SUPPORT CENTER

DATE: 3/18/03
QUESTION: How many risks should be monitored for each event? Also, how many risks should each management group be monitoring?
ANSWER: There is no fixed number. It can be as small as one to quite a few. It all depends on how the company is structured. If the entity that you are reviewing is very complex, it will likely have many business objectives. All our concepts focus on only those risks that directly impact the ability of your executives to be successful in meeting their business objectives since most companies have little time or money to manage any more. With multiple business objectives, you will have multiple risks.

DATE: 3/17/03
QUESTION: Does your company have any support products for Sarbanes Oxley 404 work?
ANSWER: Yes. Click on the Sarbanes-Oxley 404 White Paper link. We will soon have our SOX404 software product ready. Check this site for a release date. Call us direct if you need additional information.

DATE: 3/14/03
QUESTION: Is there always a direct link between the risk monitoring graph at the Management level and specific controls at the Performance level of a process?
ANSWER: Maybe. Some risks may have a specific linkage. For example, you may be monitoring the number of checks in a payroll system that are sent out late. That relates specifically to the Timeliness Control Objective at the Performance level. If you are monitoring at the Management level, say, risks associated with errors in revenue bookings to a general ledger, or finished goods quality reject errors for a production line assembly process, there are multiple real world events involved and almost all of the Performance level control objectives. I wish that there was a perfect algorithmic relationship, but there isn't. Sorry.

DATE: 3/7/03
QUESTION: Can you provide any references to audit management that has successfully implemented RBIA in a large company? Our company is $25B annual sales.
ANSWER: Yes, we can (see our Preferred Customer List). All companies make modifications to RBIA in order to suit their unique structural, geographical, and organizational issues, so I would need to know more about your company in order to connect you with someone appropriate. Please call me directly for specific references.

DATE: 2/26/03
QUESTION: Do you have a copy of the Canadian COCO study on internal control or know where on the web I could get access to it?
ANSWER: CoCo stands for the Canadian Criteria of Control Board. Contact the Canadian Institute of Chartered Accountants in Toronto, Canada on 1-416-977-3222 or visit their web site at www.cica.ca.

DATE: 2/21/03
QUESTION: Your company's concepts and tools around governance do not seem to address the board of director governance issues that the IIA and other organizations are very vocal about. Why is that?
ANSWER: The IIA is doing a good job at helping draw attention to the corporate governance failures in corporate America. We support their efforts.
The Risk Based Integrated Auditing and Practical Governance and Risk Management concepts all address governance from the perspective of vice presidents and officers in their day to day role of running departments or performing on Executive Sponsoring Committees of various projects. We have designed specific tools that you can use in your day to day audit or process management roles. We don't believe that the average internal auditor is going to receive a phone call and be asked to perform a review of how well their board members are performing their governance duties. So we have not developed any tools for this purpose. Our governance tools apply in your day to day work.

DATE: 2/13/2003
QUESTION: What is your stance on the Sarbanes Oxley bill and its impact on audit groups?
ANSWER: We are producing a detailed White Paper covering this issue. It will be available shortly and can be downloaded as a pdf file. Please check back soon and download a copy.

DATE: 2/3/2003
QUESTION: Since our customers are executive level and do not typically see the amount of fieldwork that goes into an audit, we attempt to write reports and action plans that demonstrate our value and competency. Is there a benchmark for a percentage of time that should be spent on the report and action plan writing and editing? Does RBIA have a different benchmark than the traditional audit methodology? How does the scope of the audit affect that benchmark? Is there a golden-rule "minimum" and "maximum" number of hour(s)?
ANSWER: There is no benchmark for a percentage of time that should be spent on a report. RBIA's process is heuristic and the first drafts of the bullet points that will end up in the final report (or presentation - whatever the customer prefers) - are formed very early on in the audit. They are constantly refined every time the audit team meets. Since there is no benchmark, the scope does not affect it.
Under RBIA, if the risk is well controlled and there are no findings, the report or presentation will be very brief. But so will the cost. There are no minimum and maximum golden rules for the time to write an audit report. Your question implies that there is a standard way to do audits and that there is a standard amount of time to spend on each part of the audit. If you do audits like public accounting, where every audit is pretty much the same and value does not drive the end product, there is a lot of cost to justify. If you don't find anything, you have this massive cost and nothing to show for it. So auditors try to make a report value added in some way to justify the massive cost. This will never happen under RBIA's value enhancing methodology since you stop the audit very early if the Management Control Structure is in place and functioning. There is no need to spend any more time and you can move your scarce audit resources onto other higher risks. To be honest, the preferable situation for any executive IS a low cost, fast audit that comes to the conclusion that everything is OK. If you want to learn how RBIA can make this happen, sign up for one of our RBIA seminars on this web site.

