From Risk Management to Risk Leadership
<p>My congratulations go to <em>NonProfit Quarterly</em> for their interview this month with David Renz [1].</p>
<p>"<a href="" target="_blank">From Risk Management to Risk Leadership: A Governance Conversation with David O. Renz</a>" has great content, not only for nonprofits but for <span style="text-decoration:underline;">all</span> of us. Here are some excerpts (<em>emphasis</em> added):</p>
<ul>
<li>The imperative here is to embrace risk leadership rather than just risk management. The question is, <em>are we taking the most appropriate risks our constituents and stakeholders deserve from us, as well as engaging in an appropriate level of fiduciary care</em>?</li>
<li><em>The risk-averse — and, frankly, risk-agnostic — character of board behavior leads organizations to continue operations in program areas beyond the time when they are really delivering the greatest value to and for the stakeholder and client communities they exist to serve</em>. There is less perceived risk in being slow to act to make change; organizations seem to think it's safer to make the move to new and different kinds of programming — innovative and entrepreneurial new strategies — only when it's extremely clear that such change is necessary and well advised. <em>But the risk is that of mission performance</em>. You may well be short-changing your clients in a world where the changes in client need warrant earlier and more dramatic changes in programs and services.</li>
<li>For me, the bottom line is that there is <em>a myriad of elements that combine to affect how well a board and its members address the issue of risk</em> in the governance of a nonprofit organization. Some are the result of varying levels of knowledge, experience, and overt attention that boards and their members bring to the consideration of risk and what is warranted and appropriate for their organization; and some are the result of seemingly irrelevant factors, such as group and interpersonal dynamics. And they all affect organizational effectiveness. <em>It's time for executives and boards to consider how to more fully and effectively prepare boards to engage in the increasingly important work of risk leadership as well as risk management. Our organizations' futures depend on doing this well.</em></li>
</ul>
<p>What I like is the recommended shift from traditional risk management thinking — <em>what might go wrong</em> — to a focus on whether the <em>right levels of the right risks are being taken</em> (something I discuss at length in <a href="" target="_blank"><em>World-Class Risk Management</em></a>) — the result of <em>informed and intelligent decision-making</em>.</p>
<p>Those involved in nonprofit leadership will benefit from the discussion of board functions at those organizations, but several of the points also are relevant for other organizations, including whether group dynamics affect board decisions.</p>
<p>I close my in-person presentations with a slide that asks whether you are helping your organizations succeed.</p>
<p>The focus of risk practitioners has to be answering this same question: "Are you helping your executives, board, and management across the extended enterprise make informed and intelligent decisions that drive the organization to success — the achievement of its objectives by intelligent risk-taking?"</p>
<p>Making executives or the board risk-averse is paving the path to failure, not to success.</p>
<p>Please contrast this article and discussion with my other post on <a href="" target="_blank">Positioning risk management to succeed</a>.</p>
<p>I welcome your comments.</p>
<p>Please join the conversation by clicking on the Subscribe button, below.</p>
<p>[1] David Renz is the Beth K. Smith/Missouri Chair in Nonprofit Leadership and the director of the Midwest Center for Nonprofit Leadership, an education, research, and outreach center of the Department of Public Affairs in the Henry W. Bloch School of Management at the University of Missouri-Kansas City.</p>
Norman Marks
Those Who Serve and Lead the Practice of Internal Auditing
<p>Recently, my good friend Mike Jacka made some interesting observations in his post, <a href="/blogs/jacka/2017/Pages/Standards-Versus-the-Status-Quo.aspx?utm_campaign=Jacka+Blog&utm_medium=social&utm_postdate=07/05/17&utm_source=facebook">Standards Versus the Status Quo</a>.</p>
<p>He pointed out that:</p>
<ol>
<li>Many volunteer their time and serve on committees and leadership positions, helping move the practice of internal auditing forward. Mike references membership of The IIA's international committees (I met Mike when we served on the same committee), but people also volunteer their time at the national and local level.</li>
<li>If you don't like The IIA's <a href="" target="_blank"><em>International Standards for the Professional Practice of Internal Auditing</em></a>, you can influence change by joining one of the committees that write them or by providing guidance on their adoption. (I served on one of those committees.) You can also provide feedback to The IIA when updated or new standards are proposed.</li>
</ol>
