SUPPORT CENTER

DATE: 06/14/00
QUESTION: At our company, we have a small audit staff made up of three staff auditors, two seniors, and one audit manager with 12 VPs. We all design and implement our own audits. Also, each staff or senior auditor is assigned to be the contact for a number of VPs. Should staff auditors be assigned as direct contacts for VPs or should it be at the senior level and above?
ANSWER: You don't mention whether you are using the RBIA audit approach or not. The "direct contact" role with a Vice President under RBIA (Audit Executive) varies significantly from contact roles in other audit approaches. The level of the contact is largely irrelevant. What is important is the ability to build an effective working relationship with the particular Vice President. That relationship must evolve to one of considerable trust and confidence. If the trust and confidence is not present, the relationship will not be effective. Obviously, experienced Vice Presidents will be very reluctant to confide in very junior people. More importantly, traditional audit practices put barriers up to building this trust, i.e., copying audit reports all over the company. If you implement RBIA the way it is designed, i.e., you have eliminated the traditional barriers that adversely impact the building of an effective working relationship, you can assign staff to work with Vice Presidents based on their ability to obtain the confidence and trust of the Vice Presidents. Assigning junior staff as contacts with Vice Presidents without implementing RBIA as designed may be setting the junior auditors up to fail.

DATE: 06/14/00
QUESTION: I'm perplexed about the auditor's changing role to that of consultant. At the same time, we are not supposed to "do management's job for them." I used to be in a consulting firm where we did whatever the client didn't have the time, expertise, or desire to do themselves. This sure sounds like "doing the job for them."
Where do we draw the line on how much we do? Do we just give advice on what they should do and how they should do it, without actually doing the work? What if they don't have the expertise and we do? Should we do it then? It seems to me that we would be "moving the ball forward" and providing value if we do the work for them.
ANSWER: I agree. Executives want the problems solved and have little time for philosophical arguments about the theoretical roles of auditing. Consulting is good. It builds instant credibility. It positions you as someone committed to moving the ball forward. It is good for auditors' careers. No one has time for "pontificators" who sit on the sidelines and criticize! I suggest that the percentage of auditing (risk/control assessment activities on the stockholders' nickel) and consulting (help fix problems by partnering with managers on teams) should not exceed a 50/50 percentage mix. On all consulting projects that auditors are assigned to, I suggest that you adopt the following concepts:

DATE: 06/02/00
QUESTION: I am a manager in charge of a major new project. I have not been given specific guidelines or deliverables for this project by my boss. Do I have a responsibility to demand that my boss step up to the plate and perform her governance duties by outlining some requirements for the project? She and I have talked about this issue several times, and she tells me to "use my best judgement."
ANSWER: I assume that your boss is a Vice President and, therefore, responsible for performing Governance on your project. It is not appropriate to place "demands" on Vice Presidents, but if they are negligent or reticent in stepping up to their governance responsibilities, it is incumbent upon you to "manage upwards". I suggest that you do use your best judgement and come up with some goals that you think may be appropriate to accomplish the overall mission of the company and are in accordance with the business strategy. Work through the Governance concepts that you learned in our seminars for each goal and pay particular attention to laying out the risks and limits of risk associated with each goal. Present these options to your boss. Guide her through the process and "manage her" towards a decision that she must make as a Vice President. Do not make this decision yourself. You can make recommendations and suggestions, but she must make the governance decisions. I also suggest that you keep a good documentation trail over this process. Some Vice Presidents do have selective memory when things start going wrong!

DATE: 06/01/00
QUESTION: Our Vice President will not accept any level of risk on any project we are working on. We have been told that, as managers, we are empowered to take any action but nothing had better go wrong otherwise it is our fault. Any suggestions?
ANSWER: Quit. You are being set up to fail. Your Vice President lives in a fantasy world. Things will go wrong (risks). You cannot control the real world - it is too uncertain.
You will be blamed no matter what happens. Quit now while the employment situation is so much in your favor.

DATE: 05/05/00
QUESTION: What is internal audit's best role in the context of a planned or proposed merger or acquisition? How does internal audit use RBIA in the M&A context? Thanks!
ANSWER: Due diligence, due diligence, and more due diligence! Mergers are loaded with politics. When senior executives make a decision to acquire a company, there is tremendous pressure on the teams performing the due diligence to confirm that the "deal" really is as good as it sounds. Anyone who uncovers information to the contrary will likely encounter resistance communicating this message up the line. This is exactly the area where internal auditors can add the most value in working on due diligence teams. Unfortunately, most mergers do not turn out to be as rosy as promised. Solid, objective, skeptical audit participation can be invaluable in negotiating the final acquisition price. It is unlikely that audit will be doing a due diligence audit by itself. More than likely, you will be one member of the due diligence team, which will not be applying the RBIA approach per se. You should, however, apply the RBIA Evidence to the Standard of Proof concepts in the review and test phases of the work.

