risk oversight solutions 2017 acca article by tim j....

Risk Oversight Solutions 2017 ACCA Article by Tim J. Leech Is Internal Audit the Next BlackBerry? It Really Is Time to Reinvent the Profession – Part I & II

www.riskoversightsolutions.com

Internal Audit

Is internal audit the next BlackBerry? PART I

It really is time to reinvent the profession, believes Tim Leech.

In the first part of a two-part article, Tim Leech defines the problems facing the internal audit

profession. The second part of this article will appear in the next edition of this eBulletin and will see Tim discuss his solution to the problem.

This is an alternative view of the profession that readers and practitioners should consider in the

context of their own approach and behaviours. The views expressed in this article are the author’s and may not reflect those of ACCA. Executive summary

Over the past decades there has been a series of major corporate governance crises. After each wave

post mortems were convened and efforts made by regulators to identify root causes. The good news –

or bad, depending on your perspective – for the internal audit profession is that rarely were questions

raised by those commissions and regulators about the role internal audit should have played to avoid

the current crisis being reviewed.

What the commissions did call for was a massive global focus on the need for boards of directors to

better oversee risk in their organisations. As pressure on directors mounts globally to improve risk

oversight, their dissatisfaction with traditional internal audit services is also growing. This article

suggests the root cause of the mounting internal audit customer dissatisfaction globally is internal audit

‘paradigm paralysis’ – a strong attachment to traditional ways of doing internal audits that no longer

meet the needs of key customers. Specific recommendations are made to help internal auditors

transition past the paradigm paralysis and adopt new methods that better meet the needs of its key

customers.

In 1990 I authored a paper that changed the course of my life and career titled Control & Risk Self

Assessment: The Dawn of a New Era in Corporate Governance. In that paper I called on the

internal audit profession to actively support and embrace the need for robust management self-

assessment of risk and control. A significantly different role for internal auditors was proposed, a role

fostering reliable management risk self-assessment and reporting to the board on the reliability of

management’s risk management processes and the risk status information provided by management to

the board.



Later in the 1990s, as the number of control and risk self-assessment (CRSA) pioneers grew, the IIA

showed support for this new internal audit paradigm by creating the Certification in Control Self-

Assessment (CCSA) and hosting an annual international CSA/CRSA conference. Since CSA/CRSA was still

a relatively small fringe movement, the IIA continued to base the core internal audit curriculum on the

foundation element of internal auditors doing ‘risk-based audits’, and reporting opinions on ‘internal

control effectiveness’ on a small percentage of the total risk universe each year.

When Sarbanes-Oxley came along in 2002 the focus of the profession regressed and shifted, at least in many of the world’s largest public companies, to providing heavy support for binary opinions from CEOs and CFOs on whether financial accounting internal controls are, or are not, effective. Following the 2008 global financial crisis, IIA Global again showed support for change with changes to the International Professional Practice Framework (IPPF) standards and the creation in 2011 of a new Certification in Risk Management Assurance (CRMA).

Since the idea of internal auditors focusing on reporting on the effectiveness of risk self-assessment

processes maintained by management was still seen by the majority of internal auditors globally as a

fringe movement, the IIA continued to position traditional internal audit roles, including completing

direct report internal audits, reporting on internal control ‘effectiveness’, maintaining ‘audit universes’

and audit plans, and the traditional curriculum in the Certified Internal Auditor (CIA) designation as the

core internal audit paradigm.

The core foundation of internal auditors doing direct report internal audits and reporting opinions to

their boards on the effectiveness of internal controls on a small percentage of the risk universe each

year is now under siege as more and more customers and stakeholders, including the C-Suite, boards of

directors, management, and regulators show increasing signs of dissatisfaction.

This article overviews the growing and ominous signs of customer dissatisfaction and proposes a new

paradigm in assurance – ‘Objective Centric Five Lines of Assurance’ as a strategy to prevent internal

audit becoming the next Blackberry – an organisation that just didn’t see the warning signs and respond

soon enough.

Growing signs of dissatisfaction

Pulse of the Profession surveys done by the IIA and major consulting firms in 2014- 2016 paint a

picture of growing customer dissatisfaction with traditional internal audit services. An excerpt from the

IIA July 2014 report titled Enhancing Value Through Collaboration shown below is illustrative of the

growing levels of customer dissatisfaction. The percentage of unhappy internal audit customers

reported in these surveys is simply too big to dismiss as ‘a few bad apples in the barrel’.



Following the 2008 global financial crisis regulators from countries around the world banded together to

study root causes. The conclusion of the Financial Stability Board (FSB), an oversight body comprising

the world’s superpowers, was that a radical shift in the roles played by boards, senior management and

internal audit is necessary.

