Tailoring IPPF Implementation IPPF Implementation<p></p> <p>A fundamental challenge of today’s chief audit executive (CAE) is matching internal audit to the needs of the organization and the expectations of internal audit’s key stakeholders. While there is one International Professional Practices Framework (IPPF) and one <em>International Standards for the Professional Practice of Internal Auditing</em>, internal audit functions vary in their practices and level of development across organizations. A primary role of the CAE is to tailor the application of the IPPF to the organization, taking into account its unique needs and environment and knowing how to leverage a maturity model view of the IPPF and <em>Standards</em> in striving for internal audit excellence.</p><h2>A Living Framework </h2><p>​One of the strengths of the IPPF is the principles-based nature of the <em>Standards</em>. Being principles based allows organizations of different industries, sizes, and locations — with varying governance models and stakeholder expectations — to apply the same set of standards. The principles-based nature of the <em>Standards</em> also helps add clarity and consistency, while still being relevant and adaptable to evolutions in society and in the organizations internal audit serves.</p><p>In 2015, the IPPF received significant enhancements that improved its ability to serve as a tool for internal audit functions to take their practice to higher levels of effectiveness and provide even greater value to their organizations. Two noteworthy changes are:</p><p>Creation of the 10 Core Principles for the Professional Practice of Internal Auditing, which, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all principles should be present and operating effectively. However, with the release of these Core Principles, The IIA also recognized that how an internal audit function demonstrates achievement of the Core Principles may differ from organization to organization. </p><p>Implementation Guides and Supplemental Guides moved from “strongly recommended” status to “recommended” status, adding further flexibility to the IPPF for practitioners. </p><p>The ever-evolving nature of the IPPF gives practitioners the flexibility they need to align to the unique needs of the organizations they serve. The IPPF’s various layers also provide practitioners with a framework they can use to continually integrate new methodologies, tools, resources, and practices to further mature their performance.</p><h2>A Maturity Model View </h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>​<strong>Examples of Successful Uses of Maturity Models​</strong></p><p> </p> <ul><li>The IIA’s Internal Audit Capability Model for the Public Sector <br></li><li>The Internal Audit Maturity Assessment – previously maintained by The IIA Quality Services Department<br></li><li>IIA Path to Quality Model<br></li><li>IIA Practice Guide, Process Capability Maturity Model<br></li><li>IIA Practice Guide, Compliance and Ethics Program Maturity Model<br></li><li>The ISACA COBIT 4.1 Model<br></li><li>The RIMS Risk Maturity Model<br></li><li>Software Engineering Institute Capability Maturity Models<br></li><li>International Organization for Standardization and the International Electrotechnical Commission’s ISO/IEC 15504​<br></li></ul></td></tr></tbody></table><p>When looking at internal audit’s conformance with the <em>Standards</em>, many practitioners and stakeholders at first may think of it as a binary exercise — either being in conformance or not. Perhaps this is natural given the external quality assurance and improvement assessment’s common ratings scale of “generally conforms,” “partially conforms,” and “does not conform” are widely recognized. </p><p>Practitioners should look at using the IPPF and the <em>Standards</em> as part of a journey toward greater maturity and continuous improvement. Such a continuous improvement view is consistent with the IPPF, which includes in the <em>Standards</em> the assertion that quality is not only about assessing quality at one point, but also about improvement, as outlined in Standard 1300: Quality Assurance and Improvement Program. A maturity framework approach allows practitioners to assess the audit function’s implementation of the IPPF to continually improve audit practice. </p><h2>Maturity Model Structure</h2><p>Many organizations have used maturity models to assess and help bring continuous improvement. The IPPF, itself, includes guidance on the use of maturity models, including The IIA’s Practice Guide, Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements. Based on review of other maturity models, the following categories are proposed for use in the model for applying the IPPF: Level 5 – Optimized, Level 4 – Managed, Level 3 – Defined, Level 2 – Repeatable, and Level 1 – Initial/Ad hoc. </p><p>It is natural to ask how these levels align with the category of general conformance to the <em>Standards</em>. For consistency, and to allow the maturity model to capture performance that falls below general conformance — as well as above the base general conformance level — Level 3 on the maturity framework will be defined with attributes that achieve general conformance with the Standards (see “Maturity Model Alignment Points” below). </p><h2>Applying the Maturity Model to the <em>Standards</em></h2><p>By exploring several areas of the <em>Standards</em>, one can see how the maturity model may be applied. Some aspects of the <em>Standards</em> may seem binary, such as Standard 1000: Purpose, Authority, and Responsibility, which requires that an internal audit activity have a charter. Either an organization does or does not have an internal audit charter.</p><p><img src="/2018/PublishingImages/Urton_Maturity%20Model%20Alignment%20Points.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:580px;height:306px;" />However, even given this binary nature, the maturity model can be used to highlight how to differentiate between conformance in Level 3 – Defined and below conformance (Level 2 – Repeatable and Level 1 – Initial/Ad Hoc). Perhaps even more importantly, note how Level 4 – Managed and Level 5 – Optimized can be used to differentiate higher levels of maturity and excellence, using the charter as an opportunity for stakeholder engagement, alignment, and elevation of internal audit stature and opportunity to perform (see “Internal Audit Maturity Model Related to the Standards” at the end of this article).</p><p>A fundamental area such as communication of results applies to every internal audit function. The column, “Standard 2400: Communicating Results,” in the “Internal Audit Maturity Model Related to the <em>Standards</em>” chart at the base levels cover aligning the report with core points in the <em>Standards</em>. The higher levels of 4 – Managed and 5 – Optimized include exploring stakeholder value and insights received, as well as stakeholder, top executive, and board perceptions on the quality of internal audit reporting.</p><p>Lastly, talent is an area of importance and challenge for many internal audit functions, so using a maturity model approach to look at Standard 1000: Proficiency and Due Care, or any other standard to apply the IPPF, can identify an array of practices and performance levels that can result in distinct improvements. </p><p>Currently, internal audit functions often look for leading practices, opportunities to provide more value, and continuous improvement. Taking a fresh view of the IPPF and the <em>Standards</em> through a maturity model approach can help internal audit assess its current state, identify opportunities for improvement aligned with stakeholder priorities, and drive continuous improvement. Having a maturity model can equip the CAE with a framework and tools to help articulate options to stakeholders and the internal audit team. CAEs need to be adept at defining those aspects of applying the maturity model approach that will make a difference in their organization, given the stakeholder expectations and risks.</p><h2>Does Size Impact Maturity?</h2><p>Beyond maturity levels, internal audit, itself, varies in size as does the size of the organization it serves. A smaller internal audit function may not need as much documentation in planning and process as functions serving large, complex organizations. Some elements, such as an internal audit charter, will apply no matter what the size of the organization; however, other aspects of the IPPF, such as how to build talent models, may not require the complexity of infrastructure.</p><p>The IIA’s Practice Guide, Assisting Small Internal Audit Activities in Implementing the <em>International Standards for the Professional Practice of Internal Auditing</em>, notes the level of challenge for a small internal audit function in conforming with various categories of the <em>Standards</em>:</p><ul><li>Low degree of challenge: Standard 1000: Purpose, Authority, and Responsibility.<br></li><li>Medium degree of conformance challenge: Standard 1100: Independence and Objectivity, Standard 1300: Quality Assurance and Improvement Program, Standard 2000: Managing the Internal Audit Activity, Standard 2200: Engagement Planning, and Standard 2300: Performing the Engagement.<br></li><li>High degree of conformance challenge: Standard 1200: Proficiency and Due Professional Care, Standard 2100: Nature of Work, Standard 2400: Communicating Results, Standard 2500: Monitoring Progress, and Standard 2600: Communicating the Acceptance of Risks.<br></li></ul><p><br>For an audit department covering a smaller, less complicated organization, some of the higher levels of internal audit maturity may not be needed. However, some aspects of internal audit excellence that are money and time saving may be as important in a smaller, closely aligned, agile organization as in a large, international conglomerate. </p><p>In a small internal audit department, the challenges can be addressed through flexible planning, process disciplines that keep everyone on track, and tools available to CAEs of small groups. For example, flexibility can be applied during internal audit risk assessments, in duration and style of internal audit projects, and in documentation and communications. In process discipline, internal auditors should focus on what is important to accomplish and eliminate the unnecessary, strive to automate repetitive tasks, and leverage checklists and lessons learned to continually improve. </p><p>Many tools and resources are available to internal audit groups of all sizes and maturity levels, thanks to The IIA, the internet, and peer networks. There also are many technology solutions that can help ease the administrative needs of small departments by facilitating standard workflows, approval/review processes, and action plan follow-up. Having a robust system can be a key source for demonstrating compliance with several of the standards. </p><p><img src="/2018/PublishingImages/Urton_table_p32-33.jpg" alt="" style="margin:5px;" /><br></p> <style> p.p1 { line-height:9.0px; font:8.0px 'Interstate Light'; } span.s1 { letter-spacing:0.1px; } </style> <p><em>Anderson and Dahle are co-authors of </em>Applying the International Professional Practices Framework, 4th Ed<em>., published by the Internal Audit Foundation.​</em></p><style> p.p1 { line-height:12.0px; font:14.0px 'Interstate Light'; } span.s1 { vertical-align:1.5px; } </style>Urton Anderson1
