Friday, November 28, 2008

Did you know...

Ever since I worked with an IT partner in India to build a proprietary workpapers system, I've been a believer in Thomas L. Friedman's Flat World.

We'd send our requirements and revisions to the team, overnight they'd work on the problems, and in the morning the changes were made. Now, at that time, the folks in India were primarily order takers. They had a difficult time suggesting solutions and helping us visualize ways it could be better. Even though they were a CMM Level 5 company then, I'm guessing that team is much better now.

I had this opportunity because RSA was a global company and, frankly, the price of admission to the Indian insurance market was setting up this kind of partnership. However, in my work with colleges and universities, I found that, international business programs notwithstanding, most had only a passing relationship with the flat world.

In response, in seminars and presentations, we began using the video below to jump-start the sense of urgency and to begin to build "the business case for change."



What does this have to do with auditing, you ask?

I think it makes a pretty good case for innovating the practice of audit so that it can function in a world with a high degree of change.

Prescott Coleman, CIA, CISA

Thursday, November 27, 2008

Reports in Ten Days

When I tell people that at RSA we produced audit reports within 10 days, the reaction is usually disbelief.

Why and how?

The "why" is pretty simple. Audit work is perishable. The longer it takes to deliver a report, the less valuable that report becomes. In an environment experiencing a high degree of change, even 10 days can be too long. Staff or management may turn over, serious control breakdowns may occur, and leadership will lose interest if reports take a long time.

The question of "how" is probably more interesting. Some of the key points are:
  1. Reports have to be short. We set a standard of no more than 10 pages.
  2. Reports have to be easy to write. If the report is a creative writing exercise, it will take too long to write and too long to quality control (QC).
  3. Audit work should be front-loaded as much as possible. For example, we'd get insurance claim files sent to us in advance. That way when we hit the ground on-site, we spent our time talking to people and tracking errors back to their source.
  4. Workpapers should back up the findings and no more.
  5. Brief the management as soon as you have your findings; if they challenge your findings, you'd rather have that happen before you write the report.

We used other techniques as well, and I welcome comments on others that will help increase speed of delivery.

Prescott Coleman, CIA, CISA

Global Consultative Audit - E&Y Survey

When we built the Business Control Consulting (BCC) team in 2001 within Internal Audit at Royal & SunAlliance, we didn't know how far ahead of the curve we were.

Just released yesterday from Ernst & Young, a new study of global internal audit practices finds:
"Difficult economic conditions and heightened shareholder expectations have put pressure on executive management and audit committees to improve risk management and deliver greater value.

As a result, internal audit’s role is clearly evolving and becoming more consultative. Regulatory compliance continues to be important, but management now expects performance improvement recommendations and insights into emerging risks, in addition to coverage of a much broader range of risks."

- Neil Aaron, Global Leader for Internal Audit at Ernst & Young.

Indeed, according to the study of 348 internal audit executives in 35 countries, reported on finchannel.com, greater focus on operational risks will be needed over the next two years, with 75% of respondents citing focus on IT, 61% on mergers and acquisitions, 53% on major capital programs, 45% on performance improvement, 44% on information security, and 39% on fraud.

Prescott Coleman, CIA, CISA

Tuesday, November 25, 2008

Presidents have five fingers (on one hand)

Among the most powerful lessons I learned as a consultant to higher education presidents is that they only have five fingers.

Right now you're thinking that I probably should have known this already, but I assure you that this piece of intel is critical and not to be taken for granted.

I came upon this realization working with an extraordinarily distinguished president of a well-known medical school. You see, we had some tough news to tell him and he wasn't necessarily the person who had advocated for our hire.

He was a striking individual. To begin with, he was British through and through (Welsh, specifically) -- with the demeanor of a London barrister. Second, he was the spitting image of George Washington. I kid you not. Intimidating to say the least.

But I digress.

We had some tough news to tell him about his school and it largely regarded the significant investment he had just made with another firm who, in our opinion, messed it all up. We thought we'd better discuss it with him in advance of it appearing in our report, so we arranged a telecon. The day before, my colleague and I began strategizing about how we would go about delivering the news.

