SlideShare a Scribd company logo

Farewell to pass or fail, James Christie at ExpoQA14, Madrid, May 2014.

James Christie Christie
James Christie Christie

An explanation of how auditing and testing are facing similar problems, ie how to communicate valuable information about risk to the people who need to know. The audit profession is having to move away from simplistic binary opinions (yes/no, true/false, pass//fail). Tester need to look to auditors for help, and they can offer valuable information to auditors too, if they are doing their job well and not offering binary opinions.

Business
1 of 44
Download to read offline
Madrid, 26th to 28th May 2014 Farewell to “pass or fail”? James Christie www.clarotesting.com blog: www.wordpress.clarotesting.com
Madrid, 26th to 28th May 2014 1b James Christie jack of all trades, master of some Test Manager & Consultant Developer & Business Analyst Information Security Manager Project Manager Computer Auditor investment accountant trainee chartered accountant
Madrid, 26th to 28th May 2014 Rikard Edgren (see his Oredev talk) “Reality isn’t binary… we don’t know everything in advance. We should observe the software without a hypothesis to nullify.” 2a Image courtesy digitalart/ FreeDigitalPhotos.net The Binary Trap
Madrid, 26th to 28th May 2014 2b The questions we can answer yes/no with most certainty are probably those that don't matter. The danger is that we focus on them because the light is better there. The Binary Trap
Madrid, 26th to 28th May 2014 2c The Binary Trap It’s not meant to be easy, it’s meant to be valuable. Test scripts are not testing. Ticklists are not auditing.
Madrid, 26th to 28th May 2014 How do we know anything? What matters? Who cares? “Toknow that weknow what we know, and to know that wedo not know what we do not know, that istrue knowledge.” Copernicus Evidence and Opinion 3a
Madrid, 26th to 28th May 2014 A positivist worldview? 3e Are we too keen to assume that the world we are investigating is a neater and more ordered place than it really is? Have we treated testing as if it is like a scientific experiment where we know and control all the variables?
Madrid, 26th to 28th May 2014 A balanced approach? (just doing the best we can) 3f We might not knowthings with certainty, but we can make statements based on evidence & keep refining our opinion.
Madrid, 26th to 28th May 2014 The relevance to testers 3g Relying on scripts and ticklists assumes that the information we want is under the streetlight. It assumes that we can know in advance what matters, what we need to look for. It assumes that the important questions can be answered with a “yes” or “no”.
Madrid, 26th to 28th May 2014 3h If we focus only on what was specified we will not see what was needed but neither specified nor built (5). And we won’t see what was not specified or needed, but was built (6). Thanks to James Lyndsay, Iain McCowatt, James Bach & Michael Bolton. The relevance to testers and auditors want to know too Either could be damaging.
Madrid, 26th to 28th May 2014 4a What is external audit? “External auditors are watchdogs not bloodhounds” English legal case Self image “… reasonable assurance about whether the financial statements as a whole are free from material misstatement” “… seguridad razonable de que los estados financieros en su conjunto están libres de incorrección material” International Standard On Auditing 200 Norma Internacional De Auditoría 200 (applies in EU)
Madrid, 26th to 28th May 2014 4b What is external audit? “… reasonable assurance about whether the financial statements as a whole are free from material misstatement” “… seguridad razonable de que los estados financieros en su conjunto están libres de incorrección material” International Standard On Auditing 200 Norma Internacional De Auditoría 200 (applies in EU) “External auditors are watchdogs not bloodhounds” English legal case Reality
Madrid, 26th to 28th May 2014 4c External auditor independence Challenging client management? “Commercial suicide” allegedquote from current chair of UK Financial Conduct Authority. John Griffith-Jones Clarification: “pre crisis, it was not the generally understood role of the auditor to criticise his client’s business model and … he might have got short shrift from management for so doing.” Images courtesy Artur84/FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 4d Big 4 audit fees for 2007 “…fees are now coming before independence, objectivity (and sometimes, even competence) in important parts of the accounting profession.” Paul Moore (ex partner KPMG, ex Head of Group Regulatory Risk, HBOS -2013) Images courtesy Artur84/FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 4e Big 6 foul ups in USA Grant Thornton 65%(43%) BDO55%(39%) Ernst & Young48%(36%) PWC39%(41%) KPMG34%(23%) Deloitte25%(42%) (% of audits inspected deemed to be “audit failures” by regulator) US PCAOB Audit Failures 2012 (2011) Images courtesy digitalart & Artur84/FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 4f Has external audit had its day? “With or without new rules, the main worry for auditors may be that people wonder whether their reports are worth a bean.” The Economist, April 2014 “The fact that the audit process failed to highlight developing problems in the banking sector does cause us to question exactly how useful audit currently is.” House of Commons Treasury Committee “Banking Crisis”, 2009
Madrid, 26th to 28th May 2014 4g Has external audit had its day? “External audit is now largely out-dated. The binary nature of the opinion renders it useless.” Richard Anderson chairman of the Institute of Risk Management, 2011 “The problem is that there's not a lot of evidence that (external) auditors are very good at assessing risk.” Charles Cullinan, Bryant College, USA
Madrid, 26th to 28th May 2014 4h “Internal auditing is an independent, objective assurance and consultingactivity designed to add value and improvean organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Global Institute of Internal Auditors Internal audit –a different perspective “La auditoría interna es una actividad independientey objetiva de aseguramiento y consulta, concebida para agregar valor y mejorar las operaciones de una organización. Ayuda a una organización a cumplir sus objetivos pues aporta un enfoque sistemático y disciplinado con el que evaluar y mejorar la eficacia de los procesos de gestión de riesgos, control y gobierno.” El Instituto de Auditores Internos de España