Centralized vs. Decentralized Audit Functions vs. Decentralized Audit Functions<p>​Internal audit departments typically are structured as centralized or decentralized. Department structure plays an influential role within the department, as well as in the business operations that are audited. Therefore, it is crucial for internal audit management to evaluate which structure is the best fit for its team and the business. </p><p>Per The IIA’s International Professional Practices Framework, an organization’s internal audit activity is required to be in conformance with the <em>Standards</em>. However, the <em>Standards</em> do not specifically address ​departmental structure, so the chief audit executive (CAE) can determine how the internal audit activity is set up by examining the advantages and disadvantages of both centralized and decentralized. </p><h2>Centralized Structure​</h2><p>In a centralized audit department, management and staff work in the same location and either travel to other office locations or work remotely to conduct audits. The centralized structure offers many advantages. First, internal audit leadership works in the same office. Members of management — ranging from supervising seniors to the CAE — not only meet in-person, but, more importantly, demonstrate a consistent “tone at the top.” Also, with the entire team in the same location, any team member has access to management, which can encourage informal, in-person coaching and mentorship.</p><p>Having the team together also promotes consistency in training, both at the entry level and experienced practitioner level. Internal audit policies and procedures, such as workpaper expectations, can be communicated and compliance monitored with greater uniformity. As it relates to uniformity, a centralized department can promote more equal opportunities, such as audit project assignment. In addition, when all staff work out of the same office, more collaboration among team members can occur.</p><p>There also are disadvantages with a centralized departmental structure, such as the inevitable travel component to the job — especially at the staff and senior staff levels. For some, the opportunity to travel the world may be appealing; however, because the time spent on the road can be extensive, it may be difficult to attract and retain top talent. Although conducting audits remotely can decrease the travel commitment, there are some audits that still require on-site walkthroughs; detailed test work; and meetings that cannot be performed via email, phone, or teleconference. On-site audit fieldwork activities are valuable, as there is much to gain when working with the audit client in person. This can be a benefit not only in the current audit, but through observation and informal meetings, candid conversation about the site’s operations can highlight what’s really going on. Additionally, there is value gained when internal audit is geographically closer to the operations it audits, as continual dialogue about regional policies and practices can assist internal audit during its risk assessment and audit planning processes. </p><h2>Decentralized Structure</h2><p>A decentralized department assigns internal audit teams in more than one location, and each team is responsible for auditing that office’s (or region’s) operations. The decentralized internal audit department also offers many advantages. First, when audits are performed at a more local level, there is increased opportunity for internal audit staff members and management to collaborate throughout the actual audits. Internal audit managers can coach employees and provide advice in a variety of areas, such as walkthrough and interview techniques and workpaper and documentation execution. Unlike the centralized structure, where managers might supervise the team remotely, staff members benefit from the in-person guidance when managers are available on-site. </p><p>Additionally, with a decentralized model, audit staff members and management are close to the business operations under review, which can help forge relationships that result in candid dialogue about risk and controls. This can prompt requests for consulting engagements and advisory reviews, which benefit both internal audit and management.</p><p>There also can be some drawbacks to using a decentralized model. First, staff members (and management) may develop expertise limited to the office and region where they work. For example, auditors can gain expertise about part of a process that occurs in their location, such as product design, but miss other process components, such as manufacturing, that help complete the full picture of the process. Specialization also can limit skill development. </p><p>Another downside to a decentralized department is that each auditor typically performs multiple audits at the same time. Unlike a centralized model, which often can incorporate travel (and therefore, each auditor is assigned one project at a time), a decentralized model assigns multiple audit projects to each auditor, which can cause scheduling problems and demand careful attention to balancing priorities and deadlines.</p><h2>Organizational Impact</h2><p>Once internal audit leaders weigh the structure’s impact on the department, itself, it is critical to assess how the structure aligns with the organization. Two perspectives that can be used to evaluate organizational impact are company culture and structural alignment.</p><p>Company culture is the organization’s overall environment and atmosphere. It comprises the stated policies and procedures, as well as the values and norms, both of which permeate interactions, communications, and expectations. Every culture is different, as each organization has its own history and experiences that uniquely shape how the organization makes decisions. Internal audit leaders, therefore, need to determine how the selected department structure will complement the company culture. For instance, if the overall culture encourages manager/employee collaboration as a method to effectively support and train emerging talent, then a decentralized audit department may be a good fit. Such a structure enables managers to be on-site during audits and provide in-person feedback and coaching. However, a different company may encourage a talent development model that promotes professionals as generalists (as opposed to specialists), and therefore, a centralized audit department, which permits a wider range of audit project opportunities, may be a better choice to achieve congruence with the overall culture.</p><p>The manner in which other departments are structured within the organization influences the audit department’s structure. Does the organization have satellite locations? If so, what departments reside in those offices? If there are minimal resources in other offices, then a centralized audit department structure may be a best fit. However, if the organization is experiencing rapid growth in a certain region, an internal audit leader may consider a decentralized structure; by placing dedicated resources in that region, internal audit can partner with local management and collaborate on evaluating key risks and controls.</p><h2>Thoughts for the Future</h2><p>The determination of an internal audit department structure that supports both the audit team and the organization is an important decision made by the CAE and internal audit management. Like many other management decisions, it is worthwhile to evaluate the structure’s continued relevance and applicability periodically, as organizations change — sometimes extensively — over time. ​</p>Christine Hogan Hayes1
Find Your Voice Your Voice<p></p><p>The nature and role of internal auditing in North America has radically altered over the past decade or so. No longer seen as a back-office compliance department, there just to check accounts payable or perform mundane administrative processes, the cutting-edge audit function is increasingly regarded by audit committees and regulators as a trusted advisor. Many chief audit executives (CAEs) have a seat at the top table, advising the C-suite on emerging and strategic risks and helping management mitigate those threats to the organization’s objectives. </p><p>Internal audit has had to work to implement those changes to its role and status, and I have great respect for the courage and determination that takes. But not all internal audit functions are operating at that level. That could be because stakeholders do not fully understand what internal audit does — or can do — and continue to underinvest and undervalue their audit functions. Or, it may be because internal auditors do not always push as hard as they might to fulfill what can be a daunting and uncomfortable role.<br></p><p>My theme as chairman of The IIA’s North American Board over the coming year is “Find Your Voice.” Specifically, I want all internal auditors to reflect on, develop, extend, and communicate the true value they can provide to their organizations. In finding their voices, auditors will be able to achieve their full potential in serving their organizations, and they will be ensuring their ongoing relevance in a rapidly changing world. <br></p><h2>External Pressures</h2><p>There are two major trends that make my message urgent. For the first time in many years, there is an emphasis in the U.S. government on deregulation. This is a radical change from the increasing levels of rulemaking and regulatory scrutiny the profession has faced since the turn of the century. </p><p>Both the U.S. Sarbanes-Oxley Act of 2002 and the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act, as well as countless other pieces of regulatory reform, have tended to emphasize the compliance function of internal audit. If stakeholders, especially in the energy and financial sectors, for instance, see internal audit as a box-ticking function, it is largely as a result of these requirements. </p><p>Since Donald Trump became president, an estimated 600 regulations have been eliminated, according to George Washington University’s Regulatory Studies Center. High-profile examples include the partial repeal of the Dodd-Frank Act, the repeal of the Affordable Care Act individual mandate, and the Federal Communications Commission privacy rules.</p><p>If internal audit’s key stakeholders, including audit committees, believe that most of internal audit’s value comes from ensuring the organization complies with regulations, it does not bode well. They may believe that if the regulations disappear, internal audit will not be needed. This could not be further from the truth. Indeed, while regulations may be eliminated, the risks addressed by them will continue to exist. If anything, risks and the related need for internal audit services increase in a deregulated market. Still, it appears conditions are not prime for internal auditing to become a mandated function within organizations in the foreseeable future.