Governance in View<p>Today's business landscape creates some tricky terrain for organizations to navigate. Heightened scrutiny of boards and management, and transformational internal and market forces are the rule, rather than the exception. In this environment, a corporate governance assessment can yield significant value for organizations. Moreover, it enables internal audit to satisfy the requirements of Standard 2110: Governance.</p><p>Corporate governance is the system of rules, practices, and processes by which an organization is controlled and directed. It sets the foundation not only for business protection and strategic performance, but also for the confidence of the markets, investors, regulators, and other key stakeholders. Effective corporate governance is a powerful driver for achieving strategic objectives in dynamic environments while supporting a strong risk culture (see "The Value of Corporate Governance" below right).</p><h2>Laying the Groundwork</h2><p>Determining whether strong corporate governance practices are in place entails taking a hard look at big-ticket issues such as the board's and the executives' roles and practices, how leadership sets and agrees on strategy, how that strategy translates into overall action plans, how those plans are managed, and how progress is measured against goals. Performing this analysis has enormous advantages, but there is a potential catch. This is an assessment of the top of the organization — its board, management, business strategy, and risk management and compliance functions. The return is high, but so are the risks to internal audit. Planning, execution, and reporting must be aligned to the broad-based stakeholder group so internal audit's findings and recommendations are fully supported and acted upon. That makes it imperative that corporate governance audits are well planned and skillfully executed.
Internal audit must obtain the necessary buy-in at the highest levels, provide excellent communication and project management throughout the audit, and ensure it has the right expertise focused on the review from the start through the final deliverable. </p><p>As chief audit executives consider these issues, they should keep in mind the expectations of key stakeholders such as the board, C-suite, and business unit management. Without stakeholder commitment — including making time for interviews, reviewing results, and implementing improvements — the audit can't succeed. By seeking high-level input and perspective early on, internal audit can respond to stakeholder concerns, incorporate their priorities, and ensure the audit goes forward with the appropriate backing from senior management.</p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> <p> <strong>The Value of Corporate Governance</strong></p><p>Corporate governance has several tangible benefits:</p><ul><li> <strong>Meeting heightened expectations of regulators and stakeholders.</strong> Faced with unprecedented scrutiny, many boards are challenged to move their organizations forward while meeting the ever-increasing demands of stakeholders and regulators. <br></li><li> <strong>Managing the organization's shifting risk profile because of internal and market forces.</strong> Organizations in many industries are striving to transform themselves. Changing business models and expansion into new businesses, services, and products continually reshape an organization's risk profile.
Adapting corporate governance to these new realities is an important component of a successful business transformation.<br></li><li> <strong>Identifying blind spots that could impede achievement of the organization's strategy.</strong> Without strong corporate governance, organizations may struggle with conflicting objectives or a competing strategy that is diverting resources from a priority project.<br></li><li> <strong>Addressing concerns about risk culture.</strong> Without a business strategy, it's difficult — if not impossible — to determine whether the organization is taking appropriate risks. Robust corporate governance can maintain focus on the organization's strategy and how it aligns with its risk culture.<br></li><li> <strong>Surveying the organization's lines of defense.</strong> There's a great deal to be gained from looking carefully at the organization's 1) revenue-generating business units and their accountability for the risks they create, 2) risk management teams and the framework they have created for business units, and 3) internal audit function, including internal and board reporting objectives.<br></li></ul></td></tr></tbody></table><p>It's also important to focus on the organization's external stakeholders such as regulators, shareholders, and external auditors. Once announced, internal audit's decision to undertake a corporate governance audit will generate intense interest. Auditors should prepare for regulator requests to look at their approach and findings. </p><div><p>Delving into governance audits without the right expertise, timeline, and scope can hurt the internal audit function. Depending on its depth of expertise, internal audit may want to bring in third-party subject-matter specialists to provide additional credibility, experience, and an industry sector perspective that is benchmarked against leading practices.
Working closely with outside subject-matter experts also provides an excellent knowledge transfer opportunity that can assist internal audit in future reviews. </p><div><h2>Governance and Risk</h2><p>A look at the corporate governance risk framework is a helpful way to understand the structure for an audit (see "The Corporate Governance Risk Framework" below right). Internal auditors should ask several questions about the organization's corporate governance framework. Auditors at highly regulated organizations already may be hearing these questions from regulators. However, any organization would benefit from exploring whether its governance model:</p><ul><li>Guides strategic direction and day-to-day control.<br></li><li>Outlines the rules and procedures for making decisions.<br></li><li>Specifies and distributes rights and responsibilities, including decision-making authority, among the organization's various stakeholders.<br></li><li>Provides structure and accountability through which the organization can achieve its objectives and monitor how it performs.<br></li><li>Maintains the integrity of the organization's structure and accountability.<br></li><li>Influences the appropriate tone and risk culture.<br></li></ul><p>Risk culture merits special emphasis because it is at the heart of corporate governance. If internal auditors fail to consider the organization's risk culture, they may miss the subtle indicators of ineffective governance. For example, a company may have a well-designed governance structure but ineffective governance because its risk culture discourages managers from escalating risk issues for fear of the consequences. </p><p>Finally, the organization needs to decide where it wants to be in the corporate governance maturity model. Does it want to be a leader in one or more areas, or is average sufficient?
A corporate governance audit can benchmark where the organization stands on categories ranging from board governance to strategic planning to tone at the top to risk management and corporate compliance. For each of these areas (and more), auditors can chart whether the organization is lagging, average, or leading against peers. </p><h2>Structuring the Audit</h2><p>There is not one ideal way to assess the state of corporate governance. An example of an approach that is well-suited to an organization embarking on this process for the first time is to execute a two-phase assessment comprising an initial advisory phase and an audit phase.</p><p> <strong>Advisory Phase </strong>In the first phase, the goal is to establish a baseline by focusing on the entire governance framework. The assessment relies heavily on interviews with a selection of board members, senior executives, and others in the organization. The questions should focus on a broad range of governance topics, including corporate strategy, board oversight and committee structure, management committee structure, tone at the top and culture, the state of the compliance program, and the state of the risk management program. At the highest level, these interviews should provide a view of their understanding of the organization's governance processes and how those processes are aligned with corporate objectives. </p><p> Auditors also should review supporting documentation, such as bylaws, board committee charters, policies, and organizational charts, to create a holistic picture of the organization's culture and processes. They then should analyze information developed through the interviews and document review processes and assess it against a maturity scale. Audit recommendations should assist the organization to ultimately move farther along that scale.</p><p>A corporate governance assessment will require the audit team to make qualitative judgments about the design of the governance structure.
