Diversity in Action in Action<p>​For any chief audit executives (CAEs) unsure of the need to embrace diversity in their teams, consider this: Diverse teams outperform non-diverse ones. According to data from management consultancy McKinsey, gender diverse teams outperform those lacking this mix by 15 percent. "If that doesn't get you on board with diversity and inclusion, then it might be time to rethink your approach to team management," says Kate Headley, director of talent management firm The Clear Company.</p><p>There are several ways that CAEs can take action to improve gender diversity in their teams. Linnea Texin, senior consultant at Corporate Citizenship, a management consultancy, suggests that firstly, CAEs should engage their teams to pinpoint the key issues that affect their ability to recruit, advance, and retain female talent, while also looking at wider, external issues, such as regional and industry trends.</p><p>Secondly, CAEs should ask key stakeholders — including executives, core team members, and customers — what key actions they feel the team should take to improve diversity. Thirdly, audit executives should set performance metrics and targets to check they are making progress. And lastly, the whole strategy should be well-communicated so that the whole team understands the rationale and is behind it. "More transparency helps build trust," says Texin.</p><p>Any successful approach to improving gender diversity will depend on attracting and hiring female talent, followed by developing, motivating, and retaining staff, says Patrick Voss, managing director at Jeito, a culture and engagement consultancy. Each requires a different set of activities to make it successful, says Voss — and he offers two simple options to help make it work.</p><p>"For those internal audit teams that are in-house and of a much bigger company, speak to the human resources team to see what initiatives they have in place to encourage greater diversity in the workplace. The chances are that a potential employee will be drawn by the company brand in the first place, so consider how the internal audit team can build on this."</p><p>Secondly, Voss advises asking members the audit team, as well as individuals outside the audit function, to describe the culture in three words. The response, she says, will help provide an idea of how internal audit is perceived. "Then speak to female colleagues and peers and assess their reaction to these descriptions," she adds. "If they suggest this sounds like an unappealing place to work, think about how you might shift this culture."</p><p>Stephen Frost, founder of Frost Included, a diversity consultancy, says that "gender bias" in departments and organizations can be reduced through conscious and more self-aware leadership, and through changes to the recruitment and appraisal processes. "A Harvard Kennedy School study found that a more diverse recruitment resulted when candidates were presented in groups, rather than one-by-one," Frost says. "Mixed interview panels are also important, and organizations like Goldman Sachs, Lloyds Bank, and KPMG now insist on at least one female executive in any panel when interviewing for senior-level recruitment," he adds.</p><p>Another method is to process applications and potential promotions purely based on skills and experience. Using a "name blind" policy will also help avoid discrimination not only by gender, but also by age, nationality, address, and any other information that has nothing to do with past successes and experience.</p><p>However, the key issue to improve inclusivity and performance within internal audit departments shouldn't necessarily be just about gender, Frost says. "For various complex sociological reasons you may also have women who actually manifest typically male attributes and attitudes, which is not the answer. Successful businesses need to create an environment that is genuinely diverse in its character and outlook, and it should challenge and counterbalance such stereotypical male values."</p><p>Experts also warn about confusing diversity with a "numbers game." Voss says that CAEs should not try to "set targets for target's sake." "Aiming for a 50/50 split is fantastic, but if it is unlikely to be reached, then aim for step-by-step increases that might be more manageable," he explains. "Think through where you currently are on gender balance and set yourself realistic targets based on the pool of talent you have access to and the marketplace."</p><p>Headley also says that it may be best to "forget about numbers" as they can "be detrimental to success." "In smaller teams, quotas can often be both harder to achieve and irrelevant in terms of the skills needed to carry out the job at hand," she says.</p><p>Research has shown that companies do not need to have a 50/50 split between men and women to achieve the benefits associated with gender diversity. In fact, The CS Gender 3000: Women in Senior Management, a 2014 report by financial services firm Credit Suisse, shows that even at the highest level of the organization, companies with just one female director achieved better share price performance than those companies without women during the previous six years. </p><p>"Embracing true diversity means focusing on the capabilities of the individual, rather than their gender, ethnic origin, social background, or any other demographic," Headley says. "This includes assessing a person's potential to develop the technical skills needed for the role, rather than their existing abilities. If your recruitment processes are inclusive, the by-product will be a truly diverse team."</p>Neil Hodge1
Top Articles of 2016 Articles of 2016<div>Last year we published nearly 150 articles on our website, in addition to our blogs and social media posts. Below are the year’s 10 most popular features, based on visits to the site.</div><div><br>Judging by the list, it’s clear that you, our audience, were especially hungry for perspectives on fraud-related topics. You also showed an interest in soft skills and ways to improve the internal audit function. Our annual feature on Emerging Leaders has historically been a top performer as well, and 2016 (see No. 2 spot) was no exception.<br></div><p></p><div><ol><li> <a href="/2016/Pages/Toxic-Leaders-Toxic-Culture.aspx">Toxic Leaders, Toxic Culture​</a><br></li><li> <a href="/2016/Pages/On-the-Rise-2016.aspx">On the Rise: 2016​</a><br></li><li> <a href="/2016/Pages/Getting-More-From-Interviews.aspx">Getting More From Interviews</a><br></li><li> <a href="/2016/Pages/A-Matter-of-Trust.aspx">A Matter of Trust</a><br></li><li> <a href="/2016/Pages/Proactive-Fraud-Analysis.aspx">Proactive Fraud Analysis</a><br></li><li> <a href="/2016/Pages/5-Steps-to-Agile-Project-Success.aspx">5 Steps to Agile Project Success</a><br></li><li> <a href="/2016/Pages/Fraud-and-Related-party-Transactions.aspx">Fraud and Related-party Transactions</a><br></li><li> <a href="/2016/Pages/Integrating-Key-Risk-and-Performance-Indicators.aspx">Integrating Key Risk and Performance Indicators</a><br></li><li> <a href="/2016/Pages/On-the-Hunt-for-Payroll-Fraud.aspx">On the Hunt for Payroll Fraud</a><br></li><li> <a href="/2016/Pages/Optimizing-Internal-Audit.aspx">Optimizing Internal Audit​​</a><br></li></ol></div><p><br></p>Staff0
Growth Through Challenge Through Challenge<p>​Nothing prepared Kayla Brown for her first audit road trip. After a steady diet of compliance work at Atlanta-based children’s apparel company Carter’s Inc., she was sent across the country to audit the operations of six of its California stores. She was 23 years old, traveling alone, and had never rented a car before. “Being on your first job,” she says, “it’s the little things that can stress you out.”<br></p><p>Once Brown arrived on the West Coast, she encountered some initial skepticism from store managers. Some thought she didn’t seem old enough to be auditing the businesses they had worked at for many years. Most of the audits went smoothly, but one store didn’t do so well. “Luckily, the store manager was good to work with, so it wasn’t a difficult conversation,” she says. “But it’s not great to be the bad guy. You want the business to get better and you want to serve as a partner.”<br></p><p>Despite Brown’s nervousness, the California audits were a great experience and a launching pad for her current career. Three years into her job, she has led Carter’s retail store audits throughout the U.S. and Canada. <br></p><p>Brown’s desire to be a business partner and her eagerness to learn are typical of young auditors entering the profession. Like Brown, challenges encountered during early audit assignments are often the fire that ignites successful careers at a young age. Some of <em>Internal Auditor</em>’s current and previous Emerging Leaders share their experiences.<br></p><h2>Into the Deep End</h2><p>Today’s young auditors reflect the profession’s growing emphasis on being multifaceted — no one’s going to confuse them with accountants. Some like Brown have emerged from universities with internal audit curricula, such as those that are part of The IIA’s Internal Audit Educational Partnership. Others have come over from external audit firms. Then there are those like Seth Peterson who fall into the job.<br></p><p>Peterson, assistant vice president and internal audit manager with The First National Bank in Sioux Falls, S.D., wasn’t looking to be an internal auditor — his interest was banking. A professor at Buena Vista University suggested he get a job as a bank examiner to gain a sense of which area of banking he wanted to pursue, but there weren’t any openings. After a stint in an operations job at another Sioux Falls-based bank, he applied for an internal audit opening that could give him the overall view of the bank that he wanted.<br></p><p>For Peterson, internal audit was a whole new world. He knew nothing about auditing, and he didn’t know what to expect. Yet, what initially was intended to be a short-term position quickly turned into a great career opportunity. “Everything about internal auditing was new to me,” he says. “I went into it with an open slate: I didn’t know what I was doing. I thought, ‘Let’s figure this out and shape what I want to do.’” <br></p><p>Those first audits were a trial by fire. His first bank had a series of frauds and control breakdowns. “It let me see when things go bad, how bad they could go,” Peterson recalls. Although the frauds were consumer-driven, the audits involved gathering facts from bank employees who were fearful that their mistakes might cost them their job. For a young auditor, they were tough conversations that involved balancing internal audit’s need to be objective with the interest to build trust with audit clients. “Looking back, I could have been better prepared and equipped to handle those interviews,” Peterson admits. <br></p><p>Such trials can be a great way to learn, as long as auditors aren’t overwhelmed by them, Peterson says. He credits his boss at the time, Joel Baier, with giving him feedback on his work and sharing his own experiences — and the mistakes he had made along the way. “What was most valuable to me was him sharing what didn’t work for him, what the mistakes were, and what he learned from that,” Peterson says. <br></p><h2>Prepared to Succeed</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Sound Advice</strong> <br>Emerging Leaders past and present offer some tips for new entrants to the profession. Their core message is simple: Master the soft skills.<br><br><strong>Get a Mentor </strong>New auditors can learn much from audit leaders and other experienced co-workers, including how to communicate with clients about sensitive issues and how to protect their independence and remain objective. “Whenever I had some issues or questions regarding internal auditing, Olga was there to help with advice,” says Maja Milosavljevic of her mentor Olga Antic. Sometimes the best mentors will come from outside the profession, such as audit clients, company executives, and board members. “In interacting with executives and board members, you’re learning from some high-powered and experienced people,” Derrick Li says.<br><br><strong>Build Relationships</strong> Interactions with audit clients are opportunities for internal auditors to demonstrate how audit services can provide value, Seth Peterson says. But to get to that point, clients need to see auditors as people. Peterson recommends breaking the ice by getting involved in company volunteering activities. “You’d be surprised by what you can learn about someone from volunteering with them,” he says. “They see you as something other than an auditor.”<br><br><strong>Learn From Mistakes</strong> For new auditors, mistakes come with the territory. A bad client meeting can serve as a teachable moment — so can feedback from superiors. Auditors can learn from mentors’ and audit leaders’ mistakes, as well. As Andrew Loyack of Ahold Delhaize says, auditors shouldn’t have to touch the stove to know they’ll get burned. Above all, be resilient, he advises. “If you get knocked down, pick yourself up and learn from your mistake,” he says. <br><br><strong>Network</strong> When she speaks to college students about the profession, Kayla Brown stresses the same thing: networking. She should know — she landed an internship through a contact of one of her professors. Brown’s boss at that internship referred her to a colleague who became her boss at Carters. “Even if you love your current job, you never know when your circumstances might change,” she says. Networking helps on the job, as well. Khristi Ferguson of AccuAccounts reached out to fellow internal audit leaders in other Caribbean countries to share challenges and to get advice. “That helped a lot, just getting started,” she says.</td></tr></tbody></table><p>Those tough early conversations have shaped how Peterson leads his current team at The First National Bank in Sioux Falls. There, his focus is on having audit clients see internal auditors as people — and vice versa — which “helps people open up and lets us do our job more effectively,” he says.<br></p><p>That’s a lesson Derrick Li has taken to heart over the years. Li is director of internal audit and performance improvement at Translink, the public transportation authority for the Vancouver, British Columbia, region. As a young auditor, “you have to go in with a customer-first mentality,” he explains. “Otherwise, you come in as young and inexperienced, and you’ll quickly be shown the door.”<br></p><p>Li learned to be client-centric when he worked for outsourced internal audit clients while he was at professional services firm BDO. Because most of their internal audits were one-off engagements, internal auditors needed to develop future business by demonstrating the value that internal audit can provide business units. It’s a mentality he took with him to future internal audit jobs. <br></p><p>Another lesson Li learned from his audit consulting days was the value of preparation. One of his first internal audits at BDO was a board governance review for a large public company that had received poor governance ratings. For this review, Li interviewed board members who were top corporate executives. These could have been daunting exchanges for a new auditor, but Li came in prepared to ask the right questions. “You may not know as much as the people you’re auditing, but doing that prep work and demonstrating that knowledge can go a long way,” he stresses.