Risk and Compliance



From Risk Management to Risk Leadership
https://iaonline.theiia.org/blogs/marks/2017/Pages/From-Risk-Management-to-Risk-Leadership.aspx
<p>My congratulations go to <em>NonProfit Quarterly</em> for their interview this month with David Renz[1]. </p><p><a href="https://nonprofitquarterly.org/2017/07/18/from-risk-management-to-risk-leadership-a-governance-conversation-with-david-o-renz/" target="_blank">From Risk Management to Risk Leadership: A Governance Conversation with David O. Renz</a> has great content, not only for nonprofits but for <span style="text-decoration:underline;">all</span> of us. Here are some excerpts (<em>emphasis</em> added):</p><ul><li>the imperative here is to embrace risk leadership rather than just risk management. The question is, <em>are we taking the most appropriate risks our constituents and stakeholders deserve from us, as well as engaging in an appropriate level of fiduciary care</em>? </li><li><em>the risk-averse—and, frankly, risk-agnostic—character of board behavior leads organizations to continue operations in program areas beyond the time when they are really delivering the greatest value to and for the stakeholder and client communities they exist to serve</em>. There is less perceived risk in being slow to act to make change; organizations seem to think it's safer to make the move to new and different kinds of programming—innovative and entrepreneurial new strategies—only when it's extremely clear that such change is necessary and well advised. <em>But the risk is that of mission performance</em>. You may well be short-changing your clients in a world where the changes in client need warrant earlier and more dramatic changes in programs and services.</li><li>For me, the bottom line is that there is <em>a myriad of elements that combine to affect how well a board and its members address the issue of risk</em> in the governance of a nonprofit organization. Some are the result of varying levels of knowledge, experience, and overt attention that boards and their members bring to the consideration of risk and what is warranted and appropriate for their organization; and some are the result of seemingly irrelevant factors, such as group and interpersonal dynamics. And they all affect organizational effectiveness. <em>It's time for executives and boards to consider how to more fully and effectively prepare boards to engage in the increasingly important work of risk leadership as well as risk management. Our organizations' futures depend on doing this well.</em></li></ul><p>What I like is the recommended shift from traditional risk management thinking – <em>what might go wrong</em> – to a focus on whether the <em>right levels of the right risks are being taken</em> (something I discuss at length in <a href="https://www.amazon.com/World-Class-Risk-Management-Norman-Marks/dp/151199777X/ref=sr_1_1?ie=UTF8&qid=1451362676&sr=8-1&keywords=world+class+risk" target="_blank">World-Class Risk Management</a>) – the result of <em>informed and intelligent decision-making</em>.</p><p>Those involved in nonprofit leadership will benefit from the discussion of board functions at those organizations, but several of the points also are relevant for other organizations, including whether group dynamics affect board decisions.</p><p>I close my in-person presentations with a slide that asks whether you are helping your organizations succeed.</p><p>The focus of risk practitioners has to be answering this same question:</p><p>"Are you helping your executives, board, and management across the extended enterprise make informed and intelligent decisions that drive the organization to success – the achievement of its objectives by intelligent risk-taking?"</p><p>Making executives or the board risk-averse is paving the path to failure, not to success.</p><p>Please contrast this article and discussion with my other post on <a href="https://normanmarks.wordpress.com/2017/07/22/positioning-risk-management-to-succeed/" target="_blank">Positioning risk management to succeed</a>.</p><p>I welcome your comments.</p><p>[1] David Renz is the Beth K. Smith/Missouri Chair in Nonprofit Leadership and the director of the Midwest Center for Nonprofit Leadership, an education, research, and outreach center of the Department of Public Affairs in the Henry W. Bloch School of Management at the University of Missouri-Kansas City.</p>
Norman Marks
A Smarter Approach to Third-party Risk
https://iaonline.theiia.org/2017/Pages/A-Smarter-Approach-to-Third-party-Risk.aspx
<p>For many organizations, third-party risk became a serious topic of conversation in late 2013 when the U.S. Office of the Comptroller of the Currency (OCC) released Bulletin 2013-29, Third-party Relationships: Risk Management Guidance, replacing its more basic principles from 2001. Although some businesses had previously begun addressing third-party data security concerns, most were not evaluating controls across the full spectrum of third-party risks before this new guidance was issued.</p><p>The near implosion of the global financial system several years ago played a large part in the increased focus on third-party risk management. It placed a direct light on critical banking operations that had been outsourced to third parties. Financial institutions, starting with national banks, were now being held responsible not only for their own risk management practices but for those of the third parties they rely on. And of course, these risks extended to industries far beyond financial services. High-profile data breaches at well-known corporations brought additional attention to the role third parties play and the impact they can have on a company's clients and employees. </p><p>Today, organizations across industries continue to look for ways to lower costs and increase efficiencies by outsourcing services to third parties. The trend has led companies to expand or optimize their third-party risk programs. Many programs, especially within regulated industries, are evolving to meet business performance goals and regulatory expectations, which requires a balance that manages risk without stifling the business or costing too much. 
Organizations have invested significant capital toward hiring qualified staff, implementing an effective governance and organizational structure, and procuring the right technology to run third-party risk programs.  </p><p>But as these programs have developed, are they truly efficient and sustainable? For many, the answer is no. Organizations are finding they lack risk management efficiencies to adequately support business objectives. Business units find themselves unable to contract with third parties as quickly as they have in the past, delaying the launch of new products and services. The experience has left business leaders frustrated, often pitting procurement and risk management functions at odds over how much risk management overhead is enough.</p><p>So what are forward-thinking companies doing? First, they focus with laser precision on the third parties and services that represent the biggest risks and they efficiently implement strategies to manage them. Second, they realize the value of pooling resources and sharing risk intelligence with their peers. This two-pronged approach yields more robust and efficient management of third-party risk, with internal audit playing a key role in the process. </p><h2>Identify the Greatest Risks</h2><p>Organizations need to develop plans to mitigate and monitor those threats that create the biggest impact on business operations. Resources and skills should center on what matters most to the business, which requires careful planning and a true understanding of the third-party risk profile.  </p><p>Organizations focused on high-impact risks take a smarter approach by creating risk profiles at the service and third-party levels. They understand the inherent risk of the services they procure and the specific due diligence required to evaluate the third party's control environment. This knowledge limits the need to repeatedly ask questions of the business each time they require services. 