Internal audit will need to determine how formal the corporate governance elements should be compared to leading practices in the industry and at peer companies. Performing the initial work as an advisory review allows for a freer two-way exchange of ideas and observations ahead of the formal audit.</p><p>During the advisory phase, internal audit should communicate the results of its interviews and assessment to management as recommendations instead of formal issues. The absence of an opinion positions the internal auditor as a business advisor, which promotes candid discussions and more informed recommendations. </p><p>At the end of the advisory phase, suitable time is needed to allow the organization to implement corrective actions in response to recommendations resulting from the first phase. The amount of time depends on the extent of remediation required and often will be more than a year to allow for policies to be developed or enhanced and implemented.</p><p> <img src="/2018/PublishingImages/Schwartz-the-corporate-governance-risk-framework.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /> <strong>Audit Phase </strong>With an established framework in place, the company can conduct a formal audit to assess the effectiveness of governance processes. Here, the scope is narrower and builds on the previous review work. As during the first phase, interviewing board members and executives is a key component. In-depth testing of key risk areas also is important. Examples of key risk areas include delegation of authority, board and management committee charters, risk appetite, and the compliance testing program. The outcome is an analysis of targeted issues, leading practice recommendations for improvements, and a formal audit opinion. </p><p>Internal auditors should keep in mind that they are auditing the leadership of the organization. Presenting corporate governance audit findings to the CEO or board members is the ultimate "seat at the table" for CAEs.
They must ensure their facts are thoroughly vetted and benchmarking against leading practices is well supported. Anything short of that could damage internal audit's credibility.</p><p>This two-phase method is just one approach to auditing corporate governance. Organizations with a well-honed governance structure may prefer to start directly with the audit phase. The key is to tailor an approach for the organization, considering issues such as the maturity of its structures, availability of resources, and leadership and regulatory expectations.</p><h2>Driving Change</h2><p>The value proposition for a corporate governance assessment is significant. Working closely with the board and senior management, internal auditors have an opportunity to drive change. This is a high-risk, high-reward effort, though. A thoughtful, measured approach and stakeholder buy-in are critical at every stage — from planning through report issuance. </p></div></div>Doug Watt
Taking the Lead on Blockchain<p>Internal auditors are no strangers to change, and change continues to transform even the most traditional of processes. The latest revolutionary innovation is blockchain. Initially the technology underlying digital currencies such as Bitcoin, blockchain is beginning to change processes across many industries. </p><p>Like all new technologies, blockchain may produce innumerable new risks. Yet ultimately, it has the potential to help manage and mitigate many traditional audit risks. Internal auditors need to understand how blockchain may change business processes, determine the risks to the organization, and revisit audit processes and procedures to leverage the technology in their work. </p><h2>How It Works</h2><p>A blockchain is effectively a type of decentralized database known as a distributed ledger. Unlike traditional databases, blockchains have no sole administrator. As each transaction is recorded, it is time-stamped in real time onto the "block." Each block is linked to the previous block, and each user has a copy of that block on his or her own device. That process effectively creates an audit trail. </p><p>Blockchain is most notably used for transactions involving the buying or selling of digital currencies. Although the electronic encrypted audit trail is one by-product of the underlying technology of interest to internal auditors, another interesting side effect of the process is an accounting methodology called triple-entry accounting. Modern financial accounting is based on double-entry bookkeeping dating back to the 1400s. With triple-entry accounting, all entries for a given transaction are made to the blockchain to verify and document receipt of the transaction. Thus, triple-entry accounting blends traditional double-entry accounting with third-party validation.
As such, this methodology potentially could vastly alter traditional accounting processes and the subsequent control activities, risk assessment, and monitoring activities.</p><h2>Impact on Audit Process</h2><p>Often, internal auditors must catch up with technologies that are already in place, making modifications to the existing audit plan arduous and further emphasizing the need for a dynamic and adaptable audit plan. The complexity and incremental cost associated with blockchain implementation creates additional risk to the organization, making it vital that auditors are involved from inception and not just after implementation when a final process must be audited. Other risks associated with blockchain include scalability constraints, new privacy and security risks, and the need to consider new regulatory requirements, many of which have not yet been promulgated.</p><p>Historically, auditors have been tasked with verifying the management assertions of existence, valuation, rights and obligations, completeness, and presentation and disclosure. The use of a distributed general ledger virtually eliminates the possibility of altering transactional data or inputting fictitious data, as the encrypted signatures of both parties involved in a given transaction are required. </p><p>Even with recent media coverage of digital currency hacks, the supporting technology underlying blockchain continues to be touted as "tamper-proof," "validated," "secure," and "private." Hacks are possible on applications that use blockchain, just as on an organization's intranet. However, for a hack or data leak to occur, an attacker not only has to concurrently hack each user on the network, but also bypass encryption. 
Such an intrusion would be highly visible to those on the network. Internal auditors must perform comprehensive risk assessments to determine the likelihood, magnitude, and nature of potential threats as well as the appropriate preventive, detective, and corrective controls. </p><p>In addition to the data being more secure and valid, using a distributed public ledger gives auditors access to transactional data needed for the audit in real time, thus allowing for more continuous auditing. While continuous auditing has the potential to enable auditors to be more efficient, proactive, adaptive, and forward-looking, internal audit departments must explore the impact continuous auditing may have on existing audit programs and the potential disruption to the traditional audit cycle. Specifically, auditors must consider how it could impact scheduling, planning, and the actual collection of audit evidence. </p><p>While blockchain would in no way be a substitute for U.S. Sarbanes-Oxley Act of 2002 control testing, it could greatly increase the efficiency of traditional audits, creating a more uniform and highly verified audit trail from which to work. The improved quality of data and fewer reconciliations can potentially reduce the amount of work necessary throughout the year. Auditors may be able to conduct more work remotely, because less fieldwork will have to occur at the client's site. Moreover, efficiency gains from blockchain may enable internal auditors to focus on other high-risk areas such as internal control, compliance, or operational audits. </p><h2>Audit Implications</h2><p>With the advent of blockchain, the nature of audit work may change pervasively.
Potential changes to consider include: </p><ul><li> <em>Systematically less reliance on paper documentation that can be altered or falsified easily.</em> Matching and vouching to test for existence and appropriate valuation may largely be outdated, as auditors will have easy access to transactional data that already has been mutually agreed upon and verified by an independent third party.<br></li><li> <em>Differing cybersecurity risks and controls.</em> As the use of blockchain makes data available to everyone on the network, both physical and logical access controls will be more important than ever. In addition, use of a distributed public ledger can decrease the risk of successful computer attacks and may increase the visibility of attacks. The increased visibility elevates the importance of an organization's incident response plan.<br></li><li> <em>More involvement in creating new processes based on blockchain technology.</em> As recent publications from the Big 4 firms note, the reliance on blockchain technology may require auditors to collaborate with IT professionals and raise the demand for auditors with IT expertise. Subsequent documentation of new processes and changes to old processes are key controls that auditors should not overlook. Over time, the use of blockchain may lead to increased standardization in both business processes and audit processes across industries as best practices emerge.<br></li></ul><h2>Risks and Rewards</h2><p>To prevent or lessen the risk of crisis that often precedes imminent change, internal auditors must stay abreast of emerging technologies such as blockchain. Yet, as with many new technologies and processes, blockchain may present a steep learning curve for auditors. Understanding the underlying technology of a distributed public ledger can enable auditors to assess the new control environment and new risks to the organization.
