Practices

 

 

Audit Wellnesshttps://iaonline.theiia.org/2019/Pages/Audit-Wellness.aspxAudit Wellness<p style="text-align:justify;">Auditing is a knowledge-based profession, which means its practitioners have to think for a living. We work extensively with data, requiring significant concentration and focus. We evaluate the effectiveness of business operations, necessitating an ability to analyze and problem-solve. Our capacity to perform these activities effectively hinges not only on our expertise, but on how we take care of ourselves.</p><p style="text-align:justify;">The way we treat our bodies affects the chemicals in our brain, which in turn affects the performance of our minds. Without a strong and healthy mind, everything becomes more difficult — working with spreadsheets, performing analytics, communicating with clients, and so on. Even with extensive knowledge of audit standards and robust technical skills, a weak mind inevitably will affect audit effectiveness. For this reason, internal auditors may want to consider several wellness habits that could help fortify the mind and enhance work performance.<br></p><h2>Improve Focus and Concentration </h2><p style="text-align:justify;">Today's world presents a host of distractions — social media, emails, text messages, reminder notifications — that compromise our ability to focus. We have a "need to know now" tendency, where every notification chime or pop-up banner prompts an immediate screen check. But if we don't check Facebook, Twitter, or Instagram during the day — are we really missing anything important? Would the world come to an end if we didn't respond to emails right away? If someone had a truly urgent request or need, wouldn't a phone call likely accompany the emails or texts?</p><p style="text-align:justify;">According to a 2017 OfficeTeam survey of U.S. organizations, office employees spend about five hours each week on their cellphone focused on nonwork activities such as answering personal emails and checking social media accounts. Succumbing to distractions breaks one's concentration. Plus, valuable time and energy can be lost trying to get back into the flow of the previous task. These little distractions add up and over time negatively affect our budgets, project delivery, and work quality. An auditor's attention is already divided — working on different engagements, across multiple audit sections, with different directors and staff members — and the pressure to deliver can be intense. Introducing unnecessary distractions only makes it harder. Turning off the smartphone, or at least minimizing screen time, can go a long way toward maintaining one's attention on tasks at hand. </p><p style="text-align:justify;">Still, no one is born knowing how to focus. And the workplace is full of interruptions beyond our mobile devices. Co-worker drop-bys, impromptu meetings, Slack messages, and last-minute requests are part of most auditors' daily reality. Over time, these constant demands and interruptions take a toll on our attention span.</p><p style="text-align:justify;">Sustained focus is achieved through practice and deliberate actions. One form of focus training that has gained significant attention in recent years is daily meditation. <br></p><p style="text-align:justify;">According to a 2018 article in the <em>Journal of Cognitive Enhancement</em>, "Regular and intensive meditation sessions over the course of a lifetime could help a person remain attentive and focused well into old age." Researchers came to this conclusion based on results of one of the most extensive longitudinal studies examining a group of meditation practitioners. Beyond enhanced focus and concentration, studies also point to stress and anxiety reduction, improved emotional health, enhanced self-awareness, better sleep, and decreased blood pressure as benefits of regular meditation practice. Taking a daily, restorative mental break could help enhance overall well-being and improve readiness for whatever lies ahead. <br></p><h2>Enhance Learning</h2><p style="text-align:justify;">To keep up with the demands of their work, internal auditors must be able to learn quickly. Auditors do not have the luxury of spending years learning and understanding all the various facets of an organization or department. Practitioners need every advantage they can muster to help tackle what is often a steep learning curve. That requires agility and critical thinking, including the ability to apply past experience to new assignments and to find connections across different parts of the business. Without these skills, problems such as budget overruns and failure to provide timely deliverables are more likely to occur.</p><p style="text-align:justify;">One way of increasing mental agility and learning capacity is through physical exercise. According to a 2014 study conducted by the University of British Columbia, regular aerobic exercise boosts the size of the hippocampus — the area of the brain connected to verbal memory and learning. Other research has shown benefits of exercise to include better alertness, attention, and motivation. While exercise may sometimes feel like a drain on one's already busy schedule, the benefits of adding it to a daily or weekly routine can easily outweigh the cost of time it takes to perform.  <br></p><h2>Fight Fatigue</h2><p style="text-align:justify;">According to the book <em>Fatigue Science of Human Health,</em> co-edited by fatigue science expert Yasuyoshi Watanabe, "Mental fatigue caused by prolonged mental work not only [results in] an increase in sensation of fatigue, but also a decrease in work efficiency." Auditors can easily suffer from mental fatigue during busy season, or while working on a large project with several moving parts and a hard deadline. Fatigue can present itself in the form of drowsiness, decreased motivation, irritability, and distraction. The symptoms not only slow down our work, but could lead to errors in judgement, inaccurate interpretation of information, and loss of valuable time and money.</p><p style="text-align:justify;">One way to battle brain fatigue is by maintaining a healthy diet. According to an article by neurosurgery professor Fernando Gomez-Pinilla on Brainfacts.org, "Because the brain demands such high amounts of energy, the foods we consume greatly affect brain function." Food provides fuel for performance, but not all food is good for the body and mind. In fact, some foods actually reduce energy and can damage mental health and functioning. A 2018 <em>Healthline</em> article, "7 Foods That Drain Your Energy," lists the following culprits: bread and pasta; cereal and yogurts; alcohol; coffee; energy drinks; fried and fast foods; and low-calorie snacks, which can reduce energy levels.</p><p style="text-align:justify;">By contrast, many foods can serve to boost brain health and improve cognitive functioning. In its article, "Foods Linked to Better Brain Power," Harvard Medical School includes green, leafy vegetables, fatty fish, berries, and walnuts among a list of "best brain foods." So when mid-afternoon fatigue sets in during a critical audit engagement, practitioners may want to put down the sugary sweets in favor of these healthier, brain-friendly alternatives.</p><p style="text-align:justify;">Of course, what really sets the stage for mental alertness each day is what happens the night before — the amount of sleep a person gets. In a 2015 <em>Scientific American</em> article, John Peever, director of the Systems Neurobiology Laboratory at the University of Toronto, and Brian J. Murray, director the sleep laboratory of Sunny Health Center, described the function of sleep in this way: "Sleep serves to reenergize the body cells, clear waste from the brain, and support memory and learning." Research from the National Sleep Foundation indicates that adults need between seven and nine hours of uninterrupted sleep.</p><p style="text-align:justify;">Staying up late to binge-watch online content or catch up on social media has consequences. After working a long day, auditors should consider what their brain needs for the following days' work. <br></p><h2>Stay Well</h2><p style="text-align:justify;">Effective audit performance starts from within. Making healthy lifestyle choices can provide a solid foundation for any practitioner's well-being and ability to succeed. As research shows, maintaining a healthy body and mind is key to optimal performance. <br></p>Michelle Swaby1
Don't Just Measure It, Do Something!https://iaonline.theiia.org/2019/Pages/Dont-Just-Measure-It-Do-Something.aspxDon't Just Measure It, Do Something!<p>​How do you measure the success of your internal audit department? The subject comes up repeatedly in conferences, articles, research, and chapter meetings. It is obviously an issue that plagues and perplexes audit departments everywhere, and finding the answer seems to be a holy grail quest for the profession.</p><p>The challenge certainly doesn’t come from a lack of possibilities. Everything from audits completed to use of available audit hours to requests for audits to customer satisfaction to corrective actions completed to efficiency improvements identified to certifications achieved to the number of auditors who can dance on the head of a pin have been suggested, adopted, and rejected. But we all continue to search for internal audit’s success-measurement El Dorado. </p><p>The reason our search continues to fail, even with this unending supply of possibilities, is that audit departments forget two important rules pertaining to the development of success measures. Rule No. 1: The measures should be developed in support of the audit department’s mission. If the department cannot demonstrate how the measures support that mission, then they become vanity measures serving no purpose other than saying, “Look at us!” Note also the assumptions built into this rule — internal audit has a mission statement, that mission is in alignment with the organization’s mission, and every auditor knows and can recite the mission statement. Missing any of these elements results in ineffective measures.</p><p>However, most important is rule No. 2: At the end of the day, have a plan for how all those measures will be used. Author and marketing guru Seth Godin once stated, “Don’t measure anything unless the data helps you make a better decision or change your actions.” And unless an audit department uses its measures to improve internal audit’s choices, do better work, or make the department more effective, then collecting the associated data is just a waste of resources, time, and effort. </p><p>Many audit functions measure, but I have seen very few that use those measures to get better. At most, if they are not meeting the criteria promised to the audit committee, there will be much wailing and gnashing of teeth as the chief audit executive promises improvements. Then the failures are merely used as a blunt instrument to bludgeon members of the audit department into doing better. </p><p>Internal audit functions rarely analyze their shortfalls against success measures to determine the root cause. Too often their response is a simple, “We didn’t meet the measures of success this year so, honest, we’ll work harder next time.” This is a response we wouldn’t accept from a client, and one we cannot accept from ourselves.</p><p>Make sure you are measuring the right things. Make sure you are meticulously ensuring the credibility of the resulting data. And then make sure you are using the results to effect positive change. </p><style> p.p1 { line-height:12.0px; } p.p2 { line-height:12.0px; } p.p3 { text-indent:18.0px; line-height:12.0px; } p.p4 { text-indent:9.0px; line-height:12.0px; min-height:11.0px; } p.p5 { line-height:9.0px; font:8.0px 'Interstate Light'; } span.s1 { letter-spacing:-0.1px; } span.s2 { letter-spacing:0.1px; } span.s3 { font:8.0px Interstate; } </style>Mike Jacka1