This approach enables the organization to shift focus to exceptions that don't meet the standard risk profile for the outsourced service. Other attributes of forward-looking companies with a desire to work smarter include: </p><ul><li>Maintaining an accurate and ongoing inventory of third parties and their services with a map to the specific risks to be assessed and monitored (e.g., those third parties that have access to personally identifiable information for employees or clients).</li><li>Evaluating and managing preferred suppliers for each expenditure category, eliminating those that don't fit the organization's defined criteria (including risk profiles).</li><li>Defining inherent risk ratings by service type and managing to the exceptions as described earlier.</li><li>Communicating third-party risk in business terms using advanced data analytics.</li><li>Developing key risk and key performance indicators that help identify areas where third-party risk levels may be increasing.</li><li>Actively monitoring third-party networks for signs of security incidents and malicious activity using security ratings and threat intelligence services such as BitSight, RiskRecon, or SecurityScorecard.</li><li>Managing reputation and compliance risks, such as negative news and new regulations, with continuous monitoring tools.</li><li>Understanding and monitoring geopolitical risk for outsourced services.</li><li>Lowering program costs by implementing integrated third-party risk technology solutions.</li></ul><p>Internal audit should help ensure that the business is managing these processes effectively. Moreover, it should make sure the third-party risk management team's program is updated as new risks are identified and evaluate the overall governance and risk management program each year to determine whether the greatest effort is focused on the highest risks.</p><h2>Optimize Due Diligence</h2><p>A company's third-party risk programs can raise hundreds of due diligence questions. Targeted areas commonly include information security, business continuity/disaster recovery, legal and compliance, technology systems, and financial condition, to name just a few. Due diligence is often performed manually across these areas, and the process can be time-consuming. Third-party risk leaders first need to understand the outsourced service to determine risk exposure and appetite and then send the right questionnaires to the third party, hoping they're completed and returned on time. Leaders must then review the responses, followed by issuance of risk recommendations — all before the business can sign a contract. </p><p>Many organizations seeking a better approach are beginning to value the concept of group intelligence and consortiums as a means of sharing third-party due diligence data. They've discovered that third-party risk is not an area one company should solve on its own. When it comes to critical services, nearly every organization — regardless of industry — will most likely be sharing a third party with competitors or industry peers. Why should an organization develop its own set of risk domains and due diligence questions when others are compiling the same information?</p><p>Third-party companies receive numerous risk questionnaires from their other customers and most likely do not maintain consistency across all their responses. More importantly, when an incident occurs with a third party, it can affect multiple clients. 
Having the ability to collaborate quickly with industry partners to respond to risk and potential fraud provides a consistent and more efficient way to address the impact. </p><p>As an example, four global investment banking and wealth management companies, along with a leading data aggregator, collaborated to build a third-party risk consortium designed to solve the inefficiencies created by their individual third-party risk programs. They developed a centralized data utility that enables firms to standardize and simplify their third-party risk management programs — specifically, due diligence and ongoing monitoring processes. The utility simplifies these processes considerably by aggregating third-party data in a centralized, multilateral model. Members can download third-party due diligence responses on demand as opposed to sending out individual questionnaires. They can also receive proactive notification of negative news and relevant events (e.g., mergers/divestitures) as well as monitor information security threats and financial viability measures in one centralized utility. Moreover, members who share the same third parties have the opportunity to collaborate over on-site visits and data verification exercises, aimed at lowering costs and improving data consistency. The consortium is designed to adjust over time as the threat landscape changes and improvements are made.     </p><p>Consortium models are not new and have proven successful in certain circumstances. Many forward-looking companies are now evaluating risk consortiums as they seek broader views on how risks are managed across their own industries, in light of pressure to reduce costs and the need to increase efficiency. Internal audit has an important role with regard to consortiums. Auditors can examine the integrity of the consortium technology, access and security control, permissions, and data integration into company systems. 
The integrity of the data used by members of the consortium is critical, and it constitutes an area of high risk and priority. Auditors may also want to determine whether the consortium has been reviewed by Legal to ensure the arrangement does not run afoul of anti-trust regulations.</p><h2>Additional Areas of Focus for Internal Audit</h2><p>Because third-party risk can affect the whole business, internal audit is in a unique position to assist by performing monitoring activities and reporting on its organizationwide findings. As the third line of defense, internal audit provides assurance on the effectiveness of governance, risk management, and internal controls. The third-party risk management team is normally organized as part of the second line of defense, with the business forming its first line. To collaborate effectively, internal audit must understand the working relationship between the business and the third-party risk management team. This process starts with understanding the organization's risk culture, typically defined as the beliefs, values, attitudes, and behaviors related to risk awareness, risk taking, and risk management. How are the business and third-party risk teams interacting? Do they meet regularly to assess their most critical third parties? Do they agree on the priority of third-party risk? </p><p>Internal auditors should examine meeting minutes and other communications between key business leaders and the third-party risk team, as they will provide insight as to the strength of processes and controls around third-party risk. Some additional leading risk management practices for internal audit include: </p><p></p><ul><li>Naming a central point of contact within the audit function to liaise with the third-party risk management team, similar to other enterprise risk functions. 
</li><li>If operating in a regulated environment, understanding the guidelines organizational business and risk leaders must follow in addition to any available exam procedures (e.g., OCC's 2017-7, Third-party Relationships: Supplemental Examination Procedures).</li><li>Determining whether the third-party risk program is focusing its efforts on areas that pose the greatest risk. If so, is the risk management team consistent with this approach? Has it outlined the methodology used to segment risk profiles by severity? Is the team working smart or just working hard?</li><li>Reviewing the program governance and risk escalation process. Is it disciplined? Is the vendor due diligence robust? Does it include a sufficient approval process?</li><li>Evaluating the process for handling unplanned terminations for a critical third party. Has the program adequately defined a workaround while the service is either brought in house or replaced by another third party?</li><li>Determining what documentation is maintained and whether it provides an adequate audit trail to easily determine what risks and related controls are operating as designed.</li></ul><h2>Keeping Risk in Check</h2><p>Without a doubt, companies need to enhance their third-party risk programs as third parties continue to drive the execution of organizational processes and help optimize performance. The value of managing risks associated with outsourcing a critical business service to a third party is shared across the organization, and it represents a vital component of protecting shareholder value. Internal auditors should keep in mind that their role in this process is critical to providing assurance that third-party risk management performs optimally.</p><p>Forward-thinking organizations focus their skills and talents on core business processes and look for creative ways to outsource noncore processes. 
