Risk and Compliance



Sexual Harassment Risk, Governance, and Audit
https://iaonline.theiia.org/blogs/marks/2017/Pages/Sexual-harassment-risk,-governance,-and-audit.aspx

None of us want to see our organizations in the news and our people accused of sexual harassment. The implications for our reputation as an organization, as well as that of our executives, can be huge. So what do we do:

- As members of the board?
- As risk practitioners?
- As internal auditors?

Let's start by making sure that:

- We not only have a policy in place but that it is the right policy. It is understood by all employees, who are trained in and regularly certify their understanding of and adherence to the policy.
- We not only have a whistleblower mechanism available for any of our employees to tell us of suspected sexual (or other) harassment, but they know about it and it is answered by people outside the regular chain of command — people who can listen objectively and make sure the right people are notified promptly.
- Reports of suspected sexual harassment are properly investigated by objective and competent professionals and the results brought to the attention of the proper authorities within the organization.
- Care is taken to avoid punishing those who come forward, paying particular attention to employees whom their managers say are under-performing. While those employees may be seeking to avoid disciplinary action with a false report, the performance assessment may be an attempt by their manager either to escape punishment themselves or to punish the employee for coming forward.
- The right people receive the results of such investigations and deal with them objectively, without bias, and without regard for position or title — and ensure appropriate action is taken consistently.

But let's also ensure that:

- The same protections apply to everybody who works at the organization or is subject to the actions of its employees, such as temporary personnel, contractors, consultants, vendors, customers, and partners.
- Appropriate training is in place for everybody. That training goes beyond reading the policy to training based on scenarios and case studies; training not only on what not to do but also training that guides people on what to do if they see or are told of sexual (or other) harassment. Additional training may be required for the executive team to ensure they know what to do, how to set expectations, and how to respond to incidents.
- We understand the level of risk. How many reports are received? How many are investigated? How many are found to be credible? What disciplinary actions are being taken? What are the trends? The Risk function (not internal audit, please) may want to use analytics to monitor the area.
- We monitor, spot patterns, and act. I heard one large organization talking about hundreds of allegations over a short period. Questions should be asked about the culture, the leaders of the area of the organization where most of the reports arose, and whether there was a broader problem.
- The level of risk is discussed by the executive committee and the board. I would expect at least annual discussion at the board level, more frequent if the level of reports demands.
- We are confident that people are coming forward. If the culture is perceived as punishing the innocent, then people will be reluctant to come forward — even anonymously. There are tools that can help, from monitoring social media (especially internal posts) to providing safe venues for employees to speak up anonymously.
- Our leaders are setting the right example. They are not only vocal, but exemplars in practice.
- We are prepared for the worst case of a senior executive or board member being subject to accusations. When will the board, CEO, and others be informed? What should they do, and when? How will the organization respond to media reports?
- This is on the radar of internal audit. The CAE should work with Legal, HR, and the board to ensure appropriate audit work is performed to ensure the organization understands, monitors, and addresses the risk.

Anybody, even people we view as high integrity people, may be accused. Let's not get caught by surprise.

I welcome your comments.

Norman Marks
CISOs and Many Others Need to Talk the Language of the Business
https://iaonline.theiia.org/blogs/marks/2017/Pages/CISOs-and-many-others-need-to-talk-the-language-of-the-business.aspx

I came across an interesting piece by Cybereason, "CISO Tips: Speaking the language of business" (https://hi.cybereason.com/hubfs/Content%20PDFs/CISO-Tips-Speaking-the-Language-of-Business.pdf?t=1510177968617).

The concept of using the language of the business to connect with leadership extends to people like the CRO, CAE, CIO, and many others.

They recommend six phrases:

1. Risk
2. Revenue
3. Employee efficiency
4. Strategic value
5. Cost
6. Customer satisfaction

These are six phrases that can come in useful, although I don't like their definition of risk at all!

I can think of other phrases that should be learned, not in any particular order:

7. Opportunity
8. Agility
9. Compliance
10. Objectives
11. Win
12. Competitive environment

There are many more.

But it all comes down to thinking like your customer and talking in ways that resonate with them.

- Know what your organization is trying to achieve.
- Know how you can help it succeed, not just avoid failure.
- Communicate in plain language without techno-babble, and listen actively.
- Help everybody else succeed. Make that your job.

What do you think?

Are there phrases that should be embraced? What about ones that should be avoided?

I welcome your comments.

Norman Marks
Maybe Objectives, Risk, and Controls Are the Wrong Focus
https://iaonline.theiia.org/blogs/marks/2017/Pages/Maybe-objectives,-risk,-and-controls-are-the-wrong-focus.aspx

Here's a radical idea.

