Governance
Are You Prepared?
https://iaonline.theiia.org/2017/Pages/Are-You-Prepared.aspx
<h2>What is internal audit's role in ensuring the organization has a disaster recovery plan?</h2><p>As we've recently seen, disasters — whether natural or from human activity — have shown the need for sound disaster recovery plans. Internal auditors play an assurance and consulting role in this arena, so they need to understand attitudes toward disaster recovery risk within their organizations. Disaster recovery should be part of the overall business continuity management process. For organizations that are ad hoc or reactive in their level of disaster recovery maturity, internal audit may need to assist in making the case to senior management for better preparedness.</p><p>As part of its risk assessment process, internal audit should examine the plan to determine whether operations have been prioritized appropriately and whether risk assessments and responses are sufficient and cost effective. Internal audit should note whether the plan is a working document that is updated in a timely manner as important changes take place, including acquired businesses and new software and technologies. Based on the level of risk, internal audit should schedule audits of the disaster recovery processes to provide assurance that there are no significant gaps. Another opportunity for internal audit is educating senior management and the board on their responsibilities for ensuring effective risk management practices are in place for any outsourcing arrangements.</p><h2>What should internal audit look for in a disaster recovery audit?</h2><p>The areas to cover in a disaster recovery audit can depend to some extent on the size, number of locations, and complexity of the organization.
The most common areas to review are which functions and systems are covered or excluded in the plan and why; testing of multiple scenarios to identify vulnerabilities and gaps in the plan; the inventory of equipment and software; and documentation of backup and recovery processes (IT and non-IT). Auditors should consider critical data backup storage and frequency — including data stored on computers, smartphones, and other devices that employees may use for both work and personal purposes. Other items to review include testing of backup systems to be sure data can actually be restored; insurance coverage; legal involvement and review; disaster recovery contract provisions, including service-level agreements with outsourcers and suppliers; and whether responsibilities are clearly defined.</p>
Staff
Beyond the Numbers
https://iaonline.theiia.org/2017/Pages/Beyond-the-Numbers.aspx
<p>“Internal auditing should be about tomorrow,” Charlotta Hjelm, chief internal auditor at the Swedish insurance co-operative Länsförsäkringar, Stockholm, says. “If the function focuses mainly on financial audits, it is mostly looking at what happened yesterday and today.”</p><p>Hjelm says boards and audit clients are looking to their chief audit executives (CAEs) to provide assurance over their forward-looking operations and strategies — nowhere more so than in areas of rapid change, such as product launches or IT initiatives. As a result, functions that have historically concentrated on auditing controls over financial information have been pushed out of their comfort zones and into the fuzzier world of nonfinancial auditing.</p><p>“If you are conducting financial audits, things are black and white,” Hjelm says. “The controls are right or wrong.” So-called nonfinancial audits, on the other hand, may be concerned with improving the efficiency of business processes, or the quality of services. Auditors working in those areas need adequate knowledge of the business and its functions — from human resources and sales, to supply chains and customers. “If a business wants to be the best, most efficient, and offer the highest quality of goods or services, that can be hard to define,” she says. </p><p>This lack of clarity has an impact on internal audit. If an organization’s goal setting is not precise, auditors can struggle to grasp what separates the most important audit area, for example, from the slightly less important. Moreover, risks in dynamic areas of the business can change rapidly, impact business processes in other parts of the business, and prove difficult to cover comprehensively. Internal audit teams working in nonfinancial areas of the business need a wider range of technical skills, broader soft skills, and deeper business knowledge.
But the rewards of engaging in these areas include providing better insight to the business on the quality of its operations and the risks it faces tomorrow.</p><h2>Aligning With the Business</h2><p>The shift in emphasis from static, backward-looking audits has come from boards and from the profession itself as it has sought to win that coveted seat at the top table. In fact, over the past 15 years internal auditors in most sectors have been aligning themselves more closely with their organizations’ strategies. According to Driving Success in a Changing World: 10 Imperatives for Internal Audit, a 2015 report from The IIA containing the most recent figures, globally 57 percent of audit departments say they are aligned fully or mostly to their business’ goals and objectives. As that percentage continues to grow, increasing numbers of auditors will be moving into those dynamic areas of the business that need assurance most — whether they are primarily financial in nature or not.</p><p>This realignment to auditing nonfinancial areas has led to a shift in approach that places greater value on what audit findings mean to the business than whether or not the organization is compliant with regulations. In regulated areas such as finance, for example, boards still want to know whether they are compliant with Solvency II — a European Union directive that focuses primarily on capital obligations for insurance firms — where there is a clear role for traditional internal audit, Hjelm says.
“But they also want to know how much it will cost, whether we have the resources to do what is necessary, how it will affect the strategic plan, and whether I have audited the right areas.” Communicating clearly on such a wide range of issues has become an important dimension of Hjelm’s work.</p><p>Malcolm Zack, who has led audit teams in the consumer, payments, foodservice, mail, entertainment, and travel sectors and now heads Zack Associates, an internal audit consultancy based in London, says he has been auditing nonfinancial areas of the businesses in which he has worked for more than 20 years. Over that time, he has worked across a range of areas including IT audit, contingency planning, health and safety, codes of conduct, supplier risk, buying and merchandising, and social media, to name just a few. But he agrees with Hjelm that more recently boards have been encouraging internal auditors to move into areas where the business is changing rapidly because that is where the big risks can be. </p><p>“In recent years, I’ve been working more and more on business change projects, and project and program assurance,” he says. “New products and systems are where the higher risks are, and the ongoing auditing of those has become very important.” </p><p>He sees that trend intensifying in the coming years with auditors becoming more focused on the commercial and operational significance of their findings in such dynamic areas, rather than just on the financial data itself. Because finance is only one element the board needs assurance on, Zack says, that has changed the composition of many audit teams away from accountants and pure audit specialists. Experts in project management, IT, or human resources, for example, could be needed as much as technical auditing ability.
