The Farley File<p>One of the most important questions for any internal auditor is, “Do you know who your clients are?” It’s so fundamental that most internal auditors can probably answer in the affirmative. However, there is a related question that, while just as important, is often overlooked: “Do you know them?”</p><p>Successful internal auditing requires not only knowing who our clients are, but also building rapport and a mutual understanding with them. It means knowing more than just a name and a title; it requires knowing the person behind that title.</p><p>For some people, getting to know clients is easy — especially those with a knack for remembering personal details, which can facilitate relationship building. But not all of us are blessed with that innate talent. The good news is that a simple tool can help.</p><p>James Farley was a U.S. postmaster general and chairman of the Democratic National Committee. His fame, however, comes from the role he played as President Franklin Roosevelt’s campaign manager. Farley kept a file on everyone he or Roosevelt met. It included information on their spouses, their children, and anything else he learned from earlier encounters. Whenever people were scheduled to meet again with Roosevelt, Farley would review the files with him. Roosevelt could then enter the meeting with knowledge that would help him build connection and rapport. Farley files are now commonly kept by politicians and businesspeople.</p><p>At a former job, without knowing we were doing it, my internal audit staff started building Farley files. When an auditor would meet with a client, we would create a file with information about him or her — name, hobbies, passions, etc. We noted advice for working with these individuals, such as effective conversation starters and how to present information to them, as well as how they felt about internal audit — fan, raving fan, lukewarm, actively hostile, etc.</p><p>Sadly, I don’t know if it worked. 
Not long after we started, I was talking with the human resources (HR) manager and explained our approach. He asked us to stop — and I understand his concerns. After all, HR is responsible for ensuring a lot of regulatory requirements are met when maintaining employee information, particularly when it comes to the security of that information and ensuring it’s not used to support discriminatory practices. But I also think he went overboard. In the world of do-overs, it is something for which I would fight. Even in the short time we started building the files, we found it was a valuable way to record and share the insights we gained about our clients.</p><p>Every internal audit department should consider keeping a Farley file. Work with HR to ensure there are no issues. But push to get it done. The better we know the people we work with, the better our work will be.<br></p>Mike Jacka
An Assessment of Internal Audit<p>Internal audit is supposed to be an invaluable ally for the audit committee. That doesn’t mean the audit committee shouldn’t try to evaluate the contributions of the function, anyway.</p><p>If internal audit doesn’t deliver value, nobody benefits. Risks can go undetected or unaddressed. Operations executives can grow exasperated with what they perceive as nit-picky auditors intruding into their domains. Above all, corporate boards could have an incomplete picture of the organization’s risks.</p><p>So when I saw The IIA’s new Internal Audit Assessment Tool for Audit Committees, I was intrigued. How have audit committees been faring at assessing the effectiveness of internal audit? </p><p>“How it’s done can vary,” says Ginger Jones, audit committee chair at global chemical company Tronox Corp. “It can be more informal than formal.” At Tronox, for example, the audit committee’s charter requires it to review internal audit annually, but doesn’t require it to use any specific tool for the task. So Jones has her own set of questions to consider, such as: How does internal audit handle tasks related to compliance with the U.S. Sarbanes-Oxley Act of 2002? How do business units view internal audit? How does internal audit develop its talent pipeline?</p><p>That’s a sensible approach. The question is whether the rest of the corporate governance world can implement an evaluation process with sufficient scope and rigor for the challenges organizations face. </p><h2>Understand Your Needs</h2><p>Internal audit exists to help the audit committee ensure risk management is effective. Thus, the audit committee first needs to ask: What do we want internal audit to do for us? Where is our assurance ability a bit weak? 
</p><p>COVID-19 reminded boards they need a lot of help with risk management, especially with understanding how emergent risks  can turn traditional risks, such as security, fraud, and supply chain, upside down.</p><p>“The lack of a structured work environment can increase the risk of fraud and corruption among staff and suppliers,” says Nocwaka Oliphant, audit committee chair at the South African Council for the Architectural Profession. “A sharp internal audit function would be expected to increase its fraud identification processes in conducting its work.”</p><p>Fraud isn’t the only ground shifting underneath the board’s feet. Oliphant can rattle off a list: public health and safety, business continuity, climate change, and more. Auditors should be able to assist with those assurance challenges. But how does the audit committee know internal audit is ready? </p><p>That brings us back to The IIA’s assessment tool. The document is split into six sections, with topics such as evaluating the quality of internal audit services, assessing communication with the audit team, and gauging its independence and objectivity. Within each topic are several questions an audit committee could ask.</p><p>“A lot of audit committees don’t truly understand what the full role of internal audit can be,” says Anne Mercer, IIA director of professional practices. “Chief audit executives can use the tool to have these conversations. It’s a way to open the door.” </p><h2>Assessment in Practice</h2><p>The assessment tool is meant to help audit committees forge closer ties with internal audit. Indeed, this tool is modeled after another one the Center for Audit Quality developed in the 2010s to help audit committees evaluate their external auditor. “We look at our tool as a companion to that,” Mercer says. </p><p>That said, an assessment doesn’t need to follow a fixed, formal approach. “Pick the parts that are important to you,” Mercer says. 
“You don’t need to assess all aspects every time.” </p><p>For example, consider how your organization embraces technology. If your business is a fast-growing startup that experiments with a lot of new technologies, you’ll need an audit function comfortable with analyzing new technology, and also embracing it for its own operations. An established multinational, on the other hand, might need auditors skilled at assessing regulatory compliance, assisting with large projects like a merger, or studying megatrends like climate change. </p><p>The assessment, itself, can involve asking senior executives how they view internal audit, as well as chats with managers in first-line roles. Do they ever invite internal audit to help them with projects? (A good sign.) </p><p>The audit committee also should consult with the rest of the board. What risks do they see as the organization’s foremost challenges? Does internal audit have the leadership, expertise, and resources to help with those matters?</p><p>“When I see high-functioning internal audit teams, they’re hiring great people, developing them, and then moving them into the business,” Jones says. That’s also a sign that internal audit has won over the business units. It’s the sort of cooperation that can put an audit committee’s mind at ease.</p><p>And there’s a lot of value in that. <br></p>Matt Kelly
The Efficient Audit Function<p>The term <em>efficiency</em> refers to the volume of input needed to produce a certain output. Fewer inputs used for the same output, or the same inputs used to get larger output, result in increased efficiency. When it comes to internal audit work, efficiency can be measured in various ways and for different audit activities. Efficiency should be of particular interest when it comes to completing audit activities with scarce resources.</p><p>Many internal audit departments struggle to complete the audit plan within a certain time and improve efficiency. From this point of view, one could measure audit efficiency by the number of hours spent on executing audit procedures and other activities relevant for audit completion. Focusing on inputs of audit work, there are specific aspects that should be addressed to measure and improve audit efficiency.</p><h2>Announcing Audits</h2><p>Practitioners should strive for a transparent approach to the audit plan, rather than keeping it a secret. While an element of surprise is important for certain audit engagements, it is not the case for most engagements. Additionally, announcing an audit early can help manage audits during challenging periods, such as during the holidays or vacation season. This could potentially avoid possible bottlenecks of having to wait for the documentation to be delivered or client availability for interviews. After all, if auditors strive to be trusted advisors to their organizations and there is trust on both sides, there should be transparency.</p><h2>Assessing Resources </h2><p>When developing audit plans, internal audit should assess the working hours needed separately for each engagement. Setting up the same, or average, resources as a uniform standard does not help measure and improve audit efficiency. When done that way, some engagements will be under time constraints, while others will have more time than needed. 
Other important aspects that require realistic consideration and planning include vacations, sick leave, and administrative and other audit activities, as well as any resources needed for fraud investigations and consulting activities, which may occur during the same time as the audit engagement.</p><h2>Scheduling</h2><p>Scheduling the engagements allows all employees — not just internal auditors — to be aware of what is expected from them and to schedule their activities accordingly. Waiting to schedule engagements until after the completion of the previous audit can lead to huge workloads and pressure for the audit team, as well as discourage efficiency improvements. Worse, it can lead the department to stagnate or lose efficiency.</p><h2>Deadlines and Exceptions</h2><p>Clearly defined audit engagement completion deadlines are necessary for efficiency. They should be treated as time management guidelines that help auditors stay in line with relevant plans and targets, rather than strict, rigid limitations. The absence of deadlines could create chaos within the audit department and result in engagements that never end. While prolonged deadlines are sometimes needed, they should be the exception and not the rule. If they occur frequently, it may indicate that the audit planning or execution is not working correctly. </p><h2>Empowering Audit Teams</h2><p>Trusting audit team members to organize and execute engagements, stay in line with audit methodologies, and keep to deadlines without constantly checking on them allows them to find their own flexible solutions to accomplish their goals. In a trustful, open, and honest relationship, leaders step in when asked to help solve any problems encountered by auditors that they're not able to work through on their own. This trust should also exist among audit team members. 
</p><h2>Automating Audit Procedures</h2><p>Automating audit procedures can improve work efficiency by providing quicker analytical insights on data, trend analysis, graphical representations, and outlier identification. However, overreliance on automation could have an adverse effect if its use is not thought through. It may result in more manual work after the automated procedures have been completed in comparison to the manual execution of relevant audit procedures.</p><h2>Consider Stop-and-go Auditing</h2><p>A stop-and-go audit approach may help some departments find efficiency and add value. When planning an audit project, the lead auditor develops:</p><ul><li>A more up-to-date and in-depth understanding of the risks in the subject area than the audit management team could have when they added it to the periodic audit plan.</li><li><p>A sense of the control environment and culture of the area. </p></li></ul><p>After the planning phase, the lead auditor and audit manager make a "stop or go" decision. If an assessed risk is lower in comparison to other areas not in the plan, they write a memo explaining why to all concerned parties.<br></p><p>If the decision is made to proceed with the audit, the next step is to assess the design of the controls over the key risks. If it is concluded that the controls are well-designed and auditors are satisfied with the culture, they might stop the audit without performing any testing. An audit report is issued, but it states very clearly that the opinion is only on the design, and this is understood by all parties. Or, they proceed to full testing.</p><p>This technique runs the risk of missing deficiencies, but that is always a possibility. Stopping audits when there is a sufficient comfort with the risk saves time to audit other areas that seemed less risky during the periodic planning process, but are now perceived to have greater risk. 
</p><h2>Efficiency KPIs</h2><p>There is no unique set of efficiency-related key performance indicators (KPIs) that fit all audit activities. When designing KPIs, auditors can apply the usual risk assessment approach to identify which aspects require action. Good starting points are assessing current efficiency; observing the strengths, weaknesses, and motivational aspects for auditors; and identifying risks. With this approach, the audit function can identify the aspects it should focus on to improve efficiency, and create and verify relevant KPIs in line with the assessment.</p><h2>Continuous Monitoring</h2><p>Monitoring progress also is important for measuring and improving audit efficiency. Designing a dedicated dashboard for this purpose, with the aim of having continuous, real-time results readily available, would give an overview of the whole audit department. In this way, all audit team members could constantly monitor their progress, note when and where corrective actions are needed, and implement them in a timely manner.</p><h2>Maintaining Quality</h2><p>Considering that internal auditors are trusted advisors who are expected to provide valuable and useful insights, actions to measure and improve audit efficiency are meaningless if they result in poor quality audits. Thus, maintaining the holy union of efficiency and quality should never be questioned or compromised.<br></p>Maja Milosavljevic
A Comprehensive Talent Strategy<p>The disruption created worldwide by COVID-19 requires that organizations adapt to the new normal of a post-pandemic business environment. The pandemic forced new challenges on organizations already dealing with such disruptors as the gig economy and the impact of digitalization.</p><p>For organizations generally, and for internal audit specifically, having trained and motivated employees is vital. Indeed, The IIA's OnRisk 2021 report identified talent management — which includes identifying, hiring, and retaining top talent — as one of the most relevant risks facing today's C-suites, boards, and audit executives. </p><p>To meet these demands, internal audit leaders should have a comprehensive talent management strategy that addresses recruiting needs and professional development challenges. Hiring managers also need to approach talent with an eye toward cultural fit, and to maintain a positive, supportive environment that keeps employees connected and engaged.</p><h2>A Different Kind of Recruiting</h2><p>Dana Lawrence, senior director of Compliance and Internal Control at Azlo, a San Francisco-based online bank for small businesses, says she has a different perspective on recruiting. "I'm an extension of the company," she says. Lawrence promotes the company and her department within the audit and risk community, whether at internal audit events, tech meetups, or other venues. Because she has worked with smaller companies, she sees this as important in building the brand of her organization and for attracting a larger pool of applicants.</p><p>Lawrence says she advises internal audit hiring managers to approach qualified candidates they know, even if those individuals have not applied for the job. 
This is an important consideration in terms of diversity, equity, and inclusion, she says, as it helps reach potential candidates who might not think they're a match for the position.</p><p>Citing a 2019 LinkedIn survey, Gender Insights Report: How Women Find Jobs Differently, Lawrence notes that men will apply for a position if they have 60% of the qualifications, while women tend to apply only if they meet 100% of them. "Men will stretch, women might tend to be more self-limiting," she says, adding that she works to bring more women into her recruiting pipeline.</p><p>At Huntington National Bank, where IIA Director of Professional Practices Dan Walker formerly served as vice president, audit group manager, internal audit brought diverse candidates into the interview process but kept many of their personal details anonymous. They scrubbed resumes of names, colleges, and other information that could potentially lead to bias against candidates, he says. In addition, the bank worked to include more diversity among interviewers. </p><p>Lawrence adds that bias training is important for interviewers, as it helps give them a different perspective. "I've tended to see people typically favor people who are like themselves," she says. </p><p>Stacey Schabel, senior vice president and chief audit executive at Jackson Financial Inc. (JFI) in Lansing, Mich., says she takes a balanced approach in structuring her team. When hiring, she looks to maintain a mix of different backgrounds, knowledge, and expertise, which could include someone with external audit experience, or a data scientist who has never worked in internal audit.</p><p>For example, she says, a key leader from another department in the company can join the team and learn, hands-on, about internal audit. Importantly, that individual brings his or her technical knowledge to the department and can serve as an advocate for the value internal audit brings to the organization. 
"We don't just think about hiring auditors, we focus on core knowledge and expertise," she says.</p><p>Schabel underscores the importance of having a talent pipeline, which at JFI includes leaders as well as interns and contacts across the industry. She also stresses the need to think ahead, and to be plugged into the organization's strategic objectives, as a means of planning for the expertise that will be needed to support future work.</p><p>Banco del Crédito, as the largest bank in Peru, historically did not have a problem attracting talent, and preferred to hire from the Big Four firms. But since shifting focus to data competencies, especially data analytics, it has had problems finding auditors with these competencies through the traditional recruiting process, says Enzo Tolentino, the bank's head of Audit - Data Analytics and Corporate Development.</p><p>As a result, interns are an important source of talent, comprising about 10% of the internal audit department's 95 practitioners. The department looks for interns a year away from graduation who have the potential to be trained in auditing and data analytics. The internship gives internal audit time to work with the interns, to get to know them and their abilities.</p><h2>The Importance of Culture</h2><p>The cultural fit between new employees and the organization needs to be discussed throughout the talent management process, from recruiting to professional development, Walker says. Hiring managers need to have a thorough conversation with prospective employees during the interview process to determine their compatibility. </p><p>Once employees are hired, keeping them engaged and maintaining a positive, supportive culture should be a priority — particularly in the remote work-world of the pandemic. In part, this involves helping the team stay connected. 
Walker advises creating opportunities for people to talk to each other, such as a virtual coffee, or happy hour activities such as Pictionary or music trivia.</p><p>Lawrence points to the value of Gallup's Q12 employee engagement questionnaire, which asks employees to consider basic questions about their workplace — do they have a best friend at work, have they gotten recognition or praise for doing good work? In the current work environment, employees need to know that their manager has an interest in their career and in their goals, she says. And organizations need to review the results and take action where appropriate, Walker adds.</p><p>Maintaining camaraderie and morale during the pandemic and the shift to remote work has been a focus at JFI, Schabel says. When work first went remote, her team continued with the same number of formal meetings, but realized they were missing the spontaneous chats and quick phone calls that take place in an office.</p><p>After informal surveys to gather the team's feedback, meetings were added to build in unstructured time. That way, areas that needed to be addressed could be covered, while also allowing time for more chats. The most important and effective step has been keeping in touch with all of her team members, Schabel says. This ensures that she understands what her team members need and makes them feel valued and connected.</p><p>Schabel sees her job as a leader supporting JFI's success as a company, she says, but also as supporting her team members as people. She seeks to understand their goals and help them grow and develop into leaders who can build on their knowledge of internal audit and serve JFI, and the internal audit profession, in many ways.  </p><h2>Training and Development<br></h2><p>Everybody on JFI's audit team is expected to become a Certified Internal Auditor (CIA), as well as earn specialty certifications related to their areas of focus, Schabel says. 
"It supports the necessary training we need to perform our role well and shows the level and knowledge and expertise we have," she says, adding that this is especially important for team members who are not auditors by background. </p><p>Lawrence says she expects potential hires to have appropriate technical skills, and she looks for candidates who are open to feedback, can accept criticism, and have resilience coupled with curiosity. "This is not a job for everyone," she says, "but if you genuinely are curious, and you can be comfortable with being uncomfortable for quite a while, it can be a pretty cool career path." </p><p>Lawrence says her training program is not structured, partly due to the nature of working in a startup organization. Even so, she has a training budget, and she is a big believer in certifications. Every member of her team is either a CIA or working toward becoming one. She also gives her employees stretch assignments, depending on their career goals. </p><p>Lawrence says she holds weekly one-on-one meetings with her team members, and managers are expected to do the same with their employees. Short-term, one- to five-year goals are discussed in quarterly meetings. "I totally believe in supporting people in their career path and in the direction that they want to go," Lawrence says.</p><p>Managers and employees need to have conversations about their performance and their plans for growth, Walker says, and this is true regardless of whether the organization has a skills assessment or formal training plan. Lawrence agrees, emphasizing the importance of investing in employees. "I think engaging people, genuinely listening to them, genuinely showing support, and trying to challenge them appropriately is the key to retaining talent," she says.</p><p>Walker also points to the importance of tailoring skills assessments toward individual training needs. 
At Huntington, his group built its own competency model with 50 core audit skills and 94 financial services competency areas. This model was mapped to the audit plan, which allowed the group to look at upcoming audits and see the potential skills gaps. Employees also completed a skills assessment that included both a self-assessment and a manager assessment to identify gaps in competency levels. Significant gaps were evaluated to develop individual and department training plans. Any remaining gaps were addressed through co-sourcing or recruiting efforts (see "Talent Development Cycle" at right for a high-level depiction of the process). <img src="/2021/PublishingImages/Talent%20Management-Talent%20Development%20Graphic.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /><br></p><p>Such an integrated framework is important for capturing and evaluating professional skills based on competencies, Tolentino says. Currently, his organization is aligning standards for the recruiting process with competency development. In addition, Tolentino is working to include the specific needs of internal audit in the evaluation model. The organization's goal is to have the same standards in recruiting, competency development, and performance evaluation. </p><p>The bank's training curriculum has three levels — basic, intermediate, and advanced specialty — totaling 160 hours of coursework. The basic level reinforces areas of knowledge the new employees already should have, such as internal controls, risk management, and The IIA's International Professional Practices Framework. The intermediate level covers emerging needs like data analytics and Agile methodologies, while the third level includes specialized areas such as cybersecurity and market or credit risk.</p><p>What has the bank learned? First, required competencies and learning outcomes need to be linked; and second, the curriculum needs to be responsive to changing circumstances. 
Finally, the department needs to be creative to deal with reduced budgets, for example, by using employees who have training experience, Tolentino says.</p><h2>Talent Management in the New Normal</h2><p>Hiring managers, including those in internal audit, will face challenges recruiting workers in the post-COVID-19 work environment, making it imperative for them to have a comprehensive talent management strategy. They will need to look for a mix of skills and backgrounds in their recruits, and importantly, will need to look for recruits with curiosity and a desire to learn — traits that will be a necessity as organizations navigate the new work landscape.</p><p>And just as importantly, managers will need to maintain a positive, supportive culture. They also will need to be flexible in the changing environment, supporting their employees and at the same time challenging them to develop their career, even if it means those employees eventually leave the organization.<br></p>Geoffrey Nordhoff
Return to the Workplace<p><span class="ms-rteStyle-Quote">"Not everyone will be super comfortable with in-person interviews because of COVID-19, but I understand we are business as usual."</span><br></p><p>That's the response I got when I asked a warehouse manager if he preferred for me to conduct audit interviews in person or over Microsoft Teams. When my organization pivoted to working remotely in April, I was confident we were facing the greatest challenge our audit function would see in 2020. However, our return to the workplace and the new challenges it created proved me wrong.</p><p>I've read some outstanding articles and attended great webinars on best practices for auditing remotely, and I'm grateful these resources exist. But I fear many of us are failing to prepare adequately for how to audit when our companies shift back into a state of "normal" — or a new normal unlike anything we've experienced before.</p><p>My organization was one of the first to bring all of its corporate employees back to the workplace. With some precautions such as mask wearing in common areas and socially distanced seating in conference rooms, we were told it was "business as usual." However, I quickly learned that business as usual was anything but usual. </p><p>Some of my audit clients prefer in-person meetings. Others have asked me to conduct an entire audit virtually with file sharing and video calls from our individual offices in the same building. Still others have preferred a hybrid approach. While I'm still learning how best to navigate auditing during the pandemic, I've picked up a few tips along the way that I hope will help guide others as they also return to the workplace.<br></p><h2>Overcommunicate </h2><p>Communication is key in the best of times. In the worst of times — or a global pandemic — it's absolutely critical. I've started keeping a catalog of the department heads who prefer in-person meetings versus virtual meetings. 
If I'm not sure, I schedule the initial planning meeting as a video call, which sometimes results in their telling me to just come to their office. We then discuss their preferences as well as the goals for the audit and work together to find a way to accommodate both. </p><p>Sometimes it's a challenge. In the audit referenced above, we needed to observe some processes occurring in the warehouse, but some of the warehouse staff weren't comfortable with an in-person visit from internal audit. At the same time, they lacked the technology needed for us to perform a virtual observation. As I worked with the warehouse manager to find a solution that was both within his team's comfort level and conducive to providing the audit assurance we required, we found creative solutions. For example, he arranged for me to observe an employee who'd already contracted and recovered from COVID-19 and was less concerned about in-person interaction. We also established clear expectations — during my visit, for example, we would all wear masks and distance as much as possible. What had seemed like an auditing nightmare 30 minutes earlier quickly became feasible because of clear, intentional communication and expectation-setting.</p><p>In another audit, client team members expressed their preference for conducting all interviews virtually. We agreed to their request and arranged for video conferencing. One of the interviewees, a technical expert with the group, mentioned his exhaustion after our lengthy, 90-minute discussion. With an in-person interview, I would have quickly noticed the warning signs of exhaustion and asked if he wanted to end the meeting for the day and resume later. Since he was sharing his screen, I wasn't able to look for visual cues of discomfort. I learned the importance of more frequent check-ins during video calls and of giving clients more options up front for meeting lengths and structure.      
</p><h2>People Not Politics </h2><p>One of the least foreseen challenges of COVID-19 era auditing has been avoiding what I call "pandemic politics." I work in a building with around 700 people, and each has his or her own perspective on how our COVID-19 response should have gone and how we should be acting in the workplace. Whether masks really work or are an invasion of personal liberty, the extent to which one should limit in-person social interactions, and whether COVID-19 is a devastating virus or "just the flu" are all topics about which most people seem to hold strong opinions. Of course, the mix of opinions held may also differ by region and culture. </p><p>I've found it helpful to avoid discussing the politics of the situation and instead focus on the people. I try to assess and defer to others' preferences and comfort levels whenever possible — as long as it does not conflict with the organization's COVID-19 policies — so that I'm not unintentionally sending the wrong message and damaging a working relationship.   </p><p>Auditors should feel empowered to communicate their preferences as well, and it can be done without getting political. There have been times, for example, when I've found myself uncomfortable with a proposed scenario that did not involve social distancing. Explaining that, as an auditor, it's important to follow the organization's social distancing policies has gone a long way in avoiding potentially dangerous situations without hurting feelings. I've also found that as I show my respect for others' preferences, they are quick to return the favor.          </p><h2>Establish Risk Appetite</h2><p>In every aspect of the business, internal auditors need to understand the risk appetite the board and management have chosen to adopt. Understanding the pandemic risk appetite is no exception. 
As an essential business that operates more than 850 convenience stores, my organization has taken on some risk to keep its stores open. Understanding this appetite helps me as I plan, perform, and report on audit and consulting reviews, including a lookback our chief audit executive (CAE) and I facilitated on our organization's COVID-19 response efforts.</p><p>However, it's also vital for me to set and define my own personal risk appetite and to verify that it generally aligns with that of my organization. Performing audits at my organization would be especially challenging if I were not willing to accept the risks of returning to our office, resuming some modified business travel, and interacting face-to-face (or mask-to-mask) with clients. Understanding my tolerance for COVID-19 risk has also enabled me to request accommodations at times — for example, asking to be booked on airlines that have strict cleaning procedures and require masks. It's also empowered me to make personal choices such as taking the stairs versus a crowded elevator, wearing a mask during meetings, or distancing myself during larger work gatherings.</p><p>If you are an audit leader, it's important to understand your staff's risk appetites as well. Several months ago, a coworker returned from an out-of-town audit where he was scheduled to observe a key second line function. The person he was supposed to observe had been running a fever but insisted he would be there for the audit meeting. Thankfully, my coworker knew his own risk appetite and had been empowered by our CAE to make the right choice by rescheduling the observation. This turned out to be particularly fortuitous as the person he would have been observing received a positive COVID-19 test result later that day.<br></p><h2>Be Agile</h2><p>We had our "normal" audit process pre-COVID-19. Then we developed a new normal during our pivot-to-home time and again when we returned to the office. 
But frankly, my new normal changes with every new engagement I begin. It changes with every meeting I conduct and every project I lead. Change is our new normal. I used to believe that communication was the most essential skill for a 21<sup>st</sup> century auditor. I now believe it to be agility. Only through proactively anticipating and adapting to a constant state of change will we succeed in staying relevant and delivering value both during and after the pandemic.</p><p>Agility involves looking at each engagement with a fresh eye. Reusing the previous year's work program is widely regarded as a dangerous audit pitfall, yet many auditors still blindly follow this practice. During the planning phase of every audit, our group tries to approach the scope with an open mind and adapt our procedures to add the most value. Sometimes this involves adding a consulting component. Sometimes it involves scoping out a low-risk area or focusing more on an emerging risk. I have yet to work on an audit where the risk control matrix was identical from year to year. While agility has historically been a core element of our internal audit department, the pandemic and its new challenges have only emphasized its importance.  </p><h2>Keep Innovating</h2><p>While the pandemic brought unprecedented challenges, auditors responded with insight and innovation. In many organizations, auditors took on new roles as trusted advisors, using their knowledge of risk to provide advice and assurance in nontraditional ways. Some auditors assisted with evaluating or advising on the COVID-19 response plan. Others developed more efficient procedures using data analytics or robotic process automation. Auditors found that not only could they audit remotely, but they could also minimize disruption to the business. We found that, in some cases, auditing virtually actually provided benefits. 
</p><p>It could be tempting when returning to the workplace to go back to "business as usual," especially if at that point the threat of COVID-19 is greatly reduced. Or it could be tempting to retain all the changes made during the pandemic. But we must evaluate which changes were true innovations that we should keep versus adaptations needed for a period of time. We must also keep innovating at the same speed we did in 2020 because emerging risks aren't slowing down. </p><p>Auditors proved in 2020 that we were capable of rapid, creative, and noteworthy innovations. It's only by continuing along that revolutionary path that we can continue to increase the value audit provides into 2021 and beyond.<br></p>Jami Shine
Update: Audit's Pulse Is Strong<p>The IIA's latest North American Pulse of Internal Audit report reveals the profession is doing better than many audit leaders initially feared under the shadow of the COVID-19 pandemic. The survey of 588 internal audit leaders finds that although the pandemic's impact on organizations has been severe, its impact on internal audit has been largely stable. </p><p>For example, 80% of health-care industry respondents rate the pandemic's impact as extensive for the organization, but only 37% say it had an extensive impact on internal audit. Less than 20% of audit leaders in financial and insurance organizations rate COVID-19's impact as minimal for the overall organization, but 41% rate it as minimal for internal audit.</p><p>This is not to say that internal audit functions were unaffected, however. Travel budgets were drastically reduced across industries. Yet despite such cuts, many variables that are most important to assessing internal audit's health remain relatively stable.</p><p>For example, only 17% of respondents report internal audit staffing budgets were cut, and only 26% say their external sourcing budgets have decreased. For professional development, 69% of respondents say their budgets stayed about the same or increased. </p><p>Overall, 44% say their budgets have stayed about the same. Internal audit staffing was more stable, with 64% reporting their staffing levels remain unchanged. </p><p><img src="/2021/PublishingImages/Update-apr%2721-factoid-1.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:190px;height:722px;" />Although internal audit functions still face challenges as a result of the pandemic, such signs are encouraging as the economy recovers. 
"While the pandemic continues to extract a heavy cost and organizations manage through crisis, many internal audit functions have been able to adapt, innovate, and rise to the challenge," says Jim Pelletier, vice president, Professional Standards and Knowledge, at The IIA. <strong>— L. Wamsley</strong><br></p><h2>ESG Is Top Success Driver<br></h2><h3>Investors link environmental and social impact to value.<br></h3><p>Nearly half of institutional investors rate the integration of material environmental, social, and governance (ESG) opportunities into strategy as the biggest driver of success, according to the EY Center for Board Matters' 2021 Proxy Season Preview. Of the more than 60 institutional investors surveyed, 42% cite the diversity of the board, management, and workforce as a top driver. </p><p>The report offers six ways to help companies enhance their ESG reporting, starting with focusing on topics that intersect with the business and its strategy. It advises that "investors want boards to help companies adapt their strategies for a future in which prioritizing stakeholders and considering environmental and social impacts will be critical to building resilience and creating long-term value."</p><p>Without mandated ESG reporting globally, ratings systems have proliferated but are poorly correlated, according to Aggregate Confusion: The Divergence of ESG Ratings, a working paper from the MIT Sloan School of Management. One attempt to establish a global set of uniform standards is Stakeholder Capitalism Metrics, released in September 2020 by the World Economic Forum International Business Council. <strong>— L. Nelson</strong><br></p><h2>Contrasting Views of Today's Risks <br></h2><h3>Global studies warn of digital- and pandemic-related threats. <br></h3><p>Risk is in the eye of the beholder, and such is the case in looking at two global risk reports for 2021 and beyond. 
There are crossover areas of risk in the Global Risks Report 2021 from the World Economic Forum (WEF) and Executive Perspectives on Top Risks for 2021 and 2030 from North Carolina State University and Protiviti. Predictably, the pandemic rose to the top of both studies. </p><p>The WEF report focuses on societal impacts of risk based on insights from about 650 respondents representing international coalitions, business leaders, academia, and government and nongovernmental organizations. The N.C. State/Protiviti report represents the views of 1,081 C-suite executives and board members. Each respondent group sees the pandemic from different perspectives.</p><p>Business leaders view the crisis through the lens of pandemic-related policies and regulations as well as how economic conditions may constrain growth and reduce customer demand. The WEF study, meanwhile, identifies livelihood crises and youth disillusionment as knock-on effects of the pandemic. </p><p>Digital disruption also features prominently in both surveys, with business leaders concerned about retraining employees and competing with "born-digital" companies. In contrast, the WEF report examines this risk through the lens of digital inequality, digital power concentration, and adverse technology advances. Cyber risk is echoed in both studies.</p><p>The biggest disconnect involves climate change. The environment is not as high on the radar of business leaders, with some exceptions. "Climate is in there, but it's not a short-term issue for 2021," said Mark Beasley, director of the Enterprise Risk Management Initiative at N.C. State University in Raleigh, during a recent Protiviti webinar. </p><p>Conversely, climate action failure, human-caused damage, extreme weather, and biodiversity loss rank high in the WEF's risk survey. <strong>— C. 
Janesko</strong></p><h2> <img src="/2021/PublishingImages/Bob-Zukis-215x240.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Cyber Governance After SolarWinds<br></h2><h3>Following the massive 2020 cyberattack, boards will be accountable for catastrophic systemic risks, says Digital Directors Network CEO Bob Zukis.</h3><p> <strong>Is the magnitude of the SolarWinds attack putting pressure on boards to be accountable for cybersecurity governance? </strong></p><p>While I don't think we'll see a Sarbanes-Oxley-like regulatory response, it will result in some targeted legislation — specifically the U.S. Cybersecurity Disclosure Act. This legislation will require the board to disclose if it has any directors with cybersecurity skills. Now cybersecurity is an investor and consumer public interest issue, the stakes are high financially, and it's clearly in the public interest. So regulators have to act because companies are not even taking the basic steps they should be.<br></p><p>In terms of governance, the SolarWinds breach is highlighting the scale and scope of systemic risk — that is, risk within and between the parts of a highly connected digital ecosystem. This also will be a real challenge for the technology industry to identify and mitigate systemic risk issues and concerns for their products. The first class-action lawsuit has already been filed against SolarWinds focusing on claims of misleading disclosures around the impact of its products to its customers. But every company's digital business system is also inherently rife with systemic risk.<br></p><p> <strong>Are directors knowledgeable enough about the risks and all the different ways attacks can occur to provide effective oversight and governance?</strong></p><p>Most corporate boards are nowhere near where they need to be. The fact that well over 50% of the S&P 500 still tasks their audit committee with cybersecurity risk oversight is one warning sign. 
However, there is a small group of leaders who get it. They are putting cybersecurity skills onto their boards, organizing their boardroom efforts on these issues in focused technology and cybersecurity committees, and starting to change how they understand risk — moving beyond conventional risk management into systemic risk management.</p><p>While accounting and finance directors on audit committees do a great job, the skills and competencies aren't there to effectively oversee the cybersecurity agenda. You can't govern what you don't understand. Directors need to do much more than ask questions; they are there to question and understand answers.</p><p> <img src="/2021/PublishingImages/Update-apr%2721-factoid-2.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:190px;" />The full board should also be trained and develop a base competency in digital and cybersecurity risk oversight. As more and more business value drives through digital means and channels, boardrooms need that cybersecurity breadth and depth to protect the digital value that they are creating.</p><p> <strong>How can internal audit functions help boards be more prepared and informed to address cybersecurity risks?</strong></p><p>This is the lesson from SolarWinds and the digital business system: Companies will continue to neglect systemic risk at their peril. Systemic failure is often much faster and cataclysmic than traditional risk failures. That's what's unique about cybersecurity risk — there is a constant battle to take or impair value going on. Improve your odds of winning that battle, and it drives a better business outcome. Cybersecurity risk is also increasingly looking to exploit the inherent systemic weaknesses in complex digital business systems, so the two need to work together. </p><p>This is where internal audit has a critical role to play in understanding, managing, and mitigating systemic risks throughout a business. 
Cybersecurity risk is the active threat to the digital business system. The internal audit function has an entirely new world of risk to begin to understand, and it's all about systemic risk. Delaware Supreme Court Chief Justice Collins Seitz recently said, "Boards must be able to demonstrate credibly that they are thinking about systemic risk." If the courts are making this kind of a statement, they are clearly anticipating holding the board to a higher standard of accountability to this issue.<br></p><h2>Fixing America’s Broken Infrastructure<br></h2><h3>Investment is needed to raise competitiveness, report says.<br></h3><p>Revitalizing U.S. infrastructure is a recurring theme in the political platforms of the country's two main political parties. Yet, "nearly every facet of the country's infrastructure is below global standards and deteriorating daily," says a report from the Committee for Economic Development of The Conference Board. </p><p>COVID-19 has only "increased the urgency of raising America's global competitiveness," according to A U.S. Infrastructure Plan: Building for the Long Haul. The report from the New York-based business think tank notes that federal nondefense physical investment has generally declined since the 1960s. </p><p>Closing the U.S. infrastructure gap will require principled cost-benefit analyses, sound use of public–private partnerships, and alternative approaches for using private investment resources, the report advises. Efficient choices will account for climate change risk and incorporate user fees into sustainable funding, according to the report. <strong>— L. Nelson</strong><br></p>Staff
Learning, Growth, and Inclusion<p>Just weeks after accepting his position as IIA president and CEO, Anthony Pugliese's schedule was jam packed with IIA-related activities. He arrived bright-eyed and smiling at IIA Global Headquarters for meetings, interviews, and a photo shoot amid a whirlwind schedule.</p><p>That whirlwind will no doubt intensify as Pugliese officially takes the helm, replacing longtime leader Richard Chambers. He says he is enthusiastic about the potential for a more vibrant, innovative, and future-ready internal audit profession — and IIA. His vision prioritizes new approaches to learning and training; technological advancement and acumen; human intelligence skills; and diversity, equity, and inclusion (DE&I) — all vital to internal audit's long-term growth and relevance, he says. </p><p>"Internal auditors get to see the whole organization in a way that not many others do," Pugliese says. "That can be challenging, but it's also exciting because it never stops changing and our profession gets to be in the middle of it, advising management and giving assurance to shareholders and audit committees." </p><p>Pugliese's broad experience includes seven years at Deloitte, 21 years at the Association of International Certified Professional Accountants (AICPA), and more than two years in his most recent position, president and CEO of the California Society of CPAs (CalCPA), the largest state CPA organization in the U.S. The IIA's Global Executive Search Committee selected him after a meticulous, stakeholder-informed global search. 
"Anthony has the breadth, depth, and scale of experience, business acumen, and strategic thinking that will facilitate the growth of The IIA and ready it for the future of the internal audit profession — from membership and global advocacy to digital transformation and technological innovation," says Mike Joyce, Blue Cross Blue Shield Association vice president, chief auditor and compliance officer, who chaired the committee.</p><h2>Turning Vision Into Action</h2><p>When digging into his new role at The IIA, Pugliese asked individual stakeholders open-ended questions, allowing themes to emerge organically. He takes in data "constantly and quickly," he says, combining intuition and judgment, grounded in the facts he has available. "I don't like to get bogged down, and I try to find the common themes," he notes. "Complex problems can often be simplified with questions like, 'Why do we do that?' or 'What are we trying to fix?'"</p><p>Pugliese's ability to consume information quickly and distill it into a clear strategy has been noted throughout his career. "Anthony has a superhuman ability to synthesize information from across the organization, connect ideas and people, and drive collaboration and results — all with a sense of humor and wit that makes working with him feel like fun," says Heather Pownall, a management consultant for (ISC)<sup>2</sup>, who worked in business development under Pugliese's leadership at the AICPA. "He was the connective tissue, understanding everything that was going on across the organization and unifying the executive team."</p><p>The IIA's Executive Search Committee noted that Pugliese exuberantly takes on challenges and develops vision, strategy, and actionable plans. "Establishing a vision and being able to drive it through is a critical leadership skill," says Charlie Wright, Jack Henry & Associates chief risk officer, who served on the committee. 
"Anthony is a seasoned association leader who has a strategic focus on running a business, which will be critical to taking The IIA from where it is today and bringing us into tomorrow. He has very creative ideas about partnerships, our approach to training, how to respond to disruptive technology, and how to advance our digital transformation process."</p><h2>Responding to Change and Disruption</h2><p>A key priority for Pugliese is ensuring the internal audit profession remains relevant in today's highly disruptive business environment. Internal auditors must keep moving beyond their comfort zones, he says. They must consistently seek to expand their awareness and update their competencies through continuing education and training, especially in the areas of technology; human intelligence; and environmental, social, and governance (ESG). "The primary role of any professional association is to make sure that its members stay relevant," he explains. "The world is at a point where change is so fast that the people coming out of colleges and universities have more knowledge than the people mentoring and supervising them, so it's really incumbent upon our members to keep up. That is why I think education is so important."</p><p>While internal auditors hold the responsibility for seeking opportunities to learn, Pugliese also recognizes that The IIA must continually produce training on timely, relevant topics and design training platforms that attract members and give them something valuable. "We have to figure out a way to make learning fun so that people want to do it and that it's relevant to the issues we want to solve," he says. "Successful training means members walk out knowing how to do something versus just being able to remember what they heard."</p><p>Pugliese also says internal auditors need to be on the leading edge of awareness about technological developments and trends. 
"Technology has gone from being a way of increasing efficiency to something that is far more transformative across business and surely across every profession," Pugliese told Richard Chambers in a February edition of Chambers' IA Insights and Advice video series. "Embracing some of the disruptive aspects of business today and being able to guide management and boards and audit committees through things like technological disruption is going to be huge in positioning us for ongoing relevancy."</p><h2>Going Beyond Technology</h2><p>But internal auditors should not limit their continuing education to technology, Pugliese says. ESG is a burgeoning area that internal auditors are well-positioned to address. "Measuring and assessing nonfinancial indicators of success is really exciting, and internal auditors are very well-situated to do that kind of work, in fact better than almost any other profession," he says. "It's one of the biggest opportunities I've seen for internal audit to add value in a tangible way, not just to management and the board, but to everybody."</p><p>Human intelligence competency is also important for internal auditors. "Those skills you don't necessarily consider critical to a job — perception, intuition, and teamwork — actually are becoming more important," Pugliese says. "Internal auditors have to rely on many different people in the conduct of their work; they can't possibly know it all. So being able to assemble and lead a team is vital. Sometimes those skills are natural or innate, but often you can acquire them." </p><p>A self-described extrovert, Pugliese counts humor among his human intelligence skills. "Sometimes people can be overly serious when the situation doesn't warrant it," he says. "I found out early on that if you've got a good knack for using the right kind of humor and the right timing, it can defuse a lot of tension and anxiety." 
</p><p>While a love of people and a quick wit seem to come naturally to Pugliese, self-awareness, which he defines as understanding the way one is perceived by others, is more hard-won. "That's actually very important for any job, but particularly in the CEO role, much of what you do is to motivate people," he says.</p><h2>Cultivating An Inclusive Culture</h2><p>Pugliese is known for his ability to engage and empower people — key ingredients for building an inclusive culture. Terry Grafenstine, global chief auditor for technology at Citi, is a longtime IIA volunteer and member who met Pugliese while serving on the AICPA's board. As a public sector internal auditor, she was worried about fitting into a group dominated by private industry CPAs. "Anthony made me feel so welcome, like the things that I contributed were different and meaningful," Grafenstine recounts. She says Pugliese was instrumental in the AICPA's merger with the U.K.-based Chartered Institute of Management Accountants (CIMA) and that he brought together individuals from different cultures, backgrounds, and industries, and motivated them around a common vision. "He made us feel like what we each had to say was important, and as a result, he got more out of the sum than the parts," Grafenstine explains.</p><p>Demonstrated effectiveness as a driver of inclusive culture was important to the executive search committee and the stakeholders surveyed by the committee at the onset of the process. The business benefits include increasing collaboration between IIA Headquarters and global affiliates and members, which ensures global voices feel equally heard and valued and maximizes the sharing of intellectual capital, according to Joyce. 
"We want to support diversity and inclusion throughout The IIA, both in the workplace and among our membership globally, so we probed all the candidates about their experience and engagement around that," Joyce explains.</p><h2>Taking Action on Diversity </h2><p>Pugliese says people often avoid the topic of diversity because they don't understand what to do with it. "It can be uncomfortable for some people," he says. "Yet when you talk to someone in an underrepresented population, it's really not that uncomfortable, because people want to talk and to give their point of view. And you just have to be respectful."</p><p>Pugliese has proven his willingness to tackle such issues directly, with measured thought and action. Following the death of George Floyd, a Black man who died while being restrained by Minneapolis police last year, Pugliese issued a DE&I statement to the membership of CalCPA, committing to form a member-led DE&I committee responsible for establishing goals and practices to identify and address racial inequities. Additionally, CalCPA and the Institute of Management Accountants jointly issued a survey-driven report that exposed troubling disparities in the senior ranks of the accounting industry. "We have gotten a little bit better on hiring, in terms of bringing in underrepresented populations, but we haven't done much better in terms of bringing those individuals all the way up into key senior management roles," Pugliese explains. "And I sense the same concerns are here in the internal audit profession, so we're going to continue this work." </p><p>In addition to being the right thing to do, the survival of the profession is contingent upon underrepresented groups seeing themselves in business roles like internal auditing, Pugliese adds. 
"Diversity, equity, and inclusion are business decisions as much as they are ethical decisions," he says, noting that changing demographics alone make diversity "intrinsically important" to the pipeline of future auditors. </p><p>Pugliese says having a global board of directors with members from underrepresented groups will lead this progress. "They get it, including me; for the LGBTQIA population, I get it," he says. Leveraging personal experiences will foster multiple approaches to success, he notes, but the process of trying various plans of attack prompts an urgency in getting started. "There's not one magic program."</p><h2>Embracing Change</h2><p>As organizations face a whirlwind of change, technologically and socially, internal auditors must be ready to go all in on the unique opportunities at their fingertips. Pugliese is palpably enthusiastic about ensuring The IIA is the dynamic and inclusive authority, educator, and advocate to help the profession seize those opportunities globally.</p><p>"His energy is clearly contagious," says Jenitha John, CEO of the Independent Regulatory Board for Auditors and IIA Global Board chair, who served on the search committee. She and others laud Pugliese's insight, foresight, and fresh perspectives as well as his ability to parlay them into a vision for The IIA. "Anthony demonstrates the caliber and attributes we require in the next CEO," she says. "We look forward to his expertise and wisdom."<br></p>Lauressa Nelson0
How Do You Measure Internal Audit Value?<p>The importance of internal audit value delivery to the organization it serves has been recognized and encouraged by The IIA for years. In fact, value focus is noted in the International Professional Practices Framework (IPPF) elements, including the Mission, Definition, <em>International Standards for the Professional Practice of Internal Auditing</em>, Code of Ethics, Core Principles, and The IIA’s Value Proposition.</p><p>Today, value can only be delivered when internal audit innovates in who it hires, what it assesses, and how it executes and communicates; understands and aligns with organizational strategies; and has a laser focus on critical and emerging risk areas. Stakeholders expect internal audit to have broad, unrestricted scopes expanding beyond financial risks and encompassing operational and strategic areas. Increasingly, stakeholders expect internal audit to address not just hard topics, but also soft topics, such as the quality of the culture and the control environment. The services internal auditors provide to stakeholders must deliver:</p><ul><li>Knowledge about major organizational risks, related mitigation, and needed improvements.</li><li>Assurance that sufficient risk mitigation (generally internal control) is in place and operating.</li><li><p>Objective insights, arising from analysis and organizational experience, to improve organizational agility, efficiency, and effectiveness. <br></p></li></ul><p>Knowledge, assurance, objectivity, and insight are difficult to measure directly. Many CAEs resort to process measurements, such as completion of the approved audit plan or meeting cycle time to issue a final report, as surrogates for measuring the value of their services. </p><h2>The Wrong Metrics<br></h2><p>Internal audit is not the only profession that struggles with the value question. 
For example, in the medical field, value — or quality of care rendered — is certainly a goal. But quality of care is hard to objectively measure, so doctors often are evaluated by process measures, such as the number of patients treated in a day. Unfortunately, this may reduce the ability to achieve the value goal, as doctors motivated to see more patients may spend less time with each one, resulting in less ability to understand and deliver the quality of care required. </p><p>Similarly, CAEs who focus on process metrics such as completion of the approved audit plan may undermine their value delivery goal by focusing on finishing audits, rather than considering extending an audit to deliver better assurance or more focused recommendations. Or consider the risk of perfectly executing the wrong plan that delivers zero value, but results in a high metric. Clearly, completion of the audit plan does not measure value delivered. But what metric does or could?</p><h2>Challenges of Measurement<br></h2><p>Directly measuring value is challenging. Examples of some of the more significant challenges to measuring value are described here. <br></p><p><strong>Stakeholder Expectations</strong> Internal auditors must first understand what their stakeholders want and how they view value, and then measure against those wants and expectations. But the reality is that some stakeholders may not understand the breadth of capabilities a modern internal audit function has, or may even want a less aggressive function that doesn’t challenge the status quo. In such a situation, stakeholder expectations may be significantly lower than the role described in the Mission and Definition of internal auditing. The opposite is also possible, with stakeholder expectations far exceeding a reasonable performance level. And to make it even more challenging, expectations might vary for the board versus senior management. 
Audit research has shown that boards focus more on assurance while management primarily seeks new insights from internal audit. <br></p><p><strong>Subjective Nature</strong> Value is often in the eye of the beholder and not easily quantified. For example, an internal auditor who helps management identify and correct inefficiencies in a new process design is certainly delivering value. But how does one quantify time and resources not wasted on a design because it was corrected pre-implementation? <br></p><p><strong>Client Surveys</strong> Many CAEs presume they can measure value by asking clients if they have received value from audit work performed. The challenge is that client responses may be skewed by their emotional reaction to a recent audit. Or they may not have a reasonable or best-in-class expectation so their feedback may be based on flawed criteria. Finally, surveys may be asking the wrong questions by inquiring about audit processes rather than value received.<br></p><p><strong>Nature of the Audit Engagement</strong> One objective of an assurance engagement is to assess the effectiveness of risk management and report on the assessment to the board and senior management. Value may come from providing assurance that risks are well-managed. In other engagements with an advisory focus, such as helping management design risk management processes for a new acquisition or system, value may be less about assurance and more about providing recommendations to improve a control design. In audit investigations, value may be about dollars recovered. This is not to suggest these three examples are mutually exclusive. But it does affirm that value is complex and it is unlikely that any one metric can cover any and all services. </p><h2>Importance of Measurements<br></h2><p>Internal auditors want to make a positive contribution to their organizations. 
Unfortunately, in far too many cases, the measurements or key performance indicators that the profession uses to measure (and perhaps evaluate) staff can unintentionally drive the opposite of the desired behavior. </p><p>Stories abound of auditors who focused on the timeline, the budget, or the calendar — delivering against standard metrics but not delivering true value. Worse are the stories where auditors avoided audit areas that could have provided value in favor of maximizing process metrics, such as concluding an audit on time by ignoring warning signs that emerged late in an audit. </p><h2>A Balanced Approach<br></h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>INTERNAL AUDIT FOUNDATIONS</strong><p>Aside from having the right measurements, the foundations of the internal audit function must already be in place. Their importance cannot be overstated.</p><ul><li>A documented mission focused on value delivery and helping the organization achieve its strategies and objectives.</li><li>A clear and appropriate charter providing requisite authority, access, and unrestricted scope.</li><li>A risk-based audit plan approved by the board that is routinely adjusted as the organization’s risks change. </li><li>A professional team with broad and appropriate skills and qualifications. </li><li>A courageous and respected CAE who is willing to tackle and communicate challenging issues, while striving to innovate and continuously enhance the team’s capabilities and performance.</li><li>Regular interaction with, and feedback from, key stakeholders to ensure a mutual understanding of evolving expectations.<br></li></ul></td></tr></tbody></table><p>To avoid the shortcomings of solely relying on process metrics, CAEs should implement a balanced set of complementary measures. 
These measurements, tracked over time, can indicate if a function’s focus on value is, in fact, the top priority for the audit team and paying off in organizational improvements and client satisfaction. The four categories of measurements recommended include value drivers, client behavior, client feedback, and audit process. Coupled with the elements listed in “Internal Audit Foundations” above, these balanced measurements enable internal audit to plan, execute, measure, and communicate value delivered.<br></p><p><strong>Value Drivers</strong> These measurements consider the fundamental behaviors that should lead to relatively higher quality performance. Measurements such as the percentage of auditors with master’s degrees or certified internal auditors, adherence to the IPPF, or the percentage of auditors with operating or managerial experience will increase the likelihood of value delivery. <br></p><p><strong>Client Behavior</strong> These measurements reflect value if management or the board solicits internal audit assistance, positively corrects identified audit issues timely, and actively seeks internal auditors for special projects or open positions. These can include increasing requests over time from a cross section of functions within an organization, the trend of corrective actions implemented on time, a reduction of repeat findings, or the number of auditors placed in other roles throughout the organization.</p><p>A positive trend in such metrics suggests that management recognizes the value of the internal audit function and the importance of correcting issues noted. To achieve a positive trend, internal audit must focus on higher relative risk areas, effectively communicate the importance and impact of audit issues identified, and help identify solutions that address the root cause. The “Why did this happen?” and “Who cares?” questions must be convincingly answered to persuade management to reprioritize activities and implement corrective action. 
To be sought out for new roles, auditors must earn management’s respect for their organizational knowledge, balanced judgment, communication skills, and ability to identify and help manage risks.<br></p><p><strong>Client Feedback</strong> Client surveys can be an effective tool to capture the subjective view of value from management’s perspective. However, they must be used with great thought and care. Suggestions for ensuring the effectiveness of this tool include:</p><p>Focusing surveys on management’s perceptions and experiences with the audit team and results, and not on the audit process. Surveys that ask if a planning meeting was held or if the report was issued timely focus on the process and provide information that audit management should already know. Rather, ask questions to solicit management’s viewpoints. Did the audit team present itself professionally? Was management informed on the area under review? Were the results presented accurately, fairly, and timely? Did management receive value from the audit? Would management seek internal audit’s assistance in the future? </p><p>Providing an opportunity for written comments, not just numerical ratings. Better yet, offer an opportunity for a live conversation with the CAE or internal audit management to discuss and probe areas of satisfaction or dissatisfaction.</p><p>Avoiding using client survey results in auditor performance reviews, which risks creating a conflict with the auditor when difficult issues arise in an audit. Auditors should be courageous and willing to question the status quo to offer insights. The last thing an auditor should ask is, “Do I pursue the issue and irritate management, which is evaluating me soon? Or do I soften or drop the issue to get a higher rating?” <br></p><p><strong>Audit Process</strong> These measures are typically used today. 
Value is inferred if the audit plan has been approved and is executed timely — with appropriate changes as the risk profile of the organization evolves — and if audit results are communicated timely. These measures remain useful when they are balanced with other measurements and are not the primary focus of performance feedback.</p><h2>Reinforcing Audit's Mission<br></h2><p>Organizations are changing at warp speed. To keep up, internal audit needs to be agile, responsive, and focused on value delivery — and the right metrics can reinforce the desired value-based behaviors. Even with a balanced set of measurements, value delivery is still not directly measured. However, by evaluating value drivers, client behavior, and client feedback trends, as well as audit process measurements, audit management will have a much stronger indication of value delivered and improvement over time. And, critically, this balanced set will reinforce the value-based mission of the internal audit function, motivating the audit team and minimizing the risk that it focuses on the due date and budget rather than the substance of the audit. <br></p>Patricia K. Miller
Putting the Auditors First<p></p><p>Internal audit strategies tend to focus on what we will do for the organization, often using verbiage found in the International Professional Practices Framework. Phrases like “independent and objective,” “assurance and consulting activity,” “enhance and protect value,” and “systematic and disciplined approach” populate most departmental vision and mission statements. And the underlying goals and objectives reinforce these positions with phrases related to ensuring controls function correctly, supporting risk management, reporting results, and performing follow-ups. (While researching this column, I found one department whose first stated objective was to achieve the department’s objectives.)</p><p>This is all well and good. The concepts and traits contained therein are important to our success and our ability to support the organizations we serve. They help build the solid foundation that allows internal audit functions to do the work they need to do. But we may be missing something important in all this.</p><p>Organizations have realized that when they take care of the employees, the employees will take care of the customer. Herb Kelleher, co-founder and former CEO of Southwest Airlines — an organization widely respected for its customer service — put it most succinctly: “You have to treat your employees like customers.” With the realization that happy employees make happy customers, those organizations are putting employees first. And they’re succeeding. </p><p>If this is all true — and solid research as well as anecdotal references support the concept of putting employees first — then what does it mean for internal auditors? The underlying question becomes: How does your internal audit department treat its internal auditors? </p><p>At this point I suspect many are rising to their feet proclaiming, “Our internal auditors are the No. 
1 asset in our department.” But if the auditors are the most important part of the audit department — if they are, indeed, No. 1 — is that allegiance professed in the department’s visions, missions, or objectives?</p><p>I recently became aware of an audit department that lists its No. 1 core value as the hiring and continuous training of the best people. That is a strong statement, and it speaks volumes about the department. But it stands out because it is a rare sighting in the world of internal audit.</p><p>The only way any audit department succeeds is because of the people who do the work. And even if audit leaders believe the auditors who do the work are their No. 1 priority, that belief is meaningless if they haven’t articulated and exhibited it. Without formal acknowledgment, it’s just hot air flowing into the balloon employees will climb aboard as they leave the department.</p><p>Audit leaders should take a closer look at their mission, vision, objectives, and charter. And they should make sure that their No. 1 asset — the people — is a proud and prominent part of what is being valued. <br></p>Mike Jacka
Flowchart Basics<p></p><p>When Frank and Lillian Gilbreth introduced the first process flowchart to a group of engineers in 1921, the innovative method of giving a pictorial view of a process quickly gained admiration in the academic and business worlds. Flowcharts gained popularity over the decades and today are used by many professions. Accordingly, by the 1970s, the International Organization for Standardization (ISO) developed standards around them. </p><p>Internal auditors may have mixed reactions about flowcharts. Many will venture to reveal their love-hate relationship as there are often flashbacks to a great amount of time and effort — and, possibly, frustration — in creating, validating, correcting, and recreating flowcharts. Others may refer to the adage, “a picture is worth a thousand words.” Regardless, these diagrams are valuable tools for auditors and have many applications. Currently, technologies such as process mining are revolutionizing the way flowcharts are created and analyzed because of their transparency and the value of information they provide.</p><p>In simple terms, a flowchart is a visual representation of a process showing activities and workflow. These illustrations present steps, systems, and information inputs and outputs, all represented by various symbols. In other words, a flowchart is a map that shows specific features in a process and how data, documents, systems, individuals or departments, actions, and decisions flow and interact. In short, flowcharts can make complex information easier to understand. </p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>RELATED STANDARDS</strong><br></p><p>Several IIA implementation guides mention flowcharts for planning and execution purposes. 
The most significant are: <br></p><ul><li>Standard 2201: Planning Considerations</li><li>Standard 2300: Performing the Engagement</li><li>Standard 2310: Identifying Information</li><li>Standard 2320: Analysis and Evaluation</li><li>Standard 2330: Documenting Information</li></ul></td></tr></tbody></table><p>Flowcharts are typically easy to read and understand given the global standardization of symbols. For example, processes are represented by rectangles, decision points by diamonds, manual steps by trapezoids, and databases by cylinders. These symbols are connected by arrows showing the linked activity in the process. Flowcharts may contain short notes or comments to provide additional details and may even include a legend. In addition, flowcharts generally have a structured flow, such as top to bottom or left to right, and contain multipage connectors, if needed, along with start and end points.</p><h2>Uses</h2><p>Internal auditors use flowcharts in their work for various reasons, including: </p><ul><li><strong>Training and guidance</strong> – incorporated in manuals, presentations, and other educational materials, or as part of policies, guidelines, or methodologies to complement or illustrate narrated procedures and requirements. </li><li><strong>Execution and delivery of engagements</strong> – to understand processes and controls design during engagement planning, analyze and evaluate information throughout project execution, and support the formulation of results and opinions. For example, auditors use flowcharts to identify control gaps or process inefficiencies or, when appropriate, as concise visuals in reporting. <br></li><li><strong>Fulfilling requirements</strong> – to support organizations that must meet regulatory requirements, such as the U.S. 
Sarbanes-Oxley Act of 2002, which requires the documentation of business processes and internal controls (e.g., used to complement narratives and risk/control matrices) or to obtain and maintain accreditations such as specific ISO certifications.</li></ul><h2>Limitations</h2><p>While flowcharts are useful for auditors, they also have certain limitations, such as: </p><ul><li><strong>Structure.</strong> One of the biggest limitations is that flowcharts tend to focus on a linear flow. They also present a process as intended to be, instead of how a process actually operates.<br></li><li><strong>Oversimplification.</strong> To make it easier for people to understand, flowcharts oversimplify processes and data flows. In addition, when auditors rely exclusively on flowcharts they may miss risks outside the processes, including emerging risks, as well as the critically important soft controls. </li><li><strong>Overcomplication.</strong> Just as oversimplification can be an issue, providing too much detail can result in awkward, complex, and non-visually appealing maps. </li><li><strong>Administrative burden.</strong> Creating and updating flowcharts requires resources. Revisions may be necessary to create the right diagram when auditors should be spending their time focusing on other areas.</li></ul><h2>Process Mining</h2><p>Process mining is a technology and technique used for discovering, monitoring, and improving processes. This method involves extracting recorded data from event logs in information systems and illustrating actual process flows and variations. While traditional flowcharts illustrate an assumed process, process mining provides a representation of the real process. Because process mapping can be fast, fully automated, and repeated, organizations are using the technology in many ways, including conformance checking, identification and analysis of issues, and continuous optimization initiatives. 
</p><p>Process mining has many implications as a way of transforming and innovating how auditors conduct their work. For example, as a computer-assisted audit tool, auditors can use it to obtain and analyze a holistic view of the entire process chain, instead of just sampling. This view is based on actual data, not assumptions, allowing auditors to observe and explore the inner workings of a process to find out what is really happening. With this information, auditors can pinpoint issues, validate deviations or inefficiencies, identify and evaluate root causes, and recommend practical remedial action plans and mitigation strategies. At the same time, audit departments can rethink the audit process, itself, and find efficiencies along the way. This may include reducing or eliminating conventional interviews and walkthroughs, designing innovative continuous monitoring or continuous auditing solutions, and eliminating outdated documentation. </p><h2>Old Tool, New Tricks</h2><p>Knowing how to develop and analyze flowcharts is considered basic knowledge for internal auditors. New tools and techniques around process mapping are paving the road for fresher ways to execute and deliver assurance and advisory services. By embracing enabling technologies, auditors can reshape their thinking and provide more in-depth insight and foresight, produce impactful reporting, and deliver valuable support throughout their organizations. </p>David Dominquez
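<p>The Process Mining section above describes rebuilding actual process flows from event logs and checking them against the assumed flow. The following is an added example, not part of the original article: the purchase-to-pay activities, case IDs, and timestamps are constructed, and the expected path stands in for whatever a team's flowchart documents.</p>

```python
from collections import Counter, defaultdict

# Constructed event log: (case id, activity, ISO timestamp). Rows are
# deliberately out of order, as they often are in a raw system extract.
EVENT_LOG = [
    ("PO-1", "Create PO", "2021-03-01T09:00"),
    ("PO-1", "Approve PO", "2021-03-01T11:30"),
    ("PO-2", "Create PO", "2021-03-02T08:15"),
    ("PO-1", "Receive Goods", "2021-03-04T14:00"),
    ("PO-3", "Create PO", "2021-03-02T10:00"),
    ("PO-3", "Pay Invoice", "2021-03-02T10:05"),    # paid before approval
    ("PO-2", "Approve PO", "2021-03-02T16:40"),
    ("PO-1", "Pay Invoice", "2021-03-10T09:00"),
    ("PO-3", "Approve PO", "2021-03-03T09:00"),
    ("PO-4", "Create PO", "2021-03-05T13:00"),
    ("PO-2", "Receive Goods", "2021-03-06T10:00"),
    ("PO-4", "Receive Goods", "2021-03-08T09:30"),  # approval never logged
    ("PO-3", "Receive Goods", "2021-03-05T15:00"),
    ("PO-2", "Pay Invoice", "2021-03-12T09:00"),
    ("PO-4", "Pay Invoice", "2021-03-15T09:00"),
]

# The path the flowchart assumes (hypothetical).
EXPECTED = ("Create PO", "Approve PO", "Receive Goods", "Pay Invoice")


def traces(log):
    """Group events by case and order each case by timestamp."""
    cases = defaultdict(list)
    for case_id, activity, ts in log:
        cases[case_id].append((ts, activity))
    return {cid: tuple(a for _, a in sorted(evts)) for cid, evts in cases.items()}


def variants(log):
    """Count how many cases follow each distinct end-to-end path."""
    return Counter(traces(log).values())


def directly_follows(log):
    """Count each observed activity-to-activity hand-off (the mined flow)."""
    edges = Counter()
    for trace in traces(log).values():
        edges.update(zip(trace, trace[1:]))
    return edges


def deviations(log, expected=EXPECTED):
    """Conformance check: list, per case, what departs from the expected path."""
    allowed = set(zip(expected, expected[1:]))
    findings = {}
    for cid, trace in traces(log).items():
        reasons = []
        missing = [a for a in expected if a not in trace]
        if missing:
            reasons.append("missing: " + ", ".join(missing))
        for src, dst in zip(trace, trace[1:]):
            if (src, dst) not in allowed:
                reasons.append(f"unexpected step: {src} -> {dst}")
        if reasons:
            findings[cid] = reasons
    return findings


if __name__ == "__main__":
    for cid, reasons in sorted(deviations(EVENT_LOG).items()):
        print(cid, "; ".join(reasons))
```

Because every case in the log is evaluated, the output covers the whole population rather than a sample, which is the contrast with traditional testing that the article draws.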