<br></p><p>Upon leaving BDO, Li became a CAE at a succession of public sector organizations in Vancouver, each one more complex and with greater operating revenues. Unlike many young auditors, he didn’t have a CAE to teach him the leadership ropes. In his current position at Translink, he’s the youngest member of a staff of eight internal auditors, and he’s instilled them with that twin focus on the client and being prepared. His team has moved from primarily conducting financial compliance audits to doing performance, risk, and even Lean Six Sigma engagements. “Audit clients will quickly see if you’re all talk,” he says. “You’ve got to demonstrate quickly that you’re able to deliver. And if you make promises, you’d better commit to keeping them.”<br></p><h2>Changing Mind-sets</h2><p>Developing those client relationships can be challenging for new auditors at a time when they are just beginning to develop their “people skills,” says Maja Milosavljevic, senior auditor with EY in Belgrade, Serbia. Starting her career at the National Bank of Serbia, she learned the importance of developing a strong network throughout the organization, as well as having a good internal audit methodology. She observed how her mentor, Olga Antic, organized audit engagements and approached audit clients. “From my first projects, I learned how complex and detailed the work of internal audit can be and how important it is to have a good audit methodology to rely on,” Milosavljevic says.<br></p><p>From Antic, she learned how to gain her clients’ confidence, even when they were sometimes afraid of being audited. And she learned fundamental principles of working — including the International Standards for the Professional Practice of Internal Auditing — that she applies today. One big lesson was how to maintain her independence and objectivity. Antic advised her that “there are no strict rules for every situation internal auditors may find themselves in,” Milosavljevic recalls. “It is up to me to find an adequate solution for every situation I find myself in to preserve my independence and objectivity.”<br></p><p>Antic encouraged Milosavljevic to obtain her Certified Internal Auditor designation, and after a year she moved on to Erste Bank, where she advanced to senior internal auditor before landing her current job this year. Still, Milosavljevic struggles to convince audit clients that she is a trusted adviser, rather than a controller, in a country where internal audit is still a relatively new profession. “Looking back, I wish I had known that the mind-sets of people could be changed,” she says. “I would advise my younger self to always be persistent and polite with people when trying to influence their mind-set, because it is a process that requires time, but gives long-term results.”<br></p><h2>Youth Takes the Lead</h2><p>Like Milosavljevic, Khristi Ferguson has had to win over audit clients early in her career, but sometimes she’s had to convince her colleagues, as well. After working in external audit at Deloitte and KPMG following graduation from college, Ferguson moved into internal audit when she joined The Bahamas government as an internal audit director.  <br></p><p>Government, with its entrenched bureaucracy and potential for corruption, turned out to be a particularly challenging first internal audit job. One of Ferguson’s first larger audits was an operational review of the general post office. There, she found hardly any controls in place, operations that were ad-hoc, and audit clients who didn’t understand their strategic direction and purpose, much less what the auditors were doing there. “I spent most of my time with management, assuring them that this is not a ‘gotcha moment,’” Ferguson says. Instead, she wanted to get an overall view of operations and advise management of the regulations they needed to follow. “Some didn’t even know those rules existed,” she recalls.<br></p><p>Despite her external audit background, there was a learning curve for Ferguson. The Bahamas government has 72 ministries and departments, all with diverse conditions. At times, she had as many as seven audits in progress, covering a range of industries such as aviation, finance, utilities, and transportation. For each engagement, she had to develop specific expertise quickly. “How are you going to become an expert in aviation if you have nothing to do with planes?” she says. “You’ve got to find those rules and regulations, and you have to become an expert overnight.”<br></p><p>Then there was her staff, which comprised a mix of veteran internal auditors and young auditors with little formal training. Ferguson arranged training quickly with help from The IIA. She also upgraded the department’s technology by adding data analytics software, and she drafted one of the auditors who had a technology background to become the department’s IT audit specialist.<br></p><p>Rather than focus on financial audits, as auditors had done before, Ferguson focused her department on operational reviews that would reveal problems and opportunities for improvement. Clients resisted at first, but she convinced some of them quickly once they saw that her department was uncovering issues that they could fix before they were found by the auditor general or external auditors. Others took more convincing. “Some were just staunch and didn’t want to hear anything,” she says. “And then when they saw the audit report, they said, ‘you were right.’”<br></p><h2>Onward and Upward  </h2><p>Ferguson and Milosavljevic are proving that talented auditors are increasingly in demand. For Ferguson, that has meant launching her own business, AccuAccounts, which provides internal audit and consulting services for small companies in The Bahamas. <br></p><p>Another auditor with a new job is Andrew Loyack, who recently joined Zaandam, Netherlands-based Ahold Delhaize, whose U.S. division operates supermarkets along the East Coast. It’s a chance to bring his internal audit skills to the retail industry after eight years in the financial sector with outsourced internal audit provider Financial Outsourcing Solutions (FOS). <br></p><p>Loyack’s first job was a natural progression after studying accounting and management information systems at Shippensburg University of Pennsylvania and interacting with internal auditors during internships. He was struck at first with how much the auditors interacted with clients. Being an outsourced internal auditor was unique in that Loyack worked with lots of different small community bank clients. “It was hard to keep track of all the contacts that I had,” he says. “It wasn’t just separate audits, it was separate organizations and risk appetites.” <br></p><p>Having so many diverse clients made communication a necessity. “It was daunting at first because I was communicating directly with C-level management,” he explains. “Getting to the point where I was comfortable approaching them with questions and concerns was something I would never have fathomed right out of college.”<br></p><p>Those early experiences taught Loyack the value of learning how his clients and co-workers prefer to communicate and learn. He also observed how his mentor at FOS, Lisa Steen, worked through issues with clients. Her best advice for Loyack was to “always maintain that professional, valued adviser position,” he says. <br>Loyack also took advantage of FOS expanding its use of internal audit technology to share his IT knowledge with co-workers. That knowledge-sharing mind-set follows Loyack as he enters the next phase of his career at Ahold, where he is an IT internal auditor. “The things I went through at my first job — the trouble I had where I could have communicated better or more frequently — are things that I already have in the back of my mind so I don’t have to fall into the same potholes,” he says. <br></p><p>It’s those early lessons and experiences that can shape young auditors professionally as they move forward in their careers. And that forward movement is a key point: Like their peers in other professions, today’s young auditors aren’t standing still. They’re eager for new challenges and new opportunities.</p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong>Digital Audit Natives </strong><br>Today’s young auditors are digital natives, so one expects them to be naturals with technology. That was true for Maja Milosavljevic — senior auditor with EY in Belgrade, Serbia — at her first job. “I was more advanced with technology than my more experienced colleagues,” she says. She recalls that the combination of her technology skills and her co-workers’ business knowledge strengthened the audit team. But “there could have been more technology at that time that would have made audit work even more efficient,” she says.<br><br>Auditors craving more modern audit technology don’t always find it smooth sailing. For Khristi Ferguson, who led an internal audit department at The Bahamas Ministry of Finance, it was a matter of work styles. Younger auditors preferred communicating by email. “Technology was more their friend than a foe,” Ferguson notes. The more experienced auditors would get in a car and drive to talk to someone. Ferguson had to bring both camps together so the newer auditors could share how to use technology in their audits and the veteran auditors could teach their new co-workers about the government. “Both sides saw value,” she says. “Did it mesh right away? No, not at all.”<br><br>Being adept with technology and helping co-workers get up to speed can help new auditors advance in their careers. In Andrew Loyack’s case, it led to a new job as an IT auditor with Ahold Delhaize, after working in an operations and compliance audit role at his former employer, Financial Outsourcing Solutions. When he started his previous job, originally as an IT auditor, most audits were done manually, but within three years, the audit function was strongly digital and looking to expand its data analytics capabilities. Loyack took a personal interest, developing a mind-set that he’s carrying over to his new position. “I’m a big knowledge-share person,” he says. “Even if I know something, I want to make sure everybody knows it.”</td></tr></tbody></table><p></p>Tim McCollum1
It's All in the Delivery's-All-in-the-Delivery.aspxIt's All in the Delivery<p>​If there is anything worse than getting bad news, it may be delivering it. No one relishes the awkward, difficult, anxiety-producing exercise of relaying messages that may hurt, humiliate, or upset someone with whom the deliverer has a relationship. And it is often a thankless task. This was recognized at least as far back as Sophocles, who wrote in the tragic play Antigone almost 2,500 years ago, “Nobody loves the messenger who brings bad news.”<br></p><p>Physicians — who are sometimes required to deliver worse news than most professionals ever will — often engage in many hours of classwork and practical experience studying and role-playing how to have difficult conversations with patients and their families. They know that the message, itself, may be devastating, but how they deliver it can help the patient and his or her family begin to process it. <br></p><p>Internal auditors are in the fortunate position of not having to deliver news that is quite so shattering. Nevertheless, there is no question that certain audit observations can be difficult to convey and to receive. Learning how to prepare for and deliver such messages can create a better internal auditor.<br></p><h2>Laying the Groundwork</h2><p>Preparation to deliver difficult messages should begin well in advance, even before there is any bad news to deliver. “If the first time you see the client is to tell them about a problem, that in itself is a problem,” Theresa Grafenstine, inspector general of the U.S. House of Representatives in Washington, D.C., says. “At that point, you have no credibility in their eyes and they have no basis to trust you. You’ve created an uphill climb for yourself. However, if you’ve invested time in building a relationship before that difficult meeting, they’re more likely to listen to you because they’ll understand your values, intent, and motivations.”<br></p><p>Robert Berry, executive director of internal audit at the University of South Alabama in Mobile, points out that many audit–client communication missteps are due to internal audit’s mismanagement of the evolution of audit exception to issue. “Where most auditors fail is that they don’t bring management into the fold until an exception becomes an issue,” he explains. “We can’t afford to leave clients out of the process until the end.” <br></p><p>Berry’s solution is continuous communication via weekly updates to clients from the moment exceptions are noted. Communication starts at the lowest pertinent level in the organizational chain, with the person who owns the process that is under review, and his or her supervisor. Then, as the audit progresses, that upward reporting continues to the highest level of accountability for the issue. In his experience, this approach tends to engage clients in investigating the exception items and working with the auditor to determine if the exceptions are truly issues.<br></p><p>However, despite best efforts in building relationships and staying in regular contact with clients, some meetings will involve conveying difficult news. In those cases, preparation is critical to accomplishing objectives while dealing with fallout.<br></p><p>Being fact-based is the best approach, according to Alyssa Martin, partner in charge of Risk Advisory Services and executive partner at Dallas-based Weaver LLC. “Be fair and factual,” she says. “I find when those receiving the message typically become upset, it’s because they think they aren’t being looked at objectively. Focusing on facts helps with that.” <br></p><p>Before presenting to clients, internal auditors should ask others whose judgment they trust to review all the deductions and conclusions they’ve drawn on the facts to test whether their arguments hold up.<br></p><p>Rod Winters, retired general auditor for Microsoft in Seattle and former chairman of The IIA’s Global Board of Directors, suggests focusing on process as well as content. Process is professionally performing the work, self-preparation for delivering the message, explaining the conclusions in meaningful and realistic ways, and anticipating the consequences and possible response of the person receiving the message. Content is having the right data and valid conclusions so the message is correct and complete. <br></p><p>Self-preparation involves considering the type of person who is receiving the difficult message and determining the best approach. Some people want to hear the bottom line first and the supporting information after that; others want to see a methodical building of the case item by item, with the conclusion at the end. Some are best appealed to via logic; others need a more empathetic delivery. Discussions guided by the appropriate approach are more likely to be productive. Martin’s company goes as far as to tailor its message delivery to personality preferences by using personality profiles like the DISC approach, which characterizes individuals as one of four types with a predominant trait: Dominance, Influence, Steadiness, and Compliance. The individual’s category tends to drive how he or she wants to receive information, interacts with others, and values things and people. When there is critical information that has to be understood and accepted, Martin considers tailored delivery critical.<br></p><h2>During the Discussion</h2><p><img src="/2016/PublishingImages/seago-what%20not%20to%20do.