Showing posts with label internal Audit. Show all posts

29 May 2023

The Evidence is the Control

The most comprehensively documented system of internal control does not provide any assurance that the enterprise is effectively, or even adequately, controlled. From a Risk Management perspective, controls are irrelevant; only the evidence of the functioning of the control is the control.

Let's consider the role of Risk Management in providing real assurance, and how to make this real.

I've posted the article on LinkedIn here

And below:

The most comprehensively documented system of internal control does not provide any assurance that the enterprise is effectively, or even adequately, controlled. We are so used to the SOX-generated idea that the system of internal controls needs to be documented, and where controls are perceived to be inadequate, more controls need to be introduced and documented. This is limited, of course, to “controls over financial reporting”, as required by Sarbanes-Oxley (SOX).

This has resulted in probably hundreds of millions of dollars, probably billions, being spent to document controls over financial reporting, and then on Internal Audit (and External Audit) testing of those controls. A windfall for the Internal Audit profession and for External Audit firms. After all, well-documented controls, especially when the critical controls are tested, are the backbone of a sound system of internal controls. Or are they?

We need to move from the paradigm that a documented system of internal controls equates to an effectively controlled entity. Nothing could be further from the truth, and this is why we have both Internal and External Audit. Internal Audit tests the controls, recommends improvements to controls and provides “assurance” to senior management and the board that the controls are functioning. External Audit places limited reliance (anything more and they couldn’t demand the level of fees they do) on the work of Internal Audit and on the controls. 

I’ve missed the “risk” word above. Of course, Internal Audit should determine the controls to test on a risk-assessed basis. Yet too frequently, Internal Audit focuses on the highest-risk areas (that is appropriate) while year after year, the non-high-risk areas effectively get a pass. There simply are not and never will be enough Internal Audit resources to test all areas.  

After all, a fire will destroy the kitchen and house, while the ants will slowly denude the pantry. So we audit the fire alarms, and make sure there is a fire extinguisher (have you checked the date on it recently?), but we don’t hunt for ants unless they are right in front of our faces.

To paraphrase Hemingway, internal control failures happen slowly, and then all at once.

So the classic three-year rolling Internal Audit programme never seems to get to the bottom two-thirds of the potential auditable areas. What does this mean? Fundamentally, too much of the entity will never be audited, and there will never be evidence that the controls are or are not functioning.

And here is our problem. It will be one of those areas, probably not directly related to ‘financial reporting’ that will ‘go bad’, resulting in significant problems and costs. 

The evidence IS the control.  

Who cares if there is a full set of documented controls if operational management knows perfectly well that Internal Audit will never reach two-thirds of the entity, i.e., their function, system, or process? This means more resources that said operational manager could spend on people, supplies, laptops, etc., because they know that the cost of the control can be deferred, because the chances of their ever being audited are minimal.

In some enterprises, the “Second Line” in the form of Risk Management contributes to the identification of appropriate controls, and should be monitoring the control environment. This augments and does not detract from the role of Internal Audit, whose role is to perform detailed reviews of processes, systems, or functions, confirming through testing that the stated controls are functioning.  

So what is the role of Risk Management, as 'second line', in providing assurance over the system of internal controls? Risk Management can provide the framework to ensure that controls are functioning, by providing the repository and process to enforce confirmation of the functioning of controls. So what can Risk Management do?

  1. Risk Management assists management in the identification and description (including quantification) of risks, and 
  2. Assists management in determining and quantifying the level of risk that is acceptable, and in gaining senior management and board endorsement of the level of acceptable risk (the Risk Appetite applicable to the risk), and 
  3. Works with management to identify what ‘controls’ would provide confidence that the risk is being mitigated or otherwise managed within appetite, and 
  4. Provides a framework for the regular assessment of, and reporting on, the functioning of the identified controls, and 
  5. Provides an independent repository for the collection and retention of the evidence that each control is functioning, and finally 
  6. Reports to senior management and the board on management’s reported assessment of the effectiveness of controls, to confirm that the entity is functioning within Risk Appetite, or 
  7. Provides reporting and recommendations to senior management and the board on additional steps that may be required to bring the entity into appetite (which may include the explicit modification, ‘upward’ or ‘downward’, of the actual Risk Appetite). 

In this way, it is not the fact of the existence of a documented control that matters; it is the provision of evidence by management that the control is functioning. This evidence is the control. Without the evidence, it must be assumed that the control may not be functioning, and therefore it must be tested by Internal Audit, something that probably will never happen for the vast majority of non-high-risk areas.

Quite some time ago, you probably started saying, “But this isn’t the job of Risk Management”, and in a purist sense, I agree. But I also know that someone needs to do this, and that someone needs to have access to the board and to management. Relationship management across the first line is critical, as is the ability to synthesise the information provided in the evidence of functioning controls.  

Most importantly, there cannot be an adversarial relationship such as too often exists between Internal Audit and the business, and between External Audit and everyone. Note I’m saying ‘too often’, not that this should be the natural state of things. 

Risk Management has many responsibilities, and this one fits nicely. 

Where there is an ongoing demonstration of performance of the system of internal control, identification of new or evolving risks, and a risk appetite that is both detailed and macro, Risk Management should be there. As risk specialists (both ‘downside’ and ‘upside/opportunity’) with the ability to communicate potential impacts as well as provide  

So consider a framework that includes a quarterly provision of the evidence of each control, coupled with management’s assessment of the effectiveness of that control. Consider also a regular relationship meeting between Risk Management and operational managers to confirm that the range of risks is current, that the rating of the risks continues to be in line with management’s understanding of the risk, and that the mitigation in place, as demonstrated by the provided evidence of the functioning of the controls, ensures that the entity, or at least this risk, continues to be managed within appetite.

Finally, the evidence provided by management and monitored by Risk Management also enables Risk Management to provide greater confidence in their reporting of the current risk status of the entity, improving the quality of assurance provided.

After all, documented controls by themselves are worthless. The Evidence of the functioning of the control is the Control. 

#Risk #InternalAudit #SOX


12 July 2021

Three Lines of Defence - A useful framework, or a crutch for the incompetent? (Both?)

The following was told to me by a person who was in the room. We were debating Three Lines of Defence (TLD) when he told me this story. I’ve reconstructed as much as possible and confirmed the content with my source(s).

TLD can be an effective framework, or it can be a millstone dragging effective governance to the bottom of the pond. While the concepts behind the framework are sound, it only works as a framework; it is not a management system, nor does it provide a rigid demarcation of control activity. Most certainly, it fails as a model for the provision of assurance to senior executives and the Board.  TLD does not ensure or provide even a patina of confidence that those responsible for the effective implementation of the framework actually have the skill or competence to use the framework effectively.

This is a story of incompetence and a warning that the strength of the TLDs is only as strong as the least competent practitioner in any of the Lines of Defence, especially the Third Line.

TLD in the Company

The company espoused the TLD as a core part of its governance framework. Applied carefully, TLD (or 3LoD) is a framework that is easily understood at the executive and board level, and equally easily understood by line management.

The company trained managers in the concept of the TLD. This made it ‘easier’ for Risk Management and Internal Audit (IA) to gain management buy-in to ownership of risks and controls and to ensure management took ownership of reporting on the effectiveness of controls and processes. It also provided the common language that enabled people across the business to discuss risks and control, and understand the importance of, and different roles of, the operating monitoring functions.

The classic distinctions were made between the Lines, with “First Line” defined to include all operational functions and processes, and anything that was directly customer-facing. Customer set-up, ordering, fulfilment, and billing were all included in the First Line, as were customer complaints, etc.

“Second Line” was defined equally conventionally, to include Finance and Financial Reporting, MI (Management Information), Compliance, Risk Management, Governance (including Company Secretariat) and HR.

“Third Line”, following the IIA’s interpretation, comprises Internal Audit and is listed as the provider of assurance to the Audit Committee and the Board. 

The Audit Committee was well versed in TLD, and annually read and endorsed the IA Plan and the Risk Management Framework. TLD was so well embedded that at times it became a crutch and not a framework, something to fall back on when questioned, or when the obvious answers did not fit the problem.

The problem was that, TLD or not, business processes were inefficient, errors were being missed or discovered by accident (or by customers, which was worse), and staff were overworked due to inefficiencies. Management reporting was inadequate, and financial reporting was cumbersome and slow. The monthly close took weeks, with some critical financial information not available for up to a full month after the month-end. This financial information was critical not only for operations but to satisfy regulatory reporting requirements. Something needed to be done.

The company decided to review all its critical business processes, confirm controls were in place, and identify process improvement opportunities where possible.

Internal Audit

Internal Audit took the lead on the project, with support from specialists and Risk Management. The project fell outside the normal IA work programme, but this was accepted as process inefficiencies and failures had already impacted the company.

A list of those processes was made, and reviews of each process scheduled.

Of course, IA still needed to identify critical processes and potential areas of higher risk and to develop and deliver an IA programme based on reviews of those processes. This was done through an annual planning process that included input from the external auditors, but little or no input from within the business.

In this case, the senior Internal Audit Manager had alienated too much of the business, and IA was seen as neither adding value nor even confirming control effectiveness. IA had developed a reputation for being pedantic and for measuring success by the number of findings, no matter how petty (or inaccurate), that were included in reports. Further, IA was known to demand that a recommendation be implemented, even if there was no budget or if the recommendation would not address the issue.

So the first lesson we should take is: Where Internal Audit has an adversarial relationship with functions across the business, maybe it is time to look at IA’s effectiveness. IA, especially when poorly led, can establish a fiefdom and use TLD to protect its position and access to leadership.

In the case of the review of business processes, this leads to one of the most bizarre moments that has ever been recounted to me.

The list of business processes to be reviewed was developed and presented to the steering group, including the CEO. Someone from the Risk Management team asked why the month-end close process was not included.

“There are no critical processes in Finance” was the statement from Internal Audit.

“How can there be no critical processes? The CEO does not know the financial position for up to a month after the month-end. What about billing, payments or debt collection?”

Internal Audit persisted “Billing and debt are not financial processes. Those are operational processes and are part of the First Line.”

“Excuse me?”

“Finance is Second Line. Second Line only reports and supports First Line, so Second Line cannot have any critical processes.”

The room was quiet. People looked at each other, and then at the CEO.

He paused, obviously thinking about how to engage.

He then said, “Can I suggest an offline review of the list of processes? I would expect to see more of the MI supporting and Financial processes included, because they are critical to my ability to achieve our plan.”

The second lesson we should take from this is that TLD, when used as a crutch, can embed ineffective governance, and provide a shield for incompetence.

The poor quality of MI and the speed of the financial close combined to undermine management’s ability to more efficiently manage the company, apply resources where they were needed, and provide assurance to the Board about the company’s status in relation to the strategic and tactical plans.

Unfortunately, the TLD model, as hijacked by the Internal Audit profession, reserves the provision of assurance to the Board as a Third Line function. Admittedly the IIA’s new “Three Lines of Defence” model conjoins the Senior Management and the Governance groups, while retaining the mythology of an independent Internal Audit. This is not the place to discuss if Internal Audit can ever actually be “independent”, but it is the place to reinforce the concept of the provision of assurance.

Real Assurance

All management provides assurance. That is what MI and reporting are all about. The information provided in management reports is compiled and provided to give assurance to the receiver that the status or situation reported is accurately reported. As information is reported upward (and summarised in almost all cases as it moves upward) there is an underlying assumption that the information is, to the best professional knowledge and experience of the information provider, accurate, and provides assurance that such information may be used for further decision-making.

Furthermore, IA is an overhead, and as such, the cost of the provision of IA will always be constrained. That constrained resource inevitably narrows IA’s potential span of attention. IA will need to focus its limited resources on the highest-risk business processes, systems or functions, and will not be able to provide the breadth of coverage required for real assurance to Executives and the Board, beyond the very narrow assurance over the limited areas of its attention.

This leads to our third lesson: Assurance must be provided by all management, not only by the Third Line, and reliance on the Third Line for assurance will undermine the quality of assurance that is being, or can be, provided to Executives and the Board.

So bringing our three lessons together we can see a recipe for disaster. An adversarial IA, using TLD as a crutch, claiming that only the Third Line (IA) is able to provide assurance. Bring these three together and the potential damage is huge.

Had IA prevailed, critical processes would have been excluded from the review, and fundamentally inefficient, yet critical, processes would have been left untouched. Indeed, the Board would have been given “assurance” that all critical processes had been reviewed and were being improved (from a control and efficiency perspective), when it was clear that this was not the case, and that the CEO was missing critical business decision-making information, or that the information was too old to enable an effective and agile response, whether reactive or proactive.


31 January 2021

The SEC will take ESG seriously

Combined with a Final Rule Change in November, the announcement of Allison Herren Lee as Acting Chair of the SEC is excellent news from an ESG (Environmental, Social, Governance) and Sustainability reporting perspective. Rest assured, the new US administration’s acceptance of the science of Climate Change and stated understanding that there are already major impacts on the environment, are going to result in a major shake-up in corporate reporting.

For too many years the SEC has paid lip service to the need for ESG reporting.

No rule change will be needed

This means, finally, there will be real movement in requiring companies to provide ESG reporting. Way back in 2009, I wrote to the SEC in support of the Social Investment Forum (SIF) vision of what mandatory Environmental, Social and Governance (ESG) disclosure should look like. I pointed out then that the existing Reg S-K already mandated reporting on ESG in the MD&A.

Companies listed on the US markets are required to file various forms with the SEC, with the most notable being the Form 10-K, the annual filing that includes both financial information, and significant additional information included in the "Management Discussion and Analysis" (MD&A) section. The content of the Form 10-K is controlled by Regulation S-K, and there is some specific wording that applies to ESG and Sustainability reporting. However, it does not explicitly state ESG or Sustainability. 

I argued then, and still believe, that the "known trends" and "uncertainties" requirement was enough.

There is already the requirement under §229.303 for companies to "Describe any known trends or uncertainties that have had or that the registrant reasonably expects will have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations."

I believe that Climate Change, with its wide range of potential negative impacts, rises to the standard of a "known trend", or at a minimum, based on the overwhelming amount of scientific research undertaken to date, an "uncertainty". Equally, Social and Governance issues have a significant impact on liquidity and operations, and therefore should rise to the level of "known trends" or "uncertainties".

The SEC has acted on the "known trend" or "uncertainty" clause before, when Y2K reporting was mandated. At that time the SEC also took the bold step of stating that boilerplate reporting would not be acceptable, and that filers had to provide detailed discussion of their plans, including potential impact on customers, and the cost to address. “No net impact” was not an acceptable response. The SEC's actions in relation to Y2K could form the basis for similar action in relation to Climate Change and ESG reporting.

Allison Herren Lee's appointment as Acting Chair of the agency will bring about a sea change in ESG reporting.

“During my time as Commissioner, I have focused on climate and sustainability, and those issues will continue to be a priority for me,”

Read those words again “those issues will continue to be a priority”. Finally, we will have some real reporting on ESG and sustainability in annual filings, and hopefully not the boilerplate. Investors and the public should begin to see what companies really think are the risks (and opportunities), and will need to say exactly what they plan to do to address the potential impact of Climate Change.

The Rules have changed

In November 2020, a Final Rule from the SEC strengthened the reporting requirement. In their Final Rule, they discuss the change from "will" have a material impact, to "reasonably likely" to have a material impact. 

"Item 303(a)(3)(ii) currently requires a registrant to describe any known trends or uncertainties that have had or that the registrant reasonably expects will have a material impact (favorable or unfavorable) on net sales or revenues or income from continuing operations".

The Commission's final Rule says:

"We are adopting Item 303(b)(2)(ii) with these amendments substantially as proposed, but with slight modifications to clarify that the “reasonably likely” threshold applies throughout Item 303. Furthermore, our amendments to Item 303(a) state that, as part of MD&A’s objectives, whether a matter is “reasonably likely” to have a material impact on future operations is based on “management’s assessment.”

I could contend that it will be the very brave, or very disconnected, company executive who, in "management's assessment", determines that Climate Change cannot be considered "reasonably likely" to have an impact on "continuing operations".

Preparing for the change

So with this change and increased reporting, what should reporting companies be doing?

First, consider a complete review of your CSR reporting. CSR has too frequently been seen as something owned by or shared with Marketing and Communications. The greater the ‘power’ of Marketing over the production of CSR reporting, the greater the risk that what you are reporting does not fully map to the reality of your operations or strategic expectations.

There is a risk of shareholder, regulator or customer sanction if your CSR reporting is not in sync with your internal strategic plans and the assumptions used to create those plans and, more importantly, with what you have been reporting in SEC and other regulated filings. If there is a disconnect, then there is a risk to reputation and a risk that a regulator (or the markets) will respond punitively to a belief that the company has been ‘hiding’ information, or spinning and ‘greenwashing’.

CSR and Sustainability have just jumped to the top, or near the top, of the Internal Audit risk universe. What controls are in place over the production of the CSR report? What processes are in place to validate the information that is reported? Does management override play a part in the production of such reporting?

Instead of repeating myself, I’ll just point you to my post on the subject from all the way back in 2015: Why CSR is an important part of your risk universe.

Pick a Standard

There are several ‘competing’ CSR and Sustainability reporting standards. Do your research. Each has its strength, but so far we do not know which one will be the ‘one true standard’ the way COSO became the presumptive standard for internal control following SOX.

My own betting would be on either (or both) the SASB and the GRI standards. Both are comprehensive and established. SASB is modelled on the need for rules-based reporting and standards used in corporate financial reporting, and the very name pays homage to the FASB. The GRI standard, however, is global and has been around for close to 20 years. There may be some flaws, but it is a comprehensive standard for wider ESG reporting.

Plan ahead

Expect ESG reporting to expand, and expect scrutiny of reported information to increase. Mismatches between current and historical CSR and Sustainability reporting and corporate communications will come to light, so be prepared if you are concerned that there may have been mismatches.

With Climate Change on the agenda (finally) and with a new SEC Chair nominated (with clear views on ESG) there can be little doubt that ESG and Sustainability reporting will no longer be something for the marketing people; it is now center stage for regulatory reporting.

04 January 2021

AI and External Audit: Not until the Business Model Changes

I’ve just read an article on AI and Audit, asking when (or if) Artificial Intelligence will take over the auditing of companies’ financial statements. (“Distinguishing Hype from Reality about the Future of Automated Audits” by Gregory P. Shields, CPA, CA, http://thinktwenty20.com/images/Issues/Winter_2020.pdf)

While the article provides a fine survey of the technical issues and impediments, it misses one key element: AI is a threat to the auditing and consulting firms' business model. Until they can determine how to incorporate it without erosion of fees and profit, there will be limited uptake.

It is an interesting article, if you are into this kind of thing, and considers three scenarios.


Arguably, predictions fall into three overall categories:


1. AI will soon displace human auditors. Clairvoyants in this category might be referred to as chicken littles, predicting the auditing sky will soon fall on human auditors.

2. AI will complement the work of human auditors, but never entirely displace them. These clairvoyants might be referred to as eternal optimists, looking at the future of human auditors through rose-coloured glasses.

3. AI will ultimately displace human auditors. These clairvoyants may be the realists. But, what does “ultimately” mean and what are the implications for decisions that have to be made now?

(Gregory is a member of the board of directors of the University of Waterloo Centre for Information Integrity and Information Systems Assurance (UWCISA). He is also a member of CPA Canada’s Audit Data Analytics Committee. Before his retirement, he was CPA Canada Director, Auditing and Assurance Standards. His recent projects include developing non-authoritative auditing guidance on data analytics, cryptocurrencies, and accounting estimates.)


The conclusion is not surprising: that AI still has a long way to go, that regulators will take convincing, and that there remain too many cognitive processes that cannot yet be replicated by AI. These are the “value-added” that the human accounting specialist brings to the audit.

But what is missing from the article is the change required in the economics of audit to allow AI to play a meaningful role in disintermediating the human auditor.

The Accounting profession and Auditing firms exist in and rely on an economic model that will delay the introduction of full AI support for the audit. Auditing firms are highly profitable ‘consulting’ companies with a market niche that they will exploit and protect from competitors, and AI is, even if used as an ‘internal’ tool, a competitor.

Almost all major accounting firms are partnerships. While this is mostly a structural and governance mythology, they are bodies of self-feeding units that rely on a “Borg” like assimilation into a greater single entity which looks out for the collective interests. Let’s break that down. Auditing firms are like ant hives, all working together, but ready to cull the non-performing elements, and perfectly happy to jettison worker ants to protect the hive.

Each Partner owns a number of shares in the company, and those shares pay a dividend to the partners. The more shares, the greater the percentage of profits. Junior Partners “buy” a starter set of shares, and as they progress in profitability and seniority, they are allocated more shares. There are no external shareholders, and therefore no wider investor community to answer to. Certainly they talk about stakeholders, but what they mean are those that can impact their business model for the better or worse.

Each Partner has a team (or shares a team with other partners for efficiency) and ‘sells’ those resources to clients on specific engagements. Basically, people-hours for an agreed person-hour rate, frequently merged into a single overall rate or price for the job. At the core is that simple economics of the cost of inputs and the income generated by those inputs. Technology helps those inputs (people hours) be more productive and increases the potential price of that input on an hourly basis – because fundamentally, hours are the product.

Just as a metal stamping business may (does) use percentage utilisation of metal stamping machines as a measure of productivity, the accounting firms carefully monitor individual human utilisation rates as the core to determining productivity and potential profitability. People-hours utilised (billable) are the core of the auditing (and associated consulting services) profession's productivity and profitability.

All other functions within the auditing and consulting firms are paid for by the number of hours of human time that are sold and can be seen by the client as being delivered. The cost of delivering those hours is high. Premises, technology, HR services, and ongoing training of staff are significant costs. But there is another cost: the cost of ensuring that the profession continues to exert control over companies and their financial supply chains. After all, without a ‘clean’ audit, most companies cannot access capital at economic rates.

As an aside, brothels work in much the same way; the fundamental product is people-time, and the more time your product can spend ‘billing’ the more profitable the enterprise. Just like the brothels, if the young ones are not producing enough revenue, the young ones and the madams suffer.

A non-profitable partner or business unit within an Audit and consulting firm will be culled, and quickly. This means that a major element of the Senior Manager through Partner ranks, and especially anyone aspiring to Partner rank, is the selling of new business and the protection of and ideally expansion of fees with existing clients.

Unlike the brothels, auditing and consulting firms have the additional cost of sustaining an industry body whose purpose is to ensure that they retain their dominance in the financial supply chain. (Although I guess one could equate this to the cost of bribes to police and local officials?)

Audit firms carry the additional costs of lobbying at the international, national and state level, and through ‘ownership’ (capture is probably a better word) of the process for standards-setting. And standards that will threaten their business model will be managed. The International Accounting Standards Board (as one example) would find itself significantly less effective without the ongoing support from the major Auditing and accounting firms. The accountants and auditors provide much of the technical resources required to draft and review standards, and technical resources are frequently ‘seconded’ at no cost from the firms. And for a good reason; such secondments ensure that their people contribute to the development of the standards, it also ensures that the firms have resources with in-depth knowledge to trot out to their clients.

An AI-heavy audit is a threat to their business model. It is difficult to add a premium to the audit fee for a reduction in the amount of work that will be performed by humans. After all, if human time is the primary cost factor, then a reduction in the total human inputs should translate into a reduction in the audit fee. Firms have been down this road before. Audit automation through automated work-papers contributed to a reduction of the audit fee, but this was offset by increases in the cost of labour and the total amount of effort required.

Sarbanes-Oxley section 404 was an excellent example. Following the Enron and WorldCom frauds, the new requirement for management to assess, and the external auditor to attest to, internal control over financial reporting (alongside the section 302 CEO/CFO certifications) resulted in a windfall to the Auditing and consulting firms, boosting the total number of hours on audits and the cost-per-hour of now scarce resources. First-year accounting graduates were suddenly seeing offer letters 15% to 20% higher than their friends had received the year before. Internal Audit consulting firms found that they were able to raise their rates by 50% to 70% or more in a year, with that particular gravy train lasting almost a decade. It took that long to build a population of internal auditors sufficient to service the new need, and so to once again begin to push rates down.

And this ignores the fact that two Auditing firms facilitated the frauds at Enron and Parmalat. Ironically, such frauds, while costing individual firms dearly, actually raised overall revenues across the industry. In the case of Andersen, it destroyed the firm. In the Parmalat case, the local accounting major’s firm was expelled from the network, and their international clients in Italy were instructed to contact EY on their first day back in January 2004.

Another area where the business model will not be permitted to be undermined by actual practice is the relationship with Internal Audit. Long considered the slightly dim cousin in the auditing world, Internal Audit arguably plays a more critical role in the actual success of companies. Not only does Internal Audit provide real comfort to the Board (along with Risk Management and Management), it can also contribute to process improvement and organisational efficiency.  IA should also be able to contribute to a reduction in the cost of External Audit.

I’ve long argued that improved Internal Audit should enable the External Auditors to place greater reliance on the system of internal controls, and therefore reduce the amount of external effort and cost required to provide an audit opinion. Yet year after year, regardless of the depth or coverage of Internal Audit, the External Auditors provide trite comments about the need to confirm the quality of IA’s work, and that perhaps next year there could be a reduction in External Audit activity. Next year never comes, regardless of how thorough IA has been, or how effective management has been at the implementation of IA recommendations.

After all, effective IA is a threat to the External Auditors’ business model.

And the business model trumps any other consideration.

Artificial Intelligence will encroach on the audit, but it will not successfully do so until the Audit and consulting firms have figured out how they can incorporate it into their business models, or until their business models are changed.


09 October 2020

Not everyone should be an Internal Auditor

Sometimes Internal Auditors shouldn’t be Internal Auditors. No matter how much effort is expended to avoid it, the role can be confrontational, with the potential for conflict with the auditee (and others). This is particularly the case when there are strong personalities on the ‘other side’ of the audit process. I ran into exactly such a situation, as I’m sure have most of us. Remember, however, that just because someone is not suited to Internal Audit does not mean that they do not have a lot to contribute to the business.

A number of years ago, I was engaged by a bank to perform a number of IT Audits. The bank had a full Internal Audit function but only three IT Auditors. The audit programme, however, included too many audits to be completed by the team that was available (for various reasons, only one of which was too much work for the available resources).

After cutting my teeth on a couple of simple reviews, the Audit Director asked me to take a look at the implementation and use of the Project Management Methodology in a couple of the major projects that were in-flight at the time. These were significant projects, being run by and for different parts of the bank. Each had external project managers, and each seemed to be running to time, budget and promised deliverables. There were no particular reasons to worry about the projects.

Enter Bob (not his real name), a somewhat meek Internal Auditor, who chanced into IT Audit from a role as a bank branch auditor. I had worked with Bob before at another institution, and knew some of his strengths and weaknesses.  The Internal Audit Director said to me “I’d like Bob to work with you on this audit”. Really? Well, okay. “It will be good for him. He’ll learn something, and hopefully will become a better auditor.” He saw the horror in my face.

“I really need you to do this, but let me know how it goes”.

So the audit began. Each project provided all the requested information, and both were open, allowing interviews with key project personnel and the project managers. The project sponsors were comfortable with the progress, and the user communities were looking forward to the new systems and processes, even though these were months away.

The projects were running smoothly, and the audit did not find any unreasonable budget-to-actual variations, or undue and unexpected slippages in estimated delivery dates, resource requirements, etc. Risks were documented (inadequately, but there was some consideration of risks). Of course, the primary purpose was to confirm the implementation and use of the corporate-mandated project management methodology.

While everything is going smoothly, a finding that process is not being followed can be a difficult finding to make and defend, especially when the processes will add effort and probably increase the resources and costs required to accomplish the project or set of tasks.

Add to that the personality trait of many good project managers – a straightforward manner and an air of confidence that can be used to ‘encourage’ focus on goals. They are confident, and they exude confidence, and that is one of the ways that they provide comfort to stakeholders, encourage teams, and deflect or reduce potential conflict or disagreement. This sometimes can manifest itself as arrogance and bullying.

And we faced two of these individuals. They had the backing of their respective General Managers, they were confident, they were delivering, and they really didn’t need Internal Audit second-guessing how they were going about achieving their missions.

I sent Bob to carry out some interviews, collect documentation, read it and summarise his thoughts. We talked through what he was seeing. We combined our work and work papers, and we arrived at our conclusions. We wrote up the draft report, and prepared for the exit-interviews with the two Project Managers. 

As the fieldwork progressed, Bob became more and more agitated, and at times seemed distracted. Finally, with the fieldwork completed and the draft report ready, we scheduled the exit interviews. Twice.

Then a third time, with each of the other two being cancelled and rescheduled.

Finally, the day arrived. I arrived in Internal Audit, and seeing Bob, said “Fantastic, today is the day. They’ve not cancelled or postponed. We’re ready.”

I looked closely at Bob. “Are you alright? You look tired.”

“I haven’t slept all week, I’ve been so worried about this meeting” was his response. Worried? Why? All our ducks were in a row, all the documentation was completed, the draft report was written, the findings reviewed, and the key points ready. All that was needed now was a conversation with the PMs, and to give them an opportunity to take the draft back with them and write up their comments, responses and action plans.

Focusing on the coming meeting, I put his comment away in the back of my mind, something for later.

We had our exit meeting. We outlined the audit, the fieldwork performed and the data and information reviewed. We presented our findings. The PMs read the Executive Summary, looked at each other, and after a few questions said “You’re right, we use our own methodologies. They are not the corporate-approved methodology. We will talk to our teams about how we will implement and use the standard methodology. We will need to train our people, and we might need some training also.”

Done. 

Yes. It was that ‘easy’. The data was there, the documentation was there, and we did not attack their methodologies or pick holes in what they were doing. We were not auditing the effectiveness of their personal leadership, and we were not questioning the performance of the projects (although we did look at status reporting, steering committee reporting, budgets to actuals, etc). We had a specific scope and we audited to that scope, cognisant that other issues may come up.

What I didn’t expect was that the primary finding of serious concern was that one of the auditors was not able to perform the audit. Having worked with Bob in the past, it all came together then. He simply was not capable of assertive support of any position. His default in any potential conflict was not to address the issue, but to seek someone who could deal with it on his behalf.

When all was done and the report was issued, I stopped by the Audit Director’s office. I told him what had happened, and said I was deeply worried about Bob, his mental state and his fitness to be an Internal Auditor. Furthermore, there was the very real potential that Bob would bring Internal Audit into ‘disrepute’ within the bank by not being adequately assertive or able, when pushed, to deal with highly assertive individuals. In the worst case, such an auditor might miss a critical control and technical issue, or fail to push for acceptance and resolution of a critical weakness, potentially endangering the bank itself. The IA Director knew we had worked together in the past; in fact, all three of us had been at another bank at the same time. He had “inherited” Bob when he took over IA in this bank. He knew what he had, but there was little he could do directly.

We talked, and eventually, I said “You have to get him out of Internal Audit. He will have a nervous breakdown, or worse. This is not the right job for him.” The IA Director agreed and asked for my suggestion. My view was that Bob had a solid knowledge of retail banking, adequate IT knowledge, and understood both the bank and the banking sector. Firing him would only compound Bob’s issues and would be wasting an otherwise perfectly decent person and skill-set. “Find him another job in the bank. For you and for him”.

Checking in with the IA Director a couple of years later, I asked what was the final outcome with Bob. The news was all good. Bob was encouraged to apply for, and was appointed to, a role in the Retail Product Development team, and was to all reports thriving. Conflict was not an issue, because he was supporting product developers who were, by nature, positive and had the support of the executives. His knowledge of the bank and banking products served him well.

Most of all, a ‘wrong fit’ was rectified, and IA was seen as a potential source of good quality people for the business, and not tarnished as the home of people who were not able to provide the challenge actually needed in healthy organisations.

What are the attributes of a good Internal Auditor? There is a long list. Near the top of any list must be confidence in the correctness of the principles that the auditor is espousing; of effective control, process effectiveness, risk identification and assessment, and confirmation by the auditee of the findings and potential impact. Meekness is not a desirable attribute.


23 July 2019

In search of a seamless relationship between Operational Management, Risk Management and Internal Audit.

I continue to be amazed by the too frequent disconnect between Internal Audit, Risk Management, and Operational Management. The artificial, though regulator-sanctified, “second line” and “third line” functions are too often used to justify two (complementary) functions seeking complete independence from each other, an independence that can undermine the effective identification and management of risks.

Operational Management (OM) is responsible for delivering the objectives of the organisation, and specifically the objectives of their function(s). Risk Management (RM) provides support to OM by providing the framework for identifying and helping OM determine and implement the most appropriate management strategies to cover the risks to the accomplishment of the objectives. Internal Audit (IA), by focusing limited resources on the areas of highest risk, confirms that key controls are in place and that they are functioning effectively to ensure that risks to the achievement of objectives are managed within the risk appetite of the business.

Within that previous paragraph, there are a number of important words and concepts, too frequently considered separately, when they should be viewed as part of a seamless set of processes and responsibilities. Sadly too often the three are not seen as part of that seamless delivery, with the second two being detached from OM and from each other.

Operational Management is responsible for delivery of results, and as such is provided with resources (budget) that are almost always limited in relation to the provision of any “extras”. Managers face annual budget challenges, and not infrequently are asked to make “savings”. Sometimes this can (sacrilege) include reducing headcount or increasing the level of output expected without increasing resources. Frequently it is the control environment that suffers when this happens. 

Risk Management can help OM to identify and consider the risks that they face, and can assist OM in identifying the controls that would be needed to manage the risks to the level acceptable within the business’s risk appetite. It remains, however, OM’s responsibility to implement the controls and to ensure the controls are functioning. RM can, and should, provide ongoing monitoring at an observation level of the risks and controls across the business.

(There is, of course, also the critical role that RM plays in the identification and mitigation of Emerging Risks and External Risks, but for our purposes here, we are looking only at the internal relationships and management of risks.)

RM confirms that the control environment is functioning, as asserted by OM and reviewed selectively by RM. The assessment of the current status of any risk is the responsibility of OM, who own the risk and are responsible for managing it. RM can suggest alternative views on the effectiveness of the management of the risks, both to OM and to senior management and the Board, but ultimately OM is responsible for the risks and controls. Furthermore, OM is responsible for determining how the provided resources will be applied for the achievement of objectives.

In this, the assessment of the effectiveness of the control environment is firstly the responsibility of OM, and unless there is a fundamental disagreement with RM, it is OM's prerogative as to how resources should be applied. This includes the development and implementation of controls. While RM (and IA) can recommend, it is OM that ultimately carries the responsibility, so it is OM's decision. Escalation is appropriate only when there is a fundamental disagreement between RM (and IA) and OM.

Of course, it is appropriate that the Board be provided with additional comfort that the control environment is effective. Sadly, the conflicting priorities of OM can lead to misreporting or inaccurate reporting of the effectiveness of the control environment. Likewise, limited RM resources can provide only a general level of comfort that risks are identified, and that controls appropriate to the risk appetite have been implemented.

This means that, while RM can and does support the implementation and operation of a framework for identifying and managing risks, it may be outside RM's resources to perform "deep-dives" into all areas of risk.

I am reminded of a bank that told their regulator that they treated all customers as "high risk" customers for due diligence purposes. The regulator's response was that if all customers were "high risk", then no customers were, and the real "high risk" customers would slip past the due diligence process. The bank was required to segment its customers and implement a higher level of due diligence than they had been performing.

IA’s role is to fill the gaps and to provide additional assurance that key controls in high-risk areas are functioning as asserted by OM, and that those controls keep the risks within risk appetite. So IA’s role is the provision of “deep-dive” assessments of high-risk areas, to ensure that the key risks have been identified, that appropriate responses have been considered and agreed, and that controls have been put in place that bring management of the risks within risk appetite.

To summarise then:

  1. OM is responsible for delivering business objectives,
  2. OM applies limited resources to accomplish this,
  3. RM assists OM in identifying and assessing risks to the accomplishment of objectives,
  4. OM provides RM (and others) with regular reporting to confirm that objectives will be achieved within the acceptable risk appetite,
  5. RM confirms that risk across the enterprise is being managed within risk appetite, as reported by OM and as reviewed by RM,
  6. IA provides detailed “deep dive” assessments of the effectiveness of controls in the highest risk areas of the business, or where there may be limited confidence that risks are being managed within risk appetite,
  7. OM, RM and IA jointly provide assurance to the Board that there can be a reasonable expectation that business objectives will be accomplished within risk appetite.


A quick word about risk appetite: the risk appetite of the enterprise is set by the Board (with the assistance of senior management and RM) and it is the responsibility of OM to deliver objectives within that risk appetite. 

This means that RM should continuously confirm that OM understands the risk appetite as it applies to their areas and objectives, and should confirm that there is an effective control environment commensurate with the level of risk and the enterprise’s risk appetite. OM does not set the risk appetite; neither does RM or IA.

Being practical, this influences the reporting to the Board on risk and the effectiveness of the system of internal controls. Some practical suggestions that come from this:


  1. All IA findings should include discussion of the risks that have been identified,
  2. There is an IA finding only if the control environment is failing (or is expected to fail) to manage identified risks within risk appetite,
  3. All actions agreed by OM should be reflected against the risks as recorded and managed through the risk register,
  4. All IA findings and actions should be recorded against their associated risks, or new risks should be added to the risk register where there is no corresponding risk,
  5. OM and RM then need to update their review processes to ensure that the identified risk and mitigation is actually functioning,
  6. Where IA has requested confirmation of the implementation of new or updated controls, this should be provided,
  7. Annual review and approval of the updated risk appetite should then drive a review by OM and RM of the risk and control environment, and will inform the IA review cycle by potentially changing the perceived highest risk areas.

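The suggestions above amount to a reconciliation between the IA findings log and the risk register: every finding maps to a risk (or creates one), a finding only exists where residual risk sits outside appetite, and an action claimed as implemented is only closed once evidence has been supplied. The following is an added example of that reconciliation, not code from the original post; the record layout (risk_id, appetite and residual ratings, an evidence reference on each action) and the sample register and findings are constructed for illustration.

```python
"""Reconcile Internal Audit findings and agreed actions against a risk register.

Added example, not from the original post. Field names (risk_id, appetite,
residual, evidence) and the rating scale are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Ordinal scale so appetite and residual rating can be compared.
RATING = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Risk:
    risk_id: str
    title: str
    owner: str          # Operational Management owner of the risk
    appetite: str       # highest residual rating the Board will accept here
    residual: str       # OM's current assessment of residual risk
    controls: List[str] = field(default_factory=list)


@dataclass
class Finding:
    finding_id: str
    risk_id: Optional[str]   # None: auditor did not map it to a register entry
    description: str
    agreed_action: str
    owner: str
    implemented: bool        # OM says the action is done
    evidence: Optional[str]  # reference to confirmation supplied to IA, if any


def outside_appetite(risk: Risk) -> bool:
    """Suggestion 2: the control environment is failing only if residual > appetite."""
    return RATING[risk.residual] > RATING[risk.appetite]


def reconcile(risks: List[Risk], findings: List[Finding]) -> dict:
    """Return the exceptions OM, RM and IA need to resolve before Board reporting."""
    by_id = {r.risk_id: r for r in risks}
    report = {
        "orphan_findings": [],          # suggestion 4: no risk on the register
        "findings_within_appetite": [], # suggestion 2: register stale, or not a finding
        "unevidenced_actions": [],      # suggestion 6: claimed done, nothing supplied
        "risks_outside_appetite": [],   # what the Board actually needs to hear about
    }
    for f in findings:
        if f.risk_id is None or f.risk_id not in by_id:
            report["orphan_findings"].append(f.finding_id)
            continue
        if not outside_appetite(by_id[f.risk_id]):
            report["findings_within_appetite"].append(f.finding_id)
        if f.implemented and not f.evidence:
            report["unevidenced_actions"].append(f.finding_id)
    report["risks_outside_appetite"] = [r.risk_id for r in risks if outside_appetite(r)]
    return report


def sample_report() -> dict:
    """Run the reconciliation over a constructed register and findings log."""
    risks = [  # constructed sample data
        Risk("R-01", "Payment file altered before release", "Head of Payments",
             appetite="low", residual="high", controls=["Four-eyes release approval"]),
        Risk("R-02", "Stale user access on core banking", "Head of IT Operations",
             appetite="medium", residual="medium", controls=["Quarterly recertification"]),
    ]
    findings = [  # constructed sample data
        Finding("F-101", "R-01", "Release approval bypassed via shared credentials",
                "Enforce individual approver accounts", "Head of Payments",
                implemented=True, evidence=None),
        Finding("F-102", "R-02", "Recertification sign-offs not retained",
                "Retain signed attestations for 7 years", "Head of IT Operations",
                implemented=True, evidence="CHG-2231"),
        Finding("F-103", None, "No owner for vendor SLA monitoring",
                "Assign owner and add risk to register", "CIO",
                implemented=False, evidence=None),
    ]
    return reconcile(risks, findings)


if __name__ == "__main__":
    for key, ids in sample_report().items():
        print(f"{key}: {ids}")
```

On the constructed data, F-103 is an orphan and needs a new register entry; F-101 is a genuine finding (residual high against a low appetite) whose action is claimed done but unevidenced, so it stays open; F-102 sits on a risk already within appetite, which means either the register's residual rating was never updated after the audit or the item is an observation rather than a finding, and OM and RM need to decide which.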

These steps will lead to a more seamless integration of OM, RM and IA, will improve relationships at the operational level, and will provide greater confidence to the Board that the control environment is well established, operating and being effectively monitored.

05 March 2019

IT Audit - sometimes you need to escalate

A common facet of contracts is a true-up clause that pushes a disagreement on price or capacity into the future, with actual usage or consumption to be calculated at a future date or time. Think of the classic French Bistro (in the outback of France, not in a London or New York suburb), and the bottle of house red that is automatically delivered to your table. Or the bottle of whiskey in the officers' mess in the Indian Raj, with the line drawn on the bottle. When the meal is finished, or the drinking is done, a new line is drawn, and you are charged for the difference - the amount consumed.

There is no contract that requires you to consume the entire bottle(s), or a guarantee that you will only drink three-quarters. The contract is settled at a later time. The core of this contract is that all can clearly see what was consumed, and there can be little dispute as to the actual quantities and therefore the final bill.

I have seen computer systems contracts with just that type of resolution built into the contract. 

Many years ago, I was asked to look at a contract that had such a true-up clause in it. The computer vendor had estimated that a certain level of computing power (mainframes) would be required, while the client estimated a lower amount would be required. In the days before on-demand cloud infrastructure, computing power came in "boxes" of defined "MIPS" (Millions of Instructions per Second - a quaint concept to us today). You got the whole box, or no box. The vendor believed that a certain number of "boxes" would be needed, while the client thought otherwise.

The system was of too much importance, however, to allow for the implementation of inadequate computing power, and so both parties agreed to install enough to ensure smooth functioning. The vendor was adamant that their estimates were right, so insisted that the total amount of processing power be installed.

Through the negotiations, a final difference of $18 million was arrived at, out of a total contract value of approximately $80 million. The parties agreed then, as is not uncommon, to split the difference three ways.


  1. The client agreed to pay $6 million.
  2. The vendor agreed to discount $6 million.
  3. The parties agreed to review system usage at the end of a year, and split the remaining $6 million based on the actual usage.


Makes perfect sense, if the actual usage can be measured and recorded, and if monitoring and system optimisation are in place on the client side. Like the line on the bottle, the utilisation level could be measured and a line drawn across the capacity of the systems.

Unfortunately, the client failed to put in place the monitoring. As a former mainframe systems capacity planner, I knew what monitoring would be required, and I knew exactly how the vendor would demonstrate that the application actually did require the full amount of computing capacity that was originally estimated. I had, in fact, worked for that vendor.

As the IT Auditor, I recommended that the monitoring should be put in place, and provided guidance on what and how to perform that monitoring. I also recommended that such monitoring should be performed on an ongoing basis, so that management could track how much of the $6 million they would "owe" at any given month-end, so that system optimisation could be performed. 
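The monthly tracking recommended above is simple to implement once utilisation samples are being collected, and the exercise also exposes the caveat that decides the argument: the vendor will argue from peak load (it justifies the installed boxes), the client from average load, so the contract has to name the measure. The following is an added example, not code from the original post, and it assumes a settlement rule (the disputed amount split pro rata to the share of installed capacity actually used) and constructed utilisation samples; the real contract's rule and figures are not stated on the page.

```python
"""Month-end true-up tracker for a capacity-based contract settlement.

Added example, not from the original post. The settlement rule (disputed
amount split pro rata to the share of installed capacity actually used), the
choice of measures and the sample utilisation figures are assumptions.
"""
from statistics import mean
from typing import Dict, List, Tuple

DISPUTED_AMOUNT = 6_000_000   # the third slice of the $18m difference (assumed rule)
INSTALLED_CAPACITY = 1.0      # full installed capacity, as a fraction of itself

# Constructed sample: per-interval CPU utilisation of the installed capacity (0.0 - 1.0)
SAMPLE_MONTHS: Dict[str, List[float]] = {
    "month-01": [0.55, 0.60, 0.58, 0.72, 0.95, 0.62],
    "month-02": [0.50, 0.52, 0.49, 0.61, 0.88, 0.55],
}


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile; adequate for interval samples of utilisation."""
    ordered = sorted(values)
    k = max(0, min(len(ordered) - 1, round(pct / 100 * len(ordered)) - 1))
    return ordered[k]


def utilisation_measures(samples: List[float]) -> Dict[str, float]:
    """The three measures each side is likely to put on the table."""
    return {
        "average": mean(samples),         # the client's preferred line on the bottle
        "p95": percentile(samples, 95),   # a common compromise
        "peak": max(samples),             # the vendor's preferred line on the bottle
    }


def amount_owed(utilisation: float, disputed: int = DISPUTED_AMOUNT,
                capacity: float = INSTALLED_CAPACITY) -> int:
    """Pro-rata share of the disputed amount, clamped to [0, disputed]."""
    share = min(max(utilisation / capacity, 0.0), 1.0)
    return round(disputed * share)


def month_end_position(monthly_samples: Dict[str, List[float]],
                       measure: str = "average") -> List[Tuple[str, float, int]]:
    """(month, measured utilisation, amount owed) for each month, so that
    optimisation effort can be targeted before the settlement date."""
    position = []
    for month, samples in monthly_samples.items():
        m = utilisation_measures(samples)[measure]
        position.append((month, round(m, 3), amount_owed(m)))
    return position


if __name__ == "__main__":
    for measure in ("average", "p95", "peak"):
        print(measure)
        for month, util, owed in month_end_position(SAMPLE_MONTHS, measure):
            print(f"  {month}: utilisation {util:.3f} -> ${owed:,} owed")
```

On the constructed samples the first month comes out at roughly $4.0m owed on the average measure but $5.7m on the peak measure, which is the whole dispute in one number: without agreeing the measure and collecting the samples, there is no line on the bottle at all.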

Nothing happened.

Again, in three months, I recommended that the monitoring be put in place. Again nothing was done. All the while the clock was ticking down to the performance date, and it was looking like the $6 million would be owed to the vendor.

Having received no response from the CIO, and in fact, having been told by the CIO that Internal Audit really didn't know what it was talking about, that Internal Audit knew nothing about IT, and that IT auditors were a particularly incompetent bunch, we felt there was no option but to escalate. A one-page memo was prepared and sent to the CEO (the same CEO who sent a two-page memo to all managers telling them that all correspondence to him should be in one-page memo form) outlining quickly the situation, and the (lack of) response from the CIO.

The result: After an independent review of IS's work lasting all of one day, the CIO was fired, and new negotiations were opened with the vendor, and a pre-emptive agreement was reached that saw the client pay the vendor $3 million. The vendor forgave the other $3 million.

Ultimately all agreed that they would not be able to draw a line on the bottle that each party would agree to, so it would have been almost impossible to agree exactly how much had been consumed.

But failure to implement basic monitoring and management cost the company $3 million that they should not have needed to pay.