
Johnny Cagle, April 20, 2017

Rubik’s Cube Audit Approach

Agenda
• Session 1 – Introduction
• Session 2 – Rubik’s Cube
• Session 3 – Reporting Audit
• Session 4 – Operations Audit
• Session 5 – Compliance Audit
• Conclusions

Why?
FROM: “When I finish, I know enough to start.”
TO: “When I start, I know enough to finish.”

Session 1 – Introduction

Agenda
• Background
• Research
• Fruit of the Loom
• Berkshire Hathaway
• Fruit of the Loom Internal Audit
• Auditors’ Dilemma
• Theory of Constraints
• Strategic Architecture
• Foreign Corrupt Practices Act (“FCPA”)
• Committee of Sponsoring Organizations (“COSO”)
• Sarbanes-Oxley Act of 2002 (“SOX”)
• SEC Guidance on SOX
• Integrated Audit
• Risk & Internal Audit
• “Risk”
• Cost of Risk
• Risk-Based Audit
• Model-Based Audit
• Summary
• Insights
• Conclusions

Background
• BS Accounting, Lipscomb, 1971
• MBA, Samford, 1982
• IIA Member #31919 (1970s)
• Certified Fraud Examiner
• “Innovative Auditor”
• Gulf States Paper Corporation
• Intergraph Corporation
• SAIC (DoD, USDA, DOI, NASA…)
• Tempurpedic
• Rhino Energy
• Fruit of the Loom

Research
Universities
• “Auditing Real-Time Systems” (1971)
• “Christian Code of Ethics for Business” (1980)
• “Forecasting the GNP, Price Level & Unemployment” (1980)
• “Occupational Stress and Productivity” (1981)

Corporate
• “Statement of Business Ethics” (1989)
• “Internal Control Objectives” (1991)
• “Corporate Business Model” (1998)
• “Integrating Methodology & Technology” (1999)
• “Strategic Mapping – Mapping Business Success in Three Dimensions” (2002)
• “Model-Based Auditing” (2004)
• “Business Process Engineering / Business Process Improvement” (2009)
• “Risk Accounting – A New Way to Control Period Cost” (2014)
• “A Top-Down, Risk-Based Approach to Performance Auditing for Internal Auditors” (2015)
• “Rubik’s Cube Audit Approach” (2017)

Fruit of the Loom (“Fruit”)
• Founded in 1851
• Awarded trademark # 418 in 1871 for the Fruit of the Loom brand
• Purchased by Berkshire Hathaway Inc. in 2002
• Purchased Russell Corporation in 2006
• Purchased Vanity Fair Intimates in 2007
• $2+ Billion annual revenue
• 33,000 employees globally

Fruit of the Loom Corporate Headquarters – Bowling Green, KY

Berkshire Hathaway (“Berkshire”)
• Original Berkshire Hathaway Inc. founded in 1839
• Bought by Warren Buffett in 1964
• Headquarters in Omaha, Nebraska
• Over 60 wholly-owned subsidiaries, with some also owning several subsidiaries
• Significant investments in Coca-Cola, American Express, IBM, Wells Fargo and others
• $224 Billion annual revenue
• 368,000 employees globally
• 25 headquarters staff

Warren Buffett, CEO Berkshire Hathaway Inc.

“Risk comes from not knowing what you’re doing.”

Berkshire Subsidiaries
Acme Brick Company; Applied Underwriters; Ben Bridge Jeweler; Benjamin Moore & Co.; Berkshire Hathaway Automotive; Berkshire Hathaway Energy Company; Berkshire Hathaway GUARD Insurance Companies; Berkshire Hathaway Homestate Companies; Berkshire Hathaway Specialty Insurance; BH Media Group; BoatU.S.; Borsheims Fine Jewelry; Brooks; Buffalo NEWS, Buffalo NY; BNSF; Business Wire

Central States Indemnity Company; Charter Brokerage; Clayton Homes; CORT Business Services; CTB Inc.; Duracell; Fechheimer Brothers Company; FlightSafety; Forest River; Fruit of the Loom Companies; Garan Incorporated; Gateway Underwriters Agency; GEICO Auto Insurance; General Re; Helzberg Diamonds; H.H. Brown Shoe Group; HomeServices of America

International Dairy Queen, Inc.; IMC International Metalworking Companies; Johns Manville; Jordan's Furniture; Justin Brands; Kraft Heinz; Larson-Juhl; LiquidPower Specialty Products Inc. (LSPI); Louis - Motorcycle & Leisure; Lubrizol Corporation; Marmon Holdings, Inc.; McLane Company; MedPro Group

National Indemnity Company; Nebraska Furniture Mart; NetJets®; Oriental Trading Company; Pampered Chef®; Precision Castparts Corp.; Precision Steel Warehouse, Inc.; RC Willey Home Furnishings; Richline Group; Scott Fetzer Companies; See's Candies; Shaw Industries; Star Furniture; TTI, Inc.; United States Liability Insurance Group; XTRA Corporation

[Diagram: Responsibilities – Goals, Objectives & Requirements; Audits & Projects; Management Requests; Laws, Regulations, Standards, Policies, Processes & Systems; Risk of Material Missed Opportunity; Risk of Material Adverse Event]

Fruit IA Mission
Provide independent audit and assurance services to help the Company reach its goals while maintaining ethical business practices and effective internal controls with respect to personnel, processes and systems.
• Assess Risks
• Test Controls
• Focus on Service
• “Audit Forward”

Fruit IA Organization
• Johnny Cagle, CFE – VP Internal Audit (US)
• Stephen Thompson, CA – Director, Europe, Morocco & Vietnam (UK)
• Rachid Badoui – Staff Auditor (Morocco)
• Matthew Pendel, CIA – Manager, Americas Operations, IT & Reporting (US)
• Jackie Perkins – IT Auditor (US)
• Lesly Reyes – Staff Auditor (Central America)
• Amanda J. Brown, CIA – Supervisor, Global Ethics & Compliance & Asia Pacific (US)
• Chase Carver – Staff Auditor (US)

Berkshire Audit Focus
• Reputation Management (GRC)
• Continuity Management (ITGC)
• Access Management (ITGC)
• Change Management (ITGC)
• Evidence Management (SOX / FCPA)
• Relationship Management (FCPA)
• Privacy Management (EU GDPR)

The Auditor’s Dilemma
• Financial vs. Operational
• Substantive vs. Control
• Balance Sheet vs. Income Statement
• Analytics vs. Sampling
• Values vs. Processes
• Internal vs. External
• Testing vs. Interviewing
• Actual vs. Forecast
• Cost vs. Benefit
• Control vs. Risk
• Certainty vs. Uncertainty
• Global vs. Local
• COSO vs. COBIT
• etc. vs. etc…

“When you come to a fork in the road, take it!” – Yogi Berra

Theory of Constraints
• The Theory of Constraints (TOC) is a management paradigm that views any manageable system as being limited in achieving more of its goals by a very small number of constraints. There is always at least one constraint, and TOC uses a focusing process to identify the constraint and restructure the rest of the organization around it.
• Developed by Eli Goldratt
• Books:
– “The Goal” (1984)
– “Critical Chain”
– “Beyond the Goal”
– Many others…

Theory of Constraints
• The Goal:
– Maximize Throughput (Margin)
– Minimize Inventory
– Minimize Operating Expense
• The #1 Constraint is “making decisions without all of the relevant data”.
• The Thinking Process helps determine:
– What to Change?
– What to Change To?
– How to Change?
• Five Focusing Steps:
1. Identify the Constraint
2. Exploit the Constraint
3. Subordinate everything to the Constraint
4. Elevate the Constraint
5. Prevent Inertia from Becoming the Constraint
• “Technology can bring benefits if and only if it diminishes a limitation.”

Strategic Architecture
• “How Strategic Architecture Wins Technology Wars”
• Harvard Business Review – March-April 1993:
– Charles R. Morris
– Charles H. Ferguson
• Proposed assumptions on how technology companies survive(d) technology architecture evolution.
• “Organizational architecture and decision making mirror technical architecture.”
– What is our “technical architecture”?

Strategic Architecture
• Follow-Up HBR Article – April 2000 – Lessons Learned:
– Competitive success flows to the company that manages to establish proprietary architectural control over a broad, fast moving competitive space.
– Architectures impose order on the system and make interconnections possible.
– Proprietary architectures are under constant competitive attack.
– Legislated standards usually settle to the least common denominator.
• Architectural Standards Setters:
– Microprocessor – Intel
– Operating System – Microsoft
– Network System – Novell
– Printer Page System – Adobe, HP
• IBM opened its architecture too broadly.
• Apple held its architecture too closely.
• “Point Product” vendors (e.g. Lotus) are always at risk when the architectural leader changes the rules of the game.

Foreign Corrupt Practices Act
• "(A) make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer; and
• "(B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—
– "(i) transactions are executed in accordance with management's general or specific authorization;
– "(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;
– "(iii) access to assets is permitted only in accordance with management's general or specific authorization; and
– "(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.”

FCPA – December 1977

COSO
• Committee of Sponsoring Organizations of the Treadway Commission (“COSO”):
– Internal Control – Integrated Framework – 1992
– Refreshed in 2013
• In an “effective” internal control system, the following five components work to support the achievement of an entity's mission, strategies and related business objectives:
– Control Environment
– Risk Assessment
– Control Activities
– Information and Communication
– Monitoring

[Figure: Integrated Internal Control Framework – 1992 – Components & Principles]

COSO ERM
• The COSO Enterprise Risk Management (“ERM”) framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
• Relationship to Internal Control — Integrated Framework:
– Adds “Strategic” category.
– Expands and elaborates on elements of internal control as set out in COSO’s “control framework.”
– Includes objective setting as a separate component.
– Expands the control framework’s “Financial Reporting” and “Risk Assessment.”

[Figure: ERM Integrated Framework – 2004]

Sarbanes-Oxley Act
• The Sarbanes-Oxley Act of 2002 (SOX) is an act passed by U.S. Congress in 2002 to protect investors from the possibility of fraudulent accounting activities by corporations. The SOX Act mandated strict reforms to improve financial disclosures from corporations and prevent accounting fraud.
– Section 302 – Corporate Responsibility for Financial Reports
– Section 404 – Management Assessment of Internal Controls
• Securities and Exchange Commission (SEC) Guidance for SOX Compliance in 2007:
– Recommends Top-Down Risk-Based Audit of Internal Controls over Financial Reporting
• Public Company Accounting Oversight Board (PCAOB):
– Requires an integrated audit of the financial statements and internal controls over financial reporting

SOX – July 2002

[Figure: SEC Guidance on SOX]

Integrated Audit
• An Integrated Audit is where auditors, in addition to an opinion on the financial statements, must also express an opinion on the effectiveness of a company's internal control over financial reporting, in accordance with PCAOB Auditing Standard No. 5.
– Opinion on the financial statements.
– Opinion on the effectiveness of internal control over financial reporting.
– How to audit both simultaneously?

Risk & Internal Auditing
• Risk is the potential of gaining or losing something of value. (Wikipedia)
• “Risk comes from not knowing what you’re doing.” (Warren Buffett)
• Enterprise Risk Management (ERM) includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. (Wikipedia)
• Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (The IIA)

“Risk”
Use of “Risk” in Select Quarterly Investor Call Transcripts in 2012, 2013 and 2014
• Amazon – 0
• American Express – 3
• Bank of America – 13
• Berkshire Hathaway (Annual Letter) – 7
• Coca Cola – 0
• General Electric – 0
• Gildan – 4
• Google – 2
• Hanes – 4
• IBM – 0
• Microsoft – 2
• Nike – 3
• Oracle – 2
• Tempur-Sealy – 2
• Under Armour – 3
• WalMart – 5
• Wells Fargo – 13

Cost of Risk
• Patented Methodology to Calculate Enterprise Total Cost of Risk
• Based on Actual & Forecast Income Statements
• Quantifies the Impact of Risk on Performance
• Invented / Patented by Gary Bierc

Risk-Based Audit
• A Risk-Based Audit is an internal methodology which is primarily focused on the risk involved (inherent or residual) in the activities or system and provides assurance that risk is being managed within defined risk appetite levels.
• Used by many auditors by preparing a risk assessment in advance of the audit and tailoring the audit to the relevant risks.
• Risk / Control / Test matrices are prepared in advance for audits using this approach.

Risk / Controls / Tests / Results matrix
Risk: All shipments are not invoiced.
Controls: Shipment information is automatically transferred to Accounts Receivable for invoicing.
Tests:
– Select a random sample of shipments and trace to related invoices.
– Select a random sample of invoices and trace to related shipments.
– Reconcile shipment data to invoice data.
Results: No exceptions noted. or… Exceptions noted. See explanation of test results.

Model-Based Audit
• A Model-Based Audit is an audit based on a pre-developed model that has enough structure and data to be a relevant comparison to live results. It helps ensure audit completeness and visibility into significant non-audit scope areas of concern.

Summary
• What to change?
– From using a limited dimension audit approach.
• What to change to?
– To using a three-dimensional audit approach based on the COSO Cube.
• How to change?
– Begin with the COSO Cube and simplify it to represent any organization or entity.
• What is the number one constraint?
– “Making decisions without all of the relevant data.”
• How do we “exploit the constraint”?
– Create a model that represents all of the relevant data.
– Find the single center cube and relate everything else to that cube.

Summary
• FROM: Integrated Internal Control Framework – 1992 (the COSO Cube)
• TO: Simplified Integrated Internal Control Framework – 2017 (axes: Requirements, Responsibilities, Relationships)

Insights
• 6 sides
• 27 cubes (3X3X3)
• 6 face center cubes
• 8 corner cubes
• 12 center edge cubes
• = 26 face cubes
• + 1 center center “cube”
– Reporting
– Risk
– Responsibilities

#   Top          Left      Right
1   Operations   Control   Requirements
4   Operations   Risk      Requirements
7   Operations   Monitor   Requirements
10  Operations   Control   Responsibilities
13  Operations   Risk      Responsibilities
16  Operations   Monitor   Responsibilities
19  Operations   Control   Relationships
22  Operations   Risk      Relationships
25  Operations   Monitor   Relationships
2   Reporting    Control   Requirements
5   Reporting    Risk      Requirements
8   Reporting    Monitor   Requirements
11  Reporting    Control   Responsibilities
14  Reporting    Risk      Responsibilities
17  Reporting    Monitor   Responsibilities
20  Reporting    Control   Relationships
23  Reporting    Risk      Relationships
26  Reporting    Monitor   Relationships
3   Compliance   Control   Requirements
6   Compliance   Risk      Requirements
9   Compliance   Monitor   Requirements
12  Compliance   Control   Responsibilities
15  Compliance   Risk      Responsibilities
18  Compliance   Monitor   Responsibilities
21  Compliance   Control   Relationships
24  Compliance   Risk      Relationships
27  Compliance   Monitor   Relationships

Simplified Integrated Internal Control Framework – 2017 (axes: Requirements, Responsibilities, Relationships)
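The 27-cube model of the simplified framework, written out as code. This is an added example, not part of the deck and not the author's material. It assumes two things the slides do not state explicitly: that the "#" column is computed as 1 + top_index + 3·left_index + 9·right_index with the axis values in slide order (which reproduces every number on the slide), and that "Find the center. Audit out." means visiting cells in increasing distance from the center cube. With those assumptions it enumerates the cube, classifies each cell as corner, edge, face center or center (8 / 12 / 6 / 1, matching the Insights slide), produces the audit-out sequence, and checks a transcribed table for numbering slips.

```python
"""3x3x3 control-cube model (added example; assumptions noted in comments)."""
from itertools import product

# Axis values in the order they appear on the slide.
TOP = ("Operations", "Reporting", "Compliance")
LEFT = ("Control", "Risk", "Monitor")
RIGHT = ("Requirements", "Responsibilities", "Relationships")
AXES = (TOP, LEFT, RIGHT)


def cube_number(top, left, right):
    """Cell number as used on the slide.

    Assumption: # = 1 + top_index + 3*left_index + 9*right_index.
    This reproduces the slide's values (e.g. Operations/Risk/Relationships = 22).
    """
    return 1 + TOP.index(top) + 3 * LEFT.index(left) + 9 * RIGHT.index(right)


def build_cube():
    """Return {number: (top, left, right)} for all 27 cells."""
    return {cube_number(t, l, r): (t, l, r) for t, l, r in product(TOP, LEFT, RIGHT)}


def center_cell():
    """The single 'center center' cube: the middle value on every axis."""
    return tuple(axis[1] for axis in AXES)


def distance_from_center(cell):
    """Manhattan distance from the center cell (0 for the center itself)."""
    return sum(abs(axis.index(value) - 1) for axis, value in zip(AXES, cell))


def classify(cell):
    """Corner / edge / face center / center, by how many axes sit off-middle."""
    off_middle = sum(1 for axis, value in zip(AXES, cell) if axis.index(value) != 1)
    return {0: "center", 1: "face center", 2: "edge", 3: "corner"}[off_middle]


def audit_out_order():
    """Cells as (number, cell) in 'find the center, audit out' order.

    Assumption: audit out = center first, then outward by distance,
    ties broken by cell number.
    """
    cells = build_cube()
    return sorted(cells.items(), key=lambda kv: (distance_from_center(kv[1]), kv[0]))


def check_table(rows):
    """Validate transcribed (number, top, left, right) rows against the model.

    Returns [(row, expected_number)] for rows whose number disagrees with
    cube_number(); an empty list means the table is internally consistent.
    """
    return [(row, cube_number(*row[1:])) for row in rows if row[0] != cube_number(*row[1:])]


if __name__ == "__main__":
    counts = {}
    for cell in build_cube().values():
        counts[classify(cell)] = counts.get(classify(cell), 0) + 1
    print(counts)  # corner 8, edge 12, face center 6, center 1
    for number, cell in audit_out_order()[:7]:
        print(number, distance_from_center(cell), cell)
    # Constructed sample rows: one correct, one with a deliberate numbering slip.
    sample = [(1, "Operations", "Control", "Requirements"),
              (22, "Reporting", "Control", "Responsibilities")]
    print(check_table(sample))  # flags the second row; expected number is 11
```

Running it shows the center cube is #14 (Reporting / Risk / Responsibilities), exactly the three domains the Insights slide attaches to the "center center" cube, and that the six face centers come next in the audit-out sequence. The check_table helper is the kind of consistency check worth running on any hand-built matrix before it drives an audit program.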

Insights
[Figure: Simplified Integrated Internal Control Framework – 2017 (axes: Requirements, Responsibilities, Relationships), shown from the Audit Perspective, the Stakeholder Perspective and the Management Perspective]

Conclusions
• Constraints control performance but can be leveraged to improve performance.
• Strategic Architecture establishes organizational and decision making design.
• FCPA requires books, records & system of internal accounting control.
• COSO provides an updated Internal Control – Integrated Framework.
• COSO provides an Enterprise Risk Management Framework.
• SOX requires documented and tested Internal Controls over Financial Reporting.
• SEC SOX guidance provides for a top-down risk-based compliance approach.
• PCAOB requires an integrated audit.
• Risk-Based audits extend Internal Auditing into the impact of risk on performance.
• Model-based audits provide a comparative model to benchmark and test against with actual and budget results.
• A simplified COSO Model provides a model for Operations, Reporting & Compliance benchmarking.
• New rules are needed to use a model-based approach.
• The 3X3X3 Cube is a good comparative physical model to use for a model-based approach.

“Find the center. Audit out!”

New Rules
• Rule of One – Find the center. Audit out.
• Rule of Three – Focus on three dimensions.
• Rule of Ten – Minimum 10% Operating Margin.
• Rule of Twenty – Identify and work on the 20% of actions that drive 80% of results.
• Rule of Thirty – Expect no more than 30% cost of control.

Session 2 – Rubik’s Cube

Agenda
• History
• Solutions
• Solving
• Importance
• Relevance
• Conclusions

https://www.youtube.com/watch?v=egWvQuT5TCU

History
• The Rubik's cube was invented in 1974 by Ernő Rubik, a Hungarian architect, who wanted a working model to help explain three-dimensional geometry.
• After designing the “magic cube” as he called it (twice the weight of the current toy), he realized he could not actually solve the puzzle.

https://www.youtube.com/watch?v=bOxNBQxp4_A

Solutions
• 43,252,003,274,489,856,000 (43 Quintillion) Combinations.
• Lowest Number of Moves to Solve is 20.
• Numerous Solutions on YouTube, On-Line and in Books and Apps.
• World Records – 4.73 Seconds – Feliks Zemdegs
– 4.74 Seconds – Mats Valk

https://www.youtube.com/watch?v=tLksISrKtO8

Solutions
• Stage 1 – Know Your Cube.
• Stage 2 – Form The White Cross.
• Stage 3 – Place The White Corners.
• Stage 4 – Fix The Middle Layer.
• Stage 5 – Form The Yellow Cross.
• Stage 6 – Align the Yellow Cross.
• Stage 7 – Place The Yellow Corners.

T2 Games

Solving
• Detailed instructions as provided by T2 Games.
• Close but not guaranteed.
• “Practice Makes Perfect”.
• Knowing where you are and what you are trying to do at each point is critical.
• It can be done!

T2 Games – https://www.youtube.com/watch?v=9Za5PhDBpQQ

Importance
• We live in a multi-dimensional world, but make decisions as if we live in only one or two dimensions.
• Three dimensions are generally enough to achieve completeness if time is not considered.
• Think about GPS vs. Paper Maps:
– 3 vs. 2
– Latitude
– Longitude
– Altitude
• A physical object that is relevant to any organization is helpful in seeing the impact of changes and understanding how to prevent harmful changes as well as protect helpful changes.

Relevance
• How is this relevant to Internal Auditing?
• What lessons can we learn?
• How do we apply it to audits?
• Why would we want to apply it to audits?
• How would we explain it to management?

Conclusions
• A Rubik’s Cube is a changeable control framework.
• A Rubik’s Cube integrated with the COSO Framework could be considered to be an Enterprise Architecture.
• A Rubik’s Cube is solvable where organizational misalignments may not be.
• A Rubik’s Cube is visible as far as its alignment where organizational visibility may not be possible.
• A Rubik’s Cube has one center center cube that is the pivot point for all of the other cubes.
• Studying the Rubik’s Cube can provide insights into organizational misalignments and how to correct them.

Session 3 – Reporting Audit

Agenda
• Insights
• Purpose
• Exercise
• Conclusions


Purpose
• Reporting Audit:
– Audit of Financial Statements / Accounts
– Risk / Control / Test Matrix
– Core Domains:
• Reporting
• Risk
• Responsibilities
– Results

Reporting Audit
• Financial statement audit
• Internal controls over financial reporting
• Integrated financial audit
• Goals driven performance
• Risk matrix:
– Risk – material misstatement, adverse event or condition
– Control – design & operating effectiveness & efficiency
– Monitor – walkthroughs, tests & reports

[Cube diagram: Reporting / Operations / Compliance; Risk / Control / Monitor; Requirements / Responsibilities / Relationships; labelled Audit, Objectives, Products, Processes]

Reporting Exercise
• Using the modified COSO Cube:
– Develop a Risk / Control / Test Matrix for an audit of Cash
– Develop an audit program that focuses on a “Find the center. Audit out.” approach to auditing Cash
– Prepare to present your audit plan to the Chief Auditor

Reporting RCT Matrix
Risk: Material Misstatement
Control: Account Reconciliations
Evidence: Reviewed and approved reconciliations
Test: Obtain & confirm

Organizational responsibilities
Balance Sheet / Changes in Cash Statement

Conclusions
• ???

Session 4 – Operations Audit

Agenda
• Insights
• Purpose
• Exercise
• Conclusions


Purpose
• Operations Audit:
– Audit of Inventory Control Processes
– Risk / Control / Test Matrix
– Core Domains:
• Reporting
• Risk
• Responsibilities
– Results

Operations Audit
• Process audit
• Internal controls
• Integrated performance audit
• Goals driven performance
• Risk matrix:
– Risk – material adverse event or condition
– Control – design & operating effectiveness & efficiency
– Monitor – walkthroughs, tests & reports

[Cube diagram: Reporting / Operations / Compliance; Risk / Control / Monitor; Requirements / Responsibilities / Relationships; labelled Audit, Objectives, Products, Processes]

Operations Exercise
• Using the modified COSO Cube:
– Develop a Risk / Control / Test Matrix for an audit of inventory control processes
– Develop an audit program that focuses on a “Find the center. Audit out.” approach to auditing inventory
– Prepare to present your audit plan to the Chief Auditor

Operations RCT Matrix
Risk: Material Adverse Event or Condition
Control: Risk-based pre-developed and tested procedures.
Evidence: Approved & tested procedures
Test: Obtain & confirm

Organizational responsibilities
Actual and budget income statements

Conclusions
• ???

Session 5 – Compliance Audit

Agenda
• Insights
• Purpose
• Exercise
• Conclusions


Purpose
• Compliance Audit:
– Audit of compliance for a regulatory requirement
– Risk / Control / Test Matrix
– Core Domains:
• Reporting
• Risk
• Responsibilities
– Results

Compliance Audit
• Government audit
• Internal controls
• Integrated performance audit
• Goals driven performance
• Risk matrix:
– Risk – material adverse event or condition
– Control – design & operating effectiveness & efficiency
– Monitor – walkthroughs, tests & reports

[Cube diagram: Reporting / Operations / Compliance; Risk / Control / Monitor; Requirements / Responsibilities / Relationships; labelled Audit, Objectives, Products, Processes]

Compliance Exercise
• Using the modified COSO Cube:
– Develop a Risk / Control / Test Matrix for an audit of a regulatory compliance requirement
– Develop an audit program that focuses on a “Find the center. Audit out.” approach to auditing compliance
– Prepare to present your audit plan to the Chief Auditor

Compliance RCT Matrix
Risk: Material Adverse Event or Condition
Control: Risk-based pre-developed and tested procedures.
Evidence: Approved & tested procedures.
Test: Obtain & confirm.

Organizational responsibilities
Related compliance account actual and budget analyses

Conclusions
• ???

Conclusions

New Rules
• Rule of One – Find the center. Audit out.
• Rule of Three – Focus on three dimensions.
• Rule of Ten – Minimum 10% Operating Margin.
• Rule of Twenty – Identify and work on the 20% of actions that drive 80% of results.
• Rule of Thirty – Expect no more than 30% cost of control.

Conclusion

“Find the center. Audit out!”

Johnny Cagle, April 20, 2017 – Rubik’s Cube Audit Approach