In the FSB’s November 2013 guide to national financial and securities regulators around the world titled

Principles for Effective Risk Appetite Framework, the FSB painted new and significantly different

roles for boards, CEOs, risk specialists, and internal auditors. Internal audit’s main role, as envisioned by

the FSB, should be reporting on the effectiveness of risk management processes, including the ability of

the company’s risk management framework to identify risks, assess risks, treat risks, and deliver reliable

information on residual risk status to boards.

Unfortunately, in many organisations today, internal audit still serves as the primary group that

completes formal documented risk and control assessments and reports results upwards to the board of

directors. A key roadblock to actualising the new FSB vision is that internal audit is often the primary

risk/control assessor and reporter to board, not management. As a result, internal audit lacks the

independence required by IIA standards to report on the effectiveness of the company’s risk

management processes.

The 2014 IIA Annual Report shown below called on internal auditors to be agents of change. In February

2016, sensing the profession was not responding fast enough, IIA President, Richard Chambers, blogged

that To Be Agents of Change Internal Audit Must Embrace Change and focused on the theme of the 2016

http://accaiabulletin.newsweaver.co.uk/accaiabulletin/nerhsobgg81o70uwco6bm2?a=6&p=51142450&t=28194288



http://accaiabulletin.newsweaver.co.uk/accaiabulletin/3umjtvjn0qto70uwco6bm2?a=6&p=51142450&t=28194288





Pulse of the Profession report – ‘Time to move out of the comfort zone’. While recognising the need

for and importance of change, the IIA has been reluctant to aggressively endorse a radical change

agenda for the profession.

Internal audit competitors sense an opportunity

A 2016 Deloitte report titled Evolution or irrelevance: Deloitte’s 2016 Global Chief Audit Executive

Survey is illustrative of the growing sense that here is a big commercial opportunity to be exploited as

customer dissatisfaction with traditional internal audit methods grows.

The survey’s key findings – taken from 1203 respondents in 29 countries and across eight industry

sectors – are:

• almost all heads of internal audit expect their organisations and their functions to change

substantially in the next few years

• internal audit currently lacks the impact and influence that it wants and needs within the

organisation

• key gaps in certain skills, including analytics, IT and communications, must be addressed in order to

increase impact and influence

• stakeholders’ expect more forward-looking reports as well as insights regarding risks, strategic

planning, IT and business performance

• almost all internal audit budgets will remain flat or increase slightly, which may not be enough to

fund needed enhancements to the function

Fortunately, for many in-house internal audit groups, external providers of internal audit services (read

competitors) are also still largely wed to the traditional direct report audit paradigm where auditors

form subjective opinions on whether they (the auditors) think controls are effective/ineffective. Be

warned. however: a major risk to the profession is that one or more ‘APPLE-like’ competitors may yet

emerge to seize on the opportunity presented by the current paradigm paralysis in internal auditing and

ERM.

What does history suggest?

In the face of steadily dwindling customer satisfaction what does history say the internal audit

profession will do? Research done over many decades provides insight in to one of the greatest risks

today to better governance globally – paradigm paralysis in internal audit and ERM.

A summary of the barriers to change posed by paradigm paralysis is as follows:

The greatest barrier to a paradigm shift is the reality and incredible inertia of paradigm paralysis. A

paradigm paralysis can be defined as the inability or refusal to see beyond current models of thinking.

There are countless examples of paradigm paralysis in the history of mankind.

http://accaiabulletin.newsweaver.co.uk/accaiabulletin/10mfrtjr4bqo70uwco6bm2?a=6&p=51142450&t=28194288




http://accaiabulletin.newsweaver.co.uk/accaiabulletin/1p7m0v8522to70uwco6bm2?a=6&p=51142450&t=28194288





In Europe, up until the seventeenth century, physicians used to draw out substantial amounts of blood

from their patients to ‘purify’ their bodies from some imaginary ‘miasma’. It would, of course, make

patients weaker and quicken their death. The first physicians to challenge this absurdity were

dismissed and banned from the profession. A better known example of paradigm paralysis is the

rejection of Galileo’s theory of a heliocentric universe which revolutionised the field of astronomy.

If paradigm shifts are the mega-phenomenon of ‘thinking outside the box’, paradigm paralysis is the

enemy of progress and can be defined as the sclerosis of ‘thinking inside the box’. In today’s world of

social turmoil, constant fast pace change, globalisation, communication revolution, overpopulation,

shrinking resources and growing ecological threats, paradigms are double-edged swords.

