Risk Oversight Solutions 2017 ACCA Article by Tim J. Leech Is Internal Audit the Next BlackBerry? It Really Is Time to Reinvent the Profession – Part I & II
www.riskoversightsolutions.com
Internal Audit
Is internal audit the next BlackBerry? PART I
It really is time to reinvent the profession, believes Tim Leech.
In the first part of a two-part article, Tim Leech defines the problems facing the internal audit
profession. The second part of this article will appear in the next edition of this eBulletin and will see Tim discuss his solution to the problem.
This is an alternative view of the profession that readers and practitioners should consider in the
context of their own approach and behaviours. The views expressed in this article are the author’s and may not reflect those of ACCA.
Executive summary
Over the past decades there has been a series of major corporate governance crises. After each wave
post mortems were convened and efforts made by regulators to identify root causes. The good news –
or bad, depending on your perspective – for the internal audit profession is that rarely were questions
raised by those commissions and regulators about the role internal audit should have played to avoid
the current crisis being reviewed.
What the commissions did call for was a massive global focus on the need for boards of directors to
better oversee risk in their organisations. As pressure on directors mounts globally to improve risk
oversight, their dissatisfaction with traditional internal audit services is also growing. This article
suggests the root cause of the mounting internal audit customer dissatisfaction globally is internal audit
‘paradigm paralysis’ – a strong attachment to traditional ways of doing internal audits that no longer
meet the needs of key customers. Specific recommendations are made to help internal auditors
transition past the paradigm paralysis and adopt new methods that better meet the needs of its key
customers.
In 1990 I authored a paper that changed the course of my life and career titled Control & Risk Self
Assessment: The Dawn of a New Era in Corporate Governance. In that paper I called on the
internal audit profession to actively support and embrace the need for robust management self-
assessment of risk and control. A significantly different role for internal auditors was proposed, a role
fostering reliable management risk self-assessment and reporting to the board on the reliability of
management’s risk management processes and the risk status information provided by management to
the board.
Later in the 1990s, as the number of control and risk self-assessment (CRSA) pioneers grew, the IIA
showed support for this new internal audit paradigm by creating the Certification in Control Self-
Assessment (CCSA) and hosting an annual international CSA/CRSA conference. Since CSA/CRSA was still
a relatively small fringe movement, the IIA continued to base the core internal audit curriculum on the
foundation element of internal auditors doing ‘risk-based audits’, and reporting opinions on ‘internal
control effectiveness’ on a small percentage of the total risk universe each year.
When Sarbanes-Oxley came along in 2002 the focus of the profession regressed and shifted, at least in many of the world’s largest public companies, to providing heavy support for binary opinions from CEOs and CFOs on whether financial accounting internal controls are, or are not, effective. Following the 2008 global financial crisis, IIA Global again showed support for change with changes to the International Professional Practice Framework (IPPF) standards and the creation in 2011 of a new Certification in Risk Management Assurance (CRMA).
Since the idea of internal auditors focusing on reporting on the effectiveness of risk self-assessment
processes maintained by management was still seen by the majority of internal auditors globally as a
fringe movement, the IIA continued to position traditional internal audit roles, including completing
direct report internal audits, reporting on internal control ‘effectiveness’, maintaining ‘audit universes’
and audit plans, and the traditional curriculum in the Certified Internal Auditor (CIA) designation as the
core internal audit paradigm.
The core foundation of internal auditors doing direct report internal audits and reporting opinions to
their boards on the effectiveness of internal controls on a small percentage of the risk universe each
year is now under siege as more and more customers and stakeholders, including the C-Suite, boards of
directors, management, and regulators show increasing signs of dissatisfaction.
This article overviews the growing and ominous signs of customer dissatisfaction and proposes a new
paradigm in assurance – ‘Objective Centric Five Lines of Assurance’ as a strategy to prevent internal
audit becoming the next Blackberry – an organisation that just didn’t see the warning signs and respond
soon enough.
Growing signs of dissatisfaction
Pulse of the Profession surveys done by the IIA and major consulting firms in 2014-2016 paint a
picture of growing customer dissatisfaction with traditional internal audit services. An excerpt from the
IIA July 2014 report titled Enhancing Value Through Collaboration shown below is illustrative of the
growing levels of customer dissatisfaction. The percentage of unhappy internal audit customers
reported in these surveys is simply too big to dismiss as ‘a few bad apples in the barrel’.