An audit team in one financial institution Zack was familiar with, for instance, employed psychologists on its team during an audit of its culture.</p><p>“This has been a shift for the profession,” he says. “We are being asked to give a view of risk and controls across the entire organization potentially.” That requires the audit team to be staffed by a core of experienced auditors supported by a more fluid mix of people from different specialist areas and cultures to provide depth of knowledge in the area being audited, he says. </p><h2>Shift in Focus </h2><p>The difference between a financial audit and a nonfinancial audit can be one of focus, explains Phil Tarling, an internal audit consultant based in South East England, U.K., and former vice president, Internal Audit Capability, and head of the Internal Audit Centre of Excellence at global telecommunications firm Huawei Technologies. In one supply chain audit he was involved in, for example, when goods did not ship in time by sea, they were sent at greater cost by air. The financial findings were significant, but the nonfinancial part of the audit also showed that the supply chain was poorly structured and included recommendations on how to fix the problem.</p><p>“In nonfinancial auditing, you need people to understand that the business exists to make a profit and that cost has a negative impact on its ability to do so,” he says. “Not all auditors think that way, and not all people working in the business do either.”</p><p>That is why Tarling is cautious about bringing people with business acumen, or with subject-area expertise, into the audit function. “When you say ‘business acumen,’ do you mean that people understand the way things are done, or the way they should be done?” he asks. 
He warns that staff brought in from the business can bring with them negative baggage and may be too caught up in the minutiae of their role to see the bigger picture, or to imagine different ways of working.</p><p>“It means you have to work a lot harder to get the right people on the audit team,” he says. Going back to his supply chain example, he would recommend hiring someone who possesses high-level experience with establishing a supply chain and training him or her in audit and risk. Smaller audit functions would need to cosource such staff with an internal audit provider and transfer knowledge to the core team during the project, he says.</p><h2>Integrated Thinking</h2><p>Trends in auditing nonfinancial areas are coming under the spotlight from regulators, standard setters, and business groups mulling over the causes of the financial and economic crash of 2007 — the effects of which are still felt today in the form of historically low interest rates and slow growth in many countries. The consensus among groups such as the International Integrated Reporting Council (IIRC) is that many businesses did not understand how the risks within their businesses are related to each other and to the wider business world. Providing some form of coordinated assurance over all nonfinancial aspects of corporate activity can be achieved by integrated reporting (<IR>). </p><p>The IIRC’s International <IR> Framework argues that, too often, companies have disjointed reporting practices that are driven more by regulation than by business need. That has led to a fragmented approach to what is reported. What is needed, the framework says, is <IR> delivered to shareholders and stakeholders that provides a complete picture of the business and its risks, which is underpinned by integrated thinking.
</p><p>“Integrated thinking is the active consideration by an organization of the relationships between its various operating and functional units and the capitals that the organization uses or affects,” the framework says. “Integrated thinking leads to integrated decision-making and actions that consider the creation of value over the short, medium, and long term.” </p><p>The IIA recently articulated internal audit’s potential role in the integrated thinking arena. Its project concluded that internal audit’s holistic purview of the organization uniquely positions it to support integrated thinking’s goals of strategic decision-making, planning, and delivery in a way that considers the perspectives of the business, its various stakeholders, and the resources needed to create wealth.</p><p>“Internal auditing is focused on the same central concerns that prompt the move toward integrated thinking and enhanced external reporting,” says Anton van Wyk, a former IIA board chairman who led the organization’s integrated reporting task force. “By providing well-informed insight, advice, and assurance, consistent with The IIA’s Core Principles for the Professional Practice of Internal Auditing, internal auditors can have a significant contribution to make in supporting their clients in their journey to integrated thinking.”</p><h2>Connecting the Dots</h2><p>Some practitioners agree. Karem Obeid, CAE, Tawazun Economic Council in Abu Dhabi, United Arab Emirates, says boards have become more sophisticated in their understanding of what internal audit can offer — especially the function’s ability to create value by driving business improvement and advising on risk in dynamic areas of the organization. 
“If as an auditor you get involved in benchmarking integrated thinking and reporting at an early stage,” Obeid says, “you can be the facilitator that helps join the dots across the whole organization and beyond.”</p><p>He sees taking on the role of driving the integrated thinking project as a great way of demonstrating the value that internal audit can add to the business. It can also help the audit team better direct its work and resources to where they are most needed, and enable internal audit to serve the organization as a trusted advisor.</p><p>Auditors can do this by building on their experience of auditing nonfinancial areas of the business, says Obeid — who contributed to the IIA white paper, Global Perspectives and Insights: Beyond the Numbers — Internal Audit’s Role in Nonfinancial Reporting. But, he adds, integrated thinking is a project that has challenges. First, the CAE and his or her team must understand the business from both a technical and a practical point of view. Those with many years of nonfinancial audit experience will be better placed to see how the risks in different areas — often called silos — are related and how they may be audited across the business. Others would face a steep learning curve.</p><p>Second, integrated thinking and the reporting it produces need to serve a wider range of stakeholders — both within and outside the business. Although most internal auditors are effective at dealing with the board, management, and some other functions — such as risk and compliance — few have experience in dealing directly with external stakeholders, such as customers and external pressure groups. </p><p>“Internal auditors need to communicate more with stakeholders, not just through business meetings, but through social media, socializing in person, and getting to know the culture and mind-sets of these groups,” Obeid says.
