Outrageous Compliance, Part 2

by James Bone
April 8, 2016
in Compliance
Audit could avoid huge operational losses by automating key internal controls

This series of articles is an irreverent, tongue-in-cheek look at the serious business of risk management and compliance and the lack of scientific rigor dressed up in charts and graphs, which have an appearance of legitimacy, but tell us little about risks.

First of all, let me say that risk management and compliance are important functions and deserve to be taken as seriously as any other discipline in business and government to ensure efficient operational outcomes. My point in these articles is to point out where many firms diverge from serious risk management into the realm of mystery cloaked as rigor.

Victim #2: Internal Controls vs. Risk Management

If you work in risk management, you may be familiar with the “nerd debate” between audit and compliance about the importance of risk management and internal controls. At one point in my career, I was responsible for both risk and compliance, so I won the argument with myself but continued to debate with audit over the risks in internal controls.

Here is a typical scenario: Audit performs a review of internal controls, policy and procedures or monitoring processes designed to prevent, correct and/or detect weakness. Depending on the audit department’s designated range of severity (e.g., significant, moderate or minor), a final audit report is sent to management for corrective action and a debate ensues regarding the significance of the finding.

The audit process is an important part of the control environment at all firms and is frequently cited as a key “line of defense” function in the Three Lines of Defense mantra in internal controls design. Audit’s review with management is oftentimes a very frustrating experience from both the auditor’s and management’s perspective.

However, any pushback by management is often viewed by auditors as resistance to the findings. On the other hand, management frequently feels that auditors do not understand, or have not taken into account, the secondary or tertiary mitigating controls that apply in the event primary controls fail. Inevitably, the following questions are asked of auditors:

  • “What is the risk?”
  • “May I accept the risk?”

Another option (my favorite) is “I disagree with the risk, and here are my counterpoints.” This often leads to a stalemate that may never get a complete resolution. Sound familiar?

As everyone knows, auditors have some leverage in the argument, as these findings are part of the reports to senior management and are selectively presented to directors on the Board’s audit committee. Management, on the other hand, does have a valid point in arguing for context from a risk perspective and does not want to be perceived as uncooperative or, worse, deficient in managing their operations. These debates happen in many organizations at all levels of the firm, yet the process for fully addressing internal controls design has not changed in decades. What is the problem?

Several factors contribute to poor internal control design, resulting in a perpetual nerd debate that is never fully resolved. Needless to say, there is a lot to unpack on this topic, but I will offer a few relevant observations. To fully understand the problem, we should look at the opportunities from the auditor’s perspective first, then take on management.

Auditor Observations

Each year, auditors develop an audit plan based on current issues, the past year’s findings and new regulatory mandates determined to be most relevant. The audit plan is packed with initiatives, some driven by management, the Board or collaboration with the external auditor. Many internal audit functions are so busy that much of the work must be subbed out to external audit or consultants, who subsidize the audit work, not the costs.

Busy audit functions appear to add value from this work, but in truth, it is hard to quantify the cost benefit and the real reductions in the total cost of risk or the total cost of compliance (hereinafter TCoR and TCoC). TCoR/TCoC is a concept from the insurance industry, but it is equally relevant for all risk professionals to understand and to measure their work against. TCoR/TCoC is a measurable calculation that should be the yardstick for improvement of any risk management program. How you measure TCoR or TCoC is up to you, but there should be a number associated with risk and compliance. Otherwise, how do you evaluate the ever-increasing costs of audit, risk and compliance functions?

Next, auditors should create two tiers of audits:

Tier I should focus primarily on internal control design. Rarely will you find a core focus on internal control design at the level I am describing. Basically, auditors should “recommend” opportunities to automate internal controls to relieve operations personnel of the expanding cognitive load that comes with “yet another policy or procedure” requiring a manual process.[i]

Firms spend the bulk of their capital on customer-facing technology while short-changing the operations staff who work out the details on the back end. In my unscientific research, I have determined that 98 percent of operational risk is the result of cognitive load, or what is known as decision risk. The vast majority of operational risk, fraud and other internal control failures come from human decision making, intentional or otherwise.

If you could save 50 to 80 percent of operational losses simply by automating key internal controls over a five-year period, real benefits could be realized to the bottom line. I am convinced that auditors, compliance and risk professionals’ focus on high-frequency/low-impact risks is to the detriment of addressing the true risks hidden beneath the surface.

Tier II audits should focus on a risk-based approach. Not the version used today by audit firms, in which they decide what the risks are. I am talking about a truly risk-based approach driven by a quantitative analysis of events. With few exceptions, auditors do not have a robust database of losses, events or IT issues with which to identify high-risk exposures, so they rely solely on qualitative determinations of risk, and that is the major cause of nerd debates.

If you don’t believe me, the next time you are presented with a significant or material finding in an audit report, ask the auditor to explain the distribution of probabilities of expected failure that led to the audit finding. This will be a short conversation if you tell the auditor that you need this information so that senior management can prioritize this finding with the other initiatives they have on their plate.

Audit opinions are an important part of the oversight process and should not be taken lightly. However, I am suggesting that a risk-based approach should not be opinion-based; it should be measurable. The TCoR/TCoC will continue to rise unless a better approach is taken to measure risk reduction.

Management Observations

Management should work closely with audit to understand internal control design. The car industry, aerospace, NASA and other industries have become safer and reduced risks by minimizing the cognitive load on humans who perform complex tasks and maintain high levels of quality performance. We all get tired, and when we do, things slip. We are asking entry-level Millennials to perform at high levels while we allow them access to their social media accounts to keep up with sports news and the latest Kardashian Instagram posts! Something will break in the balance.

The insider threat and operational risks have been perennial problems. Why not simply build internal controls into the operating systems and allow operations staff to focus on customers’ needs most efficiently? If you look at the majority of cyber risk events, the primary vulnerability is not the security defense posture but human behavior – including the inability of security personnel to keep up with manual processing and with updates to internal control maintenance.

In order for this transformation to work most effectively, management must have data to understand why high-frequency/low-impact risks exist! Is it because of complex policies and procedures? Manual workarounds? A lack of straight-through processing? Or other factors? Automating poorly designed controls saves money and reduces risks.

It also helps to reduce the debate about what risk and good internal control design are.

[i] https://en.wikipedia.org/wiki/Cognitive_load


James Bone
James Bone’s career has spanned 29 years of management, financial services and regulatory compliance risk experience with Frito-Lay, Inc., Abbot Labs, Merrill Lynch, and Fidelity Investments. James founded Global Compliance Associates, LLC and TheGRCBlueBook in 2009 to consult with global professional services firms, private equity investors, and risk and compliance professionals seeking insights in governance, risk and compliance (“GRC”) leading practices and best in class vendors. James is a frequent speaker at industry conferences and contributing writer for Compliance Week and Corporate Compliance Insights and serves as faculty presenter and independent consultant for several global consulting firms specializing in governance, risk and compliance, IT compliance and the GRC vendor market. James created TheGRCBlueBook.com to provide risk and compliance professionals with transparency into the GRC vendor marketplace by creating a forum for writing reviews on GRC products and sharing success stories on the risk practices that are most effective. James is currently attending Harvard Extension School for a Master of Arts in Management with an emphasis in accounting and finance. James received an honorary PhD in Letters from Drury University in Springfield, Missouri and is a member of the Breech Business School Hall of Fame as well as the Missouri Sports Hall of Fame. Having graduated from the Boston University Graduate School of Education, James received his M.Ed. in Management and Organizational Design in 1997 and a Bachelor of Arts in Business Administration from Drury University in 1980.  
© 2025 Corporate Compliance Insights