Madrid, 26th to 28th May 2014 4i Top six qualities internal auditors needIIA’s 2013 Global Pulse of the Profession survey 1 -Critical thinking 2 –Communication skills 3 –Risk management 4 –IT knowledge 5 –Data mining & analytics (fraud! ) 6 –Accounting knowledge Image courtesy cooldesign & FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 4j Internal auditors know more Deeper business knowledge Greater tacit knowledge Greater nous (streetwise, savvy, shrewd, insightful) More mature, and stronger characters? Image courtesy Krormrathog& FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 4k Are internal auditors stronger? You can’t bully good internal auditors. If you can bully them they don’t last long. Image courtesy Chanpipat & FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 4l The internal audit hothouse Internal audit is used as a training ground for high quality staff, at companies that take audit seriously.
Madrid, 26th to 28th May 2014 5a Risk and the financial crash Risk is a tricky concept and auditors didn’t handle it well. Image courtesy cooldesign & FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 5b What is risk? “...the chance, high or low, of somebody being harmed by the hazard, and how serious the harm could be” (UK Health & Safety Executive) “the effect of uncertainty on objectives” (ISO 31000) “a set of circumstances that hinder the achievement of objectives” (David M Griffiths, internal auditor) Image courtesy jscreationzs& FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 5c What is risk? UK Health & Safety Executive’s risk matrix
Madrid, 26th to 28th May 2014 5d Risk –the big dilemma Simple, understandable and totally misleading? Complex, more accurate (possibly) and totally uninformative? or Images courtesy Luigi Diamanti, Mr Brightman& FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 5e Risk –the big dilemma Rick Buy –Chief Risk Officer. His stated aim was to “condense all the risks of the corporation into a single metric.” (it used to be the Big 5)
Madrid, 26th to 28th May 2014 5f We lost sight of risk “With half a decade’s hindsight, it is clear the crisis had multiple causes. The most obvious is the financiers themselves – especially the irrationally exuberant Anglo-Saxon sort, who claimed to have found a way to banish risk when in fact they had simply lost track of it.” The Economist, 2013 Image courtesy pakorn / FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 5g We lost sight of risk “The weaknesses of group risk in HBOS were a matter of design, not accident.” UK Parliamentary Commission on Banking Standards “An Accident Waiting To Happen: The Failure of HBOS” Image courtesy pakorn / FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 5h Assurance about risks Auditors are looking for reasonable assurance, not absolute assurance. Appropriate… sufficient… reasonable… material
Madrid, 26th to 28th May 2014 5i Knowing more about the risks that matter “Audit priorities (should) align with those of the board and executive management. Risks that keep our stakeholders up at night also should be of concern to us.” Richard Chambers, CEO & President of Institute of Internal Auditors “The problem is that there's not a lot of evidence that (external) auditors are very good at assessing risk.” (reminder!) Charles Cullinan, Bryant College Image courtesy digitalart /FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 5j An auditor –one who learns by listening Good auditors learn by listening Bad auditors don’t listen. Their ticklist tells them the “right answers”. UK & US regulators are pushing auditors away from binary opinions. The EU too?
Madrid, 26th to 28th May 2014 5k Attitude of the Institute of Internal Auditors Traditional compliance auditing; “tipping out the pieces of a jigsaw puzzle on to the Audit Committee table rather than turning those pieces into a picture.” Sarah Blackburn, ex President of IIA UK Image courtesy Stuart Miles/FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 5l Attitude of the Institute of Internal Auditors Moving this way? “In a risk-based approach to security, compliance is provided by security –security is not necessarily provided by compliance.” John Wheeler, Gartner Inc “Many organizations look at compliance as a set of check boxes… compliance is not the goal, it’s a result of securing data in a dynamic and dangerous world.” Mike Rothman, Security Incite Image courtesy Stuart Miles/FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 5m Attitude of the Institute of Internal Auditors Moving this way?
Madrid, 26th to 28th May 2014 5n Information Systems Audit & Control Association –moving this way? “the standards committee… define best practice at a point in time, but… best sinks to ‘just okay’ practice with the passage of time. A standard is obsolete the day it is published… Carried forward over time, standard practice is mediocrity.” Steven Ross, former ISACA president, ISACA Journal 2013
Madrid, 26th to 28th May 2014 5o Risk Based Auditing There are no right answers (probably). The ticklist is not the audit. It’s just a tool. Auditors who needticklists are unprofessional compliance monkeys. That demeans and deskills the profession. Image courtesy Stuart Miles/FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 6a What does a goodauditor expect? The same as a good test manager. Working withgoodauditors Images courtesy Stuart Miles & David Castillo Dominici/FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 6b What do auditors expect from test reports? (with thanks to Rapid Software Testing) Learning about how the product was tested. Learning about how good the testing was. Learning about the product. But above all -learning about the risks that matter, the risks that keep the stakeholders awake at night. Images courtesy Stuart Miles & David Castillo Dominici/FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 6c What do auditors expect from test reports? Don’t empty the box onto the table. Put the pieces together to assemble a clear picture, to tell a compelling story about the risks that matter. Don’t try to tell the story by counting the passes and fails. Image courtesy Stuart Miles/FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 6d What do auditors expect from test reports? Auditors live and die by evidence. Opinions are not casual observations. They must be backed by evidence. Image courtesy Stuart Miles/FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 7a Wrapping up Get the auditors on your side Learn about their concerns. Get their insights into uncertainty, risks and threats. Be pro-active. Go and speak to the auditors. Learn about their “known unknowns”. Get their support if you need time, resources and people. Image courtesy Stuart Miles/FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 7b Wrapping up Get the auditors on your side Never do something just because “that’s what the auditors will expect”. Never follow the letter of the law and ignore the spirit. Say what you mean. Mean what you say. Neverlie! Do the right thing and be ready to justify it. Image courtesy Stuart Miles/FreeDigitalPhotos.net
Madrid, 26th to 28th May 2014 7c Wrapping up Image courtesy Stuart Miles/FreeDigitalPhotos.net

