Marks on Governance Thu, 24 Apr 2014 07:01:28 GMT

Tim Leech David: My apologies for not addressing your post. By all means join the debate. An "attestation" audit, using contemporary standards, requires the auditor to first assess and form an opinion on the reliability of the process used by the responsible party making the representation. If the conclusion of the auditor is that the process used by the responsible party making the representation is highly reliable, the amount of substantive testing to confirm reliability of the representation is reduced. The same principle would be used in cases where management makes a representation on the state of risk and risk treatments to the board. Internal audit would first assess and report their conclusion on the reliability of the process used by management to self-assess. This is now required by IIA IPPF 2110 but is often ignored right now. If IA's assessment was that management's process was non-existent or low reliability, they are forced to form an opinion on the subject matter directly. This isn't possible at an entity level. Unfortunately, in many companies, management makes no representation on the state of risk and risk treatments at an entity level to the board. Often boards receive no formal representations on the full range of risks that impact the achievement of an entity's objective. Lawmakers may have to pass a law that requires management provide a consolidated report on risk to boards if boards don't demand one themselves, and require IA provide an opinion to them on its reliability and report their conclusions to the board. I believe board satisfaction would increase dramatically.

Wed, 23 Apr 2014 13:00:09 GMT
Tim Leech Norman: I am a big believer in using simple language that is widely used, when possible. Although control and risk self-assessment made some progress in the 90s supported by the IIA, the vast majority of training offered by the IIA today assumes that management has no serious self-assessment process in place and internal auditors will continue to be the primary risk/control analysts/reporters. Students of SOX regulatory evolution will know that the original SOX 404 proposal considered having external auditors assess the effectiveness and reliability of management's representation on the effectiveness of control to meet the requirements of 404(b). This was rejected, in part because the IIA, the AICPA and other auditor associations did not want external auditors to prepare an "attestation" report on management's representation on internal control. In the end, SOX 404(b) as interpreted by the SEC/PCAOB calls for a "direct report" on internal control effectiveness from external audit, independent of management's 404(a) direct report on control effectiveness. This was a major missed opportunity to embed serious self-assessment in organizations. I continue to believe that if regulators are seriously interested in better risk governance, they will mandate representations on risk status from management to boards and require internal audit provide an "attestation" report on the reliability of that report. The FSB is calling for exactly that around the world in the financial sector. I believe the SEC should follow the lead of the FSB and call for an internal audit report on management's report to the board on risk status (i.e. an attestation engagement).

Wed, 23 Apr 2014 12:30:32 GMT
Norman Marks Tim, thank you for the thought. My thought is that we should use internal audit and business language, not the language of external auditors - whether international, Canadian, US, or from Timbuktu. The CICA is for external auditors.

Standard 2120: The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

I do not support the idea that internal audit should "report on the state of risk and control directly". Even when risk management reports to the CAE, IA should only act as facilitator and reporter of management's assessment.

Wed, 23 Apr 2014 00:14:03 GMT
Tim Leech Norman: As long as you agree with and champion the idea of and need for management to provide robust reports on the risk, the status of risk, residual risk status, areas of high retained risk, areas outside of risk appetite, or any other term you and others like along those lines, I'm a happy guy. The IIA could make a real difference if it simply stated that organizations where management does not currently provide robust entity-level/consolidated reports on risk to the board, hence internal audit has no choice but to report on the state of risk and control directly, should be considered "high risk" regardless of how many traditional/"direct report" audits internal audit performs.

By the way, the CICA used the term "direct report engagements" specifically to cover situations where an auditor is retained by a client, internal or external, to do a control assessment, whether they be acting in an internal audit or external audit role. International audit standard setters regularly refer to the difference between "attestation" engagements and "direct engagements". Perhaps it's you, not me, that needs to adopt language that all auditors understand. Just a thought.

Tue, 22 Apr 2014 22:59:07 GMT
Norman Marks Tim, I finished my ten year sentence in external auditing at about the time you started. In those days, an audit was an audit. Management was required to provide a letter that included assertions, but that was always required and we didn't have to talk about direct report audits.

That being said, we are not talking about external auditing so why even think of using terms that don't apply?

As for retained risk, how many risk practitioners use such a term? They use the term "risk". They may say "current risk" or "residual risk", but not retained risk. Of course, I know what the term is, but when you add unnecessary verbiage it does not make messaging clearer.

I agree that "management should assess and report to boards on the state of retained risk", although I would have them report on risk (the same thing).

As for risk and control self-assessment, I implemented that while you were working with Bruce and was part of the CSA Center at the IIA.

Let's use language that everybody understands and is relevant to their practice: assurance, risk, and so on.