“Also, the audit team has to increase among those groups an awareness and understanding of audit’s role — and the importance of following The IIA’s Standards.”</p><h2>Sustainability</h2><p>One area of rapid change in the integrated reporting world is that of climate-related financial disclosures. Although a paper published in June by the Financial Stability Board (FSB) relates to financial services businesses, it is a good example of how seriously governments now view the environmental impact of investment decisions on society. The paper, Task Force on Climate-related Financial Disclosures: Overview of Recommendations, proposes enhanced, voluntary disclosures on how each organization’s governance, strategy, risk management, and metrics help it report accurately and effectively on climate-related risks.</p><p>For Richard Goode, an executive director in the Americas Climate Change and Sustainability Services practice at EY, the paper is a clear indication of how government agencies and investors are increasingly asking to see proof of an organization’s “social license to operate.” According to the EY Center for Board Matters, more than half of the shareholder proposals during the 2017 proxy season related to environmental and social issues — in other words, pressure is growing for companies to demonstrate their social, ethical, and environmental credentials.</p><p>“This is a key area for internal audit to act as a trusted business advisor,” he says. “Business managers are asking internal auditors to help them articulate what their nonfinancial risks are and how well their sustainability programs are being put in place and run.” </p><p>Goode adds that while internal auditors can take a leading role, they should avoid an emotional plea to senior leadership and the board.
“Speak the language of risk, collate and analyze the data, benchmark within your industry and among standout performers in other industries, and prove what is important and why.”</p><h2>Trusted Nonfinancial Advisor</h2><p>Goode stresses the importance of having the right expertise to help tackle the more technical aspects of such nonfinancial areas. On the other hand, the lack of such expertise should not be used as an excuse for inaction.</p><p>“Make sure you get the topic on the risk register and talk to the business about what risks they are facing in that area,” he says. “Talk to managers, institutional investors, and stakeholders and put together an honest materiality assessment.” If the risk is real and material, the resources are likely to follow, he adds. </p><p>Hjelm agrees. “The more success you have in these nonfinancial areas, the more trusted you will be to do less testing,” she says. “You will be providing true insight for the company about their potential future risks and helping the company make money tomorrow. Besides, as an internal auditor it’s much more rewarding to help people and have fun while doing it.”</p>
Arthur Piper
The Time Has Come for Marks on Governance
https://iaonline.theiia.org/blogs/marks/2017/Pages/The-time-has-come-for-Marks-on-Governance.aspx
<p>In <em>The Walrus and the Carpenter</em>, Lewis Carroll wrote:</p><blockquote style="margin:0px 0px 0px 40px;border:medium none;padding:0px;"><p>"The time has come," the Walrus said,</p><p>      "To talk of many things:</p><p>Of shoes — and ships — and sealing-wax —</p><p>      Of cabbages — and kings —</p><p>And why the sea is boiling hot —</p><p>      And whether pigs have wings."</p></blockquote><p>[I will let my friend and fellow blogger, <a href="/blogs/jacka" target="_blank">Mike Jacka</a>, talk about flying pigs.]</p><p>Yes, the time has come — to talk about concluding this blog. After all, I have been retired for five years and it is time to start slowing down.</p><p>The blog was born in 2008 with "<a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=607cd1df-2cc8-490e-bac2-ba8391dee68f" target="_blank">A Broken Relationship</a>." Since then, I have written hundreds of articles on governance, risk management, internal auditing (of course), and technology. Not a single reference, I am afraid, to flying pigs.</p><p>While this blog will come to an end, the world and its challenges will not. I will continue to write and speak about them. I hope to see you at IIA and other conferences, and I will continue to share my thoughts in <em>Internal Auditor</em> magazine and on my personal site.</p><p>Perhaps my last blog post should be about how the future of internal auditing is in auditing and then communicating what matters.
I was recently honored to make a keynote presentation on that topic at IIA–Brasil's annual conference in Rio de Janeiro.</p><p>I asked the attendees whether they wanted, as internal auditors, to have a seat at the top table alongside senior executives from finance, operations, legal, marketing, and so on. They all said internal audit should have a seat at the top table. As Richard Chambers says in his latest book, they want internal audit to be seen as <a href="https://bookstore.theiia.org/trusted-advisors-key-attributes-of-outstanding-internal-auditors" target="_blank">trusted advisors</a>.</p><p>Then I asked who they would invite to sit at <em>their</em> table. I suggested that they would welcome people who had something interesting and valuable to offer. They wouldn't invite people (except family members) simply because of their title or position.</p><p>Similarly, internal audit heads (chief internal auditors, CAEs) will be welcomed at the top table when they have something interesting and valuable to offer on the topics typically discussed at that table: the enterprise's objectives and strategies, major projects, performance, and risks to success.</p><p>If we do what I suggested in <a href="https://www.amazon.com/Auditing-that-matters-Norman-Marks/dp/1537662023/ref=asap_bc?ie=UTF8" target="_blank"><em>Auditing That Matters</em></a>, we would be considered trusted advisors that provide assurance, insight, and advice that helps the organization succeed. 