Think about it.

Who takes risk? It's the decision-makers across the extended enterprise.

If we want reasonable assurance that they are taking the desired level of risk to achieve objectives, we need to know they are making effective decisions.

How many of us think about whether people know how to, let alone actually make, quality decisions?

I recently wrote about audits that I performed (/blogs/marks/2017/Pages/The-most-important-audits-I-ever-performed.aspx) to obtain assurance that people had reliable information on which to base their decisions.

But what if they don't give the decision enough thought, don't involve others, and so on?

Maybe this should be a focus of our attention.

Perhaps we should talk to and perhaps partner with human resources and make training in decision-making a required course for every decision-maker.

Maybe we should think about how we can prevent or detect poor decisions.

What do you think?

I welcome your comments.

Norman Marks
The Most Important Audits I Ever Performed
https://iaonline.theiia.org/blogs/marks/2017/Pages/The-most-important-audits-I-ever-performed.aspx

As I look back at many years in internal audit, two audits stand out — not because we found anything significant, but because they addressed the most significant risks.

The first was on the reliability (completeness, accuracy, timeliness, and so on) of the "board package." That is the set of materials provided to each of the board members as the basis for discussions at the full board and committee meetings.

Arguably, the meetings of the board and its committees are where the greatest risks are taken by the organization. So, auditing the controls over the completeness, accuracy, timeliness, and so on of the information provided by the executive team to the board was an important engagement.

The audit identified some interesting points of concern, including:

- The board package was so massive that it made it very difficult for board members to read, understand, absorb, and be prepared to discuss the materials prior to the meeting. The size was a disincentive. It was also difficult to pick out the key points on which to focus.
- Major portions of the package were provided only a few days before the meeting. As a result, the directors were unlikely to do more than give it a quick review. The meeting spent most of its time just learning what was in the board package instead of discussing the issues it raised.
- The CEO and sometimes his direct reports were selective with the information provided to the board. Information that the board might want to see, such as alternatives to the strategies and plans recommended by the CEO, was not shared with them.
- Information derived from the company's systems was "massaged" prior to being included in the package. That massaging might adversely affect the integrity of the information seen by the board. Fortunately, we did not see any errors introduced at my organization.

The second audit was around the information that the executive team used as a basis for their key decisions. Again, the risk I was concerned about was that the executives would make decisions based on faulty information — surely, a huge potential source of risk to the achievement of objectives.

We talked to each of the members of the executive team to find out what information they used, both for major strategic decisions and for the daily running of the business. We then identified, assessed, and tested the related controls. I believe this is an area frequently overlooked, both by risk and audit practitioners.

Risk is taken through decision-making. One of the greatest sources of risk to quality decisions is the information that people rely on when making their decisions.

Is your audit department concerned with the risk of poor decision-making? Note that faulty information is just one source of risk.

Does your risk identification and assessment activity consider the potential for poor decision-making? Is this not a critical area to address?

I welcome your comments.

Norman Marks
The Corporate Governance Audit
https://iaonline.theiia.org/2017/Pages/The-Corporate-Governance-Audit.aspx

All too often and too easily, corporate governance is evaluated and measured simply by reviewing the structures and processes that an organization implements to achieve lofty ethical principles. However, assessing the effectiveness of governance requires more than reviewing how frequently a board meets, the number of committees an organization may maintain, the language in a code of ethics, or the aspirational pronouncements from the CEO's office. Evaluating the effectiveness of governance is, at its core, a continuous process of reviewing and measuring behaviors. Such an assessment begins with understanding an organization's business strategy and culture.

Ideally, organizations have a business strategy and an aligned business culture. The business culture is a set of risk practices and behaviors that are critical to the success of the business strategy. Accepted risk practices might be driven by the elements of the strategy itself — such as quick decisions, rapid growth, and speed to market — or they might be requested by shareholders concerned with capital preservation and adherence to risk appetite. Third parties, such as regulators interested in compliance, or accepted industry practices, such as fair dealing, also can shape accepted risk practices.

Good governance provides the oversight to ensure behaviors, however sourced, remain within accepted risk parameters. An effective governance program sets boundaries against conduct that might cause undue risk or ethical impairment to the business strategy, and it includes measurable tools to reward conduct within the accepted culture. Just as business strategies vary, so too do governance oversight models.

A good starting point when evaluating the scope and efficacy of a governance program is to review the organization's enterprise risk management (ERM) framework. Ideally, the organization will have already identified significant inherent risks in a variety of disciplines, including market, strategy, reputation, operations, technology, law and compliance, and human resources. This risk analysis provides a solid indicator as to the scope, type, and level of governance oversight required.

