It's Time to Move Beyond the Finger-pointing ... and Start Identifying Solutions

Richard Chambers, CIA, CGAP, CCSA, shares his personal reflections and insights on the internal audit profession.

One of the most predictable consequences of corporate financial failures is the inevitable finger-pointing that follows. There was plenty of finger-pointing following the Enron, WorldCom, and other failures of the early 2000s, and it was sure to happen again following the financial failures of the past two years. Lately, however, I have noticed that the accusations are literally “going global.” As important as it is to understand the contributing factors, I believe it’s time to move forward with the design and implementation of corrective measures in corporate governance and risk management that will effectively mitigate the risks of calamities of this magnitude in the future.

It seems to me that regulatory bodies and thought leaders are trying to outdo one another in assessing blame for the current global financial crisis. In its publication “Corporate Governance and the Financial Crisis” (PDF), the Organisation for Economic Co-operation and Development (OECD) has suggested that perhaps one of the revelations of the financial crisis was the widespread failure of risk management. The report indicates that in many cases, risk wasn’t managed on an enterprise basis, nor incorporated into corporate strategy. Risk managers were often kept separate from management and disregarded when implementing company strategy. Moreover, the OECD suggests that many boards were oblivious to the company's risks. Others have been less reflective in assessing blame for the corporate failures, and have merely cited greed, negligence, fraud, corruption, and so on.

During my recent global travels, I learned that the accusations are not merely aimed at the corporate sector. Instead, there was an unsettling consistency of accusations that ineffective corporate governance in the United States was largely to blame. As one noted South African corporate governance expert recently observed, “… it is worth remembering that the U.S. is the primary source of the current financial crisis. SOX — with all of its statutory requirements for rigorous internal controls — has not prevented the collapse of many of the leading names in U.S. banking and finance.” Even the U.S.-based National Association of Corporate Directors has acknowledged (PDF) that the current crisis “has eroded public and investor confidence in corporate governance.”

We are almost a year into the worst of the current crisis. As tempting as it is to continue assessing blame, I am not sure there is much value to be gained. Instead, I believe it is time to identify and implement long-term solutions that will strengthen corporate governance and risk management. There are currently a number of regulatory and statutory proposals pending in the United States to advance that objective. I personally prefer principles-based solutions such as those developed over the past 20 years by The Committee of Sponsoring Organizations of the Treadway Commission (COSO). However, whether we subscribe to principles-based solutions, or implement a litany of new laws and rules, there are three key objectives that I believe need to be achieved if we are to strengthen corporate governance and risk management:

  • Corporate boards must begin to effectively oversee their organizations’ enterprisewide risk management (COSO has just issued some excellent guidance (PDF) on this topic).
  • Management must design and implement effective enterprisewide risk management frameworks and engage the board at key steps such as setting the company’s risk appetite.
  • Internal auditing must develop the capability to assess the effectiveness of risk management and provide related assurance to management and the board.

I recognize that the issues related to this topic are far too complex to adequately address in a single blog. I look forward to exploring these topics further in the coming weeks. I also welcome your feedback on my views.


Posted on Nov 5, 2009 by Richard Chambers


  1. Richard:

    Norman Marks raised a query in his Twitter posts about the COSO guidance you reference above (i.e., where you state "COSO has just issued some excellent guidance on this topic").

    Norman's question, and mine as well, is why does this COSO document not once reference the role a good audit department can play in helping boards oversee the adequacy of risk management processes generally, and how it can contribute to each of the major strategies discussed?

    As a member of COSO, does the IIA have input to the drafting of these documents, or is the content largely controlled by volunteer authors drawn from academia and/or external audit firms that volunteer their time for free?

    While the document does raise some very good points I think it was/is a major opportunity missed for the Internal Audit profession.

    Why isn't the contribution IA can make included in this document? 

  1. I cannot avoid having the strong impression that risk management has been, as a whole, largely missing in a number of cases. I very often observe situations where, while the label reads 'risk', the essence of the controls is really 'compliance'. It does not matter compliance with what. From the failed SOX experience to the most hidden and cumbersome of the internal rules companies create, auditors are called to use a codified set of 'risks', which normally translate into norms, that invariably translate into checklists.

