Norman Marks, CPA, CRMA is a retired senior executive. He works with individuals and organizations around the world, advising them on risk management, internal audit, corporate governance, enterprise performance, and the value of information. Norman was the chief audit executive of major global corporations for twenty years and is a globally recognized thought leader in the professions of internal auditing and risk management. In addition, he served as chief risk officer, compliance officer, and ethics officer, and led what would now be called the IT governance function (information security, contingency planning, methodologies, standards, and more). He managed the Sarbanes-Oxley Section 404 (SOX) programs and fraud investigation units at several companies. Norman is a retired member of the review boards of several audit and risk management publications (including the magazines of ISACA and the IIA), a frequent speaker internationally, the author of multiple award-winning articles (receiving the IIA’s Thurston award in 2004 and 2014), and a prolific blogger.
In a recent interview with CXO Magazine, Norman Marks discussed his experience with risk management and internal audit. He shared his views on the efficiency and effectiveness of internal audit processes, modern business environments, and more.
What role does internal audit play in ensuring organizational integrity and compliance?
This is an interesting question. Management, with oversight from the board, is responsible for “organizational integrity and compliance”. They put processes, systems, and internal controls in place that should provide reasonable assurance that operational integrity and compliance are achieved.
Internal audit has a valuable role. Those processes, systems, and internal controls may not function as well as management believes. There are many reasons this may happen, including inexperienced people or system changes that don’t perform as desired.
What internal audit does is provide assurance that the systems of internal control and risk management are functioning as they should. They also provide their professional insight and advice on how those systems can be upgraded if needed.
How to approach developing an internal audit plan tailored to an organization’s specific risks and objectives?
If internal audit is going to optimize the value it provides to the organization’s leadership in management and on the board, it should focus its work on the issues that will matter most to those customers: the more significant sources of risk to the achievement of enterprise objectives.
It starts by understanding those objectives, most of which will appear in the annual and strategic business plans but some of which (such as compliance with applicable laws and regulations) are understood even if not formally included.
Then internal audit works, if possible with management and their risk assessment processes, to understand and then design audit projects to address the more significant sources of risk to those objectives.
What technologies or tools can someone leverage to enhance the efficiency and effectiveness of internal audit processes?
The most important tool is the intelligence, curiosity, and judgment of the auditor. But there are also technologies that can help.
Artificial intelligence is a new tool that auditors are starting to use, but business analytics have been used extensively by audit functions for decades.
What methodologies can be used to identify, assess, and mitigate risks across different business functions?
Before talking about methodologies, I want to suggest a correction to the question. Risks are not always to be “mitigated”. The ISO 31000:2017 global risk management standard defines risk as “the effect of uncertainty on objectives”. That effect can be positive as well as negative, and COSO agrees in its Enterprise Risk Management Framework.
Coming back to the question, I prefer the methodologies in the ISO standard over those in COSO, but more people like to tailor their program to the specific needs of their organization. That is often a blend of the two, ISO and COSO.
In my books, I have recommended a focus on what might happen that might affect, positively or negatively, the achievement of enterprise objectives. Rather than saying a risk is high or low, talk about how it might affect the likelihood of achieving those goals. That enables management to see the “big picture”, all the risks and opportunities relevant to any business decision.
Some popular methodologies, such as the NIST and ISO guidance on cyber risk, address those sources of risk in a silo. I prefer to recognize that every business decision has to consider multiple risks, not one at a time.
How to ensure that risk management practices align with the organization’s strategic objectives?
As I said above, risk management needs to focus on the achievement of enterprise objectives. Rather than trying to avoid disasters and becoming an impediment to entrepreneurship, rapid decision-making, business agility, and taking risk, it should instead be a way to help the organization succeed.
Effective risk management helps people make the informed and intelligent decisions necessary for success, which means that they are taking the right level of the right risks.
How do you define and measure enterprise performance within the context of modern business environments?
Everyone wants to achieve their objectives. I believe and have described in my books how risk management reporting can and should be fully integrated with performance reporting. Reports should indicate for each objective:
- Progress to date
- What is anticipated (considering all the relevant risks and opportunities)
- The likelihood of achieving goals by the end of the period (usually a year)
- Whether that is acceptable
This reporting should enable its readers to understand what is needed for success: what risks need to be addressed and which opportunities need to be optimized.
Why is information considered a valuable asset for organizations, and how does it contribute to decision-making and performance improvement?
Without reliable, timely, complete, accurate, and actionable information you are guessing when you make business decisions.
How should organizations balance the need for data-driven decision-making with data privacy and security concerns?
Organizations need to comply with privacy laws in every jurisdiction in which they operate. Where that might be a challenge because access to data needed for a business decision is restricted, organizations will have to find creative ways to get the intelligence they need – within the law.
What emerging trends or technologies do you believe will have a significant impact on how organizations manage and derive value from information for performance optimization?
Today, we are talking, experimenting, and starting to use AI. Who knows what tomorrow will bring?