The effectiveness of a governance program is best measured in terms of the level of adherence to accepted behaviors. In making this determination, some specific areas to review include: strategy and governance alignment; focused messaging; and measurement, accountability, and consequences.

Strategy and Governance Alignment

A first step in examining the effectiveness of governance is to review the fundamental alignment of the organization's business strategy and culture with the governance oversight model and framework. The type, level, nature (such as proactive or reactive), and scope of the overall governance program should be commensurate with the business strategy and culture. For example, organizations with hard-driving business strategies often require cultures that "push the envelope" on risk taking. What behaviors does the organization require and reward to accomplish its business strategy? High sales levels? Rapid revenue growth? Continuous product introduction? This type of aggressive strategy and culture can result in a substantial level of organizational risk. In such a case, the internal auditor would expect to see a high level of proactive governance oversight in terms of structures, regular reporting on the quality and effectiveness of internal controls, multiple communication channels and issue-escalation paths, scenario-based staff training, and a robust reporting structure to capture potentially adverse behaviors and risks.

Consider an example in financial services. Wells Fargo's high-risk business strategy was based on rapid and substantial customer fee growth and tied staff compensation to numbers of accounts created. This strategy carried the obvious inherent risk of bogus account creation, which, indeed, occurred. Employees created an estimated 3.5 million false customer accounts. From the outset, this high-risk strategy should have demanded proactive attention to protect the organization and its customers. Ultimately, the lack of a targeted level of governance oversight had dramatic, negative consequences.

Focused Messaging

Sound governance requires a clear articulation of the acceptable (and unacceptable) behaviors necessary for accomplishing the business strategy. Senior management is responsible for clearly articulating expected behaviors and verifying the governance structures that effectively carry this message throughout the organization.

For this reason, the content, level, and quality of the messaging should be reviewed. The messaging should speak to the inherent high-risk areas identified in the ERM framework and provide direction for issue identification, escalation, and resolution. The internal auditor should determine how the messaging is communicated throughout the organization. The auditor also should consider the size and scope of the organization as, especially in the case of large organizations, it is important that the message resonates across wide geographic boundaries, languages, and customs.

Measurement, Accountability, and Consequences

While the determination of the business strategy and culture, the governance framework, and the articulated message of acceptable behaviors come from the top down, the determination of the effectiveness of the governance program is best seen in the measurement of behaviors. In other words, measuring effectiveness is a "bottom-up" exercise.

Behavior measurement is not as difficult as one might expect. Behaviors that result in adverse risk taking, lawsuits, fines and penalties, fraudulent or illegal actions, or a wide range of discriminatory or unethical practices generally are tracked and reported. Issues involved in job performance often are tracked in the organization's performance evaluation system. The reviewer should determine whether the organization has compared the adverse events that are reported to the criteria of acceptable risk and ethical behaviors to improve the governance platform. Questions to consider include:

- Has the organization determined where gaps and vulnerabilities have occurred?
- Has the organization used the results to determine how proactive the governance system has been?
- Have potentially damaging issues been escalated for remediation?
- Have certain categories of adverse behavior decreased?
- Have new controls or training been implemented in significant areas of risk and conduct?
- Has the organization identified geographic areas in which the governance program operates better than others?
- Have the risk issues correlated to those delineated in the organization's ERM framework?

In assessing the sustainability of a governance framework, internal audit should look for two ingredients: accountability and consequence. Were instances of adverse behavior subject to both personal accountability and appropriate consequence? Employees quickly know when adverse behavior goes unpunished or when responsibility for such behavior is not acknowledged. Adverse behavior for which there is no accountability results in lack of confidence in the integrity of the governance program, and, ultimately, it impairs program sustainability.

Internal audit also should evaluate the reward framework: Does the governance program reinforce appropriate behavior via a reward system? Organizations in which exemplary behaviors are rewarded are characterized by a governance framework that shows strength and sustainability.

Every business has its own culture and goals and, therefore, its own risk comfort levels. All businesses can benefit from a strong governance oversight program, with an assessment led by internal audit. An evaluation of governance effectiveness should address not only structure, but also the alignment among strategy, culture, and measurable behaviors.

Dawnella J. Johnson is a partner at Crowe Horwath LLP and the global leader of its internal audit practice in New York.
Gary E. Peterson is a managing director at Crowe Horwath in New York.

Dawnella J. Johnson
What Are the Biggest Risks for Internal Audit This Year and Next Year?
https://iaonline.theiia.org/blogs/marks/2017/Pages/What-are-the-biggest-risks-for-internal-audit-this-and-next-year.aspx

There's an interesting article by the consultants at Barclay Simpson on the topic of "What Are 6 of the Biggest Risks for Internal Auditors in 2018?" (http://www.barclaysimpson.com/news/what-are-6-of-the-biggest-risks-for-internal-auditors-in-2018-news-801840783).

