Marks on Governance No Description Blogo Wed, 30 Jul 2014 21:13:58 GMT en-us Antero Kuuluvainen Norman,

it is absolutely time for Internal Audit to Graduate the way you described. Besides you and among others Doctor Mervyn King has also proposed IA to report direct to full board of risk management and other topics outside the scope of AC. This might lead to two assesment reports, one for AC and one for board.

Independency should be enhanced by proper procedure to appoint CAE by shareholders. This is still quite modern and untested (as far as I know) idea. 

Well upkept Quality Assurance and Improvement Program is vital to IA-function to fullfill the graduation.
Best regards


]]> Sat, 26 Jul 2014 10:20:51 GMT
John Byrd Clock speed is critical and how fast the company has to respond and how they do it.  Do it wrong and you have at least one other mess to clean-up as the situation becomes critical.  Internal Audit needs to address that when reporting on risks.

]]> Thu, 24 Jul 2014 13:06:43 GMT
Karl Hutchinson Norman,

I agree that risk management needs to do a better job of putting the risk event into a meaningful context. I've found that it's most useful to start with the underlying principles of the entity's strategic plan and shape your determination of "acceptable risk" around this.

There's no sense (as an auditor) in telling senior management that a particular risk is too high when the company needs that level of risk to achieve strategic goals. It seems counter-intuitive, as most auditors tend to have the mindset that risk always needs to be lower, but it's not the case. Risk management is about the right amount of risk to maximize one's strategic goals.

]]> Tue, 22 Jul 2014 19:44:41 GMT
Steve Katzman I agree that high, medium and low similar to the Stop Light reporting that executives seem to like provide a limited view of risks.

Even when I worked in IT we tried to provide a trend analysis of where the value was and where it was going as part of our capacity planning.  Similarly, if the level of Risk is currently in an acceptable (low) range, I am more interested in whether the trend is dormant, moving up or moving down.

I worry more about a Green or low risk moving towards yellow and red than a red (high risk) moving towards yellow or green.

Of course all risk assessments scores should be based on acceptable risks and organizational risk tolerances.


]]> Tue, 22 Jul 2014 14:53:24 GMT
Rajarshi Ghosh Risk is a dynamic element and the acceptable level as part of risk management strategy, there shall be a consensus on the acceptable level of risk at different levels of management process.

]]> Mon, 21 Jul 2014 11:56:27 GMT
Agbenya  Hello Mark,

In my little experience i think continuous risk monitoring and evaluation of the potential impact will give us a more realistic view of the it's actualisation and therefore how quickly we respond to it based upon the set risk tolerance level and appetite

]]> Mon, 21 Jul 2014 11:43:32 GMT
tayyab Aren't the "compliance risks, operational effectiveness" already part of the definition of internal control. A control review would be incomplete without examining compliance and effecitiveness?



]]> Sat, 19 Jul 2014 09:58:41 GMT
Norman Marks Richard, I worked with audit committees and boards for more than 20 years. Issues relating to compliance are not passed on to that committee, and our customer for our assessment of ERM will be the risk committee if there is such. The report by the audit committee to the board, which I usually wrote for them, is very brief.

With respect to independence, I don't see how that is compromised by attending meetings and providing reports to other committees. After all, we are not directors and not members of those committees.

]]> Thu, 17 Jul 2014 14:47:33 GMT
SBP Mr. Fowler makes a good point.  As auditors, independence is the cornerstone of our work. Organizations rely on us for independent and objective analysis of its programs.  If we start to blur the line between audit and management by participating in other committees, then there is a risk that we lose our independence.

I think it 's a good thought.  However, there should be proper controls in place so that we do not lose our independence.

]]> Thu, 17 Jul 2014 13:30:35 GMT
Richard Fowler Norman,

That's an interesting concept, but I'm not sure I agree.  If Internal Audit is reporting to the Audit Committee and is effective in doing so, the necessary information will be passed along to the Board and thus to the other committees.  The Board's role is to guide the company and provide strategic direction to executive management -- if Internal Audit becomes increasingly involved in the Board and Committee activities that determine this guidance, then surely independence will be compromised with regards to any strategic audits being conducted and, to a lesser extent, most financial and compliance reviews.

It just seems to me that, for most Internal Audit groups, the colelge degree level is quite sufficient.



]]> Tue, 15 Jul 2014 19:14:07 GMT
Graham Joscelyne Norman:

Sarah makes a good point about jurisdictional 'difference' which must be taken into account.

You suggest a need for IA to 'graduate'. While many may still need to do this, here's the challenge it often faces if it 'graduates':

Even if IA takes a broad view of its duty to give assurance on all key risks - and does, it is often stymied because either/both management and the Board have not 'graduated' to the same extent as IA. It/they are not well enough structured to properly receive IA's key messages and deal with them efficiently and effectively.