The Auditor's Mindsethttps://iaonline.theiia.org/2019/Pages/The-Auditors-Mindset.aspxThe Auditor's Mindset<p>Cognitive biases can threaten any individual’s capacity to make good decisions. For internal auditors, audit interviews pose unique settings in which cognitive biases can threaten their professional skepticism. Interviews are conducted to obtain important information in a variety of contexts, including operational audits, compliance testing, and IT audits. Although interviews rarely, if ever, constitute sufficient audit evidence on which to base a conclusion, it is still important that internal auditors maintain their professional skepticism while conducting them. If an internal auditor allows a cognitive bias to impede his or her sense of professional skepticism in an interview, the quality of planning and of subsequent audit procedures is reduced. As a result, extra time is spent following up on unreliable information or, worse, important information is missed. Three biases, in particular, may affect internal auditors’ professional skepticism: truth bias, confirmation bias, and the halo effect.<br></p><h2>Truth Bias </h2><p>The assumption that others are telling the truth is necessary on a day-to-day basis to facilitate routine social interaction. If one tried to verify the truthfulness of every statement made by others, routine communication would grind to a halt. However, the tendency to believe others are providing truthful information may prevent internal auditors from employing appropriate levels of professional skepticism, which entails, at a minimum, a belief that sources of information are neither truthful nor untruthful. Truth bias has been documented repeatedly in deception detection research and seems to be a major factor limiting people’s ability to detect false statements in a variety of settings. The assumption of truthfulness is a common bias that may impede effective decision-making and, by extension, professional skepticism.</p><p>To combat truth bias, internal auditors should remain aware that the profession requires a questioning mind. By definition, truth bias involves a deficient use of questions and additional procedures just when they are needed most. When relying on information obtained in an interview, it is imperative that internal auditors ask themselves whether they employed a critical mindset in assessing the information they received, in posing follow-up questions, and in obtaining corroborating information. If not, then truth bias may have impeded professional skepticism (see “Description as Truth” below). The findings in Norah Dunbar’s, Artemio Ramirez Jr.’s, and Judee Burgoon’s Winter 2003 <em>Communication Reports</em> article, “The Effects of Participation on the Ability to Judge Deceit,” suggest that interviewers should work in pairs, with one interviewer performing the questioning, while the other member of the team observes. Dunbar and her co-authors find that the observer in such scenarios is better able to judge deceit on the part of the interviewee. </p><table cellspacing="0" class="ms-rteTable-4" style="width:100%;"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p> <strong>​Description as Truth</strong><br> </p><p>During an internal audit team’s first day on site at a parts distribution center, it requests a walk-through of the facility to gain an understanding of the intake, storage, inventory, and shipment of parts. A floor manager walks the team members through the facility explaining and answering their questions about each process. Based on the floor manager’s explanations and answers, the team identifies the high-risk processes and develops testing procedures for those processes. On the third day of the visit, the auditors begin testing the inventory process and note that each test is failing. During the results validation meeting with the general manager, the team learns the inventory processes described by the floor manager were incorrect. Because the auditors accepted the floor manager’s description as the truth, they had to recreate and reperform the inventory testing. In hindsight, professional skepticism would dictate that the internal audit team had no basis on which to trust the floor manager’s explanations as credible. Before identifying high-risk processes and designing and carrying out tests, the team should have taken additional steps, such as corroborating the explanations with documented evidence of transactions. Asking themselves if they were comfortable basing several days of work solely on the explanations of one person who they had just met could have saved the team significant time and effort.<br></p></td></tr></tbody></table> <h2>Confirmation Bias</h2><p>When one seeks out or gives too much weight to information consistent with a specific belief, that is confirmation bias at work. It may influence questions asked and how the answers received during an interview are processed. Internal auditors conducting interviews can certainly fall victim to confirmation bias by seeking out information consistent with a specific belief during those interviews. Often, this involves seeking out information that processes are operating as they should. Confirmation bias has the potential to compromise an internal auditor’s professional skepticism by steering the auditor toward a particular conclusion, regardless of the facts. </p><p>In their June 2011 <em>Harvard Business Review</em> article, “The Big Idea: Before You Make That Big Decision…” Daniel Kahneman, Dan Lovallo, and Olivier Sibony suggest managers combat confirmation bias by asking teams that are making recommendations whether credible alternatives to their recommendations have been considered. Interviewers should engage in a similar process. </p><p>To combat confirmation bias in an interview setting, internal auditors should enter with a conscious openness to learning about or uncovering information that is inconsistent with their prior beliefs. After the interview, they should ask themselves whether they learned anything that was contrary to their prior beliefs and whether they missed any opportunities to ask follow-up questions that would have uncovered such information. In other words, as Kahneman and his co-authors recommend, consider credible alternatives. Such an approach is consistent with professional skepticism. If the auditor in the “Seeking Information as Confirmation” example on this page had entered, conducted, and reflected upon her interview with such an attitude, she would have been more likely to focus on the exception that was apparent in the business finance manager’s response.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <p><strong>Seeking Information as Confirmation</strong></p><p>An inexperienced internal auditor meets with a business finance manager to understand how payments are received from clients and processed. In preparation for the interview, the auditor creates an agenda containing a list of questions. During the interview the auditor asks, “What do you do with checks you receive from clients?” The business finance manager replies, “I deposit most of the checks into the company account.” Without hesitation, the auditor asks the next question on the agenda. She likely has a bias toward finding that the checks are all deposited in the correct bank account. By ignoring the phrase “most of the checks,” the auditor fails to detect that the business finance manager is depositing some checks in inappropriate accounts. In fact, during the course of the audit, it becomes apparent that the finance manager and other persons are depositing some of the checks in their manager’s personal account for department parties and outings. The account owner and the persons making the deposits are ultimately terminated. By seeking out information consistent with what she knew should happen, the internal auditor who conducted the interview initially missed the fact that some checks were processed inappropriately, increasing the possibility that the audit could have missed this fact entirely.<br></p></td></tr></tbody></table><h2>The Halo Effect</h2><p>In the book <em>Thinking Fast and Slow,</em> author Daniel Kahneman describes the <em>halo effect</em> as the “tendency to like (or dislike) everything about a person — including things you have not observed.” Internal auditors should be aware of the biases created by the halo effect. If they like someone or view him or her favorably, they might tend to weigh their opinions and estimates on all topics more heavily than they should. On the other hand, if they do not like a person, they may have a bias in the opposite direction. Either way, they are checking their professional skepticism at the door.</p><p>Kahneman suggests fighting the biases created by the halo effect by verifying information using independent sources. In “The Weight of Credentials” example below, had the halo effect not compromised the auditors’ professional skepticism, they might have been able to corroborate the information provided by the gemologist with independent sources. Such sources should have included additional interviews, as well as documentation. By taking such steps, they could have identified the error instead of relying on the statements from someone perceived as having a halo. There were likely others involved in the processes described by the gemologist who could have discredited his statements. Although there is no guarantee the auditors would have detected the gemologist’s scheme if they had sought out independent sources, they certainly would have increased their chances of detecting information that would have prompted them to take additional steps to further investigate the processes.<br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"> <p><strong>The Weight of Credentials </strong></p><p>An internal audit team was auditing the jewelry return process at a merchandise return center. When the team inquired about the smelting and gemstone procedures, it was referred to the director of jewelry, who also was a licensed gemologist. During the interview, the gemologist was knowledgeable, friendly, and eager to share everything that was working well and everything needing to be improved. As a result, the team viewed him quite favorably. Although some of his process descriptions did not make sense, the team members took the gemologist’s descriptions as accurate because he appeared happy they were there to help him fix all of his processes and, after all, he was a licensed gemologist. Nine months after the audit, the gemologist was arrested for selling gemstones to overseas buyers and depositing the money into his personal account. The auditors should have gathered additional evidence to corroborate the gemologist’s explanations about the jewelry return process, but they were blinded by his credentials and knowledge of jewels. They fell prey to the halo effect.<br></p></td></tr></tbody></table><h2>Knowledge Is Power</h2><p>There are several concrete steps auditors can take to fight the negative effects cognitive biases have on audit interviews. In addition to conducting interviews in pairs, auditors should ask follow-up questions. This can help auditors gain valuable information during interviews. Next, they should obtain corroborating interview evidence by speaking to multiple individuals separately, rather than relying on the sole verbal representations of one person. Finally, and most importantly, auditors should not rely only on evidence gained from interviews during audit planning or testing. They should obtain corroborating evidence by walking through transaction processes or by testing transactions using documented evidence. </p><p>Professional skepticism is vital to an internal auditor’s mindset, whether he or she is gathering initial information to plan an audit or concluding on audit findings. Cognitive biases — such as truth bias, confirmation bias, and the halo effect — can compromise an internal auditor’s professional skepticism. When this happens, it can lead to an overreliance on oral evidence, misinterpretation of answers received during audit interviews, and failed audits. Being aware of cognitive biases and the importance of professional skepticism can help internal auditors guard against these outcomes. <br></p> <style> p.p1 { line-height:9.0px; font:8.0px 'Interstate Light'; } span.s1 { font:8.0px Interstate; } </style> <p> <strong>Cliff Nuxoll, CIA, CFE, ACDA,</strong><em> internal audit manager at Arthur J. Gallagher and Co. in Rolling Meadow, Ill., contributed to this article. </em><br></p>Chih-Chen Lee1