</p><p>A recent IIA global study on the regulation and licensing of internal audit reveals a consensus among stakeholders that, for several reasons, governments should not regulate or mandate internal audit. Regulation can take away decision-making from management and the board, say respondents to the study. </p><p>Regardless, this has not stopped The IIA from moving ahead with a strategy to advocate for a comply-or-explain mandate for publicly traded companies. Under such a mandate, organizations would have to report whether they have an internal audit function and how it is resourced. If they do not have an internal audit function, they would have to explain how they are mitigating risks. Such disclosure provides an increasingly active investor community vital information about a company’s approach to risk management. But in the interim, internal audit should become an integral part of an organization as the result of a carrot, not a stick. </p><p>The second major trend revolves around advances in artificial intelligence (AI), robotic process automation, and other technologies that threaten to replace compliance-based auditing. Internal auditors should fully grasp the implication of such automated auditing. Thomas Sanglier’s recent book, <em>Auditing and Disruptive Technologies</em>, published by The IIA’s Internal Audit Foundation, rightly argues that to thrive in the near future, audit departments will need to adopt and adapt to such advances. Staying relevant to organizations will mean moving up the value chain so that audit is operating at a strategic level. Technology will process the data. </p><p>This is why internal auditors need to tell their stakeholders how valuable effective, strategic, risk-based auditing can be. We can help them see the bigger risk picture by getting involved in supporting the strategic objectives of our organizations. Granted, AI will replace some of the traditional roles and tasks that internal audit has performed, but, in my view, it would be a welcome relief to move away from the humdrum compliance work and start focusing exclusively on what really matters — start focusing, in short, on value.</p><h2>Defining Value</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p>​<strong>Advocacy Tools</strong><br> </p><p>Internal auditors should make full use of The IIA’s advocacy tools to inform their stakeholders of the value an effective function can provide. These include the <a href=""><span class="ms-rteThemeForeColor-1-0">Global Advocacy Platform: Pillars of Good Governance​</span></a><span class="ms-rteThemeForeColor-1-0"> </span>and the <a href=""><span class="ms-rteThemeForeColor-1-0">position papers</span></a>: </p><ul><li>The Three Lines of Defense in Effective Risk Management and Control<br></li><li>The Role of Internal Auditing in Enterprise Risk Management and Control<br></li><li>​The Role of Internal Auditing in Resourcing the Internal Audit Activity<br></li><li>Internal Audit’s Role in Good Governance (available later in 2018)<br></li></ul><p><br>In addition, auditors can take advantage of relevant Internal Auditor magazine articles ​( to get up to date in best practices and share those with their stakeholders, where appropriate. Some recent examples include: </p><ul><li>“5 Steps to Marketing Your Audit Department” <br></li><li>“Your Personal Brand” <br></li><li>“Board Matters”<br></li><li>“The Dynamics of Interpersonal Behavior” ​<br></li></ul> <br> </td></tr></tbody></table><p>There are many definitions of <em>value</em>, because the concept changes over time as the demands on internal audit evolve. The IIA’s International Professional Practices Framework is a good place to start. It says, “the internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance governance, risk management, and control processes; and objectively provides relevant assurance.”</p><p>Putting those sound principles into practice can be more difficult than it might first seem. For example, what is relevant assurance? How can internal audit become more involved in strategic objectives and risks if that is not what stakeholders seem to be expecting? And how do stakeholders understand the value that internal audit can offer?</p><p>There is some truth to the idea that internal audit’s value resides in the eye of the beholder — the board, management, regulators, and other external parties. But we cannot be a passive recipient of those views if they do not mesh with contemporary practice. There is a real risk that stakeholder expectations are based on outdated notions of internal audit. </p><p>For example, one of my stakeholders is an incredibly knowledgeable individual — a former Big Four partner who is heavily involved in his own professional bodies. Recently, I told him we were doing the annual risk assessment and he surprised me by asking why internal audit was doing so. I explained how performing our own risk assessment helps internal audit create a risk-based audit plan and helps the organization achieve its strategic goals. I was glad that he had come to me because, frankly, I assumed he knew what internal audit did.</p><p>The first step to defining your voice is to create a value statement. Examples might include, “external auditors audit the past, we audit the future.” Or, “internal audit assists the board and management in accomplishing their responsibilities.” Or simply, “internal audit helps make the organization more successful.” Be sure to consult internal audit’s stakeholders. Creating a value statement is most effective when the process engages all involved. It is an opportunity to build understanding within the audit team about how audit is perceived and to explain to stakeholders the value internal audit could be offering where that is poorly understood. </p><p>Any value statement has to be addressed to the audience it is intended to inform — so while I urge auditors to advocate and educate stakeholders, they must do so in a language that is free from jargon. Because I work for a not-for-profit organization, my audit committee is made up of members of our community. That includes some financial experts, but also a Baptist minister, a real estate agent, and a couple of other individuals who do not have finance and business backgrounds. While they are smart people, I need to be able to explain internal audit’s value in a way that makes it easy for me to demonstrate what we have achieved through our work for the business. Creating a clear and well-understood definition of internal audit’s value for all stakeholders is a powerful tool.</p><h2>Walking the Talk</h2><p>In addition to advocating for an enhanced role and communicating with, and listening to, stakeholders, internal auditors need to deliver on their promises. Each of us needs to be the best internal auditor he or she can be. That involves being well-educated about the technical aspects of internal auditing, being up-to-date on current and emerging trends, and making a solid commitment to improve and update those soft skills that are crucial to our roles. Internal auditors should be certified to demonstrate their professionalism. Also, I am a big advocate of volunteering in the profession, of joining local chapters or committees and getting involved. I have benefited greatly on both counts. I am up-to-date on best practices and emerging issues in internal audit, and my organization has benefited from the technical skills I have obtained through my participation. At the same time, I have met some amazing people and developed some great friendships.</p><p>One area that CAEs often overlook is using external quality assessments as a challenge to the board. All internal audit departments should undertake periodic quality assessments, as mandated by The IIA’s Standard 1312, which says an external quality assessment must be performed every five years. I accept that it can be a difficult process to go through, but it can also be a tool for change. Presenting the results of such a review to stakeholders can support the CAE’s constant requests that the function be involved in more strategic and challenging work. If CAEs know they are not using audit staff most effectively, the quality review will reflect that in an evidence-based way. It is another way CAEs can find their voice and demonstrate that the audit committee can get real value from its audit function.</p><p>Being the best can be challenging and sometimes lonely. It can take time, effort, and patience to get the message through that internal audit is a forward-looking and progressive part of the business when those around you do not necessarily share or understand that view. </p><p>To stand in front of a stakeholder and say, “I’m supposed to be involved in strategic initiatives and have a seat at the table” is not always successful or well-received. To further support auditors, The IIA’s North American Board is putting more emphasis on advocating for members — an approach I will continue and extend where possible. It is no longer enough for The IIA’s advocacy to focus on attending meetings in Washington, D.C., to try to influence legislation and advocate for better governance. Although this is incredibly important and we continue to push initiatives with the U.S. Securities and Exchange Commission and other regulators, The IIA also is appealing directly to stakeholders. For example, we are hoping to partner with organizations like the National Association of Corporate Directors (NACD) to make sure they have the tools to inform their members about what they should be looking for from their internal auditors. Many audit committee and board members belong to the NACD and similar bodies. There are many other organizations that serve CEOs, chief financial officers, and other groups, and The IIA North American Board will be advocating and educating on the value internal audit can provide to their members. I urge internal auditors to also advocate for themselves — to “find your voice.” The IIA has many tools to assist you in this endeavor. For example, send copies of IIA advocacy documents to your stakeholders (see “Advocacy Tools,” page 38). Sometimes it is more objective and compelling when it comes from a third party.</p><h2>Finding Internal Audit’s Voice</h2><p>Obviously, what I have set out as my theme will take more than a year to achieve. But working together as a profession, and with our key stakeholders, we can help internal audit find its voice — and its place — to foster success and create opportunities in our organizations and beyond. </p><p></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <strong> </strong> <style> span.s1 { vertical-align:1.5px; } </style><strong> </strong> <p> <strong>The 2018–19 North American Board Chairman​</strong></p>​​Karen Brady began her career with Ernst & Young in New Orleans and has served in various executive positions, including controller and chief audit executive within the hospitality industry. She is a Certified Internal Auditor and Certified Fraud Examiner and has her Certification in Risk Management Assurance.  <p>Today, Brady is the corporate vice president of audit and chief compliance officer for Baptist Health South Florida. Baptist Health is the largest, not-for-profit health-care organization in South Florida, including 10 hospitals and over 50 outpatient facilities spanning four counties. With more than 18,000 employees and over 3,000 physicians, Baptist Health is considered one of the nation’s top employers, according to Fortune’s 100 Best Companies to Work For. It also has been recognized by the Ethisphere Institute as one of the World’s Most Ethical Companies for the past eight years. Brady has been with Baptist Health for over 25 years and during that time has implemented a robust, award-winning Internal Audit and Compliance department.</p><p>In addition to serving as North American Board chair and as a Global Board member, she has volunteered at The IIA in various capacities for many years. For example, she is a past conference chair (2011), Learning Solutions Committee chair (2011–2013), and Global Professional Development chair (2015–2017). </p><p>Brady also is past president of the Florida Health Care Compliance Association. Recognizing the importance of giving back to the community, she serves as chair of the Finance and Audit Committee on the Board of Riverside House, a charitable organization that helps guide men and women convicted of crime toward becoming productive citizens through a nondenominational, faith-based approach.</p><p>She is a fitness enthusiast and enjoys her morning runs. In her spare time, she enjoys travel, hiking, and water sports with her husband Jim. ​</p></td></tr></tbody></table><p></p> <style> p.p1 { line-height:12.0px; font:42.5px 'Interstate Light'; } p.p2 { line-height:12.0px; font:9.0px 'Interstate Light'; } p.p3 { text-indent:12.0px; line-height:12.0px; font:9.0px 'Interstate Light'; } span.s1 { letter-spacing:-0.1px; } span.s2 { letter-spacing:-0.2px; } span.s3 { letter-spacing:0.1px; } </style>Karen Brady0