Recognizing that presidents, as a general rule, have three things in common, we crafted a strategy that worked brilliantly with him and a half-dozen presidents since.

You see, all chief executives share the following. They...

  1. Have limited time
  2. Have about 300 other things to think about that day
  3. Don't necessarily regard your work as the most important of the 300.

So, the technique at hand (pardon the pun) is to package the information so they can assign one issue to one finger. Now, I don't suppose they actually do this literally, but in terms of digesting information you just can't exceed five points. Regardless of how extraordinary your audit or analysis work may be, I have found that even the sharpest senior executives will stop listening after five items.

While most critical in a verbal briefing, I have found it wise to consider this unassailable fact when structuring report recommendations too.

Prescott Coleman, CIA, CISA

Monday, November 24, 2008

Speed of Change

Usually when you're trying to sell an idea to your management, it helps to give it a name. Not being horribly inventive at the time, I tossed the two most important words together with an "of" in the center and called the idea the Speed of Change auditing model.

As simple as the name is, the concept is even simpler. It is founded on the idea that the value of an audit decreases every day after the audit work is completed. How quickly it decreases is governed by how quickly the environment you just audited changes.

Many internal audit plans and programs are built assuming that change is minimal, but in today's environment that assumption is seldom valid.

The truth of these principles began to take shape for me when I realized that the active membership of the IIA in Charlotte, NC was made up principally of governmental entities, utilities, banks, consultants, and other financial services companies. Notwithstanding recent events, at the time these organizations were considered pretty slow-change outfits. Missing were high tech companies, Internet businesses, software companies (even though Microsoft had quite a large campus there) and other organizations known for their rapid rates of change. By the way, at one point, to test this hunch, I had a look at the membership directories of a couple of other Chapters and the same trend was evident.

Now, admittedly, this is not a valid statistical sample, but it got me thinking.

Why do companies that thrive in high-change markets seem to place less value on internal audit? I considered the possibility that maybe they were moving so fast they just couldn't come to the meetings. However, their CIAs and CISAs (if they had any) would need CPE too, so I dismissed that idea.

After discussing this with lots of my IIA and ISACA colleagues, the conclusion to which I came was kind of troubling. The consensus was that these organizations didn't see much value in the classic internal audit approach: one defined by lots of discovery testing, long engagements, huge reports, and a healthy appetite for workpaper preparation. Apparently, it was just too slow.

As a team at Royal & SunAlliance, we realized that an audit approach for the 21st century had to deal with change in a way that one for most of the 20th did not.

Interestingly, we were providing assurance services for a 300-year-old British insurance company. By some definitions, this is the epitome of a low-change organization. However, this one was on a rapid growth vector. They were buying companies all over the world, connecting them together, and trying to drag their systems and processes into the current epoch. Over what had become a seriously fast-moving organization, we had to somehow provide an opinion to the Audit Committee that meant something.

In response, we began to evolve the Speed of Change model. Given the subject with which it deals, I suppose it will always be evolving. As it took shape, we found that it had something like five pillars. They are:
  • Audit work is perishable. Reports must be issued very quickly after the audit work is completed.
  • Brevity is valuable. Reports should be short; outfits experiencing lots of change can only work on so many things at once anyway.
  • Risk and change go hand-in-hand. Risk profiles and audit plans must include a variable for the likelihood that things will stay the same. We'll be back soon if it is in flux, not so soon if it's stable.
  • Drilling exploratory wells wastes valuable resources. Plopping down in an area and testing till we find some deviation is not a good use of people or time. Other ways are better.
  • Effective business-audit partnerships are crucial. You've got to know the management of each unit well and they need to see your role as valuable.

Over the coming weeks and months, I think I'll explore this concept and others through this blog. I invite healthy debate and discussion.

How do your organizations audit in a world that shows no signs of slowing down?

How do you ensure your audit functions are providing work-worth-paying-for?

Prescott Coleman, CIA, CISA