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;width:420px;height:627px;" />Once the groundwork has been laid, it’s time to have the discussion (see “What Not to Do” at right). If this part of the process is mishandled, it can render all the careful preparation moot, so it is important to remember to:<br></p><ul><li>Seek opportunities to balance the discussion by recognizing the processes that are working well and those areas that are not. </li><li>Offer to help or ask how you can help address the issues raised in the discussion. </li><li>Make it clear that you understand the client’s challenges. If feasible, suggest some possible causes for the problem; it may make the client feel better and enable him or her to focus on fixing the problem. </li><li>Maintain open body language, recommends Manny Rosenfeld, senior vice president of Internal Audit, MoneyGram International Inc., in Dallas. Avoid crossing your arms, don’t place your hands over your mouth or on your face, and keep your palms facing each other or slightly upwards instead of downwards. Don’t lean forward or it will seem extra aggressive. Breathe deeply and evenly. If possible, mimic the body language of the message recipient, as long as the recipient is remaining calm. If the recipient begins to show signs of defensiveness or strong aggression, and your efforts to calm the situation are not successful, you might suggest a follow-up meeting for both of you to digest what was said and consider mutually acceptable options.  </li><li>Use self-deprecating humor, if it comes naturally to you. It can help defuse a sensitive situation.</li><li>Present the bottom-line message three times in different ways so people have time to absorb it.</li><li>Let the client vent. Berry warns against a tendency to interrupt the client’s remarks to “explain why we believe we are right.” He says allowing the client time to vent frees him or her to get down to business afterward. </li><li>Focus on problems with the process, not people problems. </li><li>Demonstrate empathy. Take time to think about what’s going through the person’s mind and help him or her think through the issue and how it occurred, what’s going to happen next, and how it will be resolved. Empathy can turn an adversary into a partner.</li></ul><p><br></p><p>“The goal is to get the problem fixed, not persecute somebody,” Rosenfeld says. “Let the client know that your main objective is not to make him or her look bad. You just want to help improve an important area for the company.”</p><h2>When It’s Not a Discussion</h2><p>By the nature of the job, internal auditors cannot limit delivery of bad news to face-to-face discussions; sooner or later, it must be delivered in written form, primarily via the audit report.<br></p><p>“If the audit report is the first time a client is seeing something in writing, that is the first and biggest mistake,” Berry notes. “Verbal updates are great, but periodic written updates go a long way.”<br></p><p>Once the report is in the client’s hands, many internal auditors offer the client the opportunity to request minor changes to the report, under strict conditions. Winters has done so, and explains, “I have great respect for operating management and the pressures it is under. I like to give them as much input into the report as possible, as long as it does not change the conclusion, blunt the clarity of the message, or deflect ownership of the issue.” Grafenstine echoes that approach, noting: “Auditors use certain terms so often that we become insulated against them. We forget it is possible to deliver the same message another way.”<br></p><p>That other way may involve minimizing the use of emphasizers in the report and verbally. For example, use “inacurate” instead of “very inaccurate” or “critical” instead of “highly critical.” Understatement can help keep emotional responses in check .<br></p><p>Many internal audit departments include a management response section in audit reports, even going so far as to help management craft the response based on internal audit’s understanding of the board’s perspective. This means focusing on what happened, what is going to be done about it and when, and how the board will know the issue is resolved. Working with managers on this part of the report may help them feel that their job is to resolve the issue, not fight it. <br></p><h2>Avoiding the Pitfalls</h2><p>Delivering difficult information is a minefield, and there are ample opportunities to take a wrong step and see explosive results.<br>“Internal auditors are used to giving bad news and can become very good at it,” Martin says. “But it makes people uncomfortable, so the internal auditor, in turn, becomes uncomfortable.” She says the most common errors internal auditors commit in their communications arise as a result of their desire to avoid conflict and discomfort. The two errors she cites: softening communications (e.g., offering excuses for why the failure occurred and avoiding the tough, straightforward language that is needed to get a message across) and reading the written report to the client. “When you are reading, you are not communicating.”<br></p><p>Another area that can represent a pitfall is failure to keep the verbal report and the written report in sync. In the face-to-face meeting, it is human nature to be empathetic, soften the message, and smooth over some of the rough edges that are in the written report. However, this sort of softening in the meeting can make the written report, with all the direct language intact, an unpleasant surprise, and can cause the recipient to feel betrayed or tricked.<br></p><p>Grafenstine notes the difficult task of finding a balance between empathy and getting the message across. “My approach is not to beat around the bush,” she says. “Be direct, but not accusatory.” She also points to the importance of understanding the culture of the organization. For example, she notes, words that are perfectly acceptable in one place may not be so elsewhere. “In my case, a good example is the term ‘e-discovery.’ In most places it’s fine, but its potential impact on protections provided under Article 1 of the Constitution gives it a completely different meaning on Capitol Hill.”<br></p><p>Emotional intelligence — understanding how to read people and relate to them — also helps in delivering difficult messages effectively. This is not an innate trait for many people, and it is a difficult one to learn, as are many of the so-called soft skills. Yet they are critical to the practice of internal auditing. <br></p><p>“In my experience, auditors rarely get in trouble over their technical skills because those are easier to master,” Rosenfeld says. “They get in trouble over insufficient soft skills. College degrees and professional certifications are all aimed at the technical skills. Sadly, very little is done to help auditors with the equally critical soft skills.”<br></p><p>Watching a mentor deliver difficult messages or deal with emotional people is also an effective ways to absorb good practices. Role-playing of potentially troublesome presentations to a friendly group (say, the internal audit staff) is another way to exercise one’s skills. <br></p><p>Delivering bad news is largely a matter of practice and experience, and it’s not something internal auditors have the choice to avoid. As Winters explains, “At the end of the day, you need to deliver the news and ensure they understand it. But your underlying objective is to ensure the issue is remediated, the associated risk is understood and effectively mitigated, and you have built an appropriate relationship going forward so you can do your job objectively and effectively.”  </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong>Setting the Standard on Communications</strong><br>This excerpt from section 2400 of The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em> addresses appropriate practices relating to communication. The newly revised version of the Standards, including the wording below, becomes effective Jan. 1, 2017. Refer to the Standards for additional detail.<br><br><strong>2400 – Communicating Results</strong> Internal auditors must communicate the results of engagements. <br><strong>2410 – Criteria for Communicating <em>International Standards for the Professional Practice of Internal Auditing</em></strong> Communications must include the engagement’s objectives, scope, and results. <br><strong>2410.A1</strong> – Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors’ opinion should be provided. An opinion must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information. <br><strong>2410.A2</strong> – Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications. <br><strong>2410.A3</strong> – When releasing engagement results to parties outside the organization, the communication must include limitations on distribution and use of the results. <br><strong>2410.C1</strong> – Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client. <br><strong>2420 – Quality of Communications</strong> Communications must be accurate, objective, clear, concise, constructive, complete, and timely. <br><strong>2421 – Errors and Omissions</strong> If a final communication contains a significant error or omission, the chief audit executive must communicate corrected information to all parties who received the original communication.</td></tr></tbody></table><p></p>Jane Seago1
Breaking Through Through<p>​What if you were told that gender diversity increases overall corporate revenue? In fact, a 2016 study by EY and the Peterson Institute for International Economics found that although female CEOs neither underperform or outperform male CEOs, an increase in the share of women in top management positions “from zero to 30 percent would be associated with a 15 percent rise in profitability.” And according to Ilene Lang, former president and CEO of Catalyst Inc., a nonprofit organization that promotes inclusive workplaces for women, “Research continues to show that diversity well managed yields more innovation and is tied to enhanced financial performance — factors good for all employees.” Yet, the number of women in leadership positions continues to significantly lag that of men. <br></p><p>I recently facilitated a session on the topic of women in internal auditing at The IIA’s International Conference in New York City. The session, Women Rising — Succeeding in Internal Audit and Leadership, was led by three female internal audit leaders: Jenitha John, CAE for FirstRand Bank in Sandton, South Africa; Bethmara Kessler, former CAE and now senior vice president, integrated global services, at Campbell Soup Co. in Camden, N.J.; and Dominique Vincenti, vice president, internal audit and financial controls, at Seattle-based Nordstrom. The conversations among the women highlighted that, although the skills needed by female and male internal auditors are virtually the same, women in the profession may face particular challenges.  <br></p><p>Follow-up conversations with the three women, as well as other experts in gender equality, point out the challenges women continue to face in working toward the C-suite. <br></p><h2>Lack of Support</h2><p>Not surprisingly, all of the 50 or so attendees at the IIA session were women, even though it’s been shown that women’s initiatives, to be successful, need the support of senior leaders, most of whom are men. According to Lang, “The preponderance of men in leadership means their efforts are necessary to advance change in the workplace.” Yet men are sometimes reluctant to participate in women’s initiatives, according to Engaging Men in Gender Initiatives: What Change Agents Need to Know, a Catalyst study by Jeanine Prime and Corinne Moss-Racusin. <br></p><p>One of the reasons is the erroneous belief that gains for women result in losses for men, known as a zero-sum mentality. Some organizations may inadvertently foster this mentality by focusing on individual performance and unduly increasing competition, rather than focusing on initiatives that raise corporate performance as a whole, according to the Catalyst study. <br></p><p>“Support from male leaders, in the form of mentorship (career advice and insights) and sponsorship (awareness and access to growth and visibility opportunities), is integral to our ability to systemically and sustainably impact the career progression of women,” Kessler says. “Helping them realize the impact their partnership can have on the success of female talent is an effective method for soliciting their involvement and generating buy-in.”<br></p><p>Encouraging sponsorship and deploying strategies to bridge the female confidence gap should be a key imperative for senior leadership, John adds. Leadership must support the unconscious bias dialogue among its workforce to tackle gender-conscious conversations, and have open and courageous discussions about the ways men and women can support each other going forward. <br></p><p>Adequately communicating the benefits that flow to everyone from diversity and inclusion is an important step toward achieving support for women in the workplace. Rewarding individuals who provide support for diversity and inclusion through acknowledgement and bonuses tied to overall performance can also go a long way.  <br></p><h2>Exclusion</h2><p>Another reason men sometimes don’t participate in women-focused initiatives in the corporate setting is because they are not included or encouraged to from the beginning. “Men should be enthusiasts for the achievement of gender equality and women’s rights,” John says.  According to Joelle Jay, an executive coach specializing in leadership development, women’s sponsorship programs must involve men and start with data to successfully show quantifiable results of moving women into leadership positions. Women’s initiatives “that aren’t backed by action amount to little more than the revving of an engine with the parking break firmly engaged,” Jay says. Mike Kaufmann, chief financial officer of Cardinal Health, was quoted in The Wall Street Journal saying, “If you want to change the numbers, you have to get men involved.” Kaufmann led the women’s network at Cardinal Health, and has won awards for his support of women in the workplace.   <br></p><p>“Early engagement, regular iteration of results (qualitative and quantitative), and celebrating and communicating successes can be effective in maintaining program support and momentum,” Kessler says. “It’s also a path to drawing in additional support. As word and visibility of the return on investment spreads, executives will want to be associated with business and talent impacting results.”<br></p><p>Ensuring that men play an integral part in the planning, and share in the success of women’s initiatives, are critical to achieving desired program goals. Champions of gender initiatives need to get and maintain active male support from the C-suite, and from all levels of leadership in the organization.  <br></p><h2>Apathy</h2><p>Men sometimes don’t participate in or support women’s initiatives because of apathy, according to the Catalyst study, or a sense that these issues don’t apply to them. However, the reason some men are advocates or champions for gender diversity is that they possess a strong sense of fairness. “Men who were committed to the ideal of fairness were found to have more personal concerns about issues of equality in general and were more aware of gender bias in the workplace and likely to take action,” according to the same study.<br></p><p>“At Nordstrom, we help men in the workplace connect with gender diversity challenges on a more personal basis,” Vincente says. “They have sisters, wives, or daughters and they care about their success.”