Following the 2008 global financial crisis regulators from countries around the world banded together to
study root causes. The conclusion of the Financial Stability Board (FSB), an oversight body comprising
the world’s superpowers, was that a radical shift in the roles played by boards, senior management and
internal audit is necessary.
In the FSB’s November 2013 guide to national financial and securities regulators around the world titled
Principles for Effective Risk Appetite Framework, the FSB painted new and significantly different
roles for boards, CEOs, risk specialists, and internal auditors. Internal audit’s main role, as envisioned by
the FSB, should be reporting on the effectiveness of risk management processes, including the ability of
the company’s risk management framework to identify risks, assess risks, treat risks, and deliver reliable
information on residual risk status to boards.
Unfortunately, in many organisations today, internal audit still serves as the primary group that
completes formal documented risk and control assessments and reports results upwards to the board of
directors. A key roadblock to actualising the new FSB vision is that internal audit is often the primary
risk/control assessor and reporter to board, not management. As a result, internal audit lacks the
independence required by IIA standards to report on the effectiveness of the company’s risk
management processes.
The 2014 IIA Annual Report shown below called on internal auditors to be agents of change. In February
2016, sensing the profession was not responding fast enough, IIA President, Richard Chambers, blogged
that To Be Agents of Change Internal Audit Must Embrace Change and focused on the theme of the 2016
Pulse of the Profession report – ‘Time to move out of the comfort zone’. While recognising the need
for and importance of change, the IIA has been reluctant to aggressively endorse a radical change
agenda for the profession.
Internal audit competitors sense an opportunity
A 2016 Deloitte report titled Evolution or irrelevance: Deloitte’s 2016 Global Chief Audit Executive
Survey is illustrative of the growing sense that here is a big commercial opportunity to be exploited as
customer dissatisfaction with traditional internal audit methods grows.
The survey’s key findings – taken from 1203 respondents in 29 countries and across eight industry
sectors – are:
• almost all heads of internal audit expect their organisations and their functions to change
substantially in the next few years
• internal audit currently lacks the impact and influence that it wants and needs within the
organisation
• key gaps in certain skills, including analytics, IT and communications, must be addressed in order to
increase impact and influence
• stakeholders expect more forward-looking reports as well as insights regarding risks, strategic
planning, IT and business performance
• almost all internal audit budgets will remain flat or increase slightly, which may not be enough to
fund needed enhancements to the function
Fortunately, for many in-house internal audit groups, external providers of internal audit services (read
competitors) are also still largely wed to the traditional direct report audit paradigm where auditors
form subjective opinions on whether they (the auditors) think controls are effective/ineffective. Be
warned, however: a major risk to the profession is that one or more ‘APPLE-like’ competitors may yet
emerge to seize on the opportunity presented by the current paradigm paralysis in internal auditing and
ERM.
What does history suggest?
In the face of steadily dwindling customer satisfaction what does history say the internal audit
profession will do? Research done over many decades provides insight into one of the greatest risks
today to better governance globally – paradigm paralysis in internal audit and ERM.
A summary of the barriers to change posed by paradigm paralysis is as follows:
The greatest barrier to a paradigm shift is the reality and incredible inertia of paradigm paralysis. A
paradigm paralysis can be defined as the inability or refusal to see beyond current models of thinking.
There are countless examples of paradigm paralysis in the history of mankind.
In Europe, up until the seventeenth century, physicians used to draw out substantial amounts of blood
from their patients to ‘purify’ their bodies from some imaginary ‘miasma’. It would, of course, make
patients weaker and quicken their death. The first physicians to challenge this absurdity were
dismissed and banned from the profession. A better known example of paradigm paralysis is the
rejection of Galileo’s theory of a heliocentric universe which revolutionised the field of astronomy.
If paradigm shifts are the mega-phenomenon of ‘thinking outside the box’, paradigm paralysis is the
enemy of progress and can be defined as the sclerosis of ‘thinking inside the box’. In today’s world of
social turmoil, constant fast pace change, globalisation, communication revolution, overpopulation,
shrinking resources and growing ecological threats, paradigms are double-edged swords.
On one hand, they give us a structure and the illusion of permanence, which is a false sense of security.
On the other hand, current paradigms, which often fall into the category of paradigm paralysis, prevent
us from tackling challenges and major problems to keep life sustainable on this planet for future
generations. In other words, we need to step out of the ‘illusion box’, both individually and collectively,
of established thought paradigms, and jump courageously and resolutely into an uncharted and
unknown reality unfolding each time a significant paradigm shift takes place.