<p>Others volunteer their time with presentations at IIA and other conferences, writing articles for the global and national IIA periodicals (which I strongly encourage), and more.</p>
<p>The majority serve without the appreciation and recognition they deserve.</p>
<p>The Global and North American Boards recognize a few with formal awards:</p>
<ul>
<li><a href="" target="_blank">IIA Global</a>: Bradford Cadmus Memorial Award; Victor Z. Brink Award for Distinguished Service; and William G. Bishop III, CIA Lifetime Achievement Award.</li>
<li><a href="" target="_blank">IIA North America</a>: American Hall of Distinguished Audit Practitioners</li>
</ul>
<p>IIA–Australia has the <a href="" target="_blank">Bob McDonald Award</a> and I am sure other national institutes and local chapters recognize outstanding contributors.</p>
<p>But there are many who deserve more.</p>
<p>They may have been nominated for awards. I don't know how all the selections are made, but in my experience they are by committees whose members may not appreciate in full the contributions and even sacrifices people have made.</p>
<p>Sometimes, the awards are made more for their work within The Institute than how they have helped the practice of internal auditing move forward.</p>
<p>Sometimes, the people recognized are paid by their organization to be active in the profession because it is a form of marketing. I much prefer those that volunteer their time simply to advance professional practices rather than for personal reward.</p>
<p>Nevertheless, the few selected have certainly made significant contributions and merited recognition.</p>
<p>So what is my point?</p>
<ol>
<li>I salute those who serve out of the goodness of their heart, especially without recognition.</li>
<li>I encourage everybody to join in the nomination processes when the notices come out.</li>
<li>I ask that you name, here, individuals that you believe should be recognized.</li>
</ol>
<p>Who should we applaud for their contributions to the practice of internal auditing?</p>
<p>Please join the conversation and see who is nominated by clicking on Subscribe, below.</p>
Norman Marks
Navigating Privacy in a Sea of Change
<p>In the global governance landscape — including risk, audit, and compliance functions — change is pervasive and continuous, making oversight and management of change critical to an organization's governance model. There is perhaps no better example than the ongoing upheaval, questions, and transformation occurring in the European Union (EU) in regard to data protection regulations. Following the finalization of the General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, legal challenges and a stream of questions began immediately. While these events may seem removed from daily concern for U.S.-based organizations, compliance with the GDPR is required to operate in the EU/European Economic Area, and privacy can no longer be a casual function for organizations.</p>
<p>The GDPR focuses on personal data and, specifically, the right to privacy. Personal data is any information relating to the data subject, who can be identified, directly or indirectly, by reference to an identification number or to one or more specific factors, such as name, birth date, gender, address, phone number, resume or talent information, national identifiers, or bank account or credit card numbers. These broad considerations require analysis by compliance and audit professionals to ensure risks are identified and addressed and control points captured.</p>
<p>Both data controllers and data processors have specific obligations under the new regulation. The data controller is the organization that controls access to and processing of personal information; the data controller determines the purposes and means of the processing of personal data. The data processor is the natural or legal person, public authority, agency, or any other body, including service providers, that processes personal data on behalf of the controller.</p>
<p>While core elements of the regulation are based on prior requirements such as fairness, transparency, purpose limitation, data minimization, quality, security, and confidentiality, the new regulation introduces the accountability principle, providing a direct requirement for oversight and governance of the privacy program.</p>
<p>The changes incorporated into the new regulations require focus, analysis, investment, and incorporation of privacy governance into an organization's governance model, including the audit universe and plan. Review and assessment of these structures should be part of the ongoing audit plan.</p>
<p><strong>Extraterritoriality Effect</strong> The GDPR regulations were designed to extend beyond the EU and do not exclude organizations based on size or corporate jurisdiction. Even businesses without a geographical presence in the EU may fall under the scope of the regulation. This can be triggered simply by providing goods or services to EU citizens or by allowing individuals to create online user accounts or profiles that can then be tracked and monitored. EU-based organizations must comply with the regulation based on their jurisdiction. Internal audit should coordinate with compliance and privacy professionals to ensure the new requirements are understood and assessed.</p>
