Opening and Closing Meetings and Closing Meetings<p>​Imagine attending an opening meeting for a scheduled audit. The audit topic is somewhat controversial and there has been pushback on the review’s timing. The auditor-in-charge worked hard to find time to get everyone to attend (8-10 people). The meeting is held in a huge conference room, so people are waving across the room and jokingly asking, “How’s the weather over there?” There is anticipation mixed with nervousness and anxiety as the auditors introduce themselves. The auditor-in-charge turns on the projector and forwards through the 12 slides in the opening meeting slide deck in about five minutes. She asks if there are any questions (there are none) and thanks them for their time. The group proceeds to exit the conference room feeling deflated. Everyone thinks, “What was the point of that?”</p><p>Now imagine attending a closing meeting for a different audit that went well. The clients are engaged with the issues internal audit finds and want to use the audit to help drive improvements in their business. The meeting is held in a huge training room set up with circular tables suitable for 36 people. The auditor-in-charge had difficulty aligning everyone’s schedules, so the meeting is held at 4 p.m. on Friday. Six of the 18 people call in to attend the meeting while the rest sit at the back of the room. Unfortunately, the auditor-in-charge shows up just five minutes before the meeting starts and has multiple issues with the technology — he neglects to bring an adapter for the laptop and doesn’t know how to use the projector. As a result, the meeting starts 15 minutes late. Two slides in, the meeting is derailed by someone on the phone asking a question, resulting in a five-minute side conversation between the auditor-in-charge and the person on the phone as the others disengage into side conversations or checking their phones and laptops.</p><p>Many times, internal audit takes opening and closing meetings for granted and just goes through the motions to conduct them. The difference between meetings that are successful and meetings that are not is preparation and clear objectives. Internal auditors can follow guidelines that will ensure these meetings are informative and engage their audit clients.</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​Conducting Effective Meetings </strong></p><p>Because the opening meeting can set the tone for the audit and the closing meeting is a crucial last step in the audit process, internal auditors can benefit from tips to run the meetings in the most professional manner possible. </p><ul><li><strong>Consider your appearance at the meetings.</strong> Because internal audit is positioning itself as a competent team of professionals, they should look the part and dress appropriately. </li><li><strong>Never sit opposite the clients in an “us vs. them” setup.</strong> The audit team should mingle to make the meeting more collaborative.</li><li><strong>Don’t use “auditee” or other internal audit jargon with clients or other meeting participants.</strong> The only people who use those words are auditors.</li><li><strong>Never read directly from the slides or the audit report.</strong> Points should be made as if the auditor is having a conversation. Use the slide deck and audit report as a guide, not a crutch. If an auditor is unable to do that, then he or she has not prepared well enough for the meeting.</li><li><strong>Remarks should be addressed to the most senior (nonaudit) person in the room.</strong> This is simply good etiquette.</li><li><strong>Be culturally sensitive.</strong> In the U.S., staff members present their own findings as a development opportunity. In other countries, the senior member of the audit team is expected to do so. There may be some other cultural etiquette for meetings, as well. Internal auditors should always research cultural norms if they are presenting in another country.</li><li><strong>The auditor-in-charge should stand up during the meeting, if appropriate.</strong> Standing reinforces that he or she is facilitating the discussion. </li></ul></td></tr></tbody></table> <p> <strong>Prepare for the Meeting</strong> The meeting room should be visited the day before the meeting to make sure it is appropriate for the number of people attending and that the auditor running the meeting understands how to use the technology in the room. If the auditor-in-charge is uncomfortable speaking in front of people, he or she should rehearse the entire meeting.</p><p> <strong>Make Your Objective Clear</strong> A meeting must have a specific and defined purpose. Before sending that calendar invitation, ask yourself: What do I want to accomplish? This should be shared ahead of time with the client.</p><p> <strong>Consider Who Is Invited</strong> Think about who really needs to be in the meeting. When people feel that what’s being discussed isn’t relevant to them, or that they lack the skills or expertise to be of assistance, they’ll view their attendance as a waste of time. If there are any doubts about certain attendees, make them optional and let them decide whether to attend.</p><p> <strong>Stick to the Schedule</strong> Create an agenda (or slide deck, in this case) that lays out everything that will be covered in the meeting, along with a timeline that allots a certain number of minutes to each item, and email it to people in advance.</p><p> <strong>Be Assertive</strong> If one person is monopolizing the conversation — the fastest way to derail a meeting — call him or her out delicately. For example, “We appreciate your contributions, but let’s get some input from others.” Establishing ground rules early on will create a framework for how the group functions. Internal audit is in charge of the meeting. Discussions of risk ratings, for example, can be a derailer that the auditor should consider discussing outside of the meeting.</p><p> <strong>Start on Time, End on Time</strong> Knowing that time is valuable, do not schedule any meeting for more than an hour. Sixty minutes is generally the longest time people can remain truly engaged. A <em>Harvard Business Review</em> article, “The 50-minute Meeting,” suggests allowing 10 minutes of the 60 minutes for travel and administrative time. And if only 30 minutes is needed, don’t schedule an hour.</p><p> <strong>Ban Technology</strong> Laptops and smartphones distract people from being focused on the meeting or contributing to it. Instead, they’ll be sending emails or surfing the web.</p><p> <strong>Note Action Items and Follow-up</strong> So that everyone is on the same page, a follow-up email highlighting what was accomplished should be sent within 24 hours to all who attended. Document the responsibilities given, tasks delegated, and any assigned deadlines.</p><p>If opening and closing meetings seem repetitive and boring, consider the actors who perform in some Broadway plays for years. They strive to do every performance, even the 873rd, with the same passion as the first. They polish and perfect it each time. Clients deserve the best from internal auditors, and there will always be someone in the room who hasn’t seen the slide deck or been through an audit before. The right preparation can make these meetings valuable and productive for auditor and client.</p>Scott Feltner1
Building the Audit Function the Audit Function<p>​Building an internal audit function from the ground up may seem like a daunting task, but taking a measured approach and prioritizing what should be done first can ease some of the difficulties. Handling these initial steps with care also helps build trust in organizations that may have no experience with internal audit or may be suspicious of its motives. By selecting key areas of focus and seeking to make "quick wins," chief audit executives (CAEs) can soon win over management and the rest of the business, and establish a solid foundation for the audit function.</p><h2>The Lay of the Land </h2><p>Alyssa Martin, partner in charge at risk advisory services firm Weaver in Dallas, is no stranger to setting up internal audit functions from scratch. She says she typically sets up around three or four functions per year on behalf of clients, and that she has established — or "reconstituted" — more than 20 in her career to date. </p><p>Martin says the reason behind the organization's decision to set up an audit function can provide vital clues about what it will look like and how it will be resourced. Potential reasons include regulatory requirements; past governance failures that impacted operations; financial incentives such as improving processes, increasing efficiency, and minimizing potential frauds; or pressure from a large customer to provide it with more assurance. "The different circumstances behind the move to set up an internal audit function can influence the way it is developed, what its scope is, and what budget and resources it will have," she says. </p><p>The way in which internal audit will operate also needs adequate consideration, Martin adds. If, for example, the function comprises a head of internal audit who oversees a fully outsourced team, that individual must be a strong leader with lots of experience. He or she must be able to take charge and establish what the function's priorities should be, as well as determine what expertise the organization needs to obtain quickly. </p><p>Martin says internal audit needs a "sponsor" within the organization to champion the function and to send a message to the board and the rest of the organization that internal audit is a key player in ensuring effective governance and sound practice. Moreover, CAEs need to liaise and establish good working relationships with key second-line assurance functions in the business, particularly the chief risk and compliance officers, as well as maintain communication with the chief financial officer (CFO). "Internal audit can't act in isolation, and especially not when it is a new department," she says. "It needs to establish key partnerships with other functions in the business to see how they operate, how they view risk, and to learn their approaches."