Investing to WIN #046 - Internal Audits Explained: Risk, Governance, and Board Oversight

(with Brian Brown)

Most business owners think audits are about taxes or compliance. In reality, internal audits are about risk, governance, and protecting your organization before problems become public.

In this conversation, Brian Brown explains how internal audit functions work, how boards use them to oversee management, and why understanding risk is critical in today’s digital and AI-driven environment.

Duration: 63:00

Date: Feb 20, 2024

Guest: Brian Brown - One of the Founders of IIA Canada


What You’ll Learn

• The difference between internal audits, external audits, and regulatory audits

• How boards use internal audit to oversee risk and protect stakeholders

• Why “trust but verify” is a core principle of effective governance

• How organizations identify and prioritize high-impact risks

• What an internal audit report includes and how recommendations are implemented

• Why AI and digitization are reshaping risk management and oversight

Memorable Moments

“I love to talk about internal audit. It’s a hidden jewel.”

“Trust, but verify.”

“A board meeting is where the wise meet the smart.”

Episode Summary

Many business owners misunderstand audits as purely financial or compliance-driven. This episode clarifies what internal audit really is: an independent, risk-based function designed to help boards and management protect the organization and achieve its objectives.

Brian Brown explains how internal audits evaluate everything from operations and IT to fraud risk and governance. He outlines how boards rely on structured risk assessments, audit plans, and independent reporting to oversee management without micromanaging day-to-day operations.

This episode is especially relevant for CEOs, board members, and growing business owners who want stronger oversight, better decision-making, and practical frameworks for identifying what could go wrong before it does.

Chapter Timestamps

[00:01] – Introduction to Brian Brown and internal audit

[06:38] – Internal vs. external audits explained

[12:18] – How organizations decide what to audit

[20:05] – Understanding risk and governance responsibilities

[29:07] – Board collaboration and oversight challenges

[36:27] – International internal audit standards

[51:16] – AI, digitization, and emerging audit risks

[57:44] – Defining success and long-term impact

About Brian Brown

Brian Brown is a retired Chief Audit Executive with more than 35 years of experience leading internal audit functions in major Canadian organizations. He is one of the founders of IIA Canada and has served on global and national boards within the Institute of Internal Auditors.

Since retiring, Brian serves on multiple boards and audit committees, chairs governance committees, and consults on risk management and oversight. He brings experience from both management and board perspectives, offering practical insight into how governance works in real organizations.

Full Episode Transcript


Garret (00:01.944)

Good afternoon, everybody. My name's Garrett Wong, your host of the Investing to WIN podcast. Today I have a special guest, Brian Brown, who's on the show with me today. Brian comes to us as a retired chief audit executive. Several companies, great career, loves serving on some boards right now. And today we're gonna be talking about audits, what they are and how risks are with companies. And we'll see where it takes us. Brian, how are you?


Brian Brown (00:31.99)

Great, yeah. Thanks, Garrett, for the invitation. I love to talk about internal audit. That's what we're talking about, internal audit. I'll explain that in a minute. Any chance I get, it's a hidden jewel in a lot of organizations, and a lot of organizations don't have internal audit that should. So it's a good opportunity for me. How about those Jets, eh?


Garret (00:48.899)

Yeah.


Perfect. Yeah, how about those Jets behind you? No, currently as of the recording, we are in first place, but we'll see if that backfires on us.


Brian Brown (00:55.359)

Yeah, so, um...


Brian Brown (01:01.186)

Yeah, never get, let's get ahead of ourselves here.


Garret (01:04.236)

Yeah, I thought I'd start with, why don't you just introduce yourself to the audience formally and sort of give a little bit of a background of who you are and sort of an intro. So the audience gets to know you a little bit.


Brian Brown (01:14.946)

Okay, so I'm good. Sure, so as Garrett said, I'm a retired chief audit executive, so that's the vernacular, the title that's used in Canada and in North America generally for the head of internal audit. So I led the internal audit function with five organizations in Canada, including a couple of our largest companies, Sears Canada in Toronto, the long since departed, of course, but was a great company back in the day, Great West Life


in Winnipeg, UGG for those who remember the old grain company, Agricore United and the Canadian Grain Commission, a federal government agency, in the last 10 years of my career. So over my 35 year career, about 25 of it was spent leading internal audit functions. Now that may sound boring, but it's not at all boring. And it involves risk and


ethics and fraud and working with boards of directors and executive management. I was part of the executive management committee for these organizations. So yeah, it's been an exciting career. I want to add a couple things though, because in addition to the career like that, I also spent a lot of my time outside of work in various organizations and I highly encourage people to do that. Get outside the box, outside of your work environment and get involved in other things. So


For me, like a lot of people, that started with my kids when they were little, you know, and their activities, I said, I'm gonna get involved in them. So yeah, I coached, I got on boards of community centers and sports organizations and all kinds of stuff just to kind of support them and also see what the program was like for my kids. But that led to all kinds of things. I got involved with my professional association, the Institute of Internal Auditors, which is a global organization. Most professions have a governing body. That's it for us, the IIA.


So I was on their global board for a while, North America. I founded IIA Canada back in 2006, which gave us a Canadian entity. And I got involved with other associations and organizations. And that's continued. After my kids left, I was able to spend more time doing that outside of work. But that gets you outside your box. So I would say I had a career in internal audit, so I'm an auditor in a sense. But.


Brian Brown (03:31.922)

I've been a board member, I've worked on marketing, advocacy, and all kinds of other things outside of work through those other aid organizations. So I highly encourage people to do that. So now that I'm, I retired in 2019 from the last job I ever hoped to have, but I've been doing, I have my own little independent consulting practice. So I teach courses, do a bit of consulting, and I'm on four boards right now. So the Manitoba Agricultural Services Corporation Board, where I chair their audit committee of the board.


I'm on two major charities, the Canadian Centre for Child Protection based in Winnipeg and Marymound based in Winnipeg, and the Institute of Corporate Directors, which is the professional association, well, it's national and local, for people who are on boards of directors or who want to be on boards of directors. So I now spend most of my time on the other side of the table from management and get a different perspective on things. So in today's conversation, we can talk about both sides


as it relates to internal audit risk and governance and so on. So.


