This is a guest post by Harry Hall. He is a Project Management Professional (PMP) and a Risk Management Professional (PMI-RMP). See his blog at ProjectRiskCoach.com.
Some auditors perform the same procedures year after year. These individuals know the drill. Their thought is: been there; done that. But, before we start the engagement, we need to identify the audit stakeholders.
Imagine a partner or an in-charge (i.e., project manager) with this attitude. He does little analysis and makes some costly stakeholder mistakes. As the audit team starts the audit, they encounter surprises:
Changes in the client stakeholders – accounting personnel and management
Changes in accounting systems and reporting
Changes in business processes
Changes in third-party vendors
Changes in the client’s external stakeholders
Furthermore, imagine the team returning to your office after the initial work is done. The team has every intention of continuing the audit; however, some members are being pulled for urgent work on a different audit.
These changes create audit risks–both the risk that the team will issue an unmodified opinion when it’s not merited and the risk that engagement profit will diminish. Given these unanticipated factors, the audit will likely take longer and cost more than planned. And here’s another potential wrinkle: Powerful, influential stakeholders may insist on new deliverables late in the project.
So how can you mitigate these risks early in your audit?
Perform a stakeholder analysis.
“Prior Proper Planning Prevents Poor Performance.” – Brian Tracy
Today’s article comes from my twin brother, Harry Hall. He is a certified PMP®, PMI-RMP®, and has his Associate in Risk Management (ARM-E).
Many organizations do not have an enterprise risk management (ERM) program. Therefore, these entities lack the policies and procedures to manage enterprise risks (i.e., threats and opportunities) and achieve their objectives. In this article, we’ll look at how CPAs can suggest an ERM program to their clients.
Imagine that you’ve completed an audit of an organization. One way you can help your client is to provide a management letter that offers ideas to make the organization better. And one of the suggestions you can make is for them to implement an ERM program, or you can provide ways to improve the existing program. (Of course, as the auditor, you can’t make management decisions, but you can make suggestions.)
Think about it. Has one of your clients encountered a surprise event or condition in the last few years? Imagine if the client had identified and managed the risk better. That single failure may have caused your client to miss their annual objectives, resulting in weaker financial and operating positions. It’s even possible they no longer exist.
A sound ERM program can improve–and even save–your client.
What is ERM?
First, let’s define ERM. It is a program whereby an organization identifies and manages all of its risks in order to achieve its objectives.
How does ERM differ from traditional risk management? Well, traditional risk management focuses on pure risks. These are risks where there is the possibility of loss or no loss, but no chance of gain. Hazard or insurable risks are pure risks.
ERM includes pure risks, but also includes speculative risks. Speculative risks are risks where there is a chance of loss, no loss, or gain. So, speculative risks have the potential for gain. Examples of speculative risks include financial risks, strategic risks, and some operational risks.
So, let’s see how ERM helps businesses.
Four Benefits of ERM
There are several ways that an organization may benefit from ERM. The benefits include, but are not limited to, the following:
First, an ERM Champion can help their organization implement strategic risk management, a component of ERM. Here, we can clarify enterprise objectives and improve strategic planning, analysis, and alignment.
Second, ERM helps organizations identify risks between departments. Many departments live in silos. And most people think solely about their department’s risk. But the actions taken by one department may impact other parts of the organization.
Third, ERM can boost collaboration. As risk owners from different departments focus on enterprise objectives together, these individuals begin to better understand other departmental processes. And these can be analyzed and improved to realize greater enterprise benefits.
Fourth, organizations with ERM programs are in a better position to meet the demands from external parties such as investors, rating agencies, and regulators.
To make this work, your client needs to leverage an ERM framework.
ERM programs include risk management processes that are used throughout the enterprise. Some organizations use a framework like COSO or the ISO 31000. Others develop their own framework. In general, here are the ERM processes, regardless of the framework.
Plan risk management. Define an ERM policy that guides the behavior of individuals in the organization. The ERM policy includes elements such as the risk governance structure, risk categories, ERM methodology, roles and responsibilities, risk appetite, risk tolerance, risk limits, ERM activities, ERM reports, and a glossary. This policy should be reviewed and updated each year. And the Board should approve the revisions.
Identify risks. Determine the risk identification tools and techniques that will be used. For example, these could include brainstorming, interviews, checklists, and cause-and-effect diagrams.
Evaluate risks. Once risks are identified, ERM stakeholders should assess the risks. Risk owners may perform qualitative and quantitative risk assessments. The risk assessments result in a prioritized risk list. The benefit: you know which risks matter most.
Respond to risks. Next, risk owners develop and implement risk response plans to lessen these risks.
Monitor risks. Of course, risks change over time. Threats and opportunities may (and probably will) increase or decrease. Therefore, clients must monitor risks. Are the risks managed according to the risk appetite and risk tolerance? Are the ERM processes providing value? Are the processes economical and efficient?
As a CPA, have you ever wondered how ERM and Internal Audit differ?
ERM vs. Internal Audit
Organizations may have an ERM department or group led by an ERM Champion or Chief Risk Officer (CRO). This group facilitates the development of an ERM policy, trains employees on ERM processes, and facilitates periodic risk reviews.
