Good Governance Is All About Quality<p>Much has been written about the benefits of quality management: its measures and assurance in all types of organizations worldwide. The performance and success of hundreds of thousands of organizations and their operations around the world owe much to the development of, and compliance with, quality standards, total quality principles, quality auditing, and assurance frameworks. </p><p>Quality can be seen in the effectiveness of an organization's processes and the products and services it provides; seen by its customers, both internal and external, across all its supply chains; and by those who use its products and services. Quality is created by a focus on customer needs, leadership, teamwork, measurement, and a total commitment to continuous improvement. </p><p>As head of internal audit in a large manufacturing company in the 1980s, I was asked to join its Quality Council, established to drive a total commitment to register the company to the international quality systems standard ISO 9000 (the International Organization for Standardization has recently published updated principles for its ISO 9000 quality management systems). This responsibility introduced me to total quality management principles and the principles underpinning the standards for quality management systems. At the time, I developed and published five quality rules to guide my learning (see "Five Quality Rules" below). These rules have been a guide for me in understanding how to achieve high standards of quality and also the importance of achieving them in all that makes up good governance.</p><p>Associations of quality professionals around the world recognize these rules to be fundamental for a commitment to quality. They can be seen in their visions and missions, their knowledge base, competency frameworks, training, and qualifications. 
Go to the Chartered Quality Institute website, or the quality institute in your own country, and compare these rules with its strategic objectives. World Quality Day, Nov. 10, 2016, adopted the theme "Making Operational Governance Count," sending the message that good governance is all about quality. </p><p>Quality, like good governance, is an assessor of risk and a driver of control activities. It requires high levels of accountability, integrity, and openness in how it is achieved and perceived by an organization's stakeholders. Like good governance, trust is at the core of all quality systems and quality auditing. Quality assurance is a must for every type of activity, service, and product, both for the supplier and the customer. It is a requirement for the efficiency, effectiveness, and economy of every organization in the performance of its activities and achievement of its vision and missions. It must always be present in the values the organization promotes for itself and in its services and products.</p><p>In my five quality rules, replace the word "customer" with "stakeholder" and "quality" with "good governance" to relate each of the rules to the policies and regulations for good governance. Good governance is all about quality, and quality is all about good governance — both for organizations and in the audit, inspection, and compliance services they use.</p><p>These rules can be found in the values of good corporate governance. Quality achievement is required in each of the recently redeveloped and published G20/Organisation for Economic Co-operation and Development corporate governance principles. It can be found in corporate governance codes everywhere, and in many standards and laws. It is a requirement for all audit practices. Quality achievement and monitoring are also seen by many as part of the second line of defense in achieving good risk management and control. 
The IIA promotes this in The Three Lines of Defense for Effective Risk Management and Control. Requiring collaboration at the second line of defense with other monitoring activities is fundamental to good governance. In fact, quality should be more than a collaborator in an organization's second or third lines of defense; quality should be an attack. </p><p>Audit committees have a key role in monitoring governance in each of the three lines of defense throughout the organization. This monitoring should include the standard of quality in the performance of all those they rely upon for assurance as a defense. Audit committees should also recognize the importance of quality, not just as a defense, but also as an attack on inefficiency, ineffectiveness, and waste in all its forms. </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><h2>Five Quality Rules</h2> <strong><br>Customer Focus</strong><br> <ul><li>All customers are different; their satisfaction is paramount.</li><li>Focus on both internal and external customers, primary and secondary. </li><li>View all customers as partners in your supply chains.</li><li>Understand all your customers' needs.</li><li>Aim for customer delight, not just satisfaction, at all times.</li><li>Do not ignore customer complaints.</li></ul> <br> <strong>Management Leadership</strong> <br> <ul><li>Organize for quality.</li><li>Establish a clear and motivating vision understood by everyone.</li><li>Identify your key success factors and build these into a clear mission statement.</li><li>Provide the right structures, methods, and resources for quality achievement. </li><li>Communicate well at all levels, both in clarity and timeliness.</li><li>Give high visibility to your quality policy. </li></ul> <br> <strong>Teamwork </strong> <br> <ul><li>Recognize and encourage the power of teams. 
</li><li>Develop teams across the entire supply chain, internal and external. </li><li>Interlock all teams at operation, function, and cross-function levels.</li><li>Reinforce and reward teams for success.</li><li>Teach teams to focus on your vision and mission statements.</li><li>Delegate responsibility to teams to take action.</li></ul> <br> <strong>Measurement</strong><br> <ul><li>If it cannot be measured, it cannot be improved.</li><li>Measure by statistics — do not inspect. </li><li>Establish measures in all processes, across all supply chains, with high visibility.</li><li>Relate all measures to your vision and mission statements.</li><li>Focus measures on customers, both internal and external.</li><li>Take prompt corrective action on all measurements.</li></ul> <br> <strong>Total Commitment to Continuous Improvement</strong><br> <ul><li>Look for problems, develop solutions, and train.</li><li>Create a learning organization with a constant commitment to improve.</li><li>Encourage a constant and continuous search for excellence.</li><li>Be creative — look for paradigm shifts.</li><li>Benchmark, internally and externally. </li><li>Verify the success of change.</li></ul></td></tr></tbody></table>Jeffrey Ridley
The Idea of a Unified Risk Oversight Council<p> <a href="" target="_blank">A report by the Security Executive Council </a>(a firm that "specializes in corporate security risk mitigation solutions") makes interesting reading.</p><p>For example, it says the following:</p><p> <span class="ms-rteStyle-BQ">We find that, despite best intentions, enterprise-wide risk management often fails. </span><span class="ms-rteStyle-BQ"><a href="" target="_blank">British Petroleum's Deepwater Horizon catastrophe </a><span style="font-size:inherit;">is one of many examples. All-hazards risk mitigation assurance requires that we get beyond one-dimensional, compliance-only, enterprise risk "list" management. </span></span></p><p>It is interesting that rather than talking about risk management or ERM, they talk about "all hazards risk mitigation assurance." Hold that thought for a moment.</p><p>I like the reference (I believe the phrase was created by Jim DeLoach) to "list management." I join Jim and the Council in calling that practice out as ineffective, although it creates the <em>illusion</em> of risk management.</p><p>The report continues with:</p><p> <span class="ms-rteStyle-BQ">Programs that work are multi-dimensional, operationally integrated and relevantly informed by cross-functional subject matter expertise. 