Garret (04:33.608)

Yeah, absolutely. No, thank you for that. Before we get into internal audits, I'm curious what, now that you're retired, what brought you to the other side and serving on boards?


Brian Brown (04:46.346)

Well, I had done a lot of it while I was working. Like I said, community centers, sports, and I have some horror stories about those if we have time. But anyway, and my business experience was of value. So if I was on a sports board, I'm not necessarily passionate about the sport, but I know how to run an organization well and how to manage risk and finances and those kinds of things. So.


And I actually just enjoyed being on boards. I found it an interesting perspective. So that was something I wanted to do when I retired. I've been faculty for another thing I've done while I was working for the last 20 years for an organization called the Directors College, which trains people to be on boards of directors. And I just liked that perspective. I found it fascinating. So when I retired, I figured that's something I'd like to do more of, right? So I've...


expanded that and hope to continue adding a couple more. I have capacity right now to add a couple more boards. So if any of your audience members need a board member, particularly one that's good at oversight of risk, audits, finance, I chair two governance committees, I'm on three audit committees of board. Those are subcommittees of the board. So boards generally have committees, subcommittees, to look after and more detailed work. So I just found the work interesting, right?


Garret (06:12.612)

Okay, well, we'll definitely, we're gonna be putting your information into the show notes. So if anybody wants to reach out, certainly that's going to be a great option. Let's move into audits themselves. I mean, for me, before I even knew you existed, and you know, obviously we were introduced by a good friend of mine. I always thought of audits as something with CRA, right? Canada Revenue Agency.


Brian Brown (06:12.837)

Um.


Brian Brown (06:19.31)

Sure. Yeah, it's.


Garret (06:38.584)

Can you kind of, well, I mean, nobody wants to get audited, right? But you're talking about a different type of audit. Can you kind of explain to the audience what your type of audit entails?


Brian Brown (06:49.421)

Yeah, so internal audit is something that organizations have and they're large organizations. I would say any organization with 300 or more probably employees. So virtually every corporation that's traded on the stock exchange would have an internal audit function. So these are generally employees of the company or their contracts with the company. So


It could be outsourced, but what they do, so they operate within the company and essentially they report to the board of directors and the senior management team. So they report to the audit committee of the board. So it's like your own in-house audit function. So what they do, now that's different from the external auditors. So most people are familiar with the external auditors who audit your financial statements.


So those are completely independent people who work for another company, a firm, like PwC or Deloitte or so on, right? So they come in and they audit your financial statements. Their audit is limited to your financial statements, right? They wanna provide you with assurance that the statements are reasonably accurate, for your stakeholders or funders or whatever, right? So that's what they do. CRA audits your taxes, it's purely compliance.


There are other types of audits, ISO, if you've worked in manufacturing operations, they'll have their own type of audit to ensure that you're complying with your standard operating procedures. The internal audit I'm talking about is much broader. So it's risk-based within an organization and the idea is kind of twofold. First of all, to provide the board and the audit committee with some assurance that those risks are reasonably well managed so that the organization will achieve its objectives. So we're not just talking about financial risks.


financial statements and so on are one area of risk. But we could be talking about operations. I worked for a grain company. I worked in financial services. I worked for a retail company. So the risks were all over the place. Finance was only a small part of the risk profile, right? So it's all these other operations. So you look at the risks. And what they do is they provide assurance to your board and your senior management that risks within the organization are reasonably well managed.


Brian Brown (09:04.546)

But they also provide recommendations on ways to improve, but not just managing risk, but efficiencies and efficiencies. They look, they might look at compliance with internal policies, even laws, regulations, assets are protected and so on. So it could be all encompassing, but it's a fascinating profession because you get to see a whole organization, right? You get to see all aspects of it, including even IT. I didn't mention IT, but I'm not an IT expert,


but I've overseen many audits of IT. So whatever your risk area is, these internal auditors will work on it and find out how the controls, how well they're being managed. You know, is it reasonably well controlled? They make recommendations to tighten it up. So you said people don't like auditors, and I think the perception there, especially when it comes to internal audit, is if I go back, I would go back like 30 years and say internal audit used to be very much the cop role in a company.


So it was very much like, let's find out who's not following the rules and then get them in trouble. And so that's not the way it's evolved. It's evolved with the way when governance evolved in the late 90s and then after Enron and everything else, governance itself evolved, internal audit evolved too and became much more part of the governance structure of an organization. So it's a long way to answer, but it's internal in that it reports to the board and the CEO or the...


you know, the executive of the company or the organization. Now, but it could be outsourced. It could be contracted to any of the big firms or independent people, guys like me who do it. I don't do it by the way, but there are people like me who are retired that do that kind of work on a contract. Because sometimes some organizations don't want to employ people to do it, right? They don't want to add to their FTE count, so they contract it out. But it's the same role, right? Reporting to the board.


and providing the board with that type of assurance. So very valuable. So now that I'm on boards and I'm on audit committees and I'm chairing audit committees, it usually reports to audit committees, I'm very happy to have a good, strong internal audit function because I'm getting feedback from them, they're independent, they don't work, they work for the organization, but they don't work for any of the operations they're auditing, right? So I'm getting independent assurance that things are working well, management's getting good advice on things that they could do better.


Brian Brown (11:31.926)

But I'm getting that type of assurance as an audit committee member that management's doing a pretty good job in these areas, right? And that the risks are managed. So I feel pretty good about having an internal audit function. Not every organization has one. So go ahead, Garrett.


Garret (11:47.296)

So yeah, let me stop you there for a second. There's a lot to unpack there. So for the uninitiated like myself, who thought that an audit was either something you had to cringe away from or a financial audit, when you speak about an internal audit, I mean, literally it could be anything within a company in almost any type of industry. Is it kind of?


Is it the board or the CEO that's determining what type of audit they want and what area of the company, or is it like, I just wanna have an internal audit and somebody comes in and sort of assesses in a general sense, like how.


