Jamming with Jason E126: Objective Centric and Demand Driven Internal Auditing with Tim Leech

Which centric approach are you following?
I’m speaking with the legendary Tim Leech about the difference between objective, risk, compliance, process, and control centric approaches … and centric is not the same as based.

Listen in at: http://www.jasonmefford.com/jammingwithjason/ and learn the difference so you can start improving the value you add to your organization.

Risk-based internal auditing is objective-centric when you actually link to key objectives … a critical step most in #internalaudit forget. “Risk ranking an audit universe based on another centric model, does not risk-based internal audit make.” Yoda 🙂

When you are ready to become objective-centric and risk-based check out how you can get the step-by-step process for getting started: https://ondemand.criskacademy.com/p/certified-risk-based-internal-auditor-crbia/?affcode=105582_jpp6czlf

Transcript

1
00:00:02.399 –> 00:00:14.549
Jason Mefford: Hey, I am very, very honored today to have Tim leech with me and I’m telling you, if you, if you don’t already know who Tim leeches. Then, shame on you.

2
00:00:14.940 –> 00:00:25.680
Jason Mefford: Because if you’ve been in this industry for any amount of time, you should know who he is and I wanted to bring Tim on today, you know, and kind of introduce him a little bit. He has been around.

3
00:00:26.970 –> 00:00:35.040
Jason Mefford: The industry for a long time. And one of the reasons that I love. Tim and wanted to talk to him is we both like the word contrarians

4
00:00:36.150 –> 00:00:45.300
Jason Mefford: Or we’re often kind of viewed as contrarians and I love the message that Tim brings and that he shares with people.

5
00:00:45.720 –> 00:00:51.000
Jason Mefford: And I’m hoping you know as we go through and talk today, because there’s a few things that I wanted to make sure that we talked about.

6
00:00:51.420 –> 00:01:00.930
Jason Mefford: That it will help many of you kind of understand and solidify and gel, some of these things that people like Tim have been talking about for 30 plus years.

7
00:01:01.350 –> 00:01:13.200
Jason Mefford: But people still aren’t getting it. Okay. So, Tim. Welcome, my friend. I am. I’m actually very honored as well to have. You with me so. How you doing, man.

8
00:01:13.680 –> 00:01:22.440
Tim Leech: Well, thanks for having me. And I appreciate you reaching out to find out about my quote on Prairie.

9
00:01:24.360 –> 00:01:25.050
Tim Leech: Yes.

10
00:01:25.500 –> 00:01:25.890
It’s

11
00:01:27.510 –> 00:01:34.410
Jason Mefford: I was gonna say it’s funny because there’s, there’s a few of us in the industry. You know, we were talking before about people like Norman to where

12
00:01:35.010 –> 00:01:44.220
Jason Mefford: It’s you. We say what’s on our mind and what we think people need to hear but it often doesn’t tow the party line, if you will.

13
00:01:45.120 –> 00:01:52.620
Jason Mefford: And so, you know, people that don’t, you know, preach the religion or tow the party line sometimes kind of get pushed off to the side.

14
00:01:53.340 –> 00:02:11.160
Jason Mefford: And but but the message that you have, you know, because you talk a lot about objective centric. And so, you know, I wanted to kind of get in and you know because you’ve also had enough time in your career that you’ve seen all of the history in the back in the fourth

15
00:02:12.690 –> 00:02:16.440
Jason Mefford: But maybe let’s kind of start off talking a little bit about, you know, what is

16
00:02:16.950 –> 00:02:25.770
Jason Mefford: An objective centric approach and I know you said before that sometimes talking about the other four centric approaches, because there’s kind of five approaches.

17
00:02:26.520 –> 00:02:36.300
Jason Mefford: helps people really kind of understand what the difference is with objective taking an objective centric approach versus some of these other approaches.

18
00:02:37.350 –> 00:02:45.480
Tim Leech: Yeah, I think the notion of, I’m happy to explain the notion of objective centric. But also, you know, introduce the others, but

19
00:02:46.620 –> 00:03:03.300
Tim Leech: It’s fair to say that my entire career has been focused on convincing the world that organizations, both public and private sector would be better off if they aspired to strong first line.

20
00:03:04.800 –> 00:03:14.970
Tim Leech: Objective centric assurance that integrates all of the efforts of the first, second, third,

21
00:03:15.480 –> 00:03:23.040
Tim Leech: And in the framework we promote we consider senior executives to be the fourth line and the board of directors to be the fifth line.

22
00:03:23.700 –> 00:03:32.670
Tim Leech: So I have actively if you were to Google five lines of insurance, you’d find all kinds of articles from Tim leach promoting five lines of insurance but

23
00:03:33.390 –> 00:03:44.670
Tim Leech: At a 30,000 foot level my whole career has been defined by the belief that organizations would run more effectively and

24
00:03:45.600 –> 00:03:56.190
Tim Leech: Be better for stakeholders, including shareholders. If all of the lines would coordinate their efforts around the most important objectives that the entity needs to achieve.

25
00:03:56.880 –> 00:04:07.170
Tim Leech: And that has been the the guiding principle, if you will, from 1985 on when we launched control self assessment at golf Canada.

26
00:04:08.970 –> 00:04:22.200
Tim Leech: So it’s not just about objective centric. The reason I’m so big on objective set centric is if you want. If you believe that management is responsible for managing risk.

27
00:04:23.280 –> 00:04:33.750
Tim Leech: I’ve always just said, how can you not believe that management should be able to assess whether their current choices right now or any good or not so

28
00:04:33.840 –> 00:04:35.370
Jason Mefford: In a part of the whole management.

29
00:04:35.370 –> 00:04:47.370
Tim Leech: Process. So, you know, very early on I would I you know I would sometimes make jokes at large conferences and I had clients that I would say to them.

30
00:04:47.880 –> 00:05:00.450
Tim Leech: Look, you know, I don’t mean this in an offensive way. But the reality is, the more in the better audits, you do the less management thinks they need to learn how to do an assessment of their own situation.

31
00:05:01.350 –> 00:05:12.330
Tim Leech: Somebody that you’re going to come along and do it for them. And you’re going to tell management, the parts you don’t like. And as long as you’re good with a week first line approach to risk management.

32
00:05:13.410 –> 00:05:23.730
Tim Leech: That’s what traditional auditing does is it assumes it literally assumes management has not done an assessment. Otherwise, the first question you would always ask

33
00:05:24.810 –> 00:05:28.260
Tim Leech: Is we’re here to audit topic x

34
00:05:29.490 –> 00:05:44.610
Tim Leech: We’ve decided it’s worth $100,000 internal audit. Fair enough. Wouldn’t you think management would have done a self assessment if if it’s that important to the company that audits going to spend resources.

35
00:05:45.030 –> 00:05:46.170
Jason Mefford: As it kind of look at it.

36
00:05:46.170 –> 00:05:57.360
Jason Mefford: Yeah yeah well and it’s interesting because, as you said it that way to it’s almost because I’m always interested in the psychology and the human behavior behind it, right, is that

37
00:05:58.230 –> 00:06:12.270
Jason Mefford: You know, in the eye has her three lines of defense. Now it’s a three lines model, whatever, blah, blah, blah. Right, that that actually internal audit subconsciously would probably prefer

38
00:06:13.350 –> 00:06:19.230
Jason Mefford: A weaker first line because it gives us a reason to have a job right.