<p><strong>Program Governance and Policy Management</strong> Organizations must identify the privacy/data protection program owner and name a data privacy officer. This owner must be aligned organizationally to allow for oversight of the many departments required to participate. Given the extensive requirements associated with the GDPR, full compliance cannot be achieved through disparate or disconnected efforts. Further, application of organizationwide policies, procedures, controls, and monitoring will help ensure consistent alignment of data protection requirements across locations and operations. Privacy program reviews should consider applicable policy updates to ensure specific consideration is given to the regulation within the company's privacy policy. In addition, given the cross-functional reach of privacy requirements, auditors should ensure updates are considered within other functional policies such as software development (e.g., privacy by design considerations) and human resources (e.g., employee data management practices).</p>
<p><strong>Data Mapping and Privacy Impact Assessments</strong> Understanding the scope and associated obligations is critical in establishing any governance program. The GDPR considers the activities of data mapping — identification and classification of information assets — and a privacy impact assessment. The results of these activities will guide the remaining program structure and assessment activities. Auditors should coordinate with the compliance or privacy team to ensure these key scoping steps are completed. They provide the foundation for the privacy program assessment as well as key inputs into overall audit universe and risk assessment activities, and thus should be incorporated into audit planning and testing programs.</p>
<p><strong>Contract Management</strong> Contractual partnerships and organizations also are in scope for considering the impact to privacy, as often these entities touch, handle, or transfer data. Through an established contract management process, an organization can identify, assess, and respond to data protection obligations across entities. Processes should consider both client contracts, which may require use of standard contractual clauses for cross-border transfers, and vendor and supplier contracts. Within vendor and supplier contracts, companies must ensure obligations are extended to the partner organizations. Internal audit should review contract management procedures with legal and procurement teams to ensure processes are in place to extend and monitor compliance with obligations.</p>
<p><strong>Notice and Consent Obligations</strong> Specific obligations for notice and consent may vary based on an organization's service offering and client interactions. The GDPR requires specific, informed, unambiguous, and in some cases explicit consent to process personal data. Audit should review these processes to ensure both internal associate and client data is maintained and used in accordance with the notice and consent structures in place, or that necessary modifications are made.</p>
<p><strong>Operational Considerations</strong> Organizations also must consider storage and movement of personal data within their systems, especially if data is being transferred to or accessed from a non-EU country. A "cross-border transfer" considers both actual data movements and access to the data from outside the originating jurisdiction. Collecting, recording, accessing, using, storing, retrieving, or reading data outside the originating jurisdiction constitutes a transfer. Auditors should incorporate into annual test plans both access-based and process-based control tests to ensure data transfers are managed correctly.</p>
<p><strong>Data Security Considerations</strong> While obligations for appropriate technical and organizational measures continue to apply as established by prior regulations, the GDPR includes enhanced breach notification obligations. As such, organizations must ensure their incident response policies and procedures align with the requirements. Review of both incident response and overall security controls should be included in audit's annual plan to ensure a timely response is possible and, if not, that adjustments are made.</p>
<p>These steps can set a course toward governance structures aligned with the data protection regulations. Repercussions of noncompliance are high, with impact to core operations and fines potentially reaching 2 percent to 4 percent of global revenues. Internal audit is key in enhancing ongoing compliance.</p>
<p>As the global privacy landscape changes, organizations must establish both privacy governance structures and a regulatory change management process. This includes defining ownership, refining assessments to incorporate new and changed requirements, and continuing to enhance internal plans and programs. Change must be part of the governance model for privacy and data protection, and auditors should review these structures to confirm appropriateness.</p>
Melissa Ryan
What Makes a Good Board?
