Fundamentals of GRC: What is an Audit?

 A funny thing happened while doing some research for a recent presentation. I could not find a definition of the term “audit”. I was looking specifically for a definition relevant to internal auditors, so I looked in the Institute of Internal Auditors International Professional Practices Framework (IPPF).

 Not only could I not find a definition, I could not find any instance where the word “audit” was even used as a noun. In every case I saw, the word “audit” was used as an adjective, as in “audit activity”, “audit report”, “audit plan”, etc. This is a good thing.

 I am a big fan of the IPPF. These standards have been carefully and thoughtfully constructed by some visionary leaders from the internal auditing profession. Most important terms and concepts are carefully explained and defined. But “audit” is not. I am sure the omission is intentional.

 What the IPPF does define is “audit activities”. These standards delineate the requirement for performing a broad range of internal audit activities and for evaluating internal audit performance. Generally, the standards allow, if not encourage, the performance of activities such as consulting, training, participation in ERM projects and other activities. The standards set out the qualities, behaviors and attributes that internal auditors are expected to bring to these activities. They do not require “audits” or define what an “audit” is. They do define and set standards for audit activities.

 I know exactly what auditors usually mean when they say they are doing an “audit”. They are usually following some sort of checklist or program, and documenting and verifying controls. The “audit” is usually manifested by a set of physical or virtual working papers. There is usually an audit report, an audit opinion and audit issues to be resolved.

 This is what Ernst & Young, in their recent paper “Unlocking the Strategic Value of Internal Audit” calls the “enablement gap”. It is a rigid fixation on traditional control and compliance processes that are so familiar and ubiquitous that we call the result an “audit” and assume that is the limit of what auditors can do, even though today’s needs and certainly today’s audit standards have moved on.

 Internal auditors have huge potential for adding value and for becoming trusted advisors in their business. All they need to do is follow their professional standards.

 Recently a very senior business executive, looking closely at the GRC professions for the first time, shared with me his view that of all the GRC professions, internal audit was the least progressive, the most entrenched and rigid.

 When many auditors spend most of their time performing, benchmarking and evaluating a task their professional standards don’t even define, I have to agree.

 The standards of the profession accommodate a variety of value adding audit activities. Tools, frameworks and technologies exist to support a wide range of audit activities.

Anyone care to define an audit for me?

Posted in GRC, Internal Audit | 2 Comments

Who is driving GRC? – Reflections on the nature of innovation

There is a great dialogue underway about GRC on a blog run by Norman Marks. See “The Institute of Internal Auditors’ Tone at the Top Defines GRC and Gets it Right”: http://www.theiia.org/blogs/marks/

My contribution is upstream in an earlier blog on this site and in a response from Norman in a blog posting that preceded the dialogue he is hosting today.

I’d like to offer some perspective here.

One of the threads of the conversation suggests that GRC is “hype” and is an invention of consultants and software vendors. The inference is that this is a bad thing.

My affiliation with a software vendor and content provider is fully disclosed. Norman Marks of course works for SAP. Michael Rasmussen, who coined the term “GRC” was, at the time, with Forrester and currently operates a consulting practice and is a recognized thought leader. I might also mention that on September 15 IBM announced the acquisition of OpenPages, another major software vendor in the GRC space.

I believe the GRC professions are ripe for innovation. There is a reason that thought leadership is coming from consultants and solution providers. The reason is that there is little or no history of innovation, certainly no history of rapid transformational innovation from within any of the GRC professions. I do not believe most professional practices have changed significantly in decades. I don’t regard automating a working paper, as good a thing as that might be, as innovation. The end product of most GRC professions has remained unchanged for years.

I believe GRC is very much a vendor/software/consultant driven phenomenon. Call it GRC, ERM or whatever else, the GRC professions are due for significant transformation and that kind of transformation generally comes from the outside. I don’t believe the technology vendors are there to promote the status quo.

There is very little evidence, and you’d have to look hard to find it, that the GRC professions on the whole are adding sustained significant value. There are individual exceptions, but few. Has the rate or size of corporate failures declined in the last 50 years? Have catastrophic losses declined?  Has the cost of assurance declined? Is anyone even measuring?  Are the customers of GRC service delighted? Have the GRC professions stepped up to the plate on these issues?