How often has IA carefully constructed its argument and delivered powerful messages to management only to find that management parcels out the problem - piecemeal - among its managers? It is then left to IA to reassemble the pieces and decide whether or not the issue has been dealt with properly?

Even if management is structured in such a way that IA's overarching key issues are received and handled properly, Board sub-committees (because of division of oversight responsibilities) often exacerbates the problem by further fragmentation. So, a key IA issue could be handled by more than one Board sub-committee - none of whom takes overall responsibility to make sure that each committee has done its job or what the overall result is.  By the way, this is most often a key finding when the governance structure is evaluated by IA.

Yes, IA must always find ways to enhance its impact. One way is to take the IIA Standards seriously and review organizational governance arrangements to help management and the Board also 'graduate'.

Thanks for a thoughtful question.





]]> Tue, 15 Jul 2014 18:44:42 GMT
Sarah Blackburn  Norman,

I read your post and realised that the scope of the Audit Committee varies widely by jurisdiction. As an Audit Committee chairmen in the UK I would expect us to oversee all risks - although the assurance over those in some specialist areas would be derived from the reports made by them to the Board and the independent assurance from internal audit. To use the 3LOD model, the AC would have the 3rd LOD assurance over the 1st and 2nd LOD assurance which may go to various executive committees or, in some cases, to another non exec committee and/or the Board.
Interestingly in one organisation where I am on the Board not the AC, they have adopted their own FOUR LOD framework, making the committees the 3rd line and IA the 4th. Since I am aware that others have sought to increase the LsOD even more, at least I know this organisation is thinking about it.
All the best,
]]> Mon, 14 Jul 2014 15:15:02 GMT
john oboh  dear Norman,

i am relatively new internal audit would appear it is bit different from external audit exam i took urig my aca finals.

i have a start up situation in my hand,please advice on how i can go about settin

g up a value added internal audit department?

i have had of COSO internal control frawework,how do i go about using it to design the company internal control system or using it to access the internal control system of a company?




]]> Mon, 14 Jul 2014 14:07:03 GMT
Jeff Sun, 13 Jul 2014 20:54:05 GMT Jeff Sun, 13 Jul 2014 02:14:20 GMT zay As I have found one of the unique featured post about why everyone really wants it. It's really one of the knowledgeable contents for me. Thanks for sharing some of exclusive contents in the same source.

]]> Fri, 11 Jul 2014 18:03:00 GMT
zay This is very educational content and written well for a change. It's nice to see that some people still understand how to write a quality post.

]]> Fri, 11 Jul 2014 18:01:16 GMT
Judy Anne  is there issues results from internal audit concerning risk management process?



]]> Fri, 11 Jul 2014 10:10:23 GMT
Garrett Arnold  To me the issue is 3 fold,

1)      Whistleblower laws are shamefully inadequate when it comes to those who retaliated, as it is not treated as a criminal offense.

2)      Ethics appears to be a punch line than something to be valued. When the metal meets the meat, people often chose to sacrifice the whistleblower than the colleague or an executive.

3)      Social support for the whistleblower is almost zero over all, for both government agency and even more so for private industry.

Until we fundamentally change how we react to whistleblowers and how we ensure their safety things will not change. If we really think about it after all the lectures, books, articles and CPE’s based on ethics what has that really accomplished; personally I believe very little.

]]> Wed, 09 Jul 2014 06:52:17 GMT
Garrett Arnold  For those of us who have investigated frauds we have seen our share of those noble (and not so noble) whistleblowers being retaliated against.  The two most common retaliatory tactics I have seen all too often is “Job performance takes a nose dive” and or the whistleblower is placed under a microscope for any “infraction of a vague policy”. Pretty soon they are out on administrative leave, and then terminated. They are then left to defend their good name against a giant machine that has both the time and the resources to quash the whistleblower.  As employment goes we all know the industry circles are small and if you are that whistleblower good luck in finding employment.  Most companies will reach out informally to the applicant’s former employer and will find out why they are no longer with that entity.  Companies espouse they love ethical people however they still perceive whistleblowers to be a “NON TEAM PLAYERS” and thus pass on them for the opportunity  no matter how qualified they are for that position.  So the majority of the whistleblowers are left with all or some of the following: 1 Loss of employment income,2 Mounting bills, 3 Credit damage, 4 Marital damage due to mounting income pressures and other stressors , 5 Massive legal fees (approximately 250k to take retaliation cases to court),  6 Bankruptcy, 7 Career change.

]]> Wed, 09 Jul 2014 06:51:43 GMT