Practices

 

 

Audit With Acumenhttps://iaonline.theiia.org/2020/Pages/Audit-With-Acumen.aspxAudit With Acumen<p>Board and management stakeholders want internal audit to demonstrate greater business acumen. They want auditors to have a broad understanding of the organization, as well as anticipate how to help the organization achieve its objectives.<br></p><p>That means auditors need to see beyond their area of expertise and responsibility. They must be agile to act proactively and congruently with the organization's way of doing business. By recognizing these expectations, internal audit can show that the department is an excellent place to develop business acumen. </p><h2>Fit Business Needs</h2><p>Organizations expect all senior managers to have the business acumen to lead their areas of responsibility and support broader organizational success. Managers should be able to anticipate and act on ways to add value to the organization and its stakeholders. </p><p>Likewise, internal audit needs to identify the best ways for the function to develop business acumen that fits the organization's needs. It can't take a one-size-fits-all approach, though, because business acumen will vary by industry, type of business, and the kind of service a business unit provides. For example, internal audit will require different aspects of business acumen than business lines, such as sales and production, or support services such as finance and security. </p><p>Moreover, internal audit's assurance role in relation to other assurance roles within the organization impacts the kind of business acumen it needs. Developing business acumen can enhance internal audit's risk-based coverage of the organization's main lines of business, as well as the first two lines of defense.</p><p>In developing business acumen, internal audit should not be seen as narrowly focused rule-followers who avoid innovation and taking risks. Chief audit executives (CAEs) should ensure the audit staff understands the capabilities of the organization's first two lines of assurance, as well as the business' main products and services. Their strategy for establishing business acumen should involve human resource activities, such as hiring, promotions, and career planning, as well as professional development activities. </p><h2>Enabled by the Standards</h2><p>Internal audit's use of business acumen must reinforce, and not compromise, auditors' professional competence. The <em>International Standards for the Professional Practice of Internal Auditing </em>place great importance on risk-based planning — multiyear, annual, and engagement — to ensure that services are strategic and add value. Having business acumen enables internal audit to proactively plan and adapt all forms of audit activity to anticipate the organization's assurance needs. This capability goes far beyond simply repeating cyclical coverage or responding to senior management requests. </p><p>There is no trade-off between demonstrating business acumen and conforming to the <em>Standards</em>. On the contrary, internal audit can build business acumen on a sound understanding and innovative implementation of the <em>Standards</em> and associated guidance. </p><p>CAEs have used a variety of methods and approaches to attune their staff to the business needs of their organizations. The examples in the boxes that begin on page 41 demonstrate how business acumen can work in internal audit. These examples are based on four perspectives adapted from the Balanced Scorecard strategic planning and management tool: governance, client, internal processes, and innovation and learning. The boxes substitute governance for the Balanced Scorecard's finance measure. CAEs should plan, track, and report to the board and management on initiatives in each of these areas.</p><h2>Internal Audit's Acumen</h2><p>CAEs are likely undertaking some or many of these initiatives, as well as some others. To get the attention and mutual understanding needed, annual internal audit plans and year-end reports should include a formal strategy on investments in building staff capabilities to better respond to the emerging needs of the organization. This approach can foster productive discussions and improved understandings with management and the audit committee.  <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><h2>Governance<br></h2><p>These examples can improve mutual understanding, enhance business capabilities, and strengthen relationships at the governance level of the organization:</p><ul><li>Have the CAE actively participate in regular meetings of the audit committee operational governing body.</li><li>Assign individual audit managers to each of the major lines of business as account managers.</li><li>Build the internal audit universe on top of the organization's strategic objectives.</li><li>Conduct organizationwide internal audits in support of key corporate activities such as internal communications.<br></li></ul> <br> </td></tr></tbody></table><h2>Client</h2><p>These examples can improve mutual understanding, improve business capabilities, and strengthen relationships with the organization's business units:</p><ul><li>Base multiyear, annual audit, and engagement plans on the organization's corporate and business risk profiles. </li><li>Include strategic upside risks of opportunities and strengths in annual internal audit plans to complement the traditional focus on key downside risks of weaknesses and threats.</li><li>Reinforce the role of other internal assurance functions (second line of defense), such as risk management and financial control, by auditing their processes. </li><li>Invite business units to link the timing of audit engagements to their business information needs, such as in support of future financial approval submissions for major initiatives or new programs. </li><li>Provide information on assessment criteria well in advance of an audit engagement when there are known shortcomings, to enable managers to take corrective action before the audit.</li></ul><p> </p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><h2>Internal Processes<br></h2><p>These internal audit processes can improve mutual understanding and business capabilities, as well as strengthen client relationships throughout the organization:</p><ul><li>Report more deeply on audit findings by avoiding a narrow-minded approach to audit issues. For example, reports should discuss the broader implications and possibilities of findings, such as their impact on broader business objectives. Internal audit also should show how findings link to implications for other business purposes and recommend reducing inefficient internal controls.</li><li>Submit periodic status reports on the internal audit plan's implementation and adjust them during the year to better address emerging business assurance needs.<br></li><li>Issue periodic reports on significant operational risks based on analyses of internal audit findings within the organization or across the industry.</li><li>Offer to provide consulting and research services in conjunction with individual engagements.</li><li>Invite internal audit team members to meet the audit committee and observe its discussion of their individual engagements.<br></li></ul> <strong><br></strong></td></tr></tbody></table><p></p><h2>Innovation and Learning</h2> <p>These examples of innovation and learning can improve mutual understanding, enhance business capabilities, and strengthen relationships:</p><ul><li>Assign talented employees from other business units to short-term engagements within internal audit. This practice can develop those employees, as well as bring their insight to audit staff members. </li><li>Send talented internal auditors on developmental, nonaudit assignments within business units. This practice can help those auditors build business acumen and pass their knowledge to the teams with whom they work. </li><li>Bring internal auditors from field offices to work at headquarters.</li><li>Train new managers on internal audit's role and areas of expertise such as management control and risk management.</li><li>Participate in professional associations other than internal audit, such as risk management, IT, security, and fraud prevention. Such groups can help auditors keep abreast of leading practices and share lessons learned with audit colleagues.<br></li></ul>Basil Orsini1