</p><p>Martin also notes the importance of building a good relationship with the audit committee, management, and the organization in general, and she stresses the need for audit heads to understand the audit universe and identify which activities are a priority for internal audit's involvement. "Find out where internal audit needs to be active first and what skills and experience you need to have to make a good impression straight away," she says. "You have to choose where you can make an immediate impact first to gain trust with management and the organization."</p><p>The head of internal audit also needs to look closely at the budget he or she has been given. "A low budget impacts hiring choices and what you can realistically do," Martin says. "It also means that you have to prioritize areas that need the most work or immediate focus." She advises audit leaders not to complain about receiving less funding than expected, noting that effective use of allotted resources can allow for quick wins and help build confidence with managers who control the purse strings, thereby making them more likely to agree to additional funding later.</p><h2></h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​</strong><strong>Set the Standard</strong></p><p>Anyone setting up a new audit function should be familiar with The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em>. Several standards, in particular, are especially relevant to the process:</p>1000 — Purpose, Authority, and Responsibility<br>1110 — Organizational Independence<br>1200 — Proficiency and Due Professional Care<br>2000 — Managing the Internal Audit Activity<br>2020 — Communication and Approval<br>2030 — Resource Management<br>2040 — Policies and Procedures<br>2050 — Coordination and Reliance<br>2060 — Reporting to Senior Management and the Board<br>2230 — Engagement Resource Allocation<br></td></tr></tbody></table><h2>Obtaining Buy-in</h2><p>Arif Zaman, head of internal audit at real estate company Emaar Industries and Investments based in Dubai, United Arab Emirates, was formerly a risk advisor at a consulting firm where he helped large corporate clients set up or reconstitute internal audit functions. Zaman says the experience taught him what a "good" internal audit function should look like, and what constitutes best practice. </p><p>Having board buy-in from the start is essential to the success of any internal audit function, Zaman says. "Once you have board backing, you can then get approval for the internal audit framework and reporting structure, which will allow internal auditors to maintain their independence and objectivity," he explains.</p><p>Like Martin, Zaman says internal audit must know who will champion the audit function — usually the second line of defense functions like compliance or risk management. He adds that, to maintain independence, internal audit should report to the audit committee or directly to the board. Once the reporting line is defined, the head of internal audit should ensure that three documents are drawn up quickly:</p><p></p><ul><li>An audit committee charter to define the role and responsibilities of the committee (with board approval).</li><li>An internal audit charter to define the scope, role, responsibilities, and reporting structure of the internal</li><li>audit function.</li><li>The standard operating procedures, which are policies and procedures that cover the annual audit plan, approval process, engagement plan, audit execution, audit reporting, follow-up, reporting, and quality assurance.</li></ul><p> <br> </p><p>According to Zaman, understanding the business, how it operates, and — crucially — its culture, also are key steps to successfully setting up an internal audit function. "It is very important to be acquainted with the culture and business acumen of the company," he says. "It gives a general idea of the company's risk maturity and its control environment. It also provides useful insight about how an internal auditor should determine his or her approach and how to pitch the internal audit department framework within the organization."</p><p>Zaman also notes the importance of considering the culture of the country in which the organization operates. "Internal audit is nothing new in countries like the U.S., U.K., or elsewhere in Europe," he says. "These countries have an understanding and appreciation of what internal audit can provide. But in developing markets, awareness of what internal audit is supposed to do, and what it is capable of, can be quite low."</p><p>To help gain trust in the organization, Zaman says it may be best if internal audit has a pragmatic — rather than dogmatic — mindset. He stresses that flexibility may be necessary, as a "by the book" approach may intimidate business units and deter them from coming forward and reporting problems. "You want to establish a culture of openness and transparency that encourages people to come forward with concerns, rather than reinforce the stereotype of internal audit being an internal policeman," he says. </p><p>Zaman also agrees with Martin that achieving quick wins early on can help turn people's attitudes around in the auditors' favor. He warns against starting with sweeping, ambitious objectives such as advising an overhaul of the way the organization is run or recommending controls around every single business process. Instead, Zaman suggests looking at simple ways to help cut costs and increase efficiencies, being sure to quantify the immediate and long-term cost savings. "Concentrate on just doing the main audit work you need to do first and where you know you can succeed," he says.<br></p><p>It is also important for internal audit to show that it is open and collaborative, notes Randy Pierson, internal audit manager and invalid traffic compliance leader at The Nielsen Co. in Oldsmar, Fla. “Audit needs to avoid being siloed," he says." You want to make sure that you are getting all the information that you need so that you can understand the risks to the business and whether they are being controlled. The best way of doing this is to build up trust within the organization.”</p><p>Like Zaman and Martin, Pierson also advises making a good impression quickly through small but effective changes to improve practices, cut costs, etc., but also by working with subject matter experts throughout the business to get a better sense of operations and the risks they face.<br></p><h2>Working Within the Perimeter<br></h2><div>Leslie Krepa, a retired former head of internal audit living in the United Kingdom, does not believe that any auditor sets up a function from scratch in reality. “There are always perimeters setting out what you are able to do and what you will need to look at — the job description/internal audit terms of reference will have done that at the outset," she says. "The board, and especially the audit committee if there is one, will have expectations of what they want to see done, and they will have a budget in mind as well. Heads of internal audit will, however, usually have overall control about how the work is done, how the budget is spent, and how the function is set up, but management will have a very clear view about what they want prioritized, particularly as they took the decision to establish an in-house function in the first place.”</div><div><br></div><div>Krepa warns heads of internal audit not to rush into anything. She advises, for example, that CAEs avoid the mistake of presenting an audit plan to key stakeholders during their first week in the position, lest they want to be told to come back when they learn the business. Krepa suggests first visiting key departments, getting to know stakeholders, and visiting office sites. "Look at what is going on with your own eyes — the key early on is to listen and observe and not say very much," she says.<br></div><div><br></div><div>Krepa also advises audit heads to spend time with external audit. “Audit committee chairs rely on external audit to give them an independent view of risks to the business, and chances are that they have already asked for external audit’s opinion on what you are doing," she says. "Having external audit on your side at the beginning could be a real help in winning other key stakeholders over.”<br><br></div><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​Quick Checklist*</strong></p><p>Several activities should be considered when establishing an internal audit function:</p><ul><li>Identify key internal and external stakeholders and obtain a clear understanding of their expectations. </li><li>Communicate the role of internal audit to the board, audit committee, executive management, and the rest of the organization. </li><li>Ensure that there is a functional reporting line to the audit committee and — ideally — an administrative reporting line to the CEO. </li><li>Put an internal audit charter in place — one that is approved by the audit committee.</li><li>Conform with The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em>.</li><li>Prepare an internal audit strategic plan that considers the organization’s objectives and key risks as well as any gaps within its assurance framework. </li><li>Assess the organization’s risk maturity to help determine the internal audit strategy and approach.</li><li>Agree with management on an annual internal audit plan that is approved by the audit committee.</li><li>Agree with management on budgets (financial and staffing).</li><li>Coordinate internal audit work with that of other assurance providers (internal and external).</li></ul><p> <br> </p><p> <em>*A version of this checklist originally appeared in the Chartered Institute of Internal Auditors guide, How to Set up a New Internal Audit Activity. Adapted with permission.