<h2>Sexual Harassment Risk, Governance, and Audit</h2><p>None of us want to see our organizations in the news and our people accused of sexual harassment. The implications for our reputation as an organization, as well as that of our executives, can be huge. So what do we do:</p><ul><li>As members of the board?</li><li>As risk practitioners?</li><li>As internal auditors?</li></ul><p>Let's start by making sure that:</p><ul><li>We not only have a policy in place but that it is the <em>right</em> policy. It is understood by all employees, who are trained in and regularly certify their understanding of and adherence to the policy.</li><li>We not only have a whistleblower mechanism available for any of our employees to tell us of suspected sexual (or other) harassment, but they know about it and it is answered by people outside the regular chain of command — people who can listen objectively and make sure the right people are notified promptly.</li><li>Reports of suspected sexual harassment are properly investigated by objective and competent professionals and the results brought to the attention of the proper authorities within the organization.</li><li>Care is taken to avoid punishing those who come forward, paying particular attention to employees who their managers say are under-performing. 
While those employees may be seeking to avoid disciplinary action with a false report, the performance assessment may be an attempt by their manager either to escape punishment themselves or to punish the employee for coming forward.</li><li>The right people receive the results of such investigations and deal with them objectively, without bias, and without regard for position or title — and ensure appropriate action is taken consistently.</li></ul><p>But let's also ensure that:</p><ul><li>The same protections apply to everybody who works at the organization or is subject to the actions of its employees, such as temporary personnel, contractors, consultants, vendors, customers, and partners.</li><li>Appropriate training is in place for everybody. That training goes beyond reading the policy to training based on scenarios and case studies; training not only on what not to do but also training that guides people on what to do if they see or are told of sexual (or other) harassment. Additional training may be required for the executive team to ensure they know what to do, how to set expectations, and how to respond to incidents.</li><li><span style="text-decoration:underline;">We understand the level of risk</span>. How many reports are received? How many are investigated? How many are found to be credible? What disciplinary actions are being taken? What are the trends? The Risk function (not internal audit, please) may want to use analytics to monitor the area.</li><li><span style="text-decoration:underline;">We monitor, spot patterns, and act</span>. I heard one large organization talking about hundreds of allegations over a short period. Questions should be asked about the culture, the leaders of the area of the organization where most of the reports arose, and whether there was a broader problem.</li><li><span style="text-decoration:underline;">The level of risk is discussed by the executive committee and the board</span>. 
I would expect at least annual discussion at the board level, more frequent if the level of reports demands.</li><li><span style="text-decoration:underline;">We are confident that people are coming forward</span>. If the culture is perceived as punishing the innocent, then people will be reluctant to come forward — even anonymously. There are tools that can help, from monitoring social media (especially internal posts) to providing safe venues for employees to speak up anonymously.</li><li><span style="text-decoration:underline;">Our leaders are setting the right example</span>. Not only are they vocal, but exemplars in practice.</li><li><span style="text-decoration:underline;">We are prepared for the worst case</span> of a senior executive or board member being subject to accusations. When will the board, CEO, and others be informed? What should they do when? How will the organization respond to media reports?</li><li><span style="text-decoration:underline;">This is on the radar of internal audit</span>. The CAE should work with Legal, HR, and the board to ensure appropriate audit work is performed to ensure the organization understands, monitors, and addresses the risk.</li></ul><p>Anybody, even people we view as high integrity people, may be accused. Let's not get caught by surprise.</p><p>I welcome your comments.</p><p>Norman Marks</p>