As I recall, and I was not quite around at the time, the automobile was not invented by the blacksmith profession. It came from the outside. The iPod was not invented by the record industry. The ball point pen did not come from the fountain pen manufacturers. The photocopy machine was not invented or developed by printers. These were all technological innovations from the outside in response to a huge unmet need.

I think the same conditions exist now in the GRC professions.

Technology providers and service providers are up to their ears in the GRC business and getting more involved every day. Radical change is coming, ready or not and if it looks anything like what GRC, or whatever you want to call it, promises, I am all for it. The sooner the better, and let me know how I can help.

As always, comments are welcome.

Posted in GRC | 2 Comments

GRC and the internal control effectiveness paradigm

I imagine GRC as the beginning of a valuable, powerful and disciplined profession. My last two posts were on the need to better define and state a compelling outcome for GRC professionals to pursue. I thought I’d continue to add to my wish list.

One major task for turning GRC into a true profession is the need to begin to manage internal control strategically. Without the ability to think strategically about internal control, we will not have the tools to drive down corporate failure, assuming of course that the will to do so exists.

While control effectiveness opinions can be useful, I consider managing internal control through audits and certifications to be the opposite of managing and reporting on internal control as a strategic dimension of the business. I think as part of a GRC profession, internal auditors in particular can add far more value.

To get a snapshot of the state of things today, type the following phrase, exactly as I have written it, into a search engine of your choice: “internal control management strategies”. If that doesn’t get results, try “managing internal control strategically”. Be sure to use the quotation marks because I want you to see how many times the words “managing, internal control and strategies” appear sequentially in a phrase. In my searches, it seems there is no such thing as managing internal control strategically.

But try the same search, quotation marks and all, with the phrase “risk management strategies” or “managing risk strategically”. Note the difference in the results. We can apparently manage risk strategically, or at least we have a lot of thoughts on the subject, but managing risk strategically does not require managing controls strategically.

To me, an example of managing internal control strategically would be a deliberate decision by an enterprise to invest in the overall improvement of the entity’s Control Environment as defined by COSO, or possibly a decision to improve Monitoring across the organization in order to increase shareholder value or drive business performance.

Of course it would then be necessary to measure the level of and change in Control Environment or Monitoring and to compare the results within different parts of the organization.

It would be necessary for auditors and SOX people, the primary internal control experts to report their controls, findings, issues or deficiencies by the COSO category they related to, and to identify the deficient COSO element at the root cause of the problem.

I have actually done that as a Chief audit executive and reported the results to a rapt audience of my senior executives and audit committee members. I didn’t use COSO, because it was before COSO was published. Our success led to the extensive use of control self-assessment and a number of other innovations thanks to my colleagues Tim Leech and Paul Makosz. My CEO compared the elements of the control model that I used to the pistons in an engine. Some elements were high, others were low, and that was the way the business was driven.

Today auditors and others opine on “control effectiveness” with little or no explanation of what that is. Historically, my guess is that about 20% of internal control effectiveness opinions are wrong. (I derive this from SOX statistics, based on material weaknesses discovered after positive internal control effectiveness opinions were reported. It is a matter of concern, that there is no formal tracking of faulty internal control effectiveness opinions).

I know the files of auditors and other control professionals contain rich details of controls that were identified and tested. But that information is usually locked in the files and minds of the auditors and we get just a “control effectiveness opinion” based on their judgment and verification. Worse yet, I have found in practice that “effective control” is almost entirely in the mind of the person making the judgment. In my work around the world I have found that the same set of facts will lead to different design and effectiveness conclusions by different control experts. I want to see a depiction of the controls.

Take your car to your dealership for a scheduled maintenance visit. You will get, if you ask and often if you don’t, a list of the specific “criteria” the mechanic considered in evaluating your vehicle. Want to know the wear on your tire treads? Looking for an assessment of how much brake pad you have left? It is all there and more.