On one hand, they give us a structure and the illusion of permanence, which is a false sense of security.

On the other hand, current paradigms, which often fall into the category of paradigm paralysis, prevent

us from tackling challenges and major problems to keep life sustainable on this planet for future

generations. In other words, we need to step out of the ‘illusion box’, both individually and collectively,

of established thought paradigms, and jump courageously and resolutely into an uncharted and

unknown reality unfolding each time a significant paradigm shift takes place.

Source: http://newsjunkiepost.com/2011/09/04/will-we-have-a-global-paradigm-shift-away-from-obsoleteideologies/

The second part of this article, in which Tim discusses his solution to the problems identified,

will appear in the next edition of this eBulletin.

Tim J. Leech, FCPA CIA CRMA CCSA CFE is managing director at Risk Oversight Solutions

Inc., based in Oakville, Ontario, Canada and Sarasota, Florida. He has over 30 years of

experience in the risk governance, internal audit, IT, and forensic accounting/litigation support fields.

Leech has provided training for tens of thousands of public and private sector board members,

senior executives, professional accountants, auditors and risk management specialists in

Canada, the US, the EU, Australia, South America, Africa and the Middle and Far East. He has

received worldwide recognition as a pioneer, thought leader and trainer. His article ‘Reinventing

Internal Audit’, featured in the April 2015 issue of Internal Audit, received the Outstanding Contributor award from the IIA.

http://newsjunkiepost.com/2011/09/04/will-we-have-a-global-paradigm-shift-away-from-obsolete-ideologies/
























Is Internal Audit the Next Blackberry? It Really Is Time

to Reinvent the Profession – PART II

Tim J. Leech

In the first part of this article in the November edition of ACCA UK’s

Internal Audit e-bulletin, Tim Leech defined the problems facing the

internal audit profession. In the second part of his article, Tim discusses

his solution to the problem. This is an alternative view of the profession

that readers and practitioners should consider in the context of their

own approach and behaviours. The views expressed in this article are

the author’s and may not reflect those of ACCA.

EXECUTIVE SUMMARY:

Over the past decades there have been a series of major corporate governance crises. After each wave post-mortems were convened and efforts made by regulators to identify root causes. The good news, or the bad news depending on your perspective, for the internal audit profession is that rarely were questions raised by those commissions and regulators about the role internal audit should have played to avoid the current crisis being reviewed. What the commissions did call for was a massive global focus on the need for boards of directors to better oversee risk in their organizations. As pressure on directors mounts globally to improve risk oversight their dissatisfaction with traditional internal audit services is also growing. This paper suggests the root cause of the mounting internal audit customer dissatisfaction globally is internal audit “paradigm paralysis” – a strong attachment to traditional ways of doing internal audits that no longer meet the needs of key customers. Specific recommendations are made to help internal auditors transition past the paradigm paralysis and adopt new methods that better meet the needs of its key customers.

The Way Forward: Objective Centric Five Lines of Assurance

If you are willing to consider the central thesis of the article that the internal audit profession is at, what

is sometimes called, a “tipping point”; and agree the profession is being crippled or at least seriously

negatively impacted by paradigm paralysis, including a strong attachment to traditional point-in-time

direct report audits of internal control effectiveness covering a small percentage of the risk universe

each year; a logical question has to be:

WHAT CAN BE DONE TO PREVENT THE INTERNAL AUDIT PROFESSION BECOMING THE NEXT

BLACKBERRY?

The first step in an ideal world would be for the internal audit profession, including IIA global, to

candidly acknowledge the failings of the current direct report internal audit paradigm and aggressively



call for management to self-assess risk and risk treatments linked to key value creation and value

preservation objectives1 and embark on a radical paradigm shift change strategy.

Unfortunately, if we accept the premise that IIA Global is simply too invested in the current direct

report internal audit paradigm to be the one to drive the changes necessary fast enough, it suggests

change must come from what Joel Barker, a noted futurist and paradigm paralysis expert, called “the

fringes”2. When Apple was created in 1976 the founders of that company were often referred to as

“hippies and nerds”, or “the fringes” in Joel Barker’s taxonomy. ACCA’s internal audit membership who

have sponsored this article; the Institute of Chartered Internal Auditors in UK who have published

ground-breaking guidance for members particularly in the financial services sector; blogs and

presentations calling for change by Norman Marks3 and Paul Sobel; IIA Canada members who led the

CRSA/CSA movement in the 90s and have consistently recognized work designed to drive radical

change, IIA CCSA and CRSA certificate holders, and other “fringe” participants are all candidates to lead

change in the profession.