<br></p><p>Kessler also says that finding a personal connection can be an effective method in combating apathy by helping men generate empathy and connect to the cause. “Do your research and engage him in conversation — does he have a daughter? A wife? Are there women who have played an influential role in his life?,” she asks.<br></p><p>The Gender Consciousness Program at FirstRand is sponsored by the CEO and deputy CEO. As John explains, “The ultimate goal of the program is learning enough about the differences between men and women to effectively access and connect with FirstRand’s talent across the organization. Part of that goal is embedding Stephen Covey’s quote, ‘Strength lies in differences and not in similarities.’”<br></p><p>Training, education, and communication on the causes of gender bias, and the positive reasons why some people do support diversity, inclusion, and fairness, are key to overcoming this misconception. <br></p><h2>Our Own Worst Enemy</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Breaking Boundaries</strong><br>International Conference attendee Johanna Salo, internal audit director at UPM in Helsinki, shares the top 10 lessons learned from “Women Rising — Succeeding in Internal Audit and Leadership.” These lessons are for anyone looking to break down gender barriers and succeed in his or her career.<br><br><ul><li><em>Be you.</em> Rather than adapt others’ expectations for your current role, be yourself. </li><li><em>Seize the moment. </em>While going with the flow, stay alert to understand defining moments in your life.</li><li><em>Integrate your life.</em> Internal audit is not a 9 to 5 job, so learning how to integrate your personal and professional life, by setting boundaries and priorities, is important.</li><li><em>Earn respect.</em> Politics are present in every company, so internal audit’s success often depends on sales and conflict management capabilities.</li><li><em>Stay behind facts.</em> Validate people, but stay independent and objective when delivering messages.</li><li><em>Be realistic and practical.</em> Remember to think critically and get to the root cause to make a difference.</li><li><em>Forget silos. </em>The best way to provide assurance is to have a holistic risk view of the organization.</li><li><em>Think context before issue.</em> Consider the magnitude of issues vs. overall context and related dependencies. Optimize efficiencies rather than pinpoint single deficiencies already known by management.  </li><li><em>Rethink reporting. </em>No matter what is intended in written communications, the reader may perceive it differently. Interactive issue remediation can go a long way to make sure you are both on the same page.</li><li><em>Aim at destination with gratitude.</em> Climbing the organizational ladder is often harder for women, so embracing each step with gratitude makes the journey more important than the destination.</li></ul></td></tr></tbody></table><p>Besides the lack of support from their male colleagues and male senior leaders, women are also holding themselves back. In a recently released Global Internal Audit Common Body of Knowledge (CBOK) Practitioner Study report, Women in Internal Auditing: Perspectives From Around the World, women assessed themselves lower than men in the 10 internal audit core professional competencies: professional ethics; internal audit management; application of the International Professional Practices Framework; governance, risk, and control; business acumen; communication; persuasion and collaboration; critical thinking; internal audit delivery; and improvement and innovation.     <br></p><p>Particularly, women rated themselves much lower than men in internal audit management and business acumen. However, lest anyone jump to the conclusion that women are not as well represented in leadership ranks because they actually lack these competencies, consider that research has proven that women consistently rank themselves lower than men. <br></p><p>In fact, Stanford University sociologist Shelley Correll conducted a study where both male and female participants were required, in 20-item rounds, to determine how much white or black appeared on a screen to assess their “contrast sensitivity ability,” a completely fictional skill. Unbeknownst to participants, there were no right or wrong answers, as the amount of black and white were equal in all 20 rounds. However, men assessed their “contrast sensitivity ability” higher than women, and expressed an interest in pursuing a career requiring this ability more often than women.  <br></p><p>“Confidence is a critical, yet often underrated skill with women,” Kessler says. “They tend to believe they either have it or they don’t, which isn’t true. It should be practiced and cultivated along with resilience, which women are usually more apt to focus on.”<br></p><p>Helping women, and their male colleagues, understand that this phenomenon exists, as part of the agenda of a women’s support or initiative program, is a positive step in addressing this issue.  <br></p><h2>A Double Standard</h2><p>In a 2014 Pew Research Center survey on women and leadership, four in 10 survey respondents say that women must do more to prove themselves than their male colleagues. <br></p><p>“The double standard is tough,” Kessler says. “First, because it is a real and not wholly imagined phenomenon, but also because part of it is within our own minds. The first step in combating it is in realizing that you do not need to strive for perfection or absolute alignment to aim for or achieve goals — there are many roads to the same destination.”<br></p><p>One of John’s life mottos is, “Competence builds confidence.” She ventures into unchartered territories, learns as much as she can, and shares her wisdom and opinions. “I also complemented my audit career by becoming a nonexecutive director on boards, which didn’t go unnoticed,” she says. “Learning how to change setbacks into setups will help women overcome any obstacles along their journey.” <br></p><p>Quantifying the number of men vs. women promoted at each level, and setting goals to ensure equality in criteria and rates of promotion, is fundamental to resolving this issue.<br></p><h2>Gender Bias</h2><p>During the session at the International Conference, panelists John, Kessler, and Vincenti discussed another challenge women face: the motherhood penalty. Coined by sociology researchers Correll and Stephen Bernard, it implies that if two equal candidates are presented, the mother is less likely to be recommended to be hired, and would be paid approximately US$11,000 less in salary if she was. Other challenges faced by professional women include a clash of family and work priorities, stereotyping and bias caused by gender norms, lack of social connectivity or inclusion in networks, and lack of sponsorship or mentors. <br></p><p>These issues may be addressed through training, education, and communication; acknowledging that these issues exist; and appealing to all leaders’ sense of fairness to achieve resolution.<br></p><h2>Closing the Gap</h2><p>The CBOK study found that although women in internal auditing are making advances, there continues to be a gender gap, particularly in the more senior ranks. According to the study, women comprise 44 percent of internal audit staff, and only 33 percent of directors and senior managers.<br></p><p>Although some progress has been made in achieving gender diversity in the internal audit profession, in general, the pace has been slow. Initiatives to achieve gender diversity are key, as is tracking the quantifiable success of such programs, to addressing the gender gap. Finally, showcasing female role models in the internal audit profession, like Kessler, John, and Vincenti, may provide inspiration to those looking to advance their careers.  <br></p>Nancy Haig1
Client Feedback Feedback<p>​Feedback from clients can serve as validation of the auditor’s analysis of data, compilation of information, approach to the audit and observations, and acceptance of the recommendations.  <br></p><p>Auditors should seek feedback in a way that helps improve their audit performance. Feedback is more effective when it reinforces what the auditor did right instead of wrong, and it allows him or her to judge what needs to be changed during the course of the audit. Moreover, feedback is best when it relates to a specific observation, data analysis, or audit query; is timely; and is delivered appropriately. It should be to the point, constructive, and provide relevant details, as any gap will lead the auditor in an unwanted direction. <br></p><p>Though feedback can be given at any time, there are steps internal auditors can take to ensure that the feedback they receive is useful and constructive.<br></p><h2>Frequency and Stages of Feedback</h2><p>Client feedback can be given regularly during the audit or as requested by the auditor, and it is a normal part of any audit. Practitioners document client feedback and use it as a foundation for the next level ofn audit review or incorporate it into the audit report, itself. Useful feedback can help steer auditors in the right direction and increase audit effectiveness. There are several times when it is appropriate to ask for feedback. <br><br><strong>During the Opening Meeting</strong> The first step toward transparency and positive participation with the audit client is establishing clarity around the objective and scope of the audit, tentative duration of review, and initial records and details that are required during the kickoff meeting. The meeting gives the client an opportunity to raise questions and ask for clarifications, if any, from the auditor. It’s important that the client leave the meeting with a clear understanding of the process and realistic expectations so the audit starts off on the right foot. <br></p><p>When the auditor is explaining the objectives in the kickoff meeting, he or she also should reference how the reports or management requests will be used to review certain areas to gauge whether relevant processes or controls need to be strengthened. The client’s participation and feedback in this discussion will help finalize the scope of review and determine acceptance, ownership, and accountability.<br></p><p>Clients should recognize that their enhanced performance, through the auditor’s recommended corrective measures, will help in achieving their department’s objectives. So establishing an honest understanding of audit objectives and respective roles of auditor and client should take place before the start of the audit.<br><br><strong>During the Audit</strong> The auditor applies different approaches and techniques during the audit review and communicates verbally and in writing when an issue arises. The client’s responses, actions, reactions, and behavior are the kind of feedback an auditor should look for when the audit is being conducted. After explaining the scope and objective of the audit in the kickoff meeting, the auditor should ensure that the review is being conducted within the same scope, without any intention to find mistakes, errors, or fraud. <br></p><p>If the client feels any sense of negativity about the audit, he or she may withdraw and be reluctant to provide information or feedback. The end result may mean extra effort by the auditor, lack of confidence by the client in the audit process, and nonparticipation of the client in the process of improvement.<br><br><strong>Closing Meetings</strong> These meetings occur when the audit is drawing to a close and the observations, root causes, rating of observations, and corrective measures need to be finalized. The type of feedback will differ in content and style based on who the client is (e.g., department heads or executives).  <br></p><p>The details of targets and responsible staff are also discussed and finalized during this meeting. Getting feedback in the closing meetings should go smoothly if the auditor has been transparent in his or her approach to, and conducting of, the audit. To ensure useful feedback is received during this stage, auditors need to clearly present observations, explain the referenced documents and records, and make sure the supporting data analysis is understandable and relevant to the audit. <br></p><h2>Overall Feedback</h2><p>Though auditors get feedback at different stages of the audit, and from different levels of management, in many organizations clients provide overall feedback on the performance and value added by the internal audit function. After the audit report is finalized, the client may give feedback on the audit techniques used, the auditor’s understanding and knowledge of the area audited, and the auditor’s communication and presentation skills. The list of points for feedback can be elaborate enough to enhance auditor/client participation and, ultimately, audit effectiveness. Organizations may even require that the auditor rate different clients on defined criteria, which could include providing relevant records and details timely, and implementation of corrective measures as planned. <br></p><p>A post-audit questionnaire (see this sample <a href="/2016/PublishingImages/Pages/Client-Feedback/Client%20Feedback%20Questionnaire.pdf" target="_blank">Client Feedback Questionnaire.pdf</a>) can be given to the client to rate internal audit on the pre-audit kickoff interaction, the execution of audit review, and the finalization of review. Questions may include:<br></p><ul><li>Was the audit team considerate of issues raised by the client in deciding period of review and availability of staff and other resources?</li><li>Did the auditor have adequate knowledge of the processes, systems, and relevant controls of areas under audit?</li><li>Were observations supported with relevant detail and documents?</li><li>Were final observations well-presented and concluded with the concerned client?</li></ul><p><br></p><p>Honest feedback from clients can lead to improvements in the effectiveness of systems, controls, and governance. Internal auditors should consider the feedback and show a willingness to change in areas where improvement is needed, while being strong enough to stand by their assessments and findings.  <br></p><h2>Working Together</h2><p>Client feedback on different aspects of the audit sets a benchmark, or highlights the gaps, in management’s acceptance of internal audit performance. Clients expect to have the opportunity to give their perspective, a process that helps to gain their commitment in supporting audit activities and working with internal audit to achieve organizational goals. Adopting and implementing a collaborative approach to feedback and highlighting the aim of supporting clients in improving organizational performance ensures a positive experience for all involved. <br><br><strong><em>A version of this article first appeared in the December 2014 issue of </em>Internal Auditor Middle East<em>, the magazine of IIA United Arab Emirates. </em></strong></p>Lalit Dua1
