Tip of the week— it’s the integrity

I recently watched an old video about Warren Buffett, wherein he described how he picks winners – that is, the people (company leaders) he will trust his investments with. It said he uses three criteria. He started with the second characteristic, which he called energy, then moved to a third, which was intelligence. It was not just regular intelligence. It was what was termed adaptive intelligence. An example he gave was a person running towards a destination and, on seeing a post in the way, taking measures to avoid the post or minimize its impact, so as to continue running towards the destination – rather simple but key. Now, it was the first and most important criterion he cited, integrity, that most impressed me. By integrity, Buffett meant knowing when to say no. Basically, integrity meant knowing limits and not overcommitting. As an example, he discussed how a child understands love. A child understands love to mean time, time spent. Integrity is therefore reflected in commitments made and time spent to correspond with the commitments: saying no to things we claim are not as important and spending the resources on what we say is important.

As an auditor, I look for integrity in the budget figures and other similar governance documents. When I see no resources committed to a goal, e.g. no full-time staff or, worse, staff committed without awarding the needed resourcing or awarding unsteady (reactionary) resource levels, I immediately know and understand the business goal is not critical or prioritized.

Many leaders today regrettably pay lip service to goals around culture, compliance and internal controls, but they lack the resources to support them. Where is the culture budget, the compliance budget – how does our annual budget reflect commitment to stewardship? Particularly in our nonprofit sectors, where the mission can become an easy cop-out from making important business investments towards internal controls and compliance goals. Where stewardship is often about cutting cost rather than investing in robust cultures and infrastructure to support stewardship. Often it’s just that missing leadership quality called integrity, and we should look for it in our leaders and all our staff.

Endpoints are the Front Line in the Battle for Effective Cybersecurity

Endpoints are the “ends of the network” – your computer, mobile device, internet-connected devices, etc. – we (people, devices, bad actors) interface with endpoints to connect to computing networks, the internet and cyberspace.

I like how the article below uses a comparison to the game of chess to reemphasize the important role endpoints play in effective cybersecurity. To the chess novice, pawns are many and dispensable, like endpoints are many and cost little relative to the value of information on networks. No, those endpoints and the trends in their use are foundational to your cyber defense.

One more point: data is created and transformed at endpoints, and in my view it is best to think of data as the ultimate endpoint. So really, start your cybersecurity plans with your knowledge of data and data governance — donors, employees, volunteers, clients (beneficiaries), partners, collaborators, vendors.

— Read on securityboulevard.com/2019/10/endpoints-are-the-front-line-in-the-battle-for-effective-cybersecurity/

Nonprofits should consider internet isolation cloud solutions in their IT security designs

Sharing below a nice article on internet isolation cloud solutions as a paradigm for implementing security.

A boundary-less IT security defense architecture (design) is definitely one that nonprofits should consider. And the reason for this is business necessity.

Nonprofit business architectures (designs) continue to require operational and even strategic collaboration and partnerships with a variety of global and local partners. These partners are all over the world and in some cases include national governments. The data nonprofits handle includes that of vulnerable and insecure populations. To operate effectively with such populations, nonprofits must maintain relationships of trust with these clients. The trust must in turn be supported by robust data stewardship and security practices, including regulatory compliance regimes. This is because, for nonprofit enterprises to be effective today and looking ahead into the future, their sensitive data will need to be shared more often. They will be more exposed to partners having different IT capabilities and a myriad of IT security postures, including no security capacity.

Nonprofit IT security designs must follow the direction of their business designs or fail to be effective in business environments and relationships they must support.

Let me know what you think of the article.

securityboulevard.com/2019/09/internet-isolation-cloud-introducing-a-new-paradigm/

The Merchant of Venice & Internal Audit

Ever wondered who the first internal auditors were? What skills they applied? What enterprises solicited their services and why? Those who know me know I’m a firm believer in the idea that there is nothing new under the sun. Finding out the history of a profession and its evolution often reveals a lot more about the enterprises and stakeholders to whom the profession renders service. Such discovery is the best career advice to give to young people making up their minds on what they want to do.