Recommended

Transition to College
Transition to CollegeTransition to College
Transition to CollegeEducationQuest
 
transition from HS 2015
transition from HS 2015transition from HS 2015
transition from HS 2015Robin Lurie-Meyerkopf M.Ed.
 
Peer transition power pointpkn3.0 (1).2
Peer transition power pointpkn3.0 (1).2Peer transition power pointpkn3.0 (1).2
Peer transition power pointpkn3.0 (1).2Pamela Noble
 
Peer counseling
Peer counselingPeer counseling
Peer counselingPRINTDESK by Dan
 
Cyber Risk Measurement: what 25 CISOs & CROs plan for 2020
Cyber Risk Measurement: what 25 CISOs & CROs plan for 2020Cyber Risk Measurement: what 25 CISOs & CROs plan for 2020
Cyber Risk Measurement: what 25 CISOs & CROs plan for 2020Kevin Duffey
 
FEI Digital Week Webinar at Innovation Management - October 2019
FEI Digital Week Webinar at Innovation Management - October 2019 FEI Digital Week Webinar at Innovation Management - October 2019
FEI Digital Week Webinar at Innovation Management - October 2019 SmartOrg
 
Cyber_security_survey201415_2
Cyber_security_survey201415_2Cyber_security_survey201415_2
Cyber_security_survey201415_2Stephanie Crates
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 

Recommended

Transition to College
Transition to CollegeTransition to College
Transition to CollegeEducationQuest
 
transition from HS 2015
transition from HS 2015transition from HS 2015
transition from HS 2015Robin Lurie-Meyerkopf M.Ed.
 
Peer transition power pointpkn3.0 (1).2
Peer transition power pointpkn3.0 (1).2Peer transition power pointpkn3.0 (1).2
Peer transition power pointpkn3.0 (1).2Pamela Noble
 
Peer counseling
Peer counselingPeer counseling
Peer counselingPRINTDESK by Dan
 
Cyber Risk Measurement: what 25 CISOs & CROs plan for 2020
Cyber Risk Measurement: what 25 CISOs & CROs plan for 2020Cyber Risk Measurement: what 25 CISOs & CROs plan for 2020
Cyber Risk Measurement: what 25 CISOs & CROs plan for 2020Kevin Duffey
 
FEI Digital Week Webinar at Innovation Management - October 2019
FEI Digital Week Webinar at Innovation Management - October 2019 FEI Digital Week Webinar at Innovation Management - October 2019
FEI Digital Week Webinar at Innovation Management - October 2019 SmartOrg
 
Cyber_security_survey201415_2
Cyber_security_survey201415_2Cyber_security_survey201415_2
Cyber_security_survey201415_2Stephanie Crates
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
Webinar | Risk management in asset management
Webinar | Risk management in asset managementWebinar | Risk management in asset management
Webinar | Risk management in asset managementStork
 
Measuring Public Relations
Measuring Public RelationsMeasuring Public Relations
Measuring Public RelationsPhilip Sheldrake
 
Measuring Public Relations
Measuring Public RelationsMeasuring Public Relations
Measuring Public RelationsCharityComms
 
Supporting reviews and performance: the role of the PMO
Supporting reviews and performance: the role of the PMOSupporting reviews and performance: the role of the PMO
Supporting reviews and performance: the role of the PMOAssociation for Project Management
 
James Christie CAST 2014 Standards – promoting quality or restricting competi...
James Christie CAST 2014 Standards – promoting quality or restricting competi...James Christie CAST 2014 Standards – promoting quality or restricting competi...
James Christie CAST 2014 Standards – promoting quality or restricting competi...James Christie Christie
 
RPM2 Selected to the CIO Review "Top 100" Most Promising Big Data Companies
RPM2 Selected to the CIO Review "Top 100" Most Promising Big Data CompaniesRPM2 Selected to the CIO Review "Top 100" Most Promising Big Data Companies
RPM2 Selected to the CIO Review "Top 100" Most Promising Big Data CompaniesScott Terry
 
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24
 
Deep learning fast and slow, a responsible and explainable AI framework - Ahm...
Deep learning fast and slow, a responsible and explainable AI framework - Ahm...Deep learning fast and slow, a responsible and explainable AI framework - Ahm...
Deep learning fast and slow, a responsible and explainable AI framework - Ahm...Institute of Contemporary Sciences
 
AXA x DSSG Meetup Sharing (Feb 2016)
AXA x DSSG Meetup Sharing (Feb 2016)AXA x DSSG Meetup Sharing (Feb 2016)
AXA x DSSG Meetup Sharing (Feb 2016)Eugene Yan Ziyou
 
ACCA Smart Finance Series - Trust in the Digital Age Presented by PwC
ACCA Smart Finance Series - Trust in the Digital Age Presented by PwCACCA Smart Finance Series - Trust in the Digital Age Presented by PwC
ACCA Smart Finance Series - Trust in the Digital Age Presented by PwCACCASG Community Manager
 