Source: http://newsjunkiepost.com/2011/09/04/will-we-have-a-global-paradigm-shift-away-from-obsoleteideologies/
The second part of this article, in which Tim discusses his solution to the problems identified,
will appear in the next edition of this eBulletin.
Tim J. Leech, FCPA CIA CRMA CCSA CFE is managing director at Risk Oversight Solutions
Inc., based in Oakville, Ontario, Canada and Sarasota, Florida. He has over 30 years of
experience in the risk governance, internal audit, IT, and forensic accounting/litigation support fields.
Leech has provided training for tens of thousands of public and private sector board members,
senior executives, professional accountants, auditors and risk management specialists in
Canada, the US, the EU, Australia, South America, Africa and the Middle and Far East. He has
received worldwide recognition as a pioneer, thought leader and trainer. His article ‘Reinventing
Internal Audit’, featured in the April 2015 issue of Internal Audit, received the Outstanding Contributor award from the IIA.
Is Internal Audit the Next Blackberry? It Really Is Time
to Reinvent the Profession – PART II
Tim J. Leech
In the first part of this article in the November edition of ACCA UK’s
Internal Audit e-bulletin, Tim Leech defined the problems facing the
internal audit profession. In the second part of his article, Tim discusses
his solution to the problem. This is an alternative view of the profession
that readers and practitioners should consider in the context of their
own approach and behaviours. The views expressed in this article are
the author’s and may not reflect those of ACCA.
EXECUTIVE SUMMARY:
Over the past decades there has been a series of major corporate governance crises. After each wave, post-mortems were convened and efforts made by regulators to identify root causes. The good news, or the bad news depending on your perspective, for the internal audit profession is that rarely were questions raised by those commissions and regulators about the role internal audit should have played to avoid the current crisis being reviewed. What the commissions did call for was a massive global focus on the need for boards of directors to better oversee risk in their organizations. As pressure on directors mounts globally to improve risk oversight, their dissatisfaction with traditional internal audit services is also growing. This paper suggests the root cause of the mounting internal audit customer dissatisfaction globally is internal audit “paradigm paralysis” – a strong attachment to traditional ways of doing internal audits that no longer meet the needs of key customers. Specific recommendations are made to help internal auditors transition past the paradigm paralysis and adopt new methods that better meet the needs of its key customers.
The Way Forward: Objective Centric Five Lines of Assurance
If you are willing to consider the central thesis of the article, that the internal audit profession is at what
is sometimes called a “tipping point”, and agree the profession is being crippled, or at least seriously
negatively impacted, by paradigm paralysis, including a strong attachment to traditional point-in-time
direct report audits of internal control effectiveness covering a small percentage of the risk universe
each year, a logical question has to be:
WHAT CAN BE DONE TO PREVENT THE INTERNAL AUDIT PROFESSION BECOMING THE NEXT
BLACKBERRY?
The first step in an ideal world would be for the internal audit profession, including IIA global, to
candidly acknowledge the failings of the current direct report internal audit paradigm and aggressively
call for management to self-assess risk and risk treatments linked to key value creation and value
preservation objectives¹ and embark on a radical paradigm shift change strategy.
Unfortunately, if we accept the premise that IIA Global is simply too invested in the current direct
report internal audit paradigm to be the one to drive the changes necessary fast enough, it suggests
change must come from what Joel Barker, a noted futurist and paradigm paralysis expert, called “the
fringes”². When Apple was created in 1976 the founders of that company were often referred to as
“hippies and nerds”, or “the fringes” in Joel Barker’s taxonomy. ACCA’s internal audit membership who
have sponsored this article; the Institute of Chartered Internal Auditors in UK who have published
ground-breaking guidance for members particularly in the financial services sector; blogs and
presentations calling for change by Norman Marks³ and Paul Sobel; IIA Canada members who led the
CRSA/CSA movement in the 90s and have consistently recognized work designed to drive radical
change, IIA CCSA and CRSA certificate holders, and other “fringe” participants are all candidates to lead
change in the profession.