In this way, internal auditors can be change agents who help mitigate the negative risks that all too often accompany the rewards associated with any new technology.</p>Jamie L. Hoelscher
Internal Auditors: More Than Cybersecurity Police<p>New guidance announced by the U.S. Securities and Exchange Commission last week is raising the bar on how publicly traded companies report on their handling of one of the top challenges facing every organization — cybersecurity.</p><p>The new cyber-risk guidance, an evolution of guidance first released by the regulator in 2011, boosts reporting requirements in various ways, from disclosures about board involvement in cyber-risk oversight to enhancing internal reporting procedures that more effectively determine when cyber issues rise to the level of materiality and, therefore, should be reported publicly. The new guidelines inevitably will create new compliance challenges and, with that, additional need for internal audit to provide assurance on those compliance efforts.</p><p>The new U.S. rules, along with the upcoming deadline to meet strict European Union guidelines on data protection, are high-profile examples of where internal audit can provide important assurance on information technology (IT). </p><p>But it is important, indeed crucial, for organizations to understand that management of cyber risks and data protection are only part of the overall IT governance picture and that internal audit can and should play a larger role than simply acting as the cybersecurity police.</p><p>A recently published IIA <a href="">Global Technology Audit Guide (GTAG)</a> provides direction and insight on internal audit's approach to auditing IT governance. The GTAG's executive summary captures the benefits of strong IT governance and describes how proper IT governance can help organizations achieve their goals.</p><p>From the GTAG executive summary:</p><p><span class="ms-rteStyle-BQ">"Effective IT governance contributes to control efficiency and effectiveness, and allows the organization's investment in IT to realize both financial and nonfinancial benefits.
Often when controls are poorly designed or deficient, a root cause is weak or ineffective IT governance." </span></p><p>The benefits of effective IT governance are significant. In addition to aligning IT strategies with organizational objectives, it helps identify and properly manage risks; optimizes IT investments to deliver value; defines, measures, and reports on IT performance using meaningful metrics; and helps manage IT resources.</p><p>Sound IT governance helps organizations address IT challenges, such as the growing complexity of IT environments, growing use of data to make business decisions, and, as previously discussed, the growing number of laws and regulations associated with the threat of cyberattacks.</p><p>As with all governance issues, internal audit is uniquely positioned to give management and the board a clear-eyed assessment on the effectiveness and efficiency of the processes and structures that make up IT governance.</p><p>The GTAG provides valuable insights on how responsibilities of multiple governance structures within the organization can overlap. For example, corporate governance oversees conformance processes and is involved in compliance, while business governance oversees performance processes.</p><p>The key is for internal audit to examine — and to help management and the board understand — the interplay among all three governance structures (corporate, business, and IT) and not view IT governance as somehow separate and apart. A key message from the GTAG captures this well:</p><p><span class="ms-rteStyle-BQ">"Alignment of organizational objectives and IT is more about governance and less about technology. Governance assures alternatives are evaluated, execution is appropriately directed, and risk and performance are monitored."</span></p><p>The GTAG provides internal auditors the tools and techniques to build work programs and perform engagements involving IT governance.
These include a step-by-step description of engagement planning, from understanding the context and purpose of the engagement to reporting results. Additionally, five appendices provide related IIA standards and guidance, a glossary of key terms, a sample internal controls questionnaire, a risk and controls matrix, and a list of additional resources.</p><p>It is important to emphasize that having a well-developed IT governance audit program in place will help integrate IT into the overall governance strategy and take the mystery out of IT, which often contributes to poor IT controls. It also will help position organizations to respond quickly and efficiently to changes in regulations or IT-related risks.</p><p>The current scramble to meet upcoming European Union rules on data protection suggests that not enough organizations are taking a comprehensive approach to IT governance. Indeed, those troubles were clearly reflected in an August survey by DocsCorp, reported in <a href="">The Current State of GDPR Readiness</a>. The survey found 43 percent of respondents from Europe and the United Kingdom identified financial penalties for noncompliance as their biggest concern with the new rules. In Canada and the United States, the survey found 73 percent of respondents had yet to start preparing for the new rules and 54 percent were unaware of the May 25 compliance deadline.</p><p>I encourage every chief audit executive to download and review the new GTAG and discuss IT governance with their management and boards. Providing an accurate and unbiased assessment of how IT operates within the organization is another example of where internal audit can add value and help organizations achieve their goals.</p><p>As always, I look forward to your comments.</p>Richard Chambers
Are You Prepared?<h2>What is internal audit's role in ensuring the organization has a disaster recovery plan? </h2><p>As we've recently seen, disasters — whether natural or from human activity — have shown the need for sound disaster recovery plans. Internal auditors play an assurance and consulting role in this arena, so they need to understand attitudes toward disaster recovery risk within their organizations. Disaster recovery should be part of the overall business continuity management process. For organizations that are ad hoc or reactive in their level of disaster recovery maturity, internal audit may need to assist in making the case to senior management for better preparedness.</p><p>As part of its risk assessment process, internal audit should examine the plan to determine if operations have been prioritized appropriately, and risk assessments and responses are sufficient and cost effective. Internal audit should note whether the plan is a working document that is updated timely as important changes take place, including acquired businesses and new software and technologies. Based on the level of risk, internal audit should schedule audits of the disaster recovery processes to provide assurance there are no significant gaps. Another opportunity for internal audit is educating senior management and the board on their responsibilities for ensuring effective risk management practices are in place for any outsourcing arrangements.</p><h2>What should internal audit look for in a disaster recovery audit?</h2><p>The areas to cover in a disaster recovery audit can depend to some extent on the size, number of locations, and complexity of the organization. The most common areas to review are which functions and systems are covered or excluded in the plan and why, testing multiple scenarios to identify vulnerabilities and gaps in the plan, inventory of equipment and software, and documentation of backup and recovery processes (IT and non-IT).