War Games -Simulating cyber incidents for fun and profit
War Games -Simulating cyber incidents for fun and profitWar Games -Simulating cyber incidents for fun and profit
War Games -Simulating cyber incidents for fun and profit🍁Steve Davies
 
Digital Bridge: Exploring Digital Landscapes in Packaging to Develop Interdis...
Digital Bridge: Exploring Digital Landscapes in Packaging to Develop Interdis...Digital Bridge: Exploring Digital Landscapes in Packaging to Develop Interdis...
Digital Bridge: Exploring Digital Landscapes in Packaging to Develop Interdis...Marketing Network marcus evans
 
Artesian Connections 18
Artesian Connections 18Artesian Connections 18
Artesian Connections 18Stuart Newton
 
Lee Glendon & Nick Wildgoose - Seeing the wood from the trees: New approaches...
Lee Glendon & Nick Wildgoose - Seeing the wood from the trees: New approaches...Lee Glendon & Nick Wildgoose - Seeing the wood from the trees: New approaches...
Lee Glendon & Nick Wildgoose - Seeing the wood from the trees: New approaches...Global Business Events
 
International Auditing Standards (ISA)
International Auditing Standards (ISA)International Auditing Standards (ISA)
International Auditing Standards (ISA)Manon Cuylits
 
Onisiforos Onisiforou - Internal Auditing: Looking Ahead - Challenges, dilemm...
Onisiforos Onisiforou - Internal Auditing: Looking Ahead - Challenges, dilemm...Onisiforos Onisiforou - Internal Auditing: Looking Ahead - Challenges, dilemm...
Onisiforos Onisiforou - Internal Auditing: Looking Ahead - Challenges, dilemm...almatotals
 
Australis Music Group - The Future of Music Instrument Retail - 3 December 2015
Australis Music Group - The Future of Music Instrument Retail - 3 December 2015Australis Music Group - The Future of Music Instrument Retail - 3 December 2015
Australis Music Group - The Future of Music Instrument Retail - 3 December 2015Craig Rispin
 
MMV Webinar 3. Cybersecurity Perspectives. March 2018
MMV Webinar 3. Cybersecurity Perspectives. March 2018MMV Webinar 3. Cybersecurity Perspectives. March 2018
MMV Webinar 3. Cybersecurity Perspectives. March 2018Match-Maker Ventures
 
Are You Ready For Predictive Analytics?
Are You Ready For Predictive Analytics?Are You Ready For Predictive Analytics?
Are You Ready For Predictive Analytics?Aggregage
 
Ray poynter global trends in mr
Ray poynter global trends in mrRay poynter global trends in mr
Ray poynter global trends in mrTomoko Yoshida
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.Aaiza Hassan
 
Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxSocio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxtrishalcan8
 

More Related Content

Similar to Farewell to pass or fail, James Christie at ExpoQA14, Madrid, May 2014.

Webinar | Risk management in asset management
Webinar | Risk management in asset managementWebinar | Risk management in asset management
Webinar | Risk management in asset managementStork
 
Measuring Public Relations
Measuring Public RelationsMeasuring Public Relations
Measuring Public RelationsPhilip Sheldrake
 
Measuring Public Relations
Measuring Public RelationsMeasuring Public Relations
Measuring Public RelationsCharityComms
 
James Christie CAST 2014 Standards – promoting quality or restricting competi...
James Christie CAST 2014 Standards – promoting quality or restricting competi...James Christie CAST 2014 Standards – promoting quality or restricting competi...
James Christie CAST 2014 Standards – promoting quality or restricting competi...James Christie Christie
 
RPM2 Selected to the CIO Review "Top 100" Most Promising Big Data Companies
RPM2 Selected to the CIO Review "Top 100" Most Promising Big Data CompaniesRPM2 Selected to the CIO Review "Top 100" Most Promising Big Data Companies
RPM2 Selected to the CIO Review "Top 100" Most Promising Big Data CompaniesScott Terry
 
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24
 
Deep learning fast and slow, a responsible and explainable AI framework - Ahm...
Deep learning fast and slow, a responsible and explainable AI framework - Ahm...Deep learning fast and slow, a responsible and explainable AI framework - Ahm...
Deep learning fast and slow, a responsible and explainable AI framework - Ahm...Institute of Contemporary Sciences
 
AXA x DSSG Meetup Sharing (Feb 2016)
AXA x DSSG Meetup Sharing (Feb 2016)AXA x DSSG Meetup Sharing (Feb 2016)
AXA x DSSG Meetup Sharing (Feb 2016)Eugene Yan Ziyou
 
ACCA Smart Finance Series - Trust in the Digital Age Presented by PwC
ACCA Smart Finance Series - Trust in the Digital Age Presented by PwCACCA Smart Finance Series - Trust in the Digital Age Presented by PwC
ACCA Smart Finance Series - Trust in the Digital Age Presented by PwCACCASG Community Manager
 
War Games -Simulating cyber incidents for fun and profit
War Games -Simulating cyber incidents for fun and profitWar Games -Simulating cyber incidents for fun and profit
War Games -Simulating cyber incidents for fun and profit🍁Steve Davies
 
Digital Bridge: Exploring Digital Landscapes in Packaging to Develop Interdis...
Digital Bridge: Exploring Digital Landscapes in Packaging to Develop Interdis...Digital Bridge: Exploring Digital Landscapes in Packaging to Develop Interdis...
Digital Bridge: Exploring Digital Landscapes in Packaging to Develop Interdis...Marketing Network marcus evans
 