<h2>CISOs and Many Others Need to Talk the Language of the Business</h2><p>I came across an interesting piece by Cybereason, <em>CISO Tips: Speaking the language of business</em>.</p><p>The concept of using the language of the business to connect with leadership extends to people like the CRO, CAE, CIO, and many others.</p><p>They recommend six phrases:</p><ol><li>Risk</li><li>Revenue</li><li>Employee efficiency</li><li>Strategic value</li><li>Cost</li><li>Customer satisfaction</li></ol><p>These are six phrases that can come in useful, although I don't like their definition of risk at all!</p><p>I can think of other phrases that should be learned, not in any particular order:</p><ol start="7"><li>Opportunity</li><li>Agility</li><li>Compliance</li><li>Objectives</li><li>Win</li><li>Competitive environment</li></ol><p>There are many more.</p><p>But, it all comes down to thinking like your customer and talking in ways that resonate with them.</p><ul><li>Know what your organization is trying to achieve.</li><li>Know how you can help it succeed, not just avoid failure.</li><li>Communicate in plain language without techno-babble, and listen actively.</li><li>Help everybody else succeed. Make that your job.</li></ul><p>What do you think?</p><p>Are there phrases that should be embraced? What about ones that should be avoided?</p><p>I welcome your comments.</p><p>Norman Marks</p>
<h2>Maybe Objectives, Risk, and Controls Are the Wrong Focus</h2><p>Here's a radical idea.</p><p>Think about it.</p><p>Who takes risk? It's the decision-makers across the extended enterprise.</p><p>If we want reasonable assurance that they are taking the desired level of risk to achieve objectives, we need to know they are making effective decisions.</p><p>How many of us think about whether people know how to, let alone actually make, quality decisions?</p><p>I recently wrote about <a href="/blogs/marks/2017/Pages/The-most-important-audits-I-ever-performed.aspx" target="_blank">audits that I performed</a> to obtain assurance that people had reliable information on which to base their decisions.</p><p>But what if they don't give the decision enough thought, don't involve others, and so on?</p><p>Maybe this should be a focus of our attention.</p><p>Perhaps we should talk to and perhaps partner with human resources and make training in decision-making a required course for every decision-maker.</p><p>Maybe we should think about how we can prevent or detect poor decisions.</p><p>What do you think?</p><p>I welcome your comments.</p><p>Norman Marks</p>
<h2>The Most Important Audits I Ever Performed</h2><p>As I look back at many years in internal audit, two audits stand out — not because we found anything significant, but because they addressed the most significant risks.</p><p>The first was on the reliability (completeness, accuracy, timeliness, and so on) of the "board package." That is the set of materials provided to each of the board members as the basis for discussions at the full board and committee meetings.</p><p>Arguably, the meetings of the board and its committees are where the greatest risks are taken by the organization. So, auditing the controls over the completeness, accuracy, timeliness, and so on of the information provided by the executive team to the board was an important engagement.</p><p>The audit identified some interesting points of concern, including:</p><ul><li>The board package was so massive that it made it very difficult for board members to read, understand, absorb, and be prepared to discuss the materials prior to the meeting. The size was a disincentive. It was also difficult to pick out the key points on which to focus.</li><li>Major portions of the package were provided only a few days before the meeting. As a result, the directors were unlikely to do more than give it a quick review. The meeting spent most of its time just learning what was in the board package instead of discussing the issues it raised.</li><li>The CEO and sometimes his direct reports were selective with the information provided to the board. Information that the board might want to see, such as alternatives to the strategies and plans recommended by the CEO, was not shared with them.</li><li>Information derived from the company's systems was "massaged" prior to being included in the package. That massaging might adversely affect the integrity of the information seen by the board. 
