Thursday, June 30, 2011

ERM-BC-COOP: Audits & auditors

Updated July 3, 2011

Auditing functions and processes - versus auditing just financial statements - has become a hot topic in many areas.

Enterprise risk management is one of those "many areas."

This raises three questions:

  1. Who audits the program - internal auditor or external auditor?
  2. How in-depth should the audit be?
  3. What qualifications should an auditor possess?

As with most things in the risk management world, there is more than one "correct" answer because "it depends."

Inside, Outside

Should the risk management audit be conducted by an internal auditor or should it be jobbed out to an outside person or firm?

If an in-house auditor is used, there must always be a suspicion that the auditor will be less than totally candid; after all, the auditor's job is on the line.

Will the internal auditor check with Very Senior Management to determine what the audit is expected to convey? Will the auditor "adjust" the report to present something in a better, or lesser, light than reality demands?

One other thing: An internal audit is easier for management to quash, brush under a convenient rug, than an outside auditor's report.

While an independent outside auditor may have less to fear from an upset client, the auditor will need to be privy to sensitive client information; information that could damage the client - or the client's clients - if it fell into the wrong hands.

Even with an iron-clad Non-Disclosure Agreement (NDA), with the right enticement, an external auditor might be convinced to share client information.

Of course that also holds true for an internal auditor, especially one who feels his or her work is in vain.

Drilling down

Just how deep should an auditor investigate?

Is the auditor expected to gloss over the organization at "20,000 feet," the altitude at which some managers expect their risk managers to operate? Or, should the auditor drill down to the process level? The real question is: what does management want from the audit?

Does management want the auditor to provide a cursory check-list comparison of plan vs. reality or does management want the auditor to delve into each of the plan's statements - maybe even call for, and observe, an exercise?

It was not so long ago that a financial auditing firm - one of the once "Big Five" - found itself spurned because it glossed over a client's weaknesses.

The thoroughness of an audit may be tempered by sensitivity of information or driven by regulation or "Generally Accepted Auditing Standards," a/k/a GAAS, as well as management's mandate to the practitioner. The effectiveness of the audit depends solely on management's commitment to, acceptance of, and implementation of audit recommendations.

Who should audit

Once what should be audited and at what depth is determined, the next logical question is: What should be the auditor's qualifications?

I have worked with auditors who knew the field in which they were working and I have worked with people who are innocents in the field they were asked to audit.

The former can be either like the risk management practitioner who is in love with what he or she does and approaches it enthusiastically or like the risk management practitioner who creates programs according to a checklist. (Checklists are valuable, but must only be a starting point to assure all bases are considered.)

The enthusiastic auditor approaches the job as an opportunity to help everyone improve the organization. The risk management practitioner's work is vetted by an outsider who may only know enough about risk management to ask questions: "What if . . . " and "Why was this recommended?"

My long-time mantra was, and continues to be, "No plan is perfect the first time out." If early exercises fail to turn up something to address, something is wrong with the exercise. Auditors could find a "got'cha" missed during an exercise just by challenging the practitioner's notions.

Auditors thrown into audits of areas in which they have little or no knowledge need to have a network of people who can give them direction; suggest things to examine closely for each unique client.

It helps if the auditor, with or without knowledge of the audit subject, has good interview skills. An audit that is limited to document examination is, in most cases, an incomplete audit. If a document is the basis of the audit - as it normally would be with a risk management audit - the auditor needs to assure that what is documented can be accomplished and is being accomplished.

Change auditors

Parting shot: Change auditors frequently.

The same admonishment applies to risk management practitioners as well. (If risk management is an in-house operation, consider hiring a consultant once every "n" years just to get a new perspective.)

Regardless of what is being audited, the auditor or auditing firm should be replaced, "rotated out," every few years - perhaps every three years, perhaps every five years.

Auditors have a vested interest in keeping the business, be it as a staff auditor or as a consultant. A less than totally honest auditor could "hide" a previous year's mistake year after year - or until a new auditor (from a different firm) is invited to perform a new, "from the ground up" audit.

Even a totally honest auditor may fail to see a situation that needs attention that was ignored in a previous audit.

Auditors are our friends

I am absolutely convinced that a good auditor can be a valuable asset to any risk management program; I welcome auditors who care about their work to critique my programs.

It's good for me.

It's good for my client.

Friday, June 24, 2011

Got it right - almost


I'm currently looking for a new opportunity - have passport / will travel - so once again I'm lurking on the major job boards, e.g., Careerbuilder, Monster, DRII, and DRJ.

