SUPPORT CENTER

DATE: 02/02/01
QUESTION: We are planning the move to RBIA. We have almost completed addressing all the issues in your "Implementing RBIA" guide. What is the number one showstopper that will prevent the success of an implementation?
ANSWER: General Auditor not committed. This usually manifests itself in three critical areas. First, the General Auditor is not prepared to raise difficult issues with executives and is not prepared to tackle the real business risk/control issues in the company. Call it job security or personality traits, this is a fact of life and will kill any RBIA implementation. Secondly, the General Auditor refuses to mandate RBIA as the standard audit approach for the internal audit department and leaves it up to the auditors' discretion. This lack of leadership will only lead to mass confusion. Some will want to do it and others won't. In the absence of clear leadership, people will always resort to the path of least personal risk, which is the one that they will not be held accountable for, i.e., the traditional, audit program driven, "tell me what to do" approach. The third way that the General Auditor's lack of commitment will materialize is their refusal to hold auditors accountable for delivering on commitments in return for their salary. The basis of RBIA is to make commitments (value deliverables, dates and costs) to vice presidents in the company. RBIA team members make similar commitments to each other. If the General Auditor will not remove people who consistently refuse to deliver on the commitments that they make, RBIA will not work.

DATE: 02/15/01
QUESTION: I am an IT auditor and attended one of your recent IIA chapter dinner speeches. We struggle with how we would quantify the value of our detailed technical level IT audits at the vice president level. Any ideas?
ANSWER: The premise of your question is that, under RBIA, your scarce audit resources would still be allocated to detailed technical IT audits.
This would only occur under RBIA if the vice president and the Audit Executive both agree that this is where valuable scarce audit resources should be allocated. Given all the technology implementation issues that companies face, you have to face the prospect that your detailed, technical audits just may not get done with the resources that you have available. Assuming that the vice president and the audit executive agree to perform a detailed technical level audit, the standard RBIA Team Success Objectives concept is the way that the value created would be measured.

DATE: 02/19/01
QUESTION: Should recommendations be assigned a priority rating by audit?
ANSWER: The way the recommendations are presented, especially the "so what" (business risk impact) component, should make it evident which recommendations are of the highest priority. If the Vice President would like audit's thoughts on which recommendations should be implemented first, then by all means assign a priority. However, I would not assume that every vice president would welcome such input. Remember that RBIA tailors the way that you present your findings to suit the requirements of each vice president.

DATE: 03/20/01
QUESTION: I attended your Continuous Monitoring seminar in Albany NY last week. Our IT auditors are not interested in helping us develop continuous monitoring models and say that they have to follow the standards of the ISACA organization. Can you please give us some thoughts on how to address this issue?
ANSWER: We come across this "I just want to play in the technology playpen" issue a lot. While this may come as a surprise to your IT auditors, they actually work for your company, not ISACA. For all the tremendous benefits and assistance that professional organizations provide, they do not pay your salary, nor do they underwrite the success of your company and its stock price.
Your General Auditor determines the direction, philosophy, focus and scope of the audit department's activities in accordance with the internal audit charter signed by the chair of your audit committee. Professional internal audit organizations provide excellent guidance and assistance, but they have absolutely no legal force of law to dictate what you must and must not do. My guess is that the ISACA standards are used as an excuse. Your IT auditors simply don't want to do continuous monitoring. This now becomes a "who's running this department" management issue for your General Auditor to resolve. The irony is that, in a small audit department, the area where IT auditors can add the most value is in building continuous monitoring models. Please bear in mind that we have encountered numerous IT auditors who claim to know technology auditing but have never actually built any technology based system. You may be asking them to build something that they simply don't have the skills to accomplish.

DATE: 03/27/01
QUESTION: How do RBIA and PGRM relate to the Control Self-Assessment movement? I have spoken to a lot of Internal Audit groups that have been focusing on CSA vs. "traditional auditing", since CSA reinforces that management has responsibility for controls. Also, CSA puts Audit in the role of partnering with management through facilitation techniques. The big difference seems to be that CSA starts with use of a control framework such as COCO or COSO, where RBIA starts with management's concerns. What are your thoughts on CSA vs RBIA, and can they both be used by an audit department at the same time?
ANSWER:
The RBIA tools of Governance, Management and Performance are often used for CSA type projects. The driver behind the RBIA tools is to make audit customers (executives) successful in accomplishing their business objectives, not to comply with outside studies.
RBIA and PGRM Osterio, Inc. All rights reserved worldwide.
Updated: February 2, 2007