Fortunately, we did not see any errors introduced at my organization.</li></ul><p>The second audit was around the information that the executive team used as a basis for their key decisions. Again, the risk I was concerned about was that the executives would make decisions based on faulty information — surely, a huge potential source of risk to the achievement of objectives.</p><p>We talked to each of the members of the executive team to find out what information they used, both for major strategic decisions and for the daily running of the business. We then identified, assessed, and tested the related controls. I believe this is an area frequently overlooked, both by risk and audit practitioners.</p><p>Risk is taken through decision-making. One of the greatest sources of risk to quality decisions is the information that people rely on when making their decisions.</p><p>Is your audit department concerned with the risk of poor decision-making? Note that faulty information is just one source of risk.</p><p>Does your risk identification and assessment activity consider the potential for poor decision-making? Is this not a critical area to address?</p><p>I welcome your comments.</p><p>Norman Marks</p>
<h2>The Corporate Governance Audit</h2><p>All too often and too easily, corporate governance is evaluated and measured simply by reviewing the structures and processes that an organization implements to achieve lofty ethical principles. However, assessing the effectiveness of governance requires more than reviewing how frequently a board meets, the number of committees an organization may maintain, the language in a code of ethics, or the aspirational pronouncements from the CEO’s office. Evaluating the effectiveness of governance is, at its core, a continuous process of reviewing and measuring behaviors. Such an assessment begins with understanding an organization’s business strategy and culture.</p><p>Ideally, organizations have a business strategy and an aligned business culture. The business culture is a set of risk practices and behaviors that are critical to the success of the business strategy. Accepted risk practices might be driven by the elements of the strategy itself — such as quick decisions, rapid growth, and speed to market — or they might be requested by shareholders concerned with capital preservation and adherence to risk appetite. Third parties, such as regulators interested in compliance, or accepted industry practices, such as fair dealing, also can shape accepted risk practices.</p><p>Good governance provides the oversight to ensure behaviors, however sourced, remain within accepted risk parameters. An effective governance program sets boundaries against conduct that might cause undue risk or ethical impairment to the business strategy, and it includes measurable tools to reward conduct within the accepted culture. Just as business strategies vary, so too do governance oversight models.</p><p>A good starting point when evaluating the scope and efficacy of a governance program is to review the organization’s enterprise risk management (ERM) framework. 
Ideally, the organization will have already identified significant inherent risks in a variety of disciplines, including market, strategy, reputation, operations, technology, law and compliance, and human resources. This risk analysis provides a solid indicator as to the scope, type, and level of governance oversight required.</p><p>The effectiveness of a governance program is best measured in terms of the level of adherence to accepted behaviors. In making this determination, some specific areas to review include: strategy and governance alignment; focused messaging; and measurement, accountability, and consequences.</p><p><strong>Strategy and Governance Alignment</strong></p><p>A first step in examining the effectiveness of governance is to review the fundamental alignment of the organization’s business strategy and culture with the governance oversight model and framework. The type, level, nature (such as proactive or reactive), and scope of the overall governance program should be commensurate with the business strategy and culture. For example, organizations with hard-driving business strategies often require cultures that “push the envelope” on risk taking. What behaviors does the organization require and reward to accomplish its business strategy? High sales levels? Rapid revenue growth? Continuous product introduction? This type of aggressive strategy and culture can result in a substantial level of organizational risk. In such a case, the internal auditor would expect to see a high level of proactive governance oversight in terms of structures, regular reporting on the quality and effectiveness of internal controls, multiple communication channels and issue-escalation paths, scenario-based staff training, and a robust reporting structure to capture potentially adverse behaviors and risks.</p><p>Consider an example in financial services. 
Wells Fargo’s high-risk business strategy was based on rapid and substantial customer fee growth and tied staff compensation to numbers of accounts created. This strategy carried the obvious inherent risk of bogus account creation, which, indeed, occurred. Employees created an estimated 3.5 million false customer accounts. From the outset, this high-risk strategy should have demanded proactive attention to protect the organization and its customers. Ultimately, the lack of a targeted level of governance oversight had dramatic, negative consequences.</p><p><strong>Focused Messaging</strong></p><p>Sound governance requires a clear articulation of the acceptable (and unacceptable) behaviors necessary for accomplishing the business strategy. Senior management is responsible for clearly articulating expected behaviors and verifying the governance structures that effectively carry this message throughout the organization.</p><p>For this reason, the content, level, and quality of the messaging should be reviewed. The messaging should speak to the inherent high-risk areas identified in the ERM framework and provide direction for issue identification, escalation, and resolution. The internal auditor should determine how the messaging is communicated throughout the organization. The auditor also should consider the size and scope of the organization as, especially in the case of large organizations, it is important that the message resonates across wide geographic boundaries, languages, and customs.</p><p><strong>Measurement, Accountability, and Consequences</strong></p><p>While the determination of the business strategy and culture, the governance framework, and the articulated message of acceptable behaviors come from the top down, the determination of the effectiveness of the governance program is best seen in the measurement of behaviors. In other words, measuring effectiveness is a “bottom-up” exercise.</p><p>Behavior measurement is not as difficult as one might expect. 
