SUPPORT CENTER

DATE: 09/19/00

QUESTION: Should we share the details of the value TSO with our audit customer?

ANSWER: The TSOs are an INTERNAL document for the audit department. Please do not copy them and forward them to anyone outside the audit department. You can guarantee that they will be copied and spread all over the department that you are auditing. You will spend way too much time explaining them, especially to people who do not understand objective-driven team work. If the TSOs relate to the Accomplish Objectives or Economy and Efficiency scopes of work, you will waste additional time explaining to middle managers what the role of audit is. If you are new to the RBIA process, there is a good chance that you will not meet the TSOs until you sort out your teamwork issues. Why broadcast your internal team work issues to the rest of the company? You MUST communicate to the Vice President the content of the value TSO, the date that you are committing to deliver and the cost that you are committing to manage the audit to. This information must be communicated in whatever format the Audit Executive and the Vice President have agreed to communicate in (e-mail, voice mail, formal letter, etc.). This is important to ensure that there is no miscommunication between the Audit Executive and the Vice President. I strongly suggest that you use different wording than the exact words in the TSO and do not share your proposed rating criteria.

DATE: 09/12/00

QUESTION: Our director has asked a few of us to propose a packet of report examples. The examples should be in the form of an executive summary, audit report, and presentation. We are looking for a new format and look. Are there any RBIA audit departments willing to share their report/presentation formats?

ANSWER: In your RBIA seminar handouts there is a sample of a report format. Be very careful of attempting to create a "standard" audit report format. Vice

DATE: 09/06/00

QUESTION: Governance is becoming a buzz word at our company. It seems that more and more emphasis is being placed on governance at the corporate, as well as at the management, level. We're meeting today with a VP to discuss governance. I have my RBIA laminated "cheat sheets" but I am confused about the VP's role. The RBIA training manual states that the VP establishes the strategy/goals, but not objectives. However, the VP is responsible for approving Risks and Limits to Risks. How does he approve limits to risks if he doesn't set the objectives? Can you clarify the role between strategy, objectives and approving risks? Thanks.

ANSWER: The fact that governance is becoming a buzz word is an indication that you are starting to tackle the key issues in your company. Congratulations. The response to your question is a timing issue. VPs establish high-level goals and strategy. At this point, there is no way that they could know all the risks, since they are not close enough to the actual resource deployment issues to figure out the best processes to set up to execute the strategy to accomplish their goals. The Management level then takes those high-level goals and strategy and figures out, given the resources that they have to deploy (and other constraints that they have), very specific objectives that they believe they can accomplish in order to make the goal happen (execute the strategy). They define specific deliverables, due dates and budgets for each objective. It is only when Management figures out the detailed objectives that they will be in a position to know what the actual risks are. Management then has a first stab at the limits of risk, which are then placed in front of the VP (Governance) for approval. Expect this process to go back and forth somewhat. "Hands on" VPs may be more aware of the risks than "hands off" VPs.

However, it is very important that management comes up with the specific objectives (measurable deliverables, dates and budgets) before you discuss limits of risk. By trying to discuss risks at the goal/strategy level, you are working on incomplete information and making the exercise much more difficult.

DATE: 09/05/00

QUESTION: We are working with one of our VPs in a consulting mode to help with process redesign. We facilitated a meeting with the VP and some of his key managers. During the meeting, they outlined their objectives and together we identified key risks. Once we identified key risks, we asked the group to focus on and identify limits of risk. We expected to come out of that discussion with limits of risk set in terms of numbers. Instead, in most cases, the limits of risk were stated more in terms of standards and expectations. For example, one risk identified was the potential failure to adequately describe vendor responsibilities in contracts with outsource partners. The limits of risk that came out of the discussion included things like always routing contracts to Legal before signing and including service levels in every vendor contract. We're new at RBIA and concerned that we didn't get what we needed out of that meeting in terms of limits of risk. Are we on the right track? Do limits of risk always have to be stated in terms of numbers? Thanks!

ANSWER: You are making a good start. Congratulations on being involved in facilitating the meeting with V.P.s on risk. Engaging V.P.s in a discussion about risk and starting them thinking about how much risk they will accept is a huge step forward for any audit department. Ideally you should be coaching them along the lines of identifying "the number of contracts they would be prepared to live with that do not have a legal review" ("zero" may be an appropriate limit) or the "dollar amount of claims/refunds, etc., arising from inadequately defined vendor responsibilities".

We have encountered many instances where the V.P.s simply do not know a number and do not have a quantitative feel for the issue. The RBIA auditors are the first ones to have approached them with this thought process! In such cases it makes sense to focus first on establishing key metrics (RBIA's Management Control Structure) to establish a baseline as to where you currently are. For example, if you start monitoring money losses arising from the lack of defined responsibilities in outsourced contracts (including people's time to sort out the problems that arise), you will have a basis on which to engage V.P.s in a further discussion around quantifying their limits of risk. Again, congratulations on your accomplishment in facilitating this discussion.

DATE: 08/24/00

QUESTION: We've had our first team meeting and done a first stab at identifying the TSOs and completing the risk matrix for our audit. So we have our hypothesis and some tasks related to proving it out. How much effort should we put into completing those tasks before we send an engagement memo to and get buy-in from our audit customer? Should we get that buy-in before we move forward with tasks? Before we move on to our second meeting? Thanks!

ANSWER: None. There is always the possibility that the Audit Executive and the Vice President have disconnected. The mode of "buy in" and the speed at which it occurs is a function of the relationship between the Audit Executive and the Vice President. A voice mail or e-mail may suffice, in which case you could start fairly quickly. This is another reason to avoid formal "letters of announcement" if you possibly can. It slows you down too much. "Buy in" also assumes that you are not, and, of course, should not be, asking middle managers to "approve" what you plan to do in the audit.

DATE: 08/09/00

QUESTION: I attended one of your recent PGRM seminars. Can we apply these concepts without the full support of our vice president?

ANSWER: We discuss a lot of concepts covering the Governance, Management and Performance levels of processes in the three-day seminar. As a manager (I am assuming that you manage a part of your company's business) you are personally responsible for establishing the appropriate level of control in your processes and operations. There are many components of the PGRM seminar that you can apply at the Management and Performance levels to help you be successful. For a vice president to not support the PGRM concepts is to admit that they do not see their fiduciary responsibility to manage risks to the stockholders' assets that they are accountable for. I tend to look at this from two perspectives: Education and awareness. With everything that vice presidents have on their plate, they do not see the PGRM concepts in the same light that you do. The solution is to "manage upwards". Present the concepts and the specific actions that they must take (risk/limits approval) in the context of "protecting them". There are some vice presidents who want to distance themselves from their fiduciary responsibilities and play political games. This is a serious situation with ramifications much wider than the success of the processes that affect your area. There is not a lot that you can do in this situation, other than question the ethics of the company that allows such behavior to continue. I suggest that you have a confidential discussion with the General Auditor of your company.
RBIA and PGRM Osterio, Inc. All rights reserved worldwide.
Updated: February 2, 2007