</em></p></td></tr></tbody></table><h2>Replacing a Previous Function</h2><p>Seidu Sumani, senior vice president, head of internal audit, at MFS Investment Management previously set up an internal audit function at another investment management firm in Boston after it was sold by its U.S. parent company. "The organization had previously been served by a group internal audit function, so management had a mature view of what internal audit did and the value it could add," he says. </p><p>With management buy-in already a given, Sumani had to work out quickly which departments and processes needed audit focus first, as well as demonstrate that he and his newly appointed team understood the business and the risks it faced. "I needed to establish what my priorities were very quickly, and what skills and experience I would need for my team," he says.</p><p>Sumani notes that it can be a struggle for heads of internal audit to assert their authority at the beginning. Budgets can often be decided by the CFO, for example, and if they are too low, audit heads need to deliver a compelling case about why they need more resources so early on. Sumani advises an assertive approach. "Disagreements with senior management can become quite common, quite tense, and quite political," he says. "But you have to be firm — yet persuasive — and be able to demonstrate that you have the knowledge and experience to back up what you are asking for."</p><p>For example, Sumani notes that he was given a budget for seven team members and was advised to outsource the IT audit function. Instead, he wanted an experienced IT auditor, which can be an expensive hire. "In the end, I was able to get what I wanted but it was not an easy argument to win," he says. There was also pressure on him to deliver results quickly, though he wasn't convinced that the areas management wanted internal audit to address first were in fact the riskiest or the best use of audit's limited resources. "So I took a risk-based approach, which was risky for me because results were not as quick," he says. "However, the results were more appropriate and in the end the stakeholders appreciated that."</p><p>Sumani also recruited someone who had more business experience than audit experience — two years in audit but a wealth of financial services experience; plus he had worked within the business. The new hire could "speak the same language" as managers in different departments, understood how they worked, and knew the key risks their departments faced, as well as how they addressed them. "As a result, we gained management's trust very early on," he says. In fact, he hired three people from within the business based on their knowledge of organizational processes and their ability to learn internal auditing quickly.</p><p>Sumani warns against hiring certain staff members just because management wants them on the team. "Choose your own team and hire who you need or want," he says. He also advises against letting management dictate what internal audit should be doing, emphasizing that it's the audit leader's job to prioritize which areas need the greatest resources and immediate focus. "If internal audit wants to show it is independent, it needs to assert that independence from the beginning," he says. "However, if you're going to ask for more resources and go up against management, be sure you can do what you say you are going to do."</p><h2>The Right People</h2><p>Phil Tarling, an internal audit consultant based in the U.K. and former chairman of The IIA's Global Board of Directors, also emphasizes the importance of staffing-related decisions early on. "Any new internal audit function will live or die by the people it has on its team," he says. "The question you need to ask is whether you want more low-level people who can do the nuts and bolts work effectively and can cover a lot of basic audits across the business, or do you go for high-level people who are willing to get their hands dirty, do the low-level work as well, but who can cover less ground?" He notes the answers depend largely on management's expectations, adding that staffing decisions can have ramifications down the road as internal audit matures.</p><p>Tarling says CAEs who are asked to manage a completely outsourced function can enjoy certain advantages. He points to the increased ease of saying that audit reports received are inadequate or requesting that a particular partner or subject matter expert lead an engagement, as well as leverage in negotiating additional services.</p><p>Regardless of team composition, Tarling, like Sumani, advises a firm, proactive approach. "If you are in charge of a fully outsourced function, or if you cosource, then make sure you flex your muscle and get exactly what you want," he says.</p><h2>A Solid Foundation</h2><p>Setting up internal audit from scratch will always present challenges, but taking a steady and realistic approach that involves management buy-in from the start will make the process a lot easier. And to build trust and avoid confusion or conflict, it is also important to remember that internal audit must define its scope and terms of reference from the outset. Management will be more likely to respond favorably if positive early impressions are made, and more likely to trust internal audit's judgment going forward.</p><p></p><div><br></div><div><em>Visit</em><a class="vglnk" href="" rel="nofollow"><span><em> </em></span></a><a href="" target="_blank"><em></em></a><em> for IIA suggestions and resources on setting up a small internal audit function.</em> <br></div>Neil Hodge1
GAM 2019: Leadership and Change 2019: Leadership and Change<p>​<span style="font-size:12px;">In Tuesday's General Audit Management Conference general session, Mike Evans, award-winning author, speaker, and executive consultant, led a lively discussion on Leading Change: Achieving What Matters Most. </span><span style="font-size:12px;">Evans offered several takeaways for every audit leader who is trying to embrace change and lead by example:</span></p><ul style="text-align:left;"><li><span style="font-size:12px;">He said today's business world is basically a "brawl with no rules." What are you doing to ensure your place in this environment?, he asked the audience.</span><br></li><li><span style="font-size:12px;">Brand "you" is the way others see you. We are all being scrutinized at any given moment. "People will tolerate what you say," Evans said. "They will act on what you do." Leadership, he added, is the congruency between what you say and what you do.</span><br></li><li><span style="font-size:12px;">How do your employees, colleagues, boss, customers, friends, and family view you? The only way to know is to ask them. "You may think you're demonstrating a particular brand when, in fact, you're not," Evans said.</span><br></li><li><span style="font-size:12px;">In today's economy, you are distinct or extinct. You must grow, innovate, and embrace change, and be nimble, agile, resilient, and focused. "Clinging to the status quo is not an option," Evans said, offering as examples: Blockbuster (which had a chance to purchase Netflix and passed on it), Payless Shoes, Kodak, and Nokia. Evans defined all of these companies as "short-termed, inwardly focused."</span><br></li></ul><div><br></div><p style="text-align:left;"> <span style="font-size:12px;">Evans asked the audience how can they grow, adapt, innovate, and reinvent themselves and turn disruption into opportunity. "If you fight [disruption], you're going to find it a losing battle," he said. He presented a "new world of work survival kit" that included:</span></p><ul style="text-align:left;"><li><span style="font-size:12px;">Mastery — best/absurdly good at something. Focus.</span><br></li><li><span style="font-size:12px;">Managing to legacy — all work = memorable, braggable wow factor.</span><br></li><li><span style="font-size:12px;">Unique selling proposition — present a remarkable point of view in 10 words or less.</span><br></li><li><span style="font-size:12px;">Networking obsession.</span><br></li><li><span style="font-size:12px;">Entrepreneurial instinct.</span><br></li><li><span style="font-size:12px;">CEO/leader/business person.</span><br></li><li><span style="font-size:12px;">Master of improvement.</span><br></li><li><span style="font-size:12px;">Sense of humor</span><br></li><li><span style="font-size:12px;">Comfortable in your skin.</span><br></li><li><span style="font-size:12px;">Intense, unrelenting appetite for technology.</span><br></li><li><span style="font-size:12px;">Embrace marketing: You are your own chief storytelling officer.</span><br></li><li><span style="font-size:12px;">Obsessed with renewal — learn every day.</span><br></li><li><span style="font-size:12px;">Outwork/over deliver.</span><br></li><li><span style="font-size:12px;">Excellence always.</span></li></ul><div><br></div><p style="text-align:left;"> <span style="font-size:12px;">Evans encouraged the audience to cultivate a culture and mindset of:</span></p><ul style="text-align:left;"><li><em style="font-size:12px;">Playing to win.</em><span style="font-size:12px;"> Evans said there is a big difference between playing to win and playing not to lose. Leaders need to be crystal clear on the expected result.</span><br></li><li><span style="font-size:12px;"><em>T</em></span><em style="font-size:12px;">aking accountability</em><span style="font-size:12px;">. In a peak performing culture, accountability is broader than your job description. Best practices of taking accountability, Evans said, include recognizing realities, accepting ownership, creating solutions, and exercising action.</span><br></li></ul><div><br></div><p style="text-align:left;"> <span style="font-size:12px;">Ideas, speed, talent, distinction, leadership = success in this new brawl-with-no-rules world, Evans told the audience. </span></p>Anne Millage0