Behaviors that result in adverse risk taking, lawsuits, fines and penalties, fraudulent or illegal actions, or a wide range of discriminatory or unethical practices generally are tracked and reported. Issues involved in job performance often are tracked in the organization’s performance evaluation system. The reviewer should determine whether the organization has compared the adverse events that are reported to the criteria of acceptable risk and ethical behaviors to improve the governance platform. Questions to consider include:</p><ul><li>Has the organization determined where gaps and vulnerabilities have occurred?</li><li>Has the organization used the results to determine how proactive the governance system has been?</li><li>Have potentially damaging issues been escalated for remediation?</li><li>Have certain categories of adverse behavior decreased?</li><li>Have new controls or training been implemented in significant areas of risk and conduct?</li><li>Has the organization identified geographic areas in which the governance program operates better than others?</li><li>Have the risk issues correlated to those delineated in the organization’s ERM framework?</li></ul><p>In assessing the sustainability of a governance framework, internal audit should look for two ingredients: accountability and consequence. Were instances of adverse behavior subject to both personal accountability and appropriate consequence? Employees quickly know when adverse behavior goes unpunished or when responsibility for such behavior is not acknowledged. Adverse behavior for which there is no accountability results in lack of confidence in the integrity of the governance program, and, ultimately, it impairs program sustainability.</p><p>Internal audit also should evaluate the reward framework: Does the governance program reinforce appropriate behavior via a reward system? 
Organizations in which exemplary behaviors are rewarded are characterized by a governance framework that shows strength and sustainability.</p><p>Every business has its own culture and goals and, therefore, its own risk comfort levels. All businesses can benefit from a strong governance oversight program, with an assessment led by internal audit. An evaluation of governance effectiveness should address not only structure, but also the alignment among strategy, culture, and measurable behaviors.</p><p>Dawnella J. Johnson is a partner at Crowe Horwath LLP and the global leader of its internal audit practice in New York.</p><p>Gary E. Peterson is a managing director at Crowe Horwath in New York.</p>
<h2>What Are the Biggest Risks for Internal Audit This Year and Next Year?</h2><p>There's an interesting article by the consultants at Barclay Simpson on the topic of "<em>What Are 6 of the Biggest Risks for Internal Auditors in 2018?</em>"</p><p>It is not clear to me whether they are answering the question of "What are the biggest risks for internal auditors?" or whether it is an attempt to answer "What are the biggest risks that should be on the audit plan?"</p><p>If it is the first, there's nothing new here and a lot is missing. If it is the second, they have totally missed the mark.</p><p>So what are the biggest risks for internal auditors in 2018? Here are eight things for you to consider.</p><p><strong>1. Auditing risks that don't matter to the board and top executives.</strong></p><p>If internal audit continues to audit risks to processes and business units rather than risks to the achievement of <em>enterprise</em> objectives, it will remain a staff function that costs money rather than delivers critical value.</p><p>If you want auditing that matters, audit <em>what</em> matters.</p><p><strong>2. Failing to communicate what matters when it matters.</strong></p><p>The traditional way of communicating audit results is a formal written report issued weeks if not months after issues are identified. The report says what internal audit wants to say rather than what management and the board need to know.</p><p>We need to deliver the information leadership needs, when they need it, in an easy-to-consume and actionable form.</p><p>There should be more talking and less writing.</p><p><strong>3. An inability to change direction as risks change.</strong></p><p>How agile is internal audit? 
