said that communication between security risk management and business personnel is “poor, nonexistent, or adversarial”.

Tripwire’s CTO is quoted as saying:

“Risk provides the common language that enables a broader business conversation about cybersecurity risks, particularly when dealing with non-technical executives. However, it’s clear from this report that most organizations are missing the majority of opportunities to integrate security risks into day-to-day business decisions. Changing this paradigm will require security professionals to develop new communication skills so they can talk about security risks in terms that are clearly relevant to the top-level business goals.”

In my opinion, Dwayne (the CTO) has this backwards.

These IT professionals need to communicate business risks – the potential effect on the business and its objectives from a potential information security exposure.

Talking about security risks is using a language that the business executives don’t speak naturally, one that does not communicate how their and the organization’s success might be affected.

As my good friend Jay Taylor says, and ISACA in its guidance reiterates, there is no such thing as IT risk – only the business risk created from an IT-related issue. For example, the loss of a server farm is not the risk; the risk is the effect of that loss on the business, such as the inability to support normal business operations such as accounting, sales, etc. which leads to loss of revenue.

Yes, IT professionals need to (as Dwayne says) “develop new communication skills”. They need to learn how to communicate in the language of the business. They need to talk about IT-related business risk, and cut out the techno-babble of “information security risk”.

Let’s not put all the blame for poor communications on IT. The business and especially any risk management personnel need to translate any techno-babble into business risk. They must not accept talk of “IT risk”. In the process, they can help the IT staff learn to speak the language of the business.

Just my opinion. What is yours?

Just what is “reasonable assurance”?

August 13, 2013 8 comments

Do we care what this term means? We should, because it should guide assessments of internal control by management, internal audit, and external audit (and the latter use it when they express an opinion on the financial statements). It also comes into play as internal auditors and management assess the adequacy of governance and risk management processes.

Is it, as the SEC and PCAOB once told me, “a term of science”? Not really. It all comes down to professional judgment by a reasonable or prudent person: judgment as to the level of risk that the assessment is incorrect.

There are regulations that guide the external audit firms and define what reasonable assurance should mean when they use the term.

Auditing Standard Number 5 (AS5) says:

“Effective internal control over financial reporting provides reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes… The auditor must plan and perform the audit to obtain appropriate evidence that is sufficient to obtain reasonable assurance about whether material weaknesses exist as of the date specified in management’s assessment… When evaluating the severity of a deficiency, or combination of deficiencies, the auditor also should determine the level of detail and degree of assurance that would satisfy prudent officials in the conduct of their own affairs that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles. If the auditor determines that a deficiency, or combination of deficiencies, might prevent prudent officials in the conduct of their own affairs from concluding that they have reasonable assurance that transactions are recorded as necessary to permit the preparation of financial statements in conformity with generally accepted accounting principles, then the auditor should treat the deficiency, or combination of deficiencies, as an indicator of a material weakness.”

AS5 points to AU sec. 230, Due Professional Care in the Performance of Work, for a definition of reasonable assurance. However, that document doesn’t provide a great deal more clarification:

“While exercising due professional care, the auditor must plan and perform the audit to obtain sufficient appropriate audit evidence so that audit risk will be limited to a low level that is, in his or her professional judgment, appropriate for expressing an opinion on the financial statements. The high, but not absolute, level of assurance that is intended to be obtained by the auditor is expressed in the auditor’s report as obtaining reasonable assurance about whether the financial statements are free of material misstatement (whether caused by error or fraud). Absolute assurance is not attainable because of the nature of audit evidence and the characteristics of fraud. Therefore, an audit conducted in accordance with generally accepted auditing standards may not detect a material misstatement.”

