Thursday, January 29, 2009

The Power of "We"

Winston Churchill once said,


"Broadly speaking, the short words are the best, and the old words best of all."
And, I can think of no better short and old word than "we".

I came to understand the power of the word as a strategic consultant to colleges and universities. You see, the president of our company understood the significance of phrasing every conversation with a client with this tiny possessive plural pronoun. He understood its importance to such a degree that he made it into a rule. No consultant shall ever use "I", we shall always use "we".



I was even told the story of how we stopped collaborating with a very experienced and senior external consultant because he could never live up to this rule. It was that important.

Why is "we" so significant, you ask?

Well, "we" has a quirky aspect. You never exactly know who is included. Which is nice, because it allows you to simultaneously mean you and yours, as well as them and theirs. It also lets you show that you are in the same boat as they are.

Any audit or consulting team that shows up and uses the divisive "us"-versus-"them" or "I"-versus-"you" phraseology is missing a huge opportunity to start a partnership.

When it is "we", then we are both in this together. When it's otherwise, the client is left to assume you've got a different agenda than they. Any student of history knows that conflict arises from two groups having different agendas.

The other big reason to use "we" is that now we've engaged the power of "us". The whole firm or audit department is now standing behind you (kind of like the Verizon guys), rather than you putting all the weight on yourself. Who would pretend to argue with all of us?

Further, it means that if you've got to pull in a resource to cover an area that you don't understand, you've already telegraphed that the whole team is engaged. You look brilliant for having gotten all of us involved.

Sounds simple, right? Well, it isn't. And, I've known some seriously top-notch folks who had a dickens of a hard time with "we".

The issue is that folks want to be able to make personal commitments. They want to say (in lots of different ways) that, "you have my word." At least the best and the brightest do. Unfortunately, "my" and "we" are antithetical.

And it's an ego thing. We all want to put our stamp of ownership on what we do. Hard to demonstrate individual stardom using "we."

Now, it would be easy to suggest that I'm just waltzing to our new President's accordion, but I'm here to tell you that we knew about "we" before we knew about him.


--Prescott Coleman, CIA, CISA

Friday, January 23, 2009

Cause and The Last Why

One of the hardest arguments I ever got into with an auditor who worked for me regarded "cause."

No writer likes being challenged in their logic, particularly after a hard week on the ground in the offices of a unit of the company, but the organization deserves that we treat "cause" as tremendously important.

And so we did.

IIA Practice Advisory on Standard 2410-1 suggests that audit findings be comprised of the following:
  • Criteria: The standards, measures, or expectations used in making an evaluation and/or verification (what should exist)
  • Condition: The factual evidence that the internal auditor found in the course of the examination (what does exist).
  • Cause: The reason for the difference between the expected and actual conditions (why the difference exists).
  • Effect: The risk or exposure the organization and/or others encounter because the condition is not consistent with the criteria (the impact of the difference). In determining the degree of risk or exposure, internal auditors should consider the effect their engagement observations and recommendations may have on the organization's operations and financial statements.

It is also customary to add Recommendation to this list to arrive at the Five Part approach to writing audit findings.

Most auditors and consultants I've trained have little trouble with defining "what is" and comparing it to "what should be," but "why it was that way" frequently presents difficulty.

When editing audit reports and finding this section missing, I'd frequently get responses like,

  • "They just weren't doing it."
  • "The manager isn't very good"
  • "I don't know why, I forgot to ask."

Of course, the problem with these responses is twofold.

First, if you don't know why something is or isn't taking place, it will be simple luck that your recommendation actually fixes it.

Second, without a defined cause it becomes impossible to gauge the cost-benefit of accepting the recommendation.

To illustrate, if the reason the manager didn't do something was because they weren't trained properly, then it becomes possible to assign a cost to your recommendation. Retraining the manager costs $X.XX compared with saving $X.XX in risk (or whatever).

Likewise, if the manager chose to ignore the control because of resources or a disregard for the importance of the risk, it becomes reasonable to explore whether their managerial choice was the right one. Removal of extraneous controls is as valuable a service of Internal Audit as adding new ones. An auditor would seldom go down that path, unless they had first chosen to pursue the question of "cause" with alacrity.

One of the best ways to combat lazy "cause" statements comes from the Executive Vice President of Educational Marketing Group and she refers to it as The Last Why. It's a quick and dirty model for determining cause and it is as effective as it is simple.

It goes like this. You take the first "why?" and ask "why is that the case?" and then you do it again.

So, when the auditor says, "they just weren't doing it," the response to that is a simple, "really, why?" Then keep silent. Perhaps the answer will then be, "because they didn't know about it." To which, the response is again, "really, why?" And so on, until you get to the "last why."

The Last Why is the actionable answer. You know you've arrived at it when you've finally got something that can be done. For example, perhaps the "last why" in the above scenario is that trainings of this kind only take place twice a year and this manager was hired right after the last one.

Now, we've got something we can work with.

If the risk is great enough, you can recommend that the training cycle be changed or that interim briefings take place for new managers, or a dozen other things - most of which you'd be guessing at if you'd stopped at an earlier why.

--Prescott Coleman, CIA, CISA

Friday, January 16, 2009

Getting paid by the insight

When breaking in new consultants (or new auditors for that matter), I have always found it most difficult to teach the business of insight.

It is even difficult to describe it here. So, I tend to fall back on quoting the dictionary definition.

Insight is...
  • The clear (and often sudden) understanding of a complex situation.
  • The capacity to discern the true nature of a situation; penetration.
  • The act or outcome of grasping the inward or hidden nature of things or of perceiving in an intuitive manner.
I like the last one best because it rests responsibility for insight on intuition. However, in the consulting and analysis profession the definition is even more expansive. Indeed, the term takes on a product-like definition.

You see, to a huge extent (and possibly unlike the auditing profession) our clients pay us by the insight. They pay us to evaluate the situation, data, and people involved -- with the intended outcome that we share with them a grasp of truth that they never previously considered. No insights, no value, no revenue.

When I would work with new consultants and auditors, it was this last bit they found hardest to absorb. To identify a stunningly useful thing that your client has not previously considered, of course, requires that you have the intuition and background to anticipate what they already have considered. It also requires that you sort through dozens of lesser insights to arrive at the ones that can most move the organization ahead and provide competitive advantage.

A couple of interesting examples of actionable insights from my recent work with universities come to mind as illustration:
  1. The university that concluded it could never attract students from the eastern part of the state, because the mountain range that divides them was an unassailable cultural and mental barrier. Yet, an analysis of competitor schools indicated that one other, of no greater quality, was getting 23% of its students from the eastern urban areas. They'd had this data in-house, but highlighting the insight shattered the barrier notion and opened up their market space.

  2. The university system that wanted to grow its online programs and needed to understand the constraints. Initially believing the issue to be a problem of marketing, thorough interviews and data analysis showed that, to a huge extent, there wasn't enough capacity (courses, professors, classrooms) to support substantial growth. Capacity itself was being constrained by the financial reward structure. One key insight was that the reward system for routing revenue to Deans for developing online courses was too temporary. While money could be made, no Dean was willing to hire academic staff one year, only to let them go the next. The organization began moving immediately to address this issue.

  3. The university, whose admit-to-enrolled yield rate was substantially lower than its aspirational peers at a time when it was vying for a top-tier market position. The admit-to-enroll yield rate describes the percentage of students who receive an invite to enroll, who actually do. A low yield here indicates that after doing significant work to get the student to be aware of the university, consider it, and apply; they lost them to some other institution. When this insight was coupled with data that indicated that the number of students for whom they were the 1st choice was dropping (and the number marking them as 3rd choice was rising) it became clear that the university was slipping into a “safety-valve” market position. Immediate action was taken.

The point, whether you are a consultant, data analyst, or auditor is that it isn't enough to present the results.

I have found this statement to be most difficult for internal auditors to accept because they tend to be stuck in a compliance mindset. Without a doubt, auditors have an obligation to declare things to be “out-of-spec.” It is in the job description. However, to be really worth your salt, you've got to provide insight. And this insight has to be actionable.

Tom Peters, the renowned management guru, coined a phrase a number of years ago that frames this nicely. He described it as, “work worth paying for.”

-- Prescott Coleman, CIA, CISA

Thursday, January 15, 2009

Annual Audit Planning - Part Three

I'd like to make the Three-Month Rolling Plan approach complicated, but I can't.

Scheduling may be intricate, but it isn't really that complicated. You'll need to know vacations, holidays, trainings, new hires/retirements, but you should know all that anyway.

In the first two posts on Annual Audit Planning, we walked through the Audit Universe, Coverage Targets, Risk Analysis, and the Audit Bin. We got very close to scheduling and stopped.

Let's pick it up from there.

So you've got an Audit Bin. It has about 120% of the audits you might do in a year. You've determined through the risk analysis that each one should be done - and you'd do them all if you had the resources.

It's time now to build the schedule. The first thing you do is talk to your audit clients.

You may have noticed that, in my opinion, talking to your clients is always the first step. While you aren't really in the business of making audits convenient; if you can, why not? These kinds of conversations, where you show you are really listening to your audit clients, are just one of a hundred techniques for building strong business-to-audit and business-to-analyst partnerships.

For example, it is probably a poor idea to schedule an underwriting audit (the guys who write insurance policies) for a month when large portions of them come up for renewal. You probably won't get the kind of time you'd like with the Underwriting Executive and, perhaps more importantly, you'll be looking at last year's policies. Your testing of the files could very well reveal a horrible control environment that is actually a year old. No one will pin medals on your chest for determining that kind of old news. Not in this kind of change environment.

Now, mark each audit in the Bin with a preferred fiscal quarter. That makes sure you don't forget when the ideal time is to do that underwriting audit for example.

And with your Audit Bin marked with the basic idea of when to do each audit, you can use a Gantt Chart tool like the one below to lay out the actual audit work for the next three (maybe four) months. Much beyond this and the level of uncertainty makes maintaining the schedule more work than it's worth. You'll just be redoing it when things change.




[Figure: Audit Schedule Example]



Here is the trick. You will do this again in 30 days.

Each month, you'll select audits from the bin and place them on the schedule. We always did this as a team effort. You'll also have a look at your progress against your coverage targets. For example, if you do a bunch of IT audits in the first quarter, you may be done for the year. This will depend on the coverage target mix you agreed with the Audit Committee. Conversely, it may be June and you can see that you are behind and it is time to focus on financial audits.

I recommend an official quarterly written update against plan, with coverage target metrics.

With this reconciliation you'll be able to go in front of your Audit Committee and show them how you are executing your audit plan against the targets they approved. You'll have metrics and you'll be able to demonstrate an audit process in control.


-- Prescott B. Coleman, CIA, CISA

Monday, January 12, 2009

Inventory theory and financial planning

Sometimes the best innovations come from taking common concepts in one discipline and applying them to another.

So it was with the Moving Wave Theory of Investment Planning.

Not that I'm in love with the name, but we needed one and it stuck.

The Moving Wave came out of a sudden need and opportunity. You see, at the City we had just lost our Investment Officer. She'd been in the role for more than 30 years and had made it her own.

The issue was that the Finance Director; essentially the CFO of an organization serving 250,000 citizens, with revenues of $305 million, and assets of $3 billion; was unwilling to allow the investment portfolio to extend any significant length of time. And by "significant", he meant more than one or two months. As he put it, he wasn't able to trust that we'd have cash on hand when it came time to pay the bills. I know it sounds surprising.

About that time, he asked me to take over as Investment Officer. So I became the steward of a portfolio of $200+ million, mostly in Corporate Paper, Agencies, Corporate Notes, and US Treasuries. My having to answer questions from Denver Post and Rocky Mountain News about the recent collapse of Orange County California notwithstanding, we had a pretty safe portfolio.

The problem was that the portfolio had an average duration (as I recall) of around 22 days and as a result, the returns were much weaker than they could have been. At that time at least, extending the portfolio could yield several hundred additional basis points, but the Finance Director wouldn't have it. The risk of failing to meet a debt service payment or having to rapidly liquidate a security, unplanned, was too great.

In the City, we collected essentially one-twelfth of our annual revenue each month, mostly from sales and use tax. We got other revenues from time-to-time (property tax) but the lion's share was sales and use tax. This means that, like most household budgets, we got new cash by the end of each month. County governments, for example, are on an entirely different schedule. Because they rely on Property Tax mostly, they get new cash twice a year.

The solution to give him confidence, came not from the finance world, but from manufacturing.

You see, there is a tremendous cost to a production line if inventory isn't available when it is needed. If a "widget" reaches Assembly Point X and finds no "therbligs" to be attached to its side (or top, or underside, or whatever), the line shuts down and widgets don't get made. Widgets, being exceptionally profitable, must keep rolling off the line!

To ensure this doesn't happen, several forms of "safety stock" calculations exist, starting with the simplest form, basically, "when the pile of therbligs drops below this line on the bin, order more."

The same principle was true here. If cash wasn't available on such-and-such a date to make an important payment, heads would roll. So we created a cash-based safety stock process and called it The Moving Wave.

Here are the basics.

First, figure out the revenue cycle. In our case, it was monthly.

Second, multiply it by three. We did this based on a strategically chosen level of risk. Three months became the duration of the "Wave". In a County, it would have been 18 months. We could have made it 4-times, but the risk-reward balance would have been out of whack.

Third, mine the accounts, debt service schedules, payroll records, and budgets of the entire organization and identify *all* cash outflows. Then set up specific relationships with key individuals in each of these areas so you can feel comfortable that if someone generates a new cash payout obligation in the future, you'll know about it.

Fourth, create a schedule of the maturity dates of every security you currently own and overlay it on the outflow schedule.

Fifth, when any cash comes in (either new or from a maturing security), invest it so that it matures one day before the cash outflow obligation is due. Each expected outflow for three months from the current day is considered a "hole" in the "wave." When all holes are filled, you are authorized to invest in securities with durations greater than the length of the wave. Tomorrow the wave rolls one day forward and we look to ensure that all holes remain filled.
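The five steps above can be sketched in code. This is an added example, not the City's spreadsheet: the 90-day wave, the nearest-hole-first rule, the carry-forward of surplus maturities, the no-interest simplification and all amounts and dates are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

WAVE_DAYS = 90  # assumption: monthly revenue cycle (~30 days) times three


@dataclass(frozen=True)
class Outflow:
    due: date
    amount: int
    label: str


@dataclass(frozen=True)
class Security:
    matures: date
    face: int  # cash returned at maturity (interest ignored in this sketch)


def find_holes(today, outflows, securities, wave_days=WAVE_DAYS):
    """Return [(outflow, shortfall)] for outflows inside the wave that
    are not fully covered by securities maturing before the due date."""
    edge = today + timedelta(days=wave_days)
    live = [s for s in securities if s.matures >= today]
    consumed = 0  # maturing cash already earmarked for earlier outflows
    holes = []
    for o in sorted(outflows, key=lambda x: x.due):
        if not (today < o.due <= edge):
            continue  # already due, or beyond the leading edge of the wave
        matured = sum(s.face for s in live if s.matures < o.due)
        covered = min(o.amount, matured - consumed)
        consumed += covered
        if covered < o.amount:
            holes.append((o, o.amount - covered))
    return holes


def place_cash(today, cash, outflows, securities, wave_days=WAVE_DAYS):
    """Invest incoming cash so it matures one day before each hole,
    nearest hole first (an assumed rule). Returns the purchases, the
    cash left over, and whether every hole in the wave is now filled,
    which is the condition for investing beyond the wave."""
    purchases = []
    for o, shortfall in find_holes(today, outflows, securities, wave_days):
        if cash == 0:
            break
        face = min(cash, shortfall)
        purchases.append(Security(o.due - timedelta(days=1), face))
        cash -= face
    still_open = find_holes(today, outflows, securities + purchases, wave_days)
    return purchases, cash, not still_open


# Constructed sample data, not figures from the City's portfolio.
TODAY = date(2009, 1, 12)
OUTFLOWS = [
    Outflow(date(2009, 1, 30), 500_000, "payroll"),
    Outflow(date(2009, 3, 1), 1_200_000, "debt service"),
    Outflow(date(2009, 5, 15), 300_000, "vendor contract"),  # outside wave today
]
HOLDINGS = [
    Security(date(2009, 1, 25), 400_000),
    Security(date(2009, 2, 20), 1_000_000),
]

if __name__ == "__main__":
    for o, gap in find_holes(TODAY, OUTFLOWS, HOLDINGS):
        print(f"hole: {o.label} due {o.due} short {gap:,}")
    buys, left, long_ok = place_cash(TODAY, 500_000, OUTFLOWS, HOLDINGS)
    for s in buys:
        print(f"buy {s.face:,} maturing {s.matures}")
    print(f"left for longer durations: {left:,} (authorized: {long_ok})")
```

Re-running `find_holes` with a later `today` rolls the wave forward; outflows that were beyond the leading edge then show up as new holes.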

The result of this approach is to quickly extend the portfolio's average duration to something greater than 30 days, and to provide opportunities for investment with much longer durations. At the City, by the time we'd completed a full year, we were able to invest out to about 3 years. The portfolio's average duration grew to three months and then longer and our returns went up.

There was a great deal more analysis that went into understanding the behavior of the wave, such as examining the cost-benefit of filling a hole 2.5 months in the future at one rate versus another hole closer in time at another, but you get the picture.

While driving returns up was important, more important was the ability to show the Finance Director a single spreadsheet, with all the holes filled to the leading edge of the wave, and give him confidence.

It was also a happy outcome that two major regional governmental groups (GFOA- Governmental Finance Officers Association and DRCOG- Denver Regional Council of Government) found the concept so exciting that they, along with the City itself, gave it awards.

-- Prescott Coleman, CIA, CISA

Thursday, January 8, 2009

Tis the Season (for admitting your Frauds)

There goes another one.

In what many across the globe are calling "the Indian Enron," the CMMI Level 5 software services company Satyam Computer Services LTD. confessed to perpetrating a massive fraud. According to their chairman, B. Ramalinga Raju, they've been inflating their earnings for several years to the tune of $1.6 billion.

I know, I know, this story is two days old.

However, the bit that may have passed unnoticed is the breaking news from The Times of India that Satyam received the ROC (Recognition of Commitment) Award from the Institute of Internal Auditors USA (IIA) in 2006. And, the company is listed on the New York Stock Exchange (NYSE) and audited by PricewaterhouseCoopers (PWC).

Now, the ROC award was sunsetted by the IIA on January 1, 2006 so it isn't entirely clear how this worked, but it isn't exactly the reputation-building news I would have liked to hear as a Certified Internal Auditor.

The effect on the Indian economy is expected to be significant, but the effect on the $50 billion offshore outsourcing industry is likely to be even greater, according to the New York Times. The good news, evidently, for Americans is that US firms like Accenture and IBM stand to profit as companies struggle to find replacement service providers. Thomas L. Friedman will be up late this week assessing the impacts on the Flat World.

It also bothers me on a personal level. At RSA, we worked with Satyam, as well as Cognizant Technology Solutions. They both, particularly Cognizant because of their in-country representatives, did a good job.

Being a glass half-full kind of person, I choose to see this unfortunate news as a form of reveille for management, the audit committee, and the audit profession. It is time to get up, time to adequately fund the audit function, and time to let it actually operate in a risk-based and independent fashion.

I know I have Philip Ratcliffe's vote.

Mr. Ratcliffe is president of the Institute of Internal Auditors (UK and Ireland). He wrote a piece today (January 8) in the UK's Accountancy Age, urging the same. Having spent some time in the communications and public relations business, it is not surprising to me that his comments come at this time. Damage control is a worthy endeavor, but it doesn't make him wrong.
-- Prescott B. Coleman, CIA, CISA

Annual Audit Planning – Part Two

So, the earlier post on planning took us from the Audit Universe through the Coverage Targets and dropped us off at the door in front of the Audit Bin.

Let's knock.

The Audit Bin is not your Audit Plan. The Bin is like a box full of apples or spare parts. It is the inventory stockpile of audits that you know meet your coverage target goals. There should be about 20% more audits in your Bin than can be done in a given year.

The Bin is built by looking through the risk analysis you built into your Audit Universe and selecting those areas that scored the highest. In my view, a risk analysis should have at least the following bits of intel (both objective and subjective).

  • Financial Exposure – how much money/resource/whatever could this area lose the company if things went horribly wrong -or- (on a more optimistic note) how much could it fail to achieve?

  • Rate of Change – How likely is the control environment to remain stable in the coming year -or- how much did it change in the last period?

  • Opinion of Management – in our travels, if we look for opportunities to reach out, we encounter all kinds of leaders in our organizations. I think it is valid to include a confidential risk factor based on our opinion of the strength of their leadership. We'd never rely on this for our audit opinion, but I think it is fair game in a risk analysis.

  • Operational Complexity – it is simple, paying claims or managing fixed assets isn't usually as complicated and prone to failure as underwriting or application development. I often take a page from the old Total Quality Management (TQM) book here. The more points in the process where someone has to make a judgment, the greater the likelihood error will be introduced.

  • Last Audit Result – You can't ignore an area that continually fails in its efforts at establishing controls.

  • Time Since Last Audit – If it's been awhile, you may want to go have a look.

  • Special Requests – Your risk radar may not be as informed as that Senior VP's when she asked you to do a certain review.
We gave these factors points and weights to approximate their importance.
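A sketch of how such a scored universe can be turned into an Audit Bin, as an added example rather than the spreadsheet described here. The weights, the 0-5 points, the audit codes, the Financial/Operational/IT target mix and the per-category quota rule are all constructed assumptions; the page gives only the factor names and the roughly 120% bin size.

```python
# Factor order follows the list above; the weights are constructed.
FACTORS = ("financial_exposure", "rate_of_change", "management_opinion",
           "operational_complexity", "last_audit_result",
           "time_since_last_audit", "special_request")
WEIGHTS = dict(zip(FACTORS, (5, 4, 2, 3, 3, 2, 1)))


def risk_score(points):
    """Weighted sum of the 0-5 points given to each risk factor."""
    return sum(WEIGHTS[f] * p for f, p in zip(FACTORS, points))


def build_bin(universe, targets, capacity, overfill=1.2):
    """Pick the highest-scoring audits per coverage-target category.

    universe: list of (code, category, points) tuples
    targets:  {category: share of audit resource}, shares summing to 1
    capacity: number of audits the team can complete in a year
    The bin holds about 20% more audits than capacity allows.
    """
    bin_size = round(capacity * overfill)
    ranked = sorted(universe, key=lambda a: (-risk_score(a[2]), a[0]))
    quota = {cat: round(bin_size * share) for cat, share in targets.items()}
    chosen = []
    for audit in ranked:
        if len(chosen) < bin_size and quota.get(audit[1], 0) > 0:
            chosen.append(audit)
            quota[audit[1]] -= 1
    # If a category ran out of candidates, top up by pure risk rank.
    for audit in ranked:
        if len(chosen) >= bin_size:
            break
        if audit not in chosen:
            chosen.append(audit)
    return [a[0] for a in chosen]


# Constructed audit universe (codes, categories and points are made up).
UNIVERSE = [
    ("UW-01", "Operational", (5, 4, 3, 5, 3, 2, 0)),  # underwriting
    ("CL-01", "Operational", (4, 2, 2, 2, 1, 3, 0)),  # claims payment
    ("FA-01", "Financial",   (2, 1, 2, 1, 1, 4, 0)),  # fixed assets
    ("TR-01", "Financial",   (5, 2, 2, 3, 2, 2, 0)),  # treasury
    ("GL-01", "Financial",   (4, 3, 3, 3, 4, 1, 0)),  # ledger close
    ("RE-01", "Financial",   (5, 1, 1, 2, 1, 1, 0)),  # reinsurance
    ("IT-01", "IT",          (3, 5, 3, 4, 4, 2, 0)),  # change management
    ("IT-02", "IT",          (4, 2, 2, 3, 2, 5, 5)),  # disaster recovery
    ("IT-03", "IT",          (2, 3, 2, 3, 1, 1, 0)),  # networking
    ("AD-01", "IT",          (3, 5, 4, 5, 3, 3, 0)),  # application dev
]
TARGETS = {"Financial": 0.5, "Operational": 0.2, "IT": 0.3}

if __name__ == "__main__":
    for code in build_bin(UNIVERSE, TARGETS, capacity=5):
        print(code)
```

With this data the coverage targets push RE-01 into the bin ahead of the higher-scoring IT-02, because the IT share is already used up.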

There are probably others. An interesting one in a multinational audit environment is including something like Country Risk. I can recall pointing out to our CIO that Pakistani bombs had just gone off in a city near where our Indian partners were hurriedly working on a couple of our key systems.

As well, all of us engaged in Audit Planning have to recognize that on some level, we're making subjective assessments about the above. However, that (as my last boss used to say) is why we make the “big buck.”

So, now we have a set of areas (more than we can do) that we are going to audit. Again, it's time to touch base with our Audit Committee and senior leadership. This contact can be less formal, but it is intended to, step-by-step, build support for what we're doing. No surprises is a major part of credibility.

When that's done, it is time to schedule. We usually allowed six weeks for any audit. The first four weeks were for testing work and the last two were for finalizing the report. Sometimes we'd make a visit at the beginning and sometimes closer to the end. We'd use a Gantt Chart to lay them all out and manage them. Basically, the business of scheduling is not that hard, though it can be complex with a large team.

The point, though, is that scheduling and risk assessment have very little to do with each other. A lot of audit planning processes I've encountered fail to recognize this, which is why the Audit Bin concept is so valuable. It allows you to disconnect risk from timing, to a large extent. And, it keeps the Audit Committee out of the details of managing your team's resources. Very important in some organizations.

And, with an Audit Bin, you can now reach out to your leadership team and tell them what you intend to audit, very early, probably before the year starts. You can get their input on when would be the best times to conduct the audit, and you haven't wasted any time with the intricate business of vacations, travel, availability of key team members, or the other 50 or so complexities of scheduling people.

Well, now that you've finished Scheduling, you have an Audit Plan... one of 12 you'll have throughout the year.

Flexibility *and* structure are the goals here, remember.

-- Next Time... The Three Month Rolling Plan

Prescott Coleman, CIA, CISA

Tuesday, January 6, 2009

Honest and Respectful

You know, one of the greatest compliments I can recall receiving came from a man who was about 5 foot 5 inches tall.
Not that his height had a lot to do with it, I'm not tall myself, but it does add color when you realize that this unassuming fellow founded an entire national-level, top-tier university in 2002. The story only gets more interesting when you learn that as of the beginning of the 2008-2009 academic year it had grown to 5,500 enrollees.

It would be silly to suggest he did it all on his own, but there can be no doubt that it was hugely due to his tremendous force of personality that this institution came into being. He is Canadian and so founding a university is not just a matter of influencing academics, finding funding, and setting curriculum - it is a supremely difficult political act involving the provincial government.

The compliment he paid me resulted from a major report I'd written. As the President of this university he hired our firm in 2005 (about 2 years into its operating life) to have a data-driven look at how it was going, how the new institution was being perceived, and how it was structured internally. It was a good time for this and we interviewed some 60-70 people on campus individually and in groups. We pored through data on admissions and fundraising, and I wrote about an 80 page report detailing the situation and providing a set of recommendations.

Now, I tend to think 80 page reports are much too long. And, they certainly are in a corporate environment - probably too long by 10 times. Indeed, when I was doing strategic auditing for RSA, our rule was no more than 10 pages, delivered no more than 10 days after completion of fieldwork. No one would read more than that anyway and after two weeks the findings and recommendations get stale.

But, in higher education (even Canadian higher ed) there is value to demonstrating the completeness of the analysis. To some degree, the more like a dissertation, the better.

So we were in his car speeding to the train station... you begin to get the picture of how dynamic this man in his middle 60's was, when you realize he'd paid to have us come all the way from Denver and this was the best time slot available to go over the report... when he turned to us and said, "well, I've read it." It was clear from the way he said it that he was rather picky about what he chooses to read.

Then he said, "I was very impressed. I only found two typos."

And then the compliment came. He said, "I found it honest and respectful." He went on to describe that it had just the right balance of solid analysis, hard-hitting recommendations, and respectful tone that would help him use the report to effect significant change on his campus.

You see, in higher education, for as impressive a fellow as he is (he has recently retired), Presidents don't wield the power they do in corporations. Universities operate a "shared governance" model, that requires Presidents to be influencers, never autocrats.

He was saying, with that one phrase, that we had given him an invaluable tool to influence his organization.

I have never forgotten that compliment, because it sums up in three words what a great audit, analysis, or study MUST be to effect meaningful change.

- Prescott Coleman, CIA, CISA


Monday, January 5, 2009

Annual Audit Planning – Part One

A new year means it's a great time to talk about annual audit planning.

Acknowledging that audit planning is an oft-reinvented wheel, the process we developed at RSA has some nice innovations that I've not seen or heard of elsewhere. Still feeling the lingering effects of the holiday spirit, I thought I'd share them.

This post begins a several part overview on interesting and useful annual planning techniques. The below diagram lays it out visually.



I'm a big believer in operating a well-controlled audit function. That means, like everyone else, being able to establish goals, work toward those goals, and, at various points, being able to report on how well the goals are being achieved. However, if you've paid any attention to this blog, you'll also know I'm a big believer in matching the audit process to the organization's rate of change.

Accomplishing both objectives requires techniques that demonstrate stability while encouraging flexibility.

Not a new concept. Indeed President and Supreme Allied Commander, Dwight Eisenhower said it best when he declared,

“In preparing for battle I have always found that plans are useless, but planning is indispensable.”
Keeping President Eisenhower's point in mind, our process had the following components:

Audit Universe with Risk Factors – On a massive spreadsheet, and using Excel's database management tools, we listed every significant business unit, function, key project/initiative, and core system. We also mined CobiT, ISO, and other ISACA sources for IT-specific components like change management, disaster recovery, information security, and networking. Using our prior knowledge of these areas' control environments, as well as direct interviews, we rated each element in the Universe in terms of its pure business risk, rate of change, perceived quality of leadership, and other risk factors. This was our first line of risk assessment.

We also coded each potential audit.

Coverage Targets – There are always more audits to be done than resources allow. So, it's crucial to find a way to balance competing priorities and to understand the implicit choices being made. The Coverage Target concept addresses this need by explicitly defining, before the audit plan is built, the degree of resource we intend to focus on various areas and risks. For example, at RSA we used five sets of targets (you can certainly use more, but the complexity increases).

  1. Key Risk Themes (this is good stuff and I'll probably blog about it on its own later)
  2. Organizational Unit
  3. Approach Types (described more fully in my post on Audit Approaches - The Speed of Change Model)
  4. Financial, Operational, or IT (probably the most classic)
  5. Group Risk Category (this was a requirement of our World Group Office and won't mean much to anyone outside of RSA – so I'm not going to talk about it.)

We'd establish, beforehand, the mix of audit resource that would be devoted to servicing the components of each of these areas. Using the codes that were applied to each potential audit, this created a multi-dimensional guide for our audit plan.

It is probably easiest to use the Organizational Unit coverage target to illustrate. You see, based on all the things we knew about the organization, informed by regular and direct conversations with senior leadership, we'd establish something like the table below.


It is instantly obvious that for this planning year we intended to focus most heavily on the Business Insurance unit. The exact balance was a strategic choice and the use of these kinds of planning tools allowed us to execute against this choice.

Another example might be:

With a well-rounded set of coverage targets in place, selecting areas to audit from the Audit Universe goes further than just adding up risk points or some other calculation.

And, once we'd defined this set of targets, before choosing even one audit for the actual plan, we'd get the Audit Committee's approval and management's agreement.

With these authorizations, we'd have both structure *and* flexibility.

As long as we used our resources to match these targets, we could adjust the specific audits to handle on-the-ground changes. We could also be very frank, very early, with management about the kind of attention their areas would receive. We didn't have to be overly specific, but we could tell them, with a fairly high degree of certainty, the number of audits we'd be conducting in their areas.

Finally, using the coverage target approach, we take a process frequently criticized for its subjectivity and give it a level of objectivity. This can be extraordinarily helpful when building partnerships with your business units.


--Next time... the Audit Bin (disconnecting the risk analysis from the scheduling)