About Me

So, I'm trapped in audit. At least for the time being. Whilst I'm here I may as well make constructive use of my time. So I'll share some of my thoughts and experiences.

Sunday, June 19, 2011

Meeting minutes

Often the biggest challenge of audit is gathering the necessary information and gaining the necessary understanding. Meetings are a good source of this, but it's often hard to note down all the relevant information (speed of handwriting). One thing I have found that makes it easier is to prepare a set of slides for the meeting, to print these out, and then to annotate them during the meeting. Then I don't have to write out the heading-type information that supports the notes.

Auditing an organisation's policies and policy framework

In my experience, I have seen an organisation's policies in two forms: standalone documents (in Word, PDF or [rarely] Excel format); or on the intranet as inter-linked documents. There are advantages to both: the former is more portable and archivable; the latter allows an understanding of the interrelationships between policies. On balance, I would prefer the latter, particularly where there is a robust mechanism to create a portable offline copy using website downloading tools (if these are permitted by your organisation's IT team!).

Some criteria for assessing policies and the policy framework:

  • Is it complete? Does it cover every eventuality?
  • Is it up-to-date? All policy documents should note a last review date.
  • Is there ownership in place? All policy documents should note an owner (which should be up-to-date).
  • Are archived copies kept when (major) changes are made?
  • Does the policy comply with the relevant legislation?
  • Is the policy strong enough to address the risk?
  • Is the policy understandable? Is there only one possible interpretation?
  • Are all hyperlinks current?
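Several of these criteria (a recorded owner, a recent review date, and hyperlinks that still resolve between inter-linked intranet documents) can be checked mechanically before the manual reading starts. The script below is an added example, not part of the original post: it runs over a constructed sample of policy metadata (the `POL-nnn` identifiers, owners, dates and review interval are all assumptions) and returns the findings an auditor would then follow up on. It also goes slightly beyond the list above by flagging documents that no other policy links to, which is one way to surface gaps in the framework's interrelationships.

```python
from datetime import date

# Constructed sample corpus (not a real organisation's policy set):
# policy id -> metadata. Links are ids of other policy documents.
POLICIES = {
    "POL-001": {"title": "Information Security Policy", "owner": "CISO",
                "last_reviewed": date(2011, 1, 15), "links": ["POL-002", "POL-003"]},
    "POL-002": {"title": "Access Control Policy", "owner": "",          # no owner recorded
                "last_reviewed": date(2009, 3, 1), "links": ["POL-001"]},
    "POL-003": {"title": "Acceptable Use Policy", "owner": "HR Director",
                "last_reviewed": None,                                   # never reviewed
                "links": ["POL-004"]},                                   # POL-004 does not exist
    "POL-005": {"title": "Legacy Email Policy", "owner": "IT Manager",
                "last_reviewed": date(2011, 5, 1), "links": []},         # nothing links here
}

# Assumed review interval: one year. Adjust to the organisation's own standard.
REVIEW_INTERVAL_DAYS = 365

# Date the check is run as of (constructed to match the post's date).
AS_OF = date(2011, 6, 19)


def check_policies(policies, today, root_id="POL-001",
                   review_interval_days=REVIEW_INTERVAL_DAYS):
    """Return a list of (policy_id, finding) tuples for an auditor to follow up.

    Checks: owner recorded, review date recorded and not overdue, every link
    resolves to a document in the set, and every non-root document is linked
    from somewhere (orphans are a sign the framework map is incomplete).
    """
    findings = []
    inbound = {pid: 0 for pid in policies}

    for pid, meta in sorted(policies.items()):
        if not meta.get("owner"):
            findings.append((pid, "no owner recorded"))

        last = meta.get("last_reviewed")
        if last is None:
            findings.append((pid, "no last review date recorded"))
        elif (today - last).days > review_interval_days:
            findings.append((pid, f"review overdue: last reviewed {last.isoformat()}"))

        for target in meta.get("links", []):
            if target in policies:
                inbound[target] += 1
            else:
                findings.append((pid, f"link to missing document {target}"))

    for pid, count in sorted(inbound.items()):
        if pid != root_id and count == 0:
            findings.append((pid, "not linked from any other policy document"))

    return findings


if __name__ == "__main__":
    for policy_id, finding in check_policies(POLICIES, AS_OF):
        print(f"{policy_id}: {finding}")
```

In practice the metadata would be parsed from the documents themselves (a review-date field in a Word or PDF header, or link targets extracted from the intranet pages); the checks are the same once the data is in this shape. Anything the script flags is a lead, not a conclusion: a document with no recorded owner may still have one in practice, which is exactly the kind of thing to confirm in the meeting.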

Saturday, June 11, 2011

Interrelationships between preventive, corrective, directive and detective controls

Both detective and corrective controls are preventive in the sense that they can enable the prevention of further events or of the continuation of the detected event. For example, a control that detects fraud by an employee will prevent further frauds by that employee and will reduce the likelihood of fraud by other employees through deterrence.

Directive controls (i.e. policy and procedures) support controls at all stages.

It may be helpful to visualise the action of different controls on a timeline:



[Definition of corrective controls: act to reduce the impact of a detected event]

Not one, but two definitions of risk

I think two definitions of risk are necessary to successfully explain risk management:

a risk - countable abstract noun - an event, occurrence, circumstance, situation or outcome that may occur and would impact on the achievement of objectives (either positively or negatively)

risk - uncountable abstract noun - the likelihood and impact of an event, occurrence, circumstance, situation or outcome. In some cases the word may be used to refer to just the likelihood, e.g. "what is the risk of dying in a plane crash?" (the impact is defined, therefore the risk reflects the likelihood), or just the impact, e.g. "what is the risk associated with touching this wire?" (the probability is ignored and therefore risk reflects just the impact).

Monday, June 6, 2011

Adding risk management to job descriptions

In addition to cooperating with audit, risk management should be included in the job descriptions of all people of manager grade and above (and possibly for all employees for some organisations). The responsibilities should include risk identification and reporting upwards, and developing/maintaining control response (where this has been assigned to the person).

Strategy audit

I've not seen much in the way of strategy audit, but it seems an interesting area (particularly for the auditor). Perhaps the reason that it is not subject to frequent audit is that it tends to be the domain of senior management, who don't want audit sniffing around.

Some questions I'd want to ask:

  • Is the strategy formation (and update) process documented?
  • Is there an up-to-date organisational strategy?
  • Has the strategy been communicated to the right people?
  • Are all the necessary inputs to strategy formation in place (market information, competitor information, technology information, internal information)? (this would use PESTLE, Porter's 5 Forces, 9Ms, etc.)
  • Are the right people involved in strategy formation? (sales, marketing, finance, risk management, technology, research & development)
  • Do the strategy formers have the right qualifications, experience and skill?
  • Are there any training requirements? Are these being met?
  • Does the strategy flow through from the single-line mission statement to more detailed objectives, and right down to individual performance objectives?
  • Is there a feedback loop on performance that allows validation of the strategy?
  • Is there a process to accommodate significant events into the strategy?