SUPPORT CENTER

Date: 12/27/2000
Question: When will your RBIA Management System software be available?
Answer: RBIAMS is in Beta test mode now. We plan to release it in 2nd quarter. We will post the status of RBIAMS on this web site.

Date: 12/10/2000
Question: What can you do to change auditors who simply do not want to use RBIA?
Answer: Nothing. You cannot change anyone. The only one who can change you is you. There are a lot of reasons why people do not want to change to RBIA. The main ones being that they cannot handle the concept of personal accountability for producing value greater than cost and/or they cannot overcome their traditional ways of auditing.

Once the General Auditor has decided to move to RBIA, a "stake in the ground" should be set - a date from which all audits will be performed the RBIA way. Since existing staff may have signed on to the audit department with the expectation of a traditional, non accountable way of doing audits, it is fair to do what you can to help those auditors move on. For more information regarding this issue refer to our guide "Implementing RBIA".

Don’t try to change anyone - you are wasting your time and theirs. Show them the benefits to their career and job enjoyment that RBIA results in and let them make their own minds up. Most will embrace RBIA. Some never will.

Date: 12/02/2000
Question: Is there any way to calculate exactly how long an RBIA audit will take?
Answer: No. RBIA is a heuristic (or scientific) audit approach. There are no audit programs which define every step in advance. The audit team decides on their next step based on the results of the prior step. You may encounter a very strong Management Control Structure and decide to stop the audit very early. Alternatively, you may "lift a rock and find a canyon". RBIA is based on business problem solving concepts. You cannot calculate exactly how long it will take to solve business problems.
Accordingly, you cannot calculate exactly how long it will take to do an RBIA audit. Our experience is that if you scope the audit small enough, you should bring them in for 300 hours or less. If they start taking over 300 hours, break them into smaller components. It is easier to be successful in meeting your Team Success Objectives if the audits are under 300 hours.

Date: 11/14/2000
Question: We're doing RBIA in our HR department to develop action plans for process reengineering. The HR department has experienced a tremendous amount of turnover, including the VP of HR. Most of the turnover has happened since we began the RBIA. We do not have an HR subject matter expert in our department, and we're struggling with developing action plans on our own. The interim VP of HR is supportive of our efforts, but the problem is getting all the information we'll need to design the action plans. We're investigating the possibility of engaging former employees as consultants on the project. What else do you suggest?
Answer: First, I would look at Governance over the reengineering effort. What goals have they set for reengineering of the HR department? Unless you know what the goals of the reengineering project for HR are, it will be difficult to make much progress.

Date: 11/14/2000
Question: In a multinational corporation, with multiple audit locations in different countries, does every office need to adapt RBIA in order to make it work?
Answer: No. Each location can work with RBIA independently as long as you do not rotate staff between the different locations. In other words, it is possible for say, the New York audit office, to adopt RBIA and for, say, the Hong Kong audit office to use another methodology.

There are, however, two problems associated with this approach. The first is that you cannot effectively use the audit skills interchangeably. If you need subject matter expertise from the Hong Kong office to work on a New York office based audit, you will create inefficiencies and confusion in understanding the differing audit approaches. Most importantly, the company’s audit management team is not sending a consistent message as to direction for the audit function. It is not providing leadership. This leads to confusion and disillusionment at the auditor level. RBIA has enough options in it to adapt to the unique cultures of differing audit locations.

Date: 10/17/2000
Question: Do we need to go through the exercise of identifying cradles and graves if our charge is to do an end to end audit of the entire process? It is a large process and I suspect that it will take a long time to identify all the cradles and graves.
Answer: Let me answer this question in two parts. Firstly, why are you even doing an "end to end" audit of the process in the first place? To do it properly will take forever, will likely be out of date as soon as it is finished, cost a lot of money, consume a lot of resources that cannot be allocated to other high risk areas and may not give you any results for the effort expended. End to end audits are at the Performance level. Instead, focus on the Governance and Management levels.
Start by asking the Management level (the ones responsible for controls in processes) the two following questions: "How do you know that your controls, that you are responsible for, are working, and if they stopped working, how would you know about it?" You may be able to help them establish a monitoring process. This is a lot more efficient process than doing an end to end audit of processes that are constantly changing.