From Emerging to Leaderhttps://iaonline.theiia.org/2019/Pages/From-Emerging-to-Leader.aspxFrom Emerging to Leader<h2>How has your career advanced since becoming an Emerging Leader?<br></h2><p><strong>Bordelon</strong> Since being recognized as an Emerging Leader in 2014, I have received multiple promotions. I’m now an associate director at my firm. I’m still at the same great firm 14 years after starting as an intern in 2005. I also have expanded my family and have a four-year-old son and a two-year-old daughter. Trying to set a good example for them and show them that I have a job that I love and can excel at while also being present and visible for them is a daily goal.<br></p><p><strong>Rusate</strong> Since 2017, I have further developed myself professionally by obtaining my Certified Internal Auditor, Certification in Risk Management Assurance, and Certified Information Systems Auditor designations. Working for my current employer has given me the opportunity to advance my skills, while working alongside industry experts, in an environment that openly promotes and rewards individuals for professional development. <br></p><h2>What is your advice for new internal auditors? </h2><p><strong><img src="/2019/PublishingImages/Alex-Rusate.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Rusate</strong> Never stop learning. You can always obtain more knowledge through certifications, internal business processes, industry level knowledge, etc. I have pursued a variety of internal audit skill sets because I expect that the internal auditor of the future will need to have a strong background in financial, operational, IT, and regulatory matters to keep relevant in the evolving business landscape. New technology, such as intelligent automation, will help scale down the tedious tasks that consume auditors’ time and allow them to work on more sophisticated matters that require a higher skill set. </p><p><strong>Bordelon</strong> Don’t overlook the soft skills of listening, being friendly and respectful, asking questions, having a strong work ethic, etc. You can learn the hard skills through research and on-the-job training, but you often cannot teach soft skills. These are usually the distinguishing characteristics between leaders and the status quo.<br></p><h2>What skills have helped you most in your career?</h2><p><strong><img src="/2019/PublishingImages/Leslie-Bordelon.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Bordelon</strong> Maintaining a positive outlook/disposition regardless of the project, client temperament, location — travel or not — or circumstance has been an essential skill that has helped me in my career. I try to look at all situations in a positive light and see all projects as an opportunity to add one more arrow to my quiver of skills. Having this outlook has helped me when deadlines are tough or I’m traveling away from my family. Another skill that has helped me is flexibility. I’m a planner by nature and love to know what I’m working on for the next week, year, or even five years. Being a consultant in internal audit has challenged me in that area as my schedule/work commitments change almost daily. Trying to go with the flow and be flexible has been a skill that I’ve had to develop over time, but one that has served me well in my career. </p><p><strong>Rusate</strong> Thinking critically and taking on new challenges with enthusiasm are two traits that have helped me most in my career. Thinking critically has helped me when I have identified opportunities for improvement for unaddressed risks during walkthroughs and testing, and not simply taking management’s explanation at face value. Typically, management will know significantly more about a process than you; however, when you combine critical thinking with your holistic knowledge of the company, you can identify risks and opportunities for improvement. Taking on new challenges, such as auditing areas not traditionally reviewed or subject matter that I do not have experience with, has helped to enhance my career. When encountering these situations, I make sure that I have or develop the skills needed to conduct the engagement before accepting it in accordance with IIA Standard 1210: Proficiency. When you have the ability to identify risks, discover process improvements, and step up to address engagements that are important to the chief audit executive, management, or the board, it helps make you a trusted advisor.<br></p><h2>What has been your most satisfying moment as an internal auditor?</h2><p><strong>Rusate</strong> My most satisfying moment was when the global controller reached out to the internal audit team to ask that we help at an advisory level to investigate a potential accounting issue at a manufacturing plant. The figures were not consistent with management’s expectation or the fiscal performance of the other manufacturing plants, and management did not have resources available to look into the irregularity. I was assigned to the engagement and was able to determine the root cause of the issue — the implementation of a new ERP system the previous year. Identifying the root cause enabled management to implement corrective actions that led to the company having increased profitability from that plant on a consistent basis. </p><p><strong>Bordelon</strong> I worked on a project last year with a very tight deadline, a mountain of work, and a good bit of travel. I had a team of all stars, and we worked together to accomplish more than anyone thought possible in such a short period. In fact, we not only completed the project on time, but delivered extra value in many ways and built some great friendships and bonds along the way. It’s a project that I won’t soon forget.</p><h2>What frustrates you most in your work?</h2><p><strong>Bordelon</strong> I get frustrated with the negative connotation some people have regarding Sarbanes-Oxley work. I think that work is a fantastic way to learn all aspects of a company, build relationships with clients, and expand your knowledge of an industry. Sarbanes-Oxley work has been invaluable in my career and has afforded me the ability to work on both my hard and soft skills.</p><p><strong>Rusate</strong> A challenge in the profession is working with engagement contacts to make sure you maintain a good balance between achieving audit deliverable dates while still being cognizant of their day-to-day responsibilities. Maintaining a mutually respectful relationship with the engagement contacts will help ensure the audit is received in a positive manner and ensure the sustainability of effective audits going forward. <br></p><h2>Why do you stay in the profession? </h2><p><strong>Rusate</strong> I stay in the profession because of the diversity of the subject matter, growth opportunities, and the ability to add value across the entire organization. This profession allows me to gain exposure to functions across businesses, which then enables me to more accurately identify key risks within processes. Furthermore, internal auditing is growing faster than most other professions, according to the U.S. Bureau of Labor Statistics. As reported in the last issuance of the bureau’s Occupational Outlook Handbook, employment for internal audit professionals will grow 10% from 2016 to 2026, faster than the 7% national projected average for all occupations. The main reason I stay in the profession is to add value to the organization. Whether it be through identifying risk and working with management to mitigate it down to an acceptable level or identifying process improvement opportunities that drive revenue or cut costs, those are some of the most rewarding aspects of the profession. </p><p><strong>Bordelon</strong> I stay in the profession because I enjoy the mentoring that my job enables me to participate in and being able to help my clients solve problems and achieve their goals. My colleagues, teams, and mentors are an extension of my family, and I truly feel valued and appreciated in my company and by my clients. </p><p>I’m also excited about the future of internal auditing. As companies start to embrace new technologies such as machine learning and robotic process automation, internal audit teams have to really rethink how they approach their work. Adopting more agile practices and understanding both the opportunities and the risks presented by these technologies will put next-generation auditing in a great position to help companies transform their businesses. I’m really looking forward to being a part of that process.  <br></p>Staff1
Communication Skills for Successhttps://iaonline.theiia.org/2019/Pages/Communication-Skills-for-Success.aspxCommunication Skills for Success<p>After gaining years of internal audit experience, associate internal auditors may be promoted to senior internal auditor. Internal audit management may recognize the auditor’s professional growth and want to encourage continued development. </p><p>Senior internal auditors are responsible for leading audits across the organization while working with associate internal auditors on various audit projects. Through many years’ experience, senior auditors have had extensive opportunities to hone internal audit-specific skills, such as testing, workpaper execution, and audit report writing. <br></p><p>New senior auditors may not have experience in the area of developing and coaching  the individuals on their audit project team. And while senior auditors may have strategies for teaching internal audit practices and processes, they might not possess the skills that help develop a well-rounded associate auditor. Therefore, it is the senior auditor’s responsibility to not only understand what promotes the professional growth of associate auditors, but also the strategies for effectively teaching the skills that ensure success. How the skills are taught often impacts the ability to grasp new internal audit concepts and processes. </p><p>Three key communication skills for new senior auditors to master are language selection and usage that encourages learning and growth, demonstrating strong communication skills to strengthen the skills of the team, and facilitating strategic communications through business partnerships. These skills cover the various interactions internal auditors experience daily.