Brian Brown (12:27.758)

So the internal audit function, so there are international standards for the practice of internal auditing. So you have to do a plan. You have to have a plan, an annual or a multi-year plan, and the audits that you do are risk-based. So there's a risk assessment done. So if your organization has a risk, a lot of organizations have an enterprise risk management function or something, so the risks are identified. So it's to be risk-based. So it focuses on the risk. So the audits.


are proposed usually by the internal audit function. They might be suggested by management saying, we want you to look at this area or that area, but they're ultimately approved by the board. The audit committee of the board would approve the plan and the allocation of resources and the budget for the internal audit function and so on. So it's a collaborative exercise between management, the board and the internal audit function to determine what to audit. Because you can't, if...


If you're on a board of an organization or the executive team, you're focused on kind of the top 10 principal risks to the company, right? Those are the big ones. And then you've got a lot. There's 1,000 other risks in the organization that the people below you are managing on a day-to-day basis. But you're kind of focused on the big ones, the top 10, right? Well, you can't expect internal audit to audit the top 10 every year. Like, they're going to pick pieces and parts of those and audit them over some period of time, right? Unless you have a huge budget, you're not going to get that.


every year, right? So it's a collaborative. Who decides? Management as a senior management has input. The internal audit function will propose a plan and the board ultimately will approve the plan. And the number of audits depends on the size of the organization, the amount of budget there is, the number of employees there are, and so on, right? So...


Garret (14:07.851)

Okay.


Garret (14:17.936)

Okay, so maybe walk me through a tip, I know it's hard, but you've given me so much information what a typical would be, but give me an example of a company that's been running, let's say they have 150 plus employees, they have a board, trying to think, maybe they're not publicly traded, but they do have a board and a CEO, they're a $10 million company and they,


Internal audits is a regular function of theirs. So now we're, let's see, in year 10, and they're coming in, or you've now, you've been brought in to bring a contractor in for them. What would that internal audit look like?


Brian Brown (15:01.15)

Yeah, I mean, it's a hard thing to generalize because audit, internal audit is very adaptable to the organization. But again, they're typically employees or the head of internal audit, like me being a chief audit executive, I was always an employee and I had staff that did audit work. What does a typical audit look like? It's hard to say that, you know, usually it starts, once the plan is approved, you'll pick an.


Garret (15:04.053)

I know, but uh...


Brian Brown (15:28.998)

areas to start with. So you might start with a particular audit. It might be a particular operation or a location or an office or something. So when you say, pick a typical one. So one of the organizations on the board runs a lending operation. So there's like a credit management, a credit function, like a bank kind of thing. And they focus on small clients.


that have trouble getting financing from regular banks and credit unions. So the audit, the internal auditor would, first of all, work out the specific scope and objectives of the audit with the management of that area, typically. Like, what are the specific things we want to look at? Because you can't look at everything. You don't have time. You know, you'd be there for years looking at everything. So which are the specific risks within that function that you want me to look at or that I should look at, right?


So they usually work with that area and kind of finalize what the objectives are and the scope of the audit. And then they'll develop, they'll do interviews with employees and staff and others. They'll do testing, they'll test transactions or test whatever it is that they should test. The review files, they'll look, they'll, and, but they'll also look outside. They'll look for kind of best practices or leading practices to kind of compare it against. But what they're looking at is are those risk areas


managed. So are they operating? Do they have the controls in place in two respects? Is a control implemented to mitigate the risk? And is it working? Because management may say, well, we have a control to mitigate. Say you're a lending operation. You may have a control to mitigate the risk of defaults. So a client may just walk away from the loan. So that's a risk. That's a significant risk for any kind of lending operation.


So what do you have in place to mitigate that risk? So what do you have to prevent that? Well, we have a preventative control upfront. We go through the client's personal financial statements. We make sure they actually have a cashflow stream so they can pay it back. We do all those upfront, so that's preventative. But we might take collateral. So if they do default, we have an asset in our hands that we can actually use to offset the loss. And then we monitor their.


Brian Brown (17:49.594)

We monitor their life and see how they're doing. And are they making their payments? Are they late? Just like the bank would do with any of you. So I'm just giving you an example of a type of risk area and the types of controls. So you'd have some kind of monitoring reporting afterwards. But you want to have the preventative stuff in place. So the internal audit would look to see, do you have these things in place? And are they actually working? Are they actually happening? If you say you do some kind of pre-


loan financial analysis of a client, the internal auditors might go and look at client files and see if you actually did a financial. Are they actually being done? Are they complete? Are they authorized or whatever is required? So that's one of the preventative steps. So again, it has nothing to do with financial statements or tax or anything. This is a risk area and the board and senior manager want to know if it's being done right. So that's just one simple example.


It's hard to generalize and then they produce a report at the end and they're required, if they have a, if they see any weaknesses or opportunities for improvement, they're required to provide some kind of recommendations for management to implement. So, so it's a, I'm sure people who are being audited are nervous. That's natural. It's also an imposition on their time, right? Because most people don't have spare time in their job, right? Most people are.


probably have more work than they have time to do it to start with, and then you have an auditor pop in and wanna talk to you, look at your files, or get information from you, that's a pain in the neck, right? So yeah, I mean, it's not a happy day necessarily when you're gonna get audited, right? But the process nowadays is quite collaborative. They work around as best they can, people's time and schedules and so on.


And the idea is to improve the operation, right? So it's not really about finding out who's screwing up or if somebody's getting somebody in trouble. Now, if we have time, we can talk a bit about ethics and fraud because you may, auditors do occasionally see those types of things happening, right? And then that's another whole thing, but it's not the primary objective. So I don't know, I go on and on this, but I think that's kind of how it is.


Garret (20:02.121)

Okay.


Garret (20:05.424)

No, it's that you're very passionate. I love it. I appreciate it. No, I think you mentioned something called risk, right? And obviously risk, I think for the average worker, the average staff member, maybe they're not even who's going through their first internal audit, might not even realize that whatever they're doing, whether it's paperwork, conversing with the client, the way they email your IT department, maybe speak to me about risk and even governance. What role is that in the


Brian Brown (20:34.814)

Yeah, well, so internal audit is all risk-based, right? So you select the area you're going to audit based on risk, relative risk within the organization. And then when you get into that area, you're kind of testing the higher risk areas of whatever it is they're doing, right? But you're right. Most people, well, nowadays, I would say there's a much higher awareness of risk as a term than there used to be because it gets so much publicity generally.