Culture of Accountability of Accountability<p>​<span style="font-size:12px;">Holding people and organizations to account has historically been a case of pinning blame on them for failures they either caused directly or should have been aware of. As a result, organizations should not be surprised if employees are reluctant to embrace a culture of accountability. But Paul Russell, director and co-founder of soft skills training firm Luxury Academy, says that the key to encouraging employees to be more accountable is to teach them that the term is not synonymous with blame.</span></p><p>"Whereas accountability is a strategic approach implemented by management to enable more effective working practices, blame looks to apportion guilt for mistakes," Russell says. "A blame culture is inhibiting for employees, while an accountability culture should help employees to exhibit productive, effective working practices."</p><p>For employees to take ownership of problems and mistakes, they must have a strong understanding of customer expectations and their role in delivering them, Russell says. The workplace culture, he adds, should be one where roles and responsibilities are clearly defined, with an effective leadership strategy that encourages open communication and team working. Employees should receive consistent training, be encouraged to take accountability for the customer experience, and empowered to put things right if they go wrong. </p><p>Internal audit also has a strong role to play in the process. For example, in the U.K.'s Corporate Governance Code, internal audit has a duty to provide assurance to the board on the organization's culture.</p><p>"Internal audit needs to review accountabilities as part of its internal audit processes, as well as look at the culture of the unit being audited," says Philippa Foster Back, director at the Institute of Business Ethics, a U.K.-based organization that advocates for better business behavior. "And a key question that internal audit should ask is if employees can — and do — speak up and raise issues."</p><p>Foster Back points out that organizations need to have robust management reporting lines — as well as "speak up" and whistleblowing procedures — so that employees know how they can escalate concerns, rather than being left to either resolve issues themselves (where they might not be qualified to do so) or take the blame for mistakes made (which is also inappropriate).  She adds that getting employees to take ownership of problems and stopping them from covering up mistakes or passing the buck is easier to encourage if the organization's culture is open.</p><p> "In an open culture there is a dialogue and discussion of scenarios of dilemmas faced and mistakes being made," Foster Back says. "If these are openly discussed, say in a team meeting, the language is created so it isn't so difficult to own up. And underlying this open culture is the necessary support of leaders recognizing the importance of learning from mistakes."</p><p>Ultimately, achieving a culture of accountability will not happen overnight. "People struggle with what accountability means and are therefore afraid to take ownership of problems or make decisions on issues outside of their comfort zones or pay grades," says Liz Sandwith, chief professional practices advisor at the U.K.'s Chartered Institute of Internal Auditors.</p><p>However, progress will be achieved when people become more familiar with what the term implies. "We need people to understand what 'accountability' is, because it means taking responsibility for one's actions — and not in a negative, 'blaming and shaming' way," Sandwith says.</p><p>"Rather, accountability means making decisions when necessary for the benefit of the organization," she continues. "If those decisions turn out to be 'bad' decisions, these employees should not be punished: The organizational culture should be one in which mistakes can be tolerated, and where lessons can be learned, and training provided."</p>Neil Hodge0
Audits From Afar From Afar<p>​Current audit methodologies are taking advantage of rapid technology advances to offer greater accuracy and insight into complex operations, often with fewer person-hours. Many internal audit departments have applied agile, automated processes to improve the previously manual approach for measuring and managing controls and processes.</p><p>But what about the way internal auditors perform the audits, themselves? For example, much of internal audit's work — information-gathering, walkthroughs, and interviews — still is done on-site. Leveraging today's technologies to conduct remote audits could streamline this process and increase the efficiencies of internal audits.</p><h2>On the Road</h2><p>Internal auditors perform walkthroughs to measure the effectiveness and level of compliance of an organization's internal control system. The fieldwork portion of these walkthroughs typically involves small teams traveling to various locations and setting up shop for one or two weeks. There, auditors pull team leads, directors, vice presidents, and even top executives away from their daily duties to evaluate the control systems and targeted processes. Teams then perform substantive tests, examine analytical procedures, hold direct interviews, and raise inquiries with various levels of management.</p><p>Not only is this approach inconvenient for the individual site locations in terms of blocking out conference rooms, hotel cubicles, and meeting schedules, but it can become time-consuming for leadership and increase internal audit's travel costs. In fact, internal audit efforts can easily reach thousands of dollars per location, team, and area of focus. Moreover, the time spent traveling to the location instead could be spent on auditing, which could decrease the total audit hours. </p><p>On-site audits have another downside: The extensive travel and time away from home can actually be a drain on employee resources and contribute to turnover. Like most employees, today's internal auditors juggle complex work and personal lives, including ever-increasing commuting times and expenses, travel, and family responsibilities. Establishing more off-site audit work can help organizations retain talent and in some cases recruit employees who might otherwise not have wanted to work in a location.</p><h2>Auditing Remotely</h2><p>Leveraging technology to perform walkthroughs remotely can free up on-site resources and enable internal audit and management to more efficiently plan, interact, and share substantive data. Take for example the planning phase of the audit process. Planning the audit sets the stage for evaluating management's assertions, beginning the process of obtaining material evidence, aligning initial planning expectations with current audit findings, and building the supporting documentation library. </p><p>Yet, technology advances have improved routine data-collection activities and streamlined the historically manual methods around the measurement of processes and controls, including compiling information from disparate systems. That has minimized the need to be on-site to gather information. </p><p>The key to a remote audit is planning and appropriate resource management. Here are some tips and strategies.</p><p><strong>Use technology such as video chats, conference lines, secure file sharing, and virtual private networks.</strong> Conversations with the client, or even with members of the audit team, do not have to take place in person. Many organizations have a video chat capability on their employees' computers, enabling auditors to have those face-to-face conversations virtually. In addition, secure file sharing addresses the concerns of clients who do not want to share electronic documents because they fear they will get hacked. </p><p><strong>Schedule time ahead of planned fieldwork. </strong>This is more efficient for both the remote audit staff and the client. A week or two before the audit start date, auditors should email the client to schedule initial walkthroughs. Auditors should inform the client that they will be conducting an audit remotely and prepare the client to gather any electronic documents needed by the time the meeting occurs.</p><p><strong>Establish the remote auditing rules of engagement for the internal audit team.</strong> Whether it's one person or an entire team working off-site, the remote auditors should be aware of expectations. For example, rules of engagement could include when individuals should be available, status updates at the end of the day, and points of contact on the audit team for questions before engaging the client. These rules can help achieve good communication, which sometimes can be lost when auditing remotely. </p><p><strong>Determine specific roles and responsibilities for all team members.</strong> Roles and responsibilities can be included in the rules of engagement. For example, the manager in charge of the audit should assign an individual to be the single point of contact responsible for setting up meetings with the client. Another role that should be assigned is the individual who keeps track of the status of the audit and staffing to avoid having individuals on the team working on the same tasks.</p><p><strong>Set check-in times each day with the internal audit team to ensure the audit is still on schedule</strong><strong>.</strong> These check-ins are critical to the success of a remote audit. Because the audit team is not in the same physical location, communication does not occur as often throughout the day. A set check-in time will help communication flow and keep the audit on track.</p><p><strong>Start with less complex audits.</strong> Once internal audit has established its ability to perform simple audits off-site, it can transition to other complex areas later in the year. For example, an audit that typically can be completed off-site is electronic banking. The documents are usually electronic and can be sent securely, and the processes are less complex. </p><p>A more complex audit, like allowance for loan and lease losses (ALLL), should be performed on-site at first, to understand the complexities involved in the process as well as the complexities of the ALLL model. Internal auditors always should look at the audit plan and work with management to determine which audits would be more complex than others. </p><h2>Embrace Established Technology Principles</h2><p>It is no secret that technology is making life easier. By taking advantage of well-established technology principles, organizations and business leaders can transform business areas such as internal audit that often depend on manual processes. Innovations such as secure file sharing, video chats, and virtual private networks can facilitate remote audits that create flexibility and ease for both the client and the audit team. </p>Matthew J. Suhovsky0
