IAM002 – Auditing Strategic Risks

Quote of the Week: I do not believe you can do today’s job with yesterday’s methods and be in business tomorrow. ~ Nelson Jackson

Book Application: Who Moved My Cheese by Spencer Johnson

Last Wednesday, the IIA put on a webinar discussing the changes to the IPPF. While the exposure draft doesn’t change the actual standards, it has far-reaching effects on the profession. Please take the time to go through the exposure draft and submit your comments.

On Thursday, the IIA and Robert Half held a webinar, “Show Them The Way.” There were some great insights on employee engagement. For many Chief Audit Executives, engaging our employees, especially the millennials, will be a big challenge over the next few years.

I’d also like to point out that October is CyberSecurity Month. In addition to supporting this initiative, ISACA is rolling out a CyberSecurity Foundations Certificate. Check the show notes for a link to the fact sheet.

There have been two significant information security events in the news recently:
• Home Depot reported a major breach of their customers’ credit card data. Preliminary reports indicate this vulnerability was an exploit of unpatched machines.
• The Shellshock Bash Bug was identified. This is likely more significant than the Heartbleed bug, affecting as many as 500 million machines.

I wrote a couple of short articles from a series of articles on value. The first defines value, the second discusses where we find value.  I also discussed a recent PWC whitepaper on the topic of value and metrics.
Go to the show notes at internalauditmastery.com/002 or go to the podcast tab on the main page and find episode #2 on the list.

So, let’s get into the meat of this program:

I know the following statement is going to come off as blasphemy, but:

I don’t believe Internal Audit should be engaged auditing strategy or providing assurance on strategy risk.

Now that I have your attention…

In this program:
– I’ll discuss the path current internal audit thought leadership is setting for us.
– I’ll explain why I feel this move may be a mistake for most of us.
– And I’ll put forward a practical solution for you to consider in reconciling aspirational guidance with the realities of managing audit risk.

I’ll repeat my previous statement:
I don’t believe Internal Audit should be engaged auditing strategy or providing assurance on strategy risk.

I’ll admit, this is a shift in paradigm for me. I’ve long recognized that traditional financial and operational auditing often leaves us short of addressing the biggest risks for our companies. I could say, “It’s always been this way.” But I know better.
I also know it is a critical part of an auditor’s DNA to constantly be re-thinking what is, looking for better answers. If constant improvement isn’t a part of your mission statement, it should be.
And now, the profession is looking and moving ahead:

Current Path of the Internal Audit Profession

2014 state of the internal audit profession study
Higher performance by design:
A blueprint for change (March 2014)

More than half (55%) of senior management told us that they do not believe internal audit adds significant value to their organization. Nearly 30% of board members believe internal audit adds less than significant value. On average, only 49% of senior management and 64% of board members believe internal audit is performing well at delivering on expectations. While many reported that their internal audit functions made progress during the past year, performance issues identified in prior years’ research continue and stakeholders told us the progress has not been sufficient to keep pace with the changing business environment. This year’s research once again confirms that today’s increasingly complex and risky business landscape has resulted in many internal audit functions struggling to be viewed as valuable. Further, internal audit’s ability to build the right capabilities and deliver on expectations continues to be challenged.


In organizations where internal audit’s expectations are narrow, yet where CAEs have gained consensus on those expectations and aligned capabilities to deliver, some stakeholders reported receiving value.
Our evidence shows that internal audit can deliver greater value for the enterprise if stakeholders expand their expectations and internal audit expands its capabilities in response.

Norman Marks Blog – Leaders of Internal Audit Should Never Be Satisfied

Part of the problem is that audit committees don’t understand the potential of internal audit – and too many CAEs are not educating them. So, they don’t demand more and too many CAEs are satisfied doing what is expected without trying to change and upgrade those expectations.

I’ll admit, that is so compelling. I want to make my company the best it can be. I want to help management address the biggest risks. I know I have something to offer, but…

Should All Internal Audit Functions Audit Strategy?

What is my department best at?
– Financial controls
– Operational controls
– Compliance controls
– Information Technology controls
– Process improvement (effectiveness/efficiency)
– Fraud investigation
– Helping management and the board understand risks

Are we excellent at that?
– Generally, yes. And we’re always working to get better.