Three Rules to Audit Byhttps://iaonline.theiia.org/2020/Pages/Three-Rules-to-Audit-By.aspxThree Rules to Audit By<p>Success as an internal audit professional starts with understanding the basics: risk, controls, planning, testing, interviewing, documentation, reporting, etc.<br> It also requires soft skills such as communication, business acumen, critical thinking, and emotional intelligence. But for the internal auditor who is looking to provide real added value and make a positive impact, those are only table stakes — the bare minimum for getting into the game without being ignored, dismissed, or pigeon-holed as the kind of auditor no one wants to know.</p><p>Any internal auditor who wants to be a part of a successful audit future — as well as the future of his or her organization — would do well to follow three rules, listed in reverse order of importance.<br></p> <strong>Make Them Care.</strong> We often believe the value of our work is self-evident. That does not mean our clients understand or agree. It is our responsibility to learn what they care about and align our objectives with those needs. Through that alignment, we need to ensure everyone is working toward the same successes. And an important corollary: If we do not care about our product, organization, or department, then we will fail. How is the client supposed to care when we don't? <br> <strong><br>Be a Marketer.</strong> Every internal auditor is in marketing. We are selling the audit, the issues, the report, the need for time with us, the value of our department, and ourselves. Everything we do must include a focus on how we promote our services, the profession, the department, and us, the professional internal auditors.<p><strong><br>Have Fun. </strong>Enjoying the work should be our No. 1 priority. I have seen too many internal auditors — skilled, talented, effective internal auditors — who fail because they have lost their internal audit joie de vivre (or perhaps it's joie de l'audit). If you are not having fun — if you cannot be excited about what you are doing — you cannot do your best work. In fact, you probably can't even do good work. Not every minute must be rainbows and unicorns. But every task, project, and opportunity should contain at least a glimmer of possibilities, of excitement — of fun. If we cannot do that, it does not make us bad people, but it probably makes us bad auditors.<br></p><p>And one final note — these recommendations are for every single internal auditor, from those cracking open their first audit program to those who remember working with cuneiform characters on clay tablets. We need to know them when we're first starting out, and we need to be reminded of them every day we work in the profession. We are at our best when we care, when we market, and when we have fun.  <br></p>Mike Jacka1
Editor's Note: The Responsible Internal Auditorhttps://iaonline.theiia.org/2020/Pages/Editors-Note-The-Responsible-Internal-Auditor.aspxEditor's Note: The Responsible Internal Auditor<p>​Do you know a young internal auditor who is making a difference? Since 2013, <em>Internal Auditor</em> has been recognizing up-and-coming auditors from around the world who are advancing the profession in our annual "Emerging Leaders" article. </p><span><p>How are they making a difference? The internal audit professionals chosen to be Emerging Leaders rise to the top based on their business acumen/leadership skills, innovative thinking, community service, and service to the profession. These well-rounded individuals care about their communities, understand their organizations, and are always looking for new and better ways to do their jobs — three areas of focus in this issue. </p><p>Our cover story, <a href="/2020/Pages/The-Responsible-Organization.aspx">"The Responsible Organization,"</a> considers internal audit's role in environmental, social, and governance (ESG) reporting. Paul Sobel, chair of The Committee of Sponsoring Organizations of the Treadway Commission, says internal audit needs to consider the value proposition around sustainability. "Internal audit needs to look at what future investor, regulatory, and stakeholder expectations are likely to be regarding sustainability risk management and reporting and push for management and the board to move in line — or ahead — of them," he says. </p><p>Every year, a common trait of our Emerging Leaders is their understanding of the importance of innovation in their organizations and in their departments. In <a href="/2020/Pages/An-RPA-Road-Test.aspx">"An RPA Road Test,"</a> author Rick Wright takes readers through a pilot robotic process automation (RPA) program at his company, YRC Worldwide. "Audit leadership saw RPA's potential … as a critical piece of internal audit's strategy," Wright says. "Automating portions of the standard terminal audit program could free up valuable staff resources, allowing more focus on other value-added services."</p><p>Finally, in this issue, we tackle the important topic of business acumen, an area in which Emerging Leaders excel. In <a href="/2020/Pages/Audit-With-Acumen.aspx">"Audit With Acumen,"</a> author Basil Orsini offers four examples of business acumen in internal audit based on perspectives adapted from the Balanced Scorecard strategic planning and management tool. He writes, "Internal audit can build business acumen on a sound understanding and innovative implementation of the <em>Standards</em> and associated guidance." </p><p>As your internal audit team's expertise grows in the areas of ESG, innovative thinking, and business acumen, who stands out? Now is the time to nominate them for <em>Internal Auditor</em> magazine's 2020 Emerging Leaders and give them the recognition they deserve. Visit InternalAuditor.org to make your nomination. Nominations are open through May 18. </p></span>Anne Millage0
Update: The Pressure of Pandemicshttps://iaonline.theiia.org/2020/Pages/Update-The-Pressure-of-Pandemics.aspxUpdate: The Pressure of Pandemics<h2>​How can internal audit functions support business continuity during pandemics? </h2><p>Once a pandemic like the coronavirus (COVID-19) has occurred, there is little an auditor can be involved in as major audit activities should be reduced due to the possibility of transferring infection between auditor and client. Additionally, the client’s focus may be on the response and recovery of its critical business functions.    </p><p>While the outbreak is occurring, the audit team can focus on possible breakdowns in controls of processes as business functions operate from a remote or alternate location, or even from home. The key is to strengthen the controls to minimize the potential for errors resulting from manual interventions and the possibility of fraud. It is important to note that the observance of noncompliance with existing protocols should be based on its materiality so that the organization can respond and recover in the shortest possible time.</p><p>Business continuity plan reviews are typically predetermined by a business continuity management policy. The frequency of review and updating is usually annual. During a pandemic, like any other disruption, these reviews may need to be conducted more frequently when an audit client’s environment has frequent staff turnover, or if outsourcing or transferring business functions to a third party results in an interdependency risk.</p><p><br></p><h2>Audit Plans Ignore Key Risks</h2><h3>Cybersecurity and third parties are among omissions, Pulse says.</h3><p>Internal audit departments are leaving key risks out of their audit plans, The IIA’s 2020 North American Pulse of Internal Audit reports. The survey of 630 chief audit executives, directors, and managers reveals a glaring disconnect between high risks and audit priorities.</p><p>Take cybersecurity, rated a high risk by more than three-fourths of respondents. Cybersecurity is the Pulse’s top risk, yet almost one-third say it’s not included in the internal audit plan. Another disconnect is third-party relationships — more than half of respondents rate it a high risk, but less than half include it in the audit plan.</p><p>Then there is sustainability risk, which only 10% include in their audit plan. Although only 6% of respondents rate sustainability a high risk, there is growing investor interest in it (see <a href="/2020/Pages/The-Responsible-Organization.aspx">“The Responsible Organization”</a>). That also was the case for another rising investor priority — governance and culture — which less than half of respondents include in their audit plan.</p><p>Such shortfalls in risk coverage were noted in The IIA’s OnRisk 2020 and American Corporate Governance Index studies, says IIA President and CEO Richard Chambers. “The Pulse shows just how serious the problem is, and its impact on sustainability, operational efficiency, and culture,” he says. </p><p>In addition to missing top risks, one in five are performing below the midpoint (level 3) of the Internal Audit Ambition Model, a maturity scale developed by IIA–Netherlands and LKO/NBA. Those functions aren’t conforming with the <em>International Standards for the Professional Practice of Internal Auditing</em>. </p><p>The good news is more than half of respondents say their department is performing at the top two levels of the five-level model. Twelve percent rate themselves at the top level (Optimizing), while 40% are at Level 4 (Managed). Such functions support strategic risk management, long-term planning, and continuous improvement. </p><p><strong>— T. McCollum<br></strong></p><p><br><strong></strong></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>​The State of AI</strong></p><p>U.S. technology company decision-makers have high hopes and some concerns for artificial intelligence.