Social Capital Pays Dividends Capital Pays Dividends<p>​​To be a trusted advisor, internal auditors need to have strong relationships with executives and audit clients. Building those relationships is about accumulating "social capital." Social capital is a complex subject with many definitions, but the Social Capital Research & Training website notes that "the commonalities of most definitions of social capital are that they focus on social relations that have productive benefits." In practical terms, <em>social capital</em> refers to the power people are willing to use on another person's behalf because of the strength of their relationship with that person. </p><p>In internal auditing, building and using social capital can mean the difference between successfully igniting change within an organization and just filing another report. Some audit clients perceive that internal audit is at odds with other parts of the organization. They may not think internal audit recommendations are useful and may only make minimal efforts to address them. In addition, clients may use their own social capital to block audit recommendations, support their own positions, or resist meaningful change. Consequently, although internal audit may be in the right, it may not succeed in recommending needed change. This is especially the case when internal audit has not accumulated its own social capital.</p><p>However, internal auditors cannot abandon objectivity in pursuit of building relationships. Auditors' ability to balance objectivity and social capital can impact not only what they are able to accomplish, but their career trajectory. </p><p>Consider this example: The chief audit executive (CAE) has been asked to join other executives in a luxury box to watch a basketball game. If the CAE participates, is internal audit's independence and objectivity compromised? On the other hand, would choosing to not take part damage the CAE's social capital and compromise internal audit's ability to successfully navigate through challenging issues within the organization? </p><p>Attending the basketball game is just one piece of a larger puzzle of interactions between management and internal auditing. If the auditor has already built social capital by demonstrating commitment, being collegial, and proving his or her capabilities, participating in such social events can further the work of internal audit, not cloud it.</p><h2>Demonstrate Commitment </h2><p>While a sense of commitment to an internal auditor's own work is critical, it also is important to consider commitment as viewed through the eyes of audit clients. Successfully initiating change is not just about working hard and delivering an audit report; it is about convincing clients that internal audit has the organization's and the clients' interests in mind. When an internal auditor seeks to establish common ground, such as the mutual overall goal of improving the organization, the truth can motivate clients instead of frustrate them. For clients, this can mean the difference between feeling chastised and feeling like their efforts to change will be meaningful and worthwhile. </p><p>Interviews with experienced internal auditors reveal how they apply social capital principles to improve audit outcomes. "Everybody involved in an audit has the same goal typically — to make the organization better," says Hollie Andrus, financial audit director for the Office of the State Auditor of Utah. "I am lucky to work with people inside my office and with people I audit who care about their organizations and want to do the best job possible. This certainly makes it easier to create a symbiotic environment." </p><p>Building social capital "helps promote change more quickly," she says. "There is a level of respect and trust from both sides of the table, whether that be with co-workers or clients." Andrus' experience shows how emphasizing shared commitment to the organization builds social capital.</p><p>However, part of an internal auditor's job is to tackle challenges. Sometimes that means Andrus must write tough findings or recommendations for an audit client. "Organizations receiving these tough findings are more open to our concerns and suggestions if our relationship is one of respect rather than of hostility," she says. </p><p>This relationship is built on the premise that everyone in the organization — which includes all state departments, agencies, and public universities in Utah — shares a similar commitment. This presumption may not hold true in all cases across such a large organization, but Andrus' attitude and approach invite others to respond in kind.</p><p>Establishing shared commitment can be accomplished in many other ways outside of work. One avenue is volunteering for the charitable causes the organization supports. The workplace by necessity has deadlines, pressures, discussions about differences, and sometimes unpleasant interactions. Sometimes volunteering with co-workers, participating on an athletic team, or attending a training conference together builds relationships of trust faster than simply going through everyday business activities. </p><p>While such involvement needs to be genuine to build social capital, it is helpful when such involvement is also strategic. For example, Andrus serves on an advisory board of Utah Valley University (UVU), where many of her employees and audit clients received their degrees. Choosing to demonstrate commitment to a university is particularly effective in building social capital because alumni have strong social and emotional ties to their schools. UVU, with Utah's largest student enrollment, supports students in pursuing jobs in the state government, so Andrus encounters many graduates in her work. Sharing this common commitment makes building positive work relationships and developing social capital easier than if the shared commitment did not exist. </p><h2>Be Collegial </h2><p>A willingness to cooperate and be considerate of colleagues builds social capital. If internal audit reports are delivered unexpectedly like knives in the back, objectivity may prevail, but social capital is lost. On the other hand, if there are 10 valid findings and the two most important are watered down after an excellent dinner, objectivity is lost. The better approach is to tackle the big issues, but to do so with collegiality. </p><p>J. Michael McGuire, the CEO of Grant Thornton, commented on this issue when fielding questions at an accounting research conference earlier this year. McGuire indicated that the grit and social skills to ask hard questions while maintaining relationships is crucial. He explained that such abilities, or early progress in developing those skills, are among the top characteristics Grant Thornton looks for in new hires and are part of what makes those employees successful.</p><p>How do those on the other side of the audit feel about the importance of collegiality? An insurance industry chief financial officer (CFO) explains her perspective on the difference between being audited by a good auditor and a bad auditor. The CFO, who prefers her name not be mentioned, describes a situation in a previous job as a controller that illustrates poor collegiality on the part of an internal auditor. </p><p>An internal auditor asked someone in another part of the organization a question and received an uncertain answer, "I am not sure, but I think. …" Rather than verify the employee's story with the controller, the auditor took the issue up the audit ranks, and his supervisor then approached the organization's executive team with the issue. When the controller was finally called back into the conversation, she was blindsided with the problem. It turned out there was no problem at all — just misunderstood information. </p><p>This story demonstrates that it pays for internal auditors to be collegial with others and show them the respect internal auditors would like to receive, themselves. By neglecting principles of collegiality and failing to confirm the employee's story with the <br>controller, the auditor destroyed his social capital in all directions. The controller lost interest in collegially responding to the auditor's requests and facilitating a smooth audit. The auditor's supervisors were frustrated because they had wasted time and frustrated the organization's executives.</p><p>The CFO also describes what it is like to have a collegial internal auditor. This kind of auditor treats audit clients as friends. Everyone knows the auditor's job still must be done, but being collegial makes the experience less painful. She recommends that auditors think of what it would be like to audit a friend. The auditor would need to inform a friend of mistakes he or she made and of the need to be prompt with information, but the auditor would do so with decency. This kind of auditor, she says, would be candid, and it would feel as if the auditor is rooting for the client instead of waiting for an opportunity to criticize. Moreover, this auditor would be transparent about where things stand instead of making the client wonder what is happening. This is what a person would do for a friend, because he or she would want to maintain the relationship. </p><p>In the CFO's experience, most internal audit clients respond well to collegial treatment. Those who do not may require other approaches. The challenge is to not let the unpleasant experiences keep internal auditors from building social capital with those who are more amenable.</p><p>Joni Lusty, an assistant director at EY, has experience recruiting and developing employees in all areas of the business. Her simple and practical recommendations for building social capital center around collegiality. First, it is best to be oneself, and to be honest and straightforward. Second, she recommends listening carefully to avoid jumping to conclusions and making assumptions about what people are saying. When clients feel that internal auditors are doing this, they are more likely to do the same with the auditor. </p><h2>Leverage Capabilities</h2><p>In internal auditing, capability does not mean that the auditor knows everything, but that he or she prepares as well as possible and admits his or her shortcomings. Otherwise, auditors unnecessarily waste more of the client's time and cause frustration. Paying attention to capabilities can build mutual respect and social capital.</p><p>As the organization's employees are impressed with internal auditors' capabilities, they may be more willing to work with them. For instance, the IT function may not want to expose a problem to an internal auditor, but the department may decide to involve internal audit if it has worked with the auditor before and seen how he or she solves problems. </p><p>Although it is challenging to be all things to all parts of an organization, internal audit's usefulness can increase when the team comprises people with strong but different skills. If auditors are then encouraged to come to each other's aid and share their strengths with each other, the individual social capital of each auditor and the collective social capital can grow. This can enhance the group's overall ability to work together and help the organization improve.