It is important to note that in an ideal world change would be driven by the customers of internal audit

services. For a variety of reasons, this is not likely to happen. Boards and the C-Suite simply have bigger

things to worry and think about. Unfortunately, excepting the FSB guidance on effective risk appetite

frameworks, the majority of national regulators continue to show strong attachment to having internal

auditors play the role of “controls police”, while at the same time calling on companies to implement

more effective risk management frameworks. The views of regulators are a key element of the current

internal audit paradigm paralysis.

As a replacement for the current direct report internal audit paradigm I believe, based on 30 years of

studying the evolution of internal auditing and customer needs globally, that an OBJECTIVE CENTRIC

FIVE LINES OF ASSURANCE approach is best suited to meet the needs of today’s boards, senior

management, regulators, and society at large. Change has to start somewhere. The small body of loyal

Apple disciples in the late 1970s were the seeds that grew what is now one of the largest and most

successful companies and support movements in the world. Experts generally agree that changing

paradigms is possible, but very difficult. It will take a concerted effort from more than a few to change

the current internal audit paradigm.

1 Authors’ definition: Value Creation Objective: Objectives key to the long term success of the enterprise that

will create enhanced shareholder value. (Example: Increase market share by 20%).Value Preservation Objective:

Objectives which, if not achieved, have significant potential to erode stakeholder value. (Example: Ensure reliable

financial statements) disclosures)

2 For more details see THE POWER OF PARADIGMS at http://www.joelbarker.com/speeches/classic-

speeches/thepower-of-paradigms/

3 See Norman Mark’s October 14, 2016 IIA blog “Focusing on the Wrong Line of Defense” as an example at

https://iaonline.theiia.org/blogs/marks/2016/Pages/Focusing-on-the-wrong-line-of-defense.aspx

http://www.joelbarker.com/speeches/classic-speeches/the-power-of-paradigms/


























OBJECTIVE CENTRIC FIVE LINES OF ASSURANCE – CORE ATTRIBUTES Attribute #1 – Senior management, with board oversight and assistance from internal audit and risk

specialists, make conscious decisions on the organization’s top value creation and value preservation

objectives and document them in an OBJECTIVES REGISTER – simply put, these are the end result

objectives they believe necessary for the organization’s sustained success. Careful consideration is given

to the costs and benefits of requiring more formal and visible assurance methods for each objective

that is added to the Register.

Attribute #2 – Senior management, with board oversight, assign “OWNER/SPONSORS” and

responsibility to report upwards on the current residual risk status for each of the objectives included in

the organization’s OBJECTIVES REGISTER (the risk position related to the objective being assessed

remaining after considering current risk treatment/responses)

Attribute #3 – Senior management, with board oversight, decide on the level of risk assessment rigour

each of the objectives will receive; the level of independent assurance they want on each objective, if

any; and the person, department or outside party that will provide the required level of independent

assurance. For many objectives included in OBJECTIVES REGISTERS this will be Internal Audit.

Attribute #4 – Internal audit’s work plan is driven by the assurance requirements defined in the

OBJECTIVES REGISTER. Internal audit also provides comments and recommendations if it believes there

are objectives that should be in the OBJECTIVES REGISTER that aren’t included. Internal audit may also

be asked in the early phases to help OWNER/SPONSORS through training and facilitation services to

complete risk assessments at the level of risk assessment rigour defined by senior management and the

board. In organizations that have an ERM support group, their work plan is driven by helping

OWNER/SPONSORS complete objective risk assessments on assigned objectives at the level of risk

assessment rigour defined by senior management and the board, and helping management respond to

quality assurance reviews done by independent assurance providers.

Attribute #5 – Senior management and the board receive regular reports from the CEO and/or his/her

designate on the objectives in the OBJECTIVES REGISTER, including concise information on which

objectives are considered to have residual risk positions within the organization and board’s risk

appetite/tolerance, those that are not, how serious the situation is currently, and action plans to

address those objectives currently outside of risk appetite/tolerance. They will also be provided with

reports from independent assurance providers, including internal audit, where management has

indicated in their assessment that the current risk status is within the organization’s risk

appetite/tolerance, but the assurance provider believes that it is not, or is unsure if the current residual

risk status is within the board’s risk appetite/tolerance.



KEY BENEFITS OF OBJECTIVE CENTRIC FIVE LINES OF ASSURANCE

Benefit #1 – accountability for managing and reporting on risk status is positioned squarely with the

responsible party – management.

Benefit #2 – Senior management and the board receive timely and reliable information on risk status

linked to top value creation and preservation objectives they need to meet escalating duty of care

expectations.

Benefit #3 – The framework focuses expensive assurance resources, including the time of management

and assurance providers, on the objectives most key to the organization’s long term success.