They include:</span></p><p> <span class="ms-rteStyle-BQ">· 24 x 7 x 365 situational risk awareness communications.</span></p><p> <span class="ms-rteStyle-BQ">· Continuous risk/threat/vulnerability assessments.</span></p><p> <span class="ms-rteStyle-BQ">· Mitigation design, performance testing, and innovation pilots.</span></p><p> <span class="ms-rteStyle-BQ">· Persistent all-hazards risk monitoring, anomaly detection and response assurance.</span></p><p> <span class="ms-rteStyle-BQ">· Critical event management; including near-miss after-action queries with objective targeted performance improvement.</span></p><p> <span class="ms-rteStyle-BQ">· Engaged leadership governance.</span></p><p> <span class="ms-rteStyle-BQ">· Ongoing prevention/mitigation systems hygiene.</span></p><p> <span class="ms-rteStyle-BQ">· Understood roles and responsibilities including compliance-plus brand reputation Duty of Care dependencies.</span></p><p>All the items surely belong, but an effective program needs more.</p><p>This is focused on harms (or hazards) and not on what might happen that could affect the achievement of our objectives.</p><p>As such, it remains incomplete and unlikely to be effective in helping the organization succeed.</p><p>An important part of the report talks about why ERM often fails:</p><p> <span class="ms-rteStyle-BQ">A review of the literature reveals enterprise risk management has shortfalls in the 5 following areas:</span></p><p> <span class="ms-rteStyle-BQ">1. Organizations adopt frameworks or processes that are siloed, regulatory-focused, and overly prescriptive; often self-focused with insufficient attention on emerging hazards.</span></p><p> <span class="ms-rteStyle-BQ">2. Risk inventories are often "personal-opinion" management polls that are infrequently supported by research, or weighted subject matter expert opinion or proven practices.</span></p><p> <span class="ms-rteStyle-BQ">3. 
Plans speak to, but seldom assure, integrated cross-functional prevention, protection, mitigation planning, funding, testing, or performance inside and outside the organization.</span></p><p> <span class="ms-rteStyle-BQ">4. Compliance requirements are often less rigorous than intended and do not sufficiently educate, incent, or protect anomaly reporters and whistleblowers.</span></p><p> <span class="ms-rteStyle-BQ">5. Leadership governance is largely in name only, part-time and seldom involved in cross-functional resilience operational dependency planning, testing and performance oversight.</span></p><p>Note the reference to "siloed" risk management functions.</p><p>I believe, based on what I read here, that the Council's recommendations are putting corporate security's risk activities in yet another silo.</p><p>That's not to say that the corporate security function shouldn't have a program to address the risks in its area of responsibility. But that program should be integrated with the management of other risks.</p><p>For example, the potential for thieves to break into a warehouse should be aggregated with risks such as the potential for failing to comply with employee safety regulations or wastewater disposal rules when considering a decision to establish a new building to house valuable metals.</p><p>In addition, the authors are focused on hazards and not on results, or what can influence results.</p><p>They also seem to see operational risk management (ORM) and enterprise risk management (ERM) as separate and distinct. If that is their experience, no wonder risk management is failing! The whole point of ERM, as I see it, is to bring an enterprisewide view to all risks, everything that might happen and influence the achievement of objectives.</p><p>Only when all related risks are considered can the best decision be made.</p><p>However, I think their concept of a risk oversight council and their list of benefits is on the right track. 