So you've got kind of multiple questions in that question. The way it relates to governance is quite simply, the governance or expectations. So the Securities Commission lists the duties of a board member. And one of the duties of a board is to understand the principal risks of the organization and ensure that they're mitigated, properly mitigated. So it's right there.


As a board, you need to know what are the principal risks. Now, the principal risk would be the top 10 or the top five or whatever it is, like the big ones that could really get the company in trouble or the organization in trouble, whether it's not a company, per se. So you are expected to do that as a board member. So that's where it falls into governance. Governance is about direction and control. So control includes managing risk or overseeing it. Management manages it. Board oversees it.


Brian Brown (22:01.202)

And internal audit contributes to that role by providing you some kind of assurance that the risks internally are reasonably well managed. I've now forgotten the rest of your question. I've linked it to governance now.


Garret (22:16.532)

No, I was just asking Brian about risk and governance. I mean, as a general sense, I guess I'm trying to see if the audience can kind of wrap their head around what I thought was just a specific subject. And it's really quite general because if you're a company owner or you're somebody who works in a large company or even a small company, internal audits, the function of that is really, like you said, to help and identify weaknesses, risks.


something that could take down the organization, either what, you know, we're talking like lawsuits or some kind of privacy breach, negative publicity, maybe, maybe dig down into that for me.


Brian Brown (22:55.526)

Yeah, I mean, that's so as a senior management and a board member, you really don't want to see your company in the paper or in nobody reads newspapers anymore, but in the media, right? You don't really want to see them in the media, right? And so internal audit, you could say part of the role is to help keep you out of the media, right? By finding these weaknesses before they blow up on you, right? And helping to identify them and fix them. Now.


Garret (23:07.24)

Great.


Brian Brown (23:24.898)

That's also management's job. So if I were running an IT shop, I wouldn't be relying on internal audit to come in and find my weaknesses. That would be part of my job to make sure I have those risk areas properly managed. That's part of your job. But what internal audit does is they come in from the outside. So they work for the company, but they're coming in from outside because they don't work in IT. And now they're going to have an independent objective look at what the controls are that you've put in place. OK?


Brian Brown (23:57.46)

So when they provide an opinion on that, it has a bit more value and weight, maybe, than the head of IT saying that they have those controls in place, because the head of IT runs the operation. He or she is not independent. So if you're the manager of an area and I ask you how your organization is running, are you managing your risk well? Generally, you get a pretty positive response. I mean, it's not that people are trying to mislead people,


you're biased because it's your organization, right? So that internal audit being independent, brings a more objective look and say, yeah, but maybe you need to tighten up here and there. So it happens at the board level. I mean, CEO reports to the board are generally 90% positive about all the great news that's going on in the company. That's just natural, right? And the CEO will, no.


Garret (24:50.852)

Sure, sure.


Brian Brown (24:53.702)

I've never worked with a crooked CEO, but I mean, they're a crooked CEO is just like they're a crooked everything else, right? But a good CEO will also flag for the board, you know, a big issue. So one of the organizations involved in had a breach, some, you know, kind of like a hacker breach, right? And they access some client files.


And the IT people figured that out, found out that they did that, right? So that was brought to the board's attention. The CEO didn't hide it, he brought it to the board's attention because it's a hugely sensitive issue, right? But my point though is that the CEO, the CFO are not independent. What they're telling you is generally what they want to tell you, right? So internal audit, being objective and independent, can tell you from their perspective what's going on. And I've never had to sort of


significantly disagree with a CEO, but I would share things that maybe hadn't been shared before with the board. And likewise, for a CEO, you don't know what's going, I mean, you Garrett are a CEO of your company, right? You have 20 employees, you don't know what each employee is doing every day. You don't have time to know that, right? And if you ask them, you're probably getting generally good news from them, right? They're telling you all the great work they're doing, right? And I'm not saying they're lying or being, you know,


Garret (26:07.297)

Great.


Garret (26:13.44)

Right. Yeah.


Brian Brown (26:18.634)

deliberately misleading you, but they're also not inclined necessarily, it's not necessarily human nature to come and say, well, I really did a really bad job today, Garrett. You know, I let that thing break down, you know, so they're gonna, if there was a breakdown, they're gonna try and fix it and deal with it, right? So anyway, human nature is not necessarily objective. So I'm not saying I don't trust people, but there's a line we use.


And you'll hear this a lot, not just from internal auditors, but you'll hear this from governance and boards. Trust, but verify, right? So part of the verify is internal audit in an organization that has one. So if you don't have internal audit, if you're too small, because there is a cost, right? If you want to bring on another employee, if you have a 20 or 30 person employee company, you don't necessarily want to bring on another employee just to be your internal auditor. That's a cost. It's a cost.


Garret (26:53.365)

Yes, yes.


Brian Brown (27:13.954)

benefits and everything else, HR, all that stuff. Someone has to supervise them. So you can contract. So you can contract people. And you may say in a small company, I only need one small audit a year, because really there's not most of the risks. With a small company like that, I can keep my fingers on myself as a CEO, because it's big enough that I can't keep my fingers on. But I want someone objective and independent to look at something each year, just to give me a little extra comfort.


And it's really all about helping you sleep at night. So as a CEO, it's useful for you too, because it helps you sleep at night. So you might bring somebody in to say, just look at our financial controls. Look at how we look at our payables, receivables, the basic cash handling process, and things like that. You might say, just look at that one area this year. Small audit, but hey, cash, man. The number one thing that disappears in a company is cash. Now most.


Garret (28:12.361)

Yeah, no, for sure.


Brian Brown (28:12.61)

There's not a lot of cash around anymore, but asset misappropriation is the number one fraud, right? So, you know, just have somebody look at that. And then you might say the next year, okay, well, let's look at, you know, if you had property, let's look at asset management. See how we manage our inventories or something like that. So, you know, you can bring in, you could pay 30, 40 grand, you can probably get a little audit done, and you know, helps you sleep at night. And it's kind of an internal audit because it's you managing it, you're overseeing it.


They report to you or report to your board if you have a board. Anyway.


