Marks on Governance (comment feed, Tue, 22 Jul 2014 13:26:03 GMT)

Rajarshi Ghosh Risk is a dynamic element, and as part of the risk management strategy there shall be a consensus on the acceptable level of risk at different levels of the management process.

Mon, 21 Jul 2014 11:56:27 GMT
Agbenya Hello Mark,

In my little experience, I think continuous risk monitoring and evaluation of the potential impact will give us a more realistic view of its actualisation and therefore of how quickly we respond to it, based upon the set risk tolerance level and appetite.

Mon, 21 Jul 2014 11:43:32 GMT
tayyab Aren't the "compliance risks, operational effectiveness" already part of the definition of internal control? A control review would be incomplete without examining compliance and effectiveness.

Sat, 19 Jul 2014 09:58:41 GMT
Norman Marks Richard, I worked with audit committees and boards for more than 20 years. Issues relating to compliance are not passed on to that committee, and our customer for our assessment of ERM will be the risk committee if there is such. The report by the audit committee to the board, which I usually wrote for them, is very brief.

With respect to independence, I don't see how that is compromised by attending meetings and providing reports to other committees. After all, we are not directors and not members of those committees.

Thu, 17 Jul 2014 14:47:33 GMT
SBP Mr. Fowler makes a good point. As auditors, independence is the cornerstone of our work. Organizations rely on us for independent and objective analysis of their programs. If we start to blur the line between audit and management by participating in other committees, then there is a risk that we lose our independence.

I think it's a good thought. However, there should be proper controls in place so that we do not lose our independence.

Thu, 17 Jul 2014 13:30:35 GMT
Richard Fowler Norman,

That's an interesting concept, but I'm not sure I agree. If Internal Audit is reporting to the Audit Committee and is effective in doing so, the necessary information will be passed along to the Board and thus to the other committees. The Board's role is to guide the company and provide strategic direction to executive management -- if Internal Audit becomes increasingly involved in the Board and Committee activities that determine this guidance, then surely independence will be compromised with regards to any strategic audits being conducted and, to a lesser extent, most financial and compliance reviews.

It just seems to me that, for most Internal Audit groups, the college degree level is quite sufficient.

Tue, 15 Jul 2014 19:14:07 GMT
Graham Joscelyne Norman:

Sarah makes a good point about jurisdictional 'difference' which must be taken into account.

You suggest a need for IA to 'graduate'. While many may still need to do this, here's the challenge it often faces if it 'graduates':

Even if IA takes a broad view of its duty to give assurance on all key risks - and does, it is often stymied because either/both management and the Board have not 'graduated' to the same extent as IA. It/they are not well enough structured to properly receive IA's key messages and deal with them efficiently and effectively.

How often has IA carefully constructed its argument and delivered powerful messages to management only to find that management parcels out the problem - piecemeal - among its managers? It is then left to IA to reassemble the pieces and decide whether or not the issue has been dealt with properly?

Even if management is structured in such a way that IA's overarching key issues are received and handled properly, Board sub-committees (because of division of oversight responsibilities) often exacerbate the problem by further fragmentation. So, a key IA issue could be handled by more than one Board sub-committee - none of whom takes overall responsibility to make sure that each committee has done its job or what the overall result is. By the way, this is most often a key finding when the governance structure is evaluated by IA.

Yes, IA must always find ways to enhance its impact. One way is to take the IIA Standards seriously and review organizational governance arrangements to help management and the Board also 'graduate'.

Thanks for a thoughtful question.

Tue, 15 Jul 2014 18:44:42 GMT
Sarah Blackburn Norman,

I read your post and realised that the scope of the Audit Committee varies widely by jurisdiction. As an Audit Committee chairman in the UK I would expect us to oversee all risks - although the assurance over those in some specialist areas would be derived from the reports made by them to the Board and the independent assurance from internal audit. To use the 3LOD model, the AC would have the 3rd LOD assurance over the 1st and 2nd LOD assurance, which may go to various executive committees or, in some cases, to another non-exec committee and/or the Board.
Interestingly in one organisation where I am on the Board not the AC, they have adopted their own FOUR LOD framework, making the committees the 3rd line and IA the 4th. Since I am aware that others have sought to increase the LsOD even more, at least I know this organisation is thinking about it.
All the best,
Mon, 14 Jul 2014 15:15:02 GMT
john oboh Dear Norman,

I am relatively new to internal audit; it would appear it is a bit different from the external audit exam I took during my ACA finals.

I have a start-up situation in my hands; please advise on how I can go about setting up a value-added internal audit department.

I have heard of the COSO internal control framework; how do I go about using it to design the company's internal control system, or using it to assess the internal control system of a company?