It is important to note that in an ideal world change would be driven by the customers of internal audit
services. For a variety of reasons, this is not likely to happen. Boards and the C-Suite simply have bigger
things to worry and think about. Unfortunately, excepting the FSB guidance on effective risk appetite
frameworks, the majority of national regulators continue to show strong attachment to having internal
auditors play the role of “controls police”, while at the same time calling on companies to implement
more effective risk management frameworks. The views of regulators are a key element of the current
internal audit paradigm paralysis.
As a replacement for the current direct report internal audit paradigm I believe, based on 30 years of
studying the evolution of internal auditing and customer needs globally, that an OBJECTIVE CENTRIC
FIVE LINES OF ASSURANCE approach is best suited to meet the needs of today’s boards, senior
management, regulators, and society at large. Change has to start somewhere. The small body of loyal
Apple disciples in the late 1970s were the seeds that grew what is now one of the largest and most
successful companies and support movements in the world. Experts generally agree that changing
paradigms is possible, but very difficult. It will take a concerted effort from more than a few to change
the current internal audit paradigm.
1 Author’s definition: Value Creation Objective: Objectives key to the long term success of the enterprise that
will create enhanced shareholder value. (Example: Increase market share by 20%). Value Preservation Objective:
Objectives which, if not achieved, have significant potential to erode stakeholder value. (Example: Ensure reliable
financial statements) disclosures)
2 For more details see THE POWER OF PARADIGMS at http://www.joelbarker.com/speeches/classic-speeches/thepower-of-paradigms/
3 See Norman Marks’ October 14, 2016 IIA blog “Focusing on the Wrong Line of Defense” as an example at
https://iaonline.theiia.org/blogs/marks/2016/Pages/Focusing-on-the-wrong-line-of-defense.aspx
OBJECTIVE CENTRIC FIVE LINES OF ASSURANCE – CORE ATTRIBUTES
Attribute #1 – Senior management, with board oversight and assistance from internal audit and risk
specialists, make conscious decisions on the organization’s top value creation and value preservation
objectives and document them in an OBJECTIVES REGISTER – simply put, these are the end result
objectives they believe necessary for the organization’s sustained success. Careful consideration is given
to the costs and benefits of requiring more formal and visible assurance methods for each objective
that is added to the Register.
Attribute #2 – Senior management, with board oversight, assign “OWNER/SPONSORS” and
responsibility to report upwards on the current residual risk status for each of the objectives included in
the organization’s OBJECTIVES REGISTER (the risk position related to the objective being assessed
remaining after considering current risk treatment/responses).
Attribute #3 – Senior management, with board oversight, decide on the level of risk assessment rigour
each of the objectives will receive; the level of independent assurance they want on each objective, if
any; and the person, department or outside party that will provide the required level of independent
assurance. For many objectives included in OBJECTIVES REGISTERS this will be Internal Audit.
Attribute #4 – Internal audit’s work plan is driven by the assurance requirements defined in the
OBJECTIVES REGISTER. Internal audit also provides comments and recommendations if it believes there
are objectives that should be in the OBJECTIVES REGISTER that aren’t included. Internal audit may also
be asked in the early phases to help OWNER/SPONSORS through training and facilitation services to
complete risk assessments at the level of risk assessment rigour defined by senior management and the
board. In organizations that have an ERM support group, their work plan is driven by helping
OWNER/SPONSORS complete objective risk assessments on assigned objectives at the level of risk
assessment rigour defined by senior management and the board, and helping management respond to
quality assurance reviews done by independent assurance providers.
Attribute #5 – Senior management and the board receive regular reports from the CEO and/or his/her
designate on the objectives in the OBJECTIVES REGISTER, including concise information on which
objectives are considered to have residual risk positions within the organization and board’s risk
appetite/tolerance, those that are not, how serious the situation is currently, and action plans to
address those objectives currently outside of risk appetite/tolerance. They will also be provided with
reports from independent assurance providers, including internal audit, where management has
indicated in their assessment that the current risk status is within the organization’s risk
appetite/tolerance, but the assurance provider believes that it is not, or is unsure if the current residual
risk status is within the board’s risk appetite/tolerance.
KEY BENEFITS OF OBJECTIVE CENTRIC FIVE LINES OF ASSURANCE
Benefit #1 – accountability for managing and reporting on risk status is positioned squarely with the
responsible party – management.
Benefit #2 – Senior management and the board receive timely and reliable information on risk status
linked to top value creation and preservation objectives they need to meet escalating duty of care
expectations.
Benefit #3 – The framework focuses expensive assurance resources, including the time of management
and assurance providers, on the objectives most key to the organization’s long term success.