To quote:</p><p> <span class="ms-rteStyle-BQ">· It enables persistent Unified Risk Oversight governance. Subject matter expert business leaders and section chiefs may now cross-functionally evaluate, prioritize and resource mitigation options for both emerging and residual threats.</span></p><p> <span class="ms-rteStyle-BQ">· Many senior management leaders recognize that the expanding organizational strategy faces persistent and evolving external and internal risk factors that require collaborative, continuous, and nimble processes, including emerging and residual threat vigilance with operational oversight.</span></p><p> <span class="ms-rteStyle-BQ">· It is often a course correction for efforts that did not cross-functionally connect enterprise risk management for emerging and fast onset of risks, especially at the operational levels.</span></p><p>When I was chief risk officer, I had an executive risk committee that performed a similar function and more. For example, it:</p><ul><li>Comprised direct reports to the CEO.</li><li>Owned the management of risk across the extended enterprise.</li><li>Ensured management participation, resources, and actions as appropriate.</li><li>Approved policies and processes.</li><li>Resolved differences in risk assessment and evaluation.</li><li>Approved reporting to the CEO and the board.</li><li>Monitored the performance of risk management and initiated changes as necessary.</li></ul><p>The paper references ISO 31000 but it is interesting that COSO ERM is not mentioned.</p><p>They close with 13 questions for "responsible leaders." What do you think of them? Are they useful?</p><p>I welcome your comments.</p>Norman Marks
The Integration of Governance, Risk, Compliance, and Related Activities<p>The Open Compliance and Ethics Group (OCEG) has been at the forefront of GRC for a very long time.</p><p>Not only do they have a definition of GRC that makes sense and has practical meaning, but they recognize the need for all the functions of the organization to work together if objectives are to be achieved. Their view of GRC encompasses:</p><ul><li>The role of governance in setting objectives, establishing expectations, monitoring performance and adapting as necessary, and ensuring an appropriate culture.</li><li>The consideration of risk (what might happen) in both the setting and execution of strategies.</li><li>Compliance with both laws/regulations and the expectations of society.</li></ul><p>This is reflected in their definition of GRC:</p><p><span class="ms-rteStyle-BQ">GRC is a capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].</span></p><p>In their <a href="" target="_blank">2017 GRC Maturity Survey</a>, the author (Michael Rasmussen, a friend for whom I have great personal and professional respect) states:</p><p><span class="ms-rteStyle-BQ">In the ideal world there is a natural flow through to GRC. Governance sets objectives and directs and steers the organization setting the context for risk management. Risk management aims to understand and minimize uncertainty in those objectives and reduce exposure to loss while maximizing performance. Compliance assures that the organization operates with integrity to the boundaries established in organization values, policies, regulatory and legal requirements, as well as boundaries set by risk limits and thresholds. 
</span></p><p><span class="ms-rteStyle-BQ">However, within many organizations there are often many GRC functions operating in isolation producing redundancy and gaps while remaining ignorant of the interrelationship of risk across silos. This has a measurable cost to the organization in inefficiency, ineffectiveness, and lack of agility. </span></p><p><span class="ms-rteStyle-BQ">Other organizations have mature and structured processes and reporting on GRC that brings together an integrated and orchestrated view of GRC processes and information.</span></p><p>I strongly encourage everybody to become a member of OCEG, which is free for individuals. It is an excellent source of reference materials and thought leadership. (Like Michael, I am an OCEG Fellow.)</p><p>The latest OCEG GRC Maturity Survey reports that the great majority of organizations still have functions that operate in silos without the coordination and cooperation necessary to realize and deliver full value to stakeholders.</p><p>There is progress, but it is slow.</p><p>Organizations need to recognize that when the different parts of the organization operate to their own instead of the collective rhythm of the enterprise, sub-optimal performance is ensured.</p><p>This can result not only in the failure to achieve the possible, but falling short of ethical and legal obligations.</p><p>The survey results are biased in that the 697 respondents are members of OCEG, primarily risk practitioners (41 percent), internal auditors (31 percent), and compliance personnel (28 percent).</p><p>That implies that they are more familiar than the general work population with the problem of silos and the need to manage risk.</p><p>Even so, only about a quarter of the respondents from organizations where they have integrated risk management and other activities have confidence that risks can be mapped to their sources or drivers.</p><p>A few more believe significant risks have identified owners and are managing those risks 
effectively.</p><p>Let me repeat what I said before:</p><p><span class="ms-rteStyle-BQ">Organizations need to recognize that when the different parts of the organization operate to their own instead of the collective rhythm of the enterprise, sub-optimal performance is ensured.</span></p><p><span class="ms-rteStyle-BQ">This can result not only in the failure to achieve the possible, but falling short of ethical and legal obligations.</span></p><p>Is this a problem in your organization?</p><p>Has it been recognized?</p><p>Is anything being done?</p><p>Is that enough?</p><p>I welcome your comments.</p>Norman Marks
Auditing Organizational Governance<p>Organizational governance is a broad concept that ensures superior strategy formulation, development, and execution in ways that balance performance, conformance, and accountability. It includes systems, controls, and associated processes that promote ethics and values, performance and accountability, and risk communication and coordination among the board, external and internal auditors, and management in meeting and exceeding stakeholder expectations. Internal audit’s role in organizational governance has always been recognized and valued, but it has become increasingly important in the wake of governance failures in financial and public sectors throughout the world. As a result, more and more boards as well as executive management are turning to internal audit for assurance on governance effectiveness, culture, and strategy implementation.<br></p><p>The IIA’s 2015 Global Internal Audit Common Body of Knowledge (CBOK) Practitioner Survey assesses the current role of internal audit in the governance process and how it can better position itself to contribute to effective organizational governance. Through their work, internal auditors can help achieve a balance between value creation (i.e., profitability and growth) and value preservation (i.e., sustainable, long-term performance). Governance reviews give internal audit the opportunity to help prevent governance failures and improve strategic performance. 