</p><p>Often, CAEs and internal audit partners in audit firms are respected for the skills they have developed over time. Those capabilities include a mixture of analytical and soft skills. These people are usually well-connected to many other professionals because of their adherence to principles of relationship building. </p><p>An interesting characteristic of many internal auditors is that even in the midst of their heavy workloads, these practitioners make time and find ways to maintain their social capital. In talking to these professionals, one message becomes clear: They care about people. That caring results in social capital. </p><h2>The Social Capital Approach</h2><p>Mark Gotberg, assistant director of internal auditing at Brigham Young University, left his previous job at a CPA firm, in part, because he wanted to feel committed to something more important than building others' wealth. This commitment is clear in the contributions he has made to the university. One example has less to do with the results of his audits and more to do with those who work with him. He goes out of his way to hire and train student auditors, and he spends time mentoring students. </p><p>In his internal audit position, Gotberg leverages capabilities learned from consulting. When working with his clients, he listens to all levels of employees. He says the people closest to a problem often have the solution to it, but they may not have the ability to put their ideas together, present their ideas, or convince management to apply the solution. "Developing relationships with people at the lowest levels and getting them to trust me has provided me with the best tips for organizational and process improvement," he explains. </p><p>Gotberg builds social capital with audit clients as he helps them orchestrate the change they want. His collegiality comes out in this process, as well as in reporting. He makes sure the wording of his reports is as fair and helpful to the client as possible, while always providing the audit service the organization needs. He explores solutions to problems and manages clients' expectations. By using these skills, he builds social capital instead of just finishing audits and producing reports. </p><p>Andrus also comments on this social capital-focused approach to internal auditing. "Adversarial relationships only breed dislike and hostility — nothing is accomplished and nothing is improved upon," she says. "An audit client once told me that he would make corrections I proposed because of my attitude toward the audit and the client. He also said that if another auditor — one who was more hostile — requested or proposed the same changes, he would 'dig his heels in' and would not make the change because of the other auditor's attitude." Giving credence to social capital in the right ways can enhance an internal auditor's effectiveness rather than subtract from it. </p><h2>A Social Investment</h2><p>In the balancing act between objectivity and developing relationships, it is not always possible to build social capital with audit clients. For instance, sometimes internal auditors prepare cases and assist in prosecutions. As difficult as this type of situation may be, it also can highlight internal auditors' capabilities and make clear their commitment and efforts to accomplish the organization's goals. This, in turn, can impress the right kind of people in the organization and build social capital with them. </p><p>Reconsider the question of whether the CAE should accept the invitation to attend the basketball game with the other executives. The answer is "yes," if the CAE has carefully built the right kinds of relationships through demonstrating commitment, being collegial, and leveraging internal audit's capabilities to deliver worthwhile results. The social capital created at the event may be helpful when a future daunting issue requires cooperation from audit clients. Social capital, then, is like money in the bank — develop it now because internal auditors eventually will need it. </p>Joshua K. Cieslewicz1
Auditing in an Uncooperative Organization in an Uncooperative Organization<p>​For an internal auditor, an uncooperative organization may be characterized as one in which it is difficult to do his or her job. This may be because of a client's resistance to change, lack of trust in internal audit, viewing the function unfavorably, or not understanding the role of internal audit. Any of these scenarios can cause the client to resist working collaboratively with auditors whose job it is to make positive changes in the organization. Internal auditors are supposed to be trusted advisors, so this can be a challenging situation, especially for new auditors. </p><p>Turbulent organizational environments or poor communication and cooperation between internal auditors and clients can exacerbate the problem. But lack of trust and understanding about the role of internal audit can cause the most harm. Trust can take years of effort to build and it is easy to destroy. Even though internal auditors do their job based on facts, they need to have good relationships with other employees in the organization to ensure long-lasting cooperation. When audit clients understand what internal audit does, they are less likely to respond with statements like, "Your findings are not true," "We don't have time for you," or "We're not implementing your recommendations."</p><p>Several suggestions may help internal auditors change the mindset of uncooperative employees while building themselves up as trusted advisors. </p><p><strong>Communicate Directly</strong> Talk to people face to face as often as possible. Emails cannot convey moods, feelings, or body language. Auditors should use every opportunity to have direct contact and communication with clients. That will not only enable auditors to talk to clients more easily, but also puts them in a position to get additional information and react appropriately in difficult situations.</p><p><strong>Empathize and Understand</strong> Understanding the context of someone's reaction is essential when approaching clients. If auditors show understanding of their clients' situation, or auditors recognize the pressure the client is under, it is much easier to gain the client's trust and get buy-in on audit findings. Listening and responding with empathy can foster better working relationships overall.</p><p><strong>Have a Positive Attitude</strong> While working with clients, a positive approach toward the client might be one of the most important aspects of internal auditors' work. Auditors should avoid presenting their findings for effect, restrain themselves from sensationalism, and try to present positive aspects of their work. They should explain to clients how implementing corrective actions on findings will benefit them. Auditors should use every opportunity to give positive feedback to their clients and talk about their clients' collaboration to higher management.</p><p><strong>Show Cooperation </strong>Another critical element of a successful audit is cooperation. A willingness to cooperate makes it easier for internal auditors to establish trust with clients. Auditors should be available to their clients. They should provide them with relevant information on time, organize regular status meetings, send reminders, and be available for meetings at their request.</p><p><strong>Be Professional</strong> Internal auditors must remain professional, objective, and independent at all times to conform with Standard 1100: Independence and Objectivity. Even when auditors are kind and positive, they should not abandon their fact-based conclusions in exchange for good cooperation from their clients (see "<a href="/2018/Pages/Social-Capital-Pays-Dividends.aspx">Social Capital Pays Dividends​</a>"). </p><p><strong>Escalate, When Necessary</strong><strong> </strong>If internal auditors cannot accomplish their job by being cooperative, empathetic, and open to clients, they should choose the option of escalation. This might be the only way some clients will take auditors seriously. Depending on the client's personality, it may be necessary to demonstrate the auditor's role and influence to establish an appropriate long-term relationship. </p><p><strong>Be a Change Catalyst</strong> Internal auditors should not be afraid to propose changes. This is especially true in uncooperative organizations. Typically, the environment in uncooperative organizations is characterized by frequent changes, so employees might be even more open to changes than in other organizations. Every auditor might be faced with situations in which proposed changes are challenged from many sides, but this should not be viewed as an obstacle. Effective internal auditors can convince management to take action on issues identified and implement their proposed recommendations.</p><p><strong>Contribute to Efficiency </strong>Internal audit findings and recommendations should not only be used for correcting what is wrong, but also for improving or streamlining the use of available resources. If work efficiency can be improved and resources freed up for other purposes, internal audit should point it out. In turbulent organizations, which typically lack resources, these kinds of findings will be appreciated by clients. </p><p><strong>Get Involved </strong>Auditors should involve themselves in all current projects, actions, campaigns, and any other activity the organization is undertaking. This will not only keep auditors updated, but it will also show they are interested in future developments in the organization. However, junior members of internal audit departments should undertake these kinds of initiatives only with permission of internal audit management.​</p><p><strong>Be Creative</strong> Internal auditors play a role in creating and organizing the internal audit engagement, from designing the audit program and procedures to workpapers and audit reports. Although no two audits are alike, auditors should make their work as interesting as possible for themselves and their clients. In this way, auditors' work will be much easier and motivating, and feel like less of a burden. Although these kinds of activities primarily relate to lead auditors, junior auditors also can express their creativity through proposing possible work improvements.</p><h2>A Strong Relationship</h2><p>Building trust is a long process. Auditors may encounter many obstacles, unpleasant people, and bad days, but they share with their audit clients a commitment to the same goal — the success of the organization. Practitioners are in a position to promote the profession so that audit clients better understand internal audit's role in business, which can result in less resistance during audits. By building trust, clients are more likely to view auditors as the advisors and partners that they are. The better an auditor's relationship with his or her clients, the more open they will be to the auditor's critiques and suggestions for improvements. That can not only make the auditor's job easier, but it also is a win-win situation for the organization. ​</p>Maja Milosavljevic1