On the Rise: 2016 the Rise: 2016<p>​A career in internal auditing today is not the same as a career in internal auditing as little as five years ago; responsibilities grow, areas of emphasis shift, and technology advances. And that’s just the way this year’s Emerging Leaders like it — they excel when challenged and appreciate new opportunities to add value. These outstanding practitioners have different geographies, educational backgrounds, motivations for entering the field, and professional ambitions. But there’s much that connects them, too. They value the development and networking opportunities afforded by active involvement in The IIA and other professional organizations; they love to learn, especially about technology; and they value the key role internal audit often plays in strategic planning and business operations. And in addition to their commitments professionally, many are engaged on a civic and community level. Collectively, the achievements of these 15 practitioners bode well for the future of internal audit, and for the organizations they serve.​</p><h2> <img src="/2016/PublishingImages/Chris-Eidd.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />​Chris Eidd, CIA, CPA</h2><p> <strong><em>29, Senior Internal Auditor </em></strong></p><p> <strong><em>Builders FirstSource, Dallas</em></strong></p><div>I wish we could get more young people involved.” That’s how Chris Eidd wants to change the internal audit profession, and he puts his money where his mouth is every day. Teresa Conover, a professor and director of executive programs at the University of North Texas (UNT), says Eidd’s genuine love for the profession encourages students to seek internal auditing as a career path when the UNT graduate shows up on campus for one of his many “get the word out” visits. He volunteers as a guest speaker for the UNT Seminar in Internal Auditing course — on the topic of interviewing techniques, among others — and as a “professional in residence” for the Student Investment Group Live Audit, working with a different student team each semester. Additionally, he serves on the UNT Internal Audit Advisory Board. What gets him so excited about his work? “I love how the profession is evolving to help support business and still cover compliance requirements,” he says, noting that when he started, “internal audit” mostly meant “Sarbanes-Oxley testing.” Now, he gets involved in a variety of projects ranging from due diligence to fraud investigations to litigation support. No matter what the subject is, he always tries to manage up and down — pushing staff to meet their goals and deadlines, and pushing managers to get replies and to request support when they need it. Managing up also means making your boss’s job easier. If he or she has too many messages to manage, don’t leave another one; talk in person. “That’s the best way to move the ball forward,” Eidd says. </div><h2 style="text-align:right;">Grace Sharpley, CPA<img src="/2016/PublishingImages/Grace-Sharpley.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /></h2><p style="text-align:right;"> <strong><em>27, Internal Audit Manager</em></strong></p><p style="text-align:right;"> <strong><em>AutoZone, Memphis, Tenn.</em></strong></p><p>Grace Sharpley is delighted about the development of her profession and what she sees as its future. “While assuring control effectiveness and looking for ways to deliver insight are key to the work we do,” she says, “projects should allow auditors to be change agents.” Increasingly, Sharpley adds, they do. She says the level of exposure she has to movers and shakers has come as a pleasant surprise, allowing her to develop business relationships with them that produce requests for her team to “provide guidance on risks and controls as strategic decisions are being made.” That work, the University of Notre Dame graduate emphasizes, is energizing — and it’s always changing. There isn’t a “typical” internal auditor anymore, she says, noting that her team now includes colleagues with backgrounds in accounting, finance, international business, data analysis, IT, and law. Also outdated, according to Randy Horton, internal audit director at AutoZone, is the notion of internal auditors hedging their bets in reporting findings and trying to stay under the proverbial radar. He says that Sharpley, who was promoted to audit manager after just over a year, will have none of that. “Reiterating what leadership is already aware of does not reflect well on the department,” Horton says. “She drives her team to be able to constructively answer why the audit results are important and why the recommendations should be implemented.” If it sounds like she gets a lot done, it’s in part because she never slows down. “Most people on my floor at work know this already,” she says, “but I always walk very quickly. I can’t help it. Probably because there are always a lot of things that are not checked off on my to-do list!”</p><h2> <img src="/2016/PublishingImages/Jenny-Wei.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Jenny Wei, CIA, CPA, CA</h2><p> <strong><em>29, Manager, Risk Advisory</em></strong></p><p> <strong><em>Deloitte, Edmonton, Alberta</em></strong></p><p>Jenny Wei learned early on the value of data analytics — especially how it can be integrated into internal audit workflows to make the function more effective. Now she’s known for her expertise in that increasingly critical area. Farah George Araj, senior manager at Deloitte, notes that Wei leveraged data analytics during internal audit engagements, “using her business understanding and leveraging the skills of specialists to incorporate data analytics and data visualizations into her projects throughout planning, execution, and reporting to deliver better insights to clients.” One example: the vendor audits her firm’s Contract Risk and Compliance service conducts. Using data analytics, Wei and her team can review 100 percent of spending, target review on the highest-risk areas, and identify with better precision what happened in the entire population. “Data analytics can be used to identify risks at an enterprise level,” the University of Alberta graduate says, “and drive the identification of emerging risks that management may not have seen.” Given her druthers, Wei would “increase the speed of innovation in the profession.” She would call on internal auditors to “become innovative thinkers and propose more creative solutions for management — including being innovative in improving the way internal audit functions.” Wei also focuses on the human side of the profession, serving on the board of IIA–Edmonton, helping raise funds and increase membership for the chapter. Moreover, Wei promotes internal audit certification and awareness through presentations at her alma mater and, on the job, has encouraged team members to join The IIA and pursue the Certified Internal Auditor designation. And she makes sure to explain to clients the importance of professional certifications and the application of IIA standards. </p><h2 style="text-align:right;">​Ambrose Opolot, CIA, ACCA<img src="/2016/PublishingImages/Ambrose-Opolot.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /><br></h2><p style="text-align:right;"> <strong><em>29, Risk and Audit Coordinator</em></strong></p><p style="text-align:right;"> <strong><em>Toyota Uganda Ltd., Kampala</em></strong></p><div><p>W​hen Ambrose Opolot discusses stakeholder expectations — noting that they’ve “increased, become varied, and are at times conflicting” — the Makerere University graduate knows what he’s talking about. Opolot was tasked with starting an internal audit function from scratch after convincing company leadership of the advantages of bringing the discipline in house. Josepha Tibenderana, head of internal audit at Umeme Ltd. and Opolot’s mentor and former boss, notes that Opolot’s role as head of the function has expanded to include overseeing risk management and coordinating with other assur​ance providers. “He has ably managed the expectations of his clients,” Tibenderana says, adding that Opolot has been invited to Toyota’s South Africa regional office to present to the internal audit leadership team there. Says Opolot: “Now I have to prove the value and benefit I have to add to the organization, and also mentor individuals who have just started out in internal audit.” That suits him just fine: He says he appreciates being considered a trusted adviser and enjoys internal audit’s consulting role because it involves telling management how well systems and processes are working. That requires him to make recommendations for improvement — which is exactly the type of communication he advocates for bridging any expectation gaps his stakeholders may have. “Implementation of necessary improvement requires developing trust-based relationships throughout the business,” he says. His role as a business partner will be increasingly important in the future, he says, because technology advances and economic globalization lead to “change that is both predictable and unpredictable.” Internal audit, he adds, must adapt as needed to meet the growing challenges of identifying, assessing, monitoring, and controlling risk. </p><h2> <img src="/2016/PublishingImages/Jaimie-Yang.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Jaimie Yang, CIA, CPA, CISA</h2><p> <strong><em>25, Senior Auditor</em></strong></p><p> <strong><em>CEC Entertainment, Irving, Texas</em></strong><br></p><p>One of the tricks you learn after spending as much of your free time on a flying trapeze as hobbyist Jaimie Yang is using your body to maximize the swing. In fact, maximizing is something she excels at on the ground, too. As an example, when Yang sought to maximize her ability to extract and analyze data on her own for audit planning and fieldwork, she took the initiative to enroll in a local community college course on SQL — a programming language designed for managing data. David Price, senior director of internal audit and risk management at CEC Entertainment, notes that Yang excels at maximizing specific processes, too. She streamlined processes for training, test work, reporting, and metrics for an annual inventory audit that took about 470 hours and reconfigured it as a 250-hour project. And during another engagement, Price says, “she was able to identify five main drivers for US$18 million in absolute value adjustments.” The University of Texas at Dallas graduate also maximizes available professional education options. She participated in the school’s Internal Auditing Education Partnership program and took full advantage of its connection to The IIA; she was actively involved with the Dallas Chapter and the student chapter, working as a volunteer for an annual fraud conference and for the Dallas Chapter’s Annual Super Conference. Yang also served as an internal audit intern during grad school. She wishes more managers recognized what internal audit can accomplish. “I’d change our relationship with clients so they better understood what we’re doing — and why,” she says. “With better client input, we can be more effective at helping the company progress.”</p><h2 style="text-align:right;">Roland Stautzenberger, CIA, CRMA, CCSA<img src="/2016/PublishingImages/Roland-Stautzenberger.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /></h2><p style="text-align:right;"> <strong><em>27, Auditor</em></strong></p><p style="text-align:right;"> <strong><em>Farmers Insurance, Austin, Texas</em></strong><br></p><p>When Roland Stautzenberger looks to the future, he sees internal auditors with strong data skills and even stronger technological expertise auditing, say, a company’s artificial intelligence division or its digital currency transactions. Moreover, the University of Texas at Austin graduate says that stakeholders will expect internal audit functions to focus more on future risks as they incorporate those new technologies. That should help make his audit wish come true: to see an end to the common stereotypes some people have about the discipline and instead see audit departments viewed as business partners throughout the enterprise. Indeed, he advocates including “collaborating with internal audit to achieve organizational objectives” as part of every job description at every company at all levels. But he adds: “This role would have to be earned by each internal audit department, not just be given outright.” Audit functions must track, measure, and report the value they provide, he emphasizes. That helps them adjust as needed to keep improving and adding value, and it shows the rest of the organization the many benefits internal audit brings to the table. One example is a project he completed while treasurer of The IIA’s Austin Chapter, where he currently serves as president. Dan Clemens, head of Internal Audit Planning and Operations at Farmers Insurance, explains that Stautzenberger “implemented new financial processes, creating transparency of the chapter’s finances, for which he received the chapter’s President’s Award in 2014.” The processes, Stautzenberger says, included additional reports to the Board of Governors, such as financial report breakdowns on every chapter event, and new reconciliation processes that help ensure all payments are accounted for at each event — including purchase orders, checks, credit card payments, and receivables. </p><h2> <img src="/2016/PublishingImages/Ann-Gripentog.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Ann Gripentog, CIA, CPA</h2><p> <strong><em>28, Internal Audit Manager</em></strong></p><p> <strong><em>Station Casinos LLC, Las Vegas</em></strong></p><p>Ann Gripentog likes to spread the word about internal audit. Her boss at Station Casinos, Melissa Warstler, senior internal audit director, calls her “our No. 1 cheerleader regarding the profession.” She lauds the way the University of Nevada at Las Vegas (UNLV) graduate “is always encouraging everyone to pursue certification and understand the benefits.” She adds that Gripentog “is not afraid to tell someone her professional opinion” when she works with operations departments — including gaming, accounting, and food and beverage — to educate them on risk and why certain areas need to be audited. In return, Gripentog appreciates being able to “dive deep into the company’s processes.” In so doing, her boss adds, she takes charge of her assignments and takes ownership — and sets an example for others. Gripentog spends a lot of time communicating the benefits of internal audit to students as well, attending recruitment events on campus and working with the UNLV accounting department to promote internal audit — often taking the opportunity to explain the difference between internal audit, external audit, and accounting. Interns are a special focus, too. She calls herself lucky because she was able to complete hiring for Station Casinos’ internal audit internship program, adding that she likes working with individuals early in their careers. “I get to take these new young professionals and mold them into auditors,” she says. “Within our internship program, I’ve seen a lot of the interns move to full-time positions, and it’s nice to feel that you’ve helped them grow.” As these and other audit professionals move forward, one change she foresees is enhancing the balance between helping management improve operations and remaining independent. <br></p><h2 style="text-align:right;">Matt Kozlowski, CIA, CRMA<img src="/2016/PublishingImages/Matthew-Kozlowski.