    I guess we have learned that to be compliant does not mean to be OK... Now it is time to do some real risk management.

    The way I see it is that we need to revisit the typical audit role. At this time, in most companies auditors are entry level, young professionals at the beginning of their career journey. Armed with academic knowledge, very little experience, a long list of controls and constrained by procedural roadblocks, they audit according to what the company believes are effective controls.

    We must raise the bar. I want to see auditors as exactly the opposite, senior professionals with plenty of experience, truly free to act in their role without 'career' impediments, looking at risks in an autonomous, really independent way.

    And I want to see a reduction of the mass of rules governing risk management. Put simply, rules do not work well in a dynamic world, as the rules do not cope well with the current level of risk change.

    As long as we keep playing around rules and regulations, best practices and similar interesting but fairly useless theories, ignoring one of the sources of the issue, the audit community will continue to suffer from an inferiority complex.

    Just a few thoughts on a book-long string of ideas.

    Kind regards

    Francesco Metalli

  1. Richard, I agree that the “issues related to this topic are far too complex to adequately address in a single blog”.   I will, however, provide some points that you should strongly consider in whatever deliberations ensue.

    The 1992 COSO material was good for its time and added some useful concepts such as linking objectives, risks and controls.  However, it has never been re-assessed to advance the thinking, e.g. the Canadian CoCo (1995) was considered by many to be conceptually superior but COSO has stagnated and not benefitted from further thinking.  Ergo, COSO 1992 needs a serious rethink and updating.

    Unfortunately SOX enshrined COSO as the ONLY framework ever adopted, warts and all, and has driven out thoughts of any better models being used by major listed companies.

    COSO 2004 was way too long, cumbersome and unusable. Surveys indicate few use it or give up in frustration. Examples of just some problems are its:
    • 62-word definition
    • Primary focus on the downside of risk (seemingly ignoring the upside)
    • 125-page length, excluding a similar-in-length application guide
    • 120 or so principles
    • Presentation of 50 different cases with none of them linked to one comprehensive case
    • Overabundance of "what to do" and a strong absence of "how to do it"

    It completely ignored AS/NZ 4360 and now its excellent companion guides of HB 436, HB 158 and HB 254. Hopefully with the issuance of ISO 31000 just announced for release today, COSO will do a serious rethink/rewrite and issue something more usable. ISO 31000 is simply outstanding and easy to work with. I think that the three objectives you articulate in your blog will be achievable through embracing this framework.

    SOX sucked far too much out of internal auditing over the last few years with nary a protest from the IIA that major risks were being ignored as internal auditors were driven/encouraged to ignore the real risks in companies and focus on tick and bop audit work of no added value.  Internal auditors doing real auditing instead of SOX would have helped with managing the real risks over the last few years. There is a price to pay for this since no one will get up to speed on risk management overnight and the skill sets garnered from SOX unfortunately do not enhance the thinking that is needed for risk management. There is a comprehensive body of risk management knowledge residing in the marketplace from the different risk management frameworks, the academic programs, the risk thinkers from the fifteen or so other professional groups outside the IIA and other leading thinkers from around the globe such as Drs. Lo, Ariely, Mandelbrot, Taleb, Shiller, Kahneman, etc.


  1. The latest COSO publication "Strengthening Enterprise Risk Management for Strategic Advantage" is far from "excellent guidance". It is not a very helpful document. Many pages were merely re-hashed bumpf from the original COSO. Some examples of inaccuracies or weaknesses:
    • After several pages COSO is still unable to clearly explain the difference between risk tolerances and appetite, with the examples being interchangeable.
    • The examples of KRIs they provide are actually "risks", not KRIs (e.g. Page 17: a vendor strike is not a risk indicator; it is a source of "risk").
    • Page 1: "...better informed about emerging risk exposures, particularly those impacting strategy." Question: Can there be "risks" if they don't impact strategy?
    • Page 5: "Regular updating by management (at all levels of the organization) of key risk indicators..." Question: "updating"??? KRIs are metrics (e.g. staff turnover), not something that management "updates..."
    • Page 6: "Some entities struggle with defining levels of risk they are willing to accept in the pursuit of stakeholder value." Observation: Yes, but unfortunately that is the essence of ERM.