GAM Workshop Highlights Pulse Report Findings Workshop Highlights Pulse Report Findings<p>​<span style="font-size:12px;">The IIA kicked off its General Audit Management (GAM) pre-conference sessions on Sunday in Dallas-Fort Worth, Texas, featuring a workshop on The Institute's </span><a href="" style="font-size:12px;">2019 North American Pulse of Internal Audit: Defining Alignment in a Dynamic Risk Landscape</a><span style="font-size:12px;">. The session, held exclusively for members of The IIA Audit Executive Center, was facilitated by IIA President and CEO Richard Chambers and IIA Managing Director, CAE Solutions, Harold Silverman.</span></p><p style="text-align:left;"><span style="font-size:12px;">Chambers began the workshop with a review of demographics from this year's Pulse report, noting that the survey's 512 respondents consist of 87 percent chief audit executives (CAEs) and 13 percent directors/senior managers. More than 40 percent, he added, have five or fewer years' CAE/director experience, and 25 percent have six to 10 years' experience.</span></p><p style="text-align:left;"><span style="font-size:12px;">Chambers noted this is a marked change, with longer CAE tenures reported in past years. He suggested the change could be due to reliance on rotational CAE models.</span></p><p style="text-align:left;"><span style="font-size:12px;">O</span><span style="font-size:12px;">rganization types represented in the report include publicly traded (31 percent), financial services (30 percent), public sector (19 percent), p</span><span style="font-size:12px;">rivately held (10 percent), and nonprofit (10 percent). Most audit functions fell in the four to nine (37 percent) and 10 to 24 (26 percent) employee range.</span></p><p style="text-align:left;"><span style="font-size:12px;">"We're continuing to see growth in the profession in this country," Chambers told the CAE audience. Twenty-six percent of all respondents' functions experienced a staffing increase in 2018.</span></p><p style="text-align:left;"><span style="font-size:12px;">Chambers noted that, on average, four risk areas comprise the bulk of audit plans: financial reporting, including internal control over financial reporting (ICFR) and non-ICFR (22 percent); IT and cyber (17 percent); operational (16 percent); and compliance (16 percent).</span></p><p style="text-align:left;"><span style="font-size:12px;">He also cited the report's finding that 91 percent of audit functions at publicly traded companies report functionally to the audit committee, board, or equivalent. He said it was alarming, however, to see that 75 percent of audit functions in publicly traded companies are reporting administratively to the chief financial officer. "I thought we had broken away from that trend a few years ago," he told attendees.</span></p><p style="text-align:left;">Chambers and Silverman then began group discussions around four key risk areas identified in the Pulse report: emerging and atypical risks, cybersecurity and data protection, third-party risks, and board and management activity.<br></p><h2>Emerging and Atypical Risks</h2><p style="text-align:left;">"Internal audit has an opportunity to step up and play a role in helping companies identify and stay abreast of emerging and atypical risks," Chambers told the audience.<br></p><p style="text-align:left;">The session attendees discussed how internal audit can remain agile in addressing emerging and atypical risks, with one CAE noting that he dedicates a certain percentage of hours in the audit plan to being agile and responding to new requests.<br></p><p style="text-align:left;">Attendees also discussed how they communicate to — and get buy-in from — stakeholders when seeking to modify internal audit plans due to emerging and atypical risks. "We need to be agile in that we need to be ready to respond," Silverman noted, "but we're not changing our plan because something is new." It may be new, but not as important, he explained. <br></p><h2>Cybersecurity and Data Protection </h2><p style="text-align:left;">Silverman noted that 70 percent of CAEs say potential reputational damage from inappropriate disclosure of private data is a high or very high concern. It is one of the most significant events that a CAE or organization will encounter, he said. <br></p><p style="text-align:left;">There is a gap, however, between actual and desired assurance over readiness and response to cyber threats, according to the Pulse findings. CAEs report a 36 percent effort gap, and 51 percent of CAEs say lack of cyber expertise within the internal audit staff is an obstacle to addressing cybersecurity risk. <br></p><p style="text-align:left;">Silverman questioned internal audit's confidence to assess this area. When dealing with chief information officers, chief information security officers, and even CEOs, he said, internal audit hasn't done enough to show how it can add value in this area, so it doesn't have the respect of those groups.<br></p><h2>Third-party Risk</h2><p style="text-align:left;">Silverman also discussed Pulse findings pertaining to third-party risks. He said that 21 percent of CAEs describe third-party selection processes as ad hoc, weak, or nonexistent. Additionally, 48 percent of CAEs say third-party monitoring processes are ad hoc, weak, or nonexistent. Despite these findings, the average audit function allocates only about 4 percent of its resources to third-party risk assurance.  <br></p><h2>Board and Management Activity</h2><p style="text-align:left;">Finally, the audience considered materials shared with the board and if internal audit is assessing whether they are complete, accurate, and timely. Fifty-seven percent of CAEs say they rarely or never discuss with the board and management the quality of information given to the board. <br></p><p style="text-align:left;">Silverman questioned whether boards have time to review the materials they receive and whether management teams are being completely forthright with boards regarding those materials. "Are they presenting a balanced perspective that shows not only risks in 2019 but thinking forward to 2020 and 2021 and what strategies are in place to get there?" he asked.<br></p><p style="text-align:left;">Only 49 percent of Pulse respondents strongly agree that management provides the board with all pertinent information related to risk, not just information that is supportive of the views of management. Fifteen percent somewhat or strongly disagree with that perspective. <br></p>Anne Millage0
The Forward Looking Auditor Forward Looking Auditor<h2>​Why is it so important for internal auditors to add foresight to their job description?</h2><p> <strong>Stewart</strong> Disruptive technologies and the trends impacting business are expected to intensify in coming years, making markets even more dynamic, competitive, and opportunistic. Successful organizations will need to be agile and accelerate their decision-making in an environment where prolonged periods of rapid change will be the new norm. Internal audit will have an opportunity to help management better evaluate its preparedness to deal with future events and the “what if” scenarios that will most likely impact the business. If successful, internal auditors have an opportunity to inform and shape the critical decisions that their management teams must make. The reality is that most professions — internal audit included — are about to go through tremendous change. Many internal audit functions will need to transform themselves to provide foresight and serve in this new capacity. The real question is whether those currently in the profession will recognize the opportunity, prepare themselves, and rise to the occasion or whether the transformation will be led by an influx of new talent who may be viewed as more equipped to embrace change. I suppose it will be a combination of both, and each of us will decide our future to the extent we are willing and prepared to embrace change.</p><p> <strong>Pundmann</strong> The No. 1 thing I hear from key internal audit stakeholders — namely, chief financial officers, audit committee chairs, and CEOs — is they need new chief audit executives (CAEs) to come into their roles ready to not only provide assurance, but also to advise and anticipate risks. Internal audit must be proactive. That said, assurance activities are critical, and we’re seeing more capabilities like automated assurance help internal audit do block-and-tackle analyses of control effectiveness. Taking those learnings, analyzing them, and using them to identify risks before things actually happen is what sets standout, forward-thinking internal auditors and CAEs apart from the rest.<br></p><h2>How can providing foresight help the organization compete?</h2><p> <strong><img src="/2019/PublishingImages/EOB-Sandy-Pundmann.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Pundmann</strong> It’s important for internal auditors to take what they’re seeing from a historical perspective and apply it to the future of the organization. If they can identify an emerging risk or trend early and communicate that insight to stakeholders, they can help the business gain competitive advantage. Whether an organization is launching a new product or service or implementing a new technology system, internal auditors should be involved early to assure appropriate steps are taken, anticipate risks, and advise on controls and processes. Things change so fast — it’s important to ensure necessary capabilities and controls are built into major efforts long before launch time, and the organization maintains a regular pulse throughout the planning.