Tue, 22 Apr 2014 22:13:54 GMT
Tim Leech Norman: I am very surprised that with your training and decades of experience you have not come across what I believe are generally accepted audit terms. I have pasted a link below to the International Auditing and Assurance Standards Board ("IAASB") where they use the same "attestation" and "direct" reporting to explain different types of assurance, as well as a paragraph on that page that references "attestation engagements" and "direct engagements". As the terms are also referenced in IAASB guidance issued for scores of countries that use them, I have to assume there is at least one other person that wrote the IAASB guidance that also understands them. Perhaps he is also a Canadian and Canadians are the only nationality in the world that use them, much like "eh".

"Limiting the ISAE within the context of attestation engagements only, rather than both attestation engagements and direct engagements, but allowing its use in direct engagements. Consideration of direct engagements may be the subject of a future project."

As I have spent a large percentage of my life promoting the idea that management should assess and report to boards on the state of retained risk, I am afraid I will have to continue to use these terms in spite of your discomfort. I understand why traditional internal auditors that haven't had much experience with companies that have implemented entity-level risk and control self-assessment in a robust way wouldn't be very comfortable with the terminology.


Tue, 22 Apr 2014 21:59:46 GMT
Norman Marks Thanks for joining in, David.

If management doesn't understand their risks, then one option is to stop right there and communicate the deficiency (which is important) to management and the board. The other is to continue based on your own assessment of risks, a more traditional and easier approach. But I would not take on a continuing role as the identifier and assessor of risks.

Tue, 22 Apr 2014 17:44:32 GMT
Norman Marks Tim, thanks for the explanation. Even though I worked in public accounting in the UK (FCA) and US (CPA), and internal auditing (global companies), I have never heard anybody but you use that term. 

May I suggest that if I have never heard it, most of the people you speak to have not either.

In addition, as you say, the term does not apply to internal audit.

So why continue to use it? Would it not be better to talk about traditional controls auditing, which is what I think you are talking about?

Tue, 22 Apr 2014 17:41:35 GMT
David Griffiths Norman & Tim. Is this a private argument or can anybody join in? I see a risk-based audit as having two purposes: to report to the board that, in the area being audited, management have carried out sufficient procedures to properly determine the risks present; and that the controls introduced are operating to bring these risks to below the board's risk appetite. So I suppose the first part of the audit is 'attestation' and the second part is 'direct reporting'. The problem arises where management have not carried out a proper risk assessment. Do the auditors pack their bags and issue a very short report, or do they stay and assist management to properly identify their risks? The answer to that question must come from the board.

Tue, 22 Apr 2014 17:28:48 GMT
Tim Leech Norman: I suspect we are not all that far apart. With respect to the term "direct report audit", it was part of the training/body of knowledge I covered to become a CA in Canada in 1981. The distinction comes from the external audit profession and is intended to distinguish an "attestation" engagement from a "direct report" engagement. A link to a standard learning module from one of the accounting/audit professions in Canada is below. I learned the terminology in the late 70s from what was then the "CICA Handbook". As far as I know it is generally accepted audit terminology around the world.

The key is that in "attestation" auditing the responsible party makes the primary representation and the auditors express an independent opinion on the representation. In "direct report" auditing the auditors themselves form an opinion on the subject matter directly. The majority of the IIA curriculum and training assumes internal auditors perform "direct report" audits, not attestation audits, because management in the majority of companies does not provide a consolidated report on the state of retained risk to the board (i.e. the company has no serious risk self-assessment process). If there is no representation from a responsible party, an auditor cannot complete an "attestation" audit.

Tue, 22 Apr 2014 15:50:57 GMT
Norman Marks Tim, I do not champion and do not want you to champion "traditional direct report auditing where auditors are the primary risk/risk treatment assessors and reporters". That is not what I asked at all.

First, the term "traditional direct report auditing" is a term you have created but not explained.

Secondly, I believe we both think that internal audit should assess and provide assurance on how management addresses uncertainty (risk).

I do not want internal audit to audit and assess a point-in-time risk assessment. That means that we are second-guessing management's assessment rather than assessing whether they have the right people, processes, and systems to provide reliable risk information.

I think that we both want internal audit to focus, with a dynamic plan, on the risks that matter: the ones that might affect the strategies and objectives of the organization. You use different language (objective-based auditing) to describe the same approach.

Finally, what I am asking is that rather than using the language of one (even if the one is Tim Leech), you try to adopt the language that the rest of us are using.

Tue, 22 Apr 2014 15:09:40 GMT
Tim Leech Norman: If you want me to join you in continuing to champion traditional direct report auditing where auditors are the primary risk/risk treatment assessors and reporters, my answer is the same as it has been since the mid 80s: I won't be joining you. To improve risk governance, management needs to have primary responsibility to assess and report upwards on the state of retained risk. Internal audit should foster and promote management-driven risk self-assessment and provide independent reports on the reliability of management's risk self-assessment process and the consolidated report on the state of retained risk management provides to the board. My conclusion is that traditional direct report internal auditing does not provide robust support to boards that are now expected to oversee management's risk appetite and tolerance. IMHO, real sustained success will only come from getting CEOs and senior management to acknowledge accountability to the board to routinely assess and report upwards on the state of retained/residual risk. That is the missing foundation building block for better global risk governance. If internal audit attempts to apply the same traditional direct report spot-in-time assessment methods on a wider universe that includes an organization's top strategic objectives, my belief, from having watched the "comprehensive audit/operational audit movement" in the 80s crash and burn, is that the results and response from key customers will not be positive for the profession.