The guidance continues:

“The independent auditor’s objective is to obtain sufficient appropriate audit evidence to provide him or her with a reasonable basis for forming an opinion. The nature of most evidence derives, in part, from the concept of selective testing of the data being audited, which involves judgment regarding both the areas to be tested and the nature, timing, and extent of the tests to be performed. In addition, judgment is required in interpreting the results of audit testing and evaluating audit evidence. Even with good faith and integrity, mistakes and errors in judgment can be made. Furthermore, accounting presentations contain accounting estimates, the measurement of which is inherently uncertain and depends on the outcome of future events. The auditor exercises professional judgment in evaluating the reasonableness of accounting estimates based on information that could reasonably be expected to be available prior to the completion of field work. As a result of these factors, in the great majority of cases, the auditor has to rely on evidence that is persuasive rather than convincing.”

OK, what does this all mean? There are some key phrases:

  • “the level of detail and degree of assurance that would satisfy prudent officials that they have reasonable assurance”
  • “audit risk will be limited to a low level that is, in his or her professional judgment, appropriate”

It all comes down to the judgment of a prudent person or official.

AS5 and AU sec. 230 both point to the fact that absolute or perfect assurance is impossible. They are concerned about assurance over financial reporting and their opinion on the system of internal control and the financial statements.

What does the COSO Internal Control – Integrated Framework (2013) say? It also refers to reasonable assurance:

“Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”

It goes on to say that internal control is “able to provide only reasonable assurance, not absolute assurance”.

“The term ‘reasonable assurance’ rather than ‘absolute assurance’ acknowledges that limitations exist in all systems of internal control, and that uncertainties and risks may exist, which no one can confidently predict with precision. Absolute assurance is not possible. Reasonable assurance does not imply that an entity will always achieve its objectives. Effective internal control increases the likelihood of an entity achieving its objectives. However, the likelihood of achievement is affected by limitations inherent in all internal control systems, such as human error and the uncertainty inherent in judgment. Additionally, a system of internal control can be circumvented if people collude. Further, if management is able to override controls, the entire system may fail. In other words, even an effective system of internal control can experience a failure.”

So, let’s see if we can come up with something that makes practical sense.

Let’s start with saying that a system of internal control is designed to ensure risks to the achievement of objectives are within desired levels. But, there are limitations inherent in any system of internal control, as described by COSO in the excerpt above.

How much risk should we take that the system of internal control will fail, with significant implications for the achievement of objectives? How much should we spend on controls to limit the risk? That is a matter of judgment: management and the board, as appropriate, should decide. In some cases, regulation and law may guide the definition of an acceptable level of risk that the system of internal control will fail. In all cases, whether a reasonable person (or official) would agree should be a consideration.

If the level of risk that the system of internal control will fail is acceptable, we can call the system of internal control effective.

But the problem is not quite that easy. We also have to consider the use of the term in an auditor’s opinion. External and internal audit seek reasonable assurance that the system of internal control is effective. Said another way, the auditors seek reasonable assurance that the system of internal control provides reasonable assurance that risks to the achievement of objectives are at acceptable levels.

Here, we are talking about the level of risk that the assessment by the auditor is incorrect. Again, the judgment of a prudent person or official comes into play. For the reasons expressed in AU sec. 230, an auditor cannot be certain that his assessment is correct.

OK, so what does this all mean?

As I said earlier, this is not a matter of science. It is a matter of judgment and common sense. Professional auditors are presumed to have both and should be required to exercise both when making assessments.

Where am I going with this?

I believe that external auditors, management, and internal auditors should be prepared to form and express opinions on the adequacy of internal control, management of risk, governance processes, and more. They should rely on, without qualms, their common sense and judgment in that process. Perfect assurance that the system of internal control is perfect is doubly impossible. Reasonable assurance based on professional judgment is possible.

I welcome your comments and perspectives.

PS. I will write a post shortly about the form an internal auditor’s opinion might take on the adequacy of an organization’s overall processes for governance, management of risk, and internal controls.

Little compliance issues that can trip you in a big way

August 6, 2013 3 comments

Another compliance issue hit the news on Monday. According to USA Today, “Chevron agreed to pay $2m in fines and restitution and pleaded no contest to six charges in a fire last summer at its refinery in the San Francisco Bay Area city of Richmond that sent thousands of residents to hospitals, many complaining of respiratory problems”. The fine was in addition to $10m already paid in restitution to affected citizens, health services and others; a likely $1m fine by state safety officials; and, potential litigation by the city of Richmond.