Auditors should consider critical data backup storage and frequency — including data stored on computers, smartphones, and devices, which employees may use for work and personal use. Other items to review include testing of backup systems to be sure data can be restored; insurance coverage; legal involvement and review; disaster recovery contract provisions, including service-level agreements with outsourcers and suppliers; and whether responsibilities are clearly defined.</p>Staff
Beyond the Numbers<p>“Internal auditing should be about tomorrow,” Charlotta Hjelm, chief internal auditor at the Swedish insurance co-operative Länsförsäkringar, Stockholm, says. “If the function focuses mainly on financial audits, it is mostly looking at what happened yesterday and today.”</p><p>Hjelm says boards and audit clients are looking to their chief audit executives (CAEs) to provide assurance over their forward-looking operations and strategies — no more so than in areas of rapid change, such as product launches or IT initiatives. As a result, functions that have historically concentrated on auditing controls over financial information have been pushed out of their comfort zones and into the fuzzier world of nonfinancial auditing.</p><p>“If you are conducting financial audits, things are black and white,” Hjelm says. “The controls are right or wrong.” So-called nonfinancial audits, on the other hand, may be concerned with improving the efficiency of business processes, or the quality of services. Auditors working in those areas need adequate knowledge of the business and its functions — from human resources and sales, to supply chains and customers. “If a business wants to be the best, most efficient, and offer the highest quality of goods or services, that can be hard to define,” she says. </p><p>This lack of clarity has an impact on internal audit. If an organization’s goal setting is not precise, auditors can struggle to grasp what separates the most important audit area, for example, from the slightly less important. Moreover, risks in dynamic areas of the business can change rapidly, impact business processes in other parts of the business and prove difficult to cover comprehensively. Internal audit teams working in nonfinancial areas of the business need a wider range of technical skills, broader soft skills, and deeper business knowledge.
But the rewards of engaging in these areas include providing better insight to the business on the quality of its operations and the risks it faces tomorrow.</p><h2>Aligning With the Business</h2><p>The shift in emphasis from static, backward-looking audits has come from boards and from the profession itself as it has sought to win that coveted seat at the top table. In fact, over the past 15 years internal auditors in most sectors have been aligning themselves more closely with their organizations’ strategies. According to Driving Success in a Changing World: 10 Imperatives for Internal Audit, a 2015 report from The IIA containing the most recent figures, globally 57 percent of audit departments say they are aligned fully or mostly to their business’ goals and objectives. As that percentage continues to grow, increasing numbers of auditors will be moving into those dynamic areas of the business that need assurance most — whether they are primarily financial in nature or not.</p><p>This realignment to auditing nonfinancial areas has led to a shift in approach that places greater value on what audit findings mean to the business than whether or not the organization is compliant with regulations. In regulated areas such as finance, for example, boards still want to know whether they are compliant with Solvency II — a European Union directive that focuses primarily on capital obligations for insurance firms — where there is a clear role for traditional internal audit, Hjelm says.
“But they also want to know how much it will cost, whether we have the resources to do what is necessary, how it will affect the strategic plan, and whether I have audited the right areas.” Communicating on such a wide range of issues clearly has become an important dimension of Hjelm’s work.</p><p>Malcolm Zack, who has led audit teams in the consumer, payments, foodservice, mail, entertainment and travel sectors and now heads Zack Associates, an internal audit consultancy based in London, says he has been auditing nonfinancial areas of the businesses in which he has worked for more than 20 years. Over that time, he has worked across a range of areas including IT audit, contingency planning, health and safety, codes of conduct, supplier risk, buying and merchandising, and social media, to name just a few. But he agrees with Hjelm that more recently boards have been encouraging internal auditors to move into areas where the business is changing rapidly because that is where the big risks can be. </p><p>“In recent years, I’ve been working more and more on business change projects, and project and program assurance,” he says. “New products and systems are where the higher risks are, and the ongoing auditing of those has become very important.” </p><p>He sees that trend intensifying in the coming years with auditors becoming more focused on the commercial and operational significance of their findings in such dynamic areas, rather than just on the financial data itself. Because finance is only one element the board needs assurance on, Zack says, that has changed the composition of many audit teams away from accountants and pure audit specialists. Experts in project management, IT, or human resources, for example, could be needed as much as technical auditing ability.
An audit team in one financial institution Zack was familiar with, for instance, employed psychologists on its team during an audit of its culture.</p><p>“This has been a shift for the profession,” he says. “We are being asked to give a view of risk and controls across the entire organization potentially.” That requires the audit team to be staffed by a core of experienced auditors supported by a more fluid mix of people from different specialist areas and cultures to provide depth of knowledge in the area being audited, he says.</p><h2>Shift in Focus</h2><p>The difference between a financial audit and a nonfinancial audit can be one of focus, explains Phil Tarling, an internal audit consultant based in South East England, U.K., and former vice president, Internal Audit Capability, and head of the Internal Audit Centre of Excellence at global telecommunications firm Huawei Technologies. In one supply chain audit he was involved in, for example, when goods did not ship in time by sea, they were sent at greater cost by air. The financial findings were significant, but the nonfinancial part of the audit also showed that the supply chain was poorly structured and included recommendations on how to fix the problem.</p><p>“In nonfinancial auditing, you need people to understand that the business exists to make a profit and that cost has a negative impact on its ability to do so,” he says. “Not all auditors think that way, and not all people working in the business do either.”</p><p>That is why Tarling is cautious about bringing people with business acumen, or with subject-area expertise, into the audit function. “When you say ‘business acumen,’ do you mean that people understand the way things are done, or the way they should be done?” he asks.
He warns that external staff from the business can bring with them negative baggage and may be too caught up in the minutiae of their role to see the bigger picture, or to imagine different ways of working.</p><p>“It means you have to work a lot harder to get the right people on the audit team,” he says. Going back to his supply chain example, he would recommend hiring someone who possesses high-level experience with establishing a supply chain and training him or her in audit and risk. Smaller audit functions would need to cosource such staff with an internal audit provider and transfer knowledge to the core team during the project, he says.</p><h2>Integrated Thinking</h2><p>Trends in auditing nonfinancial areas are coming under the spotlight from regulators, standard setters, and business groups mulling over the causes of the financial and economic crash of 2007 — the effects of which are still felt today in the form of historically low interest rates and slow growth in many countries. The consensus among groups such as the International Integrated Reporting Council (IIRC) is that many businesses did not understand how the risks within their businesses are related to each other and to the wider business world. Some form of coordinated assurance over all nonfinancial aspects of corporate activity can be provided through integrated reporting (&lt;IR&gt;).</p><p>The IIRC’s International &lt;IR&gt; Framework argues that, too often, companies have disjointed reporting practices that are driven more by regulation than by business need. That has led to a fragmented approach to what is reported. What is needed, the framework says, is &lt;IR&gt; delivered to shareholders and stakeholders that provides a complete picture of the business and its risks, which is underpinned by integrated thinking.