</p><ul><li><strong>88%</strong> — Companies should implement an ethics policy to govern their AI work.</li><li><strong>69%</strong> — Governments should regulate AI.</li><li><strong>62%</strong> — AI adoption is moving at an appropriate speed across the technology industry.</li><li><strong>61%</strong> -— Existing employees are prepared for AI adoption.</li><li><strong>37%</strong> — AI could replace their positions.</li></ul><p><br></p><p>Source: KPMG, Living in an AI World 2020 Report: Technology Insiders</p></td></tr></tbody></table><h2>Boards Fall Short on Diversity Efforts</h2><h3>A U.K. report shows failure to prioritize board ethnicity.</h3><p>Fewer than half of Financial Times Stock Exchange (FTSE) 250 companies mention ethnicity in their board diversity policy, according to research from the U.K.’s Financial Reporting Council (FRC) and Cranfield University’s School of Management. The report, Ethnic Diversity Enriching Business Leadership, also shows that most of the broader FTSE 350 lacks measurable ethnicity targets.</p><p>Only 14% of FTSE 100 companies — the U.K.’s largest publicly listed firms — set measurable objectives for board ethnic diversity; the proportion drops to 2% for the FTSE 250. Even where objectives are established, FTSE 350 companies have not made progress against them. The research also finds that while just over 10% of FTSE 100 firms plan to increase ethnic diversity in succession planning, most of these firms emphasize progression companywide, rather than at the top.</p><p>In light of the FRC’s report, the 2020 Parker Review, an independent report on the ethnic diversity of U.K. boards, recommends companies report on diversity of culture, geography, and nationality alongside ethnicity. </p><p><strong>— D. Salierno<br></strong></p><p><br><strong></strong></p><h2>Insider Threats Put Data at Risk</h2><h3>Human error is behind most data breaches, research says.</h3><p>Three-fourths of IT professionals say employees at their organizations have intentionally put data at risk in the last 12 months, according to research conducted by Opinion Matters for Egress, a data security solutions company. </p><p>Additionally, 78% say employees have accidentally done so. These insider threats pose a significant security risk to organizations, Egress reports.</p><p>The Insider Data Breach Survey 2020 polled more than 500 IT leaders and 5,000 employees at companies with more than 100 employees in Belgium, Luxembourg, Netherlands, the U.K., and U.S. It found that 41% of employees who have accidentally leaked information did so because of phishing emails. Nearly one-third caused a breach by sending an email to the wrong person, and almost half have received an email recalling information sent in error. </p><p>Egress CEO Tony Pepper explains that organizations and their security teams weigh the advantages of efficient communications against data security considerations. “Frequently they compromise on the latter,” he says.</p><p>Employee misconceptions about data ownership negatively impact information security, the survey shows. Two out of five employees don’t recognize that the organization owns its data exclusively, and only 37% say everyone is equally responsible for keeping it safe. “Employees want to own the data they create and work on, but don’t want the responsibility for keeping it safe,” Pepper says. “This is a toxic combination for data protection efforts.”</p><p>The more senior the employee, the less likely he or she is to accept data protection accountability liability — just 8% of directors say everyone shares responsibility, compared to more than half of clerical staff. Directors also are most likely to take data with them to a new job. Of those who intentionally broke company policy, 68% did so when they changed jobs, compared to the overall average of 46%. </p><p><strong>— S. Steffee<br></strong></p><p><br><strong></strong></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>​The impacts from climate change and loss of nature could cost the global economy $9.87 trillion between now and 2050.</strong></p><p>The economy could lose $327 billion from damage to natural protections from flooding, storm surges, and erosion, while loss of carbon storage could cost $128 billion by 2050. </p><p>“Not only will losing nature have a huge impact on human life and livelihoods, it will be catastrophic for our future prosperity,” says Marco Lambertini, director general of WWF International.</p><p>Source: WWF, Global Trade Analysis Project, and the Natural Capital Project, Global Futures</p></td></tr></tbody></table><h2>No. 1 Cybercrime: Email Fraud</h2><h3>Hackers target company employees in record numbers.</h3><p>Business email compromise accounted for more than half of total reported U.S. cybercrime last year, according to the Federal Bureau of Investigation’s (FBI’s) 2019 Internet Crime Report. These scams, which typically involve a criminal mimicking a legitimate email address, resulted in more than $1.7 billion in losses in 2019. They were responsible for nearly 24,000 complaints made to the FBI’s Internet Crime Complaint Center (IC3) last year.</p><p>Many compromised emails are CEO fraud, where an email sender impersonates an executive within the company. The email requests payment that appears legitimate but actually directs funds to a criminal. </p><p>IC3 also reports an increase in complaints that involved diversion of payroll, where hackers mimic an employee requesting an update to his or her direct deposit information. The change then routes that employee’s paycheck to a scammer’s account.</p><p>Last year saw the largest number of cybercrime complaints since 2000. </p><p><strong>— D. Salierno</strong><br></p><p></p>Staff0
My First Audit Committee Meetinghttps://iaonline.theiia.org/2020/Pages/My-First-Audit-Committee-Meeting.aspxMy First Audit Committee Meeting<p>​"You need to know how to better communicate with the audit committee!"</p><p>That was what the audit partner told me after I attended my first audit committee meeting. At the time, I was a new manager at a large CPA firm. Two days prior, my supervisor had asked me to present at the meeting because another auditor had become ill.</p><p>I knew the current status of the audit, and my part of the discussion — just 10 minutes on the overall agenda — was limited to technology risks. Even though I received no briefing, no background information, and no advice, I thought, "What could go wrong?" Well, something did. Not surprisingly, things did not go as I expected. </p><p>During the meeting, several members fired questions at me before I could even finish my presentation. I responded poorly to one of them, and it got worse from there. I became nervous, and I assumed they wanted direct answers — if I did not know something, I just told them "I don't know." That was the truth, but it did not make a good first impression.</p><p>I learned some valuable and lifelong lessons that day. Thinking about what went wrong helped me with future meetings, and it eventually made me a better internal auditor. Three takeaways, in particular, may be helpful to practitioners about to attend their first audit committee meeting, as well as those who have prior experience and want to improve.<br></p><h2>Establish Trust</h2><p>Internal auditors should establish a trusted relationship with committee members — before their first meeting. Over time, I learned to get on the committee chair's calendar as soon as I began working with a new organization, as well as each time the committee chair changed.</p><p>Auditors shouldn't wait to schedule this meeting; the sooner the better. And they should be sure to inform other executives or leaders about it — especially their direct supervisor. Auditors need support from these key individuals before the meeting takes place. </p><p>Other ideas for establishing trust are simple: Be honest, listen before you act, admit your mistakes and learn from them, don't blame others, be transparent, respect others, keep your promises, and seek ways to help your audit committee members.   <br></p><h2>Play by the Rules</h2><p>Auditors need to learn the organization's audit committee protocol. They can start by asking others who have experience with the committee for their perspective and help. Auditors could ask, for example, what committee members know about the organization's governance, risk, and controls. Why were they appointed to the audit committee? The answers to these questions can shed light on committee protocol and rules of engagement.   </p><p>Some audit committee members know little about the business, governance, risk, controls, and committee protocol. Others serve years on the audit committees and have a deep understanding of these areas. Auditors can gauge these factors and adjust how they engage and interact with committee members accordingly. Are certain topics better discussed outside the audit committee? Gaining a better understanding of how the committee operates can help auditors gain confidence in their ability to communicate in a manner that will be impactful. </p><p>Practitioners can benefit from the assistance of a mentor, coach, or trusted advisor when seeking reliable information about committee protocol. Ideally, this individual should have a deep understanding of the audit committee. What concerns do committee members share? What unites them? What divides them? By studying these dynamics and asking lots of questions, auditors can improve their ability to work with the committee members. </p><p>I found over my career that understanding protocol goes a long way toward fully engaging with the audit committee. Some committees hold formal, controlled meetings where there are no surprises and nothing is left to chance. Others maintain flexible agendas, room for impromptu discussion, and time to delve into tough questions. Internal auditors should realize that no two committees operate the same way. <br></p><h2>Learn How to Report Bad News</h2><p>No one likes to hear bad news, including the audit committee. There are many ways to communicate sensitive issues, but what works best? Unfortunately, I learned the hard way that reporting bad news to the committee without providing advance warning often does not go well. </p><p>An audit committee member once asked me, for example, how our audit team can possibly keep up with the technical demands of business disruption and innovation. "We cannot," I answered. And of course, this was bad news to the committee. </p><p>"Competition, higher pay, and signing bonuses offered by other organizations means the turnover rate on the team is high," I added. "The top highly technical audit team members, especially, tend to get hired away."</p><p>The committee members did not respond well to this news. They wanted to hear solutions, not just problems. And they were right to be concerned.</p><p>In hindsight, we should have discussed this topic first outside the audit committee. But it came up unexpectedly at the end of the meeting, and I was unprepared. A better answer might have been: "Good strategic question. Let me gather hard data first before I answer you. If I need help to solve this, can I count on your support?" Framing the response this way turns the question into an opportunity to solve a strategic challenge. Lesson learned.  </p><p>A significant issue raises the temperature of the room, and the confrontation can get brutal. Auditors should learn how to deliver bad news — before they actually need to do it. <br></p><h2>Further Preparations</h2><p>In addition to considering these three key areas, internal auditors can take several steps to prepare for their first committee meeting: </p><ol><li>Find out what the audit committee thinks of internal auditors. </li><li>Determine whether the audit committee sees internal audit as valuable.</li><li>Get senior executives' impressions of the audit committee and its value.</li><li>Ask for coaching and feedback from other stakeholders, such as the board secretary or someone in the legal function.</li><li>Practice and rehearse your audit committee presentation.</li><li>Compare your presentation to other audit committee presentation materials. Are they comparable in terms of quality, depth, and substance? </li><li>Learn how to recommend cost-effective solutions to issues raised. </li><li>Determine what key risks and key insights the committee sees as strategic and impactful.</li><li>Understand the committee's risk tolerance levels.</li><li>Get to know the committee members as much as possible and develop trusted relationships with them.</li><li>Learn to engage the committee — don't just read the audit report.</li><li>Focus on insights, value, and forward-looking initiatives.</li><li>Anticipate potential questions and prepare your responses. </li><li>Learn how to handle negative feedback on your reports, conclusions, or recommendations.<br></li></ol><h2>Don't Get Caught Off Guard</h2><p>Careful preparation is key to successful audit committee meetings — it calls for deliberate, sustained action, working with key stakeholders and members of the committee itself. Practitioners can seek informal advice through their organization or their personal networks, though formal training is available as well. Either way, it's important for auditors to be proactive and not just assume everything will go well in their first meeting.</p><p>Don't make the same rookie mistake I did by walking into the meeting cold. Knowing what you're going to say, anticipating what you might be asked, and developing relationships can make the difference between a poor showing and a great first impression. Even if pressed for time, I should have at least asked others what to expect, what the protocol is, and what to prepare ahead of the meeting. Armed with that knowledge, I could have walked into my first audit committee meeting informed, prepared, and confident.<br></p>Steve Mar1
Drunk and in Charge of a Bicyclehttps://iaonline.theiia.org/2020/Pages/Drunk-and-in-Charge-of-a-Bicycle.aspxDrunk and in Charge of a Bicycle<p>​In his excellent book<em> Zen in the Art of Writing</em>, science-fiction author Ray Bradbury features an essay titled “Drunk, and in Charge of a Bicycle.” Bradbury uses the essay to discuss his approach to writing, including this choice snippet:<br><span class="ms-rteStyle-BQ">“That is the kind of life I’ve had. Drunk, and in charge of a bicycle, as an Irish police report once put it. Drunk with life, that is, and not knowing where off to next. But you’re on your way before dawn. And the trip? Exactly one half terror, exactly one half exhilaration.” </span></p><p>What if we were to perform our audits that way? What if we started without knowing everything? What if we had an idea of how to approach a risk, but found ourselves on our way before dawn without knowing where we were headed? What if we simply trusted our intuition, our skills, and our professionalism to lead us to the correct destination? Imagine auditing with no hours spent preplanning on preplanning, no interminable meetings about the meeting about the meetings, no second-guessing before the first guess has been made, and no excruciating detail of dotting every “i” and crossing every “t.” Instead, engagements would involve exploring the mostly unknown and learning what we do not know, what we need to know, and what will provide the most value to the organization.</p><p>And here’s another quote from Bradbury’s essay: “By the time many people are fourteen or fifteen, they have been divested of their loves, their ancient and intuitive tastes, one by one, until when they reach maturity there is no fun left, no zest, no gusto, no flavor.” </p><p>In spite of what some people say about the internal audit profession, it can be a lot of fun. I’ve been in it for more than 30 years — no one without masochistic tendencies of a type I cannot fathom stays in a profession that long unless they are having fun. And I’m still having fun because there is still so much to learn, so much to explore, and so much potential and opportunity.</p><p>Practitioners would do well to quit trying to make sure everything is perfect and instead just enjoy the job. Most of the fun I have had in internal auditing came when I was exploring. And I’m willing to wager the bicycle mentioned above that, upon close examination, that’s when the majority of internal auditors have the most fun too. An important part of that fun is diving into the work, without fear or worry. As nature essayist John Burroughs advised, “Leap and a net will appear.”</p><p>Some of my best work as an auditor, and some of the most fun I had, came when I was not enmeshed in the details — when I was allowed to experiment, explore, and leap, letting the work lead where I least expected. In other words, it occurred when I was, metaphorically, drunk and in charge of a bicycle. </p>Mike Jacka1