However, to take advantage of these opportunities, internal audit must continue to embrace these assurance and advisory roles related to governance and adapt and evolve globally.<br></p><p>The survey’s key findings include: <br></p><ul><li>Four out of 10 internal audit functions say a governance code is in place at their organization.</li><li>About 27 percent say internal audit conducts extensive reviews of organizational governance.</li><li>More than six out of 10 say their organization has a long-term strategic plan in place.</li><li>Only 16 percent say internal audit conducts reviews of their organization’s strategy.</li></ul><p>The fact that fewer than one in five internal audit functions conduct extensive reviews of their organization’s strategy is problematic, because it is impossible to provide assurance without fully understanding the organization’s strategy. Specifically, in such a scenario, it becomes difficult to identify when executive management is pursuing riskier strategies at the expense of stockholders, or inappropriately placing a premium on short-term risk taking rather than long-term, sustainable value creation.<br></p><p>Corporate governance failures can be viewed through the prism of “information integrity,” as executives and boards use information to make decisions. Information integrity failures can be traced back to information errors, ethical lapses, integrity failures, or a combination of these factors. Accordingly, governance audits and reviews primarily focus on validating the information used for strategic decision-making, or provide the context in which relevant information can be meaningfully interpreted.<br></p><h2>The Governance Audit Approach</h2><p>Assurance activities are intended to protect against governance failures, while advisory activities permit superior execution of strategy for growth, performance, and overall success. 
Both activities rely on a deep understanding of how organizational culture can be a driver and enabler of effective governance and superior performance.<br></p><p>Owing to political and cultural barriers within organizations, it may be difficult to have an audit plan approved with a separate comprehensive audit of governance. The chief audit executive (CAE) may be more successful using a strategy that incorporates governance reviews and recommendations as part of routine audits. <br></p><p>Using this approach, internal auditors address governance as a part of assurance or advisory services, rather than launching an enterprisewide governance audit or a comprehensive governance review. Conducting smaller, more digestible governance reviews during routine audits can serve to change attitudes from within the business organization and help lay the foundation for a subsequent comprehensive governance audit when the time is right. <br></p><p>Internal auditors in highly regulated organizations often find it easier to incorporate governance reviews into their audit universe, especially if the regulatory agencies express specific expectations for governance activities to be performed and monitored.<br></p><p>Governance audits must be based on two pillars: <br></p><ol><li>Auditing governance structures and processes by providing assurance about information used for strategic decision-making (mostly based on hard controls where an analytical approach can be helpful).</li><li>Auditing organizational culture where qualitative factors may need to be assessed and interpreted contextually to assess risk (mostly based on soft controls where intuition, common sense, and understanding of human behavior are indispensable).</li></ol><h2>Governance Structures and Processes </h2><p><img src="/2017/PublishingImages/Ramamoorti-Focus-on-Risks.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:480px;height:419px;" />Ensuring that an organization has a sound governance 
structure with effective and ethical policies and practices — along with decision-relevant information that is accurate, reliable, and timely — is critical to the organization’s success. These combined factors, including a credible attitude of transparency and accountability, impact the company’s reputation, stakeholder satisfaction, and overall growth and profitability. A wide swath of stakeholders, including the board of directors and executive management, seeks assurance about the information they use for strategic decision-making. They also need assurance that the organization’s governance structures and processes, founded upon a well-established system of internal controls, operate effectively to achieve objectives, increase company profit, and ensure sustainability.<br></p><h2>Organizational Culture</h2><p>Organizational culture and tone at the top play a significant role in how involved the internal audit function is in reviewing and adding value to organizational governance. Culture embeds many intangibles, including soft controls. As referenced in the CBOK report, Promoting and Supporting Effective Organizational Governance, some of the soft controls that can be audited to help improve organizational governance include:<br></p><ul><li>Management and board competence, philosophy, and style.</li><li>Mutual trust and openness.</li><li>Strong leadership and a powerful vision. </li><li>High performance and quality expectations.</li><li>Shared values/understanding.</li><li>High ethical standards.</li></ul><p>These are areas in which most internal auditors lack audit experience and for which there is less formal training and fewer tools, making such culture audits much more challenging.<br></p><p>Periodic culture and ethics audits are one way to assess the ethical climate and control environment. Audits of incentives and compensation, as well as their alignment with the strategic plan and capital structure among key stakeholders, may also be helpful. 
For example, if the company is financed primarily through debt, the strategic plan should be more conservative and the executives’ compensation should be more salary or bonus and less stock. Otherwise, there is an inherent conflict between what is desired and what is incentivized. <br></p><p>Clearly, the audit of soft controls embedded within organizational cultures consists of many intangibles that do not lend themselves to quantitative measurement and analysis. Accordingly, to be successful, internal auditors must possess soft skills, such as relationship-building acumen, political and cultural savvy, interpersonal communication abilities, diplomacy and tact, and an ability to read people and situations quickly and correctly.<br></p><h2>Assurance and Advisory Roles</h2><p>Internal audit can undertake specific activities as part of its assurance and advisory work in supporting organizational governance (see “Internal Audit Activities for Organizational Governance Assurance and Consulting” below). Many organizations enlist the assistance of internal audit to provide fraud risk awareness training, or help divisional units carry out control self-assessments by systematically conducting risk and control mapping in their specific context. <br><br><strong>Assurance Services</strong> When providing assurance with respect to organizational governance, internal audit assesses the processes used to obtain relevant, reliable, and timely information for strategic decision-making. By providing assurance regarding the accuracy, consistency, and reliability of information, internal audit can help mitigate the risk that strategic decisions rest on flawed information. Internal audit’s work in assuring the quality of information used for decision-making allows the board and executive management to use information with confidence. <br><br><strong>Advisory Services</strong> Internal audit provides consulting and advisory services to improve governance without assuming management responsibility. 