</p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​On the Horizon</strong></p><p>Pundmann and Stewart say internal audit should be aware of, and ready to address, several emerging risks, including:</p><ul><li>Cybersecurity</li><li>Data and cognitive analytics</li><li>Artificial Intelligence</li><li>Robotic process automation</li><li>Blockchain</li><li>Culture</li><li>Third-party </li><li>The rapidly changing strategies of competitors</li><li>Threats from alternative products and innovative business models</li><li>Generational and social trends</li><li>Climate change</li><li>Geopolitical changes</li><li>Government intervention and regulation</li><li>Competition for investment dollars</li><li>Fierce competition for talent</li></ul></td></tr></tbody></table> <p> <strong>Stewart</strong> In the future, the success of an organization may be determined more often by an ability to anticipate change, to make the right decision within a compressed time frame, and to execute ahead of the competition. An ability to quickly contemplate the potential risks and benefits of multiple “what if” scenarios will become key to effective decision-making and execution. Internal audit has an opportunity to transition from its past of monitoring historic transactions and controls through more recent efforts to establish continuous monitoring where errors or deficiencies can be quickly corrected, toward a future of what might be termed predictive monitoring, theoretical monitoring, or simply forward-looking assessments, where outcomes can be anticipated, competing ROIs validated, and changes made proactively to enhance execution and improve outcomes. Those organizations that make the best decisions and execute on those decisions in this new paradigm will have an advantage over their competition.<br></p><h2>What can internal auditors do to shift to a focus on foresight?</h2><p> <strong><img src="/2019/PublishingImages/EOB-Shawn_Stewart.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Stewart </strong>Internal audit professionals must become more aware of, and educated on, business trends, disruptive technologies, the movements of competitors, and alternatives and must be able to anticipate forward-looking risks. This will require greater industry perspective, stronger interactions between internal audit and the business, greater leverage of subject-matter experts, and advanced risk identification techniques. Internal audit must shift from the traditional and conventional to being more strategic and focused on what might impede the organization’s most important business objectives.</p><p> <strong>Pundmann</strong> Technology can help a lot. In the future, most internal audit functions will tap risk sensing, predictive analytics, robotic process automation, cognitive computing, machine learning, and — someday — artificial intelligence to help them look to risks and opportunities on the horizon.</p><h2>What is the risk if internal audit doesn’t provide forward-looking assessments?</h2><p> <strong>Pundmann</strong> Internal auditors who don’t offer forward-looking insights may diminish their relevance and their level of impact and influence within the organization. Internal auditors need to be proactive and anticipatory to help their companies gain and maintain competitive advantage. New technologies can help give internal auditors broader and deeper views into the risks they help manage, helping them deliver both insight and foresight. </p><p> <strong>Stewart</strong> An ability to adequately and quickly contemplate the potential risks, benefits, and capabilities of the organization to achieve its objectives for multiple “what if” future scenarios will become so important in decision-making that a failure to have this foresight will not be an option for most organizations. This will be particularly true for areas deemed to be most critical to the organization’s success. Management and audit committees will see value in the objective perspective in forward-looking assessments that internal auditors can provide and will seek to transform internal audit functions so they are capable of providing this foresight. Internal audit functions that fail to make this transition likely will find themselves in a less favorable position in the value chain of their organization, will have to deal with an unfavorable contrast to the more advanced internal audit functions of their peers, likely will see more of their budgets and opportunities repurposed to other functions that can support this need, and may ultimately be deemed obsolete and prime to be replaced. </p>Staff1
7 Practices for Better Audit Outcomes Practices for Better Audit Outcomes<p>​When it comes to ensuring successful audit outcomes, the two parties involved — the auditors and the auditees — must be committed to active cooperation. Throughout my career, I have followed certain principles that, when consistently adhered to by both parties, have resulted in successful audits. </p><p>I have worked in the U.S. Air Force Audit Agency and in the Office of Inspectors General (OIGs) of both the U.S. Postal Service and Department of Transportation. Since 2010, I have served as the director of the U.S. Government Accountability Office (GAO) OIG Liaison Office for the U.S. Department of Homeland Security (DHS). In my current position, I facilitate nearly 250 GAO and various OIG performance audits at one any time across DHS. </p><p>These seven principles, along with approaches DHS uses to implement them, can easily be used by other organizations seeking to improve their audit outcomes.<br></p> <h2>1. Believe Audits Make Things Better<br></h2><p>This foundational principle requires auditors and auditees to believe in the work they are doing and remember that it’s not just a job. Auditors and auditees must do the best they can with a view that the results of their efforts will add value to something greater than themselves. For many at DHS, believing this translates into knowing that audit’s efforts are helping make the department’s programs, operations, and activities more effective, thereby ensuring the U.S. and its citizens are safe and resilient against terrorism and other hazards. </p><p>Tone at the top in both the audit and audited organization is crucial to successfully implement this principle. For example, senior leaders in the audited organization must have processes in place to demonstrate a personal awareness of, and an active interest in, the audits occurring within their organization. To facilitate this, DHS assigns a priority of 1, 2, or 3 to each audit using broadly defined criteria supplemented by professional judgment and experience. Criteria include considering the level of taxpayer funding in a particular program or initiative and the significance of potential violations of statutory or regulatory requirements. Priority 1 audits warrant secretary or deputy secretary of DHS attention; Priority 2 audits are those that can be monitored at the component or headquarters directorate level, such as by the administrator of the Federal Emergency Management Agency; and Priority 3 audits are considered less critical and can be monitored at the program office level. The priority assigned to an audit is subject to change, depending on circumstances, as the audit progresses through its life cycle.<br></p> <h2>2. Understand and Respect Audit Independence </h2><p>Arguably, one of the least understood audit standards is the U.S. Generally Accepted Government Auditing Standard of Independence, which establishes a foundation for the credibility of the auditor’s work. Independence allows audit opinions, findings, conclusions, judgments, and recommendations to be impartial and viewed as such by reasonable and informed third parties. Independence requirements relating to the audit organization and individual auditor — including what independence of mind or in appearance means — and how professional skepticism is correctly defined, can be difficult to fully understand. When auditees have trouble with these or other aspects of independence, they usually just need to learn more about the concept. It is more problematic when auditors do not fully understand what independence is and is not. </p><p>During my more than 30-year career, I have seen instances of auditors knowingly or unknowingly misapplying the independence standard as leverage in an attempt to get whatever they wanted, thereby impeding successful audit outcomes. For example, some auditors have told auditees that if they did not immediately produce exactly what they asked for, or let the auditors come and go throughout the organization whenever they wanted, then the auditee was impinging on audit independence. This is quite an overreach. One way DHS mitigates misunderstandings about independence is through an annual joint DHS-wide town hall meeting hosted by the DHS under secretary for management with the inspector general and attended by audit staff, agency leadership, and program officials. The meeting’s question-and-answer format provides an opportunity to openly discuss topics such as independence and, more importantly, to correct misunderstandings. Without audit independence, the value of an audit is considerably diminished; auditors and auditees need to be in sync on independence and why it is needed.</p><h2>3. Be Open and Transparent<br></h2> <p>There should be no secrets when working with auditors. Honesty is the best policy, even if being less than open and transparent may seem more expedient in the short term. Making sure there are no surprises at the end of an audit goes a long way toward ensuring successful audit outcomes. The audit life cycle can be long, sometimes taking a year or more from research, announcement and entrance, fieldwork, summarization, report writing, exit, and management response, to final report publication. Ample opportunities exist throughout the life cycle for auditors and auditees to allow the truth to wander. This may involve something the auditor wants to know, such as how a specific aspect of an internal control system might actually be functioning, or something the auditee wants to know, such as what findings and recommendations the auditor might be thinking about including in the final report.   </p><p>DHS designates an executive-level senior component accountable official (SCAO) for audit activities within each component and headquarters directorate. SCAOs have wide organizational influence — typically at the chief of staff level — and also are responsible for, and have authority over, their respective organization’s audit activities. The SCAO enables and assists program officials, audit liaisons, and others with all aspects of the audit process, including helping to resolve issues that could endanger open and transparent relationships with auditors. For example, SCAOs have mediated disputes concerning what sensitive records may be shared with GAO and OIG auditors.  <br></p><h2>4. Be Responsive<br></h2> <p>Successful audit outcomes require a commitment to work collaboratively with the other dedicated professionals involved with the audit. Responsiveness means reacting quickly and positively, and generally reflects how much someone cares about something. For example, consider how auditors and auditees respond to information requests from one another. </p><p>One way to help ensure success is to set clear expectations for these interactions and adhere to them. Senior departmental leaders at DHS have consistently articulated expectations for the entire workforce regarding cooperation with GAO and OIG, including their contractors. To maximize effective implementation of this guidance, auditor-to-auditee communication is streamlined and, as a matter of practice, audit issues are addressed at the lowest organizational level possible, trusting and empowering staff and elevating matters to more senior leadership only when necessary. This involves a certain degree of risk — for example, sometimes auditors do not receive the most fully informed response to their questions — however, DHS has found the risk to be acceptable given other controls implemented to balance the risk for the benefit of both parties.</p><h2>5. Stay Engaged<br></h2> <p>Early and continuous involvement can be difficult, especially for auditees, because audits can require significant time and are not part of their primary day-to-day responsibilities. However, if auditees believe audits make things better, they will give them an appropriate level of attention among competing mission-related priorities and demands. Likewise, auditors should be mindful that continuous and effective communication with auditees ultimately enhances the flow of information and exchange of ideas. Auditors also need to be understanding about responsiveness lag when other auditee duties occasionally take precedence over the audit. </p><p>One way DHS engages with GAO and OIG during the audit life cycle to help ensure successful outcomes is through a standardized technical comments process for communicating and documenting management feedback on auditor statements of fact, notices of findings and recommendations, and discussion or draft reports. Auditors receive and consider these comments, seek clarification when needed, and make changes to work products, as they deem appropriate. The comments are not intended to substantively alter audit findings, conclusions, or recommendations. Instead, they are meant to strengthen work products by improving accuracy and context, preventing the inadvertent disclosure of sensitive information, helping validate actionable recommendations, and minimizing the number of disagreements. As a result of this process, DHS officials rarely find themselves questioning audit report narratives once published and distributed to the U.S. Congress and the public, including the media. Rather, conversations focus on what is being done to implement recommendations.<br></p><h2>6. Prepare Detailed Management Responses to Audit Reports</h2> <p>Management responses can contribute to successful outcomes if they clearly document management’s position on the findings and recommendations, identify the corrective actions that will be taken (with estimated completion dates), and assign responsibility for those actions. Auditors generally include management responses verbatim in an appendix to final reports, which are then widely distributed inside and outside the organization. Well-written management responses represent an opportunity to demonstrate how seriously the auditee takes audits. Also, when considered with the auditor’s evaluation and analysis of the response — which provides additional audit perspectives on management’s comments and is included in the final report — management responses provide a good roadmap for recommendation closure and the resolution of disagreements.  </p><p>DHS requires a written management response for all audit reports with recommendations. Responses must: </p><ul><li>Clearly state agreement or disagreement (concur or non-concur) with individual recommendations. Partial concurrences are not allowed and it is acceptable to non-concur as long as the rationale for doing so is included. <br></li><li>Specifically identify the organization and office responsible for taking the corrective action, such as the U.S. Customs and Border Protection Office of Field Operations. <br></li><li>Outline what will be done to implement the recommendations — including proposing alternative corrective actions if program officials believe these would be more effective. This is typically stated in terms of actions completed, ongoing, or planned, being sure to address all aspects of each recommendation. <br></li><li>Include an estimated completion date for each action, which can be up to 12 months beyond the estimated date of the final report, or longer if interim milestones are included at approximately six-month intervals.  <br></li></ul><h2>7. Actively Follow up on Recommendation Implementation </h2><p>DHS and its auditors view audit follow-up as a shared responsibility and an integral part of good management. This view has significantly improved and facilitated positive interactions among auditors and auditees. DHS devotes substantial attention to taking corrective actions on audit findings and recommendations, a practice that is essential to improving operational effectiveness. This requires sustained leadership commitment at the highest levels. For example, the DHS deputy secretary and/or the under secretary for management meet with the SCAOs every two months to review and discuss the status of ongoing audits, open recommendations, and related performance measures. Senior leadership also receives various periodic audit status reports in between these meetings, including a biweekly Priority 1 report.  </p><p>If DHS management commits to an action in an audit response, it does its best to follow through on that commitment timely. DHS also strictly adheres to a practice of not closing any GAO and OIG audit recommendations without first reaching agreement with the auditors. This provides Congress and the public added confidence that appropriate actions have been taken to implement these recommendations or otherwise resolve any disagreements. As a result, DHS averages less than one recommendation annually that requires formal resolution.  </p> <h2>A Positive Approach </h2><p>Successful audit outcomes do not just happen. The participants must believe audits make things better and be mindful of the six other principles for ensuring successful outcomes. Moreover, auditors and auditees have a fundamental responsibility to ensure that the resources expended on audits provide a positive return on investment for stakeholders.   </p><style> p.p1 { line-height:12.0px; font:18.0px 'Interstate Light'; } span.s1 { letter-spacing:-0.1px; } </style>Jim H. Crumpacker1
We Are Not Auditors Are Not Auditors<p>How do you respond when asked, “What do you do for a living?” It shouldn’t be tough, but answering that question can be an exhausting exercise in diplomacy and obfuscation. If you say that you are an auditor, almost inevitably the person then asks, “Oh, do you work for the Internal Revenue Service?” Or some may just suddenly disappear in search of what they believe will be a more interesting conversation — such as the rate of moss growth on redwoods or observations on the drying of paint. Even if they don’t run away, their eyes have usually rolled to the back of their head by that point as they check out of the conversation, mentally filing your mug shot in The Hall of Individuals With Whom I Will Never Talk Again. All because of one word — auditor.</p><p>English comedian and actor Stephen Fry once said, “We are not nouns, we are verbs. I am not a thing — an actor, a writer — I am a person who does things — I write, I act — and I never know what I am going to do next. I think you can be imprisoned if you think of yourself as a noun.”</p><p>And therein lies the problem. We describe ourselves as a noun. We make ourselves a thing. And by thus naming ourselves, we become that thing. We are auditors. We conduct audits. We perform audit work. We produce audit reports. We are part of an audit department. Our identity and our future become inextricably intertwined with the concrete solidity of a thing that has been named.</p><p>Instead, we need to define ourselves as verbs. We need to identify with what we do, not what we are. And that means we need to describe ourselves to others by talking about what we do, not what we are. The next time someone asks what you do for a living, try one of these:<br></p><p><em>“I work with executive managers to help ensure they achieve their objectives.”</em></p><p><em>“I help streamline processes to ensure management succeeds.”</em></p><p><em>“I provide oversight to help the organization succeed.”</em></p><p><em>“I work with management to help eliminate problems before they occur.”</em></p><p>Any one of these will lead to a better conversation, speak to the value internal auditing can provide to an organization, and keep the other person from scuttling away like a lobster confronted with a pot of boiling water.</p><p>I am not suggesting that we no longer use the title <em>auditor</em>. But we have to identify ourselves in a way that helps us and others understand we are free to be more. We provide assurance; we consult; we advise; we fulfill the mission, principles, and definition of internal auditing that help establish who we are. When we realize we are not just auditors — when we make the transition away from being a noun — we are free to be the verbs that describe the real value we provide. <br></p>Mike Jacka1