Artesian Connections 18
Artesian Connections 18Artesian Connections 18
Artesian Connections 18Stuart Newton
 
Lee Glendon & Nick Wildgoose - Seeing the wood from the trees: New approaches...
Lee Glendon & Nick Wildgoose - Seeing the wood from the trees: New approaches...Lee Glendon & Nick Wildgoose - Seeing the wood from the trees: New approaches...
Lee Glendon & Nick Wildgoose - Seeing the wood from the trees: New approaches...Global Business Events
 
International Auditing Standards (ISA)
International Auditing Standards (ISA)International Auditing Standards (ISA)
International Auditing Standards (ISA)Manon Cuylits
 
Onisiforos Onisiforou - Internal Auditing: Looking Ahead - Challenges, dilemm...
Onisiforos Onisiforou - Internal Auditing: Looking Ahead - Challenges, dilemm...Onisiforos Onisiforou - Internal Auditing: Looking Ahead - Challenges, dilemm...
Onisiforos Onisiforou - Internal Auditing: Looking Ahead - Challenges, dilemm...almatotals
 
Australis Music Group - The Future of Music Instrument Retail - 3 December 2015
Australis Music Group - The Future of Music Instrument Retail - 3 December 2015Australis Music Group - The Future of Music Instrument Retail - 3 December 2015
Australis Music Group - The Future of Music Instrument Retail - 3 December 2015Craig Rispin
 
MMV Webinar 3. Cybersecurity Perspectives. March 2018
MMV Webinar 3. Cybersecurity Perspectives. March 2018MMV Webinar 3. Cybersecurity Perspectives. March 2018
MMV Webinar 3. Cybersecurity Perspectives. March 2018Match-Maker Ventures
 
Are You Ready For Predictive Analytics?
Are You Ready For Predictive Analytics?Are You Ready For Predictive Analytics?
Are You Ready For Predictive Analytics?Aggregage
 
Ray poynter global trends in mr
Ray poynter global trends in mrRay poynter global trends in mr
Ray poynter global trends in mrTomoko Yoshida
 

Similar to Farewell to pass or fail, James Christie at ExpoQA14, Madrid, May 2014. (20)

Webinar | Risk management in asset management
Webinar | Risk management in asset managementWebinar | Risk management in asset management
Webinar | Risk management in asset management
 
Measuring Public Relations
Measuring Public RelationsMeasuring Public Relations
Measuring Public Relations
 
Measuring Public Relations
Measuring Public RelationsMeasuring Public Relations
Measuring Public Relations
 
Supporting reviews and performance: the role of the PMO
Supporting reviews and performance: the role of the PMOSupporting reviews and performance: the role of the PMO
Supporting reviews and performance: the role of the PMO
 
James Christie CAST 2014 Standards – promoting quality or restricting competi...
James Christie CAST 2014 Standards – promoting quality or restricting competi...James Christie CAST 2014 Standards – promoting quality or restricting competi...
James Christie CAST 2014 Standards – promoting quality or restricting competi...
 
RPM2 Selected to the CIO Review "Top 100" Most Promising Big Data Companies
RPM2 Selected to the CIO Review "Top 100" Most Promising Big Data CompaniesRPM2 Selected to the CIO Review "Top 100" Most Promising Big Data Companies
RPM2 Selected to the CIO Review "Top 100" Most Promising Big Data Companies
 
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
Outpost24 webinar - Why asset discovery is the missing link to enterprise vul...
 
Deep learning fast and slow, a responsible and explainable AI framework - Ahm...
Deep learning fast and slow, a responsible and explainable AI framework - Ahm...Deep learning fast and slow, a responsible and explainable AI framework - Ahm...
Deep learning fast and slow, a responsible and explainable AI framework - Ahm...
 
AXA x DSSG Meetup Sharing (Feb 2016)
AXA x DSSG Meetup Sharing (Feb 2016)AXA x DSSG Meetup Sharing (Feb 2016)
AXA x DSSG Meetup Sharing (Feb 2016)
 
ACCA Smart Finance Series - Trust in the Digital Age Presented by PwC
ACCA Smart Finance Series - Trust in the Digital Age Presented by PwCACCA Smart Finance Series - Trust in the Digital Age Presented by PwC
ACCA Smart Finance Series - Trust in the Digital Age Presented by PwC
 
War Games -Simulating cyber incidents for fun and profit
War Games -Simulating cyber incidents for fun and profitWar Games -Simulating cyber incidents for fun and profit
War Games -Simulating cyber incidents for fun and profit
 
Digital Bridge: Exploring Digital Landscapes in Packaging to Develop Interdis...
Digital Bridge: Exploring Digital Landscapes in Packaging to Develop Interdis...Digital Bridge: Exploring Digital Landscapes in Packaging to Develop Interdis...
Digital Bridge: Exploring Digital Landscapes in Packaging to Develop Interdis...
 
Artesian Connections 18
Artesian Connections 18Artesian Connections 18
Artesian Connections 18
 
Lee Glendon & Nick Wildgoose - Seeing the wood from the trees: New approaches...
Lee Glendon & Nick Wildgoose - Seeing the wood from the trees: New approaches...Lee Glendon & Nick Wildgoose - Seeing the wood from the trees: New approaches...
Lee Glendon & Nick Wildgoose - Seeing the wood from the trees: New approaches...
 