Benefit #4 – The recommended RiskStatusline® risk assessment approach (see Attachment 1) focuses

on creating reliable information on the true state of residual risk linked to specific objectives, as well as

“optimizing” the risk treatment strategy (i.e. the lowest cost possible combination of risk treatments

capable of producing an acceptable level of residual risk) This helps drive continuous improvement and

innovation.



Benefit #5 – The level of internal audit resources required is defined by senior management and the

board when they decide how many objectives will be included in the OBJECTIVES REGISTER, the level of

risk assessment rigour required, and the level of independent assurance. Without clearly defined end

results there is no defensible way to define whether a company has an “effective” internal audit

function. Simply stating the company has an internal audit function, has an audit plan, and completes

audits, an element that is currently expected by the FRC via the UK Governance Code, serves little

purpose beyond creating the illusion of assurance. This risk was recently commented on by Richard

Chambers in an October 2016 blog post.4

Benefit #6 – The work of all assurance providers, including internal audit, external audit, safety,

compliance, environment, quality, insurance, legal services and others is integrated.

Benefit #7 – the framework is designed to integrate directly with the organization’s strategic planning

process. New strategic objectives being considered can be risk assessed on a proforma basis to

determine if they are likely to be achieved operating within the organization’s risk appetite/tolerance.

Independent assurance providers can review and report on those assessments if management and/or

the board believe it will add value.

Benefit #8 – the approach integrates with core elements of ISO 31000, the global risk management

standard and the intent described in the executive summary of the 2016 COSO ERM exposure draft.

Benefit #9 – the curriculum necessary to train internal auditors to meet their defined role will be able to

focus internal audit efforts on better meeting the needs of customers who are increasingly indicating

they are unhappy with traditional direct report internal audit methods (i.e. where internal is the

primary risk assessor/reporter). In the approach proposed in this article customers define what they

want and internal audit focuses its works to meet customer defined assurance requirements. It is a

“demand driven” not “supply driven” model.

Benefit #10 – Internal audit’s appeal as a profession will be substantially increased and salaries adjusted

to reflect internal audit’s increased stature as a profession focused on helping organizations manage

uncertainty linked to their organizations most important objectives.

ARE SMALL STEPS POSSIBLE?

For many organizations the new paradigm described in this paper will, quite simply, be too radical and

not a good fit with the existing corporate culture. My suggestion for those that are in that situation is

to start by completing all internal audit and ERM work using the objective centric risk assessment

methodology described in Attachment 1. Over time this will lead to the evolution of a board and

management driven corporate Objective Register and a slow transfer of responsibility for completing

risk assessments to those most directly responsible for the objective(s) being assessed – management.

4 For more on the illusion of assurance see Richard Chambers IIA CEO October 24, 2016 blog post “No Internal

Audit: It Could Be Worse” https://iaonline.theiia.org/blogs/chambers/2016/Pages/No-Internal-Audit-It-Could-BeWorse.aspx

https://iaonline.theiia.org/blogs/chambers/2016/Pages/No-Internal-Audit-It-Could-Be-Worse.aspx
















Can the Internal Audit Profession Change or Will Internal Audit Become the

Next Blackberry?

My honest answer after decades of studying the evolution of the internal audit profession is “I’m not

sure”. There are many examples of organizations that have been able to reinvent themselves and go

on to even greater levels of success. My sincere hope, particularly as a parent who has a daughter in

the internal audit profession, is that the profession can change and go on to even greater levels of

success in the years ahead. The “fringes” described earlier in this paper will need to play key roles and

be doggedly persistent and effective as important paradigm paralysis change agents.

Tim J. Leech FCPA CIA CCSA CRMA is Managing Director at Risk Oversight Solutions Inc. Risk

Oversight Solutions focuses on helping companies more effectively manage risk and assurance to

meet escalating board risk oversight expectations and add real value. He has over 30 years of

experience in the board risk oversight, ERM, internal audit, and forensic accounting fields, including

expert witness testimony in civil and criminal proceedings, and global experience helping public and

private sector organizations with ERM and internal audit transformation initiatives. Leech has

provided training for tens of thousands of public and private sector board members, senior

executives, professional accountants, auditors and risk management specialists in Canada, the U.S.,

the EU, Australia, South America, Africa and the Middle and Far East. He has received worldwide

recognition as a pioneer, thought leader and trainer. His article “Reinventing Internal Audit” featured

in the April 2015 issue of Internal Audit received the Outstanding Contributor award from the IIA.

ATTACHMENT


risk oversight solutions 2017 acca article by tim j....

Documents