Tue, 22 Apr 2014 14:50:42 GMT
David Griffiths Norman, you asked two questions. Looking back at my career. Q1: Yes, particularly overseas subsidiaries and the staff social club accounts. Although not material, problems in the small overseas subsidiaries worried the board; we should probably have pressed harder for their exclusion. They did represent good training though and assisted recruitment. The staff social club was given to junior staff as part of their training! Q2: Yes, I think we failed to address specialist areas such as manufacturing and treasury (although we did carry out a treasury audit). In these circumstances we should have co-opted staff from specialist departments, or used external staff. One group of audits we did manage to move out were regular audits (e.g. of supplier accounts). These, and continuous audits, are the responsibility of management.


Tue, 22 Apr 2014 11:54:13 GMT
Brian Robb Great blog, Norman. I totally agree that internal audit as a profession (and as a resource) has to operate with a more strategic focus, i.e. that which is key to the success of our organisations should be key to what Internal Audit aligns its delivery of services to. This would include providing assurance around the key strategic risks of the organisation that you allude to. In my thinking we should be helping our organisations to attain and continue "sustainable performance".

Tue, 22 Apr 2014 03:06:39 GMT
Norman Marks Tim, I don't think the solution requires massive study. My view is that if internal auditors are able to maintain a dynamic audit plan that focuses on the risks that matter today, and provide the assurance that our stakeholders need to direct and manage the enterprise, the level of stakeholder satisfaction will leap to the stars.

The more thought leaders can send the same message, which I believe Richard, Paul, and I are doing, the more we can influence change. 
I invite you to join us.
Tue, 22 Apr 2014 01:14:24 GMT
Tim Leech Norman: Really great post. It has a similar overall theme to Richard Chambers' April 7, 2014 post "Changing Times, Changing Priorities: Are We Passing the Test?". Paul Sobel has been raising similar questions on his world tour this year as IIA Chairman. My question to you is whether you think it's time the IIA convened the equivalent of U.S. Senate hearings to get to the bottom of why so many internal audit departments are failing to deliver what customers need/want? The presentation I will be delivering to internal auditors in London next month references your blog post and Richard Chambers' post with the slide heading "INTERNAL AUDIT - IT'S TIME TO SELF-ASSESS". A more radical headline might read something like "INTERNAL AUDIT - TIME TO AUDIT THE INTERNAL AUDIT PROFESSION???"

Mon, 21 Apr 2014 21:08:12 GMT
Tim Leech Norman: Unfortunately, I expect a large percentage of U.S. listed companies are/will soon be busy mapping controls to COSO principles, diverting valuable resources away from rigorous assessment of the statistically probable risks that threaten the objective of reliable financial reporting. The SEC and PCAOB, not Congress, decided to require registrants opine against a "suitable control model". Unfortunately the current guidance is vague on when the COSO "mapping" exercise recommended in the recent IIA Compass report discloses deficiencies to the point they can no longer claim to have "effective" controls in accordance with COSO 2013. The article my daughter and I authored, titled "Preventing the Next Wave of Unreliable Financial Reporting: Why US Congress Should Amend Section 404 of the Sarbanes-Oxley Act", describes what we think U.S. Congress should do if the real goal is improving the reliability of U.S. listed financial statements. It can be accessed with a simple Google search. I fear the SEC and PCAOB will sit on the sideline for a couple of years to see how many companies and auditors do, in fact, treat SOX 404 like a checklist/mapping exercise, at least in part. A number of excellent white papers have recently postulated that there is a human tendency to want to audit what is easy, not what is really key to high certainty an objective will be achieved. Time will tell how many decide "mapping" controls to principles is easier than actually identifying and assessing the real risks to reliable financial reporting.

Wed, 16 Apr 2014 20:11:45 GMT
Norman Marks Thanks, Dan. This is an excellent opportunity (a risk assessment of the principles) to understand where the financial reporting risks lie and to remove from scope some of the 'old' and unnecessary entity-level controls we had in the past.

Tue, 15 Apr 2014 23:16:16 GMT
Dan Gaffney Norman, I do agree on SOX scope to include only those key controls relied upon to either prevent or detect a material misstatement.

I see your point and in my approach, the mapping exercise would show that achieving some COSO principles in one organization may not be applicable but in other organizations with a different control structure, the failure to achieve the same principle may represent a financial reporting risk.

Tue, 15 Apr 2014 23:05:26 GMT
Norman Marks Dan, would you agree that the SOX scope should include only those key controls relied upon to either prevent or detect a material misstatement?

If so, why include controls where a failure to achieve a COSO principle would not, directly or indirectly, represent a financial reporting risk?

Tue, 15 Apr 2014 21:12:00 GMT