Garret (28:48.424)

Okay. You know, you said a few things there, but we've mentioned boards several times. Now you're saying you're sitting on the other side. Speak to me in your experience how important that collaboration point is between board management, you know, ensuring effective audit and governance processes.


Brian Brown (29:07.354)

Yeah, so first of all, boards exist as an intermediary, essentially. I'm going way back to the Adam Smith agency theory from hundreds of years ago. But boards essentially exist as the intermediary between what they call the principals, the people that supply the money, the shareholders, or the funders, or the taxpayer, or whatever, and management. So boards like the intermediary.


there could be a natural conflict because management wants, I'll be very, I'm being a bit facetious here, but management wants to have the maximum amount of money available to them to do their work and do the minimum amount of work. So if you just talked about return on assets or return on investment, you know, the best thing for management would be a very low target to achieve and have lots of money to spend to get there.


Right. So obviously at the other end, they want to provide as little money as possible and get the maximum return as a shareholder. I don't want to give you millions of dollars. If I can give you a 10 grand and get 25 percent return on my investment, I'm happy. Management doesn't want to have to do that. Right. So the board sits in the middle and says, OK, here's what we expect. Here's how we're going to manage here. Here's the direction we're giving management. Here's the controls. And here's what we expect. Right. So so I'm really going back to the old days.


So when you talk about collaboration, there could be a natural sort of conflict, but the best organizations have a, it's a collaborative approach. The board and manage board is there first of all to oversee management, right? The board could say no, they should say no once in a while if management's off the rails, but it should really be a collaborative exercise. Likewise audit under that, it should be collaborative. Do we all agree these are the risk areas or these are the things we want to do with.


if the internal auditors provide recommendations, management should be implementing. So the board should be comfortable that management's gonna implement them, right? And that's kind of the ultimate test, right? Does management take the audit seriously? But the whole thing should be a collaborative exercise. We call it a triangular relationship because as a head of internal audit,


Brian Brown (31:26.142)

I report to the board, but I also have a CEO and I need to work with them every day, right, in the senior management team. So I have this kind of triangular relationship and it could be conflicted, but ideally it's collaborative, right? And now boards can get too collaborative with management. And, you know, when you go back in history, back into the 90s, before the first governance revolution.


You know, one of the findings of some of the early, some of the corporate collapses in those days, like Barings Bank and so on, was that boards were too collaborative with management. Right? They were too close to management. There wasn't enough separation. Essentially, the CEO picked the board members. They were all his buddies. It was all men then, right? They were all his buddies. He put them on the board and basically a board meeting consisted of the CEO telling the board all about what's going on and then they have lunch and go play golf. Right? That's the old days of what it was like to be on a board.


Right. Nowadays, that doesn't work. Right. The regulators, the securities commissions, you know, the other regulators expect boards now and shareholders expect boards. There's too many stories now, proxy fights and everything else. Right. The shareholders expect the board to do a job. Right. You have to do some work. Right. But it's not expected to be a conflict in relationship. Does it expect to be a collaborative relationship? The board should be helping management as well as so in a way policing them. But it's not.


policing them in a sense, because most management's highly professional. They're not going to go off the rails and go rogue in any way. But the board's job is also to provide a degree of control and oversight over management.


Garret (33:07.468)

Yeah, you know, I when I think about boards and I've served on several I'm currently on a few I find that boards don't have a lot of technical knowledge necessarily about the company itself. They might be To a certain extent, you know reading financial statements and voting and things like that. How do you find? Or how does a board even decide what area from that high level? like do they have to take direction from management, but really


That's where I'm, you know, is there a sort of a conflict there?


Brian Brown (33:36.35)

Yeah, you're right. So the reality is management spends, you know, 2000 hours a year plus on the business and board members spend about 120 hours a year. There is no contest, right? There's no way a board member knows what's going on and the organization knows the business better than management. And it doesn't matter. I'm on two charity boards. It's the same thing, right? I show up for a monthly meeting or a quarterly meeting, right? And they work there every day, right? So they know way more than me.


So the role becomes more of question and answer. Am I getting good answers? Am I getting reporting that gives me enough comfort level that they're doing the job well? Is there a good strategy? Am I comfortable with the strategy? Or they follow executing the strategy? Now when it comes to internal audit and the risk areas, as a board member, I don't do the risk assessment. That's management's job. That's managed out to manage the risk.


What I want to know is do they have a good process? Is it complete and thorough? And when they give me their list of the principal risk, which is the top, again, I keep saying the top 10 or whatever it is, does that make sense to me as an outsider? What I know about the environment and the org, does that make sense? Does it make sense? It was a good process to get there. And then do they have controls in place to mitigate those risk areas? So one of the things we board members bring is


We've worked for a lot of other organizations. Most senior management, many of them have spent their whole career with that one organization. They don't have that breadth of knowledge. They know their organization in depth, but they don't have the breadth. But we've worked for other organizations. We've seen a lot of other things. So we bring that to the table. A friend of mine who served on many boards used to say a board meeting is a meeting when the wise people meet with the smart people.


So the smart people were the senior management, right? The wise people are the board members, right? The wise people meet the smart people at a board meeting. And so you do what you can. So when it comes to internal audit and risk management, the board only has limited knowledge, right? They're relying on management to provide good information. Internal audit helps to ensure that information's reasonably accurate and correct and makes sense.


Brian Brown (35:58.61)

An internal audit will propose an audit plan based on what they see as the risk areas and you know the board has to decide does it look reasonable, right? And there's no guarantees that you're right when you're on a board. But you know you talk about fiduciary duties and it's all about did you do the work? Did you do some due diligence? Did you take, you know, make a reasonable effort to understand what's going on? You're not expected to.


Garret (36:10.761)

Okay.


Brian Brown (36:25.022)

understand it as well as management.


Garret (36:27.988)

Right, right. You know, I, you mentioned that there's an international organization, international standards. Maybe speak to me about that because in that context then, when you have this conversation that's going on between management and the board, what are we auditing? What are we looking at right now? How is it going to be audited? This overlying, I mean, almost like a code of conduct, standards, ethics, maybe speak to me about, about that, that international, yeah.