</p><p>“Integrated thinking is the active consideration by an organization of the relationships between its various operating and functional units and the capitals that the organization uses or affects,” the framework says. “Integrated thinking leads to integrated decision-making and actions that consider the creation of value over the short, medium, and long term.” </p><p>The IIA recently articulated internal audit’s potential role in the integrated thinking arena. Its project concluded that internal audit’s holistic purview of the organization uniquely positions it to support integrated thinking’s goals of strategic decision-making, planning, and delivery in a way that considers the perspectives of the business, its various stakeholders, and the resources needed to create wealth.</p><p>“Internal auditing is focused on the same central concerns that prompt the move toward integrated thinking and enhanced external reporting,” says Anton van Wyk, a former IIA board chairman who led the organization’s integrated reporting task force. “By providing well-informed insight, advice, and assurance, consistent with The IIA’s Core Principles for the Professional Practice of Internal Auditing, internal auditors can have a significant contribution to make in supporting their clients in their journey to integrated thinking.”</p><h2>Connecting the Dots</h2><p>Some practitioners agree. Karem Obeid, CAE, Tawazun Economic Council in Abu Dhabi, United Arab Emirates, says boards have become more sophisticated in their understanding of what internal audit can offer — especially the function’s ability to create value by driving business improvement and advising on risk in dynamic areas of the organization. 
“If as an auditor you get involved in benchmarking integrated thinking and reporting at an early stage,” Obeid says, “you can be the facilitator that helps join the dots across the whole organization and beyond.”</p><p>He sees taking on the role of driving the integrated thinking project as a great way of demonstrating the value that internal audit can add to the business. It can also help the audit team better direct its work and resources to where they are most needed, and enable internal audit to serve the organization as a trusted advisor.</p><p>Auditors can do this by building on their experience of auditing nonfinancial areas of the business, says Obeid — who contributed to the IIA white paper, Global Perspectives and Insights: Beyond the Numbers — Internal Audit’s Role in Nonfinancial Reporting. But, he adds, integrated thinking is a project that has challenges. First, the CAE and his or her team must understand the business both from a technical and practical point of view. Those with many years of nonfinancial audit experience will be better placed to see how the risks in different areas — often called silos — are related and how they may be audited across the business. Others would face a steep learning curve.</p><p>Second, integrated thinking and the reporting it produces need to serve a wider range of stakeholders — both within and outside the business. Although most internal auditors are effective at dealing with the board, management, and some other functions — such as risk and compliance — few have experience in dealing directly with external stakeholders, such as customers and external pressure groups.</p><p>“Internal auditors need to communicate more with stakeholders, not just through business meetings, but through social media, socializing in person, and getting to know the culture and mind-sets of these groups,” Obeid says.
“Also, the audit team has to increase among those groups an awareness and understanding of audit’s role — and the importance of following The IIA’s Standards.”</p><h2>Sustainability</h2><p>One area of rapid change in the integrated reporting world is that of climate-related financial disclosures. Although a paper published in June by the U.S. Financial Stability Board (FSB) relates to financial services businesses, it is a good example of how important governments now view the environmental impact of investor decisions on society. The paper, Task Force on Climate-related Financial Disclosures: Overview of Recommendations, proposes enhanced, voluntary disclosures on how each organization’s governance, strategy, risk management, and metrics help it report accurately and effectively on climate-related risks.</p><p>For Richard Goode, an executive director in the Americas Climate Change and Sustainability Services practice at EY, the paper is a clear indication of how government agencies and investors are increasingly asking to see proof of an organization’s “social license to operate.” According to the EY Center for Board Matters, more than half of the shareholder proposals during the 2017 proxy season related to environmental and social issues — in other words, pressure is growing for companies to demonstrate their social, ethical, and environmental credentials.</p><p>“This is a key area for internal audit to act as a trusted business advisor,” he says. “Business managers are asking internal auditors to help them articulate what their nonfinancial risks are and how well their sustainability programs are being put in place and run.”</p><p>Goode adds that while internal auditors can take a leading role, they should avoid an emotional plea to senior leadership and the board.
“Speak the language of risk, collate and analyze the data, benchmark within your industry and among standout performers in other industries, and prove what is important and why.”</p><h2>Trusted Nonfinancial Advisor</h2><p>Goode stresses the importance of having the right expertise to help tackle the more technical aspects of such nonfinancial areas. On the other hand, the lack of such expertise should not be used as an excuse for inaction.</p><p>“Make sure you get the topic on the risk register and talk to the business about what risks they are facing in that area,” he says. “Talk to managers, institutional investors, and stakeholders and put together an honest materiality assessment.” If the risk is real and material, the resources are likely to follow, he adds.</p><p>Hjelm agrees. “The more success you have in these nonfinancial areas, the more trusted you will be to do less testing,” she says. “You will be providing true insight for the company about their potential future risks and helping the company make money tomorrow. Besides, as an internal auditor it’s much more rewarding to help people and have fun while doing it.”</p>Arthur Piper
The Time Has Come for Marks on Governance<p>In <em>The Walrus and the Carpenter</em>, Lewis Carroll wrote:</p><blockquote style="margin:0px 0px 0px 40px;border:medium none;padding:0px;"><p>"The time has come," the Walrus said,</p><p>      "To talk of many things:</p><p>Of shoes — and ships — and sealing-wax —</p><p>      Of cabbages — and kings —</p><p>And why the sea is boiling hot —</p><p>      And whether pigs have wings."</p></blockquote><p>[I will let my friend and fellow blogger, <a href="/blogs/jacka" target="_blank">Mike Jacka</a>, talk about flying pigs.]</p><p>Yes, the time has come — to talk about concluding this blog. After all, I have been retired for five years and it is time to start slowing down.</p><p>The blog was born in 2008 with "<a href="/_layouts/15/FIXUPREDIRECT.ASPX?WebId=85b83afb-e83f-45b9-8ef5-505e3b5d1501&TermSetId=2a58f91d-9a68-446d-bcc3-92c79740a123&TermId=607cd1df-2cc8-490e-bac2-ba8391dee68f" target="_blank">A Broken Relationship</a>." Since then, I have written hundreds of articles on governance, risk management, internal auditing (of course), and technology. Not a single reference, I am afraid, to flying pigs.</p><p>While this blog will come to an end, the world and its challenges will not. I will continue to write and speak about them. I hope to see you at IIA and other conferences, and I will continue to share my thoughts in <em>Internal Auditor</em> magazine and on my personal site.</p><p>Perhaps my last blog post should be about how the future of internal auditing is in auditing and then communicating what matters. I was recently honored to make a keynote presentation on that topic at IIA–Brasil's annual conference in Rio de Janeiro.</p><p>I asked the attendees whether they wanted, as internal auditors, to have a seat at the top table alongside senior executives from finance, operations, legal, marketing, and so on.
