Accountability and responsibility – a follow-up

Firstly, asking for feedback and not enabling comments is a pretty basic error – sorry about that.

Second, one of my colleagues from the UK has provided a really interesting comment on LinkedIn:

“My industry has the concept of a “RACI”. Accountability: the person with whom the buck stops and usually the decision authority; Responsibility: the person that does the work (usually reports to the Accountable party); Consultee: individuals who need to be involved prior to decisions being taken (advisors or stakeholders); and Information Recipients: those impacted by the decisions – they need to be told, but have no say. In this way a Director may be accountable but a manager responsible for delivery.”

It strikes me that this might provide a really useful model for thinking about the role of Chief Audit Executive. I shall ponder further on this.

Very interesting. Should internal auditors be considering the community and moral aspects of risks? Is this part of what is meant by the public interest of our profession?

chiefauditexecutive

I have been struck by all of the Titanic centenary memorials and programmes, much like the ship itself, out of my compartmentalised risk management thinking. It is not man’s natural state to risk manage, but have we really progressed so little that scenes from the Costa Concordia in 2012 could be quite happily spliced into footage of the Titanic film relating to 1912? Would I, if they had had internal audit in 1910-14, have raised the question about lifeboats and an effective ‘plan B’ if I were White Star or Harland and Wolff’s auditors?

Well I could do the internal auditor’s ‘told you so dance’ (one of the few and secret pleasures an internal auditor can take when clients do not act on advice), but this is not helpful. I would far rather see companies, organisations and leaders take a more risk managed approach to life and their businesses.

In…


Rentokil & KPMG: NOT IA provided by EA

On 31 July 2009 a UK listed company, Rentokil Initial plc, included in its half year reporting a statement that it had contracted with accounting firm, KPMG, to provide its external, statutory audit and its internal audit services. This turned out to be a problematic statement.

For a start, KPMG was NOT providing all of Rentokil’s internal audit services. The head of internal audit and her team remained in place, undertaking the majority of the internal audit work. What KPMG had agreed to do was to undertake extra testing of internal financial controls. The work was to be done in conjunction with external audit visits but providing extra assurance specifically to the Rentokil board.

In addition and lasting to this day, the statement started a huge debate about whether accounting firms should provide internal audit services to their external audit clients. Personally, I still think it is better to have a different entity providing internal audit services to the board from that providing an external audit opinion to the shareholders. I think that gives a better chance of challenge and better protection from group-think.

But, putting that aside, one key lesson to learn is that the KPMG-Rentokil case is *not* an example of all external and internal audit services being provided by the same firm.

Extract from 31 July 2012 statement:
“The Company has conducted a review of audit provision to obtain better value from the external and internal audit processes by seeking to improve the effectiveness of the processes and reducing costs overall. The Company invited its existing auditors PricewaterhouseCoopers LLP as well as KPMG Audit Plc to submit proposals for a more integrated financial assurance process extending external audit coverage to some work undertaken by internal audit. The board has decided to proceed with KPMG, who will be appointed to undertake the 2009 audit. Combined internal and external audit costs will reduce by approximately 30%.”
Find the statement here.

The Bribery Act – those tickets for Wimbledon should land you in jail

Thought-provoking article in London’s Evening Standard last night. Those tickets for Wimbledon may land you in jail, says Chris Blackhurst, City Editor, explaining that “the new Bribery Act will criminalise acts of hospitality and place another bureaucratic burden on business”.

Got me thinking – and, quick caveat here, I do understand that some businesses and managers of them will be worried and concerned and I don’t want to belittle their efforts, but I have a couple of thoughts to consider. Firstly, maybe now’s the time to start demonstrating our support for principles-based legislation and regulation. Secondly, what is the purpose of all this corporate entertaining: does it provide value to stakeholders through improved relationships with customers and suppliers or through providing perks to the senior employees who do the entertaining and does it provide any value to stakeholders at all?

Over the last twenty years I’ve heard a lot of people in the UK argue in favour of principles-based legislation and regulation and explain why it is better than rules-based regulation, used “over there”, with a dismissive wave of the hand towards the East or the West, depending on the context. One way to look at the Bribery Act is as principles-based legislation. So, welcome to a world where you’ve got what you asked for!