For a company as large as Chevron (revenue of $231 billion, net income of $26 billion, and return on capital employed of 18.7%), these costs are trivial. The reputation cost is likely to be larger, as is the business disruption caused by investigations by the various federal, state and local agencies – not only as a result of the fire but at a higher continuing frequency and intensity because of the compliance failure. In fact, the failure in Richmond is likely to result in all of Chevron’s US-based operations coming under increased scrutiny for some years to come.

The charges filed by the state and local governments included failing to correct deficiencies identified by the company’s own inspectors.

As I reflect on other news stories of fires, pipeline explosions, and other man-made disasters, they always seem to include reports of prior irregularities in inspections, examinations, etc. These reports make the company look reckless, negligent, and less than diligent when it comes to compliance. Clearly, a history of compliance failures, especially failures to correct known deficiencies, only exacerbates fines and reputation damage.

So what does this mean for boards, executives, auditors, risk practitioners, and compliance professionals?

If we look at the COSO Internal Control – Integrated Framework (2013), it has a useful principle: “The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” The related points of focus are:

  • Assesses Results—Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations.
  • Communicates Deficiencies—Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.
  • Monitors Corrective Actions—Management tracks whether deficiencies are remediated on a timely basis.

While this points us in the right direction, asking to whom compliance issues are reported, who assesses them in terms of risk, and who monitors corrective action, the COSO guidance doesn’t include much in the way of detail.

The U.S. Federal Sentencing Guidelines provide guidance that is essential knowledge, not only to compliance professionals but also to boards, executives, risk and audit practitioners of organizations operating within the United States. In its section on “Sentencing of Organizations”, it states: “The two factors that mitigate the ultimate punishment of an organization are: (i) the existence of an effective compliance and ethics program; and (ii) self-reporting, cooperation, or acceptance of responsibility”.

Every board member, senior executive, compliance, risk, and audit professional should become familiar with the requirements for an effective compliance program, outlined in “§8B2.1. Effective Compliance and Ethics Program”. Key points include:

  • The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
  • High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.
  • Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.
  • The organization shall take reasonable steps—
    1. to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;
    2. to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and
    3. to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

We need to combine the guidance from COSO and the Federal Sentencing Guidelines, add risk management techniques for understanding the related risks – especially when there are potentially multiple failures, even if they are in different locations and involve quite different rules and regulations – and we can start to see what is needed:

  1. An effective compliance program that meets at least the minimum requirements of the Federal Sentencing Guidelines (which are not limited to the points above)
  2. A risk management program that works collaboratively with those responsible for compliance to ensure that compliance-related risks (including possible reputation risk, potential loss of customer confidence, and business disruption risk) are understood, assessed, and addressed
  3. Evaluations and responses to compliance issues that address the root cause. Too many organizations put a Band-Aid on the obvious wound without making the investment necessary to fix the underlying problem
  4. Processes that ensure all deficiencies, whether identified internally, as a result of internal audits or inspections, or by third parties including regulators, are reported to the appropriate managers, assessed, addressed by appropriate corrective actions, and then remediated within an appropriate timeframe. Those assessments should be updated on a regular basis as risk levels may change (for example, if there is a second compliance failure)
  5. Processes that ensure senior management and, as appropriate, the board are informed of all significant or potentially significant compliance failures and risks, whether the risk is being managed as desired, and whether appropriate corrective actions are being completed

How effective is your organization when it comes to ensuring it won’t be bitten by prior year compliance failures, especially failures that have not been resolved by addressing and fixing the root cause?

I welcome your views and commentary.

IIA Research Foundation report only adds to confusion about GRC

July 31, 2013 4 comments

A new report published by the IIA Research Foundation, Contrasting GRC and ERM: Perceptions and Practices Among Internal Auditors, is not to blame for the confusion about GRC that it reports. The confusion existed before this report highlighted it (and, to some extent, added to it).