39
00:06:20.610 –> 00:06:29.310
Tim Leech: Well, in the early days when we were promoting the mantra of control risk self assessment, which is fundamentally a strong first line model.

40
00:06:30.540 –> 00:06:42.570
Tim Leech: We would have old guard internal auditors that would literally get up right in the middle of the presentation and say this is nothing to do with why would I teach management how to do that.

41
00:06:43.050 –> 00:06:59.850
Tim Leech: What will there be for us to do. And I said, oh my god. These are people that are in chief internal audit positions that are are saying they actually prefer management to be unaware

42
00:07:00.120 –> 00:07:02.490
Tim Leech: So they’d have plenty of findings.

43
00:07:03.420 –> 00:07:05.340
Jason Mefford: I printed it sounds pretty silly that

44
00:07:05.850 –> 00:07:07.620
Jason Mefford: I did but that’s what they’re saying. Right.

45
00:07:07.740 –> 00:07:14.160
Tim Leech: I wasn’t. I’m not making the story up. It happened and I conferences and

46
00:07:15.600 –> 00:07:26.550
Tim Leech: It took quite a lot of convincing in the early 90s to convince the AIA that teaching management how to better manage

47
00:07:27.180 –> 00:07:41.670
Tim Leech: Risks to their most important objective should really be seen as a core part of internal audits job. It’s not seen as a core part of most internal lot of jobs.

48
00:07:42.330 –> 00:07:57.660
Tim Leech: And and so that’s what we proposed it at Gulf Canada and CEO bought into it and hundreds of clients around the world that I’ve worked with since I went into public practice in way back in

49
00:07:58.890 –> 00:08:09.000
Tim Leech: I guess 1987 I I came in set up the control and risk management services practice for Coopers and lybrand in Toronto.

50
00:08:09.660 –> 00:08:29.760
Tim Leech: And that practice was a mix of forensic accounting controllers self assessment fraud vulnerability ethics and but all of its it’s on that whole you know the I, I took a position for quite a while they set up the CCS a certification.

51
00:08:30.330 –> 00:08:33.090
Tim Leech: And actually did champion for a while.

52
00:08:33.210 –> 00:08:37.770
Tim Leech: But never really got any support and that designation is largely gone

53
00:08:38.340 –> 00:08:40.590
Jason Mefford: Well, it is gone now. They’re not offering it anymore.

54
00:08:40.620 –> 00:09:02.190
Tim Leech: Yeah. And what’s what’s been replaced by is the CRM. A but the CRM. A doesn’t teach them. If you go in and management is not trained not capable and isn’t doing self assessments of their own. You should give them a V report on the quality of their risk management framework.

55
00:09:03.270 –> 00:09:15.690
Tim Leech: I mean, how can you consider a risk management framework to be truly effective if management receives no training, how to identify risks is not expected to regularly.

56
00:09:16.410 –> 00:09:26.280
Tim Leech: Identify and actually write down what are the risks to their most important objectives and doesn’t know how to line up risk treatments with those

57
00:09:27.450 –> 00:09:43.200
Tim Leech: How can you consider a risk framework effective if that’s the case, and the reality is, is if you look at the AIA materials and you look at their most recent guidance on how to assess the effectiveness. They do proposing a maturity scale.

58
00:09:44.280 –> 00:09:57.570
Tim Leech: Go and read the maturity scale and you will realize that level four and five actually do say hey, these are scenarios where management actually knows how to assess

59
00:09:58.800 –> 00:10:08.850
Tim Leech: And is doing it. So that’s, that’s, you know, Level five is called optimized in that framework. So when the I put that out. I said to them, while

60
00:10:09.630 –> 00:10:23.400
Tim Leech: Help me out here. I’m a simple guy does that mean if you’re at level one and two, you have an ineffective control framework, can you have an in a truly effective framework.

61
00:10:24.210 –> 00:10:31.050
Tim Leech: That is that is at the lowest level of maturity. If it’s in a high change rate environment.

62
00:10:32.040 –> 00:10:44.220
Tim Leech: Nowhere in that guidance does it say so. It says, Okay, let’s forget about whether it’s effective or not. Let’s just report, whether it’s what level of maturity. And I said, No, no, no, no, no.

63
00:10:44.820 –> 00:10:54.630
Tim Leech: If I’m on the board of directors, I want to know, say we’re Level two is Level two effective or ineffective, not only

64
00:10:54.930 –> 00:10:57.900
Tim Leech: That I met Level two out of five doesn’t help me.

65
00:10:58.410 –> 00:11:07.890
Jason Mefford: Know, and that’s, that’s one of the problems of maturity models have in general, usually is, again, it’s like, well, is one. Okay, or is it not okay is

66
00:11:07.950 –> 00:11:09.870
Tim Leech: Like what we should aspire to.

67
00:11:10.020 –> 00:11:17.130
Jason Mefford: Or not. And again, so there there’s so nebulous in that way that that it doesn’t it doesn’t ever get back to the effectiveness, like you said,

68
00:11:17.400 –> 00:11:28.410
Tim Leech: Well, and if you read the guidance. It says, big motherhood, things like everybody should tailor their program for their unique search circumstances. But make no mistake standard

69
00:11:30.480 –> 00:11:39.690
Tim Leech: internal auditor should report on the effectiveness of the risk management process. It doesn’t say internal auditor should report what level of

70
00:11:40.050 –> 00:11:40.920
Clarity.

71
00:11:42.360 –> 00:11:44.010
Tim Leech: That’s not what it says.

72
00:11:44.130 –> 00:11:50.370
Tim Leech: Yeah, so you’re really side slipping the fundamental requirement in the standard by saying

73
00:11:50.910 –> 00:12:03.330
Tim Leech: You don’t have to actually say whether it’s effective or ineffective or appropriate or inappropriate. All you have to do is say it’s a two and a half out of five and show them on the little sliding scale how that works.

74
00:12:05.100 –> 00:12:13.050
Jason Mefford: Well, but even the two and a half out of five. It’s like, you know, again, it’s like 2.7 verses 2.8. No, it’s a five step scale. It’s one

75
00:12:13.830 –> 00:12:17.130
Tim Leech: You know, I like the credit where credit’s due and

76
00:12:17.310 –> 00:12:28.290
Tim Leech: Levels four and five are actually describing stronger and stronger first line risk management so implicitly, they are saying

77
00:12:29.190 –> 00:12:36.030
Tim Leech: Except they never actually said four and five is better. They just said that. It’s that it’s more mature.

78
00:12:36.690 –> 00:12:48.300
Tim Leech: So, so, and I, you know, I’m not talking out of school I write these comments directly to the AIA when I read exposure drafts and I regularly pound on these principles when I’m talking

79
00:12:48.870 –> 00:13:00.810
Tim Leech: I correspond I send my posts ALL THE TIME TO THIS YEAR’S global chairs and eat the john who did the working group Chair of the three, the new three lines model.

80
00:13:01.590 –> 00:13:11.940
Tim Leech: And the three lines model is the closest thing yet that the IAA has produced that says the first line should actually assess and report.