Forming Today’s Internal Audit Functionhttps://iaonline.theiia.org/2020/Pages/Forming-Todays-Internal-Audit-Function.aspxForming Today’s Internal Audit Function<p>​Staffing an internal audit department capable of meeting the myriad and multiplying mandates imposed by a growing group of stakeholders is like solving a Rubik’s Cube. The logistical difficulty of making multiple moving parts on more than one plane match up — at the same time — characterizes the way chief audit executives (CAEs) struggle to line up the right mix of talent with their organizations’ evolving technical, analytical, and operational needs. But just as a Rubik’s Cube can be solved, there is a solution for internal audit department staffing.</p><p>The solutions are unique to each situation, but alignment is key in all cases. “The internal audit function must first align its focus and staffing plans with the organization’s broader goals and strategies,” says Mike Maali, internal audit, compliance, and risk solutions leader at PwC LLP in Chicago, “then with the specific objectives of the internal audit department, itself.” </p><p>But aligning staffing isn’t simply a matter of hiring expert data analysts. Often, the work ahead requires core audit competencies, the basic capabilities every department is called upon to muster. So, audit leaders may need to add traditional, frontline practitioners to their rosters, too. And everybody in every position must be nimble and quick. Companies often change business models, and some of the new models lack regulatory conventions. Internal auditors must be able to zoom in to see every point in detail, and zoom out to view the matter from a strategic angle.</p><h2>Staffing the Right Talent</h2><p>The essence of the CAE’s hiring challenge is determining the right mix of IT and business expertise, sharpened interpersonal skills, and audit fundamentals the department requires. “Finding the right people for an internal audit department is extremely hard,” says Robert Berry, principal at consulting company That Audit Guy based in Mobile, Ala. Stakeholders, he adds, hear about the latest tools to use — blockchain, for example — and want internal audit guidance before they know with any clarity what they want from the technology. Do you staff to conduct research that’s not going to be very relevant? </p><p>The evolution of the profession — and its professionals — can intensify the challenge. “It requires new internal auditors with different backgrounds to evaluate new operational and emerging risk areas,” says Yulia Gurman, CAE at Packaging Corporation of America in Lake Forest, Ill. “Schools are producing more ambitious internal audit graduates, and the profession is attracting experienced candidates from other industries from a variety of backgrounds.” The profession has evolved beyond evaluating compliance and reporting risks, she adds. A growing number of companies hiring internal auditors now emphasize emotional intelligence and professional skills as much as, if not more than, technical skills. </p><p>The CAE’s task is to understand the organization’s key risks, internal audit standards and requirements, and stakeholder expectations, then assess whether the current staff has sufficient skills and expertise to provide the level of assurance required. “You also need to understand the complexity of the business and the size of internal audit teams at similar organizations,” says Stacey Schabel, American audit director at Jackson National Life Insurance Co. in Lansing, Mich., “because they directly link to your consideration of the levels, organization, and shape of your team.” She maintains an inventory of team members’ experience in audit and risk management and all critical focus areas, certifications supporting their expertise across focus areas, and professional backgrounds. “Mapping their skills and experience supports audit planning and detailed resourcing, including when to engage external expertise you don’t have on your team,” she says.</p><h2>Audit Staffing Dos and Don’ts</h2><p>Competency catalogs like Schabel’s lay the groundwork for more strategic department staffing. Experts offer tips for ensuring internal audit departments have the people they need.</p><p><strong>Make sure the basics are in place.</strong> “A core set of internal audit skills must be addressed,” Berry stresses. Department staffers must know how to document work, draft reports, and communicate with clients. That’s always been the case for traditional businesses with established internal audit processes, but basic audit skills are even more important, Maali notes, for cutting-edge companies with untested business models and the firms those companies do business with. “Technical and analytic skills sets shouldn’t be overlooked, considering the complexity of some models,” he says. “Unknown things can happen when businesses are ahead of regulations, so foundational capabilities are really important.”</p><p>Schabel’s department also performs U.S. Sarbanes-Oxley Act of 2002 testing for the insurer’s Financial Reporting team. “While our risk-based plan focuses extensively on strategic risks and organizational innovation,” she says, “Sarbanes-Oxley testing is valuable as it is good training ground for new auditors and offers additional leadership opportunities for the team.”</p><p><strong>Don’t get stuck in yesterday’s definition of the basics.</strong> What constitutes fundamental competencies changes over time, Maali says. “There is a redefinition of capabilities grounded in three dimensions: business acumen, analytics acumen, and technology acumen,” he says. “They form the baseline set of capabilities we expect all auditors to exhibit.”</p><p>Business acumen generally applies to basic internal audit areas of influence, including operational processes, compliance, and controls. Kamal Uddin Gazi Jishan, internal audit manager at Ali Bin Ali Holdings in Qatar, calls it “a crucial competency because business managers value the advice and services of an internal auditor who ‘speaks their language.’” </p><p>Technology acumen applies to the emerging tools being used — blockchain, artificial intelligence, Internet-of-Things — and, Maali notes, “internal audit needs capabilities relevant to their implementation or to ongoing monitoring and evaluation.” </p><p>Analytics acumen applies to staff members’ ability to master new audit techniques leveraging different sources of data. “Big data drives the need for a baseline of analytics capabilities,” Maali adds.</p><p>More advanced analytic skills may be mandated by stakeholders’ expanding corporate visions. “If it’s a broader set of risks beyond financial and compliance into operations and strategy,” Maali cautions, “you’re going to have a hard time meeting some of those expectations if the team isn’t appropriately skilled.” That expertise may come from inside the company or outside hires, or consulting firms with internal audit capabilities.</p><p><strong>Tailor hiring practices to help achieve organizational goals.</strong> “First, we need to know what is happening in our company, industry, peer groups, and the macroeconomic environment,” Gurman says. “Any changes or big strategic initiatives may require unique skills that our team members don’t currently possess.” That’s an ongoing evaluation, she emphasizes. In all areas, not just hiring, it’s key to making sure the internal audit department stays relevant to stakeholders’ needs and has the right tools to address risks and provide valuable insights to management and the audit committee. </p><p>Maali notes that, to date, existing internal audit competencies have typically been able to meet audit committee needs, and both sides generally have shared an understanding around them. While they’re often still grounded in their fundamental responsibilities, Maali says “boards are getting much more focused on emerging technology risks,” including cybersecurity and data protection concerns, especially operating in the cloud. Berry agrees that most changes to the profession are driven by changes in stakeholder expectations. “We see boards and management asking about technological processes, and everyone is concerned with personal data.”</p><p>In some cases, organizational objectives require specialized skills. Many companies, Maali points out, are undergoing digital transformations, for example. “Is your team equipped to operate in that environment?” he asks. </p><p>One company he cites is changing its business operating model and will be organized completely differently as a result. “That should cause internal audit to really examine how it’s organized,” he says. “Take your cue from what’s happening with the business and make sure you’re properly aligned.”</p><p><strong>Sync hiring strategy to departmental objectives, keeping in mind the changing shape of internal audit’s ambit.