Culture Article Wins Thurston Award Article Wins Thurston Award<p>​James Roth, president of training and consulting firm AuditTrends, received the 2018 John B. Thurston Award for his article, "How to Audit Culture," on May 7 at The IIA's International Conference in Dubai. Published in <em>Internal Auditor</em>'s June 2017 issue, the article discusses how culture audits can help practitioners gain insight into the causes of poor organizational behavior.​<br><br>The Thurston Award, established in 1952 in honor of The IIA's first international president, is awarded to the best feature article by an internal audit practitioner that appeared in the magazine during the previous year. ​<br><br>​Read the award-winning article <a href="/2017/Pages/How-to-Audit-Culture.aspx">here</a>.  </p>Staff0
Elevating Team Performance Team Performance<p>​In 2010, I became chief audit executive (CAE) of Central Bank of Armenia, an independent institution that oversees and regulates the country's financial sector. During that time, the internal audit department was in a state of flux — the former CAE had been promoted to a board-level role, and many capable internal auditors had left the team. I quickly began reshaping the function by hiring and training new staff members, aligning our methodology to The IIA's International Professional Practices Framework, automating processes, and devising our strategy. </p><p>The IIA Practice Guide, Measuring Internal Audit Effectiveness and Efficiency, released that same year, prompted me to also start thinking about performance assessment. At the time, Central Bank used a one-size-fits-all approach to measure performance based on the number of planned versus actual hours for tasks — a somewhat bureaucratic activity that added little value. Our department chose to abandon this system in favor of a customized performance assessment approach, triggering a change that soon led the entire organization to follow suit. </p><p>My idea was to link performance assessments to staff motivation so that we hire and develop people consistent with our vision of the function. We sought to encompass both short- and long-term objectives and to keep the process simple yet comprehensive. Perhaps more importantly, we aimed to establish what those objectives would mean for individual staff members. With these ideas in mind, we developed an assessment process — comprising five main elements — that looks to identify and leverage employees' strengths while also determining opportunities for improvement through training, coaching and mentoring, and, most importantly, self-development. </p><h2>Defining Objectives, Performance Elements</h2><p>We began by referencing the IIA Practice Guide and other literature on performance assessment to help establish objectives that would satisfy stakeholder needs and provide high-quality work. Our efforts resulted in four main performance objectives:</p><ul><li>Perform value-adding activity, which is linked to the quality of our recommendations and insights.</li><li>Successfully execute the annual internal audit plan, where deadlines are met without sacrificing quality.<br></li><li>Deliver high-quality reports and documentation, including regular audit reports, summary and other reports, and workpapers.<br></li><li>Provide sound and effective communication, both written and oral.<br></li></ul><p><br></p><p>Next, we began thinking about how employee performance would connect to the four objectives. We wanted to help give direction to staff members and motivate them to behave, perform, communicate, and grow in a way that would move toward achieving these objectives. Toward this end, we established five performance elements: collaboration, efficiency, professional development, visibility, and responsibility. </p><p>For each of these elements, we devised several measurement criteria. Because every engagement is unique, using simple quantitative criteria — such as number of risks identified, recommendations given, and open follow-up issues — would have been ineffective. We instead chose primarily qualitative criteria that rely on collective input across the audit function. In other words, everyone contributes to the performance assessment exercise by providing feedback on other members of the team via a questionnaire form and in-person discussion. ​</p><p><strong>Collaboration</strong> Internal audit performs best when it operates cohesively as a team and leverages collective knowledge, rather than working in silos. As part of our teamwork philosophy, and unlike the rest of the organization, everyone in the internal audit function works together under one roof as a means of facilitating team collaboration.</p><p>Per our criteria, an effective collaborator is:</p><ul><li><em>An Active Listener</em> — participates in discussions and presents opinions.<br></li><li><em>A Fair-minded Debater</em> —remains open to debate and separates issues from people.<br></li><li><em>A Desired Team Member</em> — someone with whom colleagues would like to work on audit or other projects.<br></li><li><em>A Supporter</em> — supports colleagues on both audit-specific assignments and on projects outside his or her primary work responsibilities. <br></li></ul><p><br></p><p>Assessments of collaboration skills are performed as a 360-degree exercise — everyone assesses everyone else anonymously, and generalized results are then discussed with the team. We encourage feedback and stress that the assessment is meant to serve as a professional development tool rather than a means of punishment. The process also provides an incentive to maintain healthy working relationships across the team, as any self-focused outlier can be identified easily through the assessment. Moreover, all auditors are asked to include the CAE in their assessments, ensuring that everyone, including team leadership, participates in the process.</p><p>Maintaining an open and honest environment is key to effective collaboration. The process starts with hiring the right people and continues as we integrate them into the team. Our assessment process then reinforces the importance of collaboration and fosters employee buy-in. And as an added measure, we anonymously select a Knowledge Champion of the Year to promote learning and sharing among the team. ​</p><p><strong>Efficiency</strong> Auditor efficiency is about delivering quality work to our stakeholders cost-effectively and on time. We measure efficiency by determining whether our team's practitioners: </p><ul><li>Provide valuable recommendations both within and outside audit engagements.<br></li><li>Meet audit and other project deadlines.<br></li><li>Deliver high-quality reports and workpapers.<br></li><li>Maintain sound relationships and communication with clients.<br></li></ul><p><br></p><p>These criteria replicate the department's internal audit performance objectives described earlier. Members of the managerial team — composed of the CAE; deputy CAE; and financial, operational, and IT audit unit managers — discuss staff performance across all four of these areas and provide assessments based on their experience with each individual. They also review self-assessments completed by every team member. Moreover, all staff members provide a peer assessment for those colleagues with whom they worked in the period under review.​</p><p><strong>Professional Development</strong> We expect all team members to pursue professional development, even after receiving certifications. With The IIA Global Internal Audit Competency Framework in mind, professional development is defined across four criteria:</p><ul><li>Interpersonal skills, including verbal and nonverbal communication, listening and negotiation, and teamwork. <br></li><li>Technical knowledge and tools, such as data collection and analysis, working with spreadsheets, problem solving, and slide preparation. <br></li><li>Knowledge of the <em>International Standards for the Professional Practice of Internal Auditing</em>, as well as internal audit theory, methodology, and application.<br></li><li>Specialized areas of expertise, such as International Financial Reporting Standards; governance, risk, and control; risk management frameworks; IT auditing; COBIT; and fraud.<br></li></ul><p><br></p><p>We look for each internal auditor to obtain at least one international certification — such as the Certified Internal Auditor (CIA), Chartered Certified Accountant (ACCA), Certified Information Security Auditor (CISA), Certification in Risk Management Assurance (CRMA), and Certified in Risk and Information Systems Control (CRISC) — relevant to his or her specialty unit and duties. Auditors may pursue other certifications or qualifications from The IIA, ISACA, or the Association of Certified Fraud Examiners. We also consider practitioners' backgrounds — such as whether our financial auditors<br> have Big 4 experience and to what extent our IT auditors possess technology experience.</p><p>Development becomes more subtle after someone achieves certification. Evaluation measures include training events attended, presentations delivered, and knowledge and skills developed. </p><p><strong>Visibility</strong> We regard visibility as a key practitioner attribute. Each member of the team should ideally be recognized not only for his or her personal character and ethical behavior, but also for subject matter expertise. </p><p>Our assessment criteria for visibility comprise two main areas. First, the internal auditor should be expanding his or her visibility across the organization through participation in bankwide discussions and working groups and by establishing and maintaining professional relationships with colleagues.</p><p>Second, we look for practitioners to expand beyond the boundaries of the organization and become a well-known expert in the industry. This effort may involve volunteering with IIA–Armenia, teaching at local universities or training centers, presenting at conferences, writing articles for professional publications, and serving on audit committees and boards. Further visibility can be obtained by traveling outside the country to speak at conferences, facilitate roundtable discussions, deliver training sessions, and participate in external quality assessment teams. We assess visibility during the period under review against each individual's potential using feedback from colleagues and examining identifiable achievements such as presentations, training engagements, and published articles. ​</p><p><strong>Responsibility</strong> We measure internal auditors' responsibility by how well they perform their duties. Responsibility is gauged according to performance on top-down assignments — carrying out tasks assigned by audit management — and by work performed from the bottom up, where auditors take additional responsibility through personal initiatives. The latter type of work is important to becoming a true professional and a valued member of the team. Examples include creating a newsletter, developing new training courses, building relationships, and writing articles. However, gaining the ability to perform bottom-up initiatives can take time, especially with new hires, as it often requires extensive knowledge, expertise, and visibility. Some start sooner with small initiatives at the department level, such as developing new designs for presentations, whereas others need more time to begin making bottom-up contributions.