It is not clear to me whether they are answering the question of "What are the biggest risks for internal auditors?" or whether it is an attempt to answer "What are the biggest risks that should be on the audit plan?"

If it is the first, there's nothing new here and a lot is missing. If it is the second, they have totally missed the mark.

So what are the biggest risks for internal auditors in 2018? Here are eight things for you to consider.

1. Auditing risks that don't matter to the board and top executives.

If internal audit continues to audit risks to processes and business units rather than risks to the achievement of enterprise objectives, it will remain a staff function that costs money rather than delivers critical value.

If you want auditing that matters (https://www.amazon.com/Auditing-that-matters-Norman-Marks/dp/1537662023/ref=asap_bc?ie=UTF8), audit what matters.

2. Failing to communicate what matters when it matters.

The traditional way of communicating audit results is a formal written report issued weeks if not months after issues are identified. The report says what internal audit wants to say rather than what management and the board need to know.

We need to deliver the information leadership needs, when they need it, in an easy-to-consume and actionable form.

There should be more talking and less writing.

3. An inability to change direction as risks change.

How agile is internal audit? If you don't have the ability to modify the audit plan rapidly and frequently, what assurance is there that you are auditing what matters today and tomorrow?

Can you provide the information management needs in time to affect their decisions?

4. A lack of the resources necessary to address the risks that matter.

Some internal audit departments shy away from sources of risk because, they say, they don't have the ability to audit them. My response to that is that if they are important to the organization, you have to find a way.

5. Wasting precious time and resources.

We may start each audit with a focus on enterprise risks that matter. But the work often extends to include risks of concern to local management — or the internal audit staff. Extending the audit work has a cost — the opportunity to perform another audit, one that is focused on another enterprise risk. Consider Parkinson's Law (http://www.dictionary.com/browse/work-expands-to-fill-the-time-available-for-its-completion): don't keep auditing just because the time has been scheduled. Once you have an opinion and agreed with management on the necessary corrective actions, STOP.

6. Auditing the past and not the future.

There's a reason that the core principles for internal auditing talk about being forward-looking. Richard Chambers talks about foresight vs. hindsight, and I talk about auditing forward.

The challenges for the organization in the current and future periods should be where we spend our time, assess related controls, and share our insights.

Telling people what they did wrong in the past only has value if it is relevant to how they will do things in the future.

7. Losing key members of the audit department.

Hiring, retaining, and getting the most out of personnel is not only an issue for the organization as a whole, it is always an issue for internal audit.

If CAEs fail to pay attention, fail to be effective leaders and managers of their own team, the quality of work will suffer — and the value of internal audit will decline along with it.

8. Failing to attain and retain the confidence of management.

If management does not believe we are helping them succeed, why should they support us?

One area I frequently pick on is the percentage of internal audit "findings" and recommendations that are embraced and implemented by management. Some internal auditors blame management when their recommendations are not acted on promptly, when perhaps they should be questioning whether their recommendations were the right ones. Managers are not stupid. If they don't see the reason for a change, they won't make it. Auditors need to listen actively to ensure they understand management's perspective and whether suggested corrective actions make business sense. They also need to ensure that they have communicated their concerns effectively. Putting issues in writing is not the same as being persuasive.

Internal audit can and should be perceived as helping management and the organization as a whole succeed. When 90 percent of their recommendations are embraced (i.e., not just passively implemented because "internal audit said so"), that is an unacceptable 10 percent failure rate.

Our focus should 100 percent be on helping the organization succeed. We are at risk ourselves if we are seen as irrelevant to that task.

I welcome your comments and perspectives.