Benefit #4 – The recommended RiskStatusline® risk assessment approach (see Attachment 1) focuses
on creating reliable information on the true state of residual risk linked to specific objectives, as well as
“optimizing” the risk treatment strategy (i.e. the lowest cost possible combination of risk treatments
capable of producing an acceptable level of residual risk). This helps drive continuous improvement and
innovation.
Benefit #5 – The level of internal audit resources required is defined by senior management and the
board when they decide how many objectives will be included in the OBJECTIVES REGISTER, the level of
risk assessment rigour required, and the level of independent assurance. Without clearly defined end
results there is no defensible way to define whether a company has an “effective” internal audit
function. Simply stating the company has an internal audit function, has an audit plan, and completes
audits, an element that is currently expected by the FRC via the UK Governance Code, serves little
purpose beyond creating the illusion of assurance. This risk was recently commented on by Richard
Chambers in an October 2016 blog post.⁴
Benefit #6 – The work of all assurance providers, including internal audit, external audit, safety,
compliance, environment, quality, insurance, legal services and others is integrated.
Benefit #7 – the framework is designed to integrate directly with the organization’s strategic planning
process. New strategic objectives being considered can be risk assessed on a proforma basis to
determine if they are likely to be achieved operating within the organization’s risk appetite/tolerance.
Independent assurance providers can review and report on those assessments if management and/or
the board believe it will add value.
Benefit #8 – the approach integrates with core elements of ISO 31000, the global risk management
standard and the intent described in the executive summary of the 2016 COSO ERM exposure draft.
Benefit #9 – the curriculum necessary to train internal auditors to meet their defined role will be able to
focus internal audit efforts on better meeting the needs of customers who are increasingly indicating
they are unhappy with traditional direct report internal audit methods (i.e. where internal audit is the
primary risk assessor/reporter). In the approach proposed in this article customers define what they
want and internal audit focuses its work to meet customer defined assurance requirements. It is a
“demand driven” not “supply driven” model.
Benefit #10 – Internal audit’s appeal as a profession will be substantially increased and salaries adjusted
to reflect internal audit’s increased stature as a profession focused on helping organizations manage
uncertainty linked to their organizations’ most important objectives.
ARE SMALL STEPS POSSIBLE?
For many organizations the new paradigm described in this paper will, quite simply, be too radical and
not a good fit with the existing corporate culture. My suggestion for those that are in that situation is
to start by completing all internal audit and ERM work using the objective centric risk assessment
methodology described in Attachment 1. Over time this will lead to the evolution of a board and
management driven corporate Objective Register and a slow transfer of responsibility for completing
risk assessments to those most directly responsible for the objective(s) being assessed – management.
4 For more on the illusion of assurance see Richard Chambers IIA CEO October 24, 2016 blog post “No Internal
Audit: It Could Be Worse” https://iaonline.theiia.org/blogs/chambers/2016/Pages/No-Internal-Audit-It-Could-BeWorse.aspx
Can the Internal Audit Profession Change or Will Internal Audit Become the
Next Blackberry?
My honest answer after decades of studying the evolution of the internal audit profession is “I’m not
sure”. There are many examples of organizations that have been able to reinvent themselves and go
on to even greater levels of success. My sincere hope, particularly as a parent who has a daughter in
the internal audit profession, is that the profession can change and go on to even greater levels of
success in the years ahead. The “fringes” described earlier in this paper will need to play key roles and
be doggedly persistent and effective as important paradigm paralysis change agents.
Tim J. Leech FCPA CIA CCSA CRMA is Managing Director at Risk Oversight Solutions Inc. Risk
Oversight Solutions focuses on helping companies more effectively manage risk and assurance to
meet escalating board risk oversight expectations and add real value. He has over 30 years of
experience in the board risk oversight, ERM, internal audit, and forensic accounting fields, including
expert witness testimony in civil and criminal proceedings, and global experience helping public and
private sector organizations with ERM and internal audit transformation initiatives. Leech has
provided training for tens of thousands of public and private sector board members, senior
executives, professional accountants, auditors and risk management specialists in Canada, the U.S.,
the EU, Australia, South America, Africa and the Middle and Far East. He has received worldwide
recognition as a pioneer, thought leader and trainer. His article “Reinventing Internal Audit” featured
in the April 2015 issue of Internal Audit received the Outstanding Contributor award from the IIA.