    You are quick to criticize the regulatory bodies and thought leaders out there. I suggest to you the hypothesis that there are real thought leaders out there that the IIA because of its silo approach does not come in contact with.

    There are also the charlatan wannabe thought leaders: the ones who show up with the PowerPoint ERM presentations purporting to understand this field well, or the myriad of software vendors claiming to have a novel ERM solution, or those professionals that try to wow you with their ERM knowledge by sharing minutiae-related ERM surveys that add no value.

    If you want to be introduced to the best thinkers in ERM from around the globe, just let me know and I will be pleased to share the names and contact information with you. I think that you will be amazed at the amount of risk management knowledge in existence among the other fifteen or so professional risk organizations that seemingly the IIA does not network with.

    So in general there is a lot to be done both for the IIA which has been asleep for several years and for the world of risk and internal control.  I am always prepared to help. I currently serve on your Editorial Advisory Board and am a CIA and hold five other professional certifications, memberships in a dozen other risk organizations, membership in a risk think tank, and adjunct at a major university in the Northeast with plans to have an ERM Center of Excellence in the not too distant future.

    On a final note, there is a new book on ERM soon to hit the market through the publisher John Wiley & Sons (authors Fraser and Simkins). Professor Robert Kaplan of the Harvard Business School says in the Foreword to the book: "The events of 2007-2009 have made the gaps in knowledge, training, and attention to risk management abundantly clear, albeit in a highly costly and tragic manner. Businesses, business schools, regulators and the public are now scrambling to catch up with the emerging field of enterprise risk management." I have reviewed the outline to this book and several chapters. I will tell you without getting into any of the details that this is the most outstanding, comprehensive and value-added book on enterprise risk management that I have ever read, and I have read in excess of 50 books on this subject matter already. The members of the IIA will benefit tremendously from this book. It is a book rich with practical examples on "how to do ERM" versus "what to do."


  1. First, thank you for putting yourself out there to be critiqued. The first step to being a driving force in defining the future is to observe the current state. I personally appreciate your efforts to make this happen. I have spent the last 12 years in Internal Audit. I am a believer in its bright future. Over the last 5 years I have sought to become intimately familiar with professional guidance that impacts internal auditors. I see great strides in the 2009 IIA IPPF. However, there is much still to do. Einstein noted the following:

    "Any fool can make things bigger, more complex, and more violent. It takes a touch of genius — and a lot of courage — to move in the opposite direction." — Albert Einstein

    I believe in a simple future. I think the first 7 pages of ISO 31000, a 24-page document, take an enormous step in simplifying the definition of risk and risk management. As we look to the definition of internal audit, we exist to assist the organization in accomplishing its objectives through improving governance, risk management and internal control. That is also simple.

    I believe a viable, value-adding future will be based on how effectively we build on simple definitions of risk and risk management. It will be based on how we define and assess good governance, good management, good risk management and appropriate controls.
  1. Indeed, it is Time to Move Beyond the Finger-pointing … and Start Identifying Forward-Looking, Practicable Solutions in Strategic Collaboration with Other Standard-setting Professional Associations.

    What is The IIA doing to coordinate its Risk-related efforts & updates with the (AICPA's) Auditing Standards Board's (ASB's) January 2009 release of Exposure Drafts on Risk Assessment Standards? (This ASB effort is similar to the International Auditing and Assurance Standards Board (IAASB) project that aims to clarify its International Standards on Auditing (ISAs), and the ASB has developed a plan to converge U.S. GAAS with the ISAs while (hopefully) avoiding unnecessary conflict with PCAOB standards.) The AICPA's Risk Assessment Standards are being re-written as part of its efforts for Improving the Clarity of ASB Standards, i.e., the Clarity Project.