They all said internal audit should have a seat at the top table. As Richard Chambers says in his latest book, they want internal audit to be seen as <a href="" target="_blank">trusted advisors</a>.</p><p>Then I asked who they would invite to sit at <em>their</em> table. I suggested that they would welcome people who had something interesting and valuable to offer. They wouldn't invite people (except family members) simply because of their title or position.</p><p>Similarly, internal audit heads (chief internal auditors, CAEs) will be welcomed at the top table when they have something interesting and valuable to offer on the topics typically discussed at that table: the enterprise's objectives and strategies, major projects, performance, and risks to success.</p><p>If we do what I suggested in <a href="" target="_blank"><em>Auditing That Matters</em></a>, we would be considered trusted advisors that provide assurance, insight, and advice that helps the organization succeed. I said:</p><blockquote style="margin:0px 0px 0px 40px;border:medium none;padding:0px;"><p>For internal audit to "matter," it needs to:</p><ol><li>Focus on the risks that matter to the board and top management — risks to the successful delivery of value to stakeholders, the achievement of objectives set by the board.</li><li>Provide assurance on those risks that is readily consumable, relevant, actionable, and timely — helping board members and executives make informed decisions that lead the organization to success; where action is necessary, it can be taken promptly and effectively.</li><li>Provide a formal opinion by the CAE on whether the systems of internal control and risk management provide reasonable assurance that the more significant risks are managed at desired levels.</li><li>Provide, in addition to formal assurance, its objective insight on any area critical to the achievement of success. 
For example, internal audit cannot be fearful of sharing its opinion on the performance of key personnel, the structure of the organization, and so on.</li><li>Communicate <em>what</em> its stakeholders need to know, <em>when</em> they need to know, and <em>in a form</em> that is easily consumed, relevant, and actionable.</li><li>Work effectively with management to help upgrade its processes, systems, organizational structure, controls, and people as needed.</li></ol></blockquote><p>These principles are consistent with The IIA's four results-oriented <a href="" target="_blank">Core Principles for the Effective Practice of Internal Auditing</a>. They state that an effective internal audit function:</p><ul><li>Communicates effectively.</li><li>Provides risk-based assurance.</li><li>Is insightful, proactive, and future-focused.</li><li>Promotes organizational improvement.</li></ul><p>Internal audit should focus on the more significant risks to the enterprise, not just those that may be important to a process, business unit, or middle manager. If you focus on risks to individual processes, business units, and so on, you merit a seat at the <em>middle</em> management table — because those are the people interested in what you have to say. But if you have an eye on the future, on the risks that could either derail or represent opportunities to succeed today and in the next year or so, your insights are valuable to senior leadership.</p><p>We simply cannot continue to perform audits of history and write reports that stakeholders read out of duty. We need to provide forward-looking assurance and advice on what matters and will matter in the days ahead: communications that matter to our stakeholders because they help them succeed.</p><p>We need to discard the outdated concept of an audit universe and focus instead on a risk universe.
We audit and provide assurance on the management of risks, not the management of business units.</p><p>One of the challenges is going to be to understand what risk and risk management are all about. Frankly, I don't think enough people (and especially internal auditors) understand that it is not about the periodic review of a list of risks.</p><p>No, risk management is about ensuring that people are able to make informed and intelligent decisions, taking the desired amount of risk. It's about making sure they think things through, considering all the things that might happen, both good and bad, before making a decision — and every decision creates or modifies risk.</p><p>Internal audit should audit the management of risk within and across the enterprise, not simply compliance with risk policies and standards.</p><p>Think about this. <a href="" target="_blank">According to McKinsey</a>, "60% of senior executives say that bad decisions were about as frequent as good ones"! This is an opportunity for internal audit — but we have to know what is possible and desirable, and that is beyond putting together a risk inventory. We need to be brave and talk about the elephants in the room.</p><p>Almost always, the root cause of risk and control problems is <em>people</em>. Maybe it's an ineffective manager or an individual who does not have the training or experience to do the job. Maybe a control is not being performed reliably because the function is understaffed.</p><p>Our goal is not popularity. Our goal has to be to provide our stakeholders with <em>actionable</em> information that will enable them to correct what needs to be corrected.</p><p>Our goal has to be to help the organization succeed! Providing a list of problems is not nearly enough.</p><p>As I look back on nine years of blogging here, I can see progress. 
For example, perhaps half of internal audit functions have moved from a rigid annual audit plan to a flexible one that makes sure you are auditing what matters now, rather than what used to matter. That progress needs to continue.</p><p>The path to success lies in our ability to challenge <em>everything</em> we have done because it is what we have always done. We wouldn't accept that from process owners. Why accept it in our own profession?</p><p>Challenge:</p><ul><li>What we are auditing.</li><li>How we are auditing.</li><li>How we communicate the results of our work.</li><li>How we provide stakeholders with what they need — actionable information.</li><li>How we can help the organization succeed.</li></ul><p>We need to be <a href="" target="_blank">brave</a> (watch the video). Not everybody in our world, from board members to staff members, is going to be happy with change.</p><p>But if we move forward and show them the value <strong><em>to them</em></strong> of addressing and then communicating what matters, it is not only possible to get their enthusiastic support, but doing so will earn you a seat at the top table.</p><p>What do you think?</p><p>Are we there yet?</p>Norman Marks
How to Improve Your SOX Compliance Program<p>If you have been following either of my blogs (hopefully both, here and at <a rel="nofollow" href="" class="vglnk">normanmarks.wordpress.com</a>), you know that I frequently call out so-called expert guidance that is anything but expert.</p><p>Recently, a software vendor teamed up with a mid-size accounting firm to publish a white paper with guidance for companies on optimizing their Sarbanes-Oxley program, a paper that should never have seen the light of day. Frankly, I am not going to waste time and space criticizing it.</p><p>Instead, I will share some suggestions of my own:</p><ol><li>Make sure you are focused on financial reporting risk! The scope should include controls required to provide <em>reasonable assurance</em> that <em>material errors or omissions</em> will be either prevented or detected. That means that the likelihood is more than a <em>reasonable possibility</em>. That means more than simply a theoretical possibility, and the error or omission has to be <em>material</em> to the consolidated financial statements.</li><li>Question why you have controls included in scope where, should they fail, there is less than a reasonable possibility of a material error or omission.</li><li>Apply the risk-based, top-down approach to the whole program, including IT general controls (ITGC) and how you address the COSO Principles. The ITGC scoping should be a continuation of the scoping, not a separate evaluation. Identify the controls that provide reasonable assurance that the COSO Principles are <em>present and functioning</em> (as defined by COSO, a defect would not be a <em>major</em> deficiency).</li><li>Be experts not only in the U.S. Public Company Accounting Oversight Board (PCAOB) standards (including AS10 and so on) but also in the U.S.