</p><h2>1. Language Selection</h2><p>A senior auditor’s word selection, tone, and inflection can make a tremendous difference in the effectiveness of communication. One area in particular is providing constructive feedback. Such feedback, while both well-intentioned and important, may not be well-received because of the inflection and tone of voice. Some associates may be able to hear the message through the inflection and tone, but others may focus solely on it, and completely miss the objective of the message. </p><p>To assess the associate auditor’s understanding when explaining an internal audit concept, the senior auditor might ask, “Does that make sense?” versus “Are we okay?” or “Are we good?” This makes a difference in determining progress and encouraging discussion. While it may be well-meaning, “Does that make sense?” is phrased in such a way that might not permit feedback (and if it does, is focused on the topic being taught). “Are we okay?” can open dialogue for the associate auditor to ask questions, as well as voice concerns. Using “we” indicates that the learning process involves both the internal audit senior and associate. This phrasing can sometimes encourage a broader conversation, rather than solely confirming a successful transfer of knowledge. </p><p>Simple changes in wording can have a huge impact on the team’s morale and skill development, especially because associate auditors may have varying professional backgrounds and different learning styles. Word choice, tone, and inflection can help reinforce the meaning of one’s message and encourages professional and productive discussions.</p><h2>2. Demonstrating Communication Skills</h2><p>When a senior auditor thoughtfully considers language, and makes necessary changes in phrasing and tone to best support the team, it is appropriate to then demonstrate his or her communication skills. As senior auditors work with a variety of stakeholders, they should consider their written and oral communications.  </p><p><strong>Written Communication</strong> New associate auditors who are learning the internal audit department culture will undoubtedly copy the communication style of their leaders; therefore, it is critical to reflect upon one’s own written communication and replace bad communication habits with a strong communication style. After all, one cannot hold associate auditors to a high communication standard if senior auditors are not modeling appropriate communication skills, themselves. From time to time, jargon is used in memorandums and emails are sent lacking punctuation, grammar, or spelling. Associate auditors are included in correspondence, so professional language and communication should be used in all interactions. Even if it takes a few extra minutes, senior auditors should proofread written communication. <br></p><p><strong>Oral Communication</strong> Exposing associates to various learning experiences is important; however, careful planning by the senior auditor is necessary to set up the individual and team for success. For example, if an associate auditor has never presented in front of audit client management, why have him or her present for the first time at the closing meeting, which may be more sensitive than the opening meeting? The associate may be successful, but chances are, without experience, he or she will flounder. Such unplanned approaches to training decrease team morale, and send a message to the audit client that internal audit is not a supportive and growth-focused department. A planned and intentional approach to communication training sends a message that the senior auditor cares not only about the success of the audit, but the associates, too. <br></p><h2>3. Strategic Communication </h2><p>Strong business partnering relationships are often built in informal ways, whether that be a walk around the office during lunch, a short coffee break, or by dropping by someone’s office. Chances are that at one time or another, a leader within the internal audit department has included the recently promoted senior auditor in such opportunities. By including associates in such interactions, it helps them build their own network and demonstrates the way in which to build their own relationships with leaders throughout the enterprise. This can help improve the image and reputation of the internal audit department within the organization.</p><p>Senior auditors also can help facilitate opportunities for communication skill improvement among associate auditors through the presentation of technical skills. Associate auditors may have professional and educational backgrounds in areas outside of the department under review, but possess specialized skills in subjects such as predictive modeling and project management. These skills are not only valuable in their application within the internal audit role, but they are also useful across the enterprise. When appropriate, senior auditors can initiate the conversation among business management about the possibility of a workshop or webinar, for example, and encourage the associate auditor to share his or her expertise with audit clients. </p><h2>Fostering Success </h2><p>Being promoted from associate internal auditor to senior internal auditor is reason to celebrate one’s professional accomplishments. However, with such promotion comes increased responsibility. And to foster further success, it is necessary to implement the communication skills that will progress one’s own professional development, as well as help improve the skills of emerging talent within the internal audit department. <br></p>Christine Hogan Hayes1
Well-deserved Criticism?https://iaonline.theiia.org/2019/Pages/Well-deserved-Criticism.aspxWell-deserved Criticism?<p>During the last few years, internal auditing has faced significant criticism from both stakeholders and practitioners. Much of it centers around audit effectiveness and the profession’s ability to identify and report risks and failures, as highlighted in research from professional service firms. The IIA’s own 2019 North American Pulse of Internal Audit points to audit communication deficiencies and potential misalignment with corporate boards on risk areas. But does the profession deserve all of this criticism? Is it truly underperforming? <br></p><p>In my experience, senior management at publicly listed companies mostly views internal audit as a necessary evil — a nonessential service function that is either required by a listing exchange or by corporate boards. Otherwise, there is no general appetite to maintain an internal audit function unless the senior executive team, or the board, recognizes the value internal audit adds in providing assurance and improvement opportunities. Because internal audit is not valued, it is not granted sufficient operating budget, which limits the function’s ability to cover organizational risks. </p><p>Not surprisingly, many surveys of the profession reveal that internal audit struggles to attract and retain talent, is mostly underfunded, and lacks resources, including technology. Gartner’s 2018 Audit State of the Function report projected budgets increasing only slightly in 2019 and flat head count for 2019, consistent with prior years. And among respondents to Deloitte’s 2018 Global Chief Audit Executive survey, more than 40% said their audit functions lacked skills and talent; plus, only 21% used advanced analytics. How can the profession proactively identify and manage cutting-edge risks in areas such as blockchain, cybersecurity, and fraud when it does not have appropriate capital and technology?</p><p>But limited budgets and resources are not the profession’s only impediments — lack of control over internal audit’s activities and purview, as manifested through our organizational reporting relationships, also presents a problem. At most U.S. publicly listed firms, the chief audit executive reports administratively to the chief financial officer (CFO) and functionally to the audit committee. This configuration risks the CFO providing insufficient budget and other resources and using internal audit to complete projects and tasks not included in the audit plan — activities that might ordinarily fall on other CFO functions — thereby detracting from internal audit’s ability to conduct risk-based audits or complete its plan. </p><p>Given its limited budgets, inadequate technology resources, understaffing, and lack of autonomy, the profession does not deserve much of the harsh criticism it has received. Only when the audit function is truly independent and empowered will it be able to provide effective support to management and the board, sit at the forefront of risk management, and be able to proactively identify and help remedy corporate misconduct and fraud.  <br></p>Chris Dogas1
Editor's Note: Internal Audit's Emerging Starshttps://iaonline.theiia.org/2019/Pages/Editors-Note-Internal-Audits-Emerging-Stars.aspxEditor's Note: Internal Audit's Emerging Stars<p>This marks the seventh year <em>Internal Auditor</em> has recognized emerging leaders in the internal audit profession. Our <a href="/2019/Pages/Emerging-Leaders-2019.aspx">2019 Emerging Leaders</a> join 100 other young professionals who have been recognized since 2013. </p><p>Past honorees have not rested on their laurels, but instead, as expected, continue to achieve great things. For example:</p><ul><li>At the time they were named Emerging Leaders, 74 had their Certified Internal Auditor (CIA) designation. Today, 89 are CIAs. </li><li>Since being named an Emerging Leader, 71 have new job titles or have moved to new companies.</li><li>Three Emerging Leaders have served on The IIA’s North American Board and Global Board of Directors. Seventeen leaders have served on one or more of The IIA’s committees.</li><li><p>Emerging Leaders have written 88 blog posts/articles for the magazine, and 46 leaders have been interviewed for Internal Auditor articles. <br></p></li></ul><p>Two former Emerging Leaders, Leslie Bordelon (2014) and Alex Rusate (2017) share how their careers have progressed since their recognition in this issue’s <a href="/2019/Pages/From-Emerging-to-Leader.aspx">“Eye on Business."</a> Rusate, for example, has obtained three new certifications since 2017. Bordelon and Rusate offer up-and-coming internal auditors advice on how to advance in the profession and explain why they stay in internal auditing. Bordelon says she’s excited about the future of the profession. “As companies start to embrace new technologies such as machine learning and robotic process automation, internal audit teams have to really rethink how they approach their work,” she says.<br></p><p>Technology is a theme throughout the “Emerging Leaders 2019” article. “In fact, emphasizing analytics seems almost old-fashioned to the 2019 honorees; they assume analytics are key to internal audit and continually expand their skills — often on their own time,” writes author Russell Jackson. This year’s leaders recognize that this expertise can open doors for internal auditors, and they’re eager to be meaningful players in their organization’s success, Jackson says. </p><p>On another note, when you’re Wright, you’re Wright. With this issue, we wish “Risk Watch” contributing editor Charlie Wright a fond farewell and introduce Rick Wright (no relation) as the new contributing editor. A big thank you to Charlie for his time and effort, and for the outstanding contributions he’s made to this department. We are fortunate to have Rick as Charlie’s replacement beginning in December. Rick is the director of internal audit and enterprise risk management for YRC Worldwide. He is also the author of <em>The Internal Auditor’s Guide to Risk Assessment and Internal Auditing: Uncover the Myths, Discover the Value</em>. Welcome, Rick!<br></p>Anne Millage0