Internal Audit ensures that the risk controls are working as designed within the organization and makes recommendations for improvement where there are internal control deficiencies. (Traditionally, internal auditors have focused on accounting processes. Their role is expanding into other areas such as ERM.)
So, how do ERM and Internal Audit work together? First, the ERM Champion engages Internal Audit when developing the ERM policy. Second, Internal Audit uses the ERM risk register as input into the annual audit plan. Think about it – wouldn’t it be great to see the most significant enterprise threats and opportunities as Internal Audit develops the audit plan? Third, Internal Audit inspects the ERM processes, in addition to other organizational processes, to ensure they are efficient and economical.
Audit Management Letter Suggestion: ERM Program
In your next audit, think about the risk management practices in the organization.
Does your client have a written ERM policy? Are the risk processes being performed consistently throughout the enterprise? How are risks being identified and assessed? Does the enterprise risk register include financial risks, strategic risks, operational risks, and other risks? Have the risk appetite and risk tolerance been defined and communicated to the Board, management, and risk owners?
At the conclusion of your audit, consider including ERM recommendations in your management letter. Doing so might save your client a great deal of pain–and you’ll add value to your audit.
Harry Hall, the Project Risk Coach, is a speaker, teacher, author, and blogger. He has implemented project management offices (PMOs) and enterprise risk management (ERM) programs in the financial, healthcare, and agricultural industries. Harry is a graduate of the University of Georgia and is a certified PMP®, PMI-RMP®, and has his Associate in Risk Management (ARM-E).
This is a guest post by Harry Hall, the Project Risk Coach. Harry is a speaker, teacher, and blogger who helps leaders and project managers get results. Harry has managed projects–mainly for insurance companies–for more than 17 years. He also teaches project management courses to CPA firms. Harry lives in Macon, Georgia with his wife Sherri. He can be found on LinkedIn.
Are you wondering how to create new accounting products and services? In this post, I’ll explain how.
Imagine an accounting firm (we’ll call it Premier CPAs) that has struggled in recent years. Revenue is down, and the firm has lost several top clients. To make matters worse, the firm recently received a fail report in its peer review.
The partners recently met and were brutally honest with one another. Something has to change.
Premier CPAs has a great team of auditors. However, they are failing to understand their clients’ needs, and they are not changing their business model accordingly. Over time, competing CPA firms have created superior products and services.
The partners selected a team to go offsite and develop a strategic plan. The group was challenged to perform an assessment of where the firm is and where it needs to go.
The top strategies identified were to:
Implement a more modern auditing software solution
Map and re-engineer Premier CPAs’ audit processes
Implement a small customer service center
How to Make Your Dreams Come True
Great ideas, but how do we make them a reality? It’s easy to talk about things, but it’s another matter to plan and execute new ideas.
Well, you could do this like many lackluster firms. Just do the projects willy-nilly. Do it as you have time. Find a few warm bodies who are not busy to do the work. Maybe assign the activities to the IT guy.
Will you get there? Maybe, but how long will it take? How much further will you fall behind your competition?
Take a different approach. Focus on your goals and strategies. Be intentional.
How to Create New Accounting Products and Services
The following steps can put you on a fast track to greater success:
Define your projects. In the initiation of your projects, define them with project charters. Spell out the problems you are attacking, your goals, what you will deliver, the assumptions of the project, the constraints of the project, key stakeholders, top risks, and who will serve on the project team.
Assign project sponsors. Select partners and senior management who will define and cast the vision for the projects. These leaders should have the authority to provide resources and money to complete the projects. While the project team does most of the work, the sponsors are ultimately responsible for ensuring success (and should be held accountable).
Create project teams. One of the most important things you can do for your projects is to staff the teams. Carefully select individuals who have the knowledge and skills to deliver the project in a timely manner. There will likely be some opportunity cost in this equation. You may have to assign some audit personnel to perform the project work.
Kick off projects. Get your project team and key stakeholders together for the project kick-off. The sponsors should share their vision for the project. The individual leading the project (i.e., project manager) should review the project charter, ensuring that everyone understands the project and their roles.
Monitor progress. The project managers should periodically meet with their team members to check the status of the project and to plan their next steps. The project managers report to the sponsors, and in some firms, the sponsors report to senior management and partners. Doing so provides transparency throughout the firm’s leadership.
Celebrate success. Create a robust project culture by celebrating when teams hit milestones or complete projects on time and under budget. Thank your teams.
Perform benefits realization. How do we ensure that the projects produce the desired results? Measure your results at designated times (e.g., six months and twelve months after the completion of each project).
Parting Words…This Is NOT Easy
These steps may require a significant transformation in the firm’s culture. Changing what people believe, their attitudes, and their behavior is the toughest part of creating a productive project culture.
First, leadership is required, not optional. Without a firm hand, people will fall back into old bad habits. The senior leadership team of the firm must consistently communicate their expectations and lead by example. Make sure there is a high level of accountability with appropriate rewards and recognition for high performing teams.
Second, train your teams in project management. At a minimum, identify and train individuals who will serve as project managers. You may want to get a project coach to work with your firm. Many progressive firms require their project managers to get project management certifications.
Lastly, all of these actions must be performed with an eye on your firm’s strategic goals and objectives. Make sure the changes align and support your vision, mission, and goals.