International Auditing Standards (ISA)
International Auditing Standards (ISA)International Auditing Standards (ISA)
International Auditing Standards (ISA)
 
Onisiforos Onisiforou - Internal Auditing: Looking Ahead - Challenges, dilemm...
Onisiforos Onisiforou - Internal Auditing: Looking Ahead - Challenges, dilemm...Onisiforos Onisiforou - Internal Auditing: Looking Ahead - Challenges, dilemm...
Onisiforos Onisiforou - Internal Auditing: Looking Ahead - Challenges, dilemm...
 
Australis Music Group - The Future of Music Instrument Retail - 3 December 2015
Australis Music Group - The Future of Music Instrument Retail - 3 December 2015Australis Music Group - The Future of Music Instrument Retail - 3 December 2015
Australis Music Group - The Future of Music Instrument Retail - 3 December 2015
 
MMV Webinar 3. Cybersecurity Perspectives. March 2018
MMV Webinar 3. Cybersecurity Perspectives. March 2018MMV Webinar 3. Cybersecurity Perspectives. March 2018
MMV Webinar 3. Cybersecurity Perspectives. March 2018
 
Are You Ready For Predictive Analytics?
Are You Ready For Predictive Analytics?Are You Ready For Predictive Analytics?
Are You Ready For Predictive Analytics?
 
Ray poynter global trends in mr
Ray poynter global trends in mrRay poynter global trends in mr
Ray poynter global trends in mr
 

Recently uploaded

M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.Aaiza Hassan
 
Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxSocio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxtrishalcan8
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageMatteo Carbone
 
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewasmakika9823
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingTech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingShawn Pang
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in managementchhavia330
 
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneVIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneCall girls in Ahmedabad High profile
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdfRenandantas16
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechNewman George Leech
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxAndy Lambert
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Dipal Arora
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...lizamodels9
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessAggregage
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfPaul Menig
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsApsara Of India
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Roland Driesen
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room ServiceCall Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Servicediscovermytutordmt
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Tina Ji
 

Recently uploaded (20)

M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.M.C Lodges -- Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptxSocio-economic-Impact-of-business-consumers-suppliers-and.pptx
Socio-economic-Impact-of-business-consumers-suppliers-and.pptx
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
 
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
 
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth MarketingTech Startup Growth Hacking 101 - Basics on Growth Marketing
Tech Startup Growth Hacking 101 - Basics on Growth Marketing
 
GD Birla and his contribution in management
GD Birla and his contribution in managementGD Birla and his contribution in management
GD Birla and his contribution in management
 
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service PuneVIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Kirti 8617697112 Independent Escort Service Pune
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman Leech
 
Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
Forklift Operations: Safety through Cartoons
Forklift Operations: Safety through CartoonsForklift Operations: Safety through Cartoons
Forklift Operations: Safety through Cartoons
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for Success
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.
 
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call GirlsCash Payment 9602870969 Escort Service in Udaipur Call Girls
Cash Payment 9602870969 Escort Service in Udaipur Call Girls
 
Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...Ensure the security of your HCL environment by applying the Zero Trust princi...
Ensure the security of your HCL environment by applying the Zero Trust princi...
 
Call Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room ServiceCall Girls in Gomti Nagar - 7388211116 - With room Service
Call Girls in Gomti Nagar - 7388211116 - With room Service
 
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
Russian Faridabad Call Girls(Badarpur) : ☎ 8168257667, @4999
 

Farewell to pass or fail, James Christie at ExpoQA14, Madrid, May 2014.