Emerging Leaders: 2019https://iaonline.theiia.org/2019/Pages/Emerging-Leaders-2019.aspxEmerging Leaders: 2019<p>​Each year's Emerging Leaders talk less about the profession pivoting to a trusted advisor role and more about actually performing that role — and how excited they are to expand internal audit's influence into new areas. Indeed, the 2019 Emerging Leaders' diversity shows partly in the variety of experiences they've had in an advisory capacity and their specific goals for expanding the profession's profile. And as in previous years, the 2019 Emerging Leaders are a diverse, multinational group. Since the first crop of honorees in 2013, 14 countries have been represented; this year's professionals hail from The Republic of Belarus, Canada, the U.S., and Zambia. Just under half since the beginning are women, just over half are men — many of whom have advanced to positions of greater leadership and gone on to volunteer in key IIA governance and advisory positions. </p><p>As a group, this year's Emerging Leaders are enthusiastic about talking up internal auditing — to schools, business groups, and their colleagues — and about supporting the profession through expanded participation in local professional organizations. Technology, as always, is what these high-performing practitioners want to talk about. Automation and data analytics are familiar. In fact, emphasizing analytics seems almost old-fashioned to the 2019 honorees; they assume analytics are key to internal auditing and continually expand their skills — often on their own time. That expertise opens doors to more internal auditor interaction with organizations' executives, and this year's Emerging Leaders are eager to take advantage of the opportunities they see ahead to be meaningful players in their enterprises' success.</p><h2> <img src="/2019/PublishingImages/Sweeney.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Jordan Sweeney, <strong>CFE</strong><br></h2><p> <strong>28,</strong><strong> Senior Auditor</strong><br><strong>City of Sacramento, Calif.</strong></p><p>Jordan Sweeney conducts “impactful audits,” as one colleague puts it, and she is hailed for following up to ensure recommendations are implemented. From day one, the University of California at Davis graduate was given sole responsibility for auditing the city’s Department of Utilities (DOU). As a result of her consistent follow-up efforts, the DOU has achieved “a realized monetary benefit of more than $15.2 million dollars,” reports Sweeney’s supervisor, Sacramento Assistant City Auditor Lynn Bashaw. “She continues to work with the department to implement recommendations made in her audits,” Bashaw adds, “as well as recommendations made in previous audits.” Sweeney says providing informal audit training to DOU staff members responsible for the recommendation follow-up efforts helps them understand what internal audit is looking for and communicate that to other staff, thereby reducing the number of documentation requests she has to submit. She also manages the city’s whistleblower hotline for reporting fraud, waste, or abuse, and so far has resolved more than 80 cases. Sweeney, who holds a master’s degree in civil engineering, came to the profession after learning about it at home — her husband is a premium auditor for an insurance company. The work seemed challenging yet fun, she explains, and used many of the same data analysis and problem-solving skills an engineering education requires. Sweeney adds: “I felt it would be very rewarding to be a part of something with such a big impact on how the government operates.” </p><h2> <img src="/2019/PublishingImages/Cheng.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Cheng Cheng, CIA</h2><p> <strong>28, Consultant, Enterprise Risk Service</strong><br><strong>MNP LLP</strong><br><strong>Toronto<br></strong></p><p> <strong></strong>This is how Cheng Cheng characterizes his profession: "I selected internal auditing because it's challenging, nonroutine, and fun." The University of Toronto graduate started out with a degree in commerce and a master's degree in accounting; early in his career, Cheng worked on finance, assurance, and internal audit-related jobs, ultimately opting for the latter as his main focus. "Every day is a new challenge and learning  opportunity," he says. One early challenge was how dependent consulting is on experience and industry knowledge, which he lacked at the time. "I forced myself out of my comfort zone," he says. "I told myself, 'Don't' be afraid to ask questions.'" And having tapped his mentor's experience to great effect, he advises those working with professionals who have extensive knowledge in the field to observe how they work. Cheng's own work encompasses internal controls over financial reporting, payroll audits, external quality assessment, and risk-based operational and compliance audits, notes MNP colleague Jim Barbour, who cites another challenge Cheng has overcome. "A recent client required him to reconstruct multiple years' payroll reporting to tax authorities," Barbour says. "He used document capture and data analytics tools to prepare and evaluate the source data for the required deliverables." Cheng points to the value of communication skills as key to explaining deliverables to clients. "No matter how technology evolves," he says, "we will always need to build relationships with people." Outside internal audit, pick-up basketball games most weekends constitute Cheng's No. 1 hobby. He's also an active volunteer in MNP's Community Activity Project and Education program and serves as treasurer for IIA–Toronto. </p><h2> <img src="/2019/PublishingImages/Fritz.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Blaine Fritz, CIA</h2><p> <strong>29, Governance & Operations Manager/Chief of Staff</strong><br><strong>GSK</strong><br><strong>Research Triangle Park, N.C.</strong></p><p>Blaine Fritz became an internal auditor to understand how companies work from the inside out. He hit the professional jackpot: The Michigan State University graduate has led global audit teams and conducted engagements across multiple risks — commercial practices, anti-bribery and corruption, financial controls and reporting, and supply chain, to name a few. His work has spanned multiple functions, cultures, and geographies, including North and South America, Europe, and Asia. The former audit manager, who’s since moved into Managed Markets and Government Affairs, has also led multiple initiatives to improve the internal audit function at GSK, notes his manager, John Boone, vice president, Contract Management and Operations. “He’s gathering observations on the impact of an audit from a business perspective,” Boone says, “and will feed these observations back into the internal audit function to improve efficiency and effectiveness and minimize business disruption in future audits.” Other projects include leading the Audit Ways of Working Alignment Project, which identified differences in approach between regions and among risk areas, and facilitating training on audit process and third-party oversight. The people part of the equation, Fritz says, is key. “My work provides an opportunity to gain a global perspective and cultural awareness through the people I meet around the world,” he says. Fritz focuses on internal audit’s evolving role, noting that use of the audit function as a resource for insights gained through sharing of good practices across the business represents an important change for the profession. “Auditors can share an enterprise view gained from experiences in different risks and parts of the business,” he comments. Outside the office, the soccer player and youth team coach also serves as an Early Talent Mentor for GSK’s Future Leaders Program and as a member of GSK’s Orange Day Volunteer Committee; each year, employees spend Orange Day off-site, volunteering at a charity of their choosing.</p><h2> <img src="/2019/PublishingImages/Donner.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Melissa Morlan Donner, CIA</h2><p> <strong>26, Audit Supervisor</strong><br><strong>Bank of America</strong><br><strong>Chicago</strong></p><p>Melissa Morlan Donner prefers people to face forward in their approach to internal auditing. "If 'well, that's how we did it last year' is the only rationale you have for something," she says, "there's probably a way to improve it." That often involves automation and, especially, being able to understand what it's doing. Already, the University of Florida graduate notes, a key skill for internal auditors is "the ability to understand how automation can be applied." Writing code is a plus for anyone to possess, she says. "But more important is being able to clearly articulate what you think an automated process would look like and have a grasp of what is possible before working with an automation expert to get it done." Donner built her audit skills analyzing and testing controls across various industries as a consultant, while also project managing the day-to-day activities of those engagements, reports current supervisor Janet Jarnagin, an audit director at Bank of America. Now Donner is responsible for board and executive management reporting, including presentations summarizing audit results, issue status, and audit department performance to the organization's highest governing bodies, Jarnagin says. Within months of starting at Bank of America, Donner designed a new monthly business review for the chief audit executive (CAE) to oversee department operations and revamped the issue management report for the CEO's management team. Donner says that's a good example of the trusted advisor role internal audit is taking on, and she adds that data visualization is an increasingly important part of it. Reporting a 1% to 2% month-over-month increase via text or a slide may not raise red flags, she explains. But seeing a line chart spanning six months that shows a 10%-plus increase — with a six-month projection if nothing happens — "can really serve as a call to action," she says. Donner is a member of The IIA's Chicago chapter and volunteers at TutorMate, an online program that helps kids improve their reading skills.</p><h2> <img src="/2019/PublishingImages/Munshya.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Kenson Munshya, CIA, CISA</h2><p> <strong>29, Audit Manager</strong><br><strong>Stanbic Bank Zambia</strong><br><strong>Lusaka</strong></p><p>Kenson Munshya first saw internal audit from the outside, and found himself impressed by practitioners' insights and deep understanding of the organizations he was auditing externally. "Over time," the Rusangu University Zambia graduate says, "I started looking at the internal auditors' reports as one of the reference points to gain an understanding of clients." Then he joined them — and started spreading the word about internal auditing. "He has a mission to make a difference in the profession," says colleague Chuma Silutongwe. He adds that Munshya was instrumental in helping parent company Standard Bank Group's Africa regions team win the firm's 2018 Group Internal Audit Mark of Excellence Award for enhancing the use of data analytics and audit automation. Plus, he's supported teams from Namibia, Malawi, Botswana, and Mauritius in providing key insight on IT-related engagements, such as cybersecurity and business continuity audits. Munshya says practitioners need to prepare for the future by improving their skills in data analytics, machine learning, and artificial intelligence (AI); he is piloting the automation of the company's audit process using those very skills. Still, he adds, "ultimately, it comes down to one's people skills to manage change and influence decisions." Internal auditing often involves negotiating with management, so a firm grasp of the disruptive technologies combined with people skills is key, Munshya stresses. "I'm amazed at internal audit's ability to influence an organization and be a change agent around strategy and operations, as well as around governance, risk, and internal controls," he says. Outside of internal audit, Munshya enjoys decidedly low-tech pastimes, including chess, jogging, and reading. He also volunteers for outreach programs through his church and is an active member of IIA–Zambia. </p><h2> <img src="/2019/PublishingImages/Cook.