Brian Brown (36:54.294)

Yeah. So the standards do include a code of ethics for internal auditors, right? And I mean, one of the worst things you could have would be an unethical internal auditor. It's like having a dirty cop, right? Yeah, well, I've had to remove an internal auditor in my career because I couldn't trust him anymore. And I can't have that, right? You've got to be clean. Anyway. So.


Garret (37:06.802)

And I'm sure it happens.


Yep.


Garret (37:18.85)

Right.


Brian Brown (37:23.53)

So the international standards, the IIA, the Institute of Internal Auditors, says international standards, they're not prescriptive, they're principles-based, but they'll talk about how an internal audit function should be set up generally and what the components are, and then they talk about how an audit should be done, right? What are the processes? But it's not prescriptive down into the detail, right? And...


The reason for that is the internal audit needs to be adaptable to every organization. So there are standards, but they'll say things like you need to communicate. We'll talk about risk. Your audit plan needs to be risk-based, but it doesn't tell you how to do that, right? It doesn't give you specifics, right? And it says you have to produce a report at the end. You have to communicate with the audit committee of the board and so on about the results, but it doesn't tell you what that should look like.


Whereas the external auditors, the financial statement auditors, it's all prescribed in their standards. The audit report, if you're on the board of several companies, the audit report is exactly the same. You get for every company, right? It's the same report. That's not the way it works in internal audit. And the reason is because every organization that has internal audit is so different. You've got to be adaptable, right? But the basic underlying structure needs to be the same. And one of the standards requires, at least on a five-year cycle,


an external review of your internal audit function, which is no different than any most other professions that require like a peer review of some kind, right? So you're required to have somebody come in and they will look at, they'll basically audit the auditors. They'll take a look at your internal audit function to ensure that you're conforming with the standards. And they'll tell you who you are and they'll tell your audit committee where you're not, right? But again, it's not.


Garret (38:53.233)

Sure, sure.


Brian Brown (39:10.69)

very prescriptive. It says, it'll say that to draw conclusions on an audit, you need to accumulate sufficient reliable evidence. It doesn't tell you what the evidence is, but you need to accumulate that type of evidence to draw a conclusion. Needs to be sufficient, reliable. There's a few other requirements, but you get the idea. So the practice of internal auditing, actually around the world, is essentially the same, but it's adaptable within each organization.


So that's why, I mean, I could lead the internal audit for five different organizations in three different industries and I could still do it, right? I wasn't an expert in those businesses. Well, you get to be after a while, but I know how to lead an internal audit function. I know what they should be doing. So I know what the relationship with the board and audit committee should be. So yeah.


Garret (40:07.865)

Okay. Let me switch gears just slightly, even though I know it's not your area of comfort, but obviously I'm a real estate investor, I've been a realtor before. We do have the Manitoba Securities Commission here in Manitoba, which really oversees the fiduciary side of that regulation for real estate agents, brokers, really the end of the day to make sure a consumer is not hurt. If you could extrapolate,


Brian Brown (40:19.278)

Mm-hmm.


Garret (40:33.588)

knowing that organization exists, okay, that's fine. But if you were brought in for a real estate organization, even if it's the largest, I mean, pick your largest brokerage out there, what do you think or if you could imagine the types of risk there could be within a real estate organization outside of your standard in best, well, again, I don't wanna go off on another tangent here, but I mean, we know that there's...


Brian Brown (40:52.618)

Oh boy.


Garret (41:00.908)

financial risks, right? There's lots of money going through there, but could you see there'd be risks in what? Like privacy breaches or other things with contracts?


Brian Brown (41:12.254)

Yeah, so I mean the basic, I mean IT, so if I was doing a risk assessment and I facilitate risk assessments in organizations, I don't know a lot about, right? But we'll break it into categories and say, okay, there's strategic risk. So there's operational risk. Within operations, there's risk to things that go wrong. There's financial risk, the loss of money somehow or the waste or overpaying for things. There's...


There's fraud. There's compliance with regulations and laws. You need to manage that risk somehow to make sure that there isn't a breach there. And then the fifth one would be IT generally. So nowadays IT is a huge risk area. You've got ransomware, cyber hacking, all kinds of stuff, privacy breaches, all kinds of things that are risk areas. So sort of work through those categories. And it's hard for me to be specific about an organization I've never worked in real estate investing.


The one thing I would say is that I'm a bit surprised that the Securities Commission doesn't have more requirements for some kind of independent assurance for these companies, like Internal Audit. So OSFI, which regulates financial services, like the insurance companies, the banks and so on, they're very clear in their regulations about the role of the board, the role of a


of an independent assurance function like internal audit and the type of work they need to do and the type of reporting on risks that need to go to senior management and the board, right? And they, and OSFI itself will do audits, compliance type audits in those companies. So I'm a little bit surprised that doesn't go on in the real estate sector, but anyway.


Garret (42:59.884)

Well, I mean, it does to a certain extent, but again, I mean, I'm, I'm a broker as well, but limited to the act of property management. Okay. So again, we, we have to get our books audited each year. Um, an accountant has to turn in a report, right. Uh, and that's in by a deadline, but it's a very scripted check-listed report. I've always found it's so general. It's almost.


Brian Brown (43:12.302)

Yep. Very interesting. Yep.


Garret (43:26.852)

too general, like there might be 10 things on it and the auditor, and this is more like a notice to reader type thing, but they just have to ensure, you know, let's say 10 check boxes. But if it's slightly outside that gray area, they don't actually have to report it because it didn't specifically ask for it with that check box, if you know what I'm saying. So I've always found that, again, we know that money changes hands and there's lots of, you know, dishonest people out there.


depending on what type of account you get to simply fill out this one page report, now your audit is done, it's finished, right? And you've now satisfied the requirements of the Securities Commission, but what about your organization, right? I don't believe, unless I don't know my own auditing process within the management company, that there's anything else other than...


You know, obviously my insurance company wants to make sure they want to see my management contract, make sure that there isn't anything with undue risk there, but nothing in terms of an internal audit.


Brian Brown (44:29.13)

Yeah, yeah, so you're a small company, so I'm not surprised you don't have an internal function there. In terms of risk areas, so what I suggest people do is look at, so risk relates to objectives. So you've got at the corporate level, but within your businesses, right? So what you do is you look. I try to drop the word risk, because when you say risk,


Garret (44:34.02)

Fair.