Principles-based legislation and regulation brings with it a need to exercise judgment. This is by definition a situation of uncertainty because one person’s common-sense answer is another’s bright white line that they would not cross. Even more so, one person’s ex ante decision is often subject to savage ridicule after the event.  In this case, it’s really down to the senior people in organisations to buckle down to the responsibilities of great office and exercise some judgment. That’s what they are paid the big bucks to do!

That brings me to the second point – maybe it is a good time for corporates and others to take a hard look at their entertaining and what its purpose is. Building relationships with customers and suppliers has long been seen as a legitimate activity for the organisation – and yet it is fraught with dangers of stepping over the line to undue influence. What we are learning in the risk management world is that we humans are – unconsciously – biased towards what we know. That makes it more likely that privileged access to events, places, nice meals and drink – and time out of the office – will tend to bias the recipient in favour of the giver, whatever justification we use. Is that bribery? Well, maybe it is, in the definition of the Act.

There is another aspect to all of this. Let’s not forget the personal incentive to the entertaining organisation’s management to justify the activity. It gives them the opportunity to network – and networking is good for all of us personally – but it also gives them privileged access to events, places, food, drink and time out of the office. It’s a perk. And, everyone fights hard to keep perks!

This is a blog about internal audit making things better. So, how can internal audit help? Firstly, play a role in informing the management team about what the Act says – and what it doesn’t say – and also what the Ministry of Justice guidance says; secondly, inspire the management to focus on its responsibilities and not waste time and energy on railing against the machine. Champion the purpose of all this – to reduce bribery and corruption in the world – and look across the profession to learn from the public sector where practices that seem normal to private sector managers have been verboten for years; provide an independent and objective challenge to managers as they seek to justify the reasonableness of what they have been doing, acting as a critical friend before the organisation comes to the attention of an unfriendly critic; and seek to catalyse real change to ensure that adult conversations take place across the levels of the organisation to help people decide what is reasonable. And, of course, provide management and the board with independent and objective assurance on the organisation’s procedures – are they really adequate to prevent bribery?

This is getting rather long but one last thought – there could be some serious consequences for organisations that depend for much of their revenue, particularly their premium high-margin revenue, on corporate entertaining and marketing budgets. Arts and sports organisations must be looking at this risk – so, of course, that’s another area where internal audit in those organisations can help.

What do you think? Is this a case of be careful when you wish for principles-based legislation because you might have to make a judgement? Is a ticket to the first Andy Murray Wimbledon final a bribe? Is part of the outrage a measure of the perks that employees enjoy? And, do public sector people wonder what all the fuss is about and mark it up as yet another example of how corporate people don’t know they are born?

Smartphones, email and double-touch!

Yes, I did mean “double-touch”, not double-dutch.  This is not a post about the infinite capacity of an iPhone to create often humorous misspellings.  This is the scenario:

You have email, at home or at work. You have a smartphone.  You have email delivered to your smartphone.  Your main repository of history and filing is the main server/computer at home or work so your settings leave the email on that main repository and just send a copy to the smartphone.

The smartphone is great when you are on the move.  You look at your email as it arrives at your smartphone.  Some is junk: you delete.  Some is information for filing: you delete from the smartphone.  Some is information for reading: you delete or leave, depends on your preference for where you’ll read it.  Some requires or can have an immediate response, so you send it and perhaps delete the email.  Sending the email can result in another email if you automatically copy yourself.  Some needs more thinking about so you leave for the moment.

Then you go back to your office or home computer.  Now, here comes the double-touch.  All those emails that you’ve already scanned are in your in-box.  So, you have to go through them again, deleting, filing, retaining for reading, remembering not to respond to the ones you’ve already dealt with, planning to respond to those that need more work.

The question is: what strategies have people tried out to avoid or to handle this problem?  Particularly GTD people: how do you deal with this?

All and any suggestions gratefully received.

I’m NOT posting every week in 2011

Well, a pretty obvious title really when you see my blog on LinkedIn. It’s clear that I am posting less than once a week.