The Lost Art of Conversation Lost Art of Conversation<p>As auditors, asking questions is our bread and butter. Practitioners are expected to be curious, inquisitive, and even challenging when conducting engagements. But sometimes, despite asking what feels like a million questions, our audits don’t progress as we expect or hope. Reflecting on a recent failed attempt to find out what my four-year-old did at day care (“What did you do at day care today darling?” “Nothing, Mummy”), I realized this lack of progression can occur when we aren’t asking the right people the right questions — we need a different kind of audit conversation. </p><p>Problems can arise initially when conversations take place solely with internal audit’s designated client contact — typically the manager in charge of the area being audited. At a previous organization, I led a cash-related audit after my primary contact confirmed the process was critical enough to merit internal audit’s attention. But this individual oversaw the process under review — so of course it was considered important. A subsequent meeting with senior management revealed the cash process was a lower audit priority than my team and I originally thought. We could have obtained this information much sooner by holding additional conversations with someone who possessed a more objective point of view. </p><p>Even so, identifying the best individuals to speak with does not always guarantee the most relevant information will surface — the discussion itself also requires close attention. Auditors typically prepare questions in advance of client discussions, to make the best use of everyone’s time. While the process constitutes best practice, it also presents risks. The auditors may think the meeting is running efficiently as they work through each question, but they could miss the opportunity to explore risks through a more conversational, back-and-forth exchange. If the client simply answers questions with yes or no responses (or “nothing,” like my four-year-old), the information gathered may be unhelpful or misleading. </p><p>Auditors should occasionally give themselves permission to let the conversation roam and flow. When this happens, some of the topics clients want to discuss inevitably won’t conform to the auditors’ agenda. Letting the discussion take its course, however, might lead to new insight on what clients view as key risks or opportunities. </p><p>In chatting with my four-year-old, I’ve reconsidered the value of a stock question — asking what train he played with, for example, got a much more detailed response than the standard, “What did you do at day care?” Likewise, a stock question used in audit planning such as, “What keeps you awake at night?” sometimes leads to a useful answer, but often it yields nothing new. Auditors should experiment with different questions, using the audit team’s collective wisdom to come up with a variety of possibilities. The right approach to client conversations can significantly enhance internal audit’s value, turning a lost art into a productive tool for gathering information. <br></p>Liz Ormsby1
The Audit Committee Connection Audit Committee Connection<p>Trusted advisor relationships are all the rage nowadays. Consultants in various industries have made a case for their services as trusted advisors, and the term has become part of the lexicon of internal audit. But does anyone really know what it means? No listing for it can be found in a dictionary, though informal definitions include words like <em>mentor</em>, <em>guru</em>, and <em>go to</em>. Given the term’s nebulous meaning, why are internal auditors so determined to promote themselves this way? And without a universal definition, how do they know they have achieved trusted advisor status? <br></p><p>The answers can be found, in part, by examining internal audit’s relationship with the audit committee. The committee will always be internal audit’s primary stakeholder. Auditors owe it to themselves and the audit committee to maximize this relationship, and nothing characterizes its ideal state better than the phrase <em>trusted advisor</em>. This status is earned over time with painstaking attention to detail — it requires effective communication, strong relationships, and a willingness to facilitate organizational change. These overarching areas form pillars of trust with the audit committee, and by examining each closely internal auditors can help determine whether they’ve become trusted advisors. Failures may occur along the way, but these failures can help cement the trusted advisor relationship. Getting this relationship right is essential to the organization’s success.</p><h2>Presence and Voice</h2><p>Unlike the old adage that children should be seen and not heard, internal auditors need to be both seen and heard, loud and clear. They must have a presence in the boardroom, the C-suite, and wherever significant organizational decisions are made. But they shouldn’t be a fly on the wall — auditors need to provide insight and promote change. They also need to know when it’s appropriate to escalate an issue and push for resolution. </p><p><strong>Have an Opinion</strong> Internal auditors can’t just point to potential risks and opportunities. They serve as the eyes and ears of the audit committee, and committee members will frequently ask for their opinions. Auditors need to deliver opinions that are not only informed, but supported by facts and in line with the organization’s objectives. Trusted advisors don’t stop at explaining the risks and potential outcomes. When the audit committee asks internal audit’s opinion on the progress or potential impact of a key initiative, auditors should be well-versed enough to provide useful, relevant information. <br></p><p><strong>Engage With Passion</strong> Practitioners from the chief audit executive (CAE) down to the newest staff auditor need to be engaged and passionate about helping the organization achieve its goals. A passionate, energetic audit team elicits confidence from the audit committee and shows commitment to the organization. Internal auditors can demonstrate these qualities, for example, by immersing themselves in the organization’s activities and stepping outside their comfort zone. They need to bring enthusiasm and drive to everything they do — the audit committee will take notice in the internal auditors’ communications and actions, as well as the results they produce. <br></p><p><strong>The Right Cadence</strong> Nobody wants a reputation for “crying wolf,” but sometimes internal audit needs to be persistent to have its message heard. The audit committee needs to know internal auditors are doing their job, and at times that means delivering bad news. Early in my career, I expressed concern about a particular department’s culture and the risk of it losing a large percentage of employees due to poor morale. Similar to the boy who cried wolf, my message received lots of attention at first but not nearly as much upon subsequent warning. By the third time, my prediction about staff departures unfortunately came true. If I had developed the right cadence, my message would have achieved greater impact. Internal audit can’t have a trusted advisor relationship until the audit committee knows the auditors can gauge the appropriate frequency, tone, and timing for effective communications. <br></p><h2>Agents of Change</h2><p>While internal auditors may have a reputation for bringing awareness to important issues, how often are they the ones willing to take action and facilitate organizational change? In their capacity as advisors, practitioners can perform a great deal of change-oriented work without compromising their<br> independence. And nothing can solidify internal audit’s trusted advisor relationship with the audit committee more than demonstrating the audit function’s ability to drive positive change. <br></p><p><strong>Wield Personal Power </strong>The audit committee needs to know that internal audit can facilitate change based on its influence. However, influence can’t be achieved solely through positional power, or the authority held by virtue of one’s place in the organization’s hierarchy. It must come from personal power as well, drawing on personality, knowledge, and social skills. </p><p>Positional power strategies can only go so far — often, they are effective in the short term but damage relationships and create resentment over time. CAEs who use their personal power to exert influence are much more effective. It can be a powerful tool for helping drive organizational change, establish buy-in, encourage collaboration, and foster a more positive culture. Successful CAEs rely almost exclusively on personal power, but they can also draw on positional power if needed. When the audit committee sees the audit function leading change in the organization, driven by personal power, it will be more likely to view internal audit as a trusted advisor. </p><p><strong>Speak the Language</strong> Internal auditors need to show the audit committee they are multilingual, though not in the traditional sense of fluency in foreign languages. Organizations, and even individual business units, often have their own unique language, jargon, and culture. Suppose internal audit needs to speak with the external auditors, relay a message to the IT department, and then coordinate with the head of sales. Even in the most seamless environments, what are the chances that all of these functions can easily understand each other, much less effect organizational change initiatives? Internal auditors have a wide breadth of reach within the organization that enables them to connect the dots and interpret for others. They can synthesize what one area is trying to communicate into relevant information for another. Most importantly, internal auditors can relay those communications to the audit committee. They will know they’ve become a trusted advisor to the committee when they can interpret highly technical or jargon-filled language and distill it into meaningful information that