to osterio.com
Internal Audit Training and Risk Management seminar
Products
Online training
support Center
The Osterio Group

Business Process Improvement








Internal Audit Training

Risk Based Auditing

Auditing Seminars

Risk Management Seminar

SUPPORT CENTER
Q&A 3rd Qtr 2003

DATE: 9/24/03

QUESTION: What is the value in joining the Institute of Internal Auditors given all the corporate failures of recent times. It seems that the IIA failed completely to stop them?

ANSWER: I am a big supporter of the IIA. They offer a lot to the professional internal auditor. In addition to the meetings, seminars and training they provide, their reference library is excellent and it is a great organization to network within. I firmly believe that your career is too important to place in anyone's hands except your own. Professional associations and qualifications are always valuable from a resume perspective.

I do need to comment on part of your statement. The recent corporate abuses were caused by a complete failure of corporate governance and oversight that failed to catch the breakdowns in ethics by the stock brokers, analysts, public accountants, lawyers and commercial bankers that should have stopped the unethical management practices in some companies. The IIA had nothing to do with this failure. There is absolutely no legal relationship between corporate America and the IIA. There is no law sanctioning the power of the IIA.

Perhaps the appropriate question is how come internal audit didn't detect the abuses that were happening. Perhaps they did and their companies refused to act on their findings. Or perhaps their way of doing auditing would never have detected the abuses. In either case, the IIA was not to blame.

DATE: 8/26/03

QUESTION: What do you think about Six Sigma and how does it tie into the RBIA approach? Is it worthwhile for auditors to have training in both approaches? Thanks.

ANSWER: I think Six Sigma is great where the risks are high enough and the limits of risk that Governance is prepared to accept are so low that almost no chance of error can be tolerated. Please remember, however, that Six Sigma does not mean zero errors.

If your company had unlimited resources and your marketplace allowed unlimited time to do things, it is an interesting intellectual exercise to apply Six Sigma to a lot of processes. The reality of life is that you do not have unlimited resources or time.

RBIA and Six Sigma are not competing methodologies. RBIA is an audit approach to look at risks. Six Sigma is a quality approach to managing risks where almost no chance of error will be tolerated by Governance. If your company is involved in very high risk/low tolerance work efforts, I think it makes a lot of sense for internal auditors to understand how Six Sigma works and how it is being applied in your company. RBIA is still the framework to audit how Six Sigma is being applied.

DATE: 8/21/03

QUESTION: The IIA standards require audit programs. I attended a recent RBIA seminar and understand, and agree with and support, why RBIA does not have audit programs. My question is how do we deal with the IIA standard from a quality review perspective.

ANSWER: We are dealing in semantics. If you define an audit program as a methodology that creates discipline, structure and rigor to the way you do an audit, then the RBIA process more than meets the requirement for an audit program. As you saw, and demonstrated yourself in the seminar case studies, the RBIA process will allow you to audit risks and business issues in a disciplined, structured manner that a "comprehensive list of standardized audit programs" will never allow you to address. RBIA more than meets the requirement for "audit programs."

However, if you define an audit program in the traditional manner as a set of tasks that are allocated by someone who sits in their office and tells junior staff what to do, the RBIA self directed team structure does not incorporate this way of doing audits since it is impossible to add any value. You can build up costs (or billable hours if you are an external organization - more profit!) but you cannot add any value. Traditional audit programs are inextricably linked to the hierarchal organization structure where the thinkers (who do planning and reporting) are disconnected from the doers (who do fieldwork.) Since RBIA works in flattened team based structures where everyone on the team is accountable for the end product, the traditional "assign tasks" audit program does not work and only drives up costs. The higher the cost of the audit, the harder it is to demonstrate value.

Public accounting firms use traditional audit programs for two reasons:

1) Since they are a true legal profession and can be sued in a court of law, audit programs are used to prove the existence of a work plan, and

2) Increase billable hours to increase profit. The audit continues until all steps in the audit program are complete, regardless of whether there is any value in doing so. Audit programs work great for outside organizations that make profit from the spread between cost rate per hour and bill rate per hour.