The types of consulting and advisory services that internal audit can offer include advising the board and executive management on decision-making processes, providing information on best practices, and offering interpretation/insight. Advisory services also encompass internal audit facilitating board and executive management awareness and education, instilling best practices in governance, and providing briefings on trending topics. </p><h2><img src="/2017/PublishingImages/Ramamoorti-IA-Activities.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:580px;height:437px;" />Strategic Gap</h2><p>All over the world, internal audit seems to take action more on risk indicators from perceived or actual weaknesses in internal controls over financial reporting, rather than those pertaining to strategic performance and operational risk factors, as indicated by the CBOK survey. This happens even though internal audit acknowledges the importance of strategic risk and believes that management and the board place a high priority on strategic risk. In other words, internal audit may not be meeting stakeholder expectations when it comes to strategy audits (i.e., how well is the planned and approved strategy being executed?).<br></p><p>A huge gap exists in terms of internal audit undertaking comprehensive strategic reviews, even where a long-term strategic plan is in place. According to the CBOK survey, while approximately 50 percent or more of respondents’ organizations around the world have a long-term strategic plan in place, internal audit only conducts strategic reviews 11 percent (South Asia) to 28 percent (Sub-Saharan Africa) of the time. Just as they do for general governance reviews, Sub-Saharan Africa and Middle East/North Africa have the highest levels of activity for reviews of strategy linked to performance. 
<br></p><p>Most surprising is that in North America, an average of 71 percent of respondents report having a long-term strategic plan in place, but only 8 percent of internal auditors report that they actually review the organization’s strategic plan. The reasons for this gap in the “strategic plan existence vs. extensive strategic reviews” could be that they perform such reviews as part of other routine audits and make governance recommendations along the way rather than comprehensively, have immature or inexperienced internal audit functions that are not adequately supported or confident to carry out such strategic reviews, or strategic risks are given a low priority because they are not perceived to be a matter for concern. It could also be that management does not support internal audit being in this space, that internal audit lacks the support of the audit committee, or it doesn’t have sufficient resources.<br></p><h2>Looking Forward</h2><p>In the future, more reliance will be placed on strategic and operational risk and performance data (forward looking) and on internal audit functions for more effective monitoring and governance oversight. Operational data provide a closer look at what is really happening with the business, but they also provide early warning signs of emerging risks that, if heeded, can prompt a critical and timely assessment of the business model and potentially preempt or avert business and governance failures. With internal audit’s help, organizations can adapt to changing conditions in the marketplace, such as shifting consumer tastes and preferences and making needed course corrections to strategy, which can ensure continued growth and success. <br></p>Sridhar Ramamoorti
Cybersecurity Effectiveness<p>I think it is fair to say that cybersecurity is one of the issues that are top of mind for boards, risk, and audit professionals.</p><p>I have written quite a lot about it in previous posts, including:</p><ul><li> <a href="" target="_blank">Cyber and Reputation Risk Are Dominoes</a>.</li><li> <a href="" target="_blank">How Much Cyber Risk Should an Organization Take?</a></li><li> <a href="/blogs/marks/2017/Pages/Cyber-root-cause-alarm-bells-are-ringing.aspx">Cyber Root Cause Alarm Bells Are Ringing</a>. </li><li> <a href="/blogs/marks/2017/Pages/An-important-cyber-risk-framework.aspx">An Important Cyberrisk Framework</a>.</li><li> <a href="/blogs/marks/2016/Pages/How-much-cyber-risk-should-we-take.aspx">How Much Cyberrisk Should We Take?</a></li></ul><p>Now The IIA's Internal Audit Foundation has partnered with Crowe Horwath to publish <a href="" target="_blank">The Security Intelligence Center Next Steps: Beyond Response to Anticipation</a>.<br></p><p>I recommend it to every IT auditor and CAE.</p><p>But, it's not perfect (sorry, IIA).</p><p>This is good:</p><blockquote><ul><li>As cyberattacks become increasingly commonplace, much of the discussion among security professionals has moved from the desire to avoid and block all intrusions. Instead, there is growing recognition that despite everyone's best efforts to prevent it, there is always a probability that an intrusion will occur. This shift in outlook has extensive implications in terms of cybersecurity operations. 
Once it is recognized that 100 percent protection 100 percent of the time is not achievable, the cybersecurity emphasis can begin to shift from a defensive posture to a more offensive and proactive one that focuses on learning about how certain threats operate, how their effects can be limited or mitigated, and how the incident response time (from identification to remediation) can be accelerated.<br><br></li><li>Organizations that rate higher on the cybersecurity maturity scale are not necessarily spending more dollars overall, but are taking a more predictive approach to cybersecurity intelligence by integrating well-rounded security solutions and avoiding bolt-on products. As they do this, they also help bring the issue of cybersecurity further into the mainstream and make the anticipation and mitigation of attacks a more manageable experience. By following this example, organizations that are less mature in cybersecurity can begin to focus their existing IT security resources and budgets more intelligently as they make the transition to a more mature approach to the overall cybersecurity challenge.</li></ul></blockquote>​ <p> <br> </p><p>The report has some good reference materials, identifying cyber and information security frameworks and guides.</p><p>It focuses on the existence and attributes of security operations centers, which may be of value in assessing what your organization has implemented.</p><p>I also like the emphasis on the emerging field of threat intelligence — trying to anticipate attacks and how they may be made.</p><p>But when it comes to the involvement of internal audit and some basic first steps, I have a problem.</p><p>This is what the report says:</p><p>The authors of the report recommended seven key questions for internal audit to ask about cybersecurity preparedness. 