If you don't have the ability to modify the audit plan rapidly and frequently, what assurance is there that you are auditing what matters today and tomorrow?</p><p>Can you provide the information management needs in time to affect their decisions?</p><p><strong>4. A lack of the resources necessary to address the risks that matter.</strong></p><p>Some internal audit departments shy away from sources of risk because, they say, they don't have the ability to audit them. My response to that is that if they are important to the organization, you have to find a way.</p><p><strong>5. Wasting precious time and resources.</strong></p><p>We may start each audit with a focus on enterprise risks that matter. But the work often extends to include risks of concern to local management — or the internal audit staff. Extending the audit work has a cost — the opportunity to perform another audit, one that is focused on another enterprise risk. Consider Parkinson's Law: don't keep auditing just because the time has been scheduled. Once you have an opinion and agreed with management on the necessary corrective actions, STOP.</p><p><strong>6. Auditing the past and not the future.</strong></p><p>There's a reason that the core principles for internal auditing talk about being forward-looking. Richard Chambers talks about foresight vs. hindsight, and I talk about auditing forward.</p><p>The challenges for the organization in the current and future periods should be where we spend our time, assess related controls, and share our insights.</p><p>Telling people what they did wrong in the past only has value if it is relevant to how they will do things in the future.</p><p><strong>7. 
Losing key members of the audit department.</strong></p><p>Hiring, retaining, and getting the most out of personnel is not only an issue for the organization as a whole, it is always an issue for internal audit.</p><p>If CAEs fail to pay attention, fail to be effective leaders and managers of their own team, the quality of work will suffer — and the value of internal audit decline along with it.</p><p><strong>8. Failing to attain and retain the confidence of management.</strong></p><p>If management does not believe we are helping them succeed, why should they support us?</p><p>One area I frequently pick on is the percentage of internal audit "findings" and recommendations that are embraced and implemented by management. Some internal auditors blame management when their recommendations are not acted on promptly, when perhaps they should be questioning whether their recommendations were the right ones. Managers are not stupid. If they don't see the reason for a change, they won't make it. Auditors need to listen actively to ensure they understand management's perspective and whether suggested corrective actions make business sense. They also need to ensure that they have communicated their concerns effectively. Putting issues in writing is not the same as being persuasive.</p><p>Internal audit can and should be perceived as helping management and the organization as a whole succeed. When 90 percent of their recommendations are embraced (i.e., not just passively implemented because "internal audit said so"), that is an unacceptable 10 percent failure rate.</p><p>Our focus should 100 percent be on helping the organization succeed. We are at risk ourselves if we are seen as irrelevant to that task.</p><p>I welcome your comments and perspectives.</p><p>Norman Marks</p>
<h2>The Auditor of the Future</h2><p>The concept of the "future" auditor was introduced by Protiviti three years ago.</p><p>Brian Christensen and Jim DeLoach have returned to the topic in <em>Internal Auditors: Want To Ensure Your Value And Relevance? Raise The Bar Within Your Profession</em>.</p><p>This is a useful piece that merits our attention.</p><p>Let me first share and then comment on the primary points from 2014, reprised in Jim and Brian's piece:</p><p><span class="ms-rteStyle-BQ">[The future auditor]:</span></p><ul><li><p><span class="ms-rteStyle-BQ">Is positioned to be objective with regard to the enterprise's operating units, business processes and shared functions and is vested with a direct reporting line to the board of directors or a committee of the board;</span></p></li><li><p><span class="ms-rteStyle-BQ">Understands the organization's business objectives and strategy and identifies risks that create barriers to the organization's achieving its objectives and executing its strategy successfully;</span></p></li><li><p><span class="ms-rteStyle-BQ">Is authorized to evaluate and challenge the design and operating effectiveness of the organization's governance, risk management and internal control processes that address its critical risks and creates value by making recommendations to strengthen those processes and keeping the appropriate executives and directors informed regarding open matters;</span></p></li><li><p><span class="ms-rteStyle-BQ">Uses a lines-of-defense perspective to ensure that risk management and internal control are functioning effectively;</span></p></li><li><p><span class="ms-rteStyle-BQ">Articulates the value contributed by a risk-based audit plan to the organization, providing an assurance perspective that the board and executive management can understand;</span></p></li><li><p><span class="ms-rteStyle-BQ">Maximizes the use of technology to achieve efficiencies in assessing risk, expanding 