<p>Recently, a number of pieces have been published with guidance for assessing how well your board of directors is performing.</p>
<p>They merit the attention not only of board members and their advisors, but internal auditors and risk practitioners (because of governance-related risks).</p>
<p>One is by Dr. Debra Brown of Governance Solutions (formerly Brown Governance).</p>
<p><a href="" target="_blank">The Top Ten Markers Of A High-Performance Board</a> is the result of her 25 years of working with boards and makes some interesting points.</p>
<p>The ten attributes are:</p>
<ol>
<li>Practice participative leadership.</li>
<li>Share responsibility.</li>
<li>Align with purpose.</li>
<li>Encourage high levels of communication.</li>
<li>Focus on the tasks of the board and the results of the organization.</li>
<li>Orient toward the future.</li>
<li>Make use of diverse and creative talents.</li>
<li>Respond rapidly to organizational needs.</li>
<li>Have a healthy risk appetite.</li>
<li>Are comfortable with dissent.</li>
</ol>
<p>I like all ten, especially #6 and #9. This is what she says about risk appetite, which may surprise you:</p>
<p><span class="ms-rteStyle-BQ">An inordinate amount of focus has been placed on the downside of risk at the cost of upside opportunity. A high-performance board has a risk appetite suitable for the organization and the sector it is in — it decides on opportunities in a calculated and measured way, while at the same time acting with courage, wisdom, and common sense.</span></p>
<p>A different perspective is offered in <a href="" target="_blank">12 Questions to Determine Board Effectiveness</a>. The twelve questions are true or false questions:</p>
<ol>
<li>My board maintains a proper ratio of governing vs. executing.</li>
<li>My board possesses the required competencies to fulfil its duties.</li>
<li>The frequency and duration of my board meetings are sufficient.</li>
<li>How frequently does your chairperson meet with management: weekly, fortnightly, monthly, or otherwise?</li>
<li>Is this frequency excessive, adequate, or insufficient?</li>
<li>My board possesses the ideal mix of competencies to handle the most pressing issue on the agenda.</li>
<li>The executive team is competent/capable. If "false," is your board acting on this?</li>
<li>My chairperson is effective.</li>
<li>Does your board effectively make use of committees? If "yes," how many and for which topics? If "no," why not?</li>
<li>Recruitment/nomination of new board members adheres to a robust process.</li>
<li>My board performs a board review annually.</li>
<li>Think of a tough decision your board has made. Recall how the decision was reached and results were monitored. Was "fair process leadership" (FPL) at play?</li>
</ol>
<p>These are all good food for thought, but are they sufficient?</p>
<p>While #7 is critical ("The executive team is competent/capable. If 'false,' is your board acting on this?"), surely it should be #1, not #7!</p>
<p>How about these questions?</p>
<ol>
<li>Does the board exercise an appropriate balance of trust and skepticism when listening to the executive team? Does it at all times represent the interests of the stakeholders?</li>
<li>Does the board persist with its questions when the answers from the executive team are insufficient?</li>
<li>Does the board have a sufficient understanding of the organization's ability to create value for stakeholders and the environment in which it operates to be comfortable that the best strategies, goals, and objectives have been set among available options?</li>
<li>Does the board have a sufficient understanding of those strategies and plans to provide effective oversight and constructive advice?</li>
<li>Does the board have confidence in the ability of management to identify and manage risks to the achievement of its objectives in a dynamic and turbulent world?</li>
<li>Does the board have confidence in the culture of the organization and behavior of its personnel at all levels?</li>
<li>Is the board ready and willing to "fire" directors when they no longer provide the necessary value?</li>
<li>Do the members of the board have sufficient access to members of the management team?</li>
<li>Does the board receive the information it needs, when it needs it, in a useful form?</li>
<li>Does the board set executive compensation levels and targets that balance the need to attract and retain talent with the interests of its stakeholders?</li>
</ol>
<p>I think the board is unlikely to be effective if it fails any of these 30 questions, and there are probably more that can be asked.</p>
<p><span style="text-decoration:underline;">For the board</span>: consider these in your self-assessment and in driving necessary change.</p>
<p><span style="text-decoration:underline;">For risk practitioners</span>: understand the risk of poor or ineffective governance and consider how that should be communicated.</p>
<p><span style="text-decoration:underline;">For internal auditors</span>: understand the risk of poor or ineffective governance and find a way to help the board address it.</p>
<p>I welcome your comments.</p>
<p>Please join the conversation by clicking the Subscribe button, below.</p>
Norman Marks
Responding to the Cyber Crisis
<p>It's in the news again.</p>
<p>A new ransomware attack (Petya) that spans the globe was not promptly detected or prevented by corporate defenses. It's headline news everywhere.</p>
<p>Plus, all indications are that our ability to address the mounting threats is insufficient. Have a look at this survey, <a href="" target="_blank"><em>Majority of Organisations Are in the Dark Regarding Daily Network Attacks</em></a>.</p>