DATE: 04/26/2000
QUESTION: I am looking for an audit plan that could be used for an internal audit of Fixed Assets. What controls should I be looking for in particular? Thanks for your help.
ANSWER: You are looking for a canned set of controls to apply to fixed assets. This is the checklist approach. All you will end up doing is either under controlling or over controlling your company's assets operations. RBIA does not work this way. Controls should never be considered in isolation of the concept of risk. Risk should never be considered in isolation of the concept of limits of risk.
How much risk we are prepared to take (limits) should never be considered in isolation of the business objectives. Using the RBIA approach, you should first identify who is accountable for managing fixed assets in your company. Identify the specific objectives that they must accomplish in managing the fixed assets in order for them to be successful. Next, in discussions with them, identify the specific risks (and limits) that threaten those assets and which impact that manager's ability to be successful. Governance must then approve those risk limits. Once you know this information, you can then start to identify and determine whether the controls in place are adequate to keep those risks within the Governance approved limits so that the fixed assets manager will be successful. This is a very high level overview of how the RBIA approach works. RBIA is focused on helping people be successful - not on applying canned control checklists. I suggest that you request additional information on RBIA in order to understand the full context of the above outline.

DATE: 04/14/00
QUESTION: My husband has accepted a transfer. I've been through your RBIA training and we apply the RBIA approach in our audit group. Can you help me in finding an audit department who may be interested in recruiting me?
ANSWER: Happy to. Please send us your resume (and where you are moving to) and we will circulate it to RBIA audit departments in that area.

DATE: 04/10/00
QUESTION: Can we apply RBIA and self-directed work teams in just one part of the audit group?
ANSWER: No. You will fail. Without the full support and commitment of the General Auditor, you are setting yourself up to fail. Please do not try. Having said this, there are many simple, value enhancing ideas that you can adopt from RBIA without fully implementing the concept.

DATE: 04/07/00
QUESTION: We are struggling in our audit teams. Is there any one key thing to address that will help us?
ANSWER: The number one reason why any team will struggle is that they do not know what they are trying to accomplish. Focus on your Team Success Objectives and make sure that they define, very clearly, the value you are going to create, the date, and the cost. If people are held accountable and they understand what the end product should look like, they will make it happen (I am assuming that you are holding your auditors accountable for meeting their objectives).

QUESTION: What is your suggested ideal team size for self-directed work teams?
ANSWER: Two to three.

DATE: 04/06/00
QUESTION: What do you think about the concept of a super auditor - an auditor with the right training and skills who can tackle any audit?
ANSWER: The business world is simply too complex for this to be a reality. You can get away with detailed Performance level process audits if you use a lot of canned checklists. However, it is impossible to demonstrate any value at executive levels with this approach. You won't be able to tackle the critical issues in your company with checklists. It makes more sense to get the skills you need to address the business risks that your company is facing.

DATE: 04/05/00
QUESTION: Recently, we have struggled with the "measurable" component of SMART for value TSOs. The following example is from a new audit where we know from the VP customer that agent compensation payments were not timely. In terms of accuracy for the old, manual system, we were told that there was zero tolerance for fraud and a 5% tolerance for errors. Would you please comment on this as a value statement (both good and bad) with particular focus on its "measurability". VP XXX will accept audit's accuracy and timeliness assessments of previous agent compensation payments. Additionally, VP XXX will accept audit's recommendations regarding accuracy and timeliness controls being designed into YYY (the new automated system).
ANSWER: Good to see that you are applying the S.M.A.R.T.
test to your TSOs. I would suggest that you delete the first part about the Vice President accepting your assessment since it is redundant. Since the VP knows that the agent commissions are not timely, and is looking for recommendations to fix it, giving an assessment doesn't add any value. You may be telling the VP stuff they already know. The value TSO "VP accepts audit's recommendations regarding the accuracy and timeliness of controls being designed into the YYY (the new automated system)" is appropriately worded. You can measure this as soon as you scale the EXCEED, MEET, ALMOST and FAIL criteria. I would need to know a lot more about the politics involved, relationship that your Audit Executive has with the Vice President, etc., before I could give you any help on the appropriateness of the EXCEED, MEET, ALMOST, FAIL criteria. This TSO does beg the following issues: What about the Completeness of Input, Completeness of Update, Continuity, General Controls over Manual Procedures and General Controls over Programmed Procedures of the new automated system? Sounds like there may be other potential audits involved with the new system.

RBIA and PGRM Osterio, Inc. All rights reserved worldwide.
Updated: February 2, 2007