I found one this morning for a Business Continuity Manager that looked really good from an enterprise business continuity perspective. A lot of the "right" words.


  • Capitalize on business opportunities to refine and optimize business processes to mitigate exposure during disruptions of service, and, possibly, improve day-to-day operations.

I really like this. It shows someone understands that "process improvement" is an integral part of business continuity - IF the client allows the practitioner to consider, and recommend, possible improvements.


  • Establish business continuity and disaster recovery testing methodologies; assure recovery procedures are effective for the restoration of critical business processes and key personnel. Ensure all components of the Business Continuity Plan are successfully tested at least annually, or whenever significant changes are made to those components. Plan and coordinate at least one simulation exercise a year, involving all critical business units and functional areas.

Everything looked really good until the third bullet from the bottom (of the advertisement).


  • Working knowledge of data processing and telecommunications in order to assist in the preparation of recovery procedures in this area.

Why a "working knowledge of data processing and telecommunications?" Why not a "working knowledge of HR" or Facilities or Finance or Shipping or . . . ?

In this instance HR and Facilities probably are more important than data processing. Telecom for this advertiser is a toss-up.

Certainly data processing and telecom must be restored, but WHY only the requirement for these functions?

There was one bullet under the ESSENTIAL DUTIES & RESPONSIBILITIES heading that caught my eye. I have mixed emotions about it. The bulleted paragraph reads:

  • Lead the development of Business Continuity Plan and procedures in a disaster situation; provide 7x24 on-call support for any emergency which may require activation of all or part of the Business Continuity Plans. In the event that activation is required, serve as liaison between the senior management and the Business Continuity Teams.

"Lead the development of Business Continuity Plan and procedures in a disaster situation" is a pretty broad statement. Besides, what if the practitioner is off in Timbuktu and can't return home until who-knows-when? That's why even the practitioner must have an alternate. Beyond that, developing a plan and procedures "in a disaster situation" is akin to closing the barn door after the livestock escaped.

The selected candidate also will "provide 7x24 on-call support for any emergency which may require activation of all or part of the Business Continuity Plans." That is broadly phrased so it can be read - as I would interpret it - to mean either the practitioner or an alternate would be on call.

What I did like was the final sentence: "In the event that activation is required, serve as liaison between the senior management and the Business Continuity Teams." This sentence clearly defines the practitioner's primary role: "serve as liaison between the senior management and the Business Continuity Teams." That statement, however, seems to contradict the requirement for the practitioner to have a "working knowledge of data processing and telecommunications."

I wonder if the job requisition/description wasn't cobbled together by a committee.

Obviously someone understands business continuity, and just as obviously, someone (else) thinks business continuity is just another name for IT disaster recovery.

Thursday, June 23, 2011

Risk is recognized, but not controlled?


In December 2010 the Economist Intelligence Unit * conducted a SAP-sponsored worldwide survey of 385 senior executives from finance, risk, compliance and legal functions. All respondents were executives in one of the following industries:

  • financial services

  • healthcare

  • energy and utilities

  • logistics and manufacturing

  • public sector

Outside the public sector, 63% of respondents work for companies with annual revenue of over US$500m or the equivalent, and 25% work for firms with over US$5bn in annual revenue. The average annual company revenue was around US$4bn. One-third of the respondents are employed in Western Europe, 28% in the Asia-Pacific region and 27% in North America.

The full report is found at; it is summarized at

For many respondents the high scores from self assessments fail to match reality as determined by the Economist Intelligence Unit.

One interesting statistic was the result of asking the responders "How do the risk and compliance practices of your organization rate relative to the rest of your industry?"

Responses were broken down between those organizations that had suffered an event and those that were - so far - unscathed.

Executives of those organizations that had survived an event were far more conservative in their thinking (see graphic, below).

While the report may not be an eye-opener to most risk management practitioners, it does provide useful information.



* The Economist Intelligence Unit is the business-to-business arm of The Economist Group, which publishes The Economist Newspaper. Like The Economist, we are known for our global perspective, accurate analysis, objective thinking, business acumen and influential opinions. We pride ourselves as the world's foremost provider of country, industry and management analysis. For nearly 65 years, the Economist Intelligence Unit has delivered vital business intelligence to influential decision-makers around the world. Our extensive international reach and unfettered independence make us the most trusted and valuable resource for international companies, financial institutions, universities and government agencies. Today we have over 150 full-time country specialists and economists supported by an unparalleled global network of 650+ contributing analysts and editors.