81
00:13:12.510 –> 00:13:21.180
Tim Leech: Yeah, but they said assessment report on risk and I wrote them and said I really wish you’d said certainty of achieving objectives.

82
00:13:22.020 –> 00:13:36.750
Jason Mefford: Well, because that’s that’s the point where you and I, you know, agree so much on this is that everybody just wants to use the word risk without really realizing what we’re trying to do when we’re managing risk which goes back to that uncertainty of objectives.

83
00:13:37.290 –> 00:13:50.010
Tim Leech: Right and Norman marks is has been banging that gone we really have not seen the I come out with any clarity and suggest that internal auditors should actually

84
00:13:50.610 –> 00:14:10.020
Tim Leech: Articulate and write down during the auditing planning process, just what are the most important objectives of the corporation and, most recently, I wrote a blog post, because they just issued a new way of doing assurance universes.

85
00:14:11.310 –> 00:14:11.820
Tim Leech: If

86
00:14:11.880 –> 00:14:17.040
Jason Mefford: They didn’t make sense. It does it start with the most important object now. They said they’re going to use risk.

87
00:14:17.190 –> 00:14:26.160
Jason Mefford: Categories. Yeah, well, and which is why, you know, again, I think maybe let’s kind of take us back to these five different centric approaches, because

88
00:14:26.640 –> 00:14:34.110
Jason Mefford: I think this is going to hopefully help people because it same thing when I when I read that document that you’re referring to.

89
00:14:34.890 –> 00:14:44.310
Jason Mefford: Yeah, there was some nice talk about about objectives in there a little bit from a risk standpoint, but then it’s just focusing on the risks not tying back to objectives.

90
00:14:44.760 –> 00:14:52.140
Jason Mefford: But it’s still going right back to a process level audit universe, and there’s no linkage between the two.

91
00:14:52.500 –> 00:15:03.150
Jason Mefford: So, so let’s kind of go through, because usually teach people and talk about five different centric kind of focused approaches. So let’s kind of go through those just talk a little bit about each one

92
00:15:03.600 –> 00:15:10.590
Jason Mefford: So people can really kind of understand the difference with what objective centric really means.

93
00:15:10.740 –> 00:15:33.240
Tim Leech: Sure. I think it’s a you know foundation building block for the last 25 years when I run training courses like I always include a module on on so that the people in the class. Get the idea of the different ways you can approach the task of giving assurance. So the five methods, very simply.

94
00:15:34.260 –> 00:15:40.230
Tim Leech: Are the oldest is compliant centric and organization rights rules rights policies.

95
00:15:41.730 –> 00:15:53.070
Tim Leech: Even back in the old days when I used to get an audit program to go out and audited a refinery either would be all set of things thou shalt do x

96
00:15:53.160 –> 00:15:55.800
Tim Leech: Okay, let’s go on it, whether they’re doing X.

97
00:15:56.100 –> 00:16:01.440
Tim Leech: Now, who decided they should do x. Well, there’s a policy that says they should do X, fair enough.

98
00:16:01.950 –> 00:16:17.040
Tim Leech: So that was the oldest form of auditing is you would go out and you set of rules that somebody had decided in their wisdom were important to do and the auditors would would verify that those rules were being followed. So that’s what I call compliance centric.

99
00:16:19.590 –> 00:16:36.630
Tim Leech: Process centric was when when I joined Coopers and lybrand in 1979 to become an external auditor Coopers and lybrand taught process centric auditing, they would taught taught you to study the revenue cycle the disbursement cycle.

100
00:16:37.830 –> 00:16:50.040
Tim Leech: They had all different ones that they would consider processes and you would work your way through the process flow chart it and you would identify what you called key controls in the process.

101
00:16:50.700 –> 00:17:01.170
Tim Leech: And so that was the earliest form. But the notion was is that no matter what you’re doing. So, you know, in your house at home, you have a process to acquire food.

102
00:17:01.740 –> 00:17:03.690
Tim Leech: You can think of that as a process.

103
00:17:03.690 –> 00:17:09.660
Tim Leech: Right, you could flow chart it. How do we did decide what we want to eat next week.

104
00:17:10.290 –> 00:17:23.310
Tim Leech: What are the steps and you could flow chart that and you could then decide are their flaws in the process. So, but the emphasis was on documenting the process.

105
00:17:23.970 –> 00:17:40.380
Tim Leech: And then risk centric, which has come into vogue the AIA uses the words risk centric regularly and has for the last 1520 years. The idea was, is we can be more than compliance police

106
00:17:41.160 –> 00:17:50.940
Tim Leech: We should, we should look at the biggest risks, the company. However, the process us to decide what are the biggest risk usually started in the audit room.

107
00:17:51.450 –> 00:17:53.550
Tim Leech: With a bunch of auditors sitting around

108
00:17:53.580 –> 00:18:07.500
Tim Leech: Saying, What do we think are the biggest risks process that they use to decide that rarely started by saying, first let’s agree with the company’s biggest and most important objectives are, it just did.

109
00:18:08.130 –> 00:18:22.290
Tim Leech: Dip so that’s risk centric risk centric is you go in a room and you ask a bunch of people in the room. What do you see as the biggest risks to the company to the department to the project.

110
00:18:23.370 –> 00:18:29.640
Tim Leech: People will make up in their own mind what they think the objectives are, and they’ll start telling you what they think risks are.

111
00:18:30.750 –> 00:18:44.070
Tim Leech: But it often does not start by saying before you answer that. Let’s write down what are the 10 most important objectives that must be accomplished by the company.

112
00:18:44.520 –> 00:18:57.900
Tim Leech: The department, the subsidiary, it does it rarely does that. So, so that’s risks entry and it’s done in all different ways but risk registers are the purest form.

113
00:18:58.680 –> 00:19:05.190
Tim Leech: Where you’re asking people this question. What do you see as the biggest risk 10 your parking them all in quote a register.

114
00:19:05.940 –> 00:19:20.820
Tim Leech: And then you’re putting red ambers and greens and you’re doing likelihood and consequences but rarely, is there an answer to which objectives are most quote at risk of not being achieved.

115
00:19:21.570 –> 00:19:30.210
Tim Leech: As a result of the way we’re managing the risks to an objective and so that’s risk centric.

116
00:19:30.720 –> 00:19:49.320
Tim Leech: Control centric. A lot of people haven’t had much experience with but it’s it’s actually evaluating your controls against an accepted control model and Canada built one in the 80s, called the criteria of control cocoa for short.

117
00:19:50.820 –> 00:20:04.170
Tim Leech: United States came along with the first Kosovo internal control financial reporting framework I the correct me if I’m wrong. I think it was around 2003

118
00:20:05.670 –> 00:20:08.580
Tim Leech: Was when Kosovo, let me think.

119
00:20:09.000 –> 00:20:10.380
Jason Mefford: Well, they did the original one in the

120
00:20:10.380 –> 00:20:11.460
Tim Leech: 90s.

121
00:20:11.670 –> 00:20:15.450
Jason Mefford: Yeah, I think they did the original Kosovo and 92

122
00:20:16.080 –> 00:20:17.400
Tim Leech: Well, there was a day.