</strong> Sometimes, the department’s goals also may require specific skills. A department that relies heavily on data analysis to meet its goals, for example, will require specialists in data analytics. There are, Schabel notes, several facets to consider when determining what skills your team needs: </p><p></p><ul><li>Business objectives and key risks to accomplishing them. </li><li>Organizational risk appetite and strategy. </li><li>Audit needs assessment requirements, such as ratings and cyclicality. </li><li>Organizational and regulatory changes and focus areas. </li><li><p>Future vision — if it’s digital advancement, for example, internal audit may need specific new expertise.<br></p></li></ul><p>“Having a seat at the table so we are aware of the strategic vision and direction of the organization is key,” she adds.</p><p>The paradigm hasn’t changed completely, Maali says, but “in the last 12 to 18 months, there’s been a shift toward migrating some of the Sarbanes-Oxley testing activity outside internal audit and into the controllership of the organization.” Citing the three lines of defense refresh, he agrees with The IIA’s focus on efficient testing and achieving the lowest total compliance cost that doesn’t sacrifice effectiveness. “It points out the need for collaboration across the three lines,” he says, “especially as the complexity of risk and the speed of business processes really rise.”</p><p><strong>Build a team that can manage risks rather than adjusting your audit plan to match current staff’s skills.</strong> “Scope your audit plan to the risk, then get the right capabilities to do it,” Maali says. For example, an internal audit leader with little knowledge of cloud audits might work with a cloud audit expert to “get at the real risks and how to audit them.” Where staffing gaps exist, he adds, companies usually build capabilities with existing people to the extent they can, then “supplement with strategic hires that accelerate the transformation of the skills.”</p><p>Jishan’s company’s human resources policies generally encourage internal hiring, but transfers to internal audit are rare. “It’s likely the opposite will occur,” he says, “whereby an internal auditor is found to be the best fit candidate for a finance or management role.” </p><p>But employees from other departments often have skills that can be fine-tuned to internal audit through professional education, thus enhancing their candidacy, Berry says. That includes courses in “at least two different industries,” he adds — internal audit and the company’s. “We have to be knowledgeable about audit standards and how to apply them on the job,” he adds, “but also about the industry we operate in.”</p><p>University curricula are being redefined, Maali says. “People are coming out of school now with a clearly different level of skills from just two or three years ago,” he explains. “The aptitude level is higher, and that translates into people very ripe for learning new things.” </p><p>Look for that to translate into passion for the profession, Jishan advises. “The sense of adding value to the business is the driving factor for a career-centric internal audit professional.”</p><p><strong>Don’t be limited by outdated impressions of the profession.</strong> The profession moved away from primarily verifying financial statement and activities many years ago, Berry notes, leading to “different flavors of internal auditors.” An engineering firm may hire a former engineer as an internal auditor, he explains, or a hospital may hire a former nurse. </p><p>Gurman and her team now search in an expanded pool that includes professionals with engineering and psychology degrees, to name just two. She’s also hired people with no internal audit experience, but a strong interest in joining the profession — adding their own valuable skills to the mix. </p><p>The deep expertise needed for specific projects can be found outside the organization, Maali says. “Balance specific needs with how much of the expertise is routinely needed,” he adds. For areas you don’t do much business in, only in an occasional audit, it might be worth it to lean on an external party for expertise. “Build it when it makes sense,” he adds, “and buy it when you have a targeted use.” </p><h2>People Skills Outweigh Technical Skills</h2><p>The challenges facing internal audit departments continue to expand as the profession’s influence spreads throughout their organizations; but they can be managed with the growing diversity of talent available for hiring. Indeed, the human side of staffing — how the department functions when the team is complete — should be paramount, Schabel emphasizes. “The most effective, successful, and healthy teams have diverse backgrounds, knowledge and expertise, strengths and weaknesses, and ways of working,” she says. That encourages individuals to hone their teamwork, conflict resolution, and interpersonal skills. So does getting out of the cubicle occasionally, Berry adds. “Cutting-edge tools can’t replace periodic contact with audit clients.” </p><p>Faced with two well-qualified candidates for one job opening, one of whom has an edge in technical skills, the other in people skills, Gurman says the hiring decision would be easy. “Technical skills most, if not everyone, can learn if they really want to,” she explains. “People skills are much harder to develop.” Internal audit activities require all kinds of interaction with a variety of departments and people with very different personalities, she points out — and the interaction isn’t always about delivering good news. Hiring decisions need to facilitate developing strong positive relationships with audit clients and colleagues throughout the organization. “Strong emotional intelligence and effective professional skills become even more critical, as internal auditors advance into department manager positions,” Gurman adds.</p><h2>Lining It Up</h2><p>Pressures on the profession continue to mount, as internal audit’s role evolves into more strategic planning and operational consulting functions, and as practitioner preference pivots to positions that involve closer contact with colleagues, managers, and C-suite executives. At the same time, advances in technology demand both highly developed analytical skills and command of basic internal audit functions. For CAEs with jobs to fill, “Hire some numbers pros” has been replaced with “Staff to the company’s strategic goals.” </p><p>Diverse candidates for the increasingly diverse positions CAEs offer makes that mandate easier to accommodate. Professionals from a variety of fields are drawn to internal audit — some looking for old school “box checking” jobs, others with their eyes on “trusted advisor” responsibilities — and, more often, they’re already skilled at both analytics and politics, moving back and forth with ease between crunching numbers and presenting proposals to board members. CAEs will face staffing challenges again and again. The talent is out there. The trick is finding it — and hiring it. </p>Russell A. Jackson1
Seeing the Bigger Picturehttps://iaonline.theiia.org/2020/Pages/Seeing-the-Bigger-Picture.aspxSeeing the Bigger Picture<p>​Among questions children ask of adults, perhaps the most common is, "Why?" When told, "Clean your room," "Do your homework," or "The sky is blue," children often respond "But why?" Then as we age, our innate curiosity decreases and conformity and harmony become a greater priority. We fear asking why may be interpreted as provocation, disrespectful, or even a waste of time. Our worries intensify, and the desire to fit in can overwhelm our curiosity.</p><p>For internal auditors, asking why is vital to professional development and success. It helps us understand the organization — not only our role in it, but the greater purpose we serve and contributions we provide. Asking why is necessary for seeing the bigger picture of our work. </p><p>Effective internal auditing requires a questioning mindset. Audit leaders, of course, need to communicate project goals and explain how they serve client objectives and contribute to the organization. Even so, encouraging employees to ask why, as well, helps them obtain a better understanding of each assigned task and a greater appreciation for its significance. Plus, increased engagement empowers and motivates employees, helping ensure everyone is energized and focused. </p><p>Individual empowerment enables employees to take ownership for their work, thereby cultivating a sense of pride. They view project success not just as a win for the organization, but as a personal achievement. Continuously encouraging employees to ask why and provide feedback helps sustain that sense of pride. And by doing so, managers provide team members a voice on decisions that affect projects. The resulting employee buy-in can lead to improved work quality and interpersonal relationships, and better alignment with client needs. </p><p>Asking why can also increase camaraderie and collaboration. When auditors inquire about how each person's role impacts a project or client, they develop a better appreciation for other members of the team. Increased awareness of team members' roles can foster mutual respect and enhance cohesion. And when employees respect one another, it stimulates knowledge exchange as team members become more comfortable sharing ideas with one another, thereby helping to reduce team conflict and nurture employee growth. </p><p>While visiting the National Aeronautics and Space Administration headquarters, U.S. President John F. Kennedy asked a janitor what he did at the agency. The janitor replied, "I'm helping put a man on the moon." The janitor realized his part in accomplishing the overall objective. To some people, the janitor was cleaning the building, but he understood his role in helping make history. This greater understanding illustrates the depth of commitment and sense of purpose employees can possess when they see the bigger picture — often stemming from a sense of curiosity and a willingness to ask why.  <br></p>Nira Kohli1