Great! Should we expand our services?
– The thought leaders definitely feel that way.
– But what do the soldiers in the field think?

IIA Webinar – Wednesday, September 24, 2014:
IPPF Update Exposure Draft:
What’s on the Horizon with the IPPF and How it May Affect You.

Survey: Is compliance with the current standards too easy, too hard or just right?

78% – Just Right
18% – Too Hard
3% – Too Easy

I don’t know if that is representative of the whole profession, but if 96% of us feel we’re currently fully engaged, or over-engaged, is it really time to expand?

Website Poll – 10 responses

In the book, Essentialism – The Disciplined Pursuit of Less, Greg McKeown discusses the paradox of success, which is summed up in four predictable phases:

Phase 1: When we really have clarity of purpose, it enables us to succeed at our endeavor.

Phase 2: When we have success, we gain a reputation as a “go to” person. We become “good old [insert name],” who is always there when you need him, and we are presented with increased options and opportunities.

Phase 3: When we have increased options and opportunities, which is actually code for demands upon our time and energies, it leads to diffused efforts. We get spread thinner and thinner.

Phase 4: We become distracted from what would otherwise be our highest level of contribution. The effect of our success has been to undermine the very clarity that led to our success in the first place.

Sound familiar? Are we at risk of overpromising and underdelivering?

Google started out doing one thing, search. They perfected it. Then they moved on to other areas: click ads, video sharing, social media, Google Glass, self-parking cars. Can’t audit departments do the same thing, continue to expand into new areas? Of course. But do you remember Orkut? Google Wave? Google Buzz?

Google succeeds by throwing things at the wall and wins if one sticks. Can your audit department afford that? Can you afford to fail at any of your assurance scope?

No doubt there is an expectation gap. It has always existed. Every time there is a business failure, the question always comes up: Where were the auditors?

Auditing strategy is the most challenging effort an auditor could take on. Does your organization have an established model for planning and strategy building? For most companies I’ve worked for, the process was more organic than any other process in the company.

I can see some value in addressing the systems and processes that provide the inputs into the process (in fact, we always include management reporting risks in areas where we’re auditing financial or operational systems). But are we willing to opine on the output? More importantly, are we capable of doing so?

I know many of you are still not convinced. So, I will offer one last reason to consider letting strategy auditing go. Management is focused on strategy 99% of the time. As a result, they let the “little things” go. Those little things are things that could trip them up.

The football coach and players are focused on the strategy and the execution of that strategy. What aren’t they paying much attention to? The condition of the field. And that could adversely affect their play. I think there is great value in being the groundskeeper.

The football coach and players are engaged in play, adjusting as the game goes forward, while the trainers work with the various players to keep them healthy and in the game. I think there is great value in being a trainer.

With us focusing on the things that can hamper the performance of the company, we are adding great value.

A Better Solution for Internal Audit Value

Instead of striving to be everything to everybody, I’d like to propose a better solution:

  • Meet with the stakeholders (management and the audit committee) and discuss the following:
  • Document the scope of coverage for your department in your Internal Audit Department Charter.
  • Align the department on delivering on that promise 100% of the time. Training, quality review
  • Demonstrate to your stakeholders where you’re delivering on the promise.
  • Rinse and repeat. In some cases, you may be able to expand your scope. But do so with full agreement from your stakeholders and awareness of the risks you are taking to make the broader scope possible.

To recap:
– We should make sure we are maximizing our performance on the things we have traditionally done. Be 100%.
– We should regularly check in with our stakeholders to ensure we understand their expectations and they understand our full scope. Document this in your charter.
– If there is an expectation gap, we should educate the stakeholders on current capabilities or take steps to increase our capacity through outsourcing, co-sourcing, hiring, and training.
– Focus on providing the highest quality service possible on the scope you have and leave the rest to management to handle (think serenity prayer).

Grant me the serenity to accept the things I cannot change,
The courage to change the things I can,
And the wisdom to know the difference.

Thank you for being a part of this program. I hope you found it useful. I welcome your feedback either through the comments on the InternalAuditMastery.com blog post, on YouTube, or iTunes (this is episode 2). I’d also appreciate it if you’d take the time to subscribe and rate the podcast on iTunes. That helps me get the word out.

Thank you. Have a great day!
