1/13/09: Audit & Risk - Seeing the Forest from the Trees

The Carnegie Mellon CyLab survey on "Governance of Enterprise Security," released in December 2008, raised an interesting issue. The survey measured Boards of Directors' involvement in and understanding of the security of their organizations' information, applications, and networks. Aside from some standard suggestions for increased Board participation in information security governance, CyLab did make a thought-provoking recommendation: "Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks."

The implication is that the Audit Committee (typically chartered by the Board to monitor risk within the business) is fundamentally unable to address enterprise-level risks. I agree. I would also argue that the same is true of the audit function in general. Audit looks at specific transactions, accounts and controls to confirm that they comply with applicable laws, regulations and policies. Since laws and policies state the maximum level of risk a business can assume, the assumption is that the Audit Committee and the audit function are the best qualified to identify situations where the corporation has assumed too much risk. But this approach mistakes the trees for the forest. Audit looks at the trees, or "micro" risks, assessing individual items to determine if they are compliant. "Macro" risk assessment looks at risk across the entire enterprise, industry, markets and geographies. It looks for inter-relationships and complex dependencies. Micro risk addresses whether a bank properly accounts for sub-prime mortgages or collateralized debt obligations (CDOs). Macro risk addresses whether the bank, or even the banking industry, should be in the sub-prime or CDO market in the first place. Can one group or entity adequately assess both micro and macro risks? Probably not.

First, there is a subtle conflict of interest. If you are auditing whether the bank's accounting for sub-prime mortgages meets GAAP, there is an implication that financing sub-prime mortgages is acceptable; you just have to account for them properly. In this type of environment, audit has a tendency to focus on confirming the detail and to divert its attention from the larger issues. My other concern is that auditors and accountants are trained to focus on compliance, not business issues, and they typically have neither the experience nor the inclination to focus on business risk.

The answer, as CyLab suggests, is to take the macro risk responsibility out of the hands of the Audit Committee and give it to a newly formed Risk Committee. The major challenge will be finding committee members who can provide the right perspective on macro trends and risks: individuals who can stand up to management when it argues that, "As long as the music is playing, you've got to get up and dance" (Chuck Prince, ex-CEO of Citigroup).