The Evolution of Talent Managementhttps://iaonline.theiia.org/2020/Pages/The-Evolution-of-Talent-Management.aspxThe Evolution of Talent Management<h3>​How should talent management strategies be evolving?</h3><p><strong>Pundmann</strong> Organizations are looking for consultative, critical-thinking advisors who understand all sides of the business — from strategy and finance to cybersecurity and culture risk management — for their internal audit teams. As organizations evolve, so do their talent strategies. We’re seeing more organizations using rotational or guest auditor programs to engage professionals with diverse areas of expertise outside of internal audit to help address the varied challenges that core internal audit work presents. Because of the variety of challenges internal auditors face, many leading organizations’ talent development strategies include internal audit as a key career development assignment. </p><p><strong>Aina</strong> Today’s business environment disruption is driven by technological advancements and generations that know technology and its rapid evolution as the norm. Talent management strategies need to demonstrate that the organization embraces, and is well-positioned to take advantage of, disruptive technologies. These strategies also need to evolve to a talent pool that thrives on change by providing a uniquely diverse set of experiences through opportunities within and outside the functions for which the talent was recruited. </p><h3>With the growing impact of digitalization, what new skills should CAEs be looking for in candidates?<br></h3><p><strong><img src="/2020/PublishingImages/Aina-Sam-cmyk.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Aina</strong> It depends on where chief audit executives (CAEs) see their organization and industry trending in terms of technology innovation and the associated regulations and risks that CAEs will need to audit. Though not new skills, adaptability, resilience, and innovation to facilitate change are critical for success. How have candidates demonstrated resilience amid change — system changes, policy changes, schedule/deadline changes, team changes, project changes, significant life changes, etc.? Have they driven change through innovation, not just by providing interesting findings and recommendations, but by improving the effectiveness of their own department? CAEs also should look for candidates with a broad understanding of business, with a consultative mindset. And, there is always an expectation that every function will do more with less through the use of technology. IT audit backgrounds are no longer restricted to traditional IT audit experience and information systems degrees. Rather, competence, skills, and experience in computer science/programming, data science and analytics, robotic process automation, cybersecurity, and privacy compliance are needed.</p><p><strong>Pundmann</strong> We’re seeing increasing demand for internal audit teams staffed with people with a diverse set of skills and “purple people” who combine the “red” skills of sophisticated data analysis and architecture backgrounds with the “blue” skills of business acumen, design thought, and political sense. CAEs are looking for analytics and digital capabilities, along with critical thinking and business acumen, and Agile, collaboration, and problem-solving skills. <br></p><h3>What importance should be placed on internal audit certifications in identifying potential candidates?</h3><p><strong><img src="/2020/PublishingImages/Sandy%20Pundmann%20photo%202015.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Pundmann</strong> While internal audit certifications are a relevant part of the discussion for internal audit staffing, it’s key to look at the full team’s composition. If all or none of the team has an internal audit background, there’s a problem. But, if the team comprises a mix of people holding various certifications — Certified Internal Auditor (CIA) for internal audit skills, Certified Public Accountant (CPA), Certification in Risk Management Assurance, and others — the team is likely well-positioned to help accomplish business objectives.</p><p><strong>Aina</strong> I hold the CIA, CPA, and Certified Fraud Examiner certifications, but my experiences, skills, and relationships are even more important. CAEs should be thinking outside the internal audit box, because the world is progressively eliminating that box altogether. The right talent will pick up on internal audit methodology and standards and can readily gain the required experience to achieve an internal audit certification; however, innovation, adaptability, commitment, accountability, and leadership are far more challenging to develop.<br></p><h3>How does the gig economy affect talent strategies?</h3><p><strong>Aina</strong> There’s a growing desire for greater flexibility in when and how people work, as evidenced by the gig economy. Coupled with the talent pool’s desire for diverse experiences, it’s another part of the disruptive business environment. Gig economy dynamics can manifest through more leaves of absence, flexible work arrangements, and turnover. CAEs should anticipate this and develop a methodology that adapts to these dynamics. They should embrace the gig economy impact by recruiting talent who can help them adjust their internal audit talent management approach to further explore, develop, and deploy strategies to engage and retain the current talent pool. Additionally, part of having a flexible internal audit team and talent management strategy should include strategic partners and trusted advisors who can promptly compensate for temporary or long-term skill gaps and manpower needs. </p><p><strong>Pundmann</strong> Internal audit groups use a mix of resourcing models to deliver their audit plans, and as specialization is in high demand, it’s easy to understand why. Eighty percent of the global CAEs Deloitte recently surveyed said specialists skills, which are a great use of a “gig” worker, drove their use of alternative resourcing models. For example, a full-time equivalent employee may not be needed for an environmental audit. Just-in-time resources, as the gig economy can provide, can help as expectations of internal audit become more complex.<br></p><h3>What retention strategies can CAEs implement to make their departments attractive to potential applicants?</h3><p><strong>Pundmann</strong> Increasingly more professionals — younger generations, but also the more experienced among us — are purpose-driven and want to make an impact. Internal audit offers that opportunity with every project that looks at some aspect of the business, evaluates it, and recommends what should be done. Learning a business through varied work in an independent, but team-based, role that affords the opportunity to communicate with the organization’s leaders is attractive to those interested in making a difference. </p><p><strong>Aina</strong> Involving internal audit in facilitating change while embracing and adapting to emerging technology risks will always be key. CAEs should recognize and reward innovation in their departments. That can naturally facilitate diversification of experience for top talent to keep them engaged. Organizations can further diversify the experiences available through rotational programs within and outside internal audit. Nimble and flexible methodologies and work environments are also attractive to a talent pool that would rather not get boxed in. Finally, a family feel in the function, where the office isn’t just a job but rather a place where they feel at home, can go a long way in retaining personnel. Quality of life is a strategic talent influencer in today’s business environment. <br></p><h3>What are some best practices for developing existing team talent?</h3><p><strong>Aina</strong> On-the-job training and learning are far better retained and engrained than classroom and coaching. Therefore, rotational programs go beyond talent retention and into developing existing talent. Coordinating opportunities for existing talent to work with personnel in other functions who possess skills and competencies that internal audit lacks, enables them to bring back the knowledge to benefit internal audit. Additionally, CAEs should challenge existing team members with new projects and opportunities. </p><p><strong>Pundmann</strong> Leveraging Agile principles is great for developing existing team talent. CAEs build on new ways of engaging teams such that the team collectively has the knowledge, but the group iterates solutions and reflects on lessons learned after projects close. It helps develop critical-thinking skills. Of course, it doesn’t hurt to have a robust training and development program to nurture the team, as well. If the organization is moving to the cloud or is pursuing another major change, internal audit needs training to get up to speed on it. <br></p>Staff1