committee members can easily digest and act upon, creating the desired change in the organization. <br></p><p><strong>Be Proactive</strong> Taking on a project at the request of the audit committee is an easy decision. Almost all of the time, the answer needs to be yes. But trusted advisors go a step further by getting involved even before they’re asked. If auditors pay close attention to organizational developments, they can proactively assess emerging priorities before the audit committee requests their assistance. Questions often arise from committee members when the organization receives negative publicity — they want assurance that the organization is protected. Trusted advisors will take the initiative to evaluate the situation, consider it carefully, and present an objective picture to the audit committee in anticipation of its queries. </p><h2>Relationship Building </h2><p>Relationships play a key role in establishing trust. Without adequate familiarity and comfort with the CAE, members of the audit committee may not fully leverage internal audit’s capabilities. Several building blocks can strengthen audit’s relationship with the committee and provide confidence in its ability to deliver value. <br></p><p>Maintain Integrity Auditors’ integrity represents the foundation of their role as trusted advisors. The audit committee needs to have full confidence that audit practitioners are above reproach, their motives are pure, and they will act in the best interest of the organization. Without such assurance, a trusted advisor relationship cannot exist. When faced with situations that may damage relationships, hurt the organization’s bottom line, or reflect negatively on the audit function, practitioners must act in accordance with their core values. Some painful conversations may be required along the way, but the audit committee will appreciate internal audit’s commitment to integrity. <br></p><p><strong>Answer All the Questions</strong> When the audit committee asks questions, more pressing issues often lie beneath the surface. As trusted advisors, internal auditors must get to the root of questions — the underlying reasons behind them. For example, the committee may ask, “How receptive have departments around the organization been to implementing the new technology?” Is the question really about departments’ receptiveness, or is the committee seeking to understand whether the technology has been worth the investment, or if there is a holdout department that needs to be addressed? Or perhaps it’s seeking to probe an even deeper issue. Auditors will know they have achieved trusted advisor status when they answer all of the audit committee’s questions, both explicit and implicit. </p><p><strong>Back Words With Action</strong> Internal audit’s status as a trusted advisor is contingent on its ability to fulfill commitments to the audit committee — every time. Auditors commit to completing audit projects as part of the audit plan, and they must back that up. They commit to performing their work with the necessary skills, abilities, and expertise, and they commit to remaining independent and objective in the process. I recall a time when our team was struggling to complete the audit plan as promised in light of late-year turnover within the function. After completion of the plan, one of the audit committee members pulled me aside and told me the deck was stacked against us — that we shouldn’t have been able to complete the plan. I replied that we made a commitment and had no intention of falling short. Instant credibility was established, and the path to becoming a trusted advisor was set. Trusted advisors fulfill commitments and support their words with actions. <br></p><h2>Confidence and Trust</h2><p>Maintaining an effective relationship with the audit committee is vital to organizational success. When CAEs invest in that relationship and build a stronger connection, mutual trust and confidence is more likely to emerge. No one can become a trusted advisor overnight, but once achieved the benefits for both parties, and the organization as a whole, are well worth the effort.  <br></p>Seth Peterson1
Agile Planning Planning<p>In an age where extreme weather events, rapid technological change, and geopolitical turmoil are becoming more frequent — and in some cases, more catastrophic — organizations are increasingly having to react more quickly to high-impact events. Business interruption to companies' physical assets and supply chains caused by climate change, for example, can cripple production schedules. Risks that may have been categorized as unlikely but with a high impact — such as Brexit — can suddenly leap to the top of an organization's risk register overnight. Newly emerging risks that seemed nearly impossible, like the U.S.–China trade war, can result in priorities that have been mainstays of boardroom agendas for years being knocked off the critical list. Moreover, disruptive technological and other advancements may require organizations to pivot on short notice to either leverage new capabilities or manage new threats.<br></p><p>The message is clear: Risk planning needs to be more immediate and short-term — what may have been considered a priority risk three months ago may not look as bad on reflection. And as boardroom focus moves with changing, often disruptive circumstances, internal audit has to become more agile too.<br></p><h2>Shorter Time Horizons<br></h2><p>Phil Tarling, an internal audit consultant based in the U.K. and former chairman of The IIA's Global Board of Directors, believes that it is becoming increasingly common for chief audit executives (CAEs) in several industry sectors — particularly manufacturing, high-tech, and pharmaceuticals — to use six-month, or even three-month, audit plans. "Given the speed at which the nature of risk is changing, it is without doubt that some organizations' audit plans are focusing on only the next three to six months," Tarling says. "Manufacturers that use 'just-in-time' management, for example, will require internal audit to have a very flexible audit plan and approach, particularly in light of the uncertainty surrounding Brexit and the possibility of a 'no deal' scenario, as well as the U.S. trade war with China, which may impact sourcing."<br></p><p>Short-term planning has many advantages. For example, Tarling suggests that CAEs who use shorter term audit plans will be more capable of refocusing their efforts and resources than those organizations that have annual audit plans. <br></p><p>"CAEs who plan their work for three months at a time will know that they need to keep a tight control of their budgets and workload so that they have enough in reserve to adapt quickly to the needs of the business," Tarling says. "CAEs that use annual audit plans tend to allocate most of their budgets and resources up front, which leaves less capability for slippage or for change. That is no longer tenable for organizations that are more exposed to political and economic risks."<br></p><p>As a result, internal audit needs to be increasingly flexible in its planning, Tarling says, stressing that CAEs must build contingencies into their audit planning and budgeting to allow for swift changes in focus and resources. He adds that internal audit must be capable of reacting quickly to new business needs, and they need to proactively identify emerging risks or other priorities that may require greater focus and management oversight. "The function needs to be as flexible and agile as possible," he says.<br></p><h2>The End of Annual Plans</h2><p>Similarly, John Chesshire, chief assurance officer for the States of Guernsey, an island that is part of Britain and located in the English Channel, says the annual audit plan is becoming obsolete. "I dispensed with this formulaic approach a number of years ago and, like a growing number of CAEs, I now plan my team's mix of assurance, advisory, and other engagements on a much less rigid basis," Chesshire explains. He used to invest a great deal of time in annual planning, though often within weeks the plan would shift because of new priorities such as a local crisis or other sudden changes. Eventually he saw the relevance of an annual plan diminish and fade. <br></p><p>Quarterly planning offers several benefits for CAEs — particularly for those with small audit teams, Chesshire says. "With a more flexible approach we can be much more responsive to the changing risk landscape and ensure we add maximum impact at the right moment in our organization," he explains. "This is key when we may only realistically get one shot at an engagement on a particular high trajectory risk or issue."<br></p><p>Chesshire adds that his key stakeholders appreciate the approach, too. They see that it enables internal audit to add value by delivering services at the right time, precisely when they're needed. Plus, he says, it's fostered internal audit's credibility over the years and helped enhance stakeholders' trust in the audit function. <br></p><p>But Chesshire points out that his audit team doesn't just focus on "quick wins" or tactical tasks. "I seek to map every engagement back to our assurance universe and the risk-based subjects it contains," he says. "That way, I can demonstrate that a more responsive, agile service does not mean one that ignores the bigger picture or our core activities or gets pulled away from particular areas of risk by whoever shouts loudest."<br></p><h2>Agile Leadership</h2><p>While some industry sectors and particular types of organizations will be more exposed to changing risk priorities than others, internal audit functions everywhere will need to be able to demonstrate that they can react to changing circumstances and deliver assurance on newly prioritized risks quickly. CAEs need to be agile leaders — long-term, 12-month audit plans may well prevent them from achieving that.<br></p>Neil Hodge1

  • GEICO_Mar 2019_Premium 1
  • IIA CIALS-_Mar 2019_Premium 2
  • IIA Group Training_Mar 18 to 31_2019_Premium 3