SUPPORT CENTER Q&A 2ND QTR 2005
Date: 6/15/2005

Question: We have a question that we are all struggling with. You encourage us to support the Institute of Internal Auditors but we are seeing less and less value from doing so. Most of the internal audit departments in our chapter have been outsourced and the auditors in those firms appear only interested in selling more services. It seems to us that doing things the IIA way is only leading to more internal audit departments disappearing. We do not see what the IIA is doing for our job security. Why should we continue our membership?

Answer: Traditional auditing will not help you with job security. Only continuing to provide value greater than cost, as perceived by your executives, will keep you from being outsourced. The IIA does provide an excellent education resource and networking resource, although I understand how networking with outsourced audit departments does not make you feel comfortable about your job security.

Date: 6/2/2005

Question: Our department went through internal controls training from our public accounting firm before I read your Practical Governance and Risk Management book. The training we received did not cover any governance or management concepts that you discuss and did not break processes down into the cradles and graves that you suggest. Further, the control categories that the accounting firms use seem simpler to apply than what you are suggesting. While not doubting the validity of your approach, why is yours so complex compared to theirs? Thanking you in advance for your reply.

Answer: Thank you for taking the time to read the Practical Governance and Risk Management book. You are correct. The public accounting approach to internal controls is simple, but it does not work with business processes. The public accounting mission is based, by law, around verifying account balances in a general ledger within a materiality, or error rate, of 5%. The public accounting mission is not related to the successful operation of business processes, nor their efficiency or effectiveness, nor the quality of products and services that you deliver, nor the satisfaction of customers. Further, public accounting is focused on compliance with Generally Accepted Accounting Principles (GAAP), not the success of your processes.

Hence their control concepts (we call them Account Balance control concepts) can be simple. The 5% materiality limit can cover a lot of errors and mistakes in assessing control adequacy. Using Account Balance control concepts in complex business processes will get you into trouble in a hurry. Are the executives (Governance) in an airline company prepared to accept a 5% failure of airplane engines? Are the executives of a bank prepared to accept a 5% error rate on loan balance calculations?

In the real world, the amount of control that you build into processes must be related to the amount of business risk that your executives (Governance) are prepared to accept. Further, since managers of any part of your business are responsible for controls in their area, we need a way to break processes down into manageable chunks - hence our Cradle and Grave concepts. We call the Governance, Management and Performance concepts, described in the book that you read, Business Process control concepts. Two completely different approaches to internal control based on the objectives that you are trying to accomplish.

We see many instances of broken processes that have been "blessed" by the public accounting firms as "well controlled" using their Account Balance control concepts. Management knows that the processes are broken because they have to live with the consequences of such. Auditors who use Account Balance control concepts from public accounting will look silly when applying them to complex business processes.

Date: 4/24/2005

Question: We heard you make the claim that SOX 404 is control for control sake, I think. What do you mean by that?

Answer: Being fully compliant with SOX 404 will not prevent your company from going out of business. It will not ensure that you meet your business objectives, are competitive in the business world, can operate efficiently or have the right resources doing the right things. It will not ensure that you are managing risks effectively. Part of the answer is that the COSO control framework, which is the basis of most SOX 404 signoffs, is a flawed methodology and adds no value to the business world. Proof of this statement is that no one really adopted COSO until it became law under the Sarbanes Oxley Act, and, secondly, it does not address delivering on business objectives or economy and efficiency (cost reduction) of operations.

Implementing COSO adds tremendous costs to US businesses at a time when we desperately need to reduce costs to compete in the global marketplace. Hence it is control for control sake. It gives the illusion of doing something without really accomplishing anything except to richen lawyers' and accountants' pockets and alienate most of corporate America. (Note the Canadian COCO control framework is much more focused on accomplishing business objectives. The above comments do not apply to COCO.)

Our Governance, Management and Performance concepts go much further. In addition to meeting COSO objectives they are focused on being successful in accomplishing business objectives. Unlike COSO, we link the concept of a control to the concept of risk, to Governance approved limits of risk to business objectives. Unlike COSO we can improve control and reduce costs at the same time.

Date: 4/22/2005

Question: Will RBIA work without Team Success Objectives? For some strange reason, our internal audit department does not see the need to hold auditors accountable for delivering on specific objectives and has decided to omit them. What is the downside?

Answer: You are not alone. Traditional auditing doesn't hold anyone accountable for anything. Audits go on forever since no one is calling the audit department complaining about their audit reports being late. Costs are never considered since they are usually distributed in an overall allocation. Accountability is one of the critical success factors to make teams work. The others are Objectives, Responsibilities, Control and Authority. Team Success Objectives (TSOs) are the RBIA definition of the Objectives component. Refusing to hold auditors accountable for failing to deliver on the TSOs nullifies their effect and denigrates it to a form filling exercise. In one swoop, this decision effectively removes the Objectives and Accountability critical success factors to make teams work.

RBIA has so many strong value generating components that you may still get some results. However, the central key to value and productivity is gone with the removal of TSOs. Without accountability for TSOs you will never move out of rigid hierarchies and teams will have no chance of succeeding (as opposed to a workgroup where auditors of different disciplines do their own thing in a geographical location). Auditors will take no personal risks and wait to be assigned tasks as in traditional auditing.

Date: 4/12/2005

Question: Our audit group attended your presentation at the Albany TCTC and we are implementing RBIA. The problem is that our audit managers are not liked by senior executives in the company. They are having trouble securing meeting appointments with the senior managers. What can we do to overcome this?

Answer: Thank you for attending TCTC and supporting the IIA, ISACA and the Association of Government Accountants. Our presentation at TCTC was a one day overview of RBIA. In a one day overview it is impossible to provide the knowledge that you need to do RBIA audits, let alone implement the approach. Implementation requires a lot of prework in terms of conditioning the Audit Committee and the senior executives of your company (refer "Implementing RBIA" book on this web site). If you have not done this prework it is almost impossible to make the approach work.

Assuming that you have done this implementation prework, you have to face the possibility that your audit managers may not be capable of transitioning to the RBIA audit executive role. Audit managers manage audits. RBIA assumes that the smart, intelligent people that we hire into internal audit are entirely capable of doing that themselves in their teams. Audit executives manage relationships. Different skills. Your audit managers may simply not have the people skills necessary (refer our upcoming Audit Executive Development seminar).

The main reason why you cannot get on executives' calendars is that they do not want to see you! Audit managers may also be tainted by association with the traditional "gotcha - run to the audit committee" mode of doing audits. Our business thrives from such situations where the business executives cannot stand that way of doing internal audit and welcome RBIA, which is focused on helping them be successful in accomplishing their objectives. They may not want to see your audit managers since they associate them with the old way of doing audits. In either case, this is an issue for your General Auditor to address.

Date: 4/10/05

Question: What do you think about showing auditees our Team Success Objectives?

Answer: I would not. They are internal measurements for the audit department. Disclosing them outside the department will cause more problems than it is worth. You do have to communicate their value, time and cost information in whatever format the audit executive and the vice president have agreed on.

RBIA and PGRM Osterio, Inc. All rights reserved worldwide.
Updated: February 2, 2007