The questions are:</p><blockquote style="margin:0px 0px 0px 40px;border:medium none;padding:0px;"><ol><li>Is the organization able to monitor suspicious network intrusion?<br></li><li>Is the organization able to identify whether an attack is occurring?<br></li><li>Can the organization isolate the attack and restrict potential damage?<br></li><li>Is the organization able to know whether confidential data is leaving the organization?<br></li><li>If an incident does occur, is a written crisis-management plan in place that has been tested and is in line with organizational risk?<br></li><li>If an incident does occur, does the organization have access to forensic skills to assist with the incident?<br></li><li>Is the incident team in place, and do they know their roles and responsibilities?<br></li></ol></blockquote><p> <br> </p><p>The most critical omission is a business risk assessment. As I have explained in other posts (listed above), it is mandatory in my opinion to understand how the business and the achievement of its objectives would be affected by a breach.</p><p>Then there is the omission of any question relating to the adequate resourcing of the cyber team, or the <span style="text-decoration:underline;">timely</span> detection of a breach.</p><p>The seven questions are a decent start, but there is more that needs to be done.</p><p>I welcome your thoughts.</p><p> <br> </p>Norman Marks0
Cyber Root Cause Alarm Bells Are Ringing<p><a href="" target="_blank">A new study by Tripwire</a> should be setting off your alarms.</p><p>The company surveyed 403 IT security professionals, the people who should know about the true state of information security or cyber at their organization.</p><p><strong>90 percent of organizations lack the <span style="text-decoration:underline;">skills</span> to address the full range of cyber threats!</strong></p><p>There have been repeated reports that information security experts are in high demand but low supply. This confirms the problem.</p><p><strong>97 percent of organizations lack the <span style="text-decoration:underline;">technology</span> they need to address the threats!</strong></p><p>If I was on the board and heard this, I would be questioning the executive team hard.</p><p>Other surveys indicate that the majority of executives know they have been hacked in the past and expect hackers to be successful in the future.</p><p>But do they know the true extent of the problem?</p><p>Do they know their defenses are down — and that their people don't have the ability to detect intrusions promptly?</p><p>When I took over the internal audit function at a company years ago, I was concerned by what I saw in the information security area.</p><p>Rather than audit the defenses, I had my team audit whether the company had the <strong>capability</strong> to build, maintain, and manage the defenses.</p><p>Key questions include:</p><ul><li>Do you understand the risk to the business (the consequences) if there is a successful intrusion? How will the objectives of the organization be affected? Can you and have you assessed cyber risk in business terms? How recent is that assessment?</li><li>Are you satisfied and if so why? If not, what are you doing about it?</li><li>Do you have the people to understand (on a continuing basis) and then address cyber risk?</li><li>Do they have the tools? Is that your opinion or theirs?</li><li>Is the voice of information security heard and listened to at senior and board levels?</li><li>Would a reasonable, prudent individual believe the risk to the organization is at an acceptable level, and will continue to be at an acceptable level over the next year?</li><li>How often is an <strong>objective</strong> assessment of information security performed and is it reliable? Are its recommendations acted on?</li><li>Does it still make sense to expect employees to handle cyber risk? Is it better to outsource it, and to what extent should we do that?</li></ul><p>I welcome your comments.</p>Norman Marks
Reports That Provide Actionable Information<p>Stories make it easier, in my experience, to explain a concept. So if you are sitting comfortably, it's storytime (fictional).</p><p>A young couple is fast asleep when they feel a tug on the bedsheets.</p><p>"Mommy, daddy, my tummy hurts and I don't feel well!" Sob.</p><p>"Come here. Let me feel your forehead. Oh, it's quite hot. Darling, get the thermometer. We need to check his temperature."</p><p>"Here it is."</p><p>"Son, you have a temperature. Where does it hurt?"</p><p>"Here," pointing and then doubling up in pain.</p><p>They look at each other and decide to take him to the doctor. They don't want to wait until the morning to see their regular doctor so they dress, bundle the boy up, and drive to the hospital.</p><p>A doctor is found quickly and checks the boy out. He decides some tests are needed, including (to the child's distress) taking some blood.</p><p>The doctor leaves them in the care of a nurse, telling them that he will get the results to them as quickly as possible.</p><p>An hour passes. Two hours.</p><p>Finally, the nurse appears.</p><p>"Here's the doctor's report. I know it's quite long but you can see from the Table of Contents that the Executive Summary starts on page 2."</p><p>The father takes the report and starts to leaf through it.</p><p>"OK, it has his picture on the cover so we know it's the right report. But, that looks like an old picture. Let's see what's in the Executive Summary.</p><p>"His weight is 45 pounds, which the doctor notes is average for his height and age. I guess that's good. His temperature is a few degrees above normal. We already knew that. His white cell count is …"</p><p>The father stops talking except to mumble to himself as he reads on. Every so often you hear a muttered "So what?"</p><p>Finally, he throws the report down and accosts the nurse.</p><p>"Is our boy going to be all right? Why is his fever high and why does he have stomach pain? What can we do to help him?"</p><p>There's a huge difference between reporting facts and providing the information your audience needs.</p><p>For risk practitioners, can you answer these questions?</p><ul><li>Do you know what decisions your executive team and board are trying to make?</li><li>Do you know what information they need about what might happen, information they could use to make more intelligent and informed decisions?</li><li>Are you helping them be more successful or are you only helping them avoid harm?</li></ul><p>For internal auditors:</p><ul><li>Do you know what your executive management team and board are trying to achieve?</li><li>Do you know what they need from you to have assurance that risks to success are being managed at acceptable levels?</li><li>Do you only provide assurance on controls rather than risks to objectives?</li><li>When you assess the adequacy of controls, is it clear what potential effect they may have on specific objectives?</li></ul><p>For everybody, do you know what your customer wants from you?</p><p>Are you informing him or her what they need to know — will their child (the organization) be OK, what do they need to know about the condition of risk management and internal control, and, what do they need to do about it?</p><p>Are you providing <strong><em>actionable</em></strong> information?</p><p>I welcome your comments.</p>Norman Marks