I said:</p><blockquote style="margin:0px 0px 0px 40px;border:medium none;padding:0px;"><p>For internal audit to "matter," it needs to:</p><ol><li>Focus on the risks that matter to the board and top management — risks to the successful delivery of value to stakeholders, the achievement of objectives set by the board.</li><li>Provide assurance on those risks that is readily consumable, relevant, actionable, and timely — helping board members and executives make informed decisions that lead the organization to success; where action is necessary, it can be taken promptly and effectively.</li><li>Provide a formal opinion by the CAE on whether the systems of internal control and risk management provide reasonable assurance that the more significant risks are managed at desired levels.</li><li>Provide, in addition to formal assurance, its objective insight on any area critical to the achievement of success. For example, internal audit cannot be fearful of sharing its opinion on the performance of key personnel, the structure of the organization, and so on.</li><li>Communicate <em>what</em> its stakeholders need to know, <em>when</em> they need to know, and <em>in a form</em> that is easily consumed, relevant, and actionable.</li><li>Work effectively with management to help upgrade its processes, systems, organizational structure, controls, and people as needed.</li></ol></blockquote><p>These principles are consistent with the four results-oriented principles among The IIA's <a href="https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx" target="_blank">Core Principles for the Professional Practice of Internal Auditing</a>.
They state that an effective internal audit function:</p><ul><li>Communicates effectively.</li><li>Provides risk-based assurance.</li><li>Is insightful, proactive, and future-focused.</li><li>Promotes organizational improvement.</li></ul><p>Internal audit should focus on the more significant risks to the enterprise, not just those that may be important to a process, business unit, or middle manager. If you focus on risks to individual processes, business units, and so on, you merit a seat at the <em>middle</em> management table — because those are the people interested in what you have to say. But if you have an eye on the future, on the risks that could either derail the organization or represent opportunities to succeed, today and in the next year or so, your insights are valuable to senior leadership.</p><p>We simply cannot continue to perform audits of history and write reports that stakeholders read out of duty. We need to provide forward-looking assurance and advice on what matters and will matter in the days ahead: communications that matter to our stakeholders because they help them succeed.</p><p>We need to discard the outdated concept of an audit universe and focus instead on a risk universe. We audit and provide assurance on the management of risks, not the management of business units.</p><p>One of the challenges is going to be to understand what risk and risk management are all about. Frankly, I don't think enough people (and especially internal auditors) understand that it is not about the periodic review of a list of risks.</p><p>No, risk management is about ensuring that people are able to make informed and intelligent decisions, taking the desired amount of risk.
It's about making sure they think things through, considering all the things that might happen, both good and bad, before making a decision — and every decision creates or modifies risk.</p><p>Internal audit should audit the management of risk within and across the enterprise, not simply compliance with risk policies and standards.</p><p>Think about this. <a href="https://www.mckinsey.com/business-functions/organization/our-insights/five-fifty-better-decision" target="_blank">According to McKinsey</a>, "60% of senior executives say that bad decisions were about as frequent as good ones"! This is an opportunity for internal audit — but we have to know what is possible and desirable, and that is beyond putting together a risk inventory. We need to be brave and talk about the elephants in the room.</p><p>Almost always, the root cause of risk and control problems is <em>people</em>. Maybe it's an ineffective manager or an individual who does not have the training or experience to do the job. Maybe a control is not being performed reliably because the function is understaffed.</p><p>Our goal is not popularity. Our goal has to be to provide our stakeholders with <em>actionable</em> information that will enable them to correct what needs to be corrected.</p><p>Our goal has to be to help the organization succeed! Providing a list of problems is not nearly enough.</p><p>As I look back on nine years of blogging here, I can see progress. For example, perhaps half of internal audit functions have moved from a rigid annual audit plan to a flexible one that makes sure you are auditing what matters now, rather than what used to matter. That progress needs to continue.</p><p>The path to success lies in our ability to challenge <em>everything</em> we have done because it is what we have always done. We wouldn't accept that from process owners. 
Why accept it in our own profession?</p><p>Challenge:</p><ul><li>What we are auditing.</li><li>How we are auditing.</li><li>How we communicate the results of our work.</li><li>How we provide stakeholders with what they need — actionable information.</li><li>How we can help the organization succeed.</li></ul><p>We need to be <a href="https://www.youtube.com/watch?v=QUQsqBqxoR4" target="_blank">brave</a> (watch the video). Not everybody in our world, from board members to staff members, is going to be happy with change.</p><p>But if we move forward and show them the value <strong><em>to them</em></strong> of addressing and then communicating what matters, it is not only possible to get their enthusiastic support, but doing so will also earn you a seat at the top table.</p><p>What do you think?</p><p>Are we there yet?</p>
Norman Marks
How to Improve Your SOX Compliance Program
https://iaonline.theiia.org/blogs/marks/2017/Pages/How-to-Improve-Your-SOX-Compliance-Program.aspx
<p>If you have been following either of my blogs (hopefully both, here and at <a href="http://normanmarks.wordpress.com/">normanmarks.wordpress.com</a>), you know that I frequently call out so-called expert guidance that is anything but expert.</p><p>Recently, a software vendor teamed up with a mid-size accounting firm to publish a white paper with guidance for companies on optimizing their Sarbanes-Oxley program, which should never have seen the light of day. Frankly, I am not going to waste time and space criticizing it.</p><p>Instead, I will share some suggestions of my own:</p><ol><li>Make sure you are focused on financial reporting risk! The scope should include controls required to provide <em>reasonable assurance</em> that <em>material errors or omissions</em> will be either prevented or detected. That means that the likelihood of such an error or omission, should a control fail, is at least a <em>reasonable possibility</em>: more than simply a theoretical possibility. And the error or omission has to be <em>material</em> to the consolidated financial statements.</li><li>Question why you have controls included in scope where, should they fail, there is less than a reasonable possibility of a material error or omission.</li><li>Apply the risk-based, top-down approach to the whole program, including IT general controls (ITGC) and how you address the COSO Principles. The ITGC scoping should be a continuation of that top-down scoping, not a separate evaluation. Identify the controls that provide reasonable assurance that the COSO Principles are <em>present and functioning</em> (as defined by COSO, meaning that any defect would not rise to a <em>major</em> deficiency).</li><li>Be experts not only in the U.S.