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /></h2><p style="text-align:right;"> <strong><em>29, Senior Manager</em></strong></p><p style="text-align:right;"> <strong><em>Protiviti, Houston</em></strong></p><p>Matt Kozlowski has developed a unique view of leadership as he’s attempted to “emulate the traits of the strongest leaders” he’s encountered. A leader’s most important role, he says, is setting the right example — that means never being “too busy,” and it means never hesitating to roll up your sleeves and get into the details. The Louisiana State University graduate emphasizes that “the best measure of a leader is the success of his or her team members.” Kozlowski also says leaders need to stress to their internal audit teams that any interaction between colleagues and clients must be a positive one that promotes the profession. In 2015, he was asked to be a facilitator at Protiviti’s internal Consultant Challenge School, where he helped advise consultants about the internal audit profession using real-world examples. Based on his success, he has been invited to return this year. Kozlowski always takes advantage of opportunities to spread the word about internal auditing, in fact, pointing out that one change he would make to the profession would be getting practitioners more involved throughout the business. “Too often, we default to only working with the finance or accounting departments,” he says, “when in reality risk exists across the organization.” Accordingly, internal auditors need to build relationships throughout the enterprise to serve as trusted advisers, he says. One area where internal audit can help is in providing guidance on the implementation of the Committee of Sponsoring Organizations of the Treadway Commission’s 2013 Internal Control– Integrated Framework. His work in that area, says Tyler Chase, a managing director with Protiviti, has helped drive an enhanced control environment for his clients without having to implement a slew of tactical one-off controls. </p><h2> <img src="/2016/PublishingImages/Erica-Burnham.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Erica Burnham, CIA</h2><p> <strong><em>28, Internal Audit Supervisor</em></strong></p><p> <strong><em>Raytheon Co., Waltham, M​​​ass.</em></strong></p><p>Erica Burnham’s audit expertise and extensive business education help her see well beyond internal audit’s borders and into the far corners of the company. “The course work I completed for my MBA has taught me to think more strategically and understand the interconnectedness of business operations,” she explains. Burnham says she gains from that a better understanding of the impact ​​a control weakness or process recommendation can have not only on the audited area, but on business operations across the organization. Indeed, the Bentley University and University of Massachusetts at Amherst graduate says she’s been surprised to see how much value internal audit can add to an organization; she left school thinking internal auditors were focused on controls and compliance — and little else. Now she recognizes the contributions of internal audit in areas such as identifying enterprise synergies to achieve cost savings, developing dashboards for functions to help them better monitor their operations, and using data analytics and Six Sigma principles to identify root causes of business issues. Moving forward, she expects that big picture approach to increase in value to her clients, because an organization’s ability to identify, understand, and adapt to emerging risks will grow in importance. “Auditors, while maintaining independence, must be respected and creative business partners who can see around the corner, identify emerging risks, and help management address them,” she says. Joseph Motz, senior manager at Raytheon, adds that Burnham is “exceptionally supportive” of The IIA, of company programs promoting the profession, and of internal audit-related activities at her alma mater. </p><h2 style="text-align:right;">Kristine Tkachenko, CIA, CISA<img src="/2016/PublishingImages/Kristine-Tkachenko.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /></h2><p style="text-align:right;"> <strong><em>29, Senior Auditor, Research Compliance</em></strong></p><p style="text-align:right;"> <strong><em>University of Toronto</em></strong><br></p><p>Kristine Tkachenko focuses on high-tech and on high-touch in her internal audit work. The biggest change coming to the profession is technological, says the University of New Brunswick graduate, such as the ability to work remotely and advancing information-sharing technologies. On the high-touch side, Tkachenko is becoming an expert at using social media applications, such as LinkedIn and Twitter, to reach out to potential new IIA members. Her first mentor, Tony Stanco, director of audit at Ontario Tire Stewardship, says she effected “a significant increase in IIA–Toronto’s social media usage for advertising events, which was demonstrated by the success of the chapter’s winter 2015 Members’ Evening event and an overall increase in event participation.” That event, which focused on “Capital Projects: Improvement Through Internal Audit,” reached its registration capacity in just two days, Tkachenko says. She’s chair of IIA–Toronto’s Membership and Social Media Committee, and she stresses a social emphasis as part of career-building. “My advice to young people new to the profession is to be open and have fun with all the opportunities internal auditing has to offer,” she says. One of the greatest opportunities, she stresses, is networking — especially with mentors. And she encourages her colleagues to think outside the mentorship box, noting that the most successful mentorships often come from unexpected places. “The opportunities through The IIA and the networking it offers enrich your life,” she says, because each individual you interact with brings a unique set of experiences from different stages of life and career. </p><h2> <img src="/2016/PublishingImages/Ryan-Singer.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Ryan Singer, CIA</h2><p> <strong><em>27, Business Risk Manager</em></strong></p><p> <strong><em>Crowe Horwath LLP, Columbus, Ohio</em></strong></p><p>Crowe Horwath’s Ryan Singer, a graduate of Miami University in Ohio, has a reputation for innovative thinking. As Wayne Gniewkowski, a principal at Crowe Horwath, puts it, “Some people look at a process and do it the same as everyone has in the past — Ryan looks at a process and determines how he can do it to best use his skills.” Sometimes that means a simple change of format; sometimes he changes the process entirely. In all cases, it means an emphasis on client service, during an engagement and after. Singer says continuous client service is critical in delivering value, noting that “clients face problems every day.” He calls on internal auditors to “provide support for clients and their problems even if it extends outside the parameters of what’s generally considered standard procedures.” Gniewkowski adds that Singer emphasizes making himself available to his team to ensure that past and current clients are “still receiving quality service.” Part of that service is the result of advances in internal audit technology, and Singer notes that those advances will have the biggest effect on the profession moving forward. But the aspect of internal audit he likes best is not the hardware and software — it’s the humans who make it work. Singer says he’s “worked with terrific people both inside and outside the firm,” and he stresses that meeting new people and learning from them are among the best aspects of his job. Indeed, a major change he’d make to internal auditing is doing a better job of presenting the profession as an alternative to external auditing and tax accounting studies on college campuses. </p><h2 style="text-align:right;">Dariel Dato-On, CIA, CISA<img src="/2016/PublishingImages/Dariel-Dato-on.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /></h2><p style="text-align:right;"> <strong><em>26, Senior, Risk</em></strong></p><p style="text-align:right;"> <strong><em>EY, Dallas</em></strong><br></p><p>During his relatively short time as a practitioner, Dariel Dato-on has learned a key lesson about client engagements: “There are not always clear-cut answers to many of the problems we face in the internal audit profession,” he says. By contrast, he recalls from his days as a student that every question in the classroom had an answer and every problem had a solution — a state that doesn’t exist in the real world. And that’s a good thing. “Solving problems where there is not an obvious answer,” the University of Texas at Dallas graduate comments, “is what I’ve enjoyed doing the most.” That’s apparent, notes Joseph Mauriello, director of the Center for Internal Auditing Excellence at UT Dallas, who says Dato-on “has the keen ability to parse through the subterfuge and offer effective and efficient solutions.” One example is his streamlining and redesign of the online resume book system for the UT Dallas student IIA organization, Mauriello says — a solution that reduced upload and administration times and simplified the process for future students. And Mark Salamasick, executive director, audit, at the University of Texas System, notes that Dato-on is “one of the most technical IT auditors in the marketplace today,” lauding him for running several websites, building computers, and writing software for online programs. Dato-on, he adds, is solution-oriented and comes up with “creative and automated ways” to solve business problems. When the solution must be discovered, because it’s not evident, internal auditors need to be extra careful to ensure their clients understand that ultimately they have their and the company’s best interests in mind, Dato-on explains. “We as a profession are definitely moving in the right direction,” he says. And his own forward movement has a soundtrack: Dato-on plays classical piano for recreation and for, he says, “whomever is willing to listen.”</p><h2> <img src="/2016/PublishingImages/Robin-Brown.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Robin Brown</h2><p> <strong><em>30, Lead Consultant, Risk Advisory Services</em></strong></p><p> <strong><em>Dixon Hughes Goodman LLP, Atlanta</em></strong></p><p>Robin Brown wants to make sure she’s never in a data breach situation where the board of directors asks, “Where were the internal auditors?” That’s why she urges all practitioners to gain experience in evaluating and testing the IT systems that support their companies’ operations. And as cloud computing and social media continue to expand, she advises becoming more aware of the cybersecurity space, how to test it, and how to prepare the organization for a data breach. “A data breach of any size is inevitable,” the Randolph-Macon College graduate says, “but the way a company identifies, contains, and responds to it directly impacts its success.” She also sees the need for enhanced use of data analytics for identifying key trends, leading indicators, and areas of risk to the business. These tools, she notes, can be used both to definitively evidence exceptions to internal controls and processes and to automate some of the more routine audit steps. In one recent example, reports Seth Peterson, assistant vice president and internal audit manager at The First National Bank in Sioux Falls, Brown used analytic tools during an inventory management process assessment to identify and isolate forklift drivers and inventory cycle counters who circumvented established procedures, impacting inventory accuracy. Management used her findings to identify repeat offenders and establish opportunities to retrain or release company employees, says Peterson, a 2013 Emerging Leader who reached out to Brown to collaborate after seeing her in an Audit Channel video. It’s one of the ways, he adds, that Brown shows she’s passionate about the audit profession. Ask Brown about another passion, and her artistic side emerges: “If I weren’t in internal audit, I would be in New York City trying to make it on Broadway,” she says. “Musical theater is my passion. Singing, dancing, and acting are in my blood.”</p><h2 style="text-align:right;">Jamie White, CPEA, CESCO<img src="/2016/PublishingImages/Jamie-White.jpg" class="ms-rtePosition-2" alt="" style="margin:5px;" /></h2><p style="text-align:right;"> <strong><em>30, Managing Consultant, EHS Performance and Risk Management</em></strong></p><p style="text-align:right;"> <strong><em>Trinity Consultants Inc., Raleigh, N.C.</em></strong></p><p>Jamie White is a highly specialized auditor, the kind who works for various clients to conduct environmental health and safety (EHS) audits. She says the biggest change she faces in her work is the impact of smaller companies becoming part of larger ones through mergers and acquisitions, requiring practitioners to audit to higher conformance standards. White’s colleagues say she already does. Bill Qualls, executive director at ResponsibleAg and chair of The IIA’s Environmental, Health and Safety Audit Center Advisory Board, explains that White is a member of Trinity’s EHS Performance and Risk Management Business Line, which assists each of the company’s 50 offices globally in developing and executing EHS audit opportunities. White, a graduate of the University of New Hampshire and the University of Illinois and vice chair of the EHS Center Advisory Board, “offers training classes on EHS auditing,” Qualls notes, “mentoring compliance staff new to auditing and serving as an on-call resource to each company employee who has a question or requires advice on EHS auditing and compliance.” For White, it’s all in a day’s work. “I’ve become very comfortable as an auditor and can easily and comfortably engage professionals at all levels, from an hourly employee up to a CEO of a multi-billion-dollar oil and gas giant,” she says. In fact, she emphasizes that communication skills, a key aspect of internal audit effectiveness, have become one of her biggest assets. She credits her parents for what she calls her “ambitious nature” — noting that her father advised her not to be a wallflower and to expand her horizons. Now when she sees an opportunity, she takes it, or volunteers for it, or learns from it. “It’s important to put yourself out there,” she counsels, “because it’s the best way to grow.”</p><h2> <img src="/2016/PublishingImages/Kayla-Brown.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Kayla Brown, CPA</h2><p> <strong><em>26, Senior Internal Auditor</em></strong></p><p> <strong><em>Carter's Inc., Atlanta</em></strong><br></p><p>Kayla Brown embraces technology, but makes sure her emphasis remains on the human side of internal audit. Technology has dramatically changed the way internal auditors perform, she says, noting that it may be impossible to even imagine the changes coming in the future — changes that should considerably improve audit efficiency. “But it is still so important to establish relationships with individuals in the business,” she advises. “Don’t just email process owners. Pay a quick visit if they are in the same office, or make a phone call.” She leverages in-person relationships to show that internal auditors can be business partners — not telling clients what they’re doing wrong, but providing recommendations for improvement. That’s made easier by her emphasis on operational audits, because they provide such a clear view of so many aspects of an enterprise’s operations. Brown stresses the importance of career-long networking — even when a new position isn’t the goal — and encourages college students to get involved in activities on campus, such as case competitions and conferences, to promote their personal brand. No matter the specific industry, she adds, relationships are always key. That’s a message she regularly relates to campus audiences at her alma mater Kennesaw State University, and at Georgia Tech, to encourage students to consider the internal audit profession, says her mentor William Mulcahy, CEO at Mulcahy Consulting. In addition, she’s active in The IIA’s Atlanta Chapter, particularly its mentor–mentee program, he says. As her mentor in that program, Mulcahy credits Brown’s efforts in increasing overall chapter membership.