Mon, 14 Jul 2014 14:07:03 GMT
Jeff
Sun, 13 Jul 2014 20:54:05 GMT

Jeff
Sun, 13 Jul 2014 02:14:20 GMT

zay As I have found, this is one of the unique featured posts about why everyone really wants it. It's really one of the most knowledgeable pieces of content for me. Thanks for sharing some exclusive content in the same source.

Fri, 11 Jul 2014 18:03:00 GMT
zay This is very educational content and written well for a change. It's nice to see that some people still understand how to write a quality post.

Fri, 11 Jul 2014 18:01:16 GMT
Judy Anne Are there issues resulting from internal audit concerning the risk management process?

Fri, 11 Jul 2014 10:10:23 GMT
Garrett Arnold To me the issue is 3-fold:

1) Whistleblower laws are shamefully inadequate when it comes to those who retaliate, as retaliation is not treated as a criminal offense.

2) Ethics appears to be more of a punch line than something to be valued. When the metal meets the meat, people often choose to sacrifice the whistleblower rather than the colleague or an executive.

3) Social support for the whistleblower is almost zero overall, both for government agencies and even more so for private industry.

Until we fundamentally change how we react to whistleblowers and how we ensure their safety, things will not change. If we really think about it, after all the lectures, books, articles and CPEs based on ethics, what has that really accomplished? Personally, I believe very little.

Wed, 09 Jul 2014 06:52:17 GMT
Garrett Arnold For those of us who have investigated frauds, we have seen our share of those noble (and not so noble) whistleblowers being retaliated against. The two most common retaliatory tactics I have seen all too often are "job performance takes a nose dive" and/or the whistleblower is placed under a microscope for any "infraction of a vague policy". Pretty soon they are out on administrative leave, and then terminated. They are then left to defend their good name against a giant machine that has both the time and the resources to quash the whistleblower. As employment goes, we all know the industry circles are small, and if you are that whistleblower, good luck in finding employment. Most companies will reach out informally to the applicant's former employer and will find out why they are no longer with that entity. Companies espouse that they love ethical people; however, they still perceive whistleblowers to be "NON TEAM PLAYERS" and thus pass on them for the opportunity no matter how qualified they are for that position. So the majority of whistleblowers are left with all or some of the following:

1) Loss of employment income
2) Mounting bills
3) Credit damage
4) Marital damage due to mounting income pressures and other stressors
5) Massive legal fees (approximately 250k to take retaliation cases to court)
6) Bankruptcy
7) Career change

Wed, 09 Jul 2014 06:51:43 GMT
Sean Chen
Tue, 08 Jul 2014 05:48:39 GMT

neha shelot I think that the focus needs to be on residual risks. This implicitly recognizes the inherent risk without getting into unproductive debate about the pure level of unabated risk. I also agree that reports must enable better decisions by understanding the cost and benefit of specific mitigation strategies (controls). Using earthquake risk as an example, it is fine to know that your operations are in a high-risk earthquake zone (inherent risk) and also good to know that you have structural supports and a business continuity plan (the controls), but what is most interesting is how this affects ongoing business decisions such as whether or not you should expand operations at this site and what level of insurance you need. I think that unfortunately much of the valuable information gathered by auditors sits dormant after an audit report is filed and that few organizations have established processes to link audit work regarding risk assessment and control recommendations back to the business operations. This creates an opportunity for others in ERM or serving a similar risk role to gather and use data to help drive better business results.

Mon, 07 Jul 2014 14:40:32 GMT
arnold schanfield Norman:

Your comments are on the mark and I hope several things:

First, that you continue to write these blogs with this intensity and even more intensity.

Second, that you continue to embarrass the c--p out of the Big 4 and other service providers for really putting silly material into the marketplace.

Last, that all internal auditors think carefully, before they spend their hard-earned training dollars, about which organizations they should take training from. I say that these problems exist because of leadership issues at the helm of the IIA and other organizations that do not step up to the plate. It is not the responsibility of internal auditors to step up to the plate if the leadership of the organizations that guide them does not provide them with the tools to do so. Therefore, I would rather bank my money on attending one of your training sessions before investing a dime with the IIA or with COSO.

Thu, 03 Jul 2014 16:55:34 GMT
Norman Marks Richard, we are close to agreement. A risk-based approach focuses on whether risks that matter are being managed at acceptable/desired levels. That includes whether the controls relied upon to manage those risks are adequately designed and operating effectively.

We need to both assess the adequacy of risk management in general, and also how specific risks are managed.

A focus on controls assurance runs the risk (pun intended) of saying a control is effective when it is not necessary (for example, when it is redundant or the risk it is intended to address has disappeared).

Thu, 03 Jul 2014 16:49:12 GMT