123
00:20:17.700 –> 00:20:22.980
Jason Mefford: Yeah, but then they did the update with was a Tuesday I was like 2003 or something.

124
00:20:23.010 –> 00:20:35.460
Tim Leech: Yeah, they treat the history of Kosovo was Treadway Commission went and studied what went wrong. One of the Treadway Commission’s findings was that nobody agreed with the words internal control meant

125
00:20:36.870 –> 00:20:47.880
Tim Leech: So Treadway he became the sponsors of Treadway are in fact the founding members of Kosovo so Treadway morphed into Kosovo.

126
00:20:48.510 –> 00:20:59.190
Tim Leech: And Kosovo, then turned out the very first effort which in my mind was significantly less useful than the Canadian for Category 20 element model.

127
00:20:59.820 –> 00:21:20.070
Tim Leech: The first effort at coastal was a five category and a lot of people don’t know that the actual exposure draft of the first go so was a nine category model that was genius. The authors were Coopers and lybrand and it actually did say objectives were the most important category.

128
00:21:21.660 –> 00:21:22.980
Jason Mefford: Of lost to history.

129
00:21:23.430 –> 00:21:29.220
Tim Leech: In between, and I I’ve written about this at length, but I have all of the details like with the quotes and

130
00:21:29.610 –> 00:21:44.130
Tim Leech: So the original exposure draft of Kosovo actually said you should have objectives and you should measure whether you’re achieving them. The final five category framework that was released around whatever that date was

131
00:21:47.160 –> 00:21:57.240
Tim Leech: All gone. So we went back to old speak with words like control environment and and communication, which was vague.

132
00:21:58.170 –> 00:22:00.330
Tim Leech: It didn’t say you should measure anything and

133
00:22:00.330 –> 00:22:04.230
Tim Leech: Just said you should communicate stuff so so

134
00:22:05.310 –> 00:22:21.210
Tim Leech: But if you go back and you look at the exposure draft. I was so excited about that exposure. Now, I thought it was genuine breakthrough thinking and it got hammered back into audit speak. By the time the final product got released, but

135
00:22:22.290 –> 00:22:39.360
Tim Leech: So coco, coco, coco came out with a five category and the elements you actually had to try and figure out yourself that they were kind of written, but they weren’t nice and crisp and clear like the Canadian one was a fourth category 20 criteria.

136
00:22:39.360 –> 00:22:51.150
Tim Leech: In Kosovo was five categories know devote dodo boat bad but what were the sub elements of those five categories. It was kind of vague and I made them up.

137
00:22:51.660 –> 00:23:02.340
Tim Leech: So I actually converted it into a probably about a 70 or 80 element model under the five categories. So that’s what I call control.

138
00:23:03.060 –> 00:23:17.520
Tim Leech: centric you’re taking a framework that somebody says is good, but we can look at things like the Malcolm Baldrige Quality Framework, we can look at other models that even co bit

139
00:23:18.930 –> 00:23:41.490
Tim Leech: Is in essence a control centric framework. It’s saying you should be doing this bunch of stuff. So anybody that writes a framework that says you will look good. If you do these things. So now co when they updated the code causal framework. They did actually turn it into a 20 category.

140
00:23:41.730 –> 00:23:42.870
Tim Leech: Yeah, so let’s

141
00:23:44.070 –> 00:23:52.050
Tim Leech: Go now, but now it’s got principles. So the principles are the sub elements. And so that’s control criteria.

142
00:23:53.670 –> 00:24:00.090
Tim Leech: So if you were to use that you would actually describe to your audit committee, how you

143
00:24:00.840 –> 00:24:16.530
Tim Leech: Look, or don’t look like the model that you’re using as the framework to report against. So you’d say do we measure up against. So Sarbanes Oxley actually requires an opinion against the Kosovo internal control framework.

144
00:24:17.460 –> 00:24:31.560
Tim Leech: Now most auditor skip that step and never really give you one but it literally says in the words that they’re looking for an opinion against the suitable framework right they define what a suitable framework.

145
00:24:31.770 –> 00:24:37.560
Tim Leech: Is but everybody used coastal they said you could use to the Canadian framework.

146
00:24:37.590 –> 00:24:38.040
Jason Mefford: Well, because

147
00:24:38.220 –> 00:24:38.910
Tim Leech: Framework.

148
00:24:38.940 –> 00:24:51.150
Jason Mefford: But yeah, because in one I think paper one letter back from somebody at the SEC, they said well COSA is an example of one of them, like we mean And everybody’s like, oh, okay. Well, yeah, but you can use any of them.

149
00:24:51.450 –> 00:25:04.560
Tim Leech: Well, and the reality is, is, you know, the big four accounting firms are US centric and the requirement for Sarbanes Oxley to report an opinion against a control framework.

150
00:25:06.960 –> 00:25:12.780
Tim Leech: Required all of the largest companies in the world that access the US Securities Markets for capital.

151
00:25:13.620 –> 00:25:24.750
Tim Leech: To have opinions, whether they are not in accordance with coastal first from the CEO and CFO and then independently from the external auditor.

152
00:25:25.470 –> 00:25:36.300
Tim Leech: So that’s a control criteria model objective centric says let’s start by agreeing, what are the organizations or the department or the subsidiaries top

153
00:25:36.870 –> 00:25:43.200
Tim Leech: Most important value creation objectives. These are the things that are going to make us great drive us forward.

154
00:25:43.860 –> 00:25:53.100
Tim Leech: And what are the most important value preservation value preservation not going to make you great, but if you don’t do them well. It’ll take you into the ditch.

155
00:25:53.520 –> 00:26:04.500
Tim Leech: And destroy your value of your company and your shareholders. So nobody’s going to ever win the company of the year, because they published fabulous financial statements.

156
00:26:05.040 –> 00:26:08.850
Tim Leech: But if they published materially wrong financial statements.

157
00:26:09.330 –> 00:26:10.110
Jason Mefford: It’s not good.

158
00:26:10.470 –> 00:26:13.230
Tim Leech: It’s not good. And the same goes with data.

159
00:26:13.230 –> 00:26:27.060
Tim Leech: Security, you lose all your customers social security numbers and credit card numbers and all their personal health data. It’s bad. But, you know, protecting it wasn’t going to make you a great hospital.

160
00:26:29.010 –> 00:26:29.850
Tim Leech: So, so

161
00:26:30.180 –> 00:26:42.480
Tim Leech: That’s what objective centric is so we have encouraged people and on our website on the resources page, you can download a nice 15 page summary description of the five methods.

162
00:26:43.020 –> 00:26:53.820
Tim Leech: And we encourage people to actually inventory look is your internal audit department. So I actually encourage audit committee chairman to ask the CAE.

163
00:26:54.600 –> 00:27:03.840
Tim Leech: What percentage of these five methods do you use in doing your audit work. So I want you to take all of the hours that the audit department puts in

164
00:27:04.740 –> 00:27:16.860
Tim Leech: Which combination of these five methods are you using and the reality and most audit jobs, the one they use least or perhaps not at all is objective center.