  • 1. Madrid, 26th to 28th May 2014 Farewell to “pass or fail”? James Christie www.clarotesting.com blog: www.wordpress.clarotesting.com
  • 2. Madrid, 26th to 28th May 2014 1b James Christie jack of all trades, master of some Test Manager & Consultant Developer & Business Analyst Information Security Manager Project Manager Computer Auditor investment accountant trainee chartered accountant
  • 3. Madrid, 26th to 28th May 2014 Rikard Edgren (see his Oredev talk) “Reality isn’t binary… we don’t know everything in advance. We should observe the software without a hypothesis to nullify.” 2a Image courtesy digitalart/ FreeDigitalPhotos.net The Binary Trap
  • 4. Madrid, 26th to 28th May 2014 2b The questions we can answer yes/no with most certainty are probably those that don't matter. The danger is that we focus on them because the light is better there. The Binary Trap
  • 5. Madrid, 26th to 28th May 2014 2c The Binary Trap It’s not meant to be easy, it’s meant to be valuable. Test scripts are not testing. Ticklists are not auditing.
  • 6. Madrid, 26th to 28th May 2014 How do we know anything? What matters? Who cares? “Toknow that weknow what we know, and to know that wedo not know what we do not know, that istrue knowledge.” Copernicus Evidence and Opinion 3a
  • 7. Madrid, 26th to 28th May 2014 A positivist worldview? 3e Are we too keen to assume that the world we are investigating is a neater and more ordered place than it really is? Have we treated testing as if it is like a scientific experiment where we know and control all the variables?
  • 8. Madrid, 26th to 28th May 2014 A balanced approach? (just doing the best we can) 3f We might not knowthings with certainty, but we can make statements based on evidence & keep refining our opinion.
  • 9. Madrid, 26th to 28th May 2014 The relevance to testers 3g Relying on scripts and ticklists assumes that the information we want is under the streetlight. It assumes that we can know in advance what matters, what we need to look for. It assumes that the important questions can be answered with a “yes” or “no”.
  • 10. Madrid, 26th to 28th May 2014 3h If we focus only on what was specified we will not see what was needed but neither specified nor built (5). And we won’t see what was not specified or needed, but was built (6). Thanks to James Lyndsay, Iain McCowatt, James Bach & Michael Bolton. The relevance to testers and auditors want to know too Either could be damaging.
  • 11. Madrid, 26th to 28th May 2014 4a What is external audit? “External auditors are watchdogs not bloodhounds” English legal case Self image “… reasonable assurance about whether the financial statements as a whole are free from material misstatement” “… seguridad razonable de que los estados financieros en su conjunto están libres de incorrección material” International Standard On Auditing 200 Norma Internacional De Auditoría 200 (applies in EU)
  • 12. Madrid, 26th to 28th May 2014 4b What is external audit? “… reasonable assurance about whether the financial statements as a whole are free from material misstatement” “… seguridad razonable de que los estados financieros en su conjunto están libres de incorrección material” International Standard On Auditing 200 Norma Internacional De Auditoría 200 (applies in EU) “External auditors are watchdogs not bloodhounds” English legal case Reality
  • 13. Madrid, 26th to 28th May 2014 4c External auditor independence Challenging client management? “Commercial suicide” allegedquote from current chair of UK Financial Conduct Authority. John Griffith-Jones Clarification: “pre crisis, it was not the generally understood role of the auditor to criticise his client’s business model and … he might have got short shrift from management for so doing.” Images courtesy Artur84/FreeDigitalPhotos.net
  • 14. Madrid, 26th to 28th May 2014 4d Big 4 audit fees for 2007 “…fees are now coming before independence, objectivity (and sometimes, even competence) in important parts of the accounting profession.” Paul Moore (ex partner KPMG, ex Head of Group Regulatory Risk, HBOS -2013) Images courtesy Artur84/FreeDigitalPhotos.net
  • 15. Madrid, 26th to 28th May 2014 4e Big 6 foul ups in USA Grant Thornton 65%(43%) BDO55%(39%) Ernst & Young48%(36%) PWC39%(41%) KPMG34%(23%) Deloitte25%(42%) (% of audits inspected deemed to be “audit failures” by regulator) US PCAOB Audit Failures 2012 (2011) Images courtesy digitalart & Artur84/FreeDigitalPhotos.net
  • 16. Madrid, 26th to 28th May 2014 4f Has external audit had its day? “With or without new rules, the main worry for auditors may be that people wonder whether their reports are worth a bean.” The Economist, April 2014 “The fact that the audit process failed to highlight developing problems in the banking sector does cause us to question exactly how useful audit currently is.” House of Commons Treasury Committee “Banking Crisis”, 2009
  • 17. Madrid, 26th to 28th May 2014 4g Has external audit had its day? “External audit is now largely out-dated. The binary nature of the opinion renders it useless.” Richard Anderson chairman of the Institute of Risk Management, 2011 “The problem is that there's not a lot of evidence that (external) auditors are very good at assessing risk.” Charles Cullinan, Bryant College, USA
  • 18. Madrid, 26th to 28th May 2014 4h “Internal auditing is an independent, objective assurance and consultingactivity designed to add value and improvean organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Global Institute of Internal Auditors Internal audit –a different perspective “La auditoría interna es una actividad independientey objetiva de aseguramiento y consulta, concebida para agregar valor y mejorar las operaciones de una organización. Ayuda a una organización a cumplir sus objetivos pues aporta un enfoque sistemático y disciplinado con el que evaluar y mejorar la eficacia de los procesos de gestión de riesgos, control y gobierno.” El Instituto de Auditores Internos de España
  • 19. Madrid, 26th to 28th May 2014 4i Top six qualities internal auditors needIIA’s 2013 Global Pulse of the Profession survey 1 -Critical thinking 2 –Communication skills 3 –Risk management 4 –IT knowledge 5 –Data mining & analytics (fraud! ) 6 –Accounting knowledge Image courtesy cooldesign & FreeDigitalPhotos.net
  • 20. Madrid, 26th to 28th May 2014 4j Internal auditors know more Deeper business knowledge Greater tacit knowledge Greater nous (streetwise, savvy, shrewd, insightful) More mature, and stronger characters? Image courtesy Krormrathog& FreeDigitalPhotos.net
  • 21. Madrid, 26th to 28th May 2014 4k Are internal auditors stronger? You can’t bully good internal auditors. If you can bully them they don’t last long. Image courtesy Chanpipat & FreeDigitalPhotos.net