Although more and more organizations are moving in this direction, they must still make sure their vendors are providing consistent, efficient services and that risks associated with using third-party vendors are minimized. </p>
Michael Rose
The Risk in the Control Environment
https://iaonline.theiia.org/2017/Pages/The-Risk-in-the-Control-Environment.aspx
<p>The control environment was not routinely discussed in executive or board meetings before the U.S. Sarbanes-Oxley Act of 2002 was enacted. Since that time, auditors have focused on evaluating the existence and execution of elements of the environment. Most discussions reflect how a positive control environment can strengthen the organization's overall culture and ethics program. However, it can also be viewed in reverse — what risk does a poor control environment bring to the organization? </p><p>"Tone at the top," "management philosophy and operating style," and "segregation of duties" are phrases commonly used to describe the control environment. These attributes are difficult to measure accurately. An environment that is not effectively evaluated, measured, and monitored may spawn many unacceptable internal and external risks. </p><p>As if the risk of an improperly functioning control environment is not enough, the concept is complicated when internal auditors attempt to communicate control environment weaknesses to management. Many organizations rely on questionnaires and anonymous surveys for their assessments. Organizations must proactively look beyond these techniques and evaluate the overall transparency of their assessment methods. </p><p>The subjective, nontransaction-oriented nature of the control environment creates many challenges. Organizations establish policies, but as changes occur, those policies may no longer be effective. The control environment changes, as well. To address the risk of a poor control environment, organizations must evolve their assessment methods. </p><h2>Tone at the Top</h2><p>An organization's tone is often interpreted as the tone conveyed by senior leaders. This makes evaluation a political hot potato. It can be perilous for internal auditors to advise management that certain actions may not be "setting the right tone." Yet, to address the risk appropriately, auditors must provide assurance that the policies management has put in place are executed effectively.</p><p>For example, Acme Inc. maintains an authorization policy for procurement professionals. On the surface, this appears to contribute to a strong control environment while mitigating the risk of conflicts of interest. However, what if the policy does not cover strategic areas such as contract approvals, management overrides, and monitoring methods? Also, assume the policy was created strictly by the finance organization. Taken in the aggregate, each of these factors could create risk to the control environment. </p><p>This situation creates a dilemma. How should these risks be communicated to management? What if issues are communicated, but management concludes the gaps are not significant concerns? Management's basis for this conclusion may be that no actual problems have been identified to date. To address the risk appropriately, auditors must ask, "If an issue has not yet come to light or been identified, should that fact minimize the finding?" </p><p>What if the auditor's opinion of the gap's severity differs from management's opinion? Organizational leaders may push back if they receive a poor control environment assessment. An obvious step for internal auditors may be to speak to the audit committee, but this can be challenging. It may be difficult to communicate a control environment gap to an audience that has been preconditioned by management's view. </p><p>To resolve these dilemmas, auditors can: </p><ul><li>Ensure they have authority to analyze and communicate the situation beyond just the existence of policies. </li><li>Ensure management understands the difference between a control gap and a control failure. It is important to know whether the gap has created a failure, but the fact that it hasn't failed to date should not minimize the impact of the gap. The inability to recognize this cause-and-effect relationship will put the control environment at significant risk.</li><li>Encourage independent communication with board members. If management and the auditor disagree about the severity of the issue, the board must be open to both sides of the argument. </li></ul><h2>Management Philosophy and Operating Style</h2><p>Philosophy and operating style include how management executes its day-to-day responsibilities and the manner in which executives provide overall direction. Consider an example of quarterly attestations and their impact on the control environment. U.S.-traded companies have procedures in place for affirmation of internal control processes for Sarbanes-Oxley Section 302. These procedures often involve business-unit managers providing personal subcertifications on controls for their areas of responsibility. </p><p>Assume the procedure for quarterly attestations was established several years ago. The subcertification states: "To the best of my knowledge, internal control procedures and financial information within my area of responsibility are accurate and complete." The certification was originally accompanied by specific training for the business-unit leaders. </p><p>Fast forward several years. Many personnel signing the attestations are individuals who have been promoted into new positions but have not been trained on the attestation requirements. New management views the process as a "step" they must complete each quarter because of compliance requirements. If the auditor assumes the standard process of attestation is effective, there may be a risk to the control environment. Because the attestation is a simple signature, the risk exists that management is simply following a legacy process and does not understand the need for disclosure controls. One solution is to review with management the Sarbanes-Oxley requirements and the potential fines and liabilities for improper attestations. Outlining the risk may convince management to re-evaluate and solidify the process. </p><h2>Segregation of Duties</h2><p>A strong control environment can only be supported through appropriate segregation of duties. Segregation of duties assists in mitigating the potential for one person to maintain control over an entire process, and thus to have the opportunity to perpetrate some undesirable behavior. When evaluating the sufficiency of segregation of duties, internal auditors examine responsibilities around transaction authorization, recording, custody of assets, and reconciliation. </p><p>Depending on organizational resources, it may not be possible for the organization to fully implement appropriate segregation of duties. In this situation, auditors must assess the risk embedded in the processes, attempt to quantify the risk, communicate their observations to management, and provide alternative methods by which management can monitor transaction activity or provide additional checks and balances for the process. </p><h2>A Thorough Assessment</h2><p>The control environment is the foundation upon which an organization can effectively execute strategy. If management focuses only on "check the box" activities, it will miss critical attributes that may result in major gaps that ultimately impact the organization's viability and control environment. That is why it is important for internal auditors to fully assess gaps or flaws and provide adequate assurance regarding the sufficiency of controls. </p>
Lynn Fountain
What Makes a Good Board?