Brian Brown (44:57.122)

What are the risks in your operation? So if you said to one of your employees, what are the risks in your operation? They're probably gonna go cross-eyed and look at you, like, what the heck are you talking about? But if you say to them something like, okay, let's just have a conversation about what could go wrong here. What could go wrong here? You tend to get a better conversation because people like to talk about what they do, right? So what could go wrong? That you work in, you're a step in a process, right? So what could go wrong here? And...


You know, most people are honest and they want to make things as good as possible. So that's the kind of conversation I would have with front line employees or managers, mid-level or managers. I wouldn't say, so what are the risks in your area? Because I sound like an auditor when I do that and they don't know what I mean, right? They don't know, what do you mean by risk? And I have to explain what a risk is. So I would say, okay, so what are you trying to accomplish here? What are you trying to accomplish? What are you trying to get? What's your objective? Like why do you exist? What are you trying to accomplish?


And then what could go wrong? What could get in the way of that happening? What could get in the way of you being successful doing your job? OK, so let's explore those a little bit. What could get in the way? Oh, OK. So these two or three things, those would be bad if they happened. That would really hurt your chances of success. So what do you have in place to reduce those from happening? The likelihood of those happening. So what do you have in place? What do you do to stop those from happening?


So you try and use non-audit language when you're having these conversations and explore them and people, you know, like I don't identify risk, but generally the people at work there identify the risks, you know, and then they tell me what they've got in place to mitigate them to reduce the likelihood of them happening or the impact of them happening, right? So you measure them usually on two factors. Usually it's the likelihood, how likely is it to happen? And then if it does happen, how bad could it be?


Garret (46:37.696)

Right, right.


Garret (46:45.249)

Okay.


Brian Brown (46:54.418)

So usually you measure them on those two, because there are a lot of things. Okay, so what are the risks that someone could steal pens from your supply cabinet? Pretty high. I would say that probably happens about every day. And do you care? Probably not, because the control to manage that, like having people have to return their empty pen before they can get a new one, the control, the cost exceeds the value of the asset.


Garret (47:08.76)

Yeah.


Right.


Brian Brown (47:22.582)

So that's probably happening a lot, using your photocopier for personal use, right? Like, you know, that kind of stuff. So that's likely, those are risk areas, right? That's lost to the company, but the likelihood's pretty high, but the impact is almost nil, right? You just write it off, right? On the other hand, you know, you could have a fire or you could have an IT breach probably once in your lifetime and you're out of business.


Garret (47:23.523)

Right.


Garret (47:38.532)

Sure. Okay. Yeah.


Brian Brown (47:50.29)

right, or you're shut down or somebody has a ransomware attack and you're out of business, you know, we have hospitals that get in Canada that get these ransom attacks and they can't use their systems for like a week. Well, the impact is massive, right? Now, how are you going to deal with that? Okay, so what do we have in place? I'm not going to bother with the control over the supply cabinet. Well, a little bit of control, but I'm not going to invest in it. But I'm going to invest in these other ones, you know, so you...


Garret (48:14.644)

Yeah, no, for sure. I think...


Brian Brown (48:18.518)

You can even plot these on a graph. They call it a heat map, where you've got high impact, high likelihood. And actually, ransomware and some of these cyberattacks are pretty much high likelihood and high impact today. But you've got a red zone there, and then you've got the orange and yellow, and then you've got a green zone, which are risks that are low likelihood, low impact. Don't worry about it. So I ask people to work in the areas. And then, you know.


Garret (48:42.744)

Okay.


Brian Brown (48:48.194)

You know, your senior management team, I've been part of senior management team, so this manager team sits down together and says, okay, what do we see? What do we see of the risk? What could go wrong? You know, and each division or each operation within that group has its own set, right? But what do we see and how big is it at the corporate level, right? So you'll have insurance to mitigate some risks, right? But it doesn't mitigate everything. And by the way, insurance won't pay, insurance won't pay unless you...


Garret (49:13.996)

So at the end of the day...


Brian Brown (49:17.014)

you've taken reasonable steps to mitigate it.


Garret (49:20.524)

Right. But at the end of the day, a report is created, right? And that report is given to the board, to the stakeholders, to whomever. It has to be acted upon in some capacity. What are the recommendations that are included in an internal audit?


Brian Brown (49:39.126)

Yeah, so there are recommendations, typically recommendations to address any areas of potential improvement. And they may be prioritized. Some may be really important, and some may be like minor things you could do better, right? So they're probably prioritized. Some take a long time to implement. If it's somebody require a whole new computer application or something, that could take two or three years to implement. But yeah, so there should be some action plan out of there for management that commits to some kind of resolution.


of the issue, right? So the board wants to see what the management's got an action plan and then usually internal audit functional do some follow-up, you know, over time and say, okay, you know, this was a recommendation from two years ago, management's done nothing about it. So if I'm on the board, I'm kind of alarmed about that if it's significant, you know, so then, yeah, so there's a follow-up process there too. Again, based on significance because some of the internal audit recommendations may be fairly minor issues.


Garret (50:28.259)

Right.


Garret (50:32.504)

Okay.


Brian Brown (50:38.862)

that somebody could fix like the next day, you know, and some may require a significant investment and may take years to implement. So, yeah.


Garret (50:42.016)

Right.


Garret (50:50.026)

Okay.


Garret (50:53.988)

You mentioned how things have changed over the years and it used to be that good cop, bad cop type of thing. Maybe before we wrap up here, speak to me about emerging trends, based on your experience, what's happening, what's changing in the industry now in auditing governance that could maybe impact the industry as a whole.


Brian Brown (51:02.254)

I'm sorry.


Brian Brown (51:16.55)

Yeah. So I mean, the biggest development, I would say, in the last 10 years is digitization and now AI, right? Artificial intelligence. And I'm not an expert in AI because I retired before it really hit the fan. But before that, the whole ability to analyze 100% of a population through digital analysis, right? Data analysis tools versus, you know,


Garret (51:27.652)

Okay.