<p>So what should the board, top management, risk practitioners, and internal auditors do?</p>
<p>Some consultants and advisors are diving into the weeds. I put a recent piece by a marketing manager at Protiviti in that category. Her blog post "<a href="" target="_blank">What Is Internal Audit's Role in Cyber Security?</a>" is not particularly useful.</p>
<p>Frankly, I don't find The IIA's Global Technology Audit Guide (GTAG) <a href="" target="_blank">Assessing Cybersecurity Risk</a> particularly helpful either.</p>
<p>Board members, executives, and practitioners need to take a breath and step back.</p>
<p>Look at the big picture, not the weeds.</p>
<p>Ask yourselves these questions:</p>
<ul>
<li>We are being attacked constantly. What would happen if and when there is a breach of our defenses and we are held to ransom? What would the consequences be? How would our corporate objectives be affected by an inability to use the systems until the threat is removed, probably by paying the ransom? Do we have a response plan and process in place to act quickly enough?</li>
<li>What if the breach led to a longer period of disruption? How would that affect our business and our ability to achieve our strategic objectives? How confident are we in our ability to respond and bring our systems back quickly?</li>
<li>On the other hand, what if the hackers wanted to steal confidential information, our intellectual property, or information they could use to attack our partners and customers? How confident are we that we would be able to prevent or detect a breach by such hackers, know what they have taken, and then respond to mitigate any damage? How would our business be affected? What strategic objectives might fail?</li>
</ul>
<p>Then ask how much you would be willing to pay to prevent any of the above. Is it more than currently dedicated? Would committing additional funds and resources reduce the risk sufficiently?</p>
<p>I am not persuaded that any but a few massive organizations can afford all the resources, including tools, to satisfactorily address the risk.</p>
<p>I would ask whether it would make more sense to use a cybersecurity service provider. They have the specialists with current knowledge and the tools necessary.</p>
<p>But first you have to know how the business would be affected — the effect of one or more cyber breaches on the business.</p>
<p>Risk and audit professionals should be paying attention to cyber risk.</p>
<ol>
<li>Does the organization have a good handle on the organization's cyber-related business risk, as discussed above?</li>
<li>Does leadership, from the CEO down to and including the information security team, have confidence that there is an acceptable level of prevention and detection, that the risk they are taking is acceptable?</li>
<li>Is the information security team sufficiently resourced, in their opinion? If not, why do they believe there are gaps and why has management not provided additional funding? Is it because the practitioners and executives have a different view of cyber risk; is it because resources need to be allocated to more important areas — and that is appropriate? Can the risk or audit practitioner help bridge the gap in understanding between management and the information security team?</li>
</ol>
<p>Only after addressing these questions and related issues would I dive into assessing individual or groups of weeds — the detail.</p>
<p>Understand the big picture and the level of cyber-related business risk before assessing individual vulnerabilities, defense, detection, and response mechanisms.</p>
<p>Do you agree?</p>
<p>I welcome your views.</p>
<p>Please join the conversation by clicking on the Subscribe button.</p>
Norman Marks
Taking Richard Chambers’ Post to the Next Level
<p>In "<a href="/blogs/chambers/2017/Pages/Management-vs-Internal-Audit-5-Frequent-Sources-of-Tension.aspx" style="background-color:#ffffff;">Management vs. Internal Audit: 5 Frequent Sources of Tension</a>," Richard Chambers (whom I consider a friend) raises some good points about tension between internal audit and management.</p>
<p>He first covers the situation where management wants to cut internal audit resources (perhaps as part of an overall cost-cutting initiative). I agree with Richard's perspective that the audit committee needs to make an informed decision and have actually used the technique he recommends. I also agree with his comments about disagreements on the level of risk when internal audit is not able to rely on a mature ERM program.</p>
<p>I only wish that Richard had pointed out that the absence of effective risk management is itself a serious risk to the organization that merits discussion with top management, the audit committee, and possibly the full board.</p>
<p>His third point relates to disagreements about the results of an audit.</p>
<p>I think we have to be very, very careful here.</p>
<p>The people who run the business are not idiots.</p>
<p>Let's not hastily assume they "don't get it."</p>
<p>We need to listen actively and very carefully to their rebuttal. There are multiple potential reasons for disagreement, including:</p>
<ul>
<li>We are right and they don't understand their own operation and its risks — how likely is that?</li>
<li>We are right and they are willing to take risks that we believe the board would not support — this happens, but not that often (thank goodness).</li>