Specialist or Generalist?https://iaonline.theiia.org/2020/Pages/Specialist-or-Generalist.aspxSpecialist or Generalist?<p>​The saying, “a jack of all trades is a master of none, but oftentimes better than a master of one,” provokes debate between specialists and generalists. This discussion extends to many fields, including internal auditing. </p><p>As internal audit’s role continues to grow, today’s practitioners are asked to do far more than their traditional responsibilities around operational assurance and regulatory compliance. This paradigm shift is particularly evident in The IIA’s Pulse of Internal Audit survey. The inaugural 2011 report lists fraud investigations, financial reporting, controls, compliance, and ethics investigations as the top areas of responsibility outside of traditional roles. In contrast, the 2019 report illustrates internal audit’s growing involvement in other key areas including cybersecurity, enterprise risk management, cost/expense reduction, and third-party risk.</p><p>Internal auditors are not only expected to broaden their scope of services, but also deepen them. Most audit functions believe they are falling short technically in key areas, as evidenced by lower competency ratings (scale of 1–5 with 5 as highly competent) in cybersecurity and IT audit (2.9), data analytics (2.9), and technical accounting standards (2.5-2.9) in Protiviti’s 2019 Internal Audit Capabilities and Needs Survey. </p><p>These seemingly conflicting qualities of depth and breadth raise an important question frequently asked by chief audit executives (CAEs) and practitioners alike: Is it better to specialize or generalize? </p><h2>The Practitioner</h2><p>First and foremost, the practitioner’s interests and career goals should guide any decision on specialization. On one hand, experienced practitioners may become specialists over time, whether intentionally through career planning, mentorship, technical training, and workload, or unintentionally through trial, error, and, ultimately, success within certain disciplines. Alternatively, audit new hires may find generalization appealing as it provides a means to learn various aspects of the business and explore alternate career options, or identify opportunities for future specialization within internal audit.</p><p>While audit new hires may be more likely to start their careers as generalists, audit leaders should not deter them from exploring specialization. As academic institutions and continuing professional education providers expand their offerings in highly technical areas such as cybersecurity and data analytics, new hires can enter the audit workforce with skills best suited for specialist roles.  </p><p>Regardless of experience level, practitioners may already have expressed specific interests or disinterests that will help department leadership better align projects with the appropriate resources. For instance, a new audit staff member may not have a specialization, but wants to limit his or her workload to IT audit and consulting projects. While smaller audit functions may not have the headcount or budget to allow for specialists, audit leadership must continuously engage their staff, understand their career aspirations, and foster their interests through mentorship and continuing education. If leadership does not facilitate these conversations, auditors should initiate the dialogue and ensure they receive opportunities to pursue their career interests.  </p><h3>The Department</h3><p>Every internal audit team is unique with respect to size, role, collective experience, and expertise. Therefore, a prescriptive ratio of specialists to generalists does not exist. Nonetheless, CAEs and auditors should have a clear understanding of their department’s mission, and the current risks and needs of the stakeholders they support. For example, an audit department of four at a mid-sized private company with relatively low compliance risk may emphasize versatility, and operate as interchangeable parts to support one another and respond to the dynamic needs of its stakeholders.</p><p>Alternatively, a large international corporation with an audit staff of 50 may have more defined and consistent roles for its team members, including designated subject-matter experts based on country, business unit, or discipline. </p><h3>The CAE</h3><p>Whether the emphasis is on agility, expertise, or some combination, every CAE will have a different vision for the depth and breadth of the department’s workload. Because this vision can be shaped by the goals, interests, and skills of the staff, needs of the organization, and size and role of the function, CAEs should benchmark these items against the long-term goals of the department. For instance, if the department has established itself as a trusted compliance watchdog, but the CAE has longer-term ambitions of growing its advisory wing, the CAE should establish a formal strategy that encompasses recruiting, training, project mix, and stakeholder engagement to ensure these goals are achieved.</p><p>Furthermore, an opportunistic CAE with the optimal combination of resources and corresponding organizational needs may counter the specialist/generalist question by asking, why not both? While it seems contradictory to be a specialist and a generalist, CAEs can recruit and develop a diverse staff that includes both to ensure expertise and flexibility to respond to dynamic organizational needs.</p><h3>The Organization</h3><p>As a shared service, internal audit has an obligation to provide value to its varied internal stakeholders. Often, an organization’s copious needs may not be fully met by internal audit’s finite resources. As a result, audit departments should use enterprise risk assessments, materiality, and stakeholder feedback to identify the most pressing organizational needs and impactful project opportunities. </p><p>Additionally, organizations without dedicated departments or subject-matter experts in disciplines such as enterprise risk management, data analytics, and cybersecurity may be more inclined to seek out internal audit to help address needs in these areas. This is provided that the audit team has specialists with the requisite expertise and availability. For instance, a large company with a robust data analytics department may be less likely to engage internal audit to perform similar work than a smaller organization without a dedicated analytics function. Nonetheless, internal auditors can still provide value under those circumstances by assisting the analytics department with tasks such as validation of the completeness and accuracy of the data sets used and providing context to analytical results based on their knowledge of the business. </p><h3>Align Talent With Needs</h3><p>Internal audit’s expanded role has afforded today’s CAEs and practitioners new opportunities with respect to the depth and breadth of their workload, but it also presents new challenges and decisions around the merits of specialization versus generalization. These decisions should not be made in a vacuum, but rather through careful and informed considerations, including practitioner goals and interests, audit department size, role and vision, and organizational needs. But regardless of whether one is a “jack of all trades,” a “master of one,” or a hybrid of the two, internal auditors can maximize their value by aligning their talents and workload with their stakeholders’ needs.  <br></p>Jack Pelikan1

  • AuditBoard_Pandemic_May 2020_Premium 1_
  • Galvanize_May 2020_Premium 2
  • IIA CERT-Online Proctering_May 2020_Premium 3