audit coverage, automating critical internal controls, tracking issues, providing exception reports and mining and analyzing data to draw meaningful insights regarding emerging risks and process and control performance; and</span></p></li><li><p><span class="ms-rteStyle-BQ">Possesses escalation authority and proactively exercises that authority to bring important matters to the attention of executive management and the board on a timely basis.</span></p></li></ul><p>Each of these points is important, but:</p><ul><li>It is critical for <span style="text-decoration:underline;">the people running the business</span> to understand the objectives and related risks. Internal audit should determine whether that is the case and, if not, bring that serious matter to the attention of leadership. <em>It is not internal audit's job to identify and assess risk</em> — that's a management function and one of the most important responsibilities they have.</li><li>Internal audit should seek to rely on management's identification and assessment of risks. If that is not reliable, <em>teach them to fish</em>.</li><li>Internal audit should not only be "authorized to evaluate and challenge the design and operating effectiveness of the organization's governance, risk management, and internal control processes that address its critical risks." They should actually <em>evaluate those processes and share their assessment with leadership</em>.</li><li>While technology can be a great tool, emphasizing it instead of other points like having a deep understanding of the business seems more like a marketing point for Protiviti's services.</li></ul><p>The rest of the Protiviti points are very good and I won't comment further — please read and consider them.</p><p>However, there is an important omission. We addressed this when we (The IIA's task force) developed the core principles for effective internal auditing.</p><p>The principles talk about "<em>foresight</em>." 
I like to talk about "<em>auditing forward</em>."</p><p>In other words, worry about the risks that lie ahead of us rather than those in our past. Does the organization have the capability to anticipate what might happen and take appropriate action?</p><p>Let's not audit history — let's provide advice and insight that helps the organization navigate its way forward to its objectives.</p><p>I welcome your comments and observations.</p><p>Norman Marks</p>
<h2>&lt;IR&gt; Makes Progress</h2><h2>As integrated reporting &lt;IR&gt; gains traction globally, what role can internal auditors play?</h2><p>Internal audit professionals’ expertise puts them in a prime position to provide guidance to management on ways to protect and create value. The role of internal auditors is becoming more strategic as they identify key risks and provide assurance over increasingly broad value drivers. Internal auditors are key to effective integrated thinking, already having a sound understanding of the business and close relationships with the key players in the reporting process. The IIA has been a driving force behind &lt;IR&gt;.</p><p>However, &lt;IR&gt; is not yet well known enough in the U.S. There are big advocates of &lt;IR&gt; within the U.S. — General Electric, PepsiCo, JLL, and Prudential Financial are among the 25 organizations producing integrated reports. The largest U.S. public pension fund, CalPERS, has called on boards to provide an integrated report, and BlackRock CEO Larry Fink has called on businesses to set out a strategic framework for long-term value creation.</p><p>Staff</p>
<h2>Should Internal Audit Have a Seat at the Table?</h2><p><span class="ms-rteThemeForeColor-9-0">**Warning** The comments in this post do not reflect those of The IIA!</span></p><p>Having a "seat at the table" seems to be the goal of many internal auditors.</p><p>Do they deserve a seat alongside senior executives at the top management table? Or do they deserve a seat with other support personnel, at a table designated for leaders of a business unit, or one where middle management sits?</p><p>The goal seems to be to sit among people like the CEO, chief financial officer, chief operating officer, general counsel, and the executive vice presidents. In practice, that is rarely achieved. Why?</p><p>It's because title and position (such as reporting to the board or CEO) matter much less than what you can contribute to the discussion at the top table.</p><p>When board members and CEOs share the views of Drew Stein (a board member and former CEO in New Zealand), internal audit will sit somewhere closer to the kitchen than to the CEO. He considers internal audit today and asserts:</p><ul><li>Almost all of internal audit findings are mundane operational compliance issues, which management, when notified, can attend to and rectify in an immediate sense. 