Norman Marks
COSO ERM: Getting Risk Management Righthttps://iaonline.theiia.org/2017/Pages/COSO-ERM-Getting-Risk-Management-Right.aspxCOSO ERM: Getting Risk Management Right<p>​As enterprise risk management (ERM) has become popular in the past two decades, organizations have been trying to implement a program that makes all stakeholders satisfied that they are “doing risk management right.” The problem is ERM is not a program. In fact, it is not a department nor a process, either. ERM — or more generically “risk management” — is an integral component of decision-making. It is a set of skills, approaches, competencies, tools, culture, and more that do not stand alone, but are part of all that an organization does. Unfortunately, many organizations don’t execute risk management well and suffer the consequences.<br></p><p>The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently published an update to its 2004 COSO ERM framework. The name of the 2017 version says it all: <em>Enterprise Risk Management–Integrating With Strategy and Performance</em>. Risk management is all about strategy and performance.<br></p><h2>Making Better Decisions</h2><p>Risk management is an integral part of decision-making. What does this mean? Consider two different situations. <br></p><p>Acme Co. is implementing a new software package to support its core processes such as accounting, logistics, and customer management. As part of its planning, Acme lays out all the steps in the implementation process and then considers what may not go as planned. Some things could go wrong; some could go better than expected. Identifying these possibilities, assessing their importance to the project, taking preparatory actions, and watching how the project progresses are part of how Acme manages its software implementation. This is all done using various monitoring and reporting tools, within the culture of how Acme operates. 
Acme uses the fundamental aspects of good risk management, even though it may not recognize them as such. <br></p><p>Beta Co. is repainting the exterior of its headquarters buildings. The company turns to its normal painter to get the job done. There also were risks related to this project, but it is less obvious how Beta managed the risks.<br></p><p>Both Acme and Beta made decisions (multiple ones, in fact). Risk management was an integral part of both organizations’ decisions. While the risk management may have looked different in the two situations, it was still risk management. Acme took a more formalized approach, outlining its path forward while considering what deviations from this path might occur because of unexpected events (i.e., risks) and planning accordingly. Beta was not nearly as formal, but relied on past habits to try to accomplish its objectives. The questions for both organizations are how good was the risk management and did they use the right approach? <br></p><p>Risk management does not need to look the same for every organization and every decision. It should be fit for purpose, having the level of sophistication, formality, and transparency that is necessary for the importance of the objectives and risks. Both Acme and Beta may have done a great job or a poor job of risk management. It is not the specific activities and formality of the program that matters. What matters is whether management is handling risks the way it should in the situation.<br></p><p>The new COSO ERM lays out a framework for improving risk management so better decisions are made, helping an organization accomplish its objectives. The framework is not another process to be sent to the ERM team or even to a committee of the board. It needs to be incorporated into the fabric of the organization, providing guidance, tools, processes, and many other elements to improve risk management, regardless of the decision being made. 
The updated framework’s executive summary discusses five interrelated components:<br></p><p>Governance and Culture. Governance sets the organization’s tone, reinforcing the importance of, and establishing oversight responsibilities for, ERM. Culture pertains to ethical values, desired behaviors, and understanding of risk in the entity.<br></p><ul><li><strong>Strategy and Objective Setting.</strong> ERM, strategy, and objective setting work together in the strategic planning process. A risk appetite is established and aligned with strategy. Business objectives put strategy into practice while serving as a basis for identifying, assessing, and responding to risk.<br></li><li><strong>Performance.</strong> Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritized by severity in the context of risk appetite. The organization then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.<br></li><li><strong>Review and Revision.</strong> By reviewing entity performance, an organization can consider how well the ERM components are functioning over time and in light of substantial changes, and what revisions are needed.</li><li><strong>Information, Communication, and Reporting.</strong> ERM requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.<br></li></ul><h2>Clearing Up Misconceptions</h2><p>Although the new COSO ERM framework is fairly straightforward, a few key points often are missing in ERM as practiced today.<br><br><strong>Risk Is Not the Focus</strong> The approach to risk management should not focus on the risks in isolation. The focus should be on those events that can affect the achievement of strategy and business objectives. 