165
00:27:18.120 –> 00:27:19.740
Jason Mefford: Yeah, well, I think, I think that’s a

166
00:27:20.940 –> 00:27:28.080
Jason Mefford: You know, I use a different term just because everybody’s been talking about risk based auditing. So I had been using the term risk based internal auditing, but it’s

167
00:27:28.560 –> 00:27:37.830
Jason Mefford: It’s really what you’re talking about, from the objective centric standpoint is what are the what are the key objectives and we go from there. Right. And everything that’s on your audit plan.

168
00:27:38.670 –> 00:27:45.930
Jason Mefford: In my opinion, should probably come from there. But I think it’s interesting how how you said here to that I want to kind of bring up for people is

169
00:27:46.620 –> 00:27:58.350
Jason Mefford: If you look at your audit plan. Right. How much of it is compliance centric. How much of it is process centric. How much of it is control centric or risk centric.

170
00:27:58.800 –> 00:28:07.500
Jason Mefford: Or really goes back to the objective because there. I mean, there is the reality is we have to do some compliance things we might have to do some control things

171
00:28:07.950 –> 00:28:20.850
Jason Mefford: Just as an expectation. But to me, you know, really, the process and risk even flows from the objective. Right. Is that is that if we really understand what our

172
00:28:21.480 –> 00:28:33.660
Jason Mefford: Most important value creation or value preservation objectives are, then the risks and the processes that we need to look at are going to flow from that.

173
00:28:34.620 –> 00:28:43.650
Tim Leech: Yeah. And one of the things that we make very clear is that one of this fundamental flaws and risk registers, is that they take.

174
00:28:44.250 –> 00:28:51.240
Tim Leech: Risks that relate to many, many objectives and they plug them into a register in isolation.

175
00:28:51.930 –> 00:28:59.130
Tim Leech: Well, if you took your home and you said one of the risk is that occupants are unaware of that there’s a fire.

176
00:28:59.850 –> 00:29:13.980
Tim Leech: And then you put it in a risk register and yeah but I mediums and low on it and you decide your there’s going to be a risk owner, but nobody in the house is responsible for safeguarding the health and safety of the occupants.

177
00:29:15.780 –> 00:29:17.340
Tim Leech: Against injury and death.

178
00:29:17.850 –> 00:29:25.860
Tim Leech: So, so, you know, unfortunately. And one of the things that I’ve done, I’ve actually done this, I go in a traditional

179
00:29:27.210 –> 00:29:48.120
Tim Leech: Company where the audit department has been doing 20 3050 100 audits, a year, you can reverse engineer them and you say, which objectives are implied in the work that was done on this audit. So your reverse engineer and say, well, you wouldn’t look at that you wouldn’t look at that control.

180
00:29:49.410 –> 00:29:52.740
Tim Leech: If there wasn’t an objective to do XYZ

181
00:29:53.940 –> 00:29:54.810
Jason Mefford: So also, you

182
00:29:55.140 –> 00:29:57.330
Tim Leech: You revert your immerse

183
00:29:57.480 –> 00:30:07.980
Tim Leech: The thing and then you and what those tests have always shown me is very few internal audit departments have gone anywhere near the most important value creation objectives.

184
00:30:08.310 –> 00:30:27.030
Tim Leech: Most of the audit plans are around value preservation and traditional type objectives. And when you say I, you know, look, I’ve just finished reading the strategic plan that went to the board. Show me what percentage of your internal life plan next year is specific on those objectives.

185
00:30:28.680 –> 00:30:31.920
Jason Mefford: Most of the time on. I’ve asked those it’s yeah it’s even zero

186
00:30:32.280 –> 00:30:44.100
Tim Leech: Yeah, I can be and and you know that, but my attitude is, you know, I’VE ALWAYS Promoted I’ve used the term supply driven most internal auditing done in the world is supply driven

187
00:30:44.850 –> 00:30:54.030
Tim Leech: The, the internal audit department walks up decides what they’re going to audit runs it by the audit committee who are busy and don’t really care. I

188
00:30:54.150 –> 00:30:57.630
Tim Leech: Hardly. If you know in the hundreds of clients I i

189
00:30:58.320 –> 00:31:11.370
Tim Leech: I’ve worked with over the years, the number of really insightful feedback from an audit committee or a senior leadership team on the audit planning is rarely

190
00:31:12.270 –> 00:31:24.930
Tim Leech: Much and I don’t blame them for that they’re busy people so they just sort of say on unless this is going to bother me a whole lot and inconvenience, my staff, you go ahead and do those audits.

191
00:31:25.980 –> 00:31:36.990
Tim Leech: And you know, I encourage audit committees to become demand driven. I say look at audit department, you’ve got cost 5 MILLION BUCKS.

192
00:31:38.130 –> 00:31:45.960
Tim Leech: Why don’t you actually take the time as an audit committee to agree what it is you want them to do in terms of outcomes.

193
00:31:47.520 –> 00:31:49.440
Tim Leech: Like let’s agree with those are

194
00:31:49.740 –> 00:31:55.440
Tim Leech: So before I try and assess the effectiveness of your $5 million internal audit department.

195
00:31:56.040 –> 00:32:19.260
Tim Leech: I want the customers to tell me what is it they most want from the $5 million in terms of outcomes. And the reality is, is if in fact the, the reality is, is they only want the audit department to pacify regulators and to pacify and keep the external auditors.

196
00:32:20.760 –> 00:32:28.260
Tim Leech: Okay, and they don’t really expect the internal audit department will ever go anywhere near the most important risk. Fair enough.

197
00:32:29.100 –> 00:32:40.950
Tim Leech: At least we’ve got it in black and white. That says internal audit department is not to look at the most important objectives of the company. It’s not your domain if that’s the decision that’s fine.

198
00:32:41.730 –> 00:32:50.340
Tim Leech: But don’t let the internal audit department saying continue saying they’re auditing the top risks when they’re not going anywhere near the top objectives.

199
00:32:51.480 –> 00:32:58.980
Jason Mefford: But I think it’s interesting the way you just put that is using supply driven and demand driven for your audit plans.

200
00:32:59.520 –> 00:33:04.410
Jason Mefford: I think it’s a great way that hopefully that kind of hits people to is

201
00:33:04.980 –> 00:33:13.740
Jason Mefford: You know when you’re just kind of picking and deciding what you think needs to be on the audit report or in the audit plan, you know, like we talked about. Usually it’s kind of an echo chamber.

202
00:33:14.220 –> 00:33:25.200
Jason Mefford: In ourselves. We might ask input from a few people. But we just pretty much put down what we want to do audit committee rubber stamps it that’s supply driven. That’s what we want to do.

203
00:33:26.040 –> 00:33:35.640
Jason Mefford: And actually getting the input and allowing the audit plan to be demand driven by what the executives and the board really want

204
00:33:36.240 –> 00:33:47.430
Jason Mefford: He has a totally, totally different thing. Now I know and that’s what I encourage people to do as well. It’s like if you want to be relevant, you’ll figure out what actually makes you relevant, it’s what the people need or want

205
00:33:48.060 –> 00:33:55.440
Jason Mefford: But I get a lot of people that push back and go, but if but if they’re telling me what to do. Then I’m no longer independent and objective.

206
00:33:55.800 –> 00:33:59.880
Tim Leech: Well, if in fact it is the board of directors, that’s

207
00:33:59.910 –> 00:34:05.820
Tim Leech: Telling what you what to do. I would I would counsel you not to be independent.