What we need are not “control effectiveness” opinions but an assessment against the criteria we are using to come to a “control effectiveness” opinion.

For those looking for a set of control criteria, check out the OCEG “Red Book”. A simpler set, but a very good one, was the CICA Criteria of Control (CoCo) model issued shortly after COSO.

Financial statement auditors don’t give an opinion on the “effectiveness” of financial management. The financial statements provide the numbers and you can come to your own conclusion on the financial affairs of the business. The auditor’s job is to provide assurance on consistency and conformity of accounting policies.

I want a summary of the controls in place, categorized in a useful way along with some information about the business performance they are supporting. If a process or a business has no documented Monitoring or Control Environment controls, I want to know. If there is an exclusive reliance on Control Activities, I’ll sell my shares.

One argument to be made in favor of “control effectiveness” opinions is the fact that they are expert judgments that can’t be reduced to a set of consistent criteria. For me, that is a very scary, self serving and quite patronizing thought. If we do not understand the criteria of control, we will never have reliable control effectiveness opinions. If we do understand the criteria of control we can begin to manage control strategically without them. We will be on our way to a GRC profession.

But whatever the criteria, driving down corporate failure will require strategic management of internal control. And control effectiveness opinions will not do that.

My blogs last week drew some great responses, not all of them supportive, but all of them informative and thoughtful. I’d like to hear your thoughts on this.

Posted in GRC, Internal Audit, Risk Management, Sarbanes-Oxley | Leave a comment

In Search of a Compelling Reason for GRC

 A few days ago in my last blog I recounted a personal incident that made me believe that GRC would never reach its promise unless the movement could find a compelling reason to exist. My personal experience was watching the intense collaboration of diverse medical professionals in dealing with my medical emergency.

 Some commenters believed I had missed the point. They believed that the major obstacles to GRC convergence were the siloed structures of participants, failure to share best practices, lack of common tools and so on.

 I shared those beliefs until recently. I thought if only GRC professionals would collaborate, share tools, use a common language, etc. etc., we would achieve the vision of GRC.

 My medical emergency made me realize these were just symptoms and were not the problem.

 The medical professionals who saved my life didn’t collaborate because they had the tools. They had the tools because they had a reason to collaborate. That reason was a shared, compelling goal to cure illness and restore health. The goal drove collaboration. Collaboration did not drive the goal. The goal drove the innovations in medical science we have seen since the discovery that viruses cause illness and infection could be prevented and cured. Health professionals are committed to that goal. I am on the board of a health care organization and they are the most committed people I have ever worked with.

 GRC professionals have no common goal and are committed largely to their particular practice.  Worse, GRC professional frameworks are perfectly designed to maintain the status quo and prevent innovation. GRC professionals are some of the finest, most capable people I have ever met. They are dedicated and competent. They lack a compelling shared vision.

 Look at the goal definition of any GRC profession or group and ask yourself if it is inspiring, let alone sharable.

Here is a starter from COSO… “COSO’s Mission is to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations”.

Bad? Of course not. Compelling? Don’t give it to my surgeon.

 Compare COSO’s statement to the goal of the US National Transportation Safety Board:

   NTSB – SAVING LIVES

“…investigate transportation accidents, find out what happened, and issue safety recommendations to make sure that similar accidents don’t happen in the future.”

 Years ago, we accepted unsafe automobiles as a fact of life until auto safety became a cause, thanks to Ralph Nader. We used to think that drunk driving was a joke until Candy Lightner took up the cause and created MADD. Workplace injuries, pollution, harassment, discrimination were all things we felt we had to live with.

 I don’t think GRC is going anywhere without a compelling goal. It will struggle and eventually fall flat.  I believe the only reason for pursuing GRC is to drive down avoidable corporate failures. There may be better ways to state it. There may be other goals. But right now GRC is a great idea without a compelling reason.

 Please share your comments with me.

Posted in GRC | 10 Comments

The Real Definition of GRC Convergence

 Like a number of others with a similar vision I have spent a lot of time in recent years evangelizing the concept of GRC Convergence. The definition of what we mean by GRC convergence varies by practitioner and changes over time, but it generally goes something like this…

 “GRC convergence is the integration and classification of siloed management assurance information into a unified framework”.