  • 22. Madrid, 26th to 28th May 2014 4l The internal audit hothouse Internal audit is used as a training ground for high quality staff, at companies that take audit seriously.
  • 23. Madrid, 26th to 28th May 2014 5a Risk and the financial crash Risk is a tricky concept and auditors didn’t handle it well. Image courtesy cooldesign & FreeDigitalPhotos.net
  • 24. Madrid, 26th to 28th May 2014 5b What is risk? “...the chance, high or low, of somebody being harmed by the hazard, and how serious the harm could be” (UK Health & Safety Executive) “the effect of uncertainty on objectives” (ISO 31000) “a set of circumstances that hinder the achievement of objectives” (David M Griffiths, internal auditor) Image courtesy jscreationzs& FreeDigitalPhotos.net
  • 25. Madrid, 26th to 28th May 2014 5c What is risk? UK Health & Safety Executive’s risk matrix
  • 26. Madrid, 26th to 28th May 2014 5d Risk –the big dilemma Simple, understandable and totally misleading? Complex, more accurate (possibly) and totally uninformative? or Images courtesy Luigi Diamanti, Mr Brightman& FreeDigitalPhotos.net
  • 27. Madrid, 26th to 28th May 2014 5e Risk –the big dilemma Rick Buy –Chief Risk Officer. His stated aim was to “condense all the risks of the corporation into a single metric.” (it used to be the Big 5)
  • 28. Madrid, 26th to 28th May 2014 5f We lost sight of risk “With half a decade’s hindsight, it is clear the crisis had multiple causes. The most obvious is the financiers themselves – especially the irrationally exuberant Anglo-Saxon sort, who claimed to have found a way to banish risk when in fact they had simply lost track of it.” The Economist, 2013 Image courtesy pakorn / FreeDigitalPhotos.net
  • 29. Madrid, 26th to 28th May 2014 5g We lost sight of risk “The weaknesses of group risk in HBOS were a matter of design, not accident.” UK Parliamentary Commission on Banking Standards “An Accident Waiting To Happen: The Failure of HBOS” Image courtesy pakorn / FreeDigitalPhotos.net
  • 30. Madrid, 26th to 28th May 2014 5h Assurance about risks Auditors are looking for reasonable assurance, not absolute assurance. Appropriate… sufficient… reasonable… material
  • 31. Madrid, 26th to 28th May 2014 5i Knowing more about the risks that matter “Audit priorities (should) align with those of the board and executive management. Risks that keep our stakeholders up at night also should be of concern to us.” Richard Chambers, CEO & President of Institute of Internal Auditors “The problem is that there's not a lot of evidence that (external) auditors are very good at assessing risk.” (reminder!) Charles Cullinan, Bryant College Image courtesy digitalart /FreeDigitalPhotos.net
  • 32. Madrid, 26th to 28th May 2014 5j An auditor –one who learns by listening Good auditors learn by listening Bad auditors don’t listen. Their ticklist tells them the “right answers”. UK & US regulators are pushing auditors away from binary opinions. The EU too?
  • 33. Madrid, 26th to 28th May 2014 5k Attitude of the Institute of Internal Auditors Traditional compliance auditing; “tipping out the pieces of a jigsaw puzzle on to the Audit Committee table rather than turning those pieces into a picture.” Sarah Blackburn, ex President of IIA UK Image courtesy Stuart Miles/FreeDigitalPhotos.net
  • 34. Madrid, 26th to 28th May 2014 5l Attitude of the Institute of Internal Auditors Moving this way? “In a risk-based approach to security, compliance is provided by security –security is not necessarily provided by compliance.” John Wheeler, Gartner Inc “Many organizations look at compliance as a set of check boxes… compliance is not the goal, it’s a result of securing data in a dynamic and dangerous world.” Mike Rothman, Security Incite Image courtesy Stuart Miles/FreeDigitalPhotos.net
  • 35. Madrid, 26th to 28th May 2014 5m Attitude of the Institute of Internal Auditors Moving this way?
  • 36. Madrid, 26th to 28th May 2014 5n Information Systems Audit & Control Association –moving this way? “the standards committee… define best practice at a point in time, but… best sinks to ‘just okay’ practice with the passage of time. A standard is obsolete the day it is published… Carried forward over time, standard practice is mediocrity.” Steven Ross, former ISACA president, ISACA Journal 2013
  • 37. Madrid, 26th to 28th May 2014 5o Risk Based Auditing There are no right answers (probably). The ticklist is not the audit. It’s just a tool. Auditors who needticklists are unprofessional compliance monkeys. That demeans and deskills the profession. Image courtesy Stuart Miles/FreeDigitalPhotos.net
  • 38. Madrid, 26th to 28th May 2014 6a What does a goodauditor expect? The same as a good test manager. Working withgoodauditors Images courtesy Stuart Miles & David Castillo Dominici/FreeDigitalPhotos.net
  • 39. Madrid, 26th to 28th May 2014 6b What do auditors expect from test reports? (with thanks to Rapid Software Testing) Learning about how the product was tested. Learning about how good the testing was. Learning about the product. But above all -learning about the risks that matter, the risks that keep the stakeholders awake at night. Images courtesy Stuart Miles & David Castillo Dominici/FreeDigitalPhotos.net
  • 40. Madrid, 26th to 28th May 2014 6c What do auditors expect from test reports? Don’t empty the box onto the table. Put the pieces together to assemble a clear picture, to tell a compelling story about the risks that matter. Don’t try to tell the story by counting the passes and fails. Image courtesy Stuart Miles/FreeDigitalPhotos.net
  • 41. Madrid, 26th to 28th May 2014 6d What do auditors expect from test reports? Auditors live and die by evidence. Opinions are not casual observations. They must be backed by evidence. Image courtesy Stuart Miles/FreeDigitalPhotos.net
  • 42. Madrid, 26th to 28th May 2014 7a Wrapping up Get the auditors on your side Learn about their concerns. Get their insights into uncertainty, risks and threats. Be pro-active. Go and speak to the auditors. Learn about their “known unknowns”. Get their support if you need time, resources and people. Image courtesy Stuart Miles/FreeDigitalPhotos.net
  • 43. Madrid, 26th to 28th May 2014 7b Wrapping up Get the auditors on your side Never do something just because “that’s what the auditors will expect”. Never follow the letter of the law and ignore the spirit. Say what you mean. Mean what you say. Neverlie! Do the right thing and be ready to justify it. Image courtesy Stuart Miles/FreeDigitalPhotos.net
  • 44. Madrid, 26th to 28th May 2014 7c Wrapping up Image courtesy Stuart Miles/FreeDigitalPhotos.net