Public Company Accounting Oversight Board (PCAOB) standards (including AS10 and so on) but also in the U.S. Securities and Exchange Commission's (SEC's) <a href="https://www.sec.gov/rules/interp/2007/33-8810.pdf">Interpretive Guidance</a> and SEC/PCAOB staff guidance.</li><li>Re-evaluate the program every year! The business changes every year, and the scope should be reviewed and refined every year to match.</li><li>Read The IIA's updated guidance (my book): <a href="https://bookstore.theiia.org/managements-guide-to-sarbanes-oxley-section-404-4th-edition">Management's Guide to Sarbanes-Oxley Section 404, 4th Edition</a>. (FYI, I receive no income from sales of this book: It all goes to the Internal Audit Foundation.)</li></ol><p>I welcome your thoughts.</p>
Norman Marks
Structured for Strength
https://iaonline.theiia.org/2017/Pages/Structured-for-Strength.aspx
<p>Audit, compliance, and risk functions have always emphasized first line of defense ownership of risk management and controls. Yet audit professionals routinely encounter clients who lack a basic understanding of controls for managing risks. How pervasive is this condition, and should senior management and the board be concerned? A formal review of the first line's risk and control capabilities may identify some significant findings:</p><ul><li>Lack of clear accountability for developing and sustaining risk and control proficiency across the first line.</li><li>Insufficient knowledge and skills among first line personnel regarding control design and risk management fundamentals.</li><li>Nonexistent monitoring of first line control design competence.</li><li>Inadequate integration of risk and control disciplines within management activities.</li></ul><p>If such potential findings ring true for your organization, I recommend establishing a function that is fully devoted to, and accountable for, closing these gaps and maintaining a capable first line. This first line center of excellence (CoE) is primarily responsible for demonstrably improving the risk and control capabilities and performance of the first line of defense across all organizational units.</p><p>Services and deliverables provided by the CoE go beyond training and awareness to include risk management tools, best practice sharing, risk and control advisement, and collaboration with the second and third lines of defense on matters of common interest.
Suitably positioned, the CoE could influence management activities, performance incentive mechanisms, and operations methodologies to integrate sound risk management and control design into the organizational culture.</p><p>The CoE should be staffed with a small team of professionals who have strong working relationships across business units and all lines of defense. Their qualifications should include an understanding of a broad range of disciplines used by the organization, and how these disciplines map to risk and control frameworks. Skills and experience in internal consulting, change management, and developing training and tools also are desirable, supported by the ability to lead, collaborate, and influence to overcome obstacles.</p><p>Where should this team reside within the organization? Let's look for a home in each of the lines of defense.</p><p> <strong>Third Line — Internal Audit — Functions That Provide Independent Assurance</strong> While audit shops have expertise in risk and control, and audit fieldwork provides insights into control weakness themes across the enterprise, internal audit is not chartered to equip the first line. Audit teams need to maintain their independence, and their primary focus is completion of the audit plan to enable relevant reporting to senior management and the board. Advisement to the first line is a secondary role, and accountability for enabling first line capabilities would be an awkward fit within the third line. </p><p> <strong>Second Line — Specialty Risk and Compliance Groups — Functions That Oversee Risk</strong> These functions likewise have expertise in risk and control, but their focus is on specialty areas such as financial control, security, fraud, quality, risk quantification, and compliance. 
Though enterprise risk management departments sometimes provide first line training and advisement, these services are subordinate to their risk oversight obligations, such as standards, risk aggregation, and reporting. As oversight units, second line functions are commonly perceived by the first line as enforcers of requirements rather than enablers, reflecting the natural tension between overseers and the overseen.</p><p> <strong>First Line — Business Operations — Functions That Own and Manage Risks</strong> Personnel across the first line are, by definition, embedded in the business and thus closest to the action. They take and manage risks constantly. They design, redesign, and execute controls daily. However, there are generally only limited pockets of risk and control proficiency, and the typical first line professional has little exposure to control design and risk management training or advice. Given the expectation that the first line excel in owning and managing risk, it appears this would be the most logical place to insert the CoE.</p><p>Many organizations have precedents for CoEs within the first line, such as specialty units devoted to project management, data analytics, or supplier management. A CoE dedicated to the first line's fundamental control and risk management responsibilities, positioned within the first line, itself, would be a natural fit. It would provide first line process owners and management an unintimidating place to go to for risk and control expertise, advice, and best practices.</p><p>The pluses for the first line are clear: improved design of control environments, stronger risk management, and smarter risk taking, leading to more effective operations and increased likelihood of achieving business objectives. 