Brian Brown (51:46.514)

sampling and so on. So for auditors, if you have the technology, you can, you can, you know, rather than pulling a sample of something to test it to see if the controls are working, you can look at the whole population, right? You downloaded the whole data analysis, right? But likewise, the risks are there too, right? Because the more we rely on this data, the more risk that if it gets screwed up somehow, either internally or by somebody external, um,


Garret (51:59.87)

Hmm


Brian Brown (52:15.186)

the bigger impact it has, right? So I think this whole digital world that we're in, and now the evolution to AI is the biggest kind of evolution that's going on in the last 10 years. And I don't know much about AI other than I've played with ChatGPT a little bit, but I would say, I know internal auditors now are educating themselves fast on this to help.


boards and senior management understand the risks in AI and what they need to have in place. I would flip that around though and say that there's huge potential from what I can tell with AI, right? There's huge potential for organizations to benefit from.


Garret (52:54.324)

Well, it's a tool, right? And I'm just looking at, I mean, now, I mean, yes, I started with ChatGPT, but there's entire data analysis sets that you can do. You can literally upload a file, you know, ter, you know, gigabytes of information, whatever it is, thousands and thousands of pages. And in 10 seconds, it sort of tells you, now again, we could get into a whole nother podcast. How accurate is it? Are you sure that the AI is giving you what you want to get? And how are you auditing?


Brian Brown (53:05.582)

Yeah.


Brian Brown (53:21.289)

Yeah.


Garret (53:23.98)

that sample, I mean, you just go down a huge rabbit hole.


Brian Brown (53:25.334)

Yeah, I'm not an expert in how to do any of that. But I mean, I sit on boards where AI is in use. So the questions are there, right? So what do we have in place? So what data are we uploading? Don't upload anything confidential, proprietary, private. Be careful, because that could be exposed externally. Be careful what you're using it for, right? But on the other hand, like,


If we can make use of it, then go for it. Like you said, you can get all kinds of, I mean, your grocery store is using it, right? You go online, I go to Canadian Tire, excuse me, I shouldn't be plugging a company, but I might go to Canadian Tire's website and look up lawnmowers, and the next day I'm on the TSN Sports website, and lawnmower ads are popping up, like they're using it, right, and they're using it to their own advantage.


Brian Brown (54:22.59)

I don't know how they do it, but they're doing it. And so there's huge opportunities there. So yeah, I think boards and organizations need to work on both sides of this very aggressively. One is finding out how you can maximize the benefit. And on the other hand, understanding what the risks are about AI and making sure that you've got good controls around that and you're not.


creating more problem. And like you said, check the answers you get. The little bit I've done with ChatGPT, I didn't always get the right answer. I've tested it and it doesn't always give you the right answer. So what it gives you is fast and sometimes it's amazing, but hmm.


Garret (54:58.957)

Yep.


Garret (55:09.916)

And where is the input going, right? I mean, as a property management company, we could go down that rabbit hole too. I recently let go a bunch of employees and not just because of ChatGPT, but I saw extensive use of it. I didn't even think about the other side of it, Brian, where maybe they're asking certain questions on how do I say this to a certain client and who knows, you know, where's that information going, right? Now you're talking about privacy and is it...


out there on the net now because you've asked ChatGPT or is it a closed conversation? And that's just day-to-day operations, nevermind in the context of an internal audit.


Brian Brown (55:47.79)

Yeah. Yeah, so I mean, internally, any organization needs to have some kind of policies around this. It's like internet use. I've been in the business world long enough to know when internet was became available in companies. And everyone was concerned that no one would get any work done because basically they had cable TV on their desk. So there were policies around what you could do on the internet within a company. And there still are. You can't go to certain types of websites.


Garret (56:06.583)

Yep.


Garret (56:16.548)

Sure.


Brian Brown (56:17.354)

Certain things are blacklisted or whitelisted, right, within your organization. So you can and can't get there. And you can't download software usually within a company yourself. Your IT people have to do that. And you can't plug sticks in. There's all these things, right? And the same should apply with your use of AI, right? There needs to be a whole policy structure out of it. The problem right now is most of us don't know what those are, because we don't even know what it could do.


Garret (56:30.999)

Yep.


Brian Brown (56:47.838)

We don't know what the limits should be because we don't know what the limits are.


Garret (56:53.94)

Yeah, so now you've got an internal audit and you have to worry about is AI being used, is the auditor using AI as a tool to analyze, and then what is the risks and everything, right? I mean, it just, I think it just keeps multiplying. Definitely it's another whole podcast, I think, all in to itself.


Brian Brown (57:10.518)

Yeah, yeah. It's.


Yeah, and you need to get somebody who's a real expert in AI to talk about that. So I just ask questions.


Garret (57:19.656)

Maybe one day. But yeah, but for today, you know, we're running out of time here. I wanna wrap it up. Like to thank you of course for coming on. But before we stop, I always ask every guest this question and I wanna hear what you have to say. So this is the Investing to Win podcast. How do you define success, Brian? And what does winning look like for you?


Brian Brown (57:44.542)

Wow, and you know what? I wasn't prepared for this question, but I should have been. So I'm kind of a softy at my age. So if you talk about investing, obviously, now I'm now a conservative investor because I'm semi retired, right? So for me, it's I don't want to lose anything. That's a win. I can stay ahead of inflation, which is tough. That's a win for me right now. When you talk generally.


I'm a collaborator generally, so I like a win-win scenarios. So I'm involved with charities. I'm passionate about children. Maximizing the work for children. So for me, the biggest win, I have five grandkids who I spend a lot of time with. If we can make the world better, safer, and more successful for children, I think that's a huge win for us as a society. So I'm not so much into my own personal victories anymore.


I just want to have fun and play around and do this kind of thing, help people out. But this is way off our topic today, but make the world better for children and safer for children.


Garret (58:57.184)

Hey, it was an open question and I love your answer. There's nothing wrong with that. So Brian, thanks again for joining me on the podcast. Open up a world that I didn't even know existed and I'm sure people who were tuning in at the beginning got something different than what they came for. So thank you very much.


Brian Brown (59:16.513)

Good. OK. Hope it was of help, been of interest.


Garret (59:20.512)

All right, we'll talk to you later. Thanks for coming on.


Brian Brown (59:22.754)

See you guys.

