May 16, 2016

Conditioning the Organization for Risk – Agility vs Resiliency

Balancing risk agility and risk resiliency is the focus of PwC’s recently published fifth annual risk study. The report, Risk in Review: Going the Distance, makes the case that organizations that do both well are more likely to have long-term success.

Of particular interest to me is how the study defines risk agility and risk resiliency. Risk agility is an organization’s ability to “. . . respond quickly to changing markets, customer preferences, or market dynamics,” according to the study. Risk resiliency is defined as an organization’s “. . . ability to withstand disruption by relying on solid processes, controls, and risk management tools and techniques, including a well-defined corporate culture and a powerful brand.”…

May 9, 2016

Every Step You Take – They’ll Be Watching You

One of the great benefits of being the head of a global professional organization is that I am privileged to travel frequently to meet with internal audit practitioners around the world. By necessity, I have had to become a resourceful traveler. I’ve learned to pack lightly, make time to meet the professionals and appreciate the locales I visit, and take advantage of technology that keeps me connected.

This last aspect has been particularly interesting this year, when there have been two instances where technology played intriguing roles in my travels.

The first involves the powerful technology that keeps me connected to headquarters staff 24/7/365 — most people call it a smartphone.…

May 2, 2016

The Question Should Be – “Where are the Internal Auditors”

There is an old joke that “an expert is someone from out of town with a slideshow.” Too often, when management needs expertise or advice, that is precisely who they call.

In my last blog, I wrote about my dread in hearing the question, “Where were the internal auditors?” As I said then, when the whereabouts of internal audit is pondered by media and others, there has typically been a high-profile corporate failure that has impacted a company’s share value and investor confidence.

I have received a number of interesting comments about the blog, including one from a senior audit leader during my recent visit to Germany for an International Integrated Reporting Council meeting.…

April 25, 2016

“Where Was Internal Audit” – Hopefully Following the Risks

As a global leader in the internal audit profession, among the questions I dread hearing the most is: “Where was internal audit?”

When the whereabouts of internal audit is pondered by media and others, there has typically been a high-profile corporate failure that has impacted a company’s share value and investor confidence. The question also arises when there has been a scandal or highly publicized failure in government that has rattled public trust.

The question itself clearly suggests that an organization’s last line of defense failed to do its job. While I acknowledge that sometimes internal audit does drop the ball, I am often troubled by how quickly the question is posed.…

April 18, 2016

Internal Audit Should Be on Alert for “Phishy” Business

It is no longer news that cybersecurity is one of the top risks facing organizations today. Cyber criminals are exhibiting increasingly ingenious tactics to hack public and private databases that contain millions of individuals’ private records.

Organizations globally are working diligently to gird themselves against these increasingly sophisticated cyberattacks and developing crisis management plans to deal with any attacks that succeed. Yet there is a growing threat from cyber criminals that requires little more than access to the Internet, a bit of brazen ingenuity, and the hope that some overworked finance executives might not be on their toes. I’m talking about a basic email scheme that has resulted in billions of dollars in business losses.…

April 11, 2016

The Dangers of Assessing Risks Through a Political Lens

Earlier this year, I wrote how the Uber phenomenon should raise awareness of the risks associated with disruptive innovation. I noted that deciding whether Uber fits the textbook definition was not as important as understanding the risks associated with it.

I have since been struck by the growing chorus around potential business risks that do fit more closely with disruptive innovation’s definition – the U.S. presidential campaigns of Donald Trump and Bernie Sanders. Disruptive innovation keys on an upstart competitor that taps into an unserved or underserved market. The Trump and Sanders campaigns appear to be doing just that.

I’ll leave it to the political pundits to determine if the campaigns truly represent innovation, and I am not weighing in here on one side or the other of either of these campaigns.…

April 4, 2016

Internal Audit’s Role When Activist Investors are at the Door

At The IIA’s recent General Audit Management conference, the leader of a group representing corporate directors characterized investor activism as one of the main things that keep them up at night. Indeed, Peter Gleason, National Association of Corporate Directors president, told attendees that for directors this concern ranked second only to cyberattacks.

This revelation generated considerable discussion at The IIA’s global headquarters about where internal audit fits into the issue. In the eyes of our stakeholders, investor activism is a substantial risk; yet rarely, if ever, does it show up on internal audit’s radar.

Let’s look at why this issue generates so many sleepless nights for corporate directors.…

March 28, 2016

Five Attributes of Extraordinary Audit Committee Chairs

In the 21st century, corporate audit committees have become the sentries charged with guarding corporate financial integrity on behalf of weary shareholders. Their significance is not lost on legislators, regulators, and equity listing exchanges, who have charged them with the important task of safeguarding against the financial shenanigans that have severely shaken confidence in equity markets over the past generation. Like any platoon of sentries, audit committees need strong and capable leaders who inspire confidence and do not shrink from the critical tasks at hand.

As internal auditors, our responsibilities are carried out under the watchful eyes of our audit committees.…

March 21, 2016

When Boards Are Absent on CAE Pay, Reporting Relationships Are Window Dressing

I have written about the importance of the CAE’s reporting lines, but this can be a meaningless structure if not supported with substance. While a strong functional reporting relationship with the board or audit committee is critical to protect heads of internal audit from undue management influences, this arrangement is only as strong as their will to be involved.

I noted in an earlier blog that many boards are not involved in the hiring and firing process, which can lead to management having a hand-picked – and potentially malleable – CAE running the audit function. The same holds true for boards and audit committees that abdicate their responsibility regarding CAE performance and compensation.…

March 14, 2016

Internal Audit’s Relationship With Management Can Say a Lot About Organizational Culture

I have been spending a great deal of time lately focusing on corporate culture. The number of high-profile corporate scandals in the past year made very clear for me just how much a toxic culture can undermine good governance, and ultimately destroy shareholder value. This makes it imperative for our profession to “follow the risks” and address culture when carrying out our responsibilities.

I believe many of my colleagues agree that the time has come to assess culture, based on the positive response to my keynote address, When Culture is the Culprit, delivered at last week’s IIA GAM conference. This is especially gratifying considering that auditing culture will place a burden on most practitioners to operate outside of their comfort zones.…