I started with best intentions but I haven’t yet found the rhythm to post more often.  Anyone out there have any suggestions how to fit blogging into an already over-full life, particularly when it isn’t part of my job responsibilities?

In total, I seem to be blogging about once a month but that is all.  One barrier is my unfamiliarity with the medium and the techniques.  So, I thought I’d post this relatively content-less piece as the single step on the path to future blogging bliss!

I’ll be back!

Greatest accomplishment of 2010

Now that’s a brainteaser!

I think that in the internal auditing world in 2010, the greatest accomplishment was being granted Chartered status.

The Institute of Internal Auditors – UK and Ireland is now the Chartered Institute of Internal Auditors, abbreviated to IIA for trademark reasons. Bravi to all the volunteers, staff and contractors – present and past – who worked so hard to make that happen. (For avoidance of doubt, I did play a small part in the early stages but did little in the last year.)

On a personal note, I think that stepping out into social media was a great accomplishment for me!

So, what does that all mean for 2011?

The Chartered IIA is committed to continue to develop the influence of the internal auditing profession and to provide internal auditors with the knowledge they need to meet the demands put on them. I’d like to play my part in making that happen.

I want to make use of the networking opportunities afforded by social media to share ideas and develop my thinking. So that means being active, listening and reading, contemplating and contributing, writing and speaking out. No pressure there then!


I am posting every week in 2011

I started my blog in 2010 but didn’t make many posts. I decided I wanted to blog more in 2011. Now, WordPress has helped me along by starting a campaign. So, I’m signing up: I will be posting on this blog once a week for all of 2011.

It may be a bit of a stretch but I think it will be good to have the discipline and I’m promising to make use of The DailyPost, and the community of other bloggers with similar goals, to help me along the way, including asking for help when I need it and encouraging others when I can.

If you already read my blog, I hope you’ll encourage me with comments and likes, and goodwill along the way.

Signed,

Jackie Cain

The risks of the business model

Catching up as I am on my reading, I’ve just read two very good reports from Grant Thornton and the Economist Intelligence Unit.  The first, published in March, is about business models and how many businesses are reassessing theirs in the light of the downturn in the economy.  The second then looks at how valuable risk management processes have been at protecting the business model. 

I recommend them both highly.  Firstly, they give a good working explanation of the components of a business model.  These can help directors, managers and internal auditors alike to find ways to apply risk management techniques to the business model.  Secondly, they provide a timely reminder that risk management is not a specialist add-on.  It is an essential part of management; as such, it must happen at the same time as the rest of management.

So, when you are discussing strategy, you are not doing a proper job unless you are discussing risk!

If we could all get this message across, it would go a long way to improving the quality of organisations’ governance and management of risk.

You can find the reports on the Grant Thornton web site. The first, on business models, is here; the second, on risks and business models, is here.

Psychology, internal audit and taboos

Psychology seems to spend a lot of time demonstrating how people are not at all rational. That throws a spanner in the works when talking of the “system of internal control” and “governance processes” and “values at risk” and everything else in the internal audit world that reeks of rationality.

Last night, James Paterson took those of us sitting round the Internal Audit Round Table* through some of the research and led a discussion into its implications for internal auditors. Clearly, these are pervasive. After all, internal auditors are people; the directors, managers and workers with whom they interact are people; so there is a great deal of scope for psychological factors to affect what we do.

Amongst other things, we talked about taking psychology into account when presenting findings and finalising reports. The idea that more facts and “evidence” will persuade the reader of the findings and make them act is widespread – and not just in internal auditors. But, of course, facts are not neutral. Different people perceive even the same facts as “proving” different conclusions. So, perceptions, points of view, biases, etc are all important.

What is nagging at me though is something even more fundamental – how do we acknowledge the “messy” nature of the real world and yet still provide a service that is valuable to our organisations? We market the profession as providing a well-defined product – assurance – to enhance the reliability of a rational, organised system of internal control. Is it a taboo to ask: is the ideal of a sound system of internal control a mirage, created in hope from a rational, accounting perspective and studiously ignoring the insights of a psychological perspective?

Mmm, well, I’ll be thinking about that for a while!

*jointly sponsored by Chartered IIA and Cass Business School, London, who host the meetings. See the IIA’s website for more information.