It raises the question of why we should continue to talk about GRC as if we all share the same understanding of what it means, when we clearly don’t.

For a start, the document (influenced by an academic advisor whom I normally respect but on this topic is way off base) can’t seem to decide whether the “C” in GRC stands for compliance or control. While many of us think it should stand for control, it doesn’t. That debate ended a long time ago. It stands for compliance and, given the roots of the term, that is appropriate.

To see how bad the confusion is, just look at any GRC thought leadership paper (from other than OCEG, Michael Rasmussen, or me) and replace the term GRC with risk management. I would bet that the paper would make more sense that way.

In fact, most of the published work on GRC has either been about risk management or the combination of risk and compliance. Governance is rarely in the picture except for the oversight by the board of risk and compliance.

The IIA Research Foundation report is free to IIA members, so download it for yourself and see whether it helps you understand GRC or simply confirms that the world remains confused by the term.

I still think there is some value in thinking about GRC (see my explanation here), but in practice we should stop focusing on GRC as it is getting in the way of fixing risk management, organizational governance, and compliance. See this discussion for details.

Do you agree? If so, are we tilting at windmills?

How did a term whose meaning we don’t agree on become so firmly established?

I welcome your views and commentary.

Let’s get practical with COSO 2013

July 25, 2013 2 comments

The highly respected periodical Compliance Week just published an article that appears to reflect misunderstanding if not panic in some quarters over the updated COSO Internal Control – Integrated Framework.

Written by Tammy Whitehouse with the title “COSO Framework Update Introduces New Measure of Deficiency”, the piece includes quotes from interviews with a number of consultants and other experts, including the new chairman of COSO and me.

I was struck by a number of apparent inferences:

  1. There is confusion over the use by COSO of the term “major deficiency” when for SOX purposes we have been using the terms deficiency, significant deficiency, and material weakness.
  2. People are worried because they are unsure how the updated framework will affect their SOX program.
  3. Some seem to believe that if they have a deficiency related to one risk area that will affect their assessment for SOX.

Let’s take each of these in turn. By the way, Tammy was unable to include in the article my comments on these points, presumably for lack of space.

1. When it comes to SOX, we continue to use the same terms as before. As Bob Hirth pointed out, COSO recognizes that when there are regulations in an area, as there are for SOX with SEC and PCAOB guidance, that takes precedence.

We should also recognize that the term in COSO is not new. Organizations and their internal auditors have been using it for decades.

2. If an organization was truly basing its SOX assessment on the prior version of the COSO framework, it is already “compliant” with the updated version. The only issue is that it has to be able to show how it achieves the principles. This can be done with minimal effort through a management self-assessment. Where the level of risk justifies it, consistent with current practice, related key controls are identified and tested. (I expect the IIA will publish an update to my SOX book in a few months that guides this process.)

3. If you have a deficiency in a different risk area, such as in compliance with safety regulations or the delivery of revenue growth, that will not prevent you from assessing your internal control over financial reporting as effective.

I believe the only implementation issue will be on how much evidence you need to support management’s assertion that all the principles are present and functioning. I believe, and have many experts supporting me on this, that you need to consider the risk to the financial statements if there is a defect in a principle. That risk is indirect; please refer to the discussion in AS5 on entity-level controls that have an indirect effect. The greater the risk, the greater the need for key controls to support and augment management’s self-assessment.

As for those who are concerned because they haven’t read this long document, let me reassure you. If you read and understood COSO 1992, you will not find anything substantially different in 2013. The 17 principles were there before; they have now been emphasized. Some discussions, such as on monitoring, are improved.

This is NOT a radical new document that should cause concern.

But that doesn’t mean you should leave implementation for SOX to 2014! Do your self-assessment now and start any remediation now, because it will take time to address issues like the composition and practices of the audit committee, or the training of staff.

I welcome your comments.