Securities and Exchange Commission's (SEC's) <a href="">Interpretive Guidance</a> and SEC/PCAOB staff guidance.</li><li>Re-evaluate the program every year! The business changes every year and the scope should be reviewed and refined every year.</li><li>Read The IIA's updated guidance (my book): <a href="">Management's Guide to Sarbanes-Oxley Section 404, 4th Edition</a>. (FYI, I receive no income from sales of this book: It all goes to the Internal Audit Foundation.)</li></ol><p>I welcome your thoughts.</p>Norman Marks
Structured for Strength<p>Audit, compliance, and risk functions have always emphasized first line of defense ownership of risk management and controls. Yet audit professionals routinely encounter clients who lack a basic understanding of controls for managing risks. How pervasive is this condition, and should senior management and the board be concerned? A formal review of the first line's risk and control capabilities may identify some significant findings:</p><ul><li>Lack of clear accountability for developing and sustaining risk and control proficiency across the first line.</li><li>Insufficient knowledge and skills among first line personnel regarding control design and risk management fundamentals.</li><li>Nonexistent monitoring of first line control design competence.</li><li>Inadequate integration of risk and control disciplines within management activities.</li></ul><p>If such potential findings ring true for your organization, I recommend establishing a function that is fully devoted to, and accountable for, closing these gaps and maintaining a capable first line. This first line center of excellence (CoE) is primarily responsible for demonstrably improving the risk and control capabilities and performance of the first line of defense across all organizational units.</p><p>Services and deliverables provided by the CoE go beyond training and awareness to include risk management tools, best practice sharing, risk and control advisement, and collaboration with the second and third lines of defense on matters of common interest. Suitably positioned, the CoE could influence management activities, performance incentive mechanisms, and operations methodologies to integrate sound risk management and control design into the organizational culture.</p><p>The CoE should be staffed with a small team of professionals who have strong working relationships across business units and all lines of defense.
Their qualifications should include an understanding of a broad range of disciplines used by the organization, and how these disciplines map to risk and control frameworks. Skills and experience in internal consulting, change management, and developing training and tools also are desirable, supported by the ability to lead, collaborate, and influence to overcome obstacles.</p><p>Where should this team reside within the organization? Let's look for a home in each of the lines of defense.</p><p> <strong>Third Line — Internal Audit — Functions That Provide Independent Assurance</strong> While audit shops have expertise in risk and control, and audit fieldwork provides insights into control weakness themes across the enterprise, internal audit is not chartered to equip the first line. Audit teams need to maintain their independence, and their primary focus is completion of the audit plan to enable relevant reporting to senior management and the board. Advisement to the first line is a secondary role, and accountability for enabling first line capabilities would be an awkward fit within the third line. </p><p> <strong>Second Line — Specialty Risk and Compliance Groups — Functions That Oversee Risk</strong> These functions likewise have expertise in risk and control, but their focus is on specialty areas such as financial control, security, fraud, quality, risk quantification, and compliance. Though enterprise risk management departments sometimes provide first line training and advisement, these services are subordinate to their risk oversight obligations, such as standards, risk aggregation, and reporting. 
As oversight units, second line functions are commonly perceived by the first line as enforcers of requirements rather than enablers, reflecting the natural tension between overseers and the overseen.</p><p> <strong>First Line — Business Operations — Functions That Own and Manage Risks</strong> Personnel across the first line are, by definition, embedded in the business and thus closest to the action. They take and manage risks constantly. They design, redesign, and execute controls daily. However, there are generally only limited pockets of risk and control proficiency, and the typical first line professional has little exposure to control design and risk management training or advice. Given the expectation that the first line excel in owning and managing risk, it appears this would be the most logical place to insert the CoE.</p><p>Many organizations have precedents for CoEs within the first line, such as specialty units devoted to project management, data analytics, or supplier management. A CoE dedicated to the first line's fundamental control and risk management responsibilities, positioned within the first line itself, would be a natural fit. It would provide first line process owners and management an unintimidating place to go to for risk and control expertise, advice, and best practices.</p><p>The pluses for the first line are clear: improved design of control environments, stronger risk management, and smarter risk taking, leading to more effective operations and increased likelihood of achieving business objectives. Moreover, an effective CoE fosters stronger ownership of risk and control where it belongs.</p><p>The second line benefits by having to spend less energy cultivating the first line, thereby enabling stronger second line concentration on its oversight mandate and risk specialties.
A proficient first line also will contribute to more positive messaging in the second line's oversight reports, reflecting a more effective first line and an improved risk management culture.</p><p>The third line can enhance its assurance that the first line is committed to excellence in risk management. The CoE itself is an auditable entity and should be regularly reviewed as such, along with its impact on the organization's risk maturity.</p><p>Senior management can leverage the existence and effectiveness of the CoE to tangibly illustrate dedication to proactive management of risk across the organization. This may be especially beneficial in highly regulated industries, as external auditors and regulatory examiners are likely to be interested in how the CoE approach improves risk diligence and operational compliance.</p><p>The organization as a whole benefits by enabling lines of defense functions to focus more fully on their primary and distinct responsibilities. This approach also improves the risk culture by enabling a healthy balance between proactive risk management through capable control design, and reactive identification of issues that need fixing.</p><p>As a key advocate for effective risk management and controls, internal audit can wield its influence with senior management and the board in support of the CoE. To bolster this business case, audit may conduct a root-cause analysis pointing to a lack of controls understanding as a key contributor to weaknesses across the enterprise. Internal audit can highlight the dangers of not having a risk and control savvy first line, and play a part in holding the CoE accountable for embedding risk and control know-how across operations.</p><p>Internal audit also may collaborate with the second line of defense to analyze repositories of audit reports, reviews, and assessments to distill control weakness themes and best practice recommendations.