<li>We are right on the facts but don't have a complete view of the big picture. Perhaps the risk is one that should be taken by the organization. We need to listen so we can grasp that big picture. We may still disagree, but it would be an informed disagreement and management would know that we have an honest and informed disagreement that can be settled by senior management or the audit committee.</li>
<li>We are wrong on the facts and need to listen to understand how.</li>
</ul>
<p>If we take every disagreement to more senior management and possibly higher without making every effort to both listen and understand, we are asking for trouble. Even if we are right, it will be a Pyrrhic victory as we deservedly lose the confidence and trust of operating management.</p>
<p>Richard goes on to talk about ratings and opinions.</p>
<p>I hate ratings. They don't mean anything!</p>
<p>Our stakeholders need <em>actionable</em> information about the effect of any deficiencies we find on the achievement of enterprise objectives. A rating is an expression of pleasure or displeasure that is unlikely to change any strategic decision or action.</p>
<p>But if we use the full extent of the (English or other native) language to explain why what we find matters, providing them with assurance, advice, and insight that helps them lead the organization to success, then we are earning our pay.</p>
<p>Tell them which objectives may be at risk, not that things are or are not satisfactory.</p>
<p>His last point is about relations with the audit committee and, by inference, management. One of the causes for this can be that we are not seen as helping top management succeed. We are pointing out possibilities for failure but not positioning ourselves as partners in success — and then delivering on that promise.</p>
<p>That requires a culture shift by internal audit that can lead to a culture shift by management.</p>
<p>As always, I welcome your comments.</p>
<p>Please join the conversation by clicking the Subscribe button, below.</p>
Norman Marks
Very Useful Guidance on Risk Management Best Practices Useful Guidance on Risk Management Best Practices<p>​I​​ want to congratulate IIA–Norway for their recent publication, <a href="" target="_blank" style="background-color:#ffffff;">Guidelines for the Risk Management Function</a> (PDF). A group of practicing risk practitioners developed this guide with the aim of describing best practices regardless of industry.</p><p>I like a lot of what they say, for example (<span class="ms-rteForeColor-2">emphasis </span>added):</p><ul><li><span class="ms-rteForeColor-2">The taking of risk is a natural part of running any enterprise, but it is often not explicitly stated in the formulation of business decisions</span>. The expression "risk" has often been exclusively associated with unwanted events, and risk management has been defined as analyzing and restricting the probability and impact of unwanted events. This is only one dimension of the total picture. <span class="ms-rteForeColor-2">Evaluating positive outcomes is just as important an element of ERM as evaluating the downside as ERM is concerned with the whole picture enterprisewide and evaluating risk strategy in relation to a portfolio of risks.</span></li><li>The objective of ERM is to maintain risk at an acceptable level and ensure the best balance possible between threats and opportunities — in line with the risk appetite and business strategy of the board and executive management. It is <span class="ms-rteForeColor-2">concerned with ensuring the achievement of goals</span> as the enterprise develops and appropriate management of the organization's assets, including avoidance of losses as a result of unwanted events.</li><li>A prerequisite for being able to exercise sound risk management is therefore that there are clearly defined goals at the strategic level, to which goals at other levels in the organization may be linked. 
In this way <span class="ms-rteForeColor-2">risk evaluations at all levels will be linked to a hierarchy of objectives which supports the enterprise's overall strategy</span>.</li><li>In practice this means <span class="ms-rteForeColor-2">ensuring the best possible basis for arriving at decisions at the various levels of the organization, so that the decisions made will support the overall objectives</span>. Subsequently it is important to have a sound mechanism to ensure the achievement and monitoring of the decided activities.</li><li><span class="ms-rteForeColor-2">Risk management may be defined as systematic, coordinated, and proactive activities aimed at the evaluation and treatment of uncertainty and events which can impact the achievement of goals.</span> This includes amongst other things the organization's ability to: </li><ul><li>Influence the probability and positive or negative impact of events. </li><li>Understand/exploit correlation between various types of risk. </li><li>Monitor development of the risk profile over time. </li><li>Initiate activities which align the path of development with the required direction. </li><li>Build a culture which ensures the implementation of activities and leads to sound risk management.</li></ul><li><span class="ms-rteForeColor-2">ERM means taking a holistic perspective, not just of the enterprise's status at a given moment, but also probable positive and negative developments in the future</span>. In this way it becomes a tool for the balanced prioritization of resource utilization. For this reason, this work should also be harmonized with other management activities such as performance scorecards.</li><li><span class="ms-rteForeColor-2">It is important that defined risk appetite can be translated into operational practice</span>. 