When the focus is on the risks, and not the strategies and objectives, ERM becomes a program. To add value, ERM always must be about accomplishing strategies and objectives. Management does not think first about risk, but about delivering performance and what can impact that performance.<br><br><strong>Risk Is Not an Evil to Be Eliminated</strong> Every organization takes risks because the world is not perfectly predictable. Every time an organization takes an action, it takes the risk that its expectations are not correct. Sometimes the events that occur have a positive impact, and sometimes they are negative. Risk is a fundamental part of every organization, but it needs to be managed.<br><br><strong>There Are Many Ways to Respond to Risk</strong> The framework outlines five basic responses to risk: accept, avoid, pursue, reduce, and share. Internal auditors frequently assume the right response to risk is the fourth option — reduce. This reduction is frequently in the form of implementing internal controls to reduce the likelihood or impact of a risk event. However, this is not the only option and other options may be better.<br><br><strong>Risk Management Is More a Skill and Mindset Than a Process</strong> When risk management turns into a department, team, or process, it can easily become something separate from management decision-making. Doing risk management right improves decision-making. While many experienced managers intuitively incorporate aspects of good risk management into their normal thinking, almost anyone can benefit from the guidance laid out in the framework. There are clear skills, tools, and mindsets the framework supplies that managers need to learn. 
Don’t relegate them to a few select people who never influence decision-makers.<br><br><strong>All of the Framework Is Important</strong> What most internal auditors and risk managers think of as risk management sits in the Performance component of the framework, but stopping there fails to see all five components as critical. All five are interrelated. One can’t set risk appetite without an understanding of culture; one can’t select risk responses without communicating about risks within the organization; one can’t have a great risk assessment approach without the feedback loop to review and improve the process based on learning.<br></p><p><strong>ERM Does Not Compete With Internal Controls</strong> The framework eliminates any confusion as to how ERM interacts with internal controls. ERM addresses risks as part of decision-making. In managing some risks, a desire to reduce the risks could be accomplished through internal controls. If this is the direction, then organizations should look to the COSO <em>Internal Control–Integrated Framework</em> for guidance on how to implement internal controls effectively. <br></p><h2>An Opportunity for Internal Audit</h2><p>Some internal auditors have responsibility for their organization’s ERM approach, some provide facilitation, and some perform assessments of management’s design and execution of ERM. The IIA Position Paper, <em>The Role of Internal Auditing in Enterprise-wide Risk Management</em>, provides useful guidance on the options, and limitations, for internal audit’s involvement with ERM. <br></p><p>Internal auditors who have a more engaged role in ERM through facilitation, training, etc., will work through the new COSO ERM framework in a fair amount of detail. 
However, there is a wealth of information in the framework for every internal auditor.<br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>ISO 31000 Update Coming Soon</strong><br><br>The International Organization for Standardization’s Technical Committee 262 is updating its ISO 31000 risk management standard. The revision to the 2009 standard is expected to be issued in early 2018. While different in structure, the core aspects of ISO 31000 are consistent with COSO ERM. The standard asserts that risk management is an integral part of decision-making, and creating value for the organization is the primary reason for risk management.</td></tr></tbody></table><p>Indeed, the framework is a fabulous opportunity for internal auditors who are not intimately involved in ERM. The increased attention to risk management that will come about through the release of the updated framework — and the expected release of an updated version of the International Organization for Standardization’s ISO 31000: Risk Management Principles and Guidelines — provides internal auditors with the ability to reorient their work, messaging, and reporting around the way management thinks (See “ISO 31000 Update Coming Soon” at right). As internal audit strives to create and protect value for organizations, understanding the principles of risk management better and incorporating them into the practice of internal auditing can pay large dividends. Here are some suggested next steps for every internal auditor.<br></p><p>First, internal auditors should become conversant with the fundamentals of the framework. At its core, internal auditing is all about risk. While most internal auditors focus on the adequacy of internal controls, internal controls should be viewed as a method to implement the “reduce” response to risk. Risk is central and comes first, however. 
Internal auditors should master the concepts of risk — how it is identified, assessed, analyzed, responded to, reviewed, and reported. Without this context, it is not possible to effectively address internal controls.<br></p><p>Second, auditors can do themselves a favor if they talk less about the adequacy of internal controls and talk more about risk, managing risk, and reducing risk where advised. Management thinks of the world through the perspective of setting out objectives and accomplishing them — all with the goal of delivering performance. The more internal auditors talk about those objectives and the events that can impact delivering performance, the more management will understand how internal audit delivers value. Auditors are not here to be naysayers or add bureaucracy with more controls. They are here to help management deliver on its objectives. This requires auditors to think and talk in terms of risk, potential impact, and response.<br></p><p>Third, internal auditors should not only evaluate internal controls, but also management’s choice and implementation of risk responses. Internal controls are but one potential risk response. Internal auditors should be considering all five risk responses in assessing whether management has selected the optimal way to address a risk.<br></p><p>Fourth, internal auditors should not focus blindly on always trying to reduce risk. Risk responses should be designed to improve performance. This involves not only ideas to reduce the impact from negative risk events, but also the cost of risk responses and the possibility of a risk that positively impacts performance. When internal auditors’ orientation is toward decision-making and how risks impact performance, they may conclude more risk is appropriate or the cost of current risk responses is not justified by the benefits.<br></p><p>Internal auditors are some of the best in understanding the theory regarding risk. 