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Maddie Cook, CPA</h2><p> <strong>30, Senior Manager, Consulting</strong><br><strong>Crowe LLP</strong><br><strong>Los Angeles</strong></p><p>Maddie Cook is in the enviable position of working in a role that requires her to indulge in one of her favorite pastimes. The job requires travel, and Cook says, "I really enjoy learning about the cultures that are new to me and sampling local cuisine." And her travels provide valuable insights for her global client work, notes Pamela Hrubey, a Crowe managing director and Cook's career coach. "She leverages the business experience she has gained from working in Canada and the United States to support a variety of clients with offices around the globe," Hrubey says, "bringing a balanced business perspective along with her deep knowledge of internal controls." The University of Western Ontario graduate is also part of an innovation team considering ways to leverage blockchain technology to create internal audit efficiencies, and she's been researching the potential of robotic process automation and AI. "Clearly we will see, over time, these technologies playing a large role within our profession," she comments. To assess controls around that technology, internal auditors will need a robust understanding of how it functions, the associated risks, and the organization's strategy for integrating the technology into its business processes. "The more knowledge we have, the better we will be able to assist, review, and potentially advise management on implementation in the future," Cook says. She also points to significant opportunity to use these technologies in audit work. Companies are making the move to blockchain and other technologies to advance their businesses, she notes. "Internal auditors will need to adapt our methodologies to maximize the associated benefits of the new tools by developing audit programs that increase organizations' confidence in their use." Outside the profession, Cook has donated her time to the Boys & Girls Club of America, a community food bank, and an organization that builds bikes for kids.</p><h2> <img src="/2019/PublishingImages/Wang.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Jiahui “Bella” Wang, CIA</h2><p> <strong>28, Senior Internal Auditor, Computer Information Analyst</strong><br><strong>Atlas Air Inc.</strong><br><strong>Purchase, N.Y.</strong></p><p>Bella Wang was surprised to learn how much soft skills support the technical aspects of internal auditing. "I didn't understand the diversity of attributes a practitioner needs to have to be effective," the St. John's University graduate explains. In particular, Wang says that recognizing the importance of sales skills was a professional "aha!" moment. "We are selling our expertise, ideas, and recommendations almost every day to help add value to our organizations." Wang accomplishes that with a firm foundation of technical knowledge, says her supervisor, Charles Windeknecht, Atlas Air's vice president, Internal Audit. "She consistently exhibits a deep understanding of the risk and control considerations she is assessing," he says, "by asking challenging questions in a relevant and meaningful manner." The questions change, of course, as the technology that powers the profession changes. "Technology and automation will make changes in how, where, and when we perform audits," Wang says. Already, she has designed and built several data analytics programs to support internal audit's objective of executing more effective testing, Windeknecht notes. Wang says her department uses analytics routines during annual fraud assessments to help management isolate higher risk transactions. "Senior management is coming to us with more requests to help them identify process improvement opportunities," she says. Wang is also active with the youth education nonprofit Junior Achievement and often speaks at area college and university events about the benefits of internal auditing.</p><h2> <img src="/2019/PublishingImages/Beeston.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Megan Beeston, CFE</h2><p> <strong>29, PRG Senior Associate</strong><br><strong>Frazier & Deeter LLC</strong><br><strong>Atlanta</strong></p><p>Stephen Brown, CAE at PRGX Global, recalls the time Megan Beeston was working on an IT project for his company as part of a co-sourced team when her supervisor was injured and unavailable for an extended period. “Megan stepped up and successfully managed the project with minimal oversight, and exceeded expectations in every way,” Brown says. The Kennesaw State University graduate says the experience provided her tremendous opportunity for learning and growth. “Working in public accounting constantly involves quickly and seamlessly adapting to unexpected situations to avoid delays in projects and deadlines,” she says. She benefitted from having built good relationships with clients — and having the ear of her company’s managers. Early on, she says, she stepped back and realized that internal audit has long used data analytics. But the progress underway now is even more exciting, she adds, as technology increasingly enables internal auditors to expand their capabilities past current roles. “Integrating IT concepts into our strategies will allow us to provide the most value-add to our organizations,” she says. “Any initiative for research or training in technology and how we can apply systems to be more efficient is an important step for us.” Beeston came to the profession when a professor presented it in a compelling way — making her realize she could use people skills to make her role more successful and help people solve problems, which she saw as a perfect fit. Her internship exposed her to a variety of roles and projects, piquing her interest even further. “The ability to wear many hats — as an extension of an organization as its internal audit function, as a service auditor, or consulting through process improvements and security assessments — challenges me technically and as a person,” she says. Outside internal audit, Beeston plays tennis and watches college football. She also fundraises for the Leukemia & Lymphoma Society through her company, volunteers on select weekends with the pediatric grief counseling organization Kate’s Club, and co-chairs the mentor–mentee program at her local IIA chapter.</p><h2> <img src="/2019/PublishingImages/Orunkhanov.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Aidar Orunkhanov</h2><p> <strong>29, Solutions Director</strong><br><strong>TAMR</strong><br><strong>Cambridge, Mass.</strong></p><p>Aidar Orunkhanov approaches internal audit from a different perspective. The University of Illinois at Urbana–Champaign graduate started out in data analytics and came across internal auditing by chance. But he noticed that the profession was beginning to implement data-driven methodologies and saw the potential to implement analytics. He’s now back in data analytics, at a start-up that applies machine learning to data unification, but comments that the massive amounts of data produced by new technology will propel internal auditing toward near-real-time functionality and other elements of automation, raising some worries about technology replacing humans. But he says the technology can’t replace humans completely: “I’d call it ‘using new tools’ rather than ‘managing robotic assets.’ Robotic process automation [RPA] is an ideal solution to frequently repeated rule-based processes.” RPA, in fact, should free up time for more creative and exciting work, he says. One example: He led development of an automated dashboard at a former employer that provides auditors with timely changes to risk profiles and data-enabled outliers for testing purposes. He also co-led a hands-on data analytics training program for 200 colleagues. In addition, Orunkhanov lectures at Boston University, teaching a graduate-level course in business analytics. On weekends, he enjoys travel photography. “The gear I carry has grown exponentially,” he says,” but an incredible Instagram picture is worth it all.” Orunkhanov also volunteers at a local food bank and helps families file their tax returns.</p><h2> <img src="/2019/PublishingImages/Carnevale.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Marilyn Carnevale, CIA, CPA</h2><p> <strong>30, Senior Auditor</strong><br><strong>Rutgers, The State University of New Jersey</strong><br><strong>Piscataway, N.J.</strong></p><p>After a stint in external audit, Marilyn Carnevale has been happily surprised by how gratifying she’s found her internal audit career — particularly the newness of each assignment. “Internal audit procedures often have to be developed from scratch to meet the unique needs of an organization,” she says. “It’s exceptionally challenging, but completely rewarding when our recommendations come to fruition.” At Rutgers, her alma mater, Carnevale was assigned to assist on “a major, multi-phased project,” reports her supervisor, Marion Candrea, manager, Audit and Advisory Services. “It was part of a highly regulated area that required a rigorous learning curve that she easily overcame,” Candrea says, adding that Carnevale started taking on lead auditor tasks right away. With that responsibility came the opportunity to work with student interns. In fact, she was so effective that she soon earned the title of internship program supervisor. Carnevale remembers people leaving her former public accounting firm for internal audit positions, but adds now: “Honestly, I did not even know if I would be any good at it.” Her ties to the university moved her to pursue the position she’s in. “The fact that I’d never heard of internal auditing until about four years into my career is partially why I believe in advocating for the profession,” she says. That includes educating students about options beyond public accounting. In her free time, Carnevale volunteers at The IIA’s Central Jersey Chapter, attends Rutgers athletics events, donates her hair to Locks of Love and Pantene Beautiful Lengths — and plays the piano. </p><h2> <img src="/2019/PublishingImages/Ballweg.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Christopher Ballweg, CIA, CISA</h2><p> <strong>28, IT Audit Supervisor</strong><br><strong>American Financial Group Inc.</strong><br><strong>Cincinnati</strong></p><p>No matter how much internal audit technology advances, success in the profession will always rely on people skills, according to Christopher Ballweg. With a primary focus on IT audits, he sees technological advancements as key to driving change — but the University of Kentucky graduate also stresses that “relationship-building, clear communication, and adaptability” are a practitioners’ most important competencies. Indeed, he says, auditors must be able to clearly communicate any questions or observations, regardless of the business partner. Education helps. Ballweg started at American Financial Group right out of college, notes former colleague Brian McNalley, IT audit manager at Macy’s and a 2018 Emerging Leader. Since then, he has received two key professional certifications and an MBA from Mount St. Joseph University. On the job, Ballweg has been a team leader for engagements involving cybersecurity, disaster recovery, business continuity, the Payment Card Industry Data Security Standard, and U.S. Sarbanes-Oxley Act of 2002 compliance. “A key challenge is ensuring that our work is adding value to our various stakeholders,” Ballweg says. Practitioners who want to be seen as trusted advisors, he adds, must know stakeholders’ goals and ensure that engagements are focused on delivering value. That, he says, requires flexibility. “Continuous change is the aspect of the profession I enjoy most,” he says. When he started, cybersecurity audits and the U.S. National Institute of Standards and Technology Cybersecurity Framework were “still in their infancy,” he says. “Now they’re on the mind of nearly every stakeholder in an organization.” Ballweg has been active in The IIA’s Cincinnati Chapter since 2013, and is a board member of his local American Cancer Society Young Professionals group.