208
00:34:07.800 –> 00:34:07.980
Jason Mefford: There.

209
00:34:08.250 –> 00:34:13.230
Tim Leech: The Monday night, and I’m going to go do whatever I want. Regardless of what any of my customers.

210
00:34:13.920 –> 00:34:27.480
Tim Leech: Actually after they’ve been asked to think about it, but on our website on the resource page there’s there’s a five step overview of objective centric and the first step is to agree, what are the most important

211
00:34:28.140 –> 00:34:40.200
Tim Leech: Object, you know, value creation and now you preservation objectives and we want the leadership team to decide who who in management owns each of those objectives.

212
00:34:41.100 –> 00:34:55.050
Tim Leech: What level of risk assessment rigor. Do we want to analyze this the risk and the certainty of achieving those objectives. That’s what we call risk certainty assessment rigor.

213
00:34:56.310 –> 00:35:06.990
Tim Leech: And do we want independent assurance from internal audit on the representation on the state of risk uncertainty from internal audit, the answer is no.

214
00:35:08.130 –> 00:35:19.890
Tim Leech: So that step literally defines the entire work plan for the risk department if there is one. And for the internal audit department, however.

215
00:35:20.760 –> 00:35:28.110
Tim Leech: It assumes that the company has accepted the business case for a strong first line because it’s saying

216
00:35:28.860 –> 00:35:37.650
Tim Leech: The primary assessor reporter will be the management that only objective, they will be the primary assessor reporters.

217
00:35:38.190 –> 00:35:47.310
Tim Leech: The risk department will help them do that and put some discipline over it and provide editorial comments on on the product.

218
00:35:48.210 –> 00:36:00.330
Tim Leech: And if it’s decided that internal audit has a role as an independent insurance provider. It’s not internal audits job to say whether they like the controls or not.

219
00:36:00.810 –> 00:36:15.750
Tim Leech: Its internal audits job to say has the representation been accurately described in terms of where the weaknesses are, where the strengths are and how that links to current performance being produced on those objectives so

220
00:36:16.770 –> 00:36:23.640
Tim Leech: It’s very simple diagram. It’s five steps in it literally defines what a demand driven

221
00:36:24.750 –> 00:36:33.900
Tim Leech: Process looks like and what an objective centric. So if you want strong first line if you believe that strong first line.

222
00:36:34.770 –> 00:36:44.910
Tim Leech: Risk governance will be more nimble more agile is a big word out there, everybody wants to say we’re agile. How can you be agile, if we’re waiting for the second and third line to

223
00:36:44.910 –> 00:36:46.260
Tim Leech: Report, there might be

224
00:36:46.290 –> 00:36:49.890
Jason Mefford: Problems. We can’t do so.

225
00:36:50.160 –> 00:36:58.080
Tim Leech: If you’re going to want to be an agile company, you better be a strong first line company. Well how you going to be a strong first line company.

226
00:36:58.290 –> 00:37:16.380
Tim Leech: You’re going to be a strong first line company if management believes they should are expected to be able to identify and measure the risks and think in a thoughtful way about how to respond to those risks to increase the certainty important objectives will be achieved. Yeah.

227
00:37:17.790 –> 00:37:26.970
Jason Mefford: Well, and I think it’s, you know, I want to be conscious of time, too, because we try to keep the podcasts. We could, I could talk to you for like two or three hours, man.

228
00:37:27.600 –> 00:37:34.530
Jason Mefford: But, but I wanted to maybe hit on on one other thing here. And then we’re going to probably have need to kind of wrap it up for today, but

229
00:37:35.220 –> 00:37:41.700
Jason Mefford: You know I get. I get a lot of people that you know when I’m talking about objective centric and I’m sure you’ve gotten this question.

230
00:37:42.600 –> 00:37:56.310
Jason Mefford: Over your whole career is, you know, we talked about how a lot of times, artists, staying away from it. Probably because they prefer to focus on what’s comfortable for them what they’ve done in the past, right, what the history has kind of been

231
00:37:56.940 –> 00:38:08.130
Jason Mefford: Instead of jumping in and looking at what really are the most important objectives in the organization and I get a lot of people that say, Well, I don’t do that because I don’t know what they are.

232
00:38:09.840 –> 00:38:15.300
Jason Mefford: Right. So, so what do you, what do you say to be I know again you’re laughing now. Okay. Right.

233
00:38:16.170 –> 00:38:25.020
Jason Mefford: But when an auditor says, well, but I don’t know what the objectives are, so how can I audit those objectives or when I find out what those objectives are

234
00:38:25.380 –> 00:38:33.870
Jason Mefford: I don’t know what to do with it. It’s too high level and I’m supposed to be auditing the processes. Right. I hear this all the time. So,

235
00:38:34.950 –> 00:38:35.130
Tim Leech: We

236
00:38:35.370 –> 00:38:43.020
Tim Leech: Like to give the orientation on on the methodologies to the senior leadership team and the audit committee and risk committees.

237
00:38:44.100 –> 00:38:52.980
Tim Leech: What do they want from internal audit. Do they want a bunch of compliance jacking on low level processes or do they want opinions and and input and help

238
00:38:53.820 –> 00:39:04.110
Tim Leech: Do they want, fundamentally, do they want internal audit to help management manage the certainty that the most important objectives will be achieved. And if the answer is yes.

239
00:39:05.250 –> 00:39:12.900
Tim Leech: Then audit has to radically change the way it’s done in a large number of organizations today. If the answer is no.

240
00:39:13.350 –> 00:39:30.900
Tim Leech: We just want to be able to say we have an audit department. I used to go in a $5 million audit budget, a year and they may be thinking about outsourcing it to Coopers and lybrand and I you know I, I’d say, Well, you know, what’s, what’s your budget is 5 million. And I’d say to them all.

241
00:39:32.400 –> 00:39:33.690
Tim Leech: I can do it for half

242
00:39:35.820 –> 00:39:44.400
Tim Leech: Client would sort of, what do you mean, how could you possibly say you haven’t even you don’t even know what they’re doing. I said,

243
00:39:45.540 –> 00:39:48.240
Tim Leech: It’s not so much whether I know what they’re doing.

244
00:39:49.200 –> 00:40:02.790
Tim Leech: It’s that I’m almost certain. You haven’t told them with any clarity, what outcomes you want from them. And as long as the primary reason for their existence is to say we have an audit department that does audits the right audit reports.

245
00:40:03.450 –> 00:40:14.250
Tim Leech: I can do audits and I can write on it reports for $2.5 million you’ve been paying five for people doing audits and doing audit reports.

246
00:40:15.180 –> 00:40:24.420
Tim Leech: I need you know you shouldn’t have been paying 10 because you don’t know and have not told them what specific things you want an opinion on

247
00:40:25.110 –> 00:40:44.100
Tim Leech: So, in the absence of clarity of what it is you want from that internal audit function, we could pay look if if you’re feeling you want even bigger savings. Let’s pare it down to 1,000,005 that’ll be a decent assignment for me will do just as many audit reports as they were doing before.

248
00:40:46.350 –> 00:40:59.460
Tim Leech: And you’ll be able to say Coopers and lybrand is now doing your audits and they’re a world class firm with incredibly deep resources that can be called to audit the most significant risks. A company can face.