    Intuition suggests that The IIA and its designated representatives on the PCAOB and the COSO Committees have strategic and vested interests in positively ensuring more coordination and more of a common language concerning 'Risk', 'Risk Assessment', and 'Risk Assessment Standards' that have heretofore been put to work for the benefit of entities' internal and external users of such information.

    I agree "that the issues related to this topic are far too complex to adequately address in a single blog"; with Norm & Tim concerning the COSO doc's conspicuous absence of The IIA's contribution; and with Dan regarding the material and relevant contribution of ISO/IEC 3100.

    That stated, does it make sense to you and others for The IIA to publish a Statement of Strategic Intent (Position Paper?) that would be effective in widely disseminating The IIA's Intentions and Efforts in regard to the forthcoming Risk Assessment Standards?

    While I also agree with Arnold's observations concerning a select group of highly-regarded Professors (e.g., Lo (MIT Sloan), Ariely (Duke Fuqua), Shiller (Yale), Thaler (U of Chicago), Kahneman (Princeton), et al.), I know from graduate studies of such research that they and their ground-breaking contributions are best submitted to the IIARF for their consideration as part of an integrated & integrative 'applied research'.
  1. To Dan Clayton and his commentary on Albert Einstein, I would add that I believe Albert Einstein coined the expression “insanity is doing the same thing over and over again and expecting different results."


  1. To Thomas Heller: You discuss the various associations that The IIA has (all public accounting), but what about the 15 or so organizations that it is not networked with?

    You also indicate that the titans of intellectual thought should submit to the IIARF. Really? As if the world of intellectual thought/risk management revolves around The IIA. I think not.

    My opinion of what is needed for The IIA to move itself forward rigorously in the area of risk management is repeated:

    * Identify all the major risk organizations from around the globe.
    * Then identify the Presidents of such organizations and start some dialogue on breaking down silos re ERM.
    * Then identify all of the risk material, frameworks put out by these organizations.
    * Then identify all of the major thought leaders in risk from around the globe.
    * Then put a process together to start having interdisciplinary sessions with each organization.
    * Then bury COSO or at least put it far back on the bookshelf. But do buy and read ISO 31000. Forget about the AICPA standards on risk for now. They are more public accounting oriented than risk management oriented.

    I would say that these are just starting points of what The IIA needs to do, but there are many more things as well, such as increasing the dues substantially so that it can pay properly for substantial thought leadership in risk management.

  1. Thanks to all for the spirited discussion. One of the things I treasure about our profession is the passion that it often engenders. The COSO internal controls and ERM frameworks are certainly not perfect, but I am confident that they have added immeasurably to effective systems of internal controls and risk management. The fact that they are lightning rods for those who have different points of view speaks to their global stature and relevance. I appreciate the feedback you offer me on my views as well as the COSO frameworks themselves. I look forward to future discussions on these topics with each of you.

  1. Let's take a look at what caused the big banks to fail and see why ERM is unlikely to make a big difference if these issues are not resolved:

    1) Badly designed incentives: In theory, executives should be compensated based on performance relative to peer companies; balancing short-term and long-term objectives; using measures related to shareholder value (primarily NOPAT, which is cash flow available for dividends, and some ROI measure to avoid growth/acquisition bias); and adjusted for the leverage or risk taken, among other factors. In this crisis, few or none of these principles were followed. Short-term profits ruled the day and leverage was ignored.

    2) Bets with borrowed money:   The big five investment banks plus Fannie & Freddie went under during 2008.  The investment banks increased their leverage from 20:1 to 30:1 from 2003 - 2007, meaning a mere 3.3% decline in the value of their assets wiped them out.  The Economist had a cover story in 2005 warning about the housing bubble - A  COVER STORY.  Consequence for the firm going under?  A big golden parachute and a job at a smaller bank happy to have them, with a big signing bonus.  Nice.

    3) Conflicts of interest:  As long as board seats are treated like patronage jobs in politics, they will be ineffective guardians of the shareholder.  We must have independent boards with CEO and Board Chair separation.  Board chairs should be required to be certified corporate governance professionals.  They should not be prior CEOs of the company.

    We can talk frameworks all day, but the key issues aren't about process or the risk assessment component of COSO.  They are about the control environment.