https://iaonline.theiia.org/blogs/marks/2017/Pages/What-makes-a-good-board.aspx
<p>Recently, a number of pieces have been published with guidance for assessing how well your board of directors is performing.</p><p>They merit the attention not only of board members and their advisors, but internal auditors and risk practitioners (because of governance-related risks).</p><p>One is by Dr. Debra Brown of Governance Solutions (formerly Brown Governance). </p><p><a href="https://www.governancesolutions.ca/governance-solutions/publications/highperformancemarkersboard" target="_blank">The Top Ten Markers Of A High-Performance Board</a> is the result of her 25 years of working with boards and makes some interesting points.</p><p>The ten attributes are:</p><ol><li>Practice participative leadership.</li><li>Share responsibility.</li><li>Align with purpose.</li><li>Encourage high levels of communication.</li><li>Focus on the tasks of the board and the results of the organization.</li><li>Orient toward the future.</li><li>Make use of diverse and creative talents.</li><li>Respond rapidly to organizational needs.</li><li>Have a healthy risk appetite.</li><li>Are comfortable with dissent.</li></ol><p>I like all ten, especially #6 and #9. This is what she says about risk appetite, which may surprise you:</p><p><span class="ms-rteStyle-BQ">An inordinate amount of focus has been placed on the downside of risk at the cost of upside opportunity. A high-performance board has a risk appetite suitable for the organization and the sector it is in — it decides on opportunities in a calculated and measured way, while at the same time acting with courage, wisdom, and common sense.</span></p><p>A different perspective is offered in <a href="https://knowledge.insead.edu/blog/insead-blog/12-questions-to-determine-board-effectiveness-6166" target="_blank">12 Questions to Determine Board Effectiveness</a>. Most of the twelve are true-or-false statements:</p><ol><li>My board maintains a proper ratio of governing vs. executing.</li><li>My board possesses the required competencies to fulfil its duties.</li><li>The frequency and duration of my board meetings are sufficient.</li><li>How frequently does your chairperson meet with management: weekly, fortnightly, monthly, or otherwise?</li><li>Is this frequency excessive, adequate, or insufficient?</li><li>My board possesses the ideal mix of competencies to handle the most pressing issue on the agenda.</li><li>The executive team is competent/capable. If "false," is your board acting on this?</li><li>My chairperson is effective.</li><li>Does your board effectively make use of committees? If "yes," how many and for which topics? If "no," why not?</li><li>Recruitment/nomination of new board members adheres to a robust process.</li><li>My board performs a board review annually.</li><li>Think of a tough decision your board has made. Recall how the decision was reached and results were monitored. Was "fair process leadership" (FPL) at play?</li></ol><p>These are all good food for thought, but are they sufficient?</p><p>While #7 is critical ("The executive team is competent/capable. If "false," is your board acting on this?"), surely it should be #1, not #7!</p><p>How about these questions?</p><ol><li>Does the board exercise an appropriate balance of trust and skepticism when listening to the executive team? Does it at all times represent the interests of the stakeholders?</li><li>Does the board persist with its questions when the answers from the executive team are insufficient?</li><li>Does the board have a sufficient understanding of the organization's ability to create value for stakeholders and the environment in which it operates to be comfortable that the best strategies, goals, and objectives have been set among available options?</li><li>Does the board have a sufficient understanding of those strategies and plans to provide effective oversight and constructive advice?</li><li>Does the board have confidence in the ability of management to identify and manage risks to the achievement of its objectives in a dynamic and turbulent world?</li><li>Does the board have confidence in the culture of the organization and behavior of its personnel at all levels?</li><li>Is the board ready and willing to "fire" directors when they no longer provide the necessary value?</li><li>Do the members of the board have sufficient access to members of the management team?</li><li>Does the board receive the information it needs, when it needs it, in a useful form?</li><li>Does the board set executive compensation levels and targets that balance the need to attract and retain talent with the interests of its stakeholders?</li></ol><p>I think the board is unlikely to be effective if it fails any of these 32 questions, and there are probably more that can be asked.</p><p><span style="text-decoration:underline;">For the board</span>: consider these in your self-assessment and in driving necessary change.</p><p><span style="text-decoration:underline;">For risk practitioners</span>: understand the risk of poor or ineffective governance and consider how that should be communicated.</p><p><span style="text-decoration:underline;">For internal auditors</span>: understand the risk of poor or ineffective governance and find a way to help the board address it.</p><p>I welcome your comments.</p>
Norman Marks
How to Audit Culturehttps://iaonline.theiia.org/2017/Pages/How-to-Audit-Culture.aspxHow to Audit Culture<p>Enron, Worldcom, FIFA, General Motors, Volkswagen, and Wells Fargo are just a few examples of scandals caused by organizational cultures that encouraged inappropriate behavior. The reputation risk cries out for audit coverage, yet only 42 percent of internal audit functions are auditing their organization's culture, according to The IIA's 2016 North American Pulse of Internal Audit study. </p><p>Auditing an organization's culture can be challenging because of its complexity, its subjectivity, and the potential resistance of key players. However, approaches and techniques pioneered by some internal audit functions can help auditors successfully enhance coverage of culture.</p><h2>Complexity of Culture</h2><p>One definition of culture is "the actual values that influence everyday behavior within the organization." These are not the organization's stated values or desired values, but the values people actually live by in the workplace. Culture is shaped primarily by tone at the top, but it is also influenced by factors such as business strategy, organizational structure, incentives, employees' personal values, and human resource practices. Each factor interacts with the others in a complex web. Adding to this complexity are: </p><p> <strong> Subcultures Managers</strong> create subcultures within their spheres of influence, which might not be consistent with the organization's culture. This challenge is an opportunity for internal audit because it can be identified during audits and provide valuable information for higher-level management. </p><p> <strong> Different Cultures</strong> There is no right culture and no ideal risk/reward balance, even for different parts of the organization. For example, finance may have a more conservative culture, and sales may have a more aggressive culture, which is appropriate within limits. 
To meet this challenge, internal auditors must have good judgment, business knowledge, and transparent communication to put such differences into perspective and determine whether they are appropriate.</p><p><img src="/2017/PublishingImages/Roth_p.33.png" class="ms-rtePosition-2" alt="Auditing Prudential's Control Environment: Areas of Focus" style="margin:5px;width:550px;height:390px;" /><strong>No Defined Criteria</strong> Ideally, management and the board should define expectations for each part of the business, as well as the observable behaviors that illustrate consistency with, or variance from, that expectation. This is rarely done. The lack of clear, specific criteria to audit against increases the challenge of auditing culture. To address this challenge, some internal audit departments have developed a culture model — usually starting from a model developed by an outside firm. For example, Prudential uses a model it co-developed with EY (see "Auditing Prudential's Control Environment: Areas of Focus" at right). Once the board and executives buy into the model, internal audit can develop audit programs and tools to address specific expectations and behaviors within that framework. </p><p><strong>The Extended Organization</strong> Although they are difficult to identify, cultural inconsistencies in global operations, outsourced functions, vendors, and joint venture partners can be harmful to the organization. Internal auditors must adapt their approach, audit tools, and judgment to account for differences in country cultures. Some organizations require their vendors and third-party providers to submit a report annually showing how they comply with the organization's values. They then meet to discuss the report, and that discussion can be more meaningful than the report itself.</p><h2>Culture Is Perception</h2><p>Before addressing the techniques internal auditors are using to audit culture, a basic principle and its related challenges are worth discussing. 
An organization's culture does not exist in formal documents such as codes of ethics or value statements, which only reflect what the organization says it wants the culture to be. Nor does it exist in what the board and executives tell auditors about the culture. They can describe what they think the culture is, but their perception of the culture is filtered by employees' unwillingness to tell them there are problems in the culture. </p><p>The culture exists in the perceptions of employees. If employees believe the culture is "win at all costs, do whatever it takes," that's the way they behave. If employees believe the culture is "put the customer first," that's the way they behave. That's why a common definition of culture is simply "how we do things around here."</p><p>Employees are the best source of information about the culture, but getting that information presents several challenges for auditors:</p><p></p><ul><li>Employees might not be fully candid, especially if they fear retribution for saying something negative to the auditors.</li><li>They may have cultural blind spots that make them unable to see a cultural weakness from within the culture.</li><li>Some employees may be chronic complainers. </li><li>Surveys, interviews, and workshops by internal auditors might be influenced by the same blind spots. </li><li>The response to the results will be influenced by the culture.</li></ul><p> <br> </p><p>Internal auditors must be aware of these challenges and use knowledge of their organization, good judgment, and interpersonal skills to deal with them as they develop and apply their assessment techniques. There are several keys to auditing culture successfully.</p><h2>Success Factors</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>The Subjectivity of Culture</strong> <p>Culture is inherently subjective. 