Moreover, an effective CoE fosters stronger ownership of risk and control where it belongs.</p><p>The second line benefits by having to spend less energy cultivating the first line, thereby enabling stronger second line concentration on its oversight mandate and risk specialties. A proficient first line also will contribute to more positive messaging in the second line's oversight reports, reflecting a more effective first line and an improved risk management culture.</p><p>The third line can enhance its assurance that the first line is committed to excellence in risk management. The CoE, itself, is an auditable entity and should be regularly reviewed as such, along with its impact on the organization's risk maturity.</p><p>Senior management can leverage the existence and effectiveness of the CoE to tangibly illustrate dedication to proactive management of risk across the organization. This may be especially beneficial in highly regulated industries, as external auditors and regulatory examiners are likely to be interested in how the CoE approach improves risk diligence and operational compliance.</p><p>The organization as a whole benefits by enabling lines of defense functions to focus more fully on their primary and distinct responsibilities. This approach also improves the risk culture by enabling a healthy balance between proactive risk management through capable control design, and reactive identification of issues that need fixing.</p><p>As a key advocate for effective risk management and controls, internal audit can wield its influence with senior management and the board in support of the CoE. To bolster this business case, audit may conduct a root-cause analysis pointing to a lack of controls understanding as a key contributor to weaknesses across the enterprise. 
Internal audit can highlight the dangers of not having a risk and control savvy first line, and play a part in holding the CoE accountable for embedding risk and control know-how across operations.</p><p>Internal audit also may collaborate with the second line of defense to analyze repositories of audit reports, reviews, and assessments to distill control weakness themes and best practice recommendations. These would be combined with lessons learned by the first line, itself, and disseminated by the CoE to help process owners and managers avoid similar problems.</p><p>Judicious risk takers and control designers don't happen by accident, and they warrant a targeted investment. But the promise of an effective CoE goes well beyond reducing the number of disconcerting interactions with clients who don't understand risk and control. The entire organization stands to gain as improvements in business results arise from a risk culture characterized by pervasive control capabilities.</p><p>Lane Kimbrough</p>
<h2><a href="https://iaonline.theiia.org/blogs/marks/2017/Pages/The-challenge-of-risky-decisions.aspx">The Challenge of Risky Decisions</a></h2><p>I have said many times that decision-making is at the heart of risk management. Every decision creates or modifies risk.</p><p>Decisions are where risks are taken! Decisions determine how risks are "treated" (if you like that word; "modified," "managed," or "addressed" if you don't). So we should be concerned about the quality of decision-making.</p><p>But, let's first remind ourselves about the core principles of risk management. Then let's see where decision-making fits.</p><p>The ISO 31000:2009 global risk management standard has 11 principles:</p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p><strong>1:</strong> Risk management creates and protects value.</p><p><strong>2:</strong> Risk management is an integral part of all organizational processes.</p><p><strong>3:</strong> Risk management is part of decision making.</p><p><strong>4:</strong> Risk management explicitly addresses uncertainty.</p><p><strong>5:</strong> Risk management is systematic, structured and timely.</p><p><strong>6:</strong> Risk management is based on the best available information.</p><p><strong>7:</strong> Risk management is tailored.</p><p><strong>8:</strong> Risk management takes human and cultural factors into account.</p><p><strong>9:</strong> Risk management is transparent and inclusive.</p><p><strong>10:</strong> Risk management is dynamic, iterative and responsive to change.</p><p><strong>11:</strong> Risk management facilitates continual improvement of the organization.</p></blockquote><p> <br> </p><p>These are all very good. But I think they can be simplified and clarified. 
In <a href="https://www.amazon.com/World-Class-Risk-Management-Norman-Marks/dp/151199777X/ref=sr_1_1?ie=UTF8&qid=1451362676&sr=8-1&keywords=world+class+risk" target="_blank" style="background-color:#ffffff;"> <em>World-Class Risk Management</em></a>, I have six principles:</p><ol><li>Risk management enables management to make intelligent decisions when setting strategy, planning, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.</li><li>Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.</li><li>Risk management is dynamic, iterative and responsive to change.</li><li>Risk management is systematic and structured.</li><li>Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.</li><li>Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.</li></ol><p>The very first sentence in COSO's 2017 <em>Enterprise Risk Management: Integrating with Strategy and Performance</em> is: "Integrating enterprise risk management practices throughout an organization improves de​cision-making in governance, strategy, objective-setting, and day-to-day operations."</p><p>Unfortunately, while COSO has 20 risk management principles, not one relates to decision-making.</p><p>Let me suggest that if the processes for making decisions are poor, that is a huge source of risk to any organization. 
It is highly likely that the wrong risks are being taken (or not taken) and this will significantly impact the achievement of objectives and the delivery of value. So achieving ISO's and my principles (arguably, they all relate to decision-making) is essential if risk management (in fact, 'management') is to be effective.</p><p>Here's an interesting fact. <a href="https://www.mckinsey.com/business-functions/organization/our-insights/five-fifty-better-decision" target="_blank" style="background-color:#ffffff;">According to McKinsey</a>, "60 percent of senior executives say that bad decisions were about as frequent as good ones"! That should worry us all.</p><p>The McKinsey piece (see link above) has some useful information on the causes of poor decision-making. I recommend reading it. The causes of poor decision-making, which I refer to as "risks to effective risk management," are also covered in Chapter 18 of <em>World-Class Risk Management</em>.</p><p>Here are a couple of additional, useful articles on decision-making:</p><ul><li>"<a href="https://www.farnamstreetblog.com/2009/07/an-introduction-to-decision-making/" target="_blank">The Anatomy of a Decision: An Introduction to Decision Making</a>"</li><li> <span style="text-decoration:underline;">"<a href="https://www.farnamstreetblog.com/2013/03/what-matters-more-in-decisions-analysis-or-process/" target="_blank">What Matters More in Decisions: Analysis or Process?​</a>"</span></li></ul><p> <br> </p><p>So what does this all mean?</p><p> <span style="text-decoration:underline;">For board members and the executive team</span>:</p><ul><li>Do you have reasonable assurance that quality decisions are being made? </li><li>Are the right risks being taken? Remember that risk is not taken only by the board or executive team. 