 What a mouthful. It may be technically correct, but it misses the point by a mile.

 I’ll illustrate the problems and the promise of GRC Convergence with a personal story.

 Three months ago I woke up on a Sunday morning, and literally between sips of coffee I was struck with a sudden, overwhelming pain in my stomach. I could barely stand and I could barely speak.

 Twenty minutes later, after my wife had driven me to the emergency department of a nearby hospital, I found myself on a gurney, hooked up to an intravenous drip. I had been quickly assessed by an emergency admissions clerk, sent directly to an emergency admitting nurse who took my vital signs and asked a few questions, shuttled on a wheel chair to a ward, examined by an emergency room physician and injected with morphine. I provided a blood sample which was quickly sent to the hospital lab and I was then wheeled in for an MRI image and an x-ray.  Within an hour I was told I had a ruptured appendix. Following three hours of surgery, attended by a surgeon, a surgical nurse or two and an anesthetist I was resting comfortably with three tiny scars in my abdomen and some slight discomfort.

 The medical profession is a perfect example of “convergence” at work.

 If the medical professionals followed the standard behaviors and practices of GRC professionals I would be dead.

 In fact, if we consider corporations to be the “patients” of GRC professionals, it is difficult to believe that the GRC professions do much to keep their “patients” alive or even particularly healthy. Corporations “die” or suffer disabling “illness” regularly. None of the GRC professions even keep track of those “deaths” and “illnesses”. That’s because they don’t consider the health and survival of their patients to be their job.

 Here is my new definition of GRC Convergence: “GRC professionals dedicated to working together to achieve a common goal”.

 I encountered 8-10 different medical professionals representing as many medical specialties in my little emergency. They were all united in the common goal of keeping me alive and making me well.

 I know of no GRC profession with the goal of maintaining let alone improving the general “health” of corporations.

 The goal of auditors, internal or external is to do audits. If there was ever any connection between the performance of an audit and the “health” and survival of a corporation, it has been lost long ago. Just look at the number of corporations that fail after receiving clean audit opinions.

 The goal of SOX professionals is not to improve the reliability of financial reporting. Their job is to test controls and report deficiencies. There is no requirement whatsoever for SOX professionals to track the performance of financial processes.

 The goal of risk professionals is to understand risk and provide for sufficient reserves to protect the corporation if the risk occurs. The ongoing financial crisis is a good measure of their success.

 The goal of compliance people is to promote, if not ensure compliance. It is hard to tell if they are succeeding.

 Because GRC professionals do not have a common goal, they seldom talk to each other. In fact, in my experience they often avoid each other. Without a common goal, there is nothing to discuss.

 GRC professionals rarely collaborate. No need to. They practice their professions on their patient, not for their patient.

 Read the new PCAOB Audit Standards on Auditor Risk Assessment. They have virtually nothing to do with the “health” of the “patient”. They are designed for the benefit of the auditor.

 I didn’t want my surgeon to promise me he would follow the best surgical standards. That is the lowest possible standard. I demand it as a starting point. I wanted my surgeon to make me well. With the help of his team, many of whom I never even saw, he was successful. My situation was no different than dozens of others they see every day. It is standard practice.

 I know how important it is for GRC professionals to be “independent”. But when I seek medical advice and medical treatment, I don’t want someone who is just dedicated to following their professional standards. I want someone who cares if I live or die and is willing to work with others to achieve that goal.

 When that is true, we will have GRC convergence.

Posted in GRC | 8 Comments

Principles of ERM: A Common Risk Language is Good; But Grammar Comes First

We hear time and time again about the importance of a “common language of risk” as an essential element of risk management. It is certainly true that people need to express their thoughts and concerns about risk and to communicate properly.

My experience with risk management is that what is needed is really more grammar and syntax. Grammar is what gives language meaning. We have the language. We don’t have the grammar.

Here is an example of what I mean: The example below contains 4 distinct pieces of data about risk. Yet time and time again, all of this data is gathered and lumped into a risk library as if it was all the same. All of this information is about risk, but not all of the data describes what the risk is.