So how can internal auditors obtain objective evidence about something that is, itself, subjective? The answer is the evidence obtained in auditing culture doesn’t have to be as objective as the evidence obtained in auditing hard controls. The applicable International <em>Standards for the Professional Practice of Internal Auditing</em> (1100, 1120, 2310, 2320, and 2420) do not require objective evidence. To summarize what the <em>Standards</em> say, internal auditors must identify the best attainable information about the culture through the use of appropriate engagement techniques. This information must be factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Internal auditors must base their conclusions and engagement results on appropriate analyses and evaluations. Their reporting of results must be fair, impartial, and the result of a balanced assessment of all relevant facts and circumstances.</p><p>To comply with the <em>Standards</em>, internal auditors typically use a combination of objective and subjective evidence, evaluate it objectively, and “connect the dots” about the culture in a way that is persuasive. They are careful not to conclude more firmly than the evidence supports, and they present results as giving perspective into the culture rather than stating audit opinions or ratings.<br></p></td></tr></tbody></table><p>Executives and board members are at least intuitively aware of the challenges in auditing culture and may be skeptical of internal audit's ability to deal with them. For the audit to succeed, executives and board members must be willing to accept less hard evidence than they are used to receiving and accept that there are gray areas (see "The Subjectivity of Culture" at right). Chief audit executives (CAEs) must persuade them that their internal audit team has the skills, judgment, tools, and techniques to provide valuable insights into the culture. 
The team, of course, must in fact have these attributes. If it does and the board agrees, it is helpful to establish auditing culture as a mandate in the internal audit charter. If the team does not have the skills, it is best to take baby steps into evaluating soft controls while building the team toward a more robust focus on culture.</p><p><strong>Audit Skills</strong> The Chartered Institute of Internal Auditors' 2016 report, Organisational Culture — Evolving Approaches to Embedding and Assurance, details the skills and competencies internal auditors in the U.K. and Ireland say the profession needs to audit culture:</p><ul><li>Professional judgment (84 percent).</li><li>Use of experienced or senior auditors to lead the work (71 percent).</li><li>Enhanced communication skills to deliver unpalatable findings (60 percent).</li><li>Influence and negotiation skills (48 percent).</li><li>Training from specialists on qualitative methods and survey design (33 percent).</li></ul><p>Just 21 percent of respondents say auditors already have the skills necessary to assess culture and soft controls, the survey notes. Organizations could supplement the skills of the audit team by partnering with other assurance providers, such as those in the second line of defense. Cosourcing with outside providers can be another good option.</p><p><strong>Audit's Relationship to the Business</strong> Support from the top is crucial but not sufficient. Internal audit must have earned the trust and credibility of managers throughout the organization to deal with sensitive issues appropriately. If this is not the case, auditors should rely on tools such as anonymous employee surveys initially and focus on building relationships. Extra care should be taken in reporting audit results in ways that are most likely to get corrective action taken without unintended negative repercussions. 
The CAE and audit managers will have to work more closely with the audit team to be sure they are using mature judgment and communicating appropriately with their clients.</p><h2>Scope and Techniques</h2><p>The most comprehensive culture audits combine hard and soft control testing at a variety of levels. For example:</p><ul><li>Audits of entity-level governance and risk management structures and activities.</li><li>Audits of processes with significant cultural influence such as ethics training, incentives, and human resource practices.</li><li>Cross-functional thematic audits such as culture of compliance and management initiatives.</li><li>Cultural auditing embedded in every audit project.</li></ul><p>Audit results should include hard evidence where it applies, as well as the results of interviews and other self-assessment techniques. All audit evidence should be correlated and analyzed until reasonable and persuasive statements about culture emerge. Conclusions should be discussed and modified, if appropriate, at all levels before they are finalized. Internal audit techniques that have proven effective for auditing culture are root cause analysis, structured interviews, employee surveys, and self-assessment workshops. </p><p><strong>Root cause analysis</strong> is fundamental to good internal auditing. Pushed deeply enough, the root cause of an audit issue is often cultural. It might be a disconnect between the desired overall culture and the subculture created by a manager. Or it might be pervasive. "Connecting the dots" from numerous audits can create persuasive evidence of an issue in the overall culture. </p><p><strong>Structured interviews</strong> enable internal auditors to ask a sample of employees the same questions. For example, to determine whether a "culture of compliance" exists in his company, a CAE personally interviews 65 of the 1,000 employees. 
He starts with simple questions to set each employee at ease and later gets into sensitive questions like, "Have you ever been asked to do anything that you believe violates the code of business conduct or company policies?" </p><p>This technique is more objective than unstructured interviews because one set of questions and one skilled interviewer bring consistency to the process. It does, however, require a high level of interviewing skills to detect when someone's positive answer isn't what the person is really thinking and ask the right follow-up questions. It also relies on the interviewer's understanding of what was said and the willingness of upper management to believe its accuracy.</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Culture Audit Resources</strong><br>Internal auditors can use these tools as they prepare to audit culture in their organization.<br><br> <ul><li> <a href="/2017/Documents/Roth_univ-of-minn-employee-survey.pdf"> <span class="ms-rteThemeForeColor-5-0">University of Minnesota Employee Survey</span></a></li><li> <a href="/2017/Documents/Roth_Corporate-compliance-review-questionnaire.pdf"> <span class="ms-rteThemeForeColor-5-0">Corporate Compliance Review Questionnaire</span></a></li><li> <a href="/2017/Documents/Roth_compliance-quiz.pdf"> <span class="ms-rteThemeForeColor-5-0">Compliance Quiz</span></a></li><li> <a href="/2017/Documents/Roth_culture-audit-metrics.pdf"> <span class="ms-rteThemeForeColor-5-0">Culture Audit Metrics</span></a></li></ul></td></tr></tbody></table><p> <strong>Employee surveys</strong> have the advantages of gathering evidence from a large sample of employees and producing objective data. 
The most common survey technique for internal auditors is asking employees to respond to a series of statements by indicating whether they strongly agree, agree, disagree, or strongly disagree with each statement, with an option like "not applicable" or "don't know" off to the side and not factored into the results. The audit report can then state, for example, that "46 percent of responding employees disagreed or strongly disagreed with the statement. …" This is an objective fact. The auditor then must look for corroborating evidence and investigate the root cause. </p><p>A well-constructed survey — provided that employees believe it is anonymous and action will be taken to address their concerns — can generate data that accurately reflects employees' perceptions of the culture. It is possible, of course, that the results reflect a misperception. This is why the auditor must look for corroborating evidence. If it turns out to be a misperception, that is valuable information that should be reported to the local manager, who can then correct it. </p><p>Employee surveys can be used at two levels: on audit projects or organizationwide. Some internal audit departments have a standard survey they use on every audit, with a section in the audit report including corrective action plans. Others develop a survey for just one audit when the situation and level of risk justify the time involved. Some internal audit departments have developed and administer an organizationwide survey, usually annually.</p><p>Many large organizations have an existing, organizationwide employee survey. Most of these surveys include little or nothing on topics such as ethics or risk that are essential to the culture. Some internal auditors have reviewed the content, developed survey statements that address these issues, and persuaded management to add them to the survey. They can then use the survey results as a key risk factor in developing their periodic audit plan. 