It is being taken through decisions made every day across the extended enterprise.</li><li>If the wrong risks are being taken as a result of poor decision-making processes, when will you know?</li><li>What is the risk of poor quality decisions?</li><li>How can the incidence and effect of poor decision-making be reduced to acceptable levels?</li></ul><p> <span style="text-decoration:underline;"><br></span></p><p> <span style="text-decoration:underline;">For risk professionals</span>:</p><ul><li>What is the level of risk of poor decisions?</li><li>Is that acceptable?</li><li>What can and should be done?</li><li>Should there be guidance from risk practitioners on decision-making?</li><li>Should the chief risk officer help management develop a decision-making framework?</li></ul><p> <span style="text-decoration:underline;"><br></span></p><p> <span style="text-decoration:underline;">For internal audit practitioners</span>:</p><ul><li>Should the risk of poor decisions be included as a priority on the audit plan?</li><li>Are there specific sources of risk to decision-making (such as poor information, lack of process and discipline, failure to work as a team and include all affected parties, and so on) that should be addressed in the audit plan?</li><li>Should the chief audit executive facilitate a discussion with the executive team on this topic?</li></ul><p> <br> </p><p>I believe this is a very important topic.</p><ol><li>Do you agree with me?</li><li>What should be done and by whom?</li><li>Is this something that should concern every practitioner?</li></ol><p>I welcome your thoughts.</p><p>Norman Marks</p>
<h2><a href="https://iaonline.theiia.org/blogs/marks/2017/Pages/Focusing-on-internal-audit-communications.aspx">Focusing on Internal Audit Communications</a></h2><p>My friend Jim DeLoach and his colleague, Brian Christensen, of Protiviti have continued their advice for internal auditors. Captioned as advice for the "future auditor," the three-part series addresses in turn risk, value, and communication.</p><p>The latest is "<a href="https://www.protiviti.com/US-en/insights/bulletin-vol-6-issue-7" target="_blank">Focusing on Communication</a>."</p><p>There is nothing wrong with the advice they offer. Each of their recommendations has value. But, as is so often the case, I believe they have missed the most critical point — especially if internal audit is to make a difference.</p><p>As I say in my presentations as well as in <a href="https://www.amazon.com/Auditing-that-matters-Norman-Marks/dp/1537662023/ref=asap_bc?ie=UTF8" target="_blank"><em>Auditing That Matters</em></a>, it is essential to:</p><p style="text-align:center;"><strong class="ms-rteStyle-BQ">Tell them what they need to know, not what you want to tell them.</strong></p><p>What do the senior executive team and the board need to know? What assurance, advice, and insight will help them succeed and achieve or even exceed their objectives?</p><p>They are focused on achieving earnings targets, improving market share and customer satisfaction, and bringing exciting new products and services to market. How do audit reports on inventory management or accounts payable relate to what they are trying to achieve?</p><p>Not so long ago, I supported the National Association of Directors at a number of events where they provided advice to board members on cybersecurity. What I heard over and over from the directors was a need for <strong><em>actionable information</em></strong>.</p><p>CAEs and their teams need to put themselves in the shoes of their stakeholders. 
What do they need from internal audit that will help them move with confidence to success? Do they need assurance that the controls over risks to new product introduction are reliable?</p><p>If you don't know what they need, how can you provide them with the assurance, advice, and insight that will help them succeed? If all you do is provide them with audit reports that are, at best, peripheral to enterprise objectives such as EPS growth, why should you expect a seat at the top table? Why should they give you more than momentary attention? Why should you believe you are valuable?</p><p>Audit the risks that matter, and then <strong><em>communicate</em></strong> your assurance, advice, and insight <strong><em>when</em></strong> it matters, in an <strong><em>actionable</em></strong> form.</p><p>Is that the traditional audit report?</p><p>I welcome your thoughts.</p><p>Norman Marks</p>
<h2><a href="https://iaonline.theiia.org/blogs/marks/2017/Pages/Sexual-harassment-risk,-governance,-and-audit.aspx">Sexual Harassment Risk, Governance, and Audit</a></h2><p>None of us want to see our organizations in the news and our people accused of sexual harassment. The implications for our reputation as an organization, as well as that of our executives, can be huge. So what do we do:</p><ul><li>As members of the board?</li><li>As risk practitioners?</li><li>As internal auditors?</li></ul><p><br></p><p>Let's start by making sure that:</p><ul><li>We not only have a policy in place but that it is the <em>right</em> policy. It is understood by all employees, who are trained in and regularly certify their understanding of and adherence to the policy.</li><li>We not only have a whistleblower mechanism available for any of our employees to tell us of suspected sexual (or other) harassment, but they know about it and it is answered by people outside the regular chain of command — people who can listen objectively and make sure the right people are notified promptly.</li><li>Reports of suspected sexual harassment are properly investigated by objective and competent professionals and the results brought to the attention of the proper authorities within the organization.</li><li>Care is taken to avoid punishing those who come forward, paying particular attention to employees who their managers say are under-performing. 