</p><h2> <img src="/2019/PublishingImages/Delores.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Christiane Dolores</h2><p> <strong>29, Internal Audit Manager</strong><br><strong>Caesars Entertainment Corp.</strong><br><strong>Las Vegas</strong></p><p>Today's students at the University of Nevada Las Vegas have access to a career insight that Christiane Dolores didn't. The alumna makes a point to attend events on campus to meet students and engage them in the internal audit community, she says, because most of her time as a student was spent learning about external auditing. She's become deeply involved in the profession, having served on the IIA–Las Vegas board as secretary, vice president of Programs, and now vice president, notes her supervisor, Victor Echenique, Caesars' internal audit director. Dolores led an awareness initiative about the services internal audit provides and created a brochure for Internal Audit Awareness Month that was distributed to 145 colleagues throughout the Caesars organization. She excels at her job, Echenique says, winning the "Audit Ninja" title as internal audit's Employee of the Quarter and Employee of the Year six times in a department of more than 80 practitioners. She manages planning and execution of compliance, financial, and operational audits of business operations at casino properties in multiple states, and she's a leader in the department's philanthropy efforts. Dolores didn't set out to be an internal auditor, starting her career in Accounts Receivable and moving around the enterprise to learn several different accounting functions in the organization's nongaming enterprises. "I had no intention of working for internal audit," she says. Then, conversations with a colleague helped change her mind. Now she calls it "probably the best decision I've made for myself." </p><h2> <img src="/2019/PublishingImages/Katsiaryna.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Katsiaryna Pranovich</h2><p> <strong>29, Chief Auditor </strong> <br> <strong>JSC MTBank</strong><br><strong>Minsk, Republic of Belarus</strong></p><p>Katsiaryna Pranovich has learned the value of listening. Early on, she found communicating with internal clients to be “the most laborious, difficult aspect of the job.” But then she learned to listen more attentively to her colleagues, she says, to focus better on what they need from her. “That, plus gaining experience and exercising patience allowed me to adjust my style of communication,” she explains. Pranovich sharpens her people and public speaking skills with stand-up performances of her own comedy material in local clubs and cafes. One of her favorite parts of the job, the Belarusian State Technical University graduate emphasizes, is helping colleagues deal with difficult situations. Another is the opportunity to “engage in different areas of the organization’s activities.” Pranovich extends her internal audit interactions outside the enterprise as well, notes Pavel Varyvonchyk, CAE at JSC MTBank. “She constantly expands her professional skills by attending seminars and conferences,” he says, “which allows her to maintain professional relations with internal auditors at similar companies here and in neighboring countries.” Indeed, Varyvonchyk adds, Pranovich is a two-time winner of the firm’s Best Employee Award. One reason is her involvement in a project examining data mining for automated internal auditing, which aims for continuous monitoring of key departmental indicators of possible process violations. Another project Pranovich heads up is creating automated workpapers and options for management decision-making following audits. Pranovich is, in fact, lauded for her methodologically accurate documents. “The devil is in the details,” she says, “especially with the increasing speed of work and changes in business processes.”</p><h2> <img src="/2019/PublishingImages/Spittler.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" />Steve Spittler, CPA, CISA</h2><p> <strong>28, Senior IT Internal Auditor</strong><br><strong>LPL Financial</strong><br><strong>Fort Mill, S.C.</strong></p><p>Steve Spittler is a technology enthusiast with strong people skills — two important assets for an internal auditor specializing in IT engagements. “As companies move to the cloud and increase use of third-party vendors,” says the Bentley University graduate, “even practitioners who mainly perform business or compliance audits need to understand the implications cybersecurity could have on their engagements.” Nearly every audit his team performs has cybersecurity considerations, he notes. A recent challenge involved leading both the Vendor SOC1 testing program and the cybersecurity audit for the enterprise, reports co-worker and unofficial mentee Anja Erlandson, senior analyst, risk management, at LPL. “He not only completed the tasks,” she says, “he assisted the business in creating new internal controls, making recommendations consistent with industry best practices.” He also has added visual analytics to audit reports, analyzed large data sets to identify discrepancies, and tested the effectiveness of department policies and procedures. The first few years of Spittler’s career were spent as a public accountant conducting external financial audits; he says the move to his current post represented an opportunity to grow his skills. His social network also has expanded. Spittler says: “What I love about my job is the level of collaboration and the people.” Most of his engagements are integrated, with the business audit and IT audit teams working together, he notes, citing the value of building relationships with clients. Practitioners often can see firsthand the improvements made because of their recommendations, he adds. Off the clock, Spittler volunteers at the Humane Society, the Metrolina Food Bank, and the Boys & Girls Club of America.</p><h2> <img src="/2019/PublishingImages/Murray.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Sarah Murray, CIA</h2><p> <strong>27, Senior Auditor</strong><br><strong>Savannah River Nuclear Solutions</strong><br><strong>Aiken, S.C.<br></strong></p><p> <strong></strong>For Sarah Murray, early career inspiration came from an audit class project that involved creating flowcharts and identifying control deficiencies. "It was totally different than anything I had done in my accounting studies thus far," she says. The Augusta University graduate enjoyed it enough to apply for an internal audit internship and ended up "falling in love with the work and the variety of people that you get to meet." One part of the job she's especially fond of is working with data. "It always has a story to tell you," she notes. Former Augusta University accounting lecturer and current colleague Steve Loflin, principal internal auditor at Savannah River Nuclear Solutions, says Murray's skills in analytical and substantive testing are exceptionally advanced. "As much as she impressed me as a student," he comments, "I've been even more impressed by her abilities as an internal auditor." Loflin adds that Murray is known for her timely and effective auditing and her ability to build relationships. Murray does have an agenda: She's out to end the "gotcha" and "take no prisoners" stereotypes of internal auditors. She makes a point to find ways to minimize nervous tension during engagements by checking clients' work spaces for clues to a favorite football team or new grandchildren. "I get them talking about those things to loosen them up," she notes, "and see audit as a function that is truly there to help." Murray also volunteers with local youth ministries, and with the River of Life, which provides exterior home repairs and improvements to local community members. In addition, she's active in, and a former officer of, The IIA's Central Savannah River Area Chapter. </p><p><br></p><p><img src="/2019/PublishingImages/EmergingLeaders_oct%2719_judges.jpg" alt="" style="margin:5px;" /><br></p>Russell A. Jackson0
Auditing With Grithttps://iaonline.theiia.org/2019/Pages/Auditing-With-Grit.aspxAuditing With Grit<p>What seems like an eternity ago, I received a book in the mail titled <em>Grit: The Power of Passion and Perseverance</em>, by Angela Duckworth. It was sent to me by my mentor and friend with a note that said, "You are gritty, and gritty is good." I wasn't sure at first what he meant, but after reading the book I was inclined to agree that grit is a quality I possess.</p><p>According to Duckworth, "[If you have] a deep and abiding interest, a ready appetite for constant challenge, an evolved sense of purpose, and a buoyant confidence in your ability to keep going that no adversity could sink," you probably rate high on the grit scale. I like to think this describes me. It may also describe many internal auditors, as these qualities are often necessary to perform our jobs effectively. </p><h2>Personal and Professional Grit  </h2><p>My capacity for grit was tested a few years ago when I faced a challenge in my personal life. In 2015, I tested positive for the BRAC1 breast cancer gene mutation. After discussions with close family and friends, I underwent multiple preventive surgeries, including a double mastectomy in 2016. While some might consider this measure extreme, an 86% chance of developing breast cancer in my lifetime was not something I was willing to accept. Now my risk has been reduced to 10% per general statistics, and 2–5% per my doctors — odds I'm much more comfortable with. </p><p>I also discovered the value of grit in my professional life. Early in my career, I took an internal audit position at a large financial services company. I then left the job a few years later for a traditional accounting position, only to return soon afterward to internal auditing upon realizing that's where my true passion lies. I progressed quickly to the role of internal audit director and woke up every day for the next eight years with the same enthusiasm I had at the beginning of my career — and the perseverance to make a difference in the audit profession.   </p><p>Staying true to my friend and mentor's observation, I recently mustered internal grit once again by resolving to start my own business. Now my work involves practicing, teaching, and training others about internal auditing, including the concept of <em>grit</em> and how it applies exceptionally well to the profession.</p><h2>Grit in Practice</h2><p>Duckworth describes those with grit as high achievers who possess qualities such as diligence, persistence, determination, focus, and the ability to overcome obstacles. She also explains in her book that talent, aptitude, skill, and education are not enough. </p><p>Grit, as it relates to internal auditing, starts with a passion and desire to make a difference in the organization. It means looking forward to the next engagement or challenge. It means having the courage to point out what others may not want to see. </p><p>Great auditors have to combine an understanding of operations, financial processes, and technology with the curiosity to find risky or unusual items. They also must possess the ability to establish relationships and build trust with management. And, of course, auditors must do all this while not always being greeted with open arms by their clients.</p><p>How do great auditors accomplish great things? They do it with grit. They audit with passion, working toward longer term, strategic goals that are of value to the organization, with the necessary resolve and follow-through to reach those goals. They do it with perseverance, working with the courage and determination to pursue an engagement or finding, despite obstacles, until their job is complete.</p><h2>Are You Gritty?