Changing of the Guard<h2>What compliance trends can auditors expect in 2017?</h2><p>This will be a year of tremendous change that creates volatility and uncertainty in the internal audit profession. Top political appointees at U.S. regulatory agencies will turn over, and there will be marked changes in priorities with the incoming presidential administration. Those changes in priorities will filter down to the enforcement arena. With a new president who is prone to using social media to provoke policy confrontations with corporations and individuals, there is a material risk that companies may face some negative consequences if they become the focal point of President Trump’s attention.</p><h2>How can a new presidential administration affect the risks that organizations face?</h2><p>President Trump was elected on an agenda to tear down the central legislative, regulatory, and executive actions of his predecessor. There will be a number of recent rulemakings rescinded through legislation, a number of in-progress rulemakings halted or significantly modified, and a number of pending court cases over regulations abandoned to better reflect the new president’s priorities and philosophies. It will be critical for internal auditors to stay aware of the state of play for laws and regulations that most affect their organization’s operations on a daily basis.</p>Staff
What Is Holding the Company Back?<p>Okay, the risk purists are going to be annoyed with me — again.</p><p>We like to focus on potential events or situations that could affect the achievement of objectives.</p><p>That's fine.</p><p>But they argue that if the event or situation is <em>certain</em>, then it's not something covered by risk management. It's no longer a possibility; it's a sure thing.</p><p>Hmm.</p><p>My thinking is that while it may be <em>certain</em> that the event or situation will happen, the <em>effect</em> may be <em>uncertain</em> [1]. Maybe there's something we can and should do about it to change the potential effect and/or its likelihood.</p><p>In an earlier post, <a href="" target="_blank">The Real Risks: The Ones Not in the Typical List of Top Risks</a>, I included a number of situations (the purists could argue, correctly, that they are <em>sources of risk</em> rather than a risk themselves).</p><p>Included in the list were:</p><ul><li>Not having sufficient people.</li><li>Lack of teamwork.</li></ul><p>Some of the comments I received said that these were very often conditions already in place, so they weren't really risks (or sources of risk).</p><p>I have to question whether that matters, even if correct (which I doubt)!</p><p>Both of these conditions create the possibility of harm to the organization.</p><p>There probably is harm now, but there is a possibility of harm continuing unless the conditions are changed.</p><p>Where I am going is this: Let's not get hung up over terminology! Words can get in our way.</p><p>Instead, let's focus on:</p><ul><li>What might happen?</li><li>Is that okay?</li><li>What are we going to do about it?</li></ul><p>Risk managers should include these conditions as sources of future risk as well as current harm.</p><p>Internal auditors should consider the value of auditing the controls to address these problems.</p><p>Management and the board should pay attention and fix the problems! Risk and audit practitioners can help by shining a light on the situation.</p><p>I still call <a href="" target="_blank">auditing what matters</a> "enterprise risk-based auditing." I don't care whether people want to call the topics covered by my audits risks, sources of risk, or gizmos.</p><p>What do you think?</p><p>[1] Technically, risk is the <em>effect</em> of uncertainty on objectives, so the fact that the event or situation is certain is not the deciding factor.</p>Norman Marks
Do Internal Audit Reports Matter?<p>In <a href="" target="_blank"><em>Auditing That Matters</em></a> I point out that it's not enough to <strong>audit what matters</strong> if you are unable to <strong>communicate what matters</strong> — and by that I am talking about what matters to the most important stakeholders: the audit committee and executive management.</p><p>Recently, The IIA published a Practice Guide, <a href="" target="_blank">Audit Reports: Communicating Assurance Engagement Results</a>.</p><p>I cannot over-emphasize the importance of effective communications.</p><p>In my presentations on world-class internal auditing, I say that an effective audit report is:</p><ul><li>A communication that is read and acted on right away. Why? Because it is important to the reader, easy to read, and makes business sense <em>to the reader</em>.</li><li>A communication that matters because what it has to say matters <em>to the reader</em>.</li><li>Says what the stakeholder needs to know and no more.</li></ul><p>We should aim for stakeholders actively wanting to read audit reports rather than reading them because it's their duty.</p><p>The IIA has a challenge when it comes to writing guidance on matters like this. I recall, as a member of the committee responsible for developing Practice Guides and Practice Advisories, energetic discussions about whether our guidance should reflect current practices or what leaders of the profession were doing: a more aspirational tone intended to lead the profession forward.</p><p>Should they reflect <em>common</em> practice, <em>best</em> practice, or <em>leading</em> practice?</p><p>Unfortunately, my assessment is that this Practice Guide reflects age-old customs that will not move professional practices forward.</p><p>As I said, this is a critical topic and I spend longer on the topic in <em>Auditing That Matters</em> than the Practice Guide. My aim in that book is to help departments upgrade to leading practices.</p><p>Here are some key excerpts. (Please read the book for details, with examples.)