Also, assuming that you are "politically forced" to audit down at the Performance level, don’t do it alone. Partner with the management of the areas involved and treat it as a control consulting project. This has several benefits. First, it will give you the process subject matter expertise that you need. Second, it will project audit as part of the solution, and not part of the problem. Third, it will have less resource drain on the audit group. Fourth and most importantly, it will prevent the Management level from culturally "turning off" to their responsibility for control in their processes. By partnering with them on a consulting project to improve process controls, you will make the whole implementation process considerably easier.

Turning to the second part of my answer, I am going to assume that you have on your team the subject matter expertise to understand the business issues associated with the process. Yes, you must break the process down into cradles and graves in accordance with the methodology taught in our seminars. If you do not, I guarantee that two things will happen. One, your project will result in massive scope creep...it will go on and on and on. Secondly, you will miss the key control issues that you need to address. In every case where the "cradles and graves" step is bypassed, the resulting control product is half baked, full of omissions and low quality. In addition, no one has unlimited time or budget.
The cradles and graves exercise will help you understand exactly what your team can accomplish within your time and cost constraints. As soon as you have identified cradles and graves, have your Governance group buy off on your team’s project scope. This will avoid confusion and disappointment at a later date.

Date: 10/12/2000
Question: What would be your advice to someone who will be starting a one man show of Internal Audit function in a large construction company which never had an Internal Audit before. Do you advise him to use RBIA, CSA, or what? And if either, how he has to go about it? THANK YOU
Answer: In a one man, start up audit group, the most important thing that you need to do is to find out the number one issue in the company that has resulted in the creation of your position. Growing companies just don’t create an internal audit function because "everyone else has one". Some event has occurred, or issue arisen that points to an internal audit operation as a possible solution or "preventer" of future occurrences. Find out what this is. Talk to the vice presidents in your company and see what they see as the hot issues. RBIA is based on this concept. Your vice presidents are your customers. They are the ones that determine your value. Establish a solid working relationship with them and focus your energies on the issues that are critical to them accomplishing their business objectives.

RBIA works just fine in one person audit groups. A past issue of the "Inside RBIA" newsletter featured a one man RBIA audit department and how he resolved several of the issues that you will face. Request a copy. It will be helpful to you. Our "Implementing RBIA" guide will also be helpful to you. It is available through this web site. Good luck in your new endeavor.

Date: 10/04/2000
Question: How many risks should we address in each RBIA audit?
Answer: There is no hard and fast rule.
If the risks are very similar, and the same subject matter expert auditors can address them, it makes sense to address multiple risks in the one audit. If the risks are very different, require different subject matter expertise to address them, it makes sense to break it down into multiple small audits. Remember to always keep your audits in the 200 to 300 hour range. Your customer, the vice president, doesn’t care about how we categorize our work. They are just interested in the results. You can always present a series of separate audits as comprising one big "project" with several status reports for each phase.

Date: 10/04/2000
Question: Our vice presidents, having been through your Practical Governance and Risk Management seminar, are now claiming that they are too busy to implement the concepts. Any ideas on how we can engage them?
Answer: Interesting. By definition, this means that they are too busy to perform Governance over their area, too busy to exercise their fiduciary duty to the stockholders and too busy to ensure that their management team is appropriately allocating the resources for which they are legally liable for. I wonder how this position will go down in a court of law!

Seriously, there is no additional work involved in PGRM concepts beyond what your vice presidents are legally required to do in the first place. It simply presents them in a structured manner with some tools to help them do their job. It sounds that you perceive that your vice presidents still do not understand their role, or do not want to be held accountable for it. If the problem is the former, it can only really be solved on a one on one basis and this is best performed by the Audit Executive in their ongoing interactions with each vice president that they are assigned to. If the problem is the latter, i.e., your vice presidents do not want to be held accountable for their fiduciary responsibilities to the stockholders, you have a far bigger problem than we can help you with.
The premise of this position raises major ethics, integrity and leadership issues that can only be solved at the board level. Please contact me off line to discuss this issue in more depth. I am assuming that you are in an audit position so the answer to your dilemma is embedded in the role of the Audit Executive.

RBIA and PGRM Osterio, Inc. All rights reserved worldwide.
Updated: February 2, 2007