I’m very often called on to provide introductory primers to audiences of nonprofit implementers on what internal audit is and even on “how to pass the audit”. I love doing it. I reveal novel insights like “auditors are people” and “don’t upset the auditors”. As I do, I sit back in my mind and marvel at audience reactions. You will be surprised how many people don’t know internal auditors are people. I also love giving insights on how to pass audit. It helps me dispel the fallacy that we auditors are some sadistic evaluators looking to fail people, on job exams of sorts. All of that is wrong on many levels.

One story I often invoke, in part to spice the conversation but equally to remind people of the organic basis for auditing, is Shakespeare’s The Merchant of Venice. Imagine it. The people signed up for an internal audit introduction and then get to hear about Shakespeare’s work. So what’s the connection? If you are like me and had to read the play in middle school, I hope you were as fascinated by the “all that glitters is not gold” revelation in Act II. After all, is that not one lesson we all continue to learn in our adult lives and in the practice of audit? We call it professional skepticism today. But that was just the first digression. The play opens with a sad merchant, worried by the fate of his big bet investments. He has in effect placed all his eggs in one basket, in his case, vessels at sea. Another lesson on risk management and a second digression on my part.

The real lesson to draw, in my view, is what is missing from the merchant’s enterprise – an internal auditor. Many have questioned why Antonio (the merchant) was sad in the opening act of the play, filled with “melancholy”. Was it for his friend embarking on the consuming enterprise of marriage, which would take him away from their time together? Was it for parting from his goods on vessels at sea? Was it for the unsavory feeling of making exorbitant profits like Shylock, the Semite he abhorred? I say Antonio was faced with a corporate governance challenge, impacting many stakeholders. An internal auditor could have helped him to examine the governance, risk management and control framework for his enterprise and activities. Consider the issues: financial risks of too much debt or loss due to pirates, market/demand risks if he invested in the wrong goods, operational risk if his ship captains failed to navigate safely, hazard risks from the seas, the social scorn from executive remuneration, etc. His friends and collaborators tried, in their ways, to be auditors of sorts, hinting at risks. He was sad and did not know why because the internal audit profession had not yet been created. Everyone paid dearly for not having auditors.

How Google is slowing innovation – a lesson for auditors

Read this very interesting article: “How Google is slowing innovation” by Aytekin Tank https://link.medium.com/e4EYifNJNR

One lesson is that auditors should not shy from pressing management on strategic risks.

I recently wrote an article about blockchain and its implications for the audit profession. Interestingly, Google and other social media giants should be thought of as also being in the crosshairs of blockchain technology. Google’s quest to execute Microsoft’s strategy (embrace, expand, extinguish) has led them to try to stop innovation or to be an innovation bottleneck. Here is how I summarize Google’s rather potent strategy:

  • Embrace the internet (give things for free e.g. email accounts, search)
  • Expand (develop and market our data using surveillance methodologies and analytics – the worrisome part)
  • Extinguish (the internet’s traffic is now going through Google, including by the way our brains as we “google everything”)

But again, for fellow auditors, perhaps there is also an important lesson to draw. Strategy and its execution remain the most important factors to examine. Many of us focus on financial risks, and in fact others constrain us to think and work mostly on financial risks and in the “numbers realm”.

It’s the strategic risks and their management (e.g. social distrust of Google’s slick intermediation role) that we should train our attention on. More precisely, we should challenge management to have more robust risk identification and mitigation efforts. We are uniquely qualified to do so because of our mandate to be independent and objective. The risk with Google and its good old “bait and switch” approach remains the enormous potential backlash (privacy concerns, power concentration, mistrust).

Bait and switch is not another phrase for innovation

Do you think auditors are focusing enough on strategic risks? Do auditors have the capacity to do so in a credible way? Do auditors have the mandate? How can auditors become better at it – what will it take? Your thoughts?