When the survey suggests cultural issues in an auditable entity, the results also can be used to help plan and scope that audit. And when process deficiencies are found, the root cause might be identified in the survey. Linking the objectively evidenced deficiency to the survey results can be very persuasive to management that a cultural issue exists.</p><p><strong>Facilitated workshops</strong> were the first tools used by internal auditors for evaluating soft controls. In this technique, a group of employees is guided through a disciplined analysis, often using the same kind of statements that are used in surveys, together with confidential voting technology to gather and tabulate the results. Discussing the issues that emerge with the employees who experience them can be powerful. Today, workshops are used more by risk management departments for risk assessment, while internal auditors more frequently use surveys.</p><h2>Metrics</h2><p>In addition to these techniques, internal audit can leverage metrics that reflect the culture to develop the periodic audit plan, plan and scope audit projects, and support audit results. Hard data can be persuasive. A monthly dashboard could give meaningful perspective on the culture to executives and the board. The dashboard could present metrics such as:</p><ul><li>Customer survey results.</li><li>Number and trend of customer complaints.</li><li>Turnover statistics.</li><li>Sick time statistics.</li><li>Warranty claims.</li><li>Frequency of performance targets being missed.</li><li>Frequency of large projects failing.</li><li>Hotline statistics.</li><li>Environmental impact data.</li></ul><p>The best metrics auditors can use depend on the organization. Several metrics would be specific to the organization or its industry.</p><h2>Maturity Model</h2><p>Culture does not lend itself to a pass/fail type of audit opinion. IIA guidance addressing sensitive topics often recommends considering a maturity model to report results. 
With a maturity model, executives and the board can decide how mature they want the organization to be with each attribute listed. Internal audit results can then be presented in terms of the model and help measure how mature each attribute actually is. This reporting vehicle assumes that the organization is working to get better (more mature) with the attributes important to it and helps measure progress along the way.</p><h2>Cultural Evidence</h2><p>Culture might be the most challenging audit topic the profession has ever faced. Internal auditors must be realistic about the constraints they have in their own organizations. If the constraints are substantial, auditors should do what they can at present and look for opportunities to expand over time. It may be impossible to ever give a firm opinion on the quality of an organization's culture. But good auditors using good techniques, judgment, and communication skills can present solid evidence about the culture to executives and the board. Over time, the picture this evidence paints will become clearer and more persuasive. This may be the most valuable information internal audit will ever provide. </p>James Roth
Responding to the Cyber Crisishttps://iaonline.theiia.org/blogs/marks/2017/Pages/Responding-to-the-cyber-crisis.aspxResponding to the Cyber Crisis<p>​It's in the news again.</p><p>A new ransomware attack (Petya) that spans the globe was not promptly detected or prevented by corporate defenses. It's headline news everywhere.</p><p>Plus, all indications are that our ability to address the mounting threats is insufficient. Have a look at this survey, <a href="https://www.scmagazine.com/majority-of-organisations-are-in-the-dark-regarding-daily-network-attacks/article/633952/?DCMP=EMC-SCUS_Newswire&spMailingID=16428998&spUserID=MzEyNTk5NzMzNjUS1&spJobID=942227724&spReportId=OTQyMjI3NzI0S0" target="_blank"><em>Majority of Organisations Are in the Dark Regarding Daily Network Attacks</em></a>.</p><p>So what should the board, top management, risk practitioners, and internal auditors do?</p><p>Some consultants and advisors are diving into the weeds. I put a recent piece by a marketing manager at Protiviti in that category. Her blog post "<a href="http://info.knowledgeleader.com/what-is-internal-audits-role-in-cyber-security" target="_blank">What Is Internal Audit's Role in Cyber Security?</a>" is not particularly useful.</p><p>Frankly, I don't find The IIA's Global Technology Guide (GTAG) <a href="https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Assessing-Cybersecurity-Risk-Roles-of-the-Three-Lines-of-Defense.aspx" target="_blank">Assessing Cybersecurity Risk</a>, particularly helpful either.</p><p>Board members, executives, and practitioners need to take a breath and step back.</p><p>Look at the big picture, not the weeds.</p><p>Ask yourselves these questions:</p><ul><li>We are being attacked constantly. What would happen if and when there is a breach of our defenses and we are held to ransom? What would the consequences be? 
How would our corporate objectives be affected by an inability to use the systems until the threat is removed and they are restored, whether from backups or by paying the ransom (which carries no guarantee of recovery)? Do we have a response plan and process in place to act quickly enough?</li><li>What if the breach led to a longer period of disruption? How would that affect our business and our ability to achieve our strategic objectives? How confident are we in our ability to respond and bring our systems back quickly?</li><li>On the other hand, what if the hackers wanted to steal confidential information, our intellectual property, or information they could use to attack our partners and customers? How confident are we that we would be able to prevent or detect a breach by such hackers, know what they have taken, and then respond to mitigate any damage? How would our business be affected? What strategic objectives might fail?</li></ul><p>Then ask how much you would be willing to pay to prevent any of the above. Is it more than is currently dedicated? Would committing additional funds and resources reduce the risk sufficiently?</p><p>I am not persuaded that any but a few massive organizations can afford all the resources, including tools, to satisfactorily address the risk.</p><p>I would ask whether it would make more sense to use a cybersecurity service provider. 