DATE: 1/23/2003
QUESTION: I recently went through your process management seminar. I liked the governance and management parts but got a bit lost in the performance part. My job is down in that performance part. My question is that if the executives don't do the governance part, and managers don't do the management part, what value is there to me grappling with and trying to understand the complex performance stuff?
ANSWER: Good question. The direct answer is the satisfaction of attempting to do the right thing and the best job that you can do. The problem is that you will inevitably end up either under controlled or over controlled since the Governance and Management pieces are missing to determine the appropriate levels of control. Both situations are bad for you.
Under control means that too much is going wrong. You may be blamed. Over control means that nothing ever goes wrong. You may be seen as redundant when cost cutting initiatives start. This is what I am referring to when I make the statement that the Governance, Management and Performance concepts create a structure where "controls protect people". You didn't mention why the Governance and Management levels are not discharging their responsibilities. The most common reason that I find is that they simply don't want the spotlight put on what they are doing and how they are doing it, i.e., they don't want to be accountable. A lot of people talk about accountability but don't want any accountability focused on themselves. I suggest that you look at the ethics and integrity of the leadership team of your company. If they are "challenged" in that area, there is a very good chance that you will be hung out to dry when things start going wrong.

DATE: 1/17/03
QUESTION: I have just started in audit. We are doing an audit in a remote location. There are 3 on the team. One is a CPA, another is a technology auditor and myself, an engineer. I do not have a formal audit background, but I was told during the recruiting process that we work very closely in teams and value different skill sets. This is the third audit that I have been on where my fellow "team members" do their own thing. They follow their own audit procedures. They are really buried in the details and have no interest in addressing the major issues that I can see. Is this normal in the audit world? Any suggestions going forward?
ANSWER: Your comments indicate to me that this is not the environment that you were expecting when you moved into the audit world. The only advice that I can give you is to have a discussion with your manager and see whether the behavior that you are seeing is really the operating philosophy of the department. If it is, the recruiting talk was all sales jargon to get you on board. You can then make the appropriate decisions for your career. Alternatively, the behavior that you are seeing is not the operating philosophy and your manager can take the corrective action necessary.

DATE: 1/3/03
QUESTION: I think that the vice presidents and other executives in our company believe that they are doing a great job. I think that they are ethical. I say this because their individual areas seem to be ok. But overall, we are not doing too well. We have raised the Governance issues but to their mind, they already believe that they have goals, etc. The goals they state, however, are vague and not specific. They claim that they are managing their own risks just fine. How do we solve this problem?
ANSWER: You have not indicated to me exactly who "we" are. The answer to your question is different depending on whether you are a vice president, internal audit group, middle management team, or other group in the company. The common thread through your question is that while the executives believe that they are doing good governance, in reality, they are not. The problem is that they probably see themselves as the leader of their own hierarchical organization structure as their first priority. Instead, their first priority as an executive is to be a member of the company's overall management team with their fellow executives. Their second priority is to be the leader of their own hierarchical organization. It seems to me that you have an overall leadership problem from the very top of the company.
A top priority of every leader should be to pull the executives together in a team to focus on overall company goals. This is called Governance. This then drives what each executive does in their own areas. Not the other way around. Until I know more about where you are in your organization, I cannot offer any more thoughts to help you. Sorry.

RBIA and PGRM Osterio, Inc. All rights reserved worldwide.
Updated: February 2, 2007