There should be a common thread going through an organization's various objectives, management limits, authorities, and scope of action which accords with the total risk appetite and strategy. In those organizations where it is difficult to quantify risk appetite, it is especially important to devise suitable guiding principles delineating who as a decision maker can decide what should be the acceptable level of risk based on the relevant qualitative evaluations.</li><li>Risk management and decision making are interconnected. When making any major strategic decision, executive management should require a set of scenarios to be presented detailing impact and alternative actions, especially in the situation where there may be a high level of uncertainty.</li></ul><p>There is a lot more useful information, including guidance on the roles of the various parties charged with managing risk in the pursuit of objectives. I leave you to read the paper in full.</p><p>What do you think of it? Do you agree? Is it practical to expect potential positive effects to be evaluated with the same discipline as adverse consequences?</p><p>I welcome your comments.</p><p>Please join the conversation and subscribe to this post by clicking on the button below.</p>Norman Marks
The Culture Impact<h2>How can a board or management best change a toxic culture or nurture a positive culture?</h2><p>While the board has oversight of the alignment of the company’s culture with its strategic vision, it is difficult for a board to directly shape corporate culture. Management is in the best position to impact culture. The tone at the top and management’s visible support of a compliance and ethics program are crucial. For example, how management responds when its most beloved, top-performing employees misbehave sends an important cultural message as to what is tolerated and the collective values of the organization.</p><h2>Is culture always to blame for misconduct?</h2><p>While culture is frequently a significant factor when misconduct occurs, culture is not always the only culprit. Rogue employees can behave poorly, contrary to company culture, and create liability for companies. How a company reacts to misconduct by an employee or group of employees can say a great deal about the company’s culture and goes a long way toward cultivating the right tone. Leveraging information and resources from internal audit, human resources, finance, and legal helps keep a pulse on the culture.</p><h2>Should boards be more proactive in identifying early signs of CEO and employee misconduct?</h2><p>The board has oversight of the company's risks, which include risks associated with CEO and employee misconduct. It is important for the board to cultivate open channels of communication among key members of management, including a company's chief compliance officer, to better evaluate the corporate culture and understand what an organization is doing to promote an ethical culture.</p>Staff
Do Internal Audit Departments Focus on What Matters? Survey Says They Do Not<p><a href="" target="_blank" style="background-color:#ffffff;">The 2017 Internal Audit Planning and Staffing Priorities Report</a> from MISTI shares the results of a survey of more than 600 internal auditors in North America. (I am not sure the results would be much different if the survey obtained responses from a global group.)</p><p>I can't say that the results are surprising. Disappointing, perhaps, but not surprising. After all, this is why I wrote <a href="" target="_blank" style="background-color:#ffffff;"><em>Auditing That Matters</em></a>!</p><p>Here are some excerpts from the MISTI report:</p><ul><li>To truly add value to their organizations, many internal audit leaders need to look beyond traditional internal audit focus areas, such as procurement and travel and expense reporting, and take a more critical look at functions and processes that really make organizations grow and become more profitable, such as sales and marketing, product innovation, and leadership development.</li><li>Here, the survey identifies a disconnect: While the vast majority of respondents say they use risk assessments to formulate audit plans, few seem to be focused on the biggest threats facing most businesses, such as sales declines, aging product lines, or the loss of key employees. Fewer than 15 percent are looking at anything related to these categories, while tried and true topics, such as accounts payable, compliance and ethics, and travel and expenses remain the most common.</li><li>"CAEs say they are developing risk-based audit plans," says Tom O'Reilly, vice president and general manager for internal audit and seminars at MISTI. 