They have the specialists with current knowledge and the tools necessary.</p><p>But first you have to know how the business would be affected — the effect of one or more cyber breaches on the business.</p><p>Risk and audit professionals should be paying attention to cyber risk and asking:</p><ol><li>Does the organization have a good handle on its cyber-related business risk, as discussed above?</li><li>Does leadership, from the CEO down to and including the information security team, have confidence that there is an acceptable level of prevention and detection, that the risk they are taking is acceptable?</li><li>Is the information security team sufficiently resourced, in their opinion? If not, why do they believe there are gaps, and why has management not provided additional funding? Is it because the practitioners and executives have a different view of cyber risk? Is it because resources need to be allocated to more important areas — and that is appropriate? Can the risk or audit practitioner help bridge the gap in understanding between management and the information security team?</li></ol><p>Only after addressing these questions and related issues would I dive into assessing individual or groups of weeds — the detail.</p><p>Understand the big picture and the level of cyber-related business risk before assessing individual vulnerabilities, defense, detection, and response mechanisms.</p><p>Do you agree?</p><p>I welcome your views.</p><p>Please join the conversation by clicking on the Subscribe button.</p>Norman Marks
Taking Richard Chambers’ Post to the Next Levelhttps://iaonline.theiia.org/blogs/marks/2017/Pages/Taking-Richard-Chambers’-post-to-the-next-level.aspxTaking Richard Chambers’ Post to the Next Level<p>​In "<a href="/blogs/chambers/2017/Pages/Management-vs-Internal-Audit-5-Frequent-Sources-of-Tension.aspx" style="background-color:#ffffff;">Management vs. Internal Audit: 5 Frequent Sources of Tension</a>," Richard Chambers (whom I consider a friend) raises some good points about tension between internal audit and management.</p><p>He first covers the situation where management wants to cut internal audit resources (perhaps as part of an overall cost-cutting initiative). I agree with Richard's perspective that the audit committee needs to make an informed decision and have actually used the technique he recommends. I also agree with his comments about disagreements on the level of risk when internal audit is not able to rely on a mature ERM program. </p><p>I only wish that Richard had pointed out that the absence of effective risk management is itself a serious risk to the organization that merits discussion with top management, the audit committee, and possibly the full board.</p><p>His third point relates to disagreements about the results of an audit.</p><p>I think we have to be very, very careful here.</p><p>The people who run the business are not idiots.</p><p>Let's not hastily assume they "don't get it."</p><p>We need to listen actively and very carefully to their rebuttal. There are multiple potential reasons for disagreement, including:</p><ul><li>We are right and they don't understand their own operation and its risks — how likely is that?</li><li>We are right and they are willing to take risks that we believe the board would not support — this happens, but not that often (thank goodness).</li><li>We are right on the facts but don't have a complete view of the big picture. Perhaps the risk is one that should be taken by the organization. 
We need to listen so we can grasp that big picture. We may still disagree, but it would be an informed disagreement, one that management would recognize as honest and that can be settled by senior management or the audit committee.</li><li>We are wrong on the facts and need to listen to understand how.</li></ul><p>If we take every disagreement to more senior management and possibly higher without making every effort to both listen and understand, we are asking for trouble. Even if we are right, it will be a Pyrrhic victory as we deservedly lose the confidence and trust of operating management.</p><p>Richard goes on to talk about ratings and opinions.</p><p>I hate ratings. They don't mean anything!</p><p>Our stakeholders need <em>actionable</em> information about the effect of any deficiencies we find on the achievement of enterprise objectives. A rating is an expression of pleasure or displeasure that is unlikely to change any strategic decision or action.</p><p>But if we use the full extent of the (English or other native) language to explain why what we find matters, providing them with assurance, advice, and insight that helps them lead the organization to success, then we are earning our pay.</p><p>Tell them which objectives may be at risk, not that things are or are not satisfactory.</p><p>His last point is about relations with the audit committee and, by inference, management. One of the causes for this can be that we are not seen as helping top management succeed. We are pointing out possibilities for failure but not positioning ourselves as partners in success — and then delivering on that promise.</p><p>That requires a culture shift by internal audit that can lead to a culture shift by management.</p><p>As always, I welcome your comments.</p><p>Please join the conversation by clicking the Subscribe button, below.</p>Norman Marks
Very Useful Guidance on Risk Management Best Practiceshttps://iaonline.theiia.org/blogs/marks/2017/Pages/Very-useful-guidance-on-risk-management-best-practices.aspxVery Useful Guidance on Risk Management Best Practices<p>I want to congratulate IIA–Norway for their recent publication, <a href="http://iia.no/wp-content/uploads/2017/05/2017-Guidance-for-the-Risk-Management-Function.pdf" target="_blank" style="background-color:#ffffff;">Guidelines for the Risk Management Function</a> (PDF). A group of practicing risk professionals developed this guide with the aim of describing best practices regardless of industry.</p><p>I like a lot of what they say, for example (<span class="ms-rteForeColor-2">emphasis </span>added):</p><ul><li><span class="ms-rteForeColor-2">The taking of risk is a natural part of running any enterprise, but it is often not explicitly stated in the formulation of business decisions</span>. The expression "risk" has often been exclusively associated with unwanted events, and risk management has been defined as analyzing and restricting the probability and impact of unwanted events. This is only one dimension of the total picture. <span class="ms-rteForeColor-2">Evaluating positive outcomes is just as important an element of ERM as evaluating the downside, as ERM is concerned with the whole picture enterprisewide and evaluating risk strategy in relation to a portfolio of risks.</span></li><li>The objective of ERM is to maintain risk at an acceptable level and ensure the best balance possible between threats and opportunities — in line with the risk appetite and business strategy of the board and executive management. 
It is <span class="ms-rteForeColor-2">concerned with ensuring the achievement of goals</span> as the enterprise develops and appropriate management of the organization's assets, including avoidance of losses as a result of unwanted events.</li><li>A prerequisite for being able to exercise sound risk management is therefore that there are clearly defined goals at the strategic level, to which goals at other levels in the organization may be linked. In this way <span class="ms-rteForeColor-2">risk evaluations at all levels will be linked to a hierarchy of objectives which supports the enterprise's overall strategy</span>.</li><li>In practice this means <span class="ms-rteForeColor-2">ensuring the best possible basis for arriving at decisions at the various levels of the organization, so that the decisions made will support the overall objectives</span>. Subsequently it is important to have a sound mechanism to ensure the achievement and monitoring of the decided activities.</li><li><span class="ms-rteForeColor-2">Risk management may be defined as systematic, coordinated, and proactive activities aimed at the evaluation and treatment of uncertainty and events which can impact the achievement of goals.</span> This includes amongst other things the organization's ability to: </li><ul><li>Influence the probability and positive or negative impact of events. </li><li>Understand/exploit correlation between various types of risk. </li><li>Monitor development of the risk profile over time. </li><li>Initiate activities which align the path of development with the required direction. </li><li>Build a culture which ensures the implementation of activities and leads to sound risk management.</li></ul><li><span class="ms-rteForeColor-2">ERM means taking a holistic perspective, not just of the enterprise's status at a given moment, but also probable positive and negative developments in the future</span>. 