Please remember that, from a peer review perspective, public accounting firms are not your peers - they are after your job! The basis of public accounting is to comply with laws, not to create value. It is a serious mistake, and contradiction in terms, to have a peer review performed by a public accounting firm.

DATE: 08/14/03

QUESTION: What is your opinion of the Quality Assessment Review now being required by the IIA? Do you see an advantage to being in a reciprocal peer review arrangement?

ANSWER: If your audit department currently uses the RBIA audit approach, I see no problem in participating in the IIA's Quality Assessment Review process provided that you select peer review team members from other departments that are familiar with the RBIA process. Since RBIA is heavily focused towards value and helping vice presidents and higher to be successful in accomplishing their business objectives, selecting peer review team members from audit departments that are more "corporate cop" oriented will simply be counterproductive and could damage the relationships that you have spent so much time to cultivate.

Participating in the IIA Quality Assessment Review process is far preferable to engaging an accounting firm to do a peer review. First, accounting firms are not your peers - they are after your job! Second, they do not understand that the internal audit business model is dramatically different to their billable hours business model. Public accounting "peer" reviews are simply counterproductive to what you are trying to accomplish with RBIA.

If you need to know the names of other RBIA audit departments that may be interested in participating in your peer review process, please call me.

DATE: 08/04/03

QUESTION: I am new to internal audit from an operations background. I am perplexed as to why so many audit departments hire from public accounting when the recruits know absolutely nothing about the business world. It seems crazy to me that companies would hire people who have been associated with so much unethical behavior in recent times. Do you have a perspective on this?

ANSWER: There are several reasons:

• Over the past few years, many internal audit departments backed off auditing financial issues and deferred, rightly or wrongly, to their public accounting firm for that work. You must remember that public accounting firms have been claiming that they know everything that there is to know about internal audit and have pursued an aggressive internal audit outsourcing strategy. Accordingly, internal audit departments focused on operational, business issues.

• As we now know, the public accounting profession has failed to regulate itself and has been made, through the Sarbanes-Oxley Act of 2002, a government regulated industry. Many companies have realized that the public accounting profession cannot be trusted any more and are allocating internal audit resources to financial risks as well as business and operations risks. Just as audit groups need people like you who understand their business operations to audit those risks, they also need finance qualified people to address financial risks.

• While the overall ethics of the public accounting profession, lawyers, stock brokers, etc., have been exposed as unacceptable to the people of the United States, there are very high quality individuals in accounting firms with solid financial accounting knowledge. It makes good business sense to hire those individuals into an internal audit department.

• Public accounting firms tend to hire very smart people who work very hard. Hard working, smart people are a valuable addition to any internal audit department.

It is important that you understand that the way that public accounting does things caused the problems in corporate America, along with the way that lawyers, stock brokers, analysts and merchant bankers do things. By all means hire the smart, hard working people from public accounting but do not bring their failed way of doing things into your internal audit department.

 

 

Corporate Governance and Compliance

Process Management Consulting

Control Risk Self Assessment

The Best of the Best for 2006

RBIA Gold Medal
Ms. Martha Mimica, Florida Power & Light

RBIA Silver Medal
Mr. Bill Egan, Scotts Company

RBIA Bronze Medal
Mr. Dan Ashley, Qwest Communications

Congratulations!
prior year winners

SOX 404 RISK CONTROL MANAGER 2.1 SOFTWARE

Corporate Governance
a cost effective way
to document controls


AUDIT TEAM MANAGEMENT
SYSTEM (ATMS) SOFTWARE

Internal Audit Program
best value available for
small audit groups
SITE MAP
RBIA™ and PGRM™ Osterio, Inc. All rights reserved worldwide.

Updated: February 2, 2007