While important to ensuring operational integrity, these issues are not earth-shattering.</li><li>The majority of operational compliance issues and minor financial irregularities are in the first instance identified by management during their normal duties and not by the internal audit group.</li></ul><p><strong>If internal audit is to earn a place at the top table, they have to:</strong></p><ul><li><strong>Audit what matters, and</strong></li><li><strong>Communicate assurance, advice, and insights that matter.</strong></li></ul><p>What they do has to <em>matter</em> to the people at the top table, so they are <span style="text-decoration:underline;">eager</span> to listen to what internal audit has to say.</p><p>Why? Because it matters to the achievement of their personal and enterprise goals. It helps them run the organization successfully.</p><p><em>Auditing That Matters</em> is my attempt to guide those seeking a seat at the top table by accomplishing these two objectives. It challenges CAEs to understand and address risks to <em>enterprise</em> objectives, then to tell those at the top table <em>what they need to know</em> instead of what we traditionally like to report: what they need to know to be successful.</p><p>I thought people were coming along with me in this direction, but then I saw a new Practice Guide from The IIA: <em>Engagement Planning: Establishing Objectives and Scope</em>. The underlying IIA <em>Standards</em>, the 2200 series, talk about identifying the risks "relevant to the activity under review." This <em>should</em> mean understanding where what happens at that location, department, or unit is a <em>source of risk</em> to an <span style="text-decoration:underline;"><em>enterprise</em></span> objective. 
In other words, the audit should still focus on <em>enterprise</em> risk, though limited to how it is affected by local operations, rather than on risk to local objectives.</p><p>However, when the Practice Guide talks about performing a "preliminary engagement-level risk assessment" by mapping local business processes and brainstorming, I fear that the result will be audits of what matters <em>to that location</em> but not necessarily what matters to the enterprise as a whole.</p><p><strong>It shouldn't be necessary to perform a detailed engagement-level risk assessment</strong>. The location, unit, or process should be on the audit plan because it has already been identified as a potential source of risk to one or more enterprise objectives.</p><p>An audit should not be put on the audit plan because the area has a lot of revenue, assets, people, or even complex systems.</p><p><strong>It should be there because it is seen as </strong><strong><em>a source of risk to enterprise objectives</em></strong><strong>.</strong></p><p>All you need to do at the engagement level is focus a little (not a lot) deeper on those potential sources of risk and decide how to assess and audit the related controls. Recommending detailed process and control mapping is more often than not unnecessary and a waste of our most valuable resource — time.</p><p><strong>The goal should be to provide assurance, advice, and insights that matter to the board and top management because they will help them navigate risks to the achievement of the objectives that matter to them — enterprise objectives.</strong></p><p>If what you have to say matters to the people at the top table, because it includes advice, assurance, and insights that are actionable and help leaders run the organization as a whole, you will be welcome! If what you have to say only really matters to middle management, that is where you will sit. 