</h2><p>How do practitioners determine whether they have the qualities to be a gritty auditor? First, they should make sure they are in the right place or in the right profession by answering a few questions:</p><ul><li>Are you passionate about your organization, clients, and engagements? </li><li>Do you look forward to delivering relevant, value-added findings to management?  </li><li><p>Do you believe in the larger purpose of auditing and its impact on your organization or clients?</p></li></ul><p>If the answer to each of these questions is "yes," internal auditors should then make sure they tackle their work every day with an eye toward five key factors: </p><ol><li><strong>Achievement.</strong> Believe respect is earned and reward and recognition come after achievement.  Add value through the systematic identification and mitigation of risk and implementation of solutions that result in significant improvements.</li><li><strong>Focus.</strong> Gain the necessary knowledge for each engagement. Risk assess engagements using appropriate knowledge and input. Focus on meeting value-added objectives. Set timetables and manage engagements to timely completion.</li><li><strong>Time/Resources.</strong> Allocate time to the high-impact goals, risks, and improvement opportunities within engagements. Apply the latest tools and technology while controlling audit costs; do more with less.</li><li><strong>Effort.</strong> Create a culture of commitment. Be committed to every engagement and to supporting the success of the organization. Work hard and smart. Continuously improve yourself and your techniques.</li><li><strong>Reputation.</strong> Build a reputation for providing a valuable service and fulfilling promises. Be known for your resolve and agility to overcome obstacles and ensure success. Remain adept and nimble as you audit in an ever-changing world, within evolving organizations, leadership, strategies, technologies, and risks.</li></ol><p>Practitioners who perform their work with these factors top of mind can safely say they audit with grit.</p><h2>The Power of Grit</h2><p>To quote Duckworth, "Our potential is one thing, what we do with it is quite another." Internal auditors have a tremendous platform to improve effectiveness within an organization, a platform that is sometimes underutilized. It's time to show grit as auditors and spend each day working to our full potential. <br></p>Amanda "Jo" Erven1
A Blended Approachhttps://iaonline.theiia.org/2019/Pages/A-Blended-Approach.aspxA Blended Approach<p>​Traditional audits are often awash in wasted time, unnecessary conflict, and incorrect assumptions. Active auditing is a form of Agile auditing that was developed in a major utility company to eliminate, or at least substantially decrease, these kinds of wasteful activities. The term active auditing was, in fact, coined because it is the antonym of passivity and waiting.</p><p>Lean — often synonymous with the Toyota Production System — is a change-making methodology. Agile is an IT project management approach. Active auditing borrows concepts from both disciplines to create a more efficient way to run audits. The catalog of material describing both Lean and Agile principles is vast, so active auditing borrows only what is needed to create an audit system that can work better than a traditional one. The system can best be explained by breaking it down into three pillars.</p><h2>Pillar One: Energetic Collaboration<br></h2><p>Lean and Agile both preach that there can be only one team, and that team members must work together throughout the project. However, the reality is often two teams — the audit client and auditors — facing each other across a battlefield even while proclaiming their intent to work collaboratively. Active auditing recognizes that both teams work for the board, and the board has the right to expect both to behave as a single, combined team. </p><p> <img src="/2019/PublishingImages/Coleman-combining-lean-agile-techniques.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:450px;height:331px;" />Collaborating energetically is a choice to which both auditors and audit clients must commit. Without deliberate and overt commitment, both groups tend to fall back into bad habits. Once committed, the two develop shared ground rules — defining what’s nonnegotiable for each of them and how they want to work together. Personal connection is critical for collaboration, so information should be shared early, often, and in person, as much as possible.</p><p>Beyond the practical steps, auditors must lead in making themselves open and vulnerable. This can be a scary step, as auditors typically are so accustomed to maintaining professional distance that laying their cards on the table may not come naturally. Auditors must be the first to extend an authentic, though likely uncomfortable, hand to the audit clients to collaborate. And they must mean it — in everything they say and do.</p><p>When teams energetically collaborate, better information is offered, rather than extracted; far less time is wasted; there are fewer misunderstandings; clients grow to believe the auditors understand them; there is less conflict, which is good for clients and auditor; and the audit can be fun.</p><h2>Pillar Two: Iterative Audit Execution<br></h2><p>Agile as a software development methodology was created to counter traditional sequential Waterfall techniques. Waterfall is how most construction projects are managed — by planning, designing, building, and implementing. It relies on high-quality requirements-gathering at the beginning of a project and an acceptance that changes midstream are unwelcome. In contrast, Agile embraces flexibility and change. To manage this flexibility, Agile breaks the work down into iterations, or sprints. An iteration is a mini-software project, with a specified beginning and end, that is structured to produce working and sellable software at its completion. If a typical large software project takes two years, an Agile project will produce perhaps 12 instances of sellable code over that time, whereas a Waterfall project will produce one. </p><p>The overall risk of the project is reduced because the Agile project tests the market frequently, while the Waterfall project hopes its grand unveiling two years from now is still what the market wants.</p><p>Active auditing borrows from the concept of iterations — breaking down the audit program into mini-audits. The typical steps of an audit — from risk assessment to workpaper approval — still occur, but in smaller chunks. And they are completed before moving to the next iteration. </p><p>Active auditing starts by building an overall audit program, which is the best initial guess at the right control objectives and fieldwork steps. Then, using engagement planning sessions, the work is assigned to time-boxed iterations. Time-boxing establishes start and end dates that auditors and clients commit to work within. It’s best to keep an iteration to between two and four weeks, but that choice depends on the fieldwork. After each iteration, the single, combined team pauses to reevaluate and ask: </p><ul><li>Based on what’s been learned, what needs to change? <br></li><li>Is the risk assessment still valid? <br></li><li>Are all the fieldwork steps required to assess the con-<br></li><li>trol objective? <br></li><li>Are the right people involved? <br></li><li>Where are the bottlenecks? <br></li></ul><p>Both Lean and Agile teach internal auditors to welcome change to their audit program as they learn more and reassess risk. They can’t assume initial planning was perfect, so they should embrace an evolving audit. In return, when audits are executed as smaller mini-audits, they become easier to manage because work is done in digestible bites, countermeasures to address problems can be applied in the next iteration, and the audit can be stopped after an iteration and still have useful results.<br></p><h2>Pillar Three: Visual Management <br></h2><p>A central principle of Lean is to make waste visible. When waste is visible, the people involved can work together to eliminate it. Frequently, “waste” appears in audit work in the form of waiting, unnecessary motion, rework, and overproduction. Active auditing uses visual management techniques borrowed from Lean to allow the combined team to fully understand the audit’s progress and each member of the combined team’s part in it. </p><p>The greatest waste in auditing involves waiting. Waiting for data to be provided, emails to be returned, interviews to be scheduled, and so on. Internal auditors compensate by shifting their focus to other things, but that means rework as they have to reeducate themselves on the subject when they return to that work. Making lost time visible using visual management tools drives wait time down. </p><p>As often as every day for 15-30 minutes, auditors and clients should hold a standup meeting around a visual control board (VCB). The VCB consists of panels that show progress on the audit program, assigned tasks, a “dog house” for tasks that aren’t getting done, a shared master calendar, and a “hearts & minds” board to capture shared expectations and concerns. Because Lean is inherently a change-making methodology, it provides techniques for helping build mutual purpose, and daily standup meetings with the audit clients in front of the VCB are an important example. VCBs can be as large as an entire purpose-built wall or as small as an 11x17 piece of paper taped to a conference room whiteboard. Visual management can ensure: </p><ul><li>Every member of the single, combined audit–client team is constantly updated on status. <br></li><li>Problems are visible long before they manifest; waiting actions — such as data or report requests — are visible to the entire team, and therefore can be expedited. <br></li><li>The human aspects of an audit (anxiety, mistrust, etc.) are addressed openly and treated as legitimate risks to the project.<br></li></ul> <h2>Celebrate the Audit <br></h2><p>Active auditing borrows two additional important concepts from Agile. The first is retrospectives. In an Agile software project, after each sprint, the team gets together to examine what went well and what should change. This is a critical aspect of improvement and it should occur at the end of every audit, and often at the end of any sizeable iteration. Ceremonies and celebrations are the second concept borrowed from Agile for the conclusion of the audit. The team members come together to celebrate, perhaps with food, and take a moment to reflect on the work they did together. </p><h2>Audit Without Limits <br></h2><p>It can be difficult to implement all three pillars at once. The best first step is to start holding frequent, but brief, standup meetings with audit clients and auditors. It will quickly become clear that the standups are more effective with some form of visual management tool. The VCB should be developed early and expanded and refined over time. As standups progress, it should become easier to collaborate more effectively by developing ground rules and acknowledging the human side of the auditor–client relationship.   </p><p>In the end, the three pillars of active auditing work in concert. Energetic collaboration allows visual management to function smoothly to manage the audit work. Tight monitoring of progress through visual management allows the audit to execute iteratively. Timely and frequently completed audit work is the outcome of internal auditors and the audit clients working as a single team. The specific techniques used are likely to vary among companies and even across audits, but the core concepts contained in each pillar are universal and can be implemented anywhere. <br></p>Prescott Coleman1

  • AuditBoard_Dec 2091_Premium 1
  • IIA CIA_Dec 2019_Premium 2
  • IIA AEC_Dec 2019_Premium 3