These would be combined with lessons learned by the first line itself, and disseminated by the CoE to help process owners and managers avoid similar problems.</p><p>Judicious risk takers and control designers don't happen by accident, and they warrant a targeted investment. But the promise of an effective CoE goes well beyond reducing the number of disconcerting interactions with clients who don't understand risk and control. The entire organization stands to gain as improvements in business results arise from a risk culture characterized by pervasive control capabilities.</p>Lane Kimbrough
The Challenge of Risky Decisions<p>I have said many times that decision-making is at the heart of risk management. Every decision creates or modifies risk.</p><p>Decisions are where risks are taken! Decisions determine how risks are "treated" (if you like that word; "modified," "managed," or "addressed" if you don't). So we should be concerned about the quality of decision-making.</p><p>But, let's first remind ourselves about the core principles of risk management. Then let's see where decision-making fits.</p><p>The ISO 31000:2009 global risk management standard has 11 principles:</p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px;"><p> <strong>1:</strong> Risk management creates and protects value.</p><p> <strong>2:</strong> Risk management is an integral part of all organizational processes.</p><p> <strong>3:</strong> Risk management is part of decision making.</p><p> <strong>4:</strong> Risk management explicitly addresses uncertainty.</p><p> <strong>5:</strong> Risk management is systematic, structured and timely.</p><p> <strong>6:</strong> Risk management is based on the best available information.</p><p> <strong>7:</strong> Risk management is tailored.</p><p> <strong>8:</strong> Risk management takes human and cultural factors into account.</p><p> <strong>9:</strong> Risk management is transparent and inclusive.</p><p> <strong>10:</strong> Risk management is dynamic, iterative and responsive to change.</p><p> <strong>11:</strong> Risk management facilitates continual improvement of the organization.</p></blockquote><p>These are all very good. But I think they can be simplified and clarified.
In <a href="" target="_blank" style="background-color:#ffffff;"> <em>World-Class Risk Management</em></a>, I have six principles:</p><ol><li>Risk management enables management to make intelligent decisions when setting strategy, planning, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.</li><li>Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.</li><li>Risk management is dynamic, iterative and responsive to change.</li><li>Risk management is systematic and structured.</li><li>Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.</li><li>Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.</li></ol><p>The very first sentence in COSO's 2017 <em>Enterprise Risk Management: Integrating with Strategy and Performance</em> is: "Integrating enterprise risk management practices throughout an organization improves decision-making in governance, strategy, objective-setting, and day-to-day operations."</p><p>Unfortunately, while COSO has 20 risk management principles, not one relates to decision-making.</p><p>Let me suggest that if the processes for making decisions are poor, that is a huge source of risk to any organization. It is highly likely that the wrong risks are being taken (or not taken) and this will significantly impact the achievement of objectives and the delivery of value.
So achieving ISO's and my principles (arguably, they all relate to decision-making) is essential if risk management (in fact, 'management') is to be effective.</p><p>Here's an interesting fact. <a href="" target="_blank" style="background-color:#ffffff;">According to McKinsey</a>, "60 percent of senior executives say that bad decisions were about as frequent as good ones"! That should worry us all.</p><p>The McKinsey piece (see link above) has some useful information on the causes of poor decision-making. I recommend reading it. The causes of poor decision-making, which I refer to as "risks to effective risk management," are also covered in Chapter 18 of <em>World-Class Risk Management</em>.</p><p>Here are a couple of additional, useful articles on decision-making:</p><ul><li>"<a href="" target="_blank">The Anatomy of a Decision: An Introduction to Decision Making</a>"</li><li><span style="text-decoration:underline;">"<a href="" target="_blank">What Matters More in Decisions: Analysis or Process?</a>"</span></li></ul><p>So what does this all mean?</p><p><span style="text-decoration:underline;">For board members and the executive team</span>:</p><ul><li>Do you have reasonable assurance that quality decisions are being made?</li><li>Are the right risks being taken? Remember that risk is not taken only by the board or executive team. 
It is being taken through decisions made every day across the extended enterprise.</li><li>If the wrong risks are being taken as a result of poor decision-making processes, when will you know?</li><li>What is the risk of poor quality decisions?</li><li>How can the incidence and effect of poor decision-making be reduced to acceptable levels?</li></ul><p><span style="text-decoration:underline;">For risk professionals</span>:</p><ul><li>What is the level of risk of poor decisions?</li><li>Is that acceptable?</li><li>What can and should be done?</li><li>Should there be guidance from risk practitioners on decision-making?</li><li>Should the chief risk officer help management develop a decision-making framework?</li></ul><p><span style="text-decoration:underline;">For internal audit practitioners</span>:</p><ul><li>Should the risk of poor decisions be included as a priority on the audit plan?</li><li>Are there specific sources of risk to decision-making (such as poor information, lack of process and discipline, failure to work as a team and include all affected parties, and so on) that should be addressed in the audit plan?</li><li>Should the chief audit executive facilitate a discussion with the executive team on this topic?</li></ul><p>I believe this is a very important topic.</p><ol><li>Do you agree with me?</li><li>What should be done and by whom?</li><li>Is this something that should concern every practitioner?</li></ol><p>I welcome your thoughts.</p>Norman Marks
Focusing on Internal Audit Communications<p>My friend Jim DeLoach and his colleague, Brian Christensen, of Protiviti have continued their advice for internal auditors. Captioned as advice for the "future auditor," the three-part series addresses in turn risk, value, and communication.</p><p>The latest is "<a href="" target="_blank">Focusing on Communication</a>."</p><p>There is nothing wrong with the advice they offer. Each of their recommendations has value. But, as is so often the case, I believe they have missed the most critical point — especially if internal audit is to make a difference.</p><p>As I say in my presentations as well as in <a href="" target="_blank"><em>Auditing That Matters</em></a>, it is essential to:</p><p style="text-align:center;"><strong class="ms-rteStyle-BQ">Tell them what they need to know, not what you want to tell them.</strong></p><p>What do the senior executive team and the board need to know? What assurance, advice, and insight will help them succeed and achieve or even exceed their objectives?</p><p>They are focused on achieving earnings targets, improving market share and customer satisfaction, and bringing exciting new products and services to market. How do audit reports on inventory management or accounts payable relate to what they are trying to achieve?</p><p>Not so long ago, I supported the National Association of Directors at a number of events where they provided advice to board members on cybersecurity. What I heard over and over from the directors was a need for <strong><em>actionable information</em></strong>.</p><p>CAEs and their teams need to put themselves in the shoes of their stakeholders. What do they need from internal audit that will help them move with confidence to success? 
Do they need assurance that the controls over risks to new product introduction are reliable?</p><p>If you don't know what they need, how can you provide them with the assurance, advice, and insight that will help them succeed? If all you do is provide them with audit reports that are, at best, peripheral to enterprise objectives such as EPS growth, why should you expect a seat at the top table? Why should they give you more than momentary attention? Why should you believe you are valuable?</p><p>Audit the risks that matter, and then <strong><em>communicate</em></strong> your assurance, advice, and insight <strong><em>when</em></strong> it matters, in an <strong><em>actionable</em></strong> form.</p><p>Is that the traditional audit report?</p><p>I welcome your thoughts.</p>Norman Marks