The revised COSO ERM framework provides auditors the opportunity to become even more expert in the material so they can help their organization navigate how best to implement it. Not everyone will see the framework as something worth their attention, which creates an opportunity for internal auditors. </p><p><em>To download the IIA position paper, The Role of Internal Auditing in Enterprise-wide Risk Management, visit </em><a href="http://bit.ly/2vIU6Mt" rel="nofollow"><em>http://bit.ly/2vIU6Mt</em></a><br></p>Doug Anderson
<h1><a href="https://iaonline.theiia.org/blogs/marks/2017/Pages/The-auditor-of-the-future.aspx">The Auditor of the Future</a></h1><p>The concept of the "future" auditor was introduced by Protiviti three years ago.</p><p>Brian Christensen and Jim DeLoach have returned to the topic in <a href="http://www.corporatecomplianceinsights.com/internal-auditors-want-ensure-value-relevance-raise-bar-within-profession/" target="_blank">Internal Auditors: Want To Ensure Your Value And Relevance? Raise The Bar Within Your Profession</a>.</p><p>This is a useful piece that merits our attention.</p><p>Let me first share and then comment on the primary points from 2014, reprised in Jim and Brian's piece:</p><p><span class="ms-rteStyle-BQ">[The future auditor]:</span></p><ul><li><p><span class="ms-rteStyle-BQ">Is positioned to be objective with regard to the enterprise's operating units, business processes and shared functions and is vested with a direct reporting line to the board of directors or a committee of the board;</span></p></li><li><p><span class="ms-rteStyle-BQ">Understands the organization's business objectives and strategy and identifies risks that create barriers to the organization's achieving its objectives and executing its strategy successfully;</span></p></li><li><p><span class="ms-rteStyle-BQ">Is authorized to evaluate and challenge the design and operating effectiveness of the organization's governance, risk management and internal control processes that address its critical risks and creates value by making recommendations to strengthen those processes and keeping the appropriate executives and directors informed regarding open matters;</span></p></li><li><p><span class="ms-rteStyle-BQ">Uses a lines-of-defense perspective to ensure that risk 
management and internal control are functioning effectively;</span></p></li><li><p><span class="ms-rteStyle-BQ">Articulates the value contributed by a risk-based audit plan to the organization, providing an assurance perspective that the board and executive management can understand;</span></p></li><li><p><span class="ms-rteStyle-BQ">Maximizes the use of technology to achieve efficiencies in assessing risk, expanding audit coverage, automating critical internal controls, tracking issues, providing exception reports and mining and analyzing data to draw meaningful insights regarding emerging risks and process and control performance; and</span></p></li><li><p><span class="ms-rteStyle-BQ">Possesses escalation authority and proactively exercises that authority to bring important matters to the attention of executive management and the board on a timely basis.</span></p></li></ul><p>Each of these points is important, but:</p><ul><li>It is critical for <span style="text-decoration:underline;">the people running the business</span> to understand the objectives and related risks. Internal audit should determine whether that is the case and, if not, bring that serious matter to the attention of leadership. <em>It is not internal audit's job to identify and assess risk</em> — that's a management function and one of the most important responsibilities they have.<br></li><li>Internal audit should seek to rely on management's identification and assessment of risks. If that is not reliable, <em>teach them to fish</em>.<br></li><li>Internal audit should not only be "authorized to evaluate and challenge the design and operating effectiveness of the organization's governance, risk management, and internal control processes that address its critical risks." 
They should actually <em>evaluate those processes and share their assessment with leadership</em>.<br></li><li>While technology can be a great tool, emphasizing it instead of other points like having a deep understanding of the business seems more like a marketing point for Protiviti's services.</li></ul><p>The rest of the Protiviti points are very good and I won't comment further — please read and consider them.</p><p>However, there is an important omission. We addressed this when we (The IIA's task force) developed the core principles for effective internal auditing.</p><p>The principles talk about "<em>foresight</em>." I like to talk about "<em>auditing forward</em>."</p><p>In other words, worry about the risks that lie ahead of us rather than those in our past. Does the organization have the capability to anticipate what might happen and take appropriate action?</p><p>Let's not audit history — let's provide advice and insight that helps the organization navigate its way forward to its objectives.</p><p>I welcome your comments and observations.</p>Norman Marks
<h1><a href="https://iaonline.theiia.org/2017/Pages/IR-Makes-Progress.aspx">&lt;IR&gt; Makes Progress</a></h1><h2>As integrated reporting &lt;IR&gt; gains traction globally, what role can internal auditors play?</h2><p>Internal audit professionals’ expertise puts them in a prime position to provide guidance to management on ways to protect and create value. The role of internal auditors is becoming more strategic as they identify key risks and provide assurance over increasingly broad value drivers. Internal auditors are key to effective integrated thinking, already having a sound understanding of the business and close relationships with the key players in the reporting process. The IIA has been a driving force behind &lt;IR&gt;. </p><p>However, &lt;IR&gt; is not yet well known enough in the U.S. There are big advocates of &lt;IR&gt; within the U.S. — General Electric, PepsiCo, JLL, and Prudential Financial are among the 25 organizations producing integrated reports. The largest U.S. public pension fund, CalPERS, has called on boards to provide an integrated report, and BlackRock CEO Larry Fink has called on businesses to set out a strategic framework for long-term value creation.</p>Staff