249
00:41:00.240 –> 00:41:19.470
Tim Leech: So you know I don’t like to make fun of it. But the reality is, and when I have this discussion with audit committee chairs why often golf with and and socialize with, say, no, it’s true. So, but here’s the rub. What’s the biggest metric

250
00:41:20.730 –> 00:41:25.710
Tim Leech: That internal audit departments use percentage of audit plan covered

251
00:41:26.640 –> 00:41:36.660
Tim Leech: Well, how bad and outcome statement is that that that’s like measuring a salesman on the number and the quality of their sales calls but with

252
00:41:37.140 –> 00:41:49.620
Tim Leech: Without any clarity on how many sales. Do you want them to me. So, you know, one of the first things I do when I get called into audit to do an assessment of the effectiveness of an audit department.

253
00:41:50.070 –> 00:42:00.780
Tim Leech: I will spend the time and drive out of the, the senior leadership team and the board. What is it you want from the 5 MILLION BUCKS. You’re spending.

254
00:42:02.490 –> 00:42:10.140
Tim Leech: If you can define what it is you want I can give you an idea of how many resources, it will take to do it.

255
00:42:10.800 –> 00:42:25.440
Tim Leech: However, if you say I just want to be able to say we have an audit department, we have a chief audit executive and we do audits and the audience are reported to the leadership team and the board, pick a number, and we’ll all work to it.

256
00:42:26.580 –> 00:42:26.880
Tim Leech: Because

257
00:42:26.940 –> 00:42:35.580
Tim Leech: There’s no intellectual integrity around how many resources you need unless there is clarity on the outcome soft

258
00:42:36.240 –> 00:42:46.380
Jason Mefford: Ending ending right and that, and that’s the whole, you know, especially now. So anybody who’s listing that’s ahead of audit. So in place. Did you just hear how easy

259
00:42:46.830 –> 00:43:01.410
Jason Mefford: Tim made it sound to get your, your, your, your whole group outsourced and you out of the job if you’re not kind of answering that question is, what, what does the board and the executives really expect from internal audit.

260
00:43:03.180 –> 00:43:15.000
Jason Mefford: And, you know, again, this is it’s a it’s a difficult time for some people, for some organizations and they may choose to take the hey you know Tim come into it for 1.5 instead of five right

261
00:43:15.660 –> 00:43:26.880
Jason Mefford: And and ultimately it’s it’s the company’s prerogative on what to do, but I can tell you if if you’ve been doing a supply driven audit plan.

262
00:43:28.170 –> 00:43:29.190
Jason Mefford: You’re at risk.

263
00:43:30.720 –> 00:43:31.380
Jason Mefford: Risk

264
00:43:31.530 –> 00:43:34.290
Tim Leech: Be careful, doubt, it’ll be called a risk based

265
00:43:37.650 –> 00:43:55.980
Jason Mefford: Right and ran really to be relevant. We have to understand what the objectives are of the organization those top objectives and if and then start helping with them. Right. Because if not, I mean, we’re just checking the box somebody else can check the box.

266
00:43:57.180 –> 00:44:08.730
Jason Mefford: Much cheaper. In fact, today I was just reading an article about auditors is one of the jobs that the World Economic Forum expects to be outsourced to machines within about five or six years.

267
00:44:09.330 –> 00:44:12.030
Tim Leech: Well, certainly if its compliance centric, or even

268
00:44:12.030 –> 00:44:18.390
Tim Leech: Control centric though both of those methods are extremely amenable to artificial intelligence.

269
00:44:19.020 –> 00:44:34.860
Tim Leech: Risk Based, you can certainly use the software that I built, you could wire up key risk indicators and escalation triggers and all of those things. And all it would all be done by machines and set off alarms on dashboards.

270
00:44:35.910 –> 00:44:50.400
Tim Leech: All of that is possible, but you know what I believe is very difficult to do because it requires judgment on acceptability of certainty of achieving objectives is that

271
00:44:53.550 –> 00:44:55.350
Tim Leech: That really

272
00:44:56.550 –> 00:45:09.450
Tim Leech: If the audit department has been instructed by the leadership team in the board that they are to provide independent assurance on the reliability of information, they get on objectives number

273
00:45:09.930 –> 00:45:25.110
Tim Leech: 269 14 and 18 and they want medium level assurance on the reliability of those data sets. I think you can do a much more rational approach in terms of

274
00:45:26.340 –> 00:45:41.850
Tim Leech: How many resources do I need to do that. And in the absence of any clarity on what it is, the leadership and the board one. I mean, I’m speaking from experience I’ve had clients that they were outsourcing.

275
00:45:43.500 –> 00:45:47.610
Tim Leech: $250,000 to Deloitte, they would do a DOD. It’s a year.

276
00:45:48.690 –> 00:46:01.740
Tim Leech: And then they would say in their annual report, we have an internal audit department. They are doing risk based internal auditing and they’re delivering five reports they don’t actually mentioned five because it sounds bad, but

277
00:46:01.770 –> 00:46:03.360
Jason Mefford: Yeah, the reports.

278
00:46:03.660 –> 00:46:12.780
Tim Leech: Yeah, the reports to to that are going to the board and to the leadership team and management is taking appropriate actions as required.

279
00:46:13.800 –> 00:46:28.830
Tim Leech: Well, that’s fine, but you know, I’m going into a client right now that was outsourcing five audits, a year. So what I’m saying to them is if you go with a strong first line.

280
00:46:29.640 –> 00:46:44.910
Tim Leech: Objective centric, we can cover, far, far more objectives for the amount of money you were spending on five artists, because we’re going to go. We’re going to use training and facilitation as our primary

281
00:46:45.480 –> 00:47:00.870
Tim Leech: Vehicle to do this with some quality assurance. If it’s felt to be worthwhile by the leadership team and or the board. So this is all about making it demand driven. Once you know

282
00:47:02.430 –> 00:47:11.520
Tim Leech: Unfortunately, the vast majority of internal audit in the world is supply driven and it’s extremely vulnerable to being outsourced

283
00:47:11.940 –> 00:47:32.130
Tim Leech: Right now in a tough environment where the regulator hasn’t really defined with any clarity, what they want in the you can argue that some of the better financial regulators have at least some idea of what they expect as outcomes from internal audit, not usually. Very good, but

284
00:47:33.360 –> 00:47:41.550
Tim Leech: The point is, is to take the time clarify what outcomes you seek from whatever amount of money you’re going to spend on that activity.

285
00:47:42.390 –> 00:48:00.270
Tim Leech: And then work to the outcome resource it to the level of outcome. And if if that number is too high, change the specifications then delete objective number four and seven and just go with clarity, there is no independent insurance on those objectives.

286
00:48:01.590 –> 00:48:09.000
Tim Leech: Don’t. Don’t pretend that five audits, a year is going to really assure that the company has an effective risk and control framework.

287
00:48:10.140 –> 00:48:12.480
Jason Mefford: Yeah, it can’t it possibly can.

288
00:48:12.630 –> 00:48:31.680
Tim Leech: And, you know, and I see sometimes the the stuff out of the AIA talking about benchmarking how big your audit department is against the other departments. Well, all of that is irrelevant if none of them departments if define what it is they want from them in those companies.