Diagram - Principles of ERM - 06.22.2010

My argument is that the risk event that needs to be managed above is the “trip and fall”. We need to understand the root causes of trips and falls (and there are many more than broken shoelaces) and we need to understand the direct and indirect consequences of trips and falls. This is the grammar of risk management – the study of cause/effect relationships. Risk language without structure does not create information or knowledge.

Root Cause/Control
Control models such as COSO or COBIT (or many others) do a good job of classifying what controls should exist. Controls are the inverse of root causes. COSO Integrated Control came about through an analysis of causal factors of the bank failures in the late 1980s.

Risk Event
The best risk event taxonomy I have seen is the Standard & Poor’s sample risk types contained in their 2007 paper proposing the evaluation of ERM practices as part of the credit rating process.

Consequences
Risk taxonomies help us classify the risk events into logical groups so we can manage them better. By classifying risks as Strategic, Operational, Reporting or Compliance, COSO ERM is recognizing areas of consequence (or business objective) of enterprise risks.

If we don’t structure our risk information, we will never understand cause/effect relationships. If we don’t understand cause/effect relationships, risk management will not link to business performance. If risk management does not improve performance, or reduce avoidable losses, it has no value.

Risk management really isn’t that complicated. It just requires thoughtful approaches, sound tools and consistency.

All comments are appreciated.

Posted in GRC, Risk Management | 5 Comments

Risk Rating the Audit Universe: Focus on Economic Value

 It will soon be time for most Chief Audit Executives to prepare another version of the Risk Based Audit Plan.

As a CAE, I encouraged the use of a risk based approach to allocate resources to the annual work plan. Looking back with the benefit of many years of hindsight, I realize now that the factors I considered were completely wrong.

Most risk models use risk factors such as impact, likelihood, materiality, asset liquidity, management competence, quality of and adherence to internal controls, degree of change or stability, timing and results of last audit engagement, complexity, and employee and government relations.

I’ll come back to those variables in a moment. But the first thing a CAE must determine is what constitutes the audit universe. Usually that begins with a copy of the organization chart and a copy of the financial statements or chart of accounts. That is a mistake.

I often use an anecdote to illustrate how wrong I got it as a CAE. As Chief Auditor of an upstream oil and gas company, my audit plan consisted of the usual audits of capital expenditures, computer systems and business activities. Never in my years as CAE did I direct my staff to audit the company’s oil and gas reserves.

 I made the mistake of looking at the financial assets of the business and the organization structure when considering my audit plan. I should have been building my audit universe based on the economic value of the business and the activities that created that value. That would have led me straight to the oil and gas reserve booking process and a review of the complex engineering, geological and economic factors involved. It would have led me to the land acquisition process and an evaluation of geological and seismic activity. I looked at none of those things. I’m sure other people did, but I was the one reporting to the board audit committee on the state of internal control. And I was examining internal control over some relatively trivial activities.

As for the risk models that give weight to such things as liquidity, complexity, degree of change or stability etc., they are probably equally wrong. I have found that the risk factors whose presence or absence is most predictive of success or failure are these:

1. Control Environment as defined by COSO: Look for Capability, Integrity and Accountability.

2. Monitoring business performance. COSO Monitoring focuses on control monitoring. Business performance is a good indicator of effective control.

3. Risk assessment. Look for the quality of the risk assessment processes management has in place.

In my view an audit universe that focuses on the economic value and value adding processes and uses these three criteria to allocate resources is the key to risk based planning. The economic value may not lie on the balance sheet. It could lie in intellectual property, contracts, or other things that are not represented on the balance sheet. And the value adding processes may not be the financial processes defined in SOX.

I spoke recently with an IT audit executive who wanted to build an audit universe and 5 year audit plan based on his company’s 4,000 servers. A few years ago I may have considered such an approach. Today I believe it is fundamentally wrong.

Most companies seem to have their own version of a risk based approach and have developed or use their own risk rating criteria. I’d love to hear what you consider to be best practices in this area.

Posted in Internal Audit, Risk Management | 3 Comments