<br></p><p> <br> </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​<strong>Meet the Judges</strong><br><br>According to this year’s judges, the qualities that define Internal Auditor’s 2016 Emerging Leaders include “forward thinking through greater use of technology,” as one judge puts it, and “finding a way to give back to their communities and their profession.” The judges, a distinguished group that includes two past Emerging Leaders, also point to the honorees’ innovation, creativity, flexibility, and collaboration. <br> <br>Pam Jenkins, CIA, CPA, CRMA, vice president, Global Audit Services, Fossil Group; vice chairman, professional development, IIA North American Board of Directors. As a group, Jenkins says, this year’s Emerging Leaders are impressive in part because of their “determination to make internal audit a trusted business partner and adviser, and not simply a fact-checking function.”  <br><br>Mike Joyce, CIA, CRMA, vice president, chief auditor & compliance officer, Blue Cross Blue Shield Association; vice chairman, finance, IIA Global Board of Directors. “Today’s Emerging Leaders will be tomorrow’s experienced leaders,” Joyce says. That experience will be critical moving forward, he adds, because internal audit is “under increasing pressure to identify emerging risks and trends rather than rely on identifying root causes for historical events.” <br> <br>Derrick Li, CIA, CRMA, CPA, CA, director, Internal Audit & Performance Improvement, TransLink: South Coast British Colombia Transportation Authority; 2014 Emerging Leader; blogger. Internal audit, like the business environment, is constantly changing, Li says. “This year’s Emerging Leaders will need to help ensure audits focus on the current and future issues relevant to the business.”<br><br>Charlotta LÖfstrand Hjelm, CIA, QIAL, chief internal auditor, Lansforsakringar AB; vice chairman, professional certifications, IIA Global Board of Directors. Hjelm is impressed with this year’s honorees — their talent, their knowledge, and their inspiration. “If they have accomplished this much by age 30,” she says, “anything is possible in the future.” <br> <br>Laura Soileau, CIA, CRMA, CPA, partner, Postlethwaite & Netterville; 2014 Emerging Leader; blogger; IIA Publications Advisory Committee member. Soileau says this year’s Emerging Leaders are “very impressive” — as they’ve all shown creativity and innovation, and often found new ways to approach routine challenges and opportunities. <br> <br>Benito Ybarra, CIA, chief audit and compliance officer, Texas Department of Transportation; vice chairman, content, IIA North American Board of Directors; IIA Publications Advisory Committee member. In addition to abundant professional certifications, Ybarra notes that this year’s Emerging Leaders demonstrate a “high degree of social responsibility through their volunteer and ambassador activities.”</td></tr></tbody></table></div>Russell A. Jackson0
The Art of Recommending Art of Recommending<p>​One of the ways internal audit adds value to the organization is through the recommendations communicated in internal audit reports. But recommendations also can become a point of contention with management, as they may suggest additional procedures for staff or offend management if not presented correctly. Therefore, auditors should take care to communicate with the various stakeholders how their recommendations will help fix gaps and mitigate risks. The stakeholders will evaluate whether the recommendations being provided are worth the investment of time and resources required to implement them (cost vs. benefit).</p><h2>Recommendation Types</h2><p>Broadly, a recommendation is either a suggestion to fix an unacceptable scenario or a suggestion for improvement. Most internal audit reports provide recommendations to fix unacceptable scenarios because they are easy to identify and are less likely to be disputed by the process owner. However, recommendations to fix gaps in a process only take the process to where it is expected to be and not where it could be. Internal audit’s value lies not only in providing solutions to existing issues but in instigating thought-provoking discussions. Recommendations also can include suggestions that will move the process or the department being audited to the next level of efficiency. When recommendations aimed at future improvements are included, internal audit reports become a tool in shaping the strategic direction of the department being audited. </p><h2>Internal and External Sources</h2><table class="ms-rteTable-default" cellspacing="0" style="width:91%;height:171px;"><tbody><tr><td class="ms-rteTable-default" style="width:100%;height:240px;"><p> <strong>Sources of Recommendations</strong></p><p> <strong>Internal</strong></p><ul><li>Process owner walkthroughs.<br></li><li>Critical reading of documented procedures.<br></li><li>Practices followed by other departments or locations within the organization.<br></li><li>Prior internal audit reports on the area currently being audited.<br></li><li>Results of current testing.<br></li><li>Recommendations in other internal audit projects. <br></li></ul><p style="margin-bottom:0px;margin-left:6px;font-size:9px;line-height:normal;font-family:helvetica;min-height:11px;"> <span></span> <br></p><p> <strong>External</strong> </p><ul><li>IIA research materials.<br></li><li>Other professional and industry literature.<br></li><li>Networking with industry peers.<br></li><li>Procedures followed by other organizations.<br></li><li>Vendor-provided education on new technologies and services related ​to the process being audited.</li></ul></td></tr></tbody></table><p>An auditor should draw recommendations from both inside and outside the organization (see “Sources of Recommendations” at right). Internal sources of recommendations are easier to locate; however, they require a tactful approach as process owners may not be inclined to share unbiased opinions with internal audit. External sources may not be as easily accessible — an internal audit function should invest in providing its staff with access to research libraries and professional networks to facilitate access. </p><p>It is a good practice to jot down recommendation ideas as soon as they come to mind, even though they may not find a place in the final report. Even if internal audit testing does not result in a finding, the auditor may still recommend improvements to the current process.</p><h2>Documentation</h2><p>Internal audit should spend sufficient time brainstorming potential recommendations and choosing their wording carefully to ensure their audience has complete </p><p>understanding. Recommendations should be written simply and should:</p><ul><li>Address the root cause if a control deficiency is the basis of the recommendation.  <br></li><li>Address the department rather than a specific person.<br></li><li>Include bullets or numbering if describing a process that has several steps.<br></li><li>Include more than one way of resolving an issue identified in the observation, if possible. For example, sometimes a short-term manual control is suggested as an immediate fix in addition to a recommended automated control that will involve considerable time to develop.<br></li><li>Position the most important observation or risk first and the rest in descending order of risk. <br></li><li>Indicate a suggested priority of implementation based on the risk and the ease of implementation. <br></li><li>Indicate any repeat findings. If the recommendation needs to be modified, provide an updated recommendation in the report. <br></li><li>Explain how the recommendation will mitigate the risk in question.<br></li><li>List any recommendations separately that do not link directly to an audit finding but seek to improve processes, policies, or systems. <br></li></ul><h2>Management Feedback</h2><p>Recommendations will go nowhere if they are not valued by management. Therefore, the process of obtaining management feedback on recommendations is critical to make them practical. Ultimately, process owners may agree with the recommendation, agree with part of the recommendation, and agree in principle, but technological or personnel resource constraints won’t allow them to implement it. They also may choose to revisit the recommendation at a future date as the risk is not imminent, or disagree with the recommendation because of varying perceptions of risk or mitigating controls.</p><p>Management in the public sector could be averse to recommendations because of public exposure of their reports. Therefore, internal audit should clearly state in its reports if the recommendations do not correspond to any errors but are suggested improvements. More recommendations do not mean there were more faults with the process, and this should be communicated to the process owners.</p><p>Management responses should be added to the recommendations with identified action items and implementation timelines whenever possible. Whatever management’s response, a recommendation should not be changed if it dilutes internal audit’s objectivity and independence and becomes representative of management’s opinions and concerns. It is internal audit’s prerogative to provide recommendations, regardless of whether management agrees with them. Persuasive and open-minded discussions with process owners are important to achieving agreeable and implementable recommendations.</p><h2>A Complex Journey</h2><p>The journey of a potential suggestion to a recommendation is complex and is influenced by every stakeholder and constraint in the audit process — be it the overall tone of the organization toward change, its philosophy toward internal audit, the scope of the internal audit, views of the process owner, experience and exposure of internal audit staff, or available technology. However, an internal auditor must realize that every thought may add value to the organization and deserves consideration within the internal audit team. Internal audit departments should deliberate about the process and ask at the end of every audit: Does it align with the organization’s strategy and direction? Is it up to par with what is seen elsewhere? What is its relevance today and in the future? </p>Anupam Goradia020
Keep Your Promises Your Promises<p>R​ecently, I saw a sign in a hotel elevator that said, “Your satisfaction is more than a goal, it’s a promise.” It was just one in a slew of aphorisms that seem to permeate today’s customer-focused environment. However, this one caught my eye because it made an interesting distinction — goals versus promises.<br></p><p>Consider some of the stated (and unstated) goals internal auditors establish with customers. At the outset of an engagement we talk to them about what we will accomplish, what we need from them, and what they can expect in return. Generally, the discussion results in goals like providing immediate updates on issues and concerns, getting the customer’s input throughout the process, and using the customer’s time efficiently. It also usually results in specific timelines for the ongoing completion of the engagement.  <br></p><p>However, we underestimate the significance of this customer interaction if we think of the agreed items as simply goals. They are promises — and this is not a trivial distinction. Goals are aspirational; promises (if your word actually means anything) are immutable.<br></p><p>Take, for example, the date the report will be issued. How often is the final report actually issued on the date agreed upon at the outset of the audit? Does it often occur on a revised date? Maybe the testing takes longer than anticipated, or the client goes on vacation, or certain interviewees are unavailable, or more report rewrites are required than expected, or (fill in the blank with your favorite reason/excuse). Besides, the customer is often consulted and everyone agrees on the revised schedule, right?<br></p><p>I’m sorry, but poor planning is not a viable excuse for going back on a promise. And if every audit engagement includes breaking a promise as simple as the date of final report issuance, what is the customer to think about all those other promises? “You say there will be open communication, but how often will I be surprised by something? You say you will keep me advised on progress, but how often will periodic updates be cancelled? You say you will use my time efficiently, but how many times will my staff and I answer the same questions and provide the same information?”<br></p><p>In my former role, my team provided the audit customer with a document that specified, among other items, the background, time frame, and scope of the upcoming audit. Externally it was called the Terms of Condition. Within my group we called it our contract. It represented a binding agreement with, and promise to, our customer.<br></p><p>Internal auditors are only as good as their word. And it is a slippery path to begin saying there are extenuating circumstances that mean we can go back on that word. Something as simple as a report issuance date can be the start of that slide, and it should be viewed as a serious breach of commitment.</p>Mike Jacka1
Taking the Lead in Nonfinancial Reporting the Lead in Nonfinancial Reporting<p>B​y December, governments across Europe will need to have translated the European Union’s (EU’s) 2014 Directive on nonfinancial reporting into their national rule books. Formulated in response to the perceived short-termism that contributed to the global economic and financial crisis in 2007, the rules mandate that Europe’s top 6,000 companies disclose in their annual report and accounts how they are discharging their social, environmental, and ethical duties.<br></p><p>“Disclosure of nonfinancial information is vital for managing change towards a sustainable global economy by combining long-term profitability with social justice and environmental protection,” the 2014 Directive says. “In this context, disclosure of nonfinancial information helps the measuring, monitoring, and managing of undertakings’ performance and their impact on society.”<br></p><p>Who benefits most from this additional reporting burden? Nicolas Bernier-Abad — who is in charge of seeing the rules come to fruition at the European Commission’s Directorate General of Financial Stability, Financial Services, and Capital Markets Union — told internal auditors at a recent event organized by the European Confederation of Institutes of Internal Auditing in Brussels that nonfinancial reporting was “pro-business.” “The aim is not to create a new report, but to add content to the existing management report regarding environmental and social obligations, action to counter corruption and bribery, and in respect of human rights,” he said. He added that for executives and boards to understand what is going on in their own organizations, these issues had to be spoken about in the same way as one would talk about profit and loss. <br></p><p>While an estimated 2,000 companies in Europe already produce and use such information, the new Directive will set in motion the biggest compulsory reporting project of its kind. It is likely to help standardize what has been a growing trend globally during the past 10 years. The movement to provide more comprehensive reporting on matters that do not fall under the financial reporting remit has gathered ste​am under a range of titles — such as integrated reporting, corporate social responsibility reporting, and sustainability reporting — but thus far there is no agreed-upon approach or methodology to capture these disparate topics under a single reporting framework or set of standards.