289
00:48:32.040 –> 00:48:41.850
Jason Mefford: Yeah benchmarks are another one that I just, I don’t understand. It’s like little boys pulling out a tape measure, you know, and it’s like okay, it does give you signals.

290
00:48:42.360 –> 00:48:48.240
Tim Leech: Right, you know, back in my CL days, which is now P WC winning. You say, we can use our vast

291
00:48:48.810 –> 00:49:03.360
Tim Leech: Global resources and and and compare how you’re doing your internal auditing against the way other companies, but that’s not helpful if it turns out the whole of the internal auditing sector hasn’t been very effective.

292
00:49:03.750 –> 00:49:07.680
Tim Leech: And it has not been measuring outcomes. It’s been measuring inputs.

293
00:49:08.460 –> 00:49:15.090
Tim Leech: So you got to get out of. First you got to get agreement what outcomes do you seek from the investment in the function

294
00:49:15.870 –> 00:49:30.450
Tim Leech: And unfortunately, the I quality assurance review does not demand that as the first step of a QA review and I believe unequivocally insured. So you know that that’s key and

295
00:49:31.980 –> 00:49:33.360
Tim Leech: So demand driven

296
00:49:34.560 –> 00:49:46.110
Tim Leech: Objective centric with the philosophy that strong first line is a goal. Those are the my guiding principles and I just slide true decade after decade.

297
00:49:47.370 –> 00:49:49.290
Tim Leech: Those are things that are important.

298
00:49:49.710 –> 00:49:54.930
Tim Leech: But here’s, here’s the rub. Nobody has debated with me that I’m wrong.

299
00:49:56.910 –> 00:50:02.850
Tim Leech: Nobody’s marshalling arguments and saying, Oh, you’re far better with a week first line.

300
00:50:03.480 –> 00:50:17.790
Tim Leech: Second and Third lines will catch all that bad things that are going on out there that then you say, well, how did you decide how much second and third line, you’re going to engage to compensate for the week first line in a world is changing every month.

301
00:50:19.920 –> 00:50:30.930
Jason Mefford: Well, no, and nobody’s willing to debate you Tim because you’re right, you know, and it’s and the problem is they’re just not willing to accept it or come along with it so

302
00:50:31.560 –> 00:50:41.340
Jason Mefford: You know, that’s why I love. I’m trying to, to help out and push. I haven’t been doing it nearly as long as you have, but I’m going to keep pushing and keep being the contrary, and for people to

303
00:50:41.910 –> 00:50:49.680
Jason Mefford: You know, pull their head out of their ass and actually think about this in the right way and and realize that, you know, like you said,

304
00:50:50.070 –> 00:50:54.930
Jason Mefford: Most of these other centric approaches you can you can program the software to do it.

305
00:50:55.500 –> 00:51:03.660
Jason Mefford: But, you know, if you’re really going, you know, to have the clarity and and do the things that require the human judgment.

306
00:51:04.170 –> 00:51:20.580
Jason Mefford: And the actual human interaction right of actually being able to be intelligent emotionally with people and know how to use things like psychology and influence to actually develop relationships and work through some of this stuff, you know, the machines are going to take over.

307
00:51:20.640 –> 00:51:25.140
Tim Leech: And wait, you know, where’s the cognitive biases that work on the management side and

308
00:51:25.200 –> 00:51:26.340
Tim Leech: Oh, and I

309
00:51:27.600 –> 00:51:45.420
Tim Leech: expose some of them and get a better appreciation, but you know I don’t like to be all negative. I have to give kudos to Richard chambers CEO president of the AIA nominated me and put me on his 10 thought leaders of the decade.

310
00:51:46.410 –> 00:51:51.000
Tim Leech: And the write up those says every profession needs somebody like to

311
00:51:52.500 –> 00:51:53.640
Tim Leech: Continually

312
00:51:54.120 –> 00:51:54.750
harassing

313
00:51:56.670 –> 00:52:08.580
Tim Leech: There’s got to be better ways to do it. And I think one of the earmarks or one of the hallmarks of being a professional should be relentlessly looking is there better ways to

314
00:52:09.000 –> 00:52:19.350
Tim Leech: Actually satisfy what our customers want. And if the answer is, well, they haven’t bothered to tell us. Well, you better take the time and try and get it out of them, because

315
00:52:19.770 –> 00:52:28.710
Tim Leech: I’ll tell you if your customer doesn’t know exactly what it is they want you, for you are very vulnerable to getting rid of it.

316
00:52:29.190 –> 00:52:41.610
Jason Mefford: Well, exactly. Exactly. Well, Tim. Thank you. Thank you. Thank you. Thank you, love talking to you. So I’ll probably have to have you back in the future as well. But I really appreciate

317
00:52:42.690 –> 00:52:53.730
Jason Mefford: Like I said at the beginning, you have been one of those people in the profession. That’s always been kind of, you know, pushing it and and and asking us how we can do things different.

318
00:52:54.390 –> 00:53:00.240
Jason Mefford: It’s metal meant a lot to me. I mean, again, in my development as well, kind of

319
00:53:01.080 –> 00:53:14.130
Jason Mefford: You know, hearing what you’ve been saying and thinking about it and doing my own research and my own playing with it but you know I keep coming back to the same thing where it’s like Tim. You’re right. Man, that’s why I’m saying the same thing to itself.

320
00:53:14.190 –> 00:53:14.520
Jason Mefford: So,

321
00:53:14.700 –> 00:53:28.980
Tim Leech: You know, I would encourage those of you that even if you only like some of the ideas. Consider following me on LinkedIn. I’ve got a LinkedIn discussion group called objective centric risk uncertainty management all my posts are there.

322
00:53:29.910 –> 00:53:44.520
Tim Leech: You become a member of it. You can you can read the two years of radical thinking about it and a lot of my posts i’m i’m just as focused on the second line as I am on the third line.

323
00:53:45.180 –> 00:53:53.400
Tim Leech: And all of it, though, is promoting the the business case for strong first line objective centric demand driven assurance.

324
00:53:53.820 –> 00:53:55.110
Tim Leech: Yep, absolutely.

325
00:53:55.680 –> 00:54:08.730
Jason Mefford: That’s a theme. Well, I’ll link up in the show notes for that and and just again, since this is usually audio. I’ll put it in the show notes, too. But what’s the, what’s the website. The best website for people because I know you refer to the resources.

326
00:54:09.240 –> 00:54:09.480
Well,

327
00:54:10.500 –> 00:54:12.750
Tim Leech: Risk oversight solutions com

328
00:54:13.650 –> 00:54:15.060
Jason Mefford: Risk oversight solutions.

329
00:54:16.560 –> 00:54:24.900
Jason Mefford: Alright, so go out and download some of the stuff asked to join the LinkedIn group and keep the discussion going.

330
00:54:26.370 –> 00:54:27.630
Jason Mefford: Well, Tim. Thanks again, man.

331
00:54:29.040 –> 00:54:32.460
Tim Leech: Appreciate it. That’s really the opportunity you have a good one.

332
00:54:32.790 –> 00:54:33.360
Jason Mefford: Thanks. You too.

Facebook Comments