In this way it becomes a tool for the balanced prioritization of resource utilization. For this reason, this work should also be harmonized with other management activities such as performance scorecards.</li><li><span class="ms-rteForeColor-2">It is important that defined risk appetite can be translated into operational practice</span>. There should be a common thread going through an organization's various objectives, management limits, authorities, and scope of action which accords with the total risk appetite and strategy. In those organizations where it is difficult to quantify risk appetite, it is especially important to devise suitable guiding principles delineating who as a decision maker can decide what should be the acceptable level of risk based on the relevant qualitative evaluations.</li><li>Risk management and decision making are interconnected. When making any major strategic decision, executive management should require a set of scenarios to be presented detailing impact and alternative actions, especially in the situation where there may be a high level of uncertainty.</li></ul><p>There is a lot more useful information, including guidance on the roles of the various parties charged with managing risk in the pursuit of objectives. I leave you to read the paper in full.</p><p>What do you think of it? Do you agree? Is it practical to expect potential positive effects to be evaluated with the same discipline as adverse consequences?</p><p>I welcome your comments.</p><p>Please join the conversation and subscribe to this post by clicking on the button below.</p>Norman Marks
The Culture Impacthttps://iaonline.theiia.org/2017/Pages/The-Culture-Impact.aspxThe Culture Impact<h2>How can a board or management best change a toxic culture or nurture a positive culture?</h2><p>While the board has oversight of the alignment of the company’s culture with its strategic vision, it is difficult for a board to directly shape corporate culture. Management is in the best position to impact culture. The tone at the top and management’s visible support of a compliance and ethics program are crucial. For example, how management responds when its most beloved, top-performing employees misbehave sends an important cultural message as to what is tolerated and the collective values of the organization.</p><h2>Is culture always to blame for misconduct?</h2><p>While culture is frequently a significant factor when misconduct occurs, culture is not always the only culprit. Rogue employees can behave poorly, contrary to company culture, and create liability for companies. How a company reacts to misconduct by an employee or group of employees can say a great deal about the company’s culture and goes a long way toward cultivating the right tone. Leveraging information and resources from internal audit, human resources, finance, and legal helps keep a pulse on the culture.</p><h2>Should boards be more proactive in identifying early signs of CEO and employee misconduct?</h2><p>The board has oversight of the company's risks, which include risks associated with CEO and employee misconduct. It is important for the board to cultivate open channels of communication among key members of management, including a company's chief compliance officer, to better evaluate the corporate culture and understand what an organization is doing to promote an ethical culture.</p>Staff
<p><a href="https://iaonline.theiia.org/blogs/marks/2017/Pages/Do-internal-audit-departments-focus-on-what-matters.-Survey-says-they-do-not.aspx">Do Internal Audit Departments Focus on What Matters? Survey Says They Do Not</a></p><p><a href="http://misti.com/resource-center/2017-internal-audit-planning-survey-report?utm_term=2017-internal-audit-planning-survey-report&utm_campaign=LG17_EB0508_EXP_REPORT_USI&utm_content=email&utm_source=Act-On+Software&utm_medium=email&cm_mmc=Act-On%20Software-_-email-_-The%202017%20Internal%20Audit%20Planning%20and%20Staffing%20Priorities%20Report-_-2017-internal-audit-planning-survey-report" target="_blank">The 2017 Internal Audit Planning and Staffing Priorities Report</a> from MISTI shares the results of a survey of more than 600 internal auditors in North America. (I am not sure the results would be much different if the survey obtained responses from a global group.)</p><p>I can't say that the results are surprising. Disappointing, perhaps, but not surprising. After all, this is why I wrote <a href="https://www.amazon.com/Auditing-that-matters-Norman-Marks/dp/1537662023/ref=asap_bc?ie=UTF8" target="_blank"><em>Auditing That Matters</em></a>!</p><p>Here are some excerpts from the MISTI report:</p><ul><li>To truly add value to their organizations, many internal audit leaders need to look beyond traditional internal audit focus areas, such as procurement and travel and expense reporting, and take a more critical look at functions and processes that really make organizations grow and become more profitable, such as sales and marketing, product innovation, and leadership development.</li><li>Here, the survey identifies a disconnect: While the vast majority of respondents say they use risk assessments to formulate audit plans, few seem to be focused on the biggest threats facing most businesses, such as sales declines, aging product lines, or the loss of key employees. Fewer than 15 percent are looking at anything related to these categories, while tried and true topics, such as accounts payable, compliance and ethics, and travel and expenses, remain the most common.</li><li>"CAEs say they are developing risk-based audit plans," says Tom O'Reilly, vice president and general manager for internal audit and seminars at MISTI. "But what we find is that there is still a lack of correlation between what internal audit is focused on and what CEOs are typically focused on."</li><li>Many are finding it difficult to attract and retain talent with the skills and competencies to reposition internal audit to assess what really matters in the organization and provide value.</li><li>More than a third (35 percent) say they expect the resources for internal audit to increase, and 57 percent expect them to stay the same. More than half (55 percent) consider the resources they have adequate to do the job, even if they might like more.</li><li>A full 89 percent say the products and services provided by internal audit meet or exceed audit committee expectations, proportions that hold true for both audit staff and audit executives.</li></ul><p>The MISTI survey was of internal audit professionals. Surveys of audit committee members and executives do not show the same level of confidence that internal audit is contributing the value it should.</p><p>As the report says, few internal audit functions are auditing the areas that are of concern to the CEO — the areas he or she is focusing on, typically those that relate to the success of the organization.</p><p>I believe there are a number of reasons for this, each of which needs to be addressed if internal audit is to audit what matters and contribute the valuable insight and assurance our stakeholders need. Internal audit should:</p><ul><li>Have a deep understanding of the business: its operations, organization, people, and extended enterprise (such as partners and suppliers).</li><li>Understand not only the enterprise objectives and strategies, but what is necessary to achieve them — in other words, not only what could go wrong but what needs to go right.</li><li>Discard the traditional audit universe (obsolete thinking) in favor of a risk universe. The latter is the set of risks to key enterprise objectives. If risk management is effective, leverage it as much as you can. If it is not, then work hard to help management improve it.</li><li>Build and maintain the audit plan to address the risks that matter — what needs to go right as well as what could go wrong — with the goal of helping the organization achieve or exceed its objectives.</li><li>Be agile. Strip every audit down to essentials so it can deliver results to our stakeholders when they need them. Update the audit plan continuously, always asking, "Is this the right audit to do next?"</li><li>For every audit and every communication, ask whether it will provide actionable information that executives and/or the board need. If not, then question why you are doing the audit.</li><li>Make sure you have the resources to address the risks that matter. If necessary, change the resources and tools of the department.</li><li>Question whether there is any part of your process that can be discarded to improve the efficient delivery of the actionable information your stakeholders need. For example, what is the value of working papers? Why do you write an audit report?</li></ul><p>Of course, there is more in the book. You might also read Richard Chambers' book on <a href="https://bookstore.theiia.org/trusted-advisors-key-attributes-of-outstanding-internal-auditors" target="_blank"><em>Trusted Advisors</em></a>.</p><p>Questions for you:</p><ul><li>Does your audit department address the risks that could affect the achievement of enterprise objectives like EPS growth, revenue growth, customer satisfaction, and product innovation?</li><li>Does it provide insight and assurance that merits the attention of the full board? Does it report issues that require action by the CEO and discussion by the full board?</li><li>If the internal audit function disappeared, how would that affect the achievement of enterprise objectives?</li></ul><p>Please join the discussion by clicking on the Subscribe button below.</p><p>Norman Marks</p>