<br></p><h2>A More Serious Document</h2><p>European internal auditors who have been involved in developing nonfinancial reporting mechanisms tend to agree with Bernier-Abad’s assessment. While the reports do give investors, environmental pressure groups, and others a larger and more detailed window into the business’ operations, management also wins.<br></p><p>“In general, if you look at the development of sustainability reports in companies, there is a move away from producing a marketing document and toward producing a much more serious document where the company discloses how they perform in certain areas,” says Mark Jongejan, vice president, Group Internal Audit at the Danish brewer Carlsberg. <br></p><p>Internal audit not only assesses the accuracy of the specific key performance indicators to be disclosed in the report but has helped build an awareness within the company about the relevance of this type of reporting. “To be able to develop good strategies, you need reliable data,” he says. “The internal audits we performed in this area have enabled us to have discussions with management on how you organize the whole governance process around nonfinancial reporting, the roles and responsibilities needed, what kind of tools to deploy, and how you train your people in the organization.”<br></p><p>In the beverage industry, one big challenge is how to reduce water usage. “To be able to develop a good strategy and to set clear objectives for the coming three to four years, you have to know where you are at this point in time,” he says. “You need accurate data. You need good nonfinancial reporting systems.”<br></p><p>While the EU Directive is making nonfinancial reporting the norm for European companies like Carlsberg, there has been less pressure in the U.S. to go down this route, not least because the Sarbanes-Oxley Act of 2002 focused many businesses and their internal auditors on providing assurance primarily around financial controls. But that does not mean U.S. auditors are not engaged in such projects. <br></p><p>“Outside of the many U.S.-based multinational companies that are talking about this, the terminology really hasn’t caught on here yet,” says Jim Pelletier, IIA vice president, Professional Solutions. “Auditors who are taking a risk-based approach and are looking at the major objectives of the organization are likely to be hitting these areas — they’re just not calling it the same thing.”<br></p><p>Pelletier says the focus on nonfinancial reporting also marks a turn away from providing assurance on the traditional, historical performance of the company, to a view that looks ahead at the potential big risks that could impact the organization. Given the range and variety of risks that pose a threat today, it makes sense that many of those are nonfinancial in nature. In that sense, nonfinancial reporting is an acknowledgement that risk-based auditing has a crucial role to play in the long-term success of each organization.<br></p><h2>Integrated Thinking</h2><p>Silvio de Girolamo, group chief internal audit and corporate social responsibility officer at the food and beverage group Autogrill in Milan, Italy, is a contributor to the 2015 IIA report, Beyond the Numbers–Internal Audit’s Role in Nonfinancial Reporting. He says in many organizations — his own included — nonfinancial reporting has proved its worth to management in specific areas and has grown in stature from this success. <br></p><p>His experience at Autogrill mirrors that of Jongejan’s at Carlsberg. “When you begin to measure what is happening in these areas, you can start to manage those processes that you did not manage in the past and improve on them,” de Girolamo says. But there is an opportunity for internal audit to play a defining role in how nonfinancial reporting is to be developed because of the lack of prescription on how it should be implemented. <br></p><p>“Internal auditors can play a defining role by becoming change agents within their businesses,” he says. He accepts the move into these areas is a challenge for internal auditors, given their traditional focus on financial controls, but is confident that the profession can help promote integrated thinking in the businesses they serve. <br></p><p>“We need to argue that the company has to put in place a methodological approach to manage these areas, not just as a collection of individual problems, but as something more integrated and interconnected,” de Girolamo says. That involves a recognition of the importance of the organization’s social role and impact, and a proactive way of seeking out effective solutions that are good for both the company and its stakeholders.<br></p><p>Internal audit is positioned to achieve this objective — what he calls integrated thinking — because it can take a helicopter view of the entire organization that could help it move from dealing with its social reporting in an ad hoc manner to something more holistic. But he also admits that not all CAEs will be in a position to jump to this higher level of operation immediately. <br></p><p>“Internal audit’s role depends very much on the maturity level of the company in nonfinancial reporting,” he says. Internal auditors can perform an advisory role or an assurance role — or something in the middle. That can entail supporting management in understanding which kinds of reporting systems are going to be most effective, helping it improve those systems, or providing assurance when they are well-established. <br></p><h2>Rise to the Competency Challenge</h2><p>The role is not without its challenges. The most important of these is filling the competency gaps within internal audit, itself, according to Mentes Albayrak, audit coordinator at the Turkish conglomerate Anadolu Group and IIA–Turkey vice chairman. <br></p><p>He says auditors have two kinds of competency: process and content competencies. “Internal auditors have the right process competencies for effective nonfinancial reporting, such as the ability to communicate with stakeholders, extensive knowledge of how to perform an assurance engagement, and knowing the <em>International Standards for the Professional Practice of Internal Auditing</em>,” he says.<br></p><p>But there are differences in the way internal auditors need to apply these competencies when it comes to nonfinancial data. While auditors have the information and knowledge about how to decide on materiality when it comes to financial controls, for example, the issue of materiality for nonfinancial controls also entails reaching out to stakeholders.<br></p><p>“Internal auditors need to understand what information is relevant to the business’ key stakeholders, and understand what is significant to them and how much it matters,” Albayrak says. “Unlike deciding materiality on financial controls, this involves exercising a much greater degree of professional judgment.” <br></p><p>Decisions on materiality over nonfinancial reporting issues should be systematic, transparent, and accountable. “That means when management or stakeholders ask about your methods or systems of determining materiality, you have a system in place and can give a comprehensive answer to that question,” he says.<br></p><p>That requires a more outward-looking approach — one that entails internal auditors reaching out to their stakeholders and engaging in communication. For auditors who have been focused largely on financial controls, that could be a big shift in emphasis. Nonfinancial reporting requires auditors to understand the finer points of communication. When it comes to working on issues such as culture, auditors are asking people to share their opinions and feelings — rather than merely collating facts and figures, says Tea Enting-Beijering, one of several CAEs within the Netherlands’ Central Governmental Audit Services directorate within the Ministry of Finance. <br></p><p>“When we started our nonfinancial auditing project, we selected auditors who already had strong communication skills, and we invested in more education for them,” says Enting-Beijering, who is CAE for the Ministry of Infrastructure and Environment. She selected a handful of people out of the 600 auditors on the team. Her objective was to look at the organization’s culture because the standard financial audits could not pick up on how changes to its working practices were impacting the business. <br></p><p>Developing good listening skills and creating an atmosphere with the right level of intimacy and trust was key. “If there is not enough trust, it is difficult to get people to share their opinions and feelings,” she says. Communicating the audit findings with those involved also needed to be handled with sensitivity because people need to feel they have been listened to and their concerns have been taken seriously.<br></p><p>She says the audits have given managers a much clearer picture of how their work fits into and impacts the wider ministry. It also has helped the audit team provide advice on how processes can be improved and how things can be done better. “The most important thing is that we are now having conversations in the organization that are very good and are leading to real change,” she says. <br></p><p>While communication is key, Albayrak says, the biggest challenge in filling internal audit’s competency gap is in what he calls content competency. “In nonfinancial reporting, you’ll have environmental issues, ethical issues, noneconomic issues, and sometimes macro-economic issues that form the content of the report you are working on,” he says. “It isn’t possible for an internal auditor to know everything. We need to establish the information on which to provide assurance, but we can’t have competency on the content of all areas.”<br></p><p>Albayrak’s solution is similar to de Girolamo’s: Provide integrated assurance, or combined assurance, by creating a multidisciplinary team of experts from across the organization and beyond. If no party has the full spectrum of competencies required to provide assurance on nonfinancial reporting, then the various parties involved in this assurance process should be coordinated effectively.<br></p><p>“Internal auditors are best positioned to provide that coordination,” he says. “We have the process competencies, we have the general outline of what content competencies are needed, and we have a general knowledge from the work in our own organizations about what environmental, human resources, social, and ethical issues the business faces.” <br></p><p>That gives internal audit the ability to form an effective, multidisciplinary team, coordinate that team, and get the input needed from management, or external consultants, to ensure all of the relevant technical content goes into the process. A 2015 paper, Combined Assurance: One Language, One Voice, One View, written by Sam Huibers and published by the Internal Audit Foundation’s Global Internal Audit Common Body of Knowledge (CBOK) research project, outlines how this approach can bring disparate parties together to provide a single statement on assurance that unites their perspectives. But while two out of three European organizations taking part in the 2015 CBOK practitioner survey said they were aware of this approach, just over half (53 percent) of North American respondents said they were — below the 59 percent global average. <br></p><h2>Create a Consistent Approach</h2><p>The headline figures emerging from the CBOK study may be more a matter of semantics. Just as some U.S. internal auditors are engaging in many of the areas that in Europe go under the heading of nonfinancial reporting, so does The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 <em>Internal Control–Integrated Framework</em> provide support for those working in this area, says COSO Chairman Robert Hirth. Every U.S. stock exchange-listed company uses the framework to comply with Section 404 of the Sarbanes-Oxley Act of 2002, covering internal control over external financial reporting. “But all forms of reporting are a specific control objective area in the COSO framework,” Hirth says, “and that reporting is defined as being internal, external, financial, and nonfinancial reporting.”<br></p><p>The aim is to create a consistent approach and common language for evaluating all forms of internal control and all forms of reporting, he says. That requires CAEs who are implementing nonfinancial reporting to start at the top. “Get management and, as needed, board and audit committee buy-in and agreement that validating this nonfinancial reporting is valuable, desired, and makes sense against other priorities and resource constraints — some companies have a lot of resources, others have very little,” he advises. <br></p><p>Next, identify the most critical, important nonfinancial reporting that should be validated and audited. “This means that there will likely end up being lots of nonfinancial reporting that doesn’t make the cut — at least for now,” Hirth says. “Determine which internal and external information falls into scope.” For example, internal reporting on diversity or employee evaluations may be important and external reporting on sustainability or corporate social responsibility may also be just as important. CAEs need to include all of those critical areas in their plan.<br></p><p>Finally, he says, internal audit needs to involve and engage the first line of defense processes and people who produce the reporting information. “Also, look at how you can leverage information systems to generate the information with a higher level of accuracy and integrity, and try to eliminate the manual production of this information,” he advises.<br></p><h2>Conquer the Big Stuff</h2><p>There are likely to be a few sticking points to audit involvement in nonfinancial reporting, particularly defensiveness among those people preparing the reports, as they may never have had their work challenged or audited in the past. “Deal with this professionally, but don’t back down if the information is truly important,” Hirth says. In addition, there may be a lack of controls related to the reporting involved, and internal audit’s main role in that case is to identify the important gaps. “There’s a danger of doing work on information that doesn’t really matter,” he says. “Don’t chase the little stuff. Chase and conquer the big stuff.”<br></p><p>The need to boost their skills, competencies, and even head count in this area is a huge challenge ahead for the profession. In addition to creating audit departments that are more risk-based, forward-looking, and willing to reach out to stakeholders, they also will have to work more collaboratively than ever to succeed. <br>Worried? De Girolamo isn’t. He thinks nonfinancial reporting will be the next catalyst to grow both the stature and size of the internal audit profession. “It’s a big challenge for sure, but one internal audit is more than ready to meet,” he says.</p>Arthur Piper11704

  • TeamMate_Jan2017_Prem 1
  • IIA TeamDevelopment_Jan2017_Prem 2
  • IIA PerformanceAuditing_Jan2017_Prem 3



Six Steps to an Effective Continuous Audit Process Steps to an Effective Continuous Audit Process2008-02-01T05:00:00Z2008-02-01T05:00:00Z
Managing an Internal Audit Career: How Do You Know When It’s Time to Go?’s-time-to-goManaging an Internal Audit Career: How Do You Know When It’s Time to Go?2015-03-30T04:00:00Z2015-03-30T04:00:00Z
Understanding the Risk Management Process the Risk Management Process2007-05-01T04:00:00Z2007-05-01T04:00:00Z
Lessons From Toshiba: When Corporate Scandals Implicate Internal Audit From Toshiba: When Corporate Scandals Implicate Internal Audit2015-07-27T04:00:00Z2015-07-27T04:00:00Z