</p><ul><li>Most internal auditors do not realize that the <em>Standards</em> do not require that every audit conclude with a formal, written, audit report. The <em>Standards</em> only require that the results of the engagement be <em>communicated</em>. They do not specify that the communication has to be in a formal, written report.</li><li>It is not about communicating what matters to the auditor. It is about <strong>communicating what matters to each of our stakeholders</strong> — in operating management, senior and executive management, on the board, and others as appropriate (e.g., regulators and external auditors).</li><li>Operating management need to know when anything beyond the trivial is not working the way they intend. I expect the audit team to communicate that information, relevant <strong>insights</strong> about root causes and so on, and actionable advice about how to correct the situation as soon as possible.</li><li><em>If there is no value in informing more senior management that there was an issue, then I typically won't mention it</em> — except, perhaps, to say that "additional issues were identified during the audit that were immediately corrected by management." If I do mention it because the risk, until corrected, was significant, I will also indicate that the risk has now been addressed by management.</li><li>Executive management doesn't need all the details; they should be able to rely on their direct reports in operating management to take care of them.</li><li>I like to ask the question: "What do they [executive management] need to know?" They need to know anything that:<ul><li>They need to act on;</li><li>They need to monitor; or,</li><li>Represents a significant and unacceptable risk to their or the organization's objectives.</li></ul></li></ul><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p>Anything beyond that is not just immaterial to them, but can actually degrade the quality of the report.</p></blockquote><ul><li>We need to make it easy for busy executives to read, absorb, and then act on the results of our work.</li><li>I believe internal audit should provide an opinion: their assessment of the condition of controls and whether they provide assurance that the risks in scope are managed at desired levels.</li><li>I like, whenever possible, for the reader of the audit report to see that <em>immediately</em>.</li><li>It's the most important piece of information we communicate, so it should be <strong>front and center</strong>. The only exception is where it is necessary to provide some context before the reader will understand our assessment — what it covers, why it should be important to them, and so on.</li><li>After the opinion, we answer the questions, "Are there any issues of significance?" and "Do they require my attention?"</li><li><em>I am not easily persuaded that anything else needs to be in the audit report.</em></li><li>The oldest communication tool is <em>talking.</em></li><li>When a simple "everything is OK" is insufficient, I believe the audit report is only the <em>start</em> of the communication.</li><li>A face-to-face discussion where the auditor can explain what he or she found, the implications, as well as share his or her advice and insight is invaluable. A meeting provides the executive with the opportunity to ask questions and make sure he or she fully understands the situation before making decisions and taking actions.</li></ul><p>Please review the Practice Guide and ask yourself whether the audit reports that would be published based on this guidance would be effective.</p><p>Do such reports communicate what stakeholders need to know (and no more), do they communicate what the auditor wants to say (a big difference), or (even worse) are they documentation of the results and an effort to prove audit capabilities?</p><p>There are some "magic" words and phrases in a couple of The IIA's Core Principles for Effective Internal Auditing:</p><ul><li>Provides <strong>risk</strong>-based <strong>assurance</strong>.</li><li>Is <strong>insightful</strong>, <strong>proactive</strong>, and <strong>future</strong>-focused.</li></ul><p>The first should focus the auditor's attention on what their assessment should mean to the organization.</p><p>While it is important to dive deep into root causes, because only by addressing the root cause can the issue causing the symptom be fixed, it is at least as important to step back and think about the bigger picture: what this should all mean to the executives and the board.</p><p>Be future-focused. For example, should there be a change in strategies, plans, or objectives?</p><p>Is there a management or staffing problem that could have broader implications?</p><p>Should scarce resources be shifted?</p><p>In fact, the auditor should be thinking of what they would do, if anything, if they were a member of the board or executive committee. Is simply correcting the control deficiencies sufficient?</p><p>What additional insight can he or she share with decision-makers? What needs to be communicated in private rather than in the audit report?</p><p>I'm not going to pick the Practice Guide apart. However, this sentence simply annoys me: "A well-written audit report presents an opportunity to <em>market the internal audit activity</em> by showcasing internal auditors' in-depth knowledge of the organization's business processes and internal audit's willingness to partner with management and provide recommendations for improvement."</p><p>The audit report is not about proving how good we are and how thorough our work is. If that is your aim, you are in trouble!</p><p>It's about communicating what our stakeholders need to know.</p><p>This post is getting very long, but I want to close by asking you to look at the examples of an audit report in the Practice Guide's Appendix D. Answer these questions for me:</p><ul><li>How long does it take you to find the auditor's assessment? Is it front and center?</li><li>Does the assessment explain whether and how it should matter to the executive or board reader of the report?</li><li>Does it include information that the executive or board member does not need to know?</li><li>Where there are issues, is it clear what risks to enterprise objectives (if any) are affected and why that is critical?</li><li>If the assessment is rated Red, how does the executive or board member compare the importance of the issue to an audit of Cyber where the assessment was also rated Red?</li><li>If you were the CEO, would you want to spend your time reading reports like these?</li></ul><p>These are my personal views — and I appreciate The IIA's openness to contrary views.</p><p>I welcome your thoughts and observations.</p>Norman Marks
