Risk and Compliance

 

 

PwC gets it right on internal audit
https://iaonline.theiia.org/blogs/marks/2017/Pages/PwC-gets-it-right-on-internal-audit.aspx
<p>I have two hands. While one is <a href="https://normanmarks.wordpress.com/2017/05/27/pwc-confuses-boards-on-risk-oversight/" target="_blank">slapping at PwC and their paper on risk oversight</a>, the other is stretched out in acknowledgement of an excellent short article by them on internal audit.</p><p><a href="https://www.accountingtoday.com/opinion/agility-and-internal-audit-yes-these-two-can-and-should-go-hand-in-hand" target="_blank">Agility and internal audit? Yes, these two can and should go hand in hand</a> is spot on target.</p><p>While I still believe that it is not internal audit's role to identify risks (as the author, Jason Pett, says at one point), it is certainly imperative that internal audit engage on every major initiative and ensure that risks to its achievement are being identified and addressed by management.</p><p>In this time of technology innovation and disruption, the technology specialists in internal audit (previously known as IT auditors) have a critical role to play.</p><p>I like Jason's talk about:</p><ul><li>Preparedness, or thinking ahead. "…agile internal audit requires auditors to face forward, plan strategically and then share their perspective with other departments and the C-suite. Working across the organization to build in flexibility and enable faster reactions are all part of preparedness."</li><li>Adaptiveness: "Agile internal audit functions are sufficiently flexible that they can shift their audit plan development, audit planning, fieldwork and reporting as circumstances change." As Richard Chambers and I have both said, "audit at the speed of risk" or "audit at the speed of the business." Discard annual audit plans in favor of agile, continuously updated audit plans that reflect the risks of today and tomorrow, not the past.</li><li>Having the skills to execute. Where necessary, partner with co-sourcing providers to enhance the internal audit team's ability to go where the risks are and will be.</li></ul><p>The IIA's core principles for effective internal audit speak to this.</p><p>An effective internal audit function:</p><ul><li>Provides risk-based assurance.</li><li>Is insightful, proactive, and future-focused.</li><li>Promotes organizational improvement.</li></ul><p>Does yours?</p><p>I welcome your comments.</p><p>Please join the conversation by clicking on the Subscribe line below.</p>
Norman Marks
Elevating the Board’s Oversight of Cyber Risk
https://iaonline.theiia.org/blogs/marks/2017/Pages/Elevating-the-board’s-oversight-of-cyber-risk.aspx
<p>I have known Jim DeLoach of Protiviti for a very long time. He's a friend.</p><p>While we may disagree on details and the way of saying things, we tend to agree more than we disagree.</p><p>For example, I frequently quote Jim when it comes to the periodic review of a list of risks. As he says, this is "enterprise <em>list</em> management," not enterprise risk management — which is about taking the right level of the right risks (my expression).</p><p>When it comes to cyber risk and the board's role, I think we again agree on more than we disagree. He has written a couple of posts for the (U.S.) National Association of Corporate Directors (the second is a continuation of his thinking):</p><ul><li><a href="https://blog.nacdonline.org/2017/03/elevating-board-oversight-of-cyber-risk/" target="_blank">Elevating Board Oversight of Cyber Risk</a>, March 2017.</li><li><a href="https://blog.nacdonline.org/2017/04/cyber-risk-oversight-questions/" target="_blank">Ask These Key Questions to Assess Cyber-Risk Oversight</a>, April 2017.</li></ul><p>These are both good food for thought. But are they enough? Are his questions and insights consistent with what I would do as a board member?</p><p>Frankly, no.</p><p>I would take each of the organization's key objectives (such as the earnings target, customer satisfaction goal, and so on) and ask the executive team how a breach might affect their achievement. It's a simple question, but it's not simple for them to answer. They would have had to complete a careful assessment of the risk a breach poses to the enterprise and to each of its business initiatives.</p><p>Most don't go far enough. They may consider the effect on a critical application and its availability, or the cost of disruption, but they haven't thought through how a breach could affect the organization's ability to provide quality products and services to its customers, the organization's reputation and what that means to revenue, and so on.</p><p>So, I would start with a single simple question. The discussion may extend to consideration of his other points, such as the ability to detect a breach and then respond. I have decided that it is better for the board (and management, including the risk officer) to stop trying to manage or mitigate risk. Instead, they should focus on what it will take to achieve the objectives of the organization: How will potential events, situations, and decisions affect that achievement?</p><p>It is easy to go overboard with concern about cyber risk. Of course it is important. But is it the most significant threat to earnings per share?</p><p>The only way to know is to answer my question: "How would a breach affect our ability to attain our critical targets, our measures for success?"</p><p>I welcome your thoughts and comments.</p><p>Please join the conversation by subscribing to this post. See link below.</p>
Norman Marks
In the Face of Nature
https://iaonline.theiia.org/2017/Pages/In-the-Face-of-Nature.aspx
<h3>When considering natural disasters, what are the biggest risks to organizations?</h3><p><strong>KASTENSCHMIDT</strong> Unlike events that impact only the organization, natural disasters can affect an entire local area or even a region. As a result, natural disasters have the potential to impact a large portion of the organization's staff, making them unavailable to participate in the recovery effort. Such events also often impact the organization's vendors, business partners, customers, etc. — all of which are factors that may significantly increase the impact of a business disruption event and the nature of the required response.</p><p><strong>WALCH</strong> Generally speaking, the biggest natural disaster risks in the U.S. are tornadoes, hurricanes, and floods. While the U.S. hasn't seen a significant earthquake in many years, Ecuador, Italy, and Taiwan all experienced catastrophic earthquakes resulting in major loss of life and business disruptions with global impact. No matter the form of the natural disaster, they all pose possible major disruption to employee health, safety, and housing — not to mention disruption to business partners and supply chain participants.</p><h3>What are the greatest risks to organizations of prolonged downtime?</h3><p><strong>WALCH</strong> Disruption of normal operations due to prolonged downtime can slow communications, ultimately resulting in brand and reputation damage that leads to customer loss, C-suite and board involvement, negative media coverage, and shareholder value loss.</p><p><strong>KASTENSCHMIDT</strong> Being unable to recover key systems and business functions adequately and in a timely manner can expose an organization to any number of unacceptable consequences. Beyond the more immediate impacts the organization may incur during downtime, such as lost revenue and additional expenses, one of the more serious long-term concerns is the potential erosion of hard-earned market share. After working for years or even decades to develop a solid market share, an organization can see it erode quickly if it is not able to meet the needs of its customers following a disaster. To keep their own businesses operational, even the most loyal customers may turn to a competitor to obtain required products or services — and once they've departed, they may never return.</p><h3>What types of staff protections should be in place?</h3><p><strong>KASTENSCHMIDT</strong> A comprehensive recovery plan must consider situations that substantially limit the availability of the organization's staff. To mitigate the risk associated with a limitation of employee availability, organizations should factor contingency staffing considerations into their recovery plans. Such considerations may include staffing redundancy or overlap for critical functions, formal cross-training of key activities, thoroughly documented standard operating procedures, and arrangements with third parties to provide required assistance when needed.</p><p><strong>WALCH</strong> Employee protections should include basic protections like the ability to shelter in place and evacuation plans, training on how to respond in a crisis, and resources available to them in the unlikely event of widespread disaster. Companies should have simple playbooks to instruct employees, notification systems, and training programs that include simulations.</p><h3>What safeguards should organizations have to protect against data loss?</h3><p><strong>WALCH</strong> Having a strategy for data backup, off-site storage, and recovery is considered mature by many business leaders. However, the exponential growth in data combined with interdependencies between systems and applications has made that more difficult. Companies of all sizes are struggling to protect against storage corruption, data leakage, and ransomware attacks. Special precautions some companies are leveraging include taking frequent data snapshots to minimize data loss, moving data off site or far from an incident location, and creating isolated networks for data backups to protect against malware attacks.</p><p><strong>KASTENSCHMIDT</strong> Many organizations have adopted system replication or similar technologies to minimize the data that would be lost if their primary systems were destroyed and they were forced to restore the systems in an alternate environment. However, despite these modern technologies and the small window of potential lost data, organizations still must consider how lost data and transactions would be replaced, reconciled, etc., following a disaster, using a backup solution that considers various factors such as potential data corruption, geographic separation, and security threats. While the potential data loss, or recovery point objective, may have decreased substantially in recent years, few backups are truly "real-time" copies, and losing even a few minutes' worth of data/transactions can be devastating.</p><h3>Why is a coordinated response important?</h3><p><strong>KASTENSCHMIDT</strong> Following a disaster, time and resources are both severely constrained. As a result, efficiency is paramount in executing an effective response/recovery effort. Without thorough coordination across the response process, participating teams and individuals may unnecessarily duplicate tasks, while other key activities may be overlooked. Furthermore, key elements of the response process — including internal and external communication — can be inconsistent or even contradictory, if not coordinated across the organization. Coordination of the response effort can not only allow the organization to recover quicker and more successfully, but it can also help to alleviate some of the impacts that can be encountered as a result of the event.</p><p><strong>WALCH</strong> We have seen strong coordinated response and recovery efforts help decrease the financial and reputational impact of prolonged outages, disasters, and incidents. A good response requires consistent information synthesis during the event. Information sharing among executives in communication, legal, operations, and human resources is vital to the success of response. Coordinated response is required for transparency to shareholders, stakeholders, and customers in the event of a natural disaster or negative event.</p><h3>What lessons can organizations learn from past large-scale disasters?</h3><p><strong>WALCH</strong> As with most things, having a plan in place is better than not. Companies that analyze their critical business processes and develop appropriate resiliency strategies to protect them are often able to respond in a more measured and cohesive manner during the hours immediately following a disaster. Planning efforts can include creating and thinking through crisis response playbooks and strategies, as well as war gaming or simulating crisis events to train leaders, employees, and sometimes business partners how to respond.</p><p><strong>KASTENSCHMIDT</strong> In the aftermath of major events such as Superstorm Sandy, many organizations determined that the way they have traditionally approached disaster recovery plan testing was simply not adequate. In particular, organizations discovered that making assumptions — or cutting corners — in their testing prevented them from uncovering severe deficiencies in their recovery strategies and plans. Although effective testing has always been an important part of the recovery planning process, some previous large-scale disasters have only increased awareness of the importance of assuring that such testing is truly realistic.</p>
Staff
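<p>The data-loss answers in the interview above describe snapshots, off-site copies and isolated backup networks only in general terms. The following Python script is an added example, not code from the interview or from any vendor: it records a SHA-256 manifest when a backup set is written, later verifies the copy against that manifest so that storage corruption or ransomware encryption of the backup itself is caught before a restore is attempted, and computes the worst-case data loss (the recovery point gap) from snapshot timestamps. The backup directory, file contents, "encrypted" bytes and snapshot times are all constructed for the example. The design assumption, stated in the comments, is that the manifest lives on storage the backup host cannot rewrite, which is the point of the isolated backup network mentioned above.</p>

```python
"""Backup-set integrity check and recovery-point calculation.

Added example; not code from the interview or from any product. The directory
layout, file contents and snapshot timestamps are constructed so it runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 and size.

    The manifest is taken when the backup is written. It must be stored where
    the backup host cannot later modify it (the isolated backup network in the
    interview); otherwise an intruder who encrypts the backup can rewrite it too.
    """
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        manifest[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
        }
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup copy against the manifest recorded when it was written.

    Reports files that are missing, whose content changed (storage corruption,
    tampering, or ransomware encrypting the backup itself) and unexpected extras
    such as ransom notes. "ok" is True only when all three lists are empty.
    """
    current = build_manifest(root)
    expected_names, current_names = set(manifest), set(current)
    missing = sorted(expected_names - current_names)
    extra = sorted(current_names - expected_names)
    changed = sorted(
        name for name in expected_names & current_names
        if current[name]["sha256"] != manifest[name]["sha256"]
    )
    return {
        "missing": missing,
        "changed": changed,
        "extra": extra,
        "ok": not (missing or changed or extra),
    }


def recovery_point_gap(snapshot_times: list, disaster_time: datetime) -> timedelta:
    """Worst-case data loss: time from the last completed snapshot to the disaster.

    Snapshots taken after the disaster are ignored; in a ransomware scenario
    they would already contain encrypted data.
    """
    usable = [t for t in snapshot_times if t <= disaster_time]
    if not usable:
        raise ValueError("no snapshot predates the disaster; full data loss")
    return disaster_time - max(usable)


def demo() -> dict:
    """Constructed scenario: manifest a nightly backup, then simulate ransomware
    reaching the backup copy (one file encrypted, one deleted, a note dropped)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
        (backup / "ledger.csv").write_bytes(b"date,amount\n2017-05-12,100.00\n")
        (backup / "README.txt").write_bytes(b"nightly backup\n")

        # Manifest kept outside the backup tree, standing in for isolated storage.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup)))

        # Simulated ransomware acting on the backup copy.
        (backup / "ledger.csv").write_bytes(os.urandom(48))       # "encrypted"
        (backup / "db" / "orders.sql").unlink()                    # destroyed
        (backup / "HOW_TO_DECRYPT.txt").write_bytes(b"pay us\n")  # ransom note

        result = verify_backup(backup, json.loads(manifest_path.read_text()))

    # Six-hourly snapshots; the incident is detected at 14:30 UTC.
    snapshots = [datetime(2017, 5, 12, h, tzinfo=timezone.utc) for h in (0, 6, 12)]
    disaster = datetime(2017, 5, 12, 14, 30, tzinfo=timezone.utc)
    result["rpo_gap_minutes"] = recovery_point_gap(snapshots, disaster).total_seconds() / 60
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

<p>Running the script reports <code>ledger.csv</code> as changed, <code>db/orders.sql</code> as missing, the ransom note as an unexpected extra, and a 150-minute gap back to the last usable snapshot. A hash manifest only detects damage; what makes it useful is a restore test that is run against a verified copy, which is the realistic testing Kastenschmidt describes above.</p>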
Does Your Organization’s Cyber Culture Make You #Wannaaudit?
https://iaonline.theiia.org/blogs/chambers/2017/Pages/Does-Your-Organization’s-Cyber-Culture-Make-You-Wannaaudit.aspx
<p>It didn't take long for social media to adopt #wannacry for last week's massive cyberattack, which hit computer networks in nearly 100 countries from the U.S. to the U.K. to China. The ransomware, known as WannaCry or Wanna Decryptor, encrypted valuable data on compromised machines and demanded payment, threatening to destroy the data otherwise.</p><p>For those of us who have spent our careers promoting good internal controls and risk management, this latest cyberattack could indeed bring tears of frustration because the attack successfully exploited some of the most basic and easily mitigated cyber risks.</p><p>First, according to cybersecurity experts quoted by multiple news outlets at the time, the perpetrators relied on simple phishing to introduce the malware through an email attachment. (Later analysis found no phishing component: the malware spread on its own from machine to machine over SMB, which makes the patching failure below the decisive one.)</p><p>Microsoft had released the patch for the SMBv1 vulnerability the malware exploited (security bulletin MS17-010) in mid-March, two months before the attack. Yet many of the attack's targets, including the U.K.'s National Health Service, fell victim because they had not applied it.</p><p>It is unfathomable to me that such attacks continue to succeed, yet the global reach of Friday's attack reflects how vulnerable we remain. It has become vogue to declare that it is no longer a matter of "if" but "when" an organization will be successfully hacked. But that message, designed to urge organizations to focus beyond prevention, may be enabling weak cybersecurity cultures.</p><p>The recently released <a href="http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/" target="_blank">2017 Data Breach Investigations Report</a> by Verizon offers telling information that confirms just how much work is left to be done. Here's a sampling of its findings, based on analysis of data breaches in 2016:</p><ul><li>81 percent of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords.</li><li>1 in 14 users were tricked into following a link or opening an attachment.</li><li>66 percent of malware was installed via malicious email attachments.</li><li>95 percent of phishing attacks that led to breaches were followed by some sort of software installation.</li></ul><p>If those statistics don't send a chill down your spine, two other key data points should:</p><ul><li>61 percent of data breach victims were businesses with fewer than 1,000 employees.</li><li>Ransomware has gone from being the 22nd most-common form of malware in the 2014 report to fifth in the 2017 report.</li></ul><p>These statistics raise the alarming specter that organizations don't appreciate the risks they face or the value of even the most basic prophylactic cybersecurity measures. As internal auditors, we must question whether our organizations' cybersecurity cultures could unwittingly allow these breaches to happen.</p><p>Providing assurance on cybersecurity involves more than just looking at whether the protocols and policies designed to block or discourage cyberattacks are in place and operating effectively. We must consider how the organization's culture influences how those protections are carried out. For example, organizations may be willing to accept higher-risk behavior in email practices in exchange for higher productivity. Efforts to protect data through encryption may be undone if rules prohibiting or limiting hard-copy versions of the data are not in place or are ignored. We also must be attuned to an organization's "IT mystique," which accepts that only IT understands certain aspects of cybersecurity and therefore can't be questioned.</p><p>Part of the solution is for internal auditors to build cooperative relationships with IT, chief risk officers, chief information security officers, human resources, and others who manage cyber risks. This is essential for internal audit to gain a clear understanding of what drives cyber risks and what influences the organization's cybersecurity culture. It must then share those insights with management and the board.</p><p>I'll leave you with a number of quick takeaways from the Verizon report that offer sound advice all organizations should take to heart:</p><ul><li><strong>Be vigilant.</strong> Log files and change-management systems can give you early warning of a breach.</li><li><strong>Make people your first line of defense.</strong> Train staff to spot the warning signs.</li><li><strong>Only keep data on a "need-to-know" basis.</strong> Only staff members who need access to systems to do their jobs should have it.</li><li><strong>Patch promptly.</strong> This could guard against many attacks, WannaCry included.</li><li><strong>Encrypt sensitive data.</strong> Make your data next to useless if it is stolen.</li><li><strong>Use two-factor authentication.</strong> This can limit the damage that can be done with lost or stolen credentials.</li><li><strong>Don't forget physical security.</strong> Not all data theft happens online.</li></ul><p>Internal auditors often deal with frustrating failures of risk management and internal controls in our organizations. Cybersecurity breaches are perfect examples of failures in multiple lines of defense. While the temptation in the face of calamitous failures is to #Wannacry, we must instead roll up our sleeves and embrace the challenges as internal audit professionals. We must #Wannaaudit.</p><p>As always, I look forward to your comments.</p>
Richard Chambers
Three Lines in Harmony
https://iaonline.theiia.org/2017/Pages/Three-Lines-in-Harmony.aspx
<p>Many organizations have implemented a three lines of defense model with each line performing risk monitoring and testing activities. As described in The IIA's Position Paper, <em>The Three Lines of Defense in Effective Risk Management and Control</em>, front-line unit management is the first line of defense, risk and compliance functions are the second line of defense, and internal audit is the third line of defense. In many cases those monitoring and testing activities overlap, which can cause audit fatigue within the business units and take time away from serving customers. In other cases there may be gaps in coverage that expose the organization to unnecessary risks.</p><p>Each line of defense has its own monitoring and oversight responsibilities, but in many cases there are areas where the testing activities to achieve these responsibilities overlap. In these instances, organizations can benefit from ensuring each line of defense coordinates with the others to avoid performing duplicate testing or monitoring activities. Coordinating the three lines of defense can minimize audit fatigue and maximize efficiency.</p><h2>Mutual Reliance</h2><p>If the testing or monitoring activities performed by the first line are well-designed and executed, the second and third lines can validate and rely on what the first line does. Similarly, if the testing performed by the second line is well-designed and executed, the third line can validate and rely on the second-line testing. Benefits an organization can realize from ensuring its three lines of defense are well-coordinated include greater efficiency, cost savings, alignment with best practices, enhanced productivity, improved consistency and quality, standardized testing methodologies, and leveraging the "right" skills for specific products or lines of business. Moreover, all three lines can use software to automate the monitoring and testing of key controls and risks.</p><p>Organizations also need to be aware of challenges they may encounter when coordinating testing across the three lines. Bringing together people with the right skills, providing necessary training, and identifying technical solutions are challenges, as is ensuring the process has appropriate quality controls. Another challenge is ensuring the appropriate service-level agreements are in place so each group is clear about its roles and responsibilities, particularly with respect to a centralized testing unit.</p><h2>Centralized Testing</h2><p>[Figure: Centralized Testing Model]</p><p>Coordination among the three lines of defense should enable the organization to design testing activities so that controls can be tested once and relied on by other groups to meet various regulatory requirements and needs. Organizations can leverage a shared service model to perform testing activities based on detailed test scripts. A centralized testing approach needs to reflect the roles, responsibilities, and accountabilities for each line of defense.</p><p>The "Centralized Testing Model" (see figure) can be used as a framework to implement more effective testing activities. Subject matter experts in each line of defense would be responsible for the more complex activities and designing the test scripts. Centralized testing groups would be responsible for conducting the detailed testing in accordance with the test scripts designed by the subject matter experts.</p><p>This model emphasizes communication, collaboration, and reliance among all three lines of defense. Organizations also should consider automating testing as much as possible and providing integrated reporting of test results. Senior management should receive consistent reporting regarding the strength of the control environment.</p><p>When considering a centralized testing model, maintaining the independence of the third line of defense is critical. Depending on the organization's structure, it may make sense to have one testing team for the first two lines, as depicted in the model, and a separate team for internal audit.</p><p>Finally, cultural maturity should be considered because organizations with more mature cultures tend to have better collaboration among business units, be proactive rather than reactive, think more strategically, and have increased consistency.</p><h2>Implementing Incrementally</h2><p>An incremental approach to implementing centralized testing across the three lines of defense may allow the organization to see benefits more quickly. Standardizing processes can lead to lower organizational costs and greater predictability.</p><p>Starting with cross-functional areas, such as third-party risk, complaint handling, credit quality, payment systems, or data quality, can yield quick wins and demonstrate the value of a centralized testing function. As the approach is implemented in the various risk domains, it is important to use a consistent methodology. The "Three Lines Implementation Methodology" (see below) can be applied to any risk domain to evaluate testing across the three lines of defense. This evaluation can identify areas where testing can be streamlined and made more efficient as well as reveal any gaps in testing.</p><p>The first step is to develop and document the risk framework based on regulatory requirements and guidance, as well as best practices. From there, the testing performed in each line of defense can be mapped to the risk framework, which can enable the organization to identify gaps and overlaps in testing.</p><p>Once the gaps are identified, the organization can determine where the testing should take place and implement the appropriate testing or monitoring. In addition, the analysis will show areas where multiple lines of defense are performing testing or monitoring activities. These are areas where the organization can focus to optimize testing and improve efficiencies to minimize audit fatigue. The organization should analyze whether testing conducted by the first or second line can be refined so it can be relied on by the second or third line of defense. Using a consistent methodology can help ensure the implementation process is repeatable.</p><p>[Figure: Three Lines Implementation Methodology]</p><h2>Best Testing Practices</h2><p>Organizations that are thinking about implementing a centralized testing model should leverage lessons learned by others who have gone down this path. Some of the leading practices for coordinating or centralizing testing in the three lines of defense include:</p><ul><li>Use subject-matter experts to support risk identification, assessment of control design, and development of test scripts.</li><li>Leverage automation through continuous monitoring routines that run regularly.</li><li>Use advanced data analytics to identify patterns and trends.</li><li>Empower small, nimble teams with advanced testing capabilities and tools to perform targeted reviews in high-risk areas in off-cycle periods.</li><li>Coordinate acquisition of data among the three lines of defense to reduce the impact on internal resources within the business lines.</li><li>Leverage the organization's off-shore resources to perform routine, high-volume testing, subject to appropriate oversight.</li><li>Leverage contingent staff and consultants to supplement the testing staff when special reviews or seasonal spikes demand increased testing efforts.</li></ul><p>Although adopting these practices to coordinate testing activities across the three lines of defense may take considerable effort, they may yield great rewards. This effort can help the organization validate that key controls are being tested and streamline testing across the three lines. Such gains can reduce audit fatigue on the front-line units so they can focus on serving customers and improve efficiencies in second- and third-line units. This can allow internal audit to provide broader, more in-depth, and complete coverage of risks and controls.</p>
Susan Burch
The Internal Audit Risk Assessment
https://iaonline.theiia.org/blogs/marks/2017/Pages/The-internal-audit-risk-assessment.aspx
<p>I am not talking about the risk assessment that drives the audit plan. I am talking about the risk that the internal audit function will not achieve its objectives!</p><p>The external audit profession has standards that require that they identify and assess the risk of an incorrect opinion on the financial statements or the system of internal control over financial reporting. (In the U.S., these are standards established by the Public Company Accounting Oversight Board. In 2010, it released Auditing Standards No. 8 through 15, which address risk assessment in the audit.)</p><p>The question is whether the CAE performs a risk assessment that identifies, assesses, and then treats risks to the efficient and effective delivery of quality internal audit services to the board and other stakeholders.</p><p>I'm not an expert on The IIA's quality assurance program, but I don't see any reference in The IIA's <em>International Standards for the Professional Practice of Internal Auditing</em> that requires such a risk assessment.</p><p>I see a lot of objectives and mandates, but I don't see where the CAE is expected to identify, assess, and then treat risks to them.</p><p>As CAE, I would certainly consider risks such as:</p><ul><li>The possibility that the audit risk assessment is incomplete or inaccurate, leading to the "wrong" audit plan.</li><li>Audit staffing (including both quality and quantity) is insufficient to deliver quality results on every engagement.</li><li>The board, audit committee, and management fail to understand those results and their implications for the governance and management of the organization (such as the need to change strategies).</li><li>Audit communications fail to provide the information our stakeholders need, when they need it, in actionable form.</li><li>Expectations from the board, audit committee, and management limit, due to their lack of knowledge, the services performed and the value delivered by internal audit.</li><li>Changes in the business are not identified promptly so that the audit plan can be updated.</li></ul><p>Does your CAE perform such a risk assessment? How confident are you in it?</p><p>I welcome your comments.</p><p>Please join the conversation by subscribing to this post — see below.</p>
Norman Marks
Risk, Controls, and Culture
https://iaonline.theiia.org/blogs/marks/2017/Pages/Risk,-controls,-and-culture.aspx
<p>This is a post in two parts.</p>
<p>First, I want to discuss the relationship between risk and controls.</p>
<p>The traditional view, which is not incorrect, is that you have controls to manage risk — to ensure that risk (both the positive and negative effects of uncertainty on objectives) is maintained at desired levels. Nothing wrong with that, except that it is an incomplete explanation of the relationship.</p>
<p>When the chief financial officer provides a report on the financial condition and results, perhaps with a forecast for the next period, we might be concerned about the completeness and accuracy of that information. We rely on the system of internal control to provide us with reasonable assurance that the report is complete, accurate, and up-to-date.</p>
<p>When the chief risk officer provides a report on the current level of risks and their potential to affect the achievement of objectives, we should similarly be concerned about the completeness, accuracy, and currency of the report.</p>
<p>Just as with the financial report, we should have internal controls over the risks that might affect the completeness, accuracy, and currency of the risk report. While we assess controls over financial reporting (internal as well as external), we may fail to consider and assess the controls over risk reporting. To do that, we must first understand the risks to reliable risk reporting — in fact, to effective risk management in decisions across the extended enterprise.</p>
<p>I discuss the many sources of risk in <a href="https://www.amazon.com/World-Class-Risk-Management-Norman-Marks/dp/151199777X/ref=sr_1_1?ie=UTF8&qid=1451362676&sr=8-1&keywords=world+class+risk" target="_blank"><em>World-Class Risk Management</em></a> and suggest we should only assess <strong>risk management as effective when we have reasonable assurance that risks to it are at acceptable levels</strong>. That is what internal audit should set as the criterion for their assessment of risk management.</p>
<p>One source of risk is an ineffective culture. The culture of the organization will affect the taking of risk.</p>
<p>And so to part two.</p>
<p>When most people talk about risk and culture, they are thinking about curbing behavior that involves taking more risk than desired. But how about when the culture leads people to be so risk averse that they don't take enough risk?</p>
<p>At the beginning of the 2008 Great Recession, according to my good English friend Richard Anderson, the banks in the U.K. were so risk averse that they stopped taking risk and were not making enough money to survive long term.</p>
<p>Banks, insurance companies, hedge funds, and so on exist to take risk. They have to assess the situation, the potential for loss and for gain, and take the desired amount of risk to drive returns.</p>
<p>In fact, every organization needs to take risk to survive. The only way to eliminate risk for a business is to close the business.</p>
<p>Another example is the risk of disruptive technology.</p>
<p>It used to be that a company couldn't afford to be on the "bleeding edge." Now they can't afford to be the second company to disrupt the market with new technology. They have to take more risk than they did a decade or so ago if they want to retain or grow market share. If they are too risk averse, they will not survive.</p>
<p>But there is more to culture.</p>
<p>Do you want a culture that emphasizes compliance with laws and regulations?</p>
<p>Arguably, that was United Airlines. If you were one of its employees, you had to follow the rules or else. The ability to use your judgment was limited.</p>
<p>Now we are starting to appreciate that a relentless focus on a single aspect of culture, such as compliance or keeping risk below "risk appetite," can increase risks in other areas such as reputation, customer satisfaction, market share, and stock price.</p>
<p>So, where am I going?</p>
<p>You have controls to provide reasonable assurance that risk is at desired levels. You have controls to provide reasonable assurance that risk management is effective. You also have controls to ensure that the behavior of management and staff is as desired: some combination of taking the desired level of risk, complying with applicable laws and regulations, and being focused on delivering optimal performance.</p>
<p>If you emphasize one aspect of culture at the expense of others, it might reduce risk in one area and increase it in others. It's all interwoven and not as simple a model as some might portray.</p>
<p>What do you think?</p>
<p>Comments, as always, are very welcome.</p>
<p>Please subscribe to this post by clicking on the link below so you will be notified of comments.</p>
Norman Marks
The Many Facets of Risk
https://iaonline.theiia.org/2017/Pages/The-Many-Facets-of-Risk.aspx
<p>Feeding the world is the great legacy of Cyrus McCormick, whose invention of the mechanical grain reaper in 1832 was the first harvesting productivity improvement in 1,000 years. Shortening harvesting time decreased the risk of missing the narrow window for harvesting ripened grain. To grow sales, he produced reapers of higher quality than competitors. Perhaps a greater innovation was the widespread introduction of equipment financing to enable farmers to buy a reaper before they received the money from their harvest. For this, McCormick had to manage credit risk.</p>
<p>McCormick's innovations illustrate that risk always has been a multifaceted concern for companies, with each facet's methods refined over time. Practically every role in any organization is directly or indirectly related to risk management. Different industries and professions have long-standing methods for managing risk. To be conversant in how the organization addresses risk, internal auditors navigating today's complex and interdependent business environment must be able to understand the risk management views and calculations used by many different disciplines.</p>
<h2>Many Perspectives</h2>
<p>Over time, organizations have created a plethora of functions that manage business risks from their own point of view.</p>
<p><strong>Product and Market Research</strong> Researchers look at risk by product or market life cycle. For example, missing customer needs, mistakes in product design, poor messaging, insufficient trial or repeat purchases, product extensions, upgrades, and delays in discontinuing a product are all risks that product managers routinely face. Mathematically, a key formula is "expected value of perfect information." Product managers are constantly asking themselves, "What is the risk (probability) of missing an insight if we don't invest more in research?" <em>New Products Management</em> by Merle Crawford and Anthony Di Benedetto is a key resource.</p>
<p><strong>Strategy and Competitive Analysis</strong> Strategic professionals look at risk in stark terms — the potential of having business value diminished by failing to understand dynamics in competitors, customers, and products (including substitutions). They are constantly asking, "What am I missing?" and looking for ways to overcome structural blindness. For strategists, the risk that springs from change creates opportunity. Taking risk and managing it better than competitors is the ultimate competitive differentiator. This is illustrated by popular books such as Jim Collins' <em>How the Mighty Fall</em>, Harold Evans' <em>They Made America</em>, and Peter Diamandis' <em>Bold</em>.</p>
<p><strong>Financial Management</strong> A central responsibility of finance is to allocate capital to the best investments. Two frequently used formulas for guiding these investment decisions are net present value (NPV) and options modeling. NPV is the more popular of the two. The numerator in the NPV formula is the risk-adjusted return of a proposed investment. The denominator is the overall or average risk-adjusted cost of capital to a business or business line. Both the proposed investment and average NPV include the time value of money. If the proposal's return is better than the average, the decision criterion is to fund the project. Options modeling extends NPV by breaking an initiative into phases. At each phase, the question is asked, "What is the probability that the value of the business options for action created by funding the initiative is greater than the cost of funds?"</p>
<p><strong>Operations Management</strong> Operations managers use a huge tool kit of risk-balancing equations. One of the most basic equations is the "economic order quantity" (EOQ), which centers on stock-out risk. For example, if too much of a perishable product is ordered, it expires and is wasted. If too little is ordered, sales opportunities are lost. To calculate the EOQ given risk, this formula includes factors such as delivery time, cost of capital, and cost of storage space. Bar code check-outs have become important because they provide more precise data to calculate EOQ to manage stock-out risk.</p>
<p><strong>Marketing Execution and Sales Management</strong> "What will be the year, quarter, month, week, and day-end sales?" This is the critical question from marketing and sales managers. Forecasting is vital to allocating marketing and sales resources as well as ordering the right quantities of the right products for the right locations. A key risk management method is analysis of the marketing-sales funnel. In the new world of online sales, "clicks" funnel stages include people aware of a product, aware of a seller, visiting a website, clicking around, putting a product in a shopping cart, ordering, ordering again, and telling their friends. Today's forecasts are cascades of probabilistic equations tracking the clicks through online shopping chains.</p>
<p><strong>Human Resources</strong> Hiring and resource planning, from the initial job posting to the interview and selection process, is about risk management. What's the risk a job candidate won't perform as expected? Reducing this risk is the reason organizations engage expensive consultants to conduct personality surveys, emphasize employee benefits and retirement plans, and create on-boarding plans.</p>
<p><strong>Quality Management</strong> Quality and risk are closely related. Quality is about the probability that products will meet expectations. Risk is about the probability of a defective product.</p>
<h2>The Common Thread</h2>
<p>For all their differences, these business disciplines share many risk-related concepts and assumptions. A common thread running through their risk management processes relates to the use of mathematical concepts, which have been refined over many decades. For all of them, math based on probabilities is central to managing risk. Other common ground includes:</p>
<ul>
<li>Managing risk is needed to enable taking risk — sometimes huge risk — to achieve objectives.</li>
<li>Risk resides in a dynamic world of change, complexity, and fatigue. These are the three catalysts of risk.</li>
<li>Each process requires an appreciation of systems, interconnectedness, and the need to understand deep root causes and process interactions.</li>
<li>Asking "what if?" with scenario analysis is the heart of managing risk.</li>
<li>Decisions seek to optimize risk and return.</li>
<li>The roots of risk management are millennia old.</li>
</ul>
<p>In short, appropriate risk mathematics and management methods matter. Internal auditors, while rotating their focus from one part of the organization to another, can observe and learn from each role's math and methods.</p>
<h2>Cross-pollinating Risk</h2>
<p>By learning from the risk methods in each business area, internal auditors can help cross-pollinate risk methods across the organization. Opportunities to cross-pollinate include bridging strategy and finance through the options modeling approach, smoothing the flow of risk math from all business areas into the risk calculation used inside options models or NPV, streaming together the quality improvement and sales risk analyses to make it more likely that quality will be free of cost, and encouraging teams to come together in scenario analysis workshops to more easily achieve shared business objectives. Each bridge built could become financial value created and personal trust earned.</p>
Brian Barnier
Internal Audit and Fraud Risk
https://iaonline.theiia.org/blogs/marks/2017/Pages/Internal-audit-and-fraud-risk.aspx
<p>Are internal auditors obsessed with fraud?</p>
<p>Are they terrified that a fraud might be uncovered and that management and the board would ask "where was internal audit?"</p>
<p>There is some merit to each of these. But does it mean that every audit department should have fraud risk toward the top of its risk-ranked audit plan?</p>
<p>Okay, the Association of Certified Fraud Examiners' annual surveys put the risk of fraud at around 5 percent of revenue every year. But that statistic should be viewed with caution. For example, it includes the risk that employees will use corporate assets like laptops for their personal use. Few individual frauds amount to more than $100,000, so to get to 5 percent of revenue you have to assume that many, if not most or even all, possible frauds occur. Is that likely?</p>
<p>In fact, few organizations are brought down or even materially impacted by fraud.</p>
<p>Let's consider some sources of risk that may be found at many, if not most, organizations:</p>
<ul>
<li>The effectiveness of risk management.</li>
<li>The quality of information used in decision-making.</li>
<li>Strategy-setting.</li>
<li>The decision to acquire or divest a business.</li>
<li>The ability to successfully develop and introduce new products and services.</li>
<li>The ability to identify the value of and then deploy new technology.</li>
<li>Cybersecurity.</li>
<li>Customer satisfaction and product/service quality.</li>
<li>Marketing.</li>
<li>Hiring, retention, and development of people.</li>
<li>The effectiveness of the management team.</li>
<li>The effectiveness of the board.</li>
<li>The ability of IT to meet the needs of the business.</li>
<li>The completion of major projects on time and within budget.</li>
<li>Efficient procurement.</li>
<li>Management of the sales pipeline.</li>
<li>Sales contracting.</li>
<li>Revenue recognition.</li>
<li>Tax.</li>
</ul>
<p>Now where would fraud risk rank among these — and I am sure your organization would have other high-risk areas?</p>
<p>Have a look at the following from The IIA:</p>
<ul>
<li><a href="https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Definition-of-Internal-Auditing.aspx" target="_blank">The Definition of Internal Auditing</a>.</li>
<li><a href="https://na.theiia.org/standards-guidance/Pages/Mission-of-Internal-Audit.aspx" target="_blank">The Mission of Internal Audit</a>.</li>
<li><a href="https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Core-Principles-for-the-Professional-Practice-of-Internal-Auditing.aspx" target="_blank">The Core Principles for the Professional Practice of Internal Auditing</a>.</li>
</ul>
<p>Can you find the word "fraud" in any of the above?</p>
<p>Internal audit cannot ignore fraud, but it should not be obsessed with it either. We should understand the level of risk, give it an appropriate level of attention, and then explain that to the board and top management. After all, it is, or should be, management's responsibility to prevent and detect fraud. We can help by providing assurance that they are managing the risk of fraud, but it is theirs to manage, not ours.</p>
<p>If the audit committee insists that we have a larger role, then fine. But they should understand that this would mean diverting our scarce resources away from higher risk areas.</p>
<p>I agree that internal audit should align its work with the interests and desires of the board. But those interests and desires should be educated ones. One of the duties of the chief audit executive is to help the board understand the role and capabilities of internal auditing.</p>
<p>Our work should be driven by risks to the enterprise as a whole, what I refer to in my book, <a href="https://www.amazon.com/Auditing-that-matters-Norman-Marks/dp/1537662023/ref=asap_bc?ie=UTF8" target="_blank"><em>Auditing That Matters</em></a>, as enterprise risk-based auditing.</p>
<p>Do you agree or disagree?</p>
<p>I welcome your comments.</p>
<p>If you want to be notified of comments so you can join the conversation on this post, please subscribe using the link below.</p>
Norman Marks
Risk and the United Airlines Fiasco
https://iaonline.theiia.org/blogs/marks/2017/Pages/Risk-and-the-United-Airlines-fiasco.aspx
<p>I think we can all agree that what happened to the United Airlines passenger who was forcibly removed from the plane was a disaster not only for the passenger but for the airline.</p>
<p>Sometimes being in the right according to the law is not enough.</p>
<p>But this post is not about that.</p>
<p>It's about the fact (a highly likely assumption) that what happened was not on the company's risk register or the heat map shared with executives and the board.</p>
<p>It's fine to have a list of the "top risks" or the "strategic risks," but what actually causes harm or even disaster to an organization is more often than not the result of a bad decision. Perhaps there have been a series of bad decisions, where people didn't think through well enough what might or might not happen.</p>
<p>The United (UA) CEO said that the company's on-site staff was following policy.</p>
<p style="text-decoration:underline;"><em>Somebody wrote and somebody else approved that policy.</em></p>
<p>Did they think through what might happen if the policy was followed and the passenger refused to leave? Did they consider not only the possibilities of legal action (assuming that the action was legal and the "risk" was low) but the reputation damage, including whether other passengers would decide not only to avoid UA in the future but spread the word and video recordings on social media? What about the possibility that other passengers would be affected, either defending the passenger or being harmed by him or the security personnel?</p>
<p>I doubt that they thought it through. As a result, they made what most would agree was a poor decision.</p>
<p style="text-decoration:underline;"><em>Somebody within UA decided to follow the policy.</em></p>
<p>Did they also think through what might happen? Did they consider that the airport security staff might use what others might consider excessive force to remove the passenger? Did they even consider not following policy and exercising their legal rights?</p>
<p>Again, I doubt that they thought it through.</p>
<p>They may or may not have considered all other options to get crew to their destination (the passenger was removed so that UA crew members could get to a plane they were to man). For example, I wonder whether the issue was escalated so that more senior UA management could assess other options for getting crew for that plane, including moving other personnel around, or delaying the departure of the plane so that crew could get to it on another flight.</p>
<p style="text-decoration:underline;"><em>UA staff on the plane took no action when the passenger was being removed.</em></p>
<p>To my knowledge, neither UA gate personnel nor crew members stepped in on behalf of the passenger when force, perhaps excessive force, was being used to remove him.</p>
<p>Was that a good decision? In hindsight, no, it was not.</p>
<p>Did those individuals consider what might happen if they took action, or if they stood by and allowed it to happen without comment?</p>
<p>UA's stock price declined 1.13 percent on April 11th following the news. They also refunded the fares of every passenger on the flight and are now facing a lawsuit.</p>
<p>Was that within management's "risk appetite"?</p>
<p>Risk was taken with each of the decisions and lack of decision in this incident.</p>
<p><strong>Did the company's risk appetite statement help the decision makers?</strong> I strongly doubt it.</p>
<p>I am recounting all of this in support of my contention that a risk appetite framework, a list of top risks in a risk register, the periodic review of a list of risks by management and the board, and even "objective-based ERM" (i.e., the assessment of whether objectives are likely to be achieved) are insufficient.</p>
<p>Risk is being taken every hour of every day across the extended enterprise.</p>
<p>Every hiring decision creates or modifies risk.</p>
<p>Every selection of a vendor creates or modifies risk.</p>
<p>Every sales proposal creates or modifies risk.</p>
<p>Every word to an employee can create or modify risk.</p>
<p><strong>The only way to provide reasonable assurance that the right level of the right risk is being taken is to address the quality of decision-making at all levels of the organization.</strong></p>
<p>Is it disciplined and informed, and are all potentially affected individuals included?</p>
<p>In other words, risk management is about effective decision making, or should I say effective management.</p>
<p>I welcome your thoughts.</p>
Norman Marks