While those employees may be seeking to avoid disciplinary action with a false report, the performance assessment may be an attempt by their manager either to escape punishment themselves or to punish the employee for coming forward.</li><li>The right people receive the results of such investigations and deal with them objectively, without bias, and without regard for position or title — and ensure appropriate action is taken consistently.</li></ul><p><br></p><p>But let's also ensure that:</p><ul><li>The same protections apply to everybody who works at the organization or is subject to the actions of its employees, such as temporary personnel, contractors, consultants, vendors, customers, and partners.</li><li>Appropriate training is in place for everybody. That training goes beyond reading the policy to training based on scenarios and case studies; training not only on what not to do but also training that guides people on what to do if they see or are told of sexual (or other) harassment. Additional training may be required for the executive team to ensure they know what to do, how to set expectations, and how to respond to incidents.</li><li><span style="text-decoration:underline;">We understand the level of risk</span>. How many reports are received? How many are investigated? How many are found to be credible? What disciplinary actions are being taken? What are the trends? The Risk function (not internal audit, please) may want to use analytics to monitor the area.</li><li><span style="text-decoration:underline;">We monitor, spot patterns, and act</span>. I heard one large organization talking about hundreds of allegations over a short period. Questions should be asked about the culture, the leaders of the area of the organization where most of the reports arose, and whether there was a broader problem.</li><li><span style="text-decoration:underline;">The level of risk is discussed by the executive committee and the board</span>. 
I would expect at least annual discussion at the board level, more frequent if the level of reports demands.</li><li><span style="text-decoration:underline;">We are confident that people are coming forward</span>. If the culture is perceived as punishing the innocent, then people will be reluctant to come forward — even anonymously. There are tools that can help, from monitoring social media (especially internal posts) to providing safe venues for employees to speak up anonymously.</li><li><span style="text-decoration:underline;">Our leaders are setting the right example</span>. Not only are they vocal, but exemplars in practice.</li><li><span style="text-decoration:underline;">We are prepared for the worst case</span> of a senior executive or board member being subject to accusations. When will the board, CEO, and others be informed? What should they do when? How will the organization respond to media reports?</li><li><span style="text-decoration:underline;">This is on the radar of internal audit</span>. The CAE should work with Legal, HR, and the board to ensure appropriate audit work is performed to ensure the organization understands, monitors, and addresses the risk.</li></ul><p><br></p><p>Anybody, even people we view as high-integrity people, may be accused. Let's not get caught by surprise.</p><p>I welcome your comments.</p><p>Norman Marks</p>
<h2><a href="https://iaonline.theiia.org/blogs/marks/2017/Pages/CISOs-and-many-others-need-to-talk-the-language-of-the-business.aspx">CISOs and Many Others Need to Talk the Language of the Business</a></h2><p>I came across an interesting piece by Cybereason, <a href="https://hi.cybereason.com/hubfs/Content%20PDFs/CISO-Tips-Speaking-the-Language-of-Business.pdf?t=1510177968617" target="_blank">CISO Tips: Speaking the language of business</a>.</p><p>The concept of using the language of the business to connect with leadership extends to people like the CRO, CAE, CIO, and many others.</p><p>They recommend six phrases:</p><ol><li>Risk</li><li>Revenue</li><li>Employee efficiency</li><li>Strategic value</li><li>Cost</li><li>Customer satisfaction</li></ol><p>These are six phrases that can come in useful, although I don't like their definition of risk at all!</p><p>I can think of other phrases that should be learned, not in any particular order:</p><ol start="7"><li>Opportunity</li><li>Agility</li><li>Compliance</li><li>Objectives</li><li>Win</li><li>Competitive environment</li></ol><p>There are many more.</p><p>But, it all comes down to thinking like your customer and talking in ways that resonate with them.</p><ul><li>Know what your organization is trying to achieve.</li><li>Know how you can help it succeed, not just avoid failure.</li><li>Communicate in plain language without techno-babble, and listen actively.</li><li>Help everybody else succeed. Make that your job.</li></ul><p>What do you think?</p><p>Are there phrases that should be embraced? What about ones that should be avoided?</p><p>I welcome your comments.</p><p>Norman Marks</p>
<h2><a href="https://iaonline.theiia.org/blogs/marks/2017/Pages/Maybe-objectives,-risk,-and-controls-are-the-wrong-focus.aspx">Maybe Objectives, Risk, and Controls Are the Wrong Focus</a></h2><p>Here's a radical idea.</p><p>Think about it.</p><p>Who takes risk? It's the decision-makers across the extended enterprise.</p><p>If we want reasonable assurance that they are taking the desired level of risk to achieve objectives, we need to know they are making effective decisions.</p><p>How many of us think about whether people know how to, let alone actually make, quality decisions?</p><p>I recently wrote about <a href="/blogs/marks/2017/Pages/The-most-important-audits-I-ever-performed.aspx" target="_blank">audits that I performed</a> to obtain assurance that people had reliable information on which to base their decisions.</p><p>But what if they don't give the decision enough thought, don't involve others, and so on?</p><p>Maybe this should be a focus of our attention.</p><p>Perhaps we should talk to and perhaps partner with human resources and make training in decision-making a required course for every decision-maker.</p><p>Maybe we should think about how we can prevent or detect poor decisions.</p><p>What do you think?</p><p>I welcome your comments.</p><p>Norman Marks</p>