Monday, January 20, 2020

Can Internal Auditors Identify Corporate Identity Crisis?

According to a Globe and Mail article published a couple of days ago, Canada's favorite coffee shop chain ( Tim Hortons) is going through an identity crisis that could erode its long-established brand. I will not be discussing Tim Hortons's situation in this post even though the coffee shop is an important part of the life of almost every Canadian ( It serves 8 of every 10 cups of coffee consumed outside the home in Canada), but rather I will use it as an inspiration to discuss whether internal audit is equipped to identify corporate identity crisis before it impacts the organization's brand and reputation.

What is Corporate Identity Crisis?

In general, identity crisis in people describe a state of confusion about who they are, their role in society and what they want to achieve in life. When it comes to corporations it means that how the organization perceives itself and promotes itself is in conflict. This description was offered by Jeffery A. Jolton, Ph.D. and Tim L. Geisert of Kenexa in an article entitled "Corporate Identity Crises". They offer more explanation regarding the conflict:

"This conflict prevents the organization from being able to fully attain its goals. Some companies are well aware of the conflict, but either don’t see it as an obstacle (yet it is) or don’t know how to resolve it in order to move forward. Many companies, however, are clueless. Although it is something that others may see as obvious, the leadership isn’t aware there is a problem, and as a result, faces a wall in the company’s progress that it is unable to see"

There are many causes of identity crises in organizations such as a change in leadership, rapid growth, disruption, merger, and change in culture. The signs of identity crisis could be obvious and visible and in other times could be difficult to spot!

To identify the crisis. one should have a deep understanding of the organization's business, objectives, strategic plans, customers, competition and potential risks and disruptions.

Identity crisis could impact organizations negatively if not identified at an early stage and treated!

What Internal Audit Can Do?

Do you think internal auditors are capable of identifying the signs of corporate identity crises in their organizations? Were you personally involved in an identity crisis situation? If your answer is yes please share:

  • How you arrived at the conclusion that there may be an exposure to a crisis. What signs triggered your attention?
  • What audit steps and procedures did you employ to verify and measure the risk of identity crises?
  • What was the management reaction to your findings and recommendations?
  • Was the issue satisfactorily resolved?

In my opinion, the first step in identifying the issue is for internal audit to recognize that corporate identity crisis is a real risk that could happen to any organization! It should be part of the continuous risk assessment and audit planning.

Many techniques can be used to identify identity crisis such as observations, discussions with all levels within the organization, attending executive meetings, internal and external surveys, and culture audits.

These are my thoughts, please share yours!

Photo Credit: sdecoret/ Shutterstock)

Saturday, January 11, 2020

Internal Audit Relationship with Regulators

The Chartered Institute of Internal auditors has recently published an Internal Code of Practice which provides guidance on effective internal audit in the private and third sectors. This code builds on the success of its previous of a similar code for the financial services firms.

The code covers a wide range of areas:

  •   role and mandate of internal audit,
  •   scope and priorities of internal audit 
  •   interaction with risk management, compliance, and finance
  •   reporting results
  •   independence and authority of internal audit
  •   resources
  •   QIAP
  •   relationship with regulators
  •  Relationship with external auditors

I will limit the discussion in this post to the relationship with regulators. The code states that:

" The chief internal auditor should consider the impact of the regulatory environment and have an open, constructive and cooperative relationship with relevant regulators."

How do you interpret and apply the above statement in your country? 
Do you think the code should provide more details and guidance on this important issue?
Would your management accept an open and cooperative relationship with regulators?
What should be the nature, objectives, and scope of such a relationship?

Back in 2015, I wrote a post about  the same subject after reading a Thomson Reuters white paper, you may want to take a look at it:

Please provide your thoughts!

Sunday, January 5, 2020

Should The IIA & ISACA merge?

In a joint IIA and ISACA press release back in 2010, the following statement was included to explain why the management of both organizations have met to discuss shared challenges and opportunities:

"Given the similar—but not same—nature of ISACA’s and The IIA’s professional areas, it is not surprising that the organizations have faced many of the same situations over the past several years." 

A decade later and while we acknowledge that there is a reasonable level of coordination between both organizations, one can not stop wondering if there is a need for both organizations to merge to better serve their members and customers!

Should the rapid change in professional roles, technology, disruption, risks and stakeholders' expectations justify a merger? There were indications throughout various surveys that CAE's are now more involved in the management of IT audits and that this trend is expected to continue in the future. Is this enough reason to start thinking about a merger?

I have raised the merger issue in several posts in the past but did not receive enough feedback! I hope we can now start a debate on this issue. I would love to hear the views of those who support and oppose such a merger!

These are my thoughts, please share yours.


Are you getting the most from the ethics mandatory hours?

 Like many of you at this time of year, I have been looking to take the mandatory two hours of ethics training to comply with the IIA cpe  r...