Suchen und Finden
The Big Picture of Business and Principled Performance
The Big Picture of Business and Principled Performance
Organizations are created to meet specific objectives or meet identified needs. For many organizations a major objective is to earn money and make a profit for its owners and investors. Even public sector and nonprofit entities are concerned about staying within financial budgets and providing a net contribution, after expenses, the organization can use for providing those services. Other objectives often relate to strategic, operational, customer, or processes. We will discuss objectives in more detail later in the book.
Regardless of the type of organization, a group of concerned individuals came together seeing some opportunities or needs in the marketplace. They created a business model to meet those objectives. Business models include strategy, processes, technology and infrastructure that help organizations meet their objectives.
Along the road to meeting objectives, uncertainty happens; uncertainty that invariably has an impact on whether or not the organization will meet its objectives. This uncertainty comes in the form of opportunities and threats, which we will discuss in more detail later in the book. This uncertainty creates obstacles the organization must navigate around on the way to meeting its objectives.
In addition to navigating around the obstacles, an organization must also stay within certain mandatory and voluntary boundaries. Mandatory boundaries include those requirements imposed on an organization by an external party: for example, laws and regulations. Voluntary boundaries are values, policies, procedures, processes, contracts and promises the organization has voluntarily chosen to follow. Often these voluntary promises are made in public statements expressed to its stakeholders or are in the form of agreements with its business partners.
A stakeholder is a person, group, or organization that has direct or indirect stake in an organization because it can affect or be affected by the organization's actions, objectives, and policies. This is a very broad definition, but in today’s inter-connected world it means almost anyone can be a stakeholder of your organization.
To summarize, organizations are trying to achieve certain objectives, while navigating around obstacles and staying within boundaries. Principled Performance2 is the reliable achievement of objectives while addressing uncertainty and acting with integrity. In order for an organization to reliably achieve its objectives, it must ensure it addresses opportunities, threats and requirements.
We can put all of these concepts together into a graphical representation like this:
Graphic: The Big Picture of Business
But if we are here to discuss risk-based auditing, you may be asking why are we spending time discussing this “Big Picture” of business?
Managers are concerned with meeting the organization’s objectives. They have implemented actions and controls to help ensure they meet organizational objectives and are not stopped by the obstacles they face. They also create processes and policies to help ensure they remain in compliance with the boundaries within which they are expected to remain. Risk-based internal auditing is concerned with focusing on objectives, not controls, which is also management’s concern.
Often internal audit activities jump straight to internal controls. They document and test controls. They eat, sleep and breathe controls. So much so, that I believe they often lose sight of helping the organization achieve its objectives. It is like we are standing, staring directly at the tree in front of us and completely forget we are in a forest.
In my opinion, much of the reason many internal audit stakeholders do not see the same level of value in what their internal audit activities are providing is they fail to see the direct connection with what internal audit does and how the organization meets its objective. I believe this disconnect is observed in many, if not most organizations.
So how can we as internal auditors think about this differently and improve the value we are providing to our organizations? By performing risk based internal audits. Focusing on helping the organization meet its objectives instead of trying to over-control the organization.
The Institute of Internal Auditors often uses the analogy of a table to describe good corporate governance3.
The four legs they advocate are:
- Board of Directors
- Internal Audit
- External Audit
While this is a valuable analog, it is very heavily focused on audit, having two of the four legs related to assurance. This analogy makes it seem as if one half of an organization’s governance is dependent on assurance. Not only is this inaccurate, but it can also seem very narrow and even negative to non-auditors. While the assurance functions do play an important role in corporate governance, there are other ways to describe our role. A better way to describe good governance is using the following graphic:
Graphic: The Three Functions of Performance, Risk and Compliance
This graphic represents a balanced or principled approach with efforts from the governance, management and assurance functions focusing on performance, risk and compliance. When all three groups in an organization are working in harmony, that organization is much better prepared to meet its objectives. When all of these components are working in harmony, an organization can achieve Principled Performance, the reliable achievement of objectives while addressing uncertainty and acting with integrity.
We will now examine each aspect of this graphic in more detail.
In every organization there is some governance function. For most organizations this is the organization’s board of directors: a group of external and internal individuals charged with representing the interests of the organizations owners, shareholders and/or stakeholders depending on its legal status and organizational structure.
The governance group provides guidelines and direction to management on what it expects in the management of performance, risk and compliance in the organization. It also sets, or approves the objectives, strategy and risk analysis criteria of the organization.
The management function of any organization is responsible for ensuring performance, risk and compliance activities are addressed and managed properly. Management creates actions and controls to help it “manage” the achievement of the organization’s objectives. Processes, policies and procedures are developed as a form of actions and controls. Performance targets and indicators are developed to track and help management ensure they are on track to meeting organizational objectives. Risk management activities and indicators are developed to reduce the impact of uncertainty and identify threats.
An assurance function is an independent, objective function charged with auditing management’s actions and controls, and reporting the results of their audits back to the governance group. In most organizations this work is performed mainly by an internal audit activity. It could also be provided by an external auditor. The internal audit activity uses the guidelines and direction provided to management by the governance group as the main criteria upon which it performs the audits.
Performance is what management uses to help it meet its objectives. Management sees opportunities, which are calculated in terms of reward. It creates strategies, hires people, develops and implements processes, purchases technology and infrastructure to help it take advantage of these opportunities helping it meet the organization’s objectives. This is what constitutes performance management.
Performance indicators are developed and monitored by management to ensure they are progressing down the path towards meeting the organization’s objectives. They then track key performance indicators (KPIs) to see if they are meeting the desired level of performance. KPIs are those key metrics management monitors regularly to help it ensure it is on track to meet its objectives.
As previously mentioned, on the way to meeting objectives, uncertainty happens. Threats to meeting objectives arise, creating obstacles around which the organization must navigate. Navigating around these threats, that are calculated in terms of risk, is the basic duty of risk management. Risk management is concerned with identifying potential threats, quantifying their potential impact to the organization (risk), and selecting an appropriate risk response to reduce the impact of the threat. Reducing risk to an acceptable level helps ensure the organization is able to meet its objectives.
As we discussed earlier when talking about the concept of the “big picture,” organizations are compelled to follow mandatory boundaries from sources outside the organization. Many of these come in the form of laws and regulations. In addition to the mandatory boundaries, organizations often enter into voluntary boundaries by creating policies and procedures, entering into contracts, or making public promises, to name a few. Maintaining the desired level of conformance to these mandatory and voluntary boundaries or requirements is compliance.
Organizations exist to...