"But what we find is that there is still a lack of correlation between what internal audit is focused on and what CEOs are typically focused on."</li><li>Many are finding it difficult to attract and retain talent with the skills and competencies to reposition internal audit to assess what really matters in the organization and provide value.</li><li>More than a third (35 percent) say they expect the resources for internal audit to increase; 57 percent expect them to stay the same. And more than half (55 percent) consider the resources they have adequate to do the job, even if they might like more.</li><li>A full 89 percent say the products and services provided by internal audit meet or exceed audit committee expectations, proportions that hold true for both audit staff and audit executives.</li></ul><p>The MISTI survey was of internal audit professionals. Surveys of audit committee members and executives do not show the same level of confidence that internal audit is contributing the value it should.</p><p>As the report says, few internal audit functions are auditing the areas that are of concern to the CEO — the areas he or she is focusing on, typically those that relate to the success of the organization.</p><p>I believe there are a number of reasons, each of which needs to be addressed if internal audit is to audit what matters, contributing the valuable insight and assurance our stakeholders need.</p><ul><li>Have a deep understanding of the business: its operations, organization, people, and extended enterprise (such as partners and suppliers).</li><li>Understand not only the enterprise objectives and strategies, but what is necessary to achieve them — in other words, not only what could go wrong but what needs to go right.</li><li>Discard the traditional audit universe (obsolete thinking) in favor of a risk universe. The latter is the set of risks to key enterprise objectives. If risk management is effective, leverage it as much as you can. 
If it is not, then work hard to help management improve it.</li><li>Build and maintain the audit plan to address the risks that matter — what needs to go right as well as what could go wrong — with the goal of helping the organization achieve or exceed its objectives.</li><li>Be agile. Strip every audit down to essentials so it can deliver results to our stakeholders when they need them. Update the audit plan continuously, always asking, "Is this the right audit to do next?"</li><li>For every audit, every communication, ask whether it is something that will provide actionable information that executives and/or the board need. If not, then question why you are doing the audit.</li><li>Make sure you have the resources to address the risks that matter. If necessary, change the resources and tools of the department.</li><li>Question whether there is any part of your process that can be discarded to improve the efficient delivery of the actionable information your stakeholders need. For example, what is the value of working papers? Why do you write an audit report?</li></ul><p>Of course, there is more in the book. You might also read Richard Chambers' book on <a href="" target="_blank"><em>Trusted Advisors</em></a>.</p><p>Questions for you:</p><ul><li>Does your audit department address the risks that could affect the achievement of enterprise objectives like EPS growth, revenue growth, customer satisfaction, and product innovation?</li><li>Does it provide insight and assurance that merits the attention of the full board? Does it report issues that require action by the CEO and discussion by the full board?</li><li>If the internal audit function disappeared, how would that affect the achievement of enterprise objectives?</li></ul><p>Please join the discussion by clicking on the Subscribe button below.</p>Norman Marks
PwC Gets It Right on Internal Audit<p>I have two hands. While one is <a href="" target="_blank">slapping at PwC and their paper on risk oversight</a>, the other is stretched out in acknowledgement of an excellent short article by them on internal audit.</p><p>"<a href="" target="_blank">Agility and Internal Audit? Yes, These Two Can and Should Go Hand in Hand</a>," published in <em>Accounting Today</em>, is spot on target.</p><p>While I still believe that it is not internal audit's role to identify risks (as the author, Jason Pett, says at one point), it is certainly imperative that internal audit engage on every major initiative and ensure that risks to their achievement are being identified and addressed by management.</p><p>In this time of technology innovation and disruption, the technology specialists in internal audit (previously known as IT auditors) have a critical role to play.</p><p>I like Jason's talk about:</p><ul><li>Preparedness, or thinking ahead. "… agile internal audit requires auditors to face forward, plan strategically, and then share their perspective with other departments and the C-suite. Working across the organization to build in flexibility and enable faster reactions are all part of preparedness."</li><li>Adaptiveness. "Agile internal audit functions are sufficiently flexible that they can shift their audit plan development, audit planning, fieldwork, and reporting as circumstances change." As Richard Chambers and I have both said, "audit at the speed of risk" or "audit at the speed of the business." Discard annual audit plans in favor of agile, continuously updated audit plans that reflect the risks of today and tomorrow, not the past.</li><li>Having the skills to execute. Where necessary, partner with cosourcing providers to enhance the internal audit team's ability to go where the risks are and will be.</li></ul><p>The IIA's core principles for effective internal audit speak to this. 
An effective internal audit function:</p><ul><li>Provides risk-based assurance.</li><li>Is insightful, proactive, and future-focused.</li><li>Promotes organizational improvement.</li></ul><p>Does yours?</p><p>I welcome your comments.</p><p>Please join the conversation by clicking on the Subscribe line below.</p>Norman Marks