If what you have to say is seen as a police report, you will sit by the kitchen.</p><p>Does your internal audit function assess, audit, and provide assurance, advice, and insight on what matters to the top table?</p><p>I welcome your comments.</p><p>Please join the discussion by clicking the Subscribe button.</p>Norman Marks
How Should You Audit and Assess Risk Management?<p>A few years ago, I wrote that CAEs who didn't audit risk management at their organization "deserved a seat at the children's table."</p><p>This upset a few people, including some in positions of authority.</p><p>But the underlying position has become pretty much accepted around the world, and is even required by a number of corporate governance codes.</p><p>If you don't manage risk effectively (it's better to talk about how the organization as a whole manages risk than to imply you are talking only about the risk management function), then you are driving the freeway of life without looking ahead.</p><p>Risk management is about more than the periodic review of a list of top risks. That is driving the freeway of life and only looking up and ahead every 15-20 minutes.</p><p>Risk management is about:</p><ul><li>Setting the right strategies and objectives to deliver value, considering what might happen (risk).</li><li>Understanding how the achievement of objectives may be affected by events and situations as management and staff execute those strategies.</li><li>Acting to modify the likelihood and effect of those events and situations, recognizing that each event or situation can have multiple consequences — some favorable and some adverse.</li><li>Ensuring that decisions are informed and intelligent, whether in setting or modifying strategies, or in executing them every day through management decisions across the extended enterprise, such that the <em>right levels of the right risks</em> are taken.</li><li>Monitoring and reporting so that board members and senior managers understand not only the levels of individual sources of risk, but whether they are likely (or not) to achieve each of their objectives.</li></ul><p>You could audit and assess risk management in a number of ways. 
For example:</p><ul><li>An audit of compliance with corporate risk policies and procedures.</li><li>Assessing risk management maturity, using one of the available risk management maturity models (I have a few in <a href="" target="_blank"><em>World-Class Risk Management</em></a>).</li><li>Assessing whether the principles for effective risk management are achieved (drawing on those in ISO31000:2009 or in COSO ERM 2017 — <a href="" target="_blank">see here for a discussion</a>).</li></ul><p>I personally like a risk- and objectives-based approach to pretty much any audit. Here the objective is to manage risk at desired levels. There are multiple risks to achieving that objective (again, described in detail in my book), such as failures to:</p><ul><li>Include the appropriate people in decisions where risk is taken.</li><li>Obtain reliable, current, and timely information on which to base decisions.</li><li>Address cognitive bias, which can affect both an individual's and a group's assessment of risk.</li><li>Ensure the desired attitude towards risk: behaviors that are influenced by the culture of the organization, a location, function, or business unit.</li><li>Obtain buy-in from all key individuals at all levels of management.</li></ul><p>This is what I recommend for anybody seeking to audit and assess risk management (or the management of risk).</p><ul><li>Understand risk management and its principles. ISO31000:2009 and the 2017 COSO ERM Framework are just two possible sources, but I would also recommend my book and that of John Fraser, <a href="" target="_blank"><em>Implementing Enterprise Risk Management: Case Studies and Best Practices</em></a>.</li><li>Understand what the organization needs from risk management. Start with understanding how and where decisions are made and risks taken. In fact, understanding who makes decisions, and therefore takes risk, is critical to understanding how risk is managed. 
Is it centralized or decentralized? Do individuals have a lot of autonomy in decision-making, or is consensus required? Is risk dynamic, volatile, or relatively stable?</li><li>What are the risks to effective risk management? What could go wrong, and what needs to go right, for there to be reasonable assurance that the right levels of the right risks are taken? ("Right" means what is desired and possibly approved by the executive management team and the board.)</li><li>What controls are in place to address these risks?</li><li>Is the design adequate? If the controls are operating consistently as designed, is there reasonable assurance that risk will be managed at desired levels?</li><li>Perform controls testing to obtain assurance that they are operating effectively as designed.</li><li>Assess the results of your work. Where is risk management on the maturity curve? What can and should be done to improve it at an appropriate cost? Recognize that one of the costs may be slowing down decision-making and losing operational opportunities.</li><li>Communicate the results and your insights.</li></ul><p>This should work.</p><p>It will provide assurance and insight on whether you have the <em>right</em> risk management for the organization, not just whether it complies with a standard or policy.</p><p>I welcome your comments.</p><p>Please join the conversation by clicking Subscribe, below.</p>Norman Marks