<h1><a href="https://iaonline.theiia.org/blogs/marks/2017/Pages/Should-internal-audit-have-a-seat-at-the-table.aspx">Should Internal Audit Have a Seat at the Table?</a></h1><p><span class="ms-rteThemeForeColor-9-0">**Warning** The comments in this post do not reflect those of The IIA!</span></p><p>Having a "seat at the table" seems to be the goal of many internal auditors.</p><p>Do they deserve a seat alongside senior executives at the top management table? Or do they deserve a seat with other support personnel, at a table designated for leaders of a business unit, or one where middle management sits?</p><p>The goal seems to be to sit among people like the CEO, chief financial officer, chief operating officer, general counsel, and the executive vice presidents. In practice, that is rarely achieved. Why?</p><p>It's because title and position (such as reporting to the board or CEO) matter much less than what you can contribute to the discussion at the top table.</p><p>When board members and CEOs share the views of <a href="http://ecap.co.nz/blog/insights/internal-audit-and-its-enhanced-role-in-the-future/" target="_blank">Drew Stein</a> (a board member and former CEO in New Zealand), internal audit will sit somewhere closer to the kitchen than to the CEO. He considers internal audit today and asserts:</p><ul style="list-style-type:disc;"><li>Almost all internal audit findings are mundane operational compliance issues, which management, when notified, can attend to and rectify in an immediate sense. 
While important to ensuring operational integrity, these issues are not earth-shattering.</li><li>The majority of operational compliance issues and minor financial irregularities are in the first instance identified by management during their normal duties and not by the internal audit group.</li></ul><p><strong>If internal audit is to earn a place at the top table, they have to:</strong></p><ul><li><strong>Audit what matters, and</strong></li><li><strong>Communicate assurance, advice, and insights that matter.</strong></li></ul><p>What they do has to <em>matter</em> to the people at the top table, so they are <span style="text-decoration:underline;">eager</span> to listen to what internal audit has to say. </p><p>Why? Because it matters to the achievement of their personal and enterprise goals. It helps them run the organization successfully.</p><p><a href="https://www.amazon.com/Auditing-that-matters-Norman-Marks/dp/1537662023/" target="_blank"><em>Auditing That Matters</em></a> is my attempt to guide those seeking a seat at the top table by accomplishing these two objectives. It challenges CAEs to understand and address risks to <em>enterprise</em> objectives, then to tell those at the top table <em>what they need to know</em> to be successful, instead of what we traditionally like to report.</p><p>I thought people were coming along with me in this direction, but then I saw a new Practice Guide from The IIA: <a href="https://global.theiia.org/news/Pages/New-PG-A-Practice-Guide-to-Engagement-Planning-Establishing-Objectives-and-Scope.aspx" target="_blank">Engagement Planning: Establishing Objectives and Scope</a>. The underlying IIA <em>Standards</em>, the 2200 series, talk about identifying the risks "relevant to the activity under review." 
This <em>should</em> mean understanding where what happens at that location, department, or unit is a <em>source of risk</em> to an <span style="text-decoration:underline;"><em>enterprise</em></span> objective. In other words, the audit should still focus on <em>enterprise</em> risk, though limited to how it is affected by local operations, rather than risk to local objectives.</p><p>However, when the Practice Guide talks about performing a "preliminary engagement-level risk assessment" by mapping local business processes and brainstorming, I fear that the result will be audits of what matters <em>to that location</em> but not necessarily what matters to the enterprise as a whole.</p><p><strong>It shouldn't be necessary to perform a detailed engagement-level risk assessment</strong>. The location, unit, or process should be on the audit plan because it has already been identified as a potential source of risk to one or more enterprise objectives.</p><p>An audit should not be put on the audit plan because it has a lot of revenue, assets, people, or even complex systems. </p><p><strong>It should be there because it is seen as </strong><strong><em>a source of risk to enterprise objectives</em></strong><strong>.</strong></p><p>All you need to do at the engagement level is focus a little (not a lot) deeper on those potential sources of risk and decide how to assess and audit related controls. 
Recommending detailed process and control mapping is more often than not unnecessary and a waste of our most valuable resource — time.</p><p><strong>The goal should be to provide assurance, advice, and insights that matter to the board and top management because it will help them navigate risks to the achievement of the objectives that matter to them — enterprise objectives.</strong></p><p>If what you have to say matters to the people at the top table, because it includes advice, assurance, and insights that are actionable and help leaders run the organization as a whole, you will be welcome! If what you have to say only really matters to middle management, that is where you will sit. If what you have to say is seen as a police report, you will sit by the kitchen.</p><p>Does your internal audit function assess, audit, and provide assurance, advice, and insight on what matters to the top table?</p><p>I welcome your comments.</p>Norman Marks