</p><h2>Providing Feedback </h2><p><strong></strong>We conduct performance assessments twice a year. And while each follows a rigorous process, the year-end review involves more thorough assessment. Moreover, the collaboration assessments are limited to once annually, to avoid overburdening the team and to allow auditors sufficient time to change behavior if needed. </p><p>The managerial team shares feedback directly with each team member via three spider charts. The first two charts depict 360-degree collaboration assessment results, showing the individual's ratings against the average for the four criteria within this measurement (active listener, fair-minded debater, desired team member, supporter) and the average rating for the individual by every assessor against the assessors' average rating for everyone (see "Collaboration Assessment by Quality" and "Collaboration Assessment by Assessor" below).</p><p>A third chart shows the individuals' ratings for all five elements of the assessment (see "Performance Assessment Summary Chart" below). The chart's blue line represents the managerial average rating, the red line depicts the average for the overall team, and the green line shows the self-assessment. </p><p>Our managerial team discusses every element of the assessment with each member of the team. Managers also are assessed. The individual under review is free to join or forgo the discussion. During our most recent assessment exercise, everyone chose to be present at his or her own assessment to hear positive feedback as well as opportunities for improvement.</p><p>Following the year-end assessment, we devise a development plan for each team member for the coming year. The plan includes visibility and initiative strategies, certification goals, and knowledge and skill development through audit engagements where teams are mixed via integrated auditing. </p><h2>Tangible Results</h2><p>Since implementing our assessment process, we've received two "generally conform" ratings from external quality assessments performed by Dutch Central Bank colleagues — one in 2012 and another in 2017 — as well as mission-positive conclusions from an International Monetary Fund safeguards assessment. Collectively, our team has a portfolio of numerous certifications, including five CIAs, three CRMAs, four ACCAs, one CISA, and three CRISCs. Several staff members are teaching at local universities and many volunteer for IIA–Armenia by helping organize conferences and other events, developing and maintaining website content and quarterly bulletins, and promoting membership. Outside the country, some of our staff members have spoken at conferences and other events, delivered training, and participated in external quality assessments. </p><p>These results stem from the direction provided by our assessments. We see new team members developing new skills and experienced auditors continuing development beyond certification. Our audit reports receive praise — including best-practice kudos from our external assessors — and relationships with audit clients are balanced. Lastly, our internal auditors are respected as professionals, due in part to their international qualifications and visibility both inside and outside the organization. The assessment process has strengthened our team, expanded its capabilities, and made us an even greater asset to organizational stakeholders.</p><p><img src="/2018/PublishingImages/Chalabyan_Assessment-Rating-Chart.jpg" class="ms-rtePosition-5" alt="" style="margin:5px;width:650px;height:241px;" /><br></p>Ara Chalabyan1
Crafting the Audit Report the Audit Report<h2>​​What are internal auditors doing wrong with audit reports?</h2><p><strong>HUBBLE</strong> Internal audit reporting often is not part of a broader stakeholder communication plan. Before internal auditors determine their approach for audit reports, they should understand the various internal audit stakeholder expec​tations and establish a plan for formal and informal communication. As report preferences will vary by organization, and even individual, having a comprehensive reporting plan will ensure internal audit is communicating the right information, in the right format, at the right time. Specifically, internal auditors commonly create very long reports with a lot of context their particular readers may not find valuable. This makes finding the important information difficult, or it is potentially missed altogether. Internal auditors can use other forms of reporting, including verbal communication and memos, for smaller groups of recipients.</p><p><strong>PUNDMANN</strong> Internal auditors sometimes issue audit reports that look more like workpapers, with lots of words and data, providing few — if any — relevant insights and action items. If internal auditors really want to be seen as adding value to their stakeholders, they need to start reporting more strategically, with information relevant to the reader, leading with insights and action items instead of data. </p><h2>What is often missing from the audit report?</h2><p><strong><strong><img src="/2018/PublishingImages/Sandy-Pundmann.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />PUNDMANN</strong></strong> Audit reports are often missing the "why does this matter?" aspect. Auditors diligently try to write their findings using the condition, cause, criteria, and effect format. But, many times they don't convey the risks or opportunities, which tell readers why they should care. Formatting also is key. Can readers easily scan the report to quickly get the information they need? Does the report include an executive summary, key insights, and graphics? Audit reports should provide perspectives on what the project did not cover to avoid offering a false sense of security. For example, a cyber audit could mean many different things to different stakeholders. Did you conduct an attack and penetration audit? Did you look at resiliency? Clarifying which areas were in and out of scope can prevent the false comfort that comes with assuming auditors assessed something. </p><p><strong><strong>HUBBLE</strong></strong> Insight! Internal auditors can demonstrate the most value when they translate their internal audit results — observations as well as leading practices — into meaningful information from a business perspective. Internal auditors should ask themselves "So what?" when drafting the first paragraph of the audit report. They should think from a business leader perspective and communicate in a way that enables the business to understand the connection of the audit report to the business operation and to achieving its strategic objectives. Internal auditors also need to apply professional judgment and be comfortable giving insight on overall control environments without testing the entire control set within a particular function or process. By clearly articulating the scope of the audit, risk priorities, and their assessment of management's control awareness, internal auditors can apply their business acumen and provide insight from audit results that go beyond the number of control weaknesses identified.​</p><h2>What should auditors leave out of the report?</h2><p><strong><strong><img src="/2018/PublishingImages/michelle-hubble.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />HUBBLE</strong></strong> Information that has no correlation to the risks deemed as high priority in the risk assessment. Often, we see internal auditors performing end-to-end audits over an entire de​partment or process, testing controls that pertain to risks that are not seen as a priority for the organization. I've seen where low issues are not included in an audit report, though I would caution if an audit plan is truly risk driven, these issues should still be worthy of written documentation. I suggest auditors evaluate, during the audit planning phase, what control activities are correlated to priority risks and the overall audit objective. Continuing to consider the "so what" factor, the auditor will sharpen the audit scope. This way the auditor not only avoids documenting information that is not pertinent to the audit objective, but also does not spend time testing these areas. The level of detail for testing and reporting is something leading practice internal audit functions discuss with their stakeholders, explicitly with the audit committee or governing body. As reporting is a function of the assurance provided, it is essential that the auditors include or omit information as aligned with the internal audit mandate and risk assessment and audit plan approach. </p><p><strong><strong>PUNDMANN</strong></strong> Auditors don't need to share the entire journey of how they arrived at a finding. Appendixes can be used to provide supporting data and facts for the reader who wants more information. Exclude extraneous words and data that don't add value to the report. How many audit findings start out with "During our review we noted that …?" Filler words take away from the far more important insights elsewhere in the report. Crispness is key. ​</p><h2>What types of visuals can enhance an audit report?</h2><p><strong><strong>PUNDMANN</strong></strong> Lengthy reports that don't call attention up front to the most important items miss an opportunity to effectively communicate with the reader. Stakeholders want a quick view of priority areas first to help them get context and perspective, so they can discern where they need to dig in more deeply. Those quick views could come in the form of graphics, charts, infographics, ratings, or dashboards. We've particularly seen dashboards work well by offering visualizations or heat maps of internal audit assessment areas. </p><p><strong><strong>HUBBLE</strong></strong> Charts are always a favorite, as they are quick and easy to gauge results from a comparison of data. I suggest internal auditors start using interactive dashboards to further reinforce the notion that reporting is one piece of ongoing communication. Through interactive dashboards, report recipients can navigate the information and ask questions, allowing them to consume the information in a customized, organic way. ​</p><h2>Are there any adjustments for audit reports that will be read on smartphones?</h2><p><strong><strong>HUBBLE</strong></strong> Regardless of how a report is viewed, internal auditors should consider how the reader will consume the information. Of course, reports will be read on smartphones and formatting needs to be considered. Internal audit should align its communication plan with the organization's overall digital transformation — a strategic initiative in many organizations — specifically, as organizations shift to using apps in place of smartphone enabled, web-friendly browser views. Internal audit should lead by example and consider how it can communicate through a more holistic digital channel, such as using apps to communicate and interact across the function and with its stakeholders. </p><p><strong><strong>PUNDMANN</strong>​</strong> We need to assume that all audit reports will be read on a smart device. Beyond putting those reports in a device-friendly format, internal audit should try to get its key messages across up front in an executive summary or in the body of an email without forcing the reader to open endless attachments. ​</p>Staff1

  • Gleim-cia-changes-webinar_June 18-30_PRemium 1
  • SCCE 2018 June 19-30_Premium 2
  • IIA CIALS-CIA-Learning_June 2018_Premium 3