Practices

 

 

Don't Miss the Forest for the Trees
https://iaonline.theiia.org/2020/Pages/Don't-Miss-the-Forest-for-the-Trees.aspx
<p>Findings, observations, opportunities for improvement — regardless of the term used, some auditors define themselves by how many they can produce on each audit. Even experienced auditors often are reluctant to issue audit reports without this information, with some going out of their way to find at least something to include, even if it's trivial. </p><p>But these practitioners are missing the forest for the trees. The errors or omissions identified during an audit should not be the focus of our work. Instead, auditors should fix their attention on what those errors say about the effectiveness of underlying controls and the strength of the overall control environment. </p><p>Internal auditors are responsible for assessing internal controls that contribute to the accomplishment of organizational objectives. According to The IIA's Definition of Internal Auditing, internal auditors do this by "bringing a systematic and disciplined approach to evaluate and improve the controls of the organization." Well-designed, operationally effective internal controls result in a higher likelihood that organizational objectives will be met.</p><p>Manual controls will always produce errors, regardless of how well they are designed, because of the human factor involved in their execution. Internal auditors should bear this in mind when encountering isolated or minor errors. Of course, higher-than-expected error rates could indicate that controls are not operating as effectively as intended — either because they are poorly designed, or the person performing them needs additional training. Manual control activities are performed by employees trained to carry out this function and therefore tend to be the source of many control failures. 
And because controls can be designed as preventive or detective, errors and omissions identified during an audit are those for which either there were no preventive controls in place or the preventive controls were ineffective. That should be the auditors' focus, not the errors themselves. </p><p>Internal auditors risk losing credibility with their primary stakeholders, and any hope of becoming their trusted advisor, when they consistently report on trivial issues that could be addressed outside of a formal audit report. If the impact of the audit observation does not pass the "so what?" test, it should not be included in the report. Ultimately, the audit committee wants to know that management is on track to meet its objectives — information on the effectiveness of the internal control system provides that assurance. If auditors are not speaking to the board and audit committee about the effectiveness of that system, they are not fulfilling their responsibility to their primary stakeholders. </p><p>The errors, omissions, or areas of noncompliance that auditors detect when reviewing transactions are not an end in themselves; they are the means to an end. When engagements are performed correctly, the end consists of providing information that both management and the board can use to increase their effectiveness and better position the organization for success. </p>
Michael Lewis
Adding Value 2.0
https://iaonline.theiia.org/2020/Pages/Adding-Value-2.0.aspx
<p>In the current environment of cost-cutting and changing priorities, internal audit will be challenged to demonstrate its value to the organization. Yet, the value of internal audit is hard to fathom. If the audit function's core value lies in helping the organization reduce risks, how does it quantify and report on losses averted when risk events did not occur? </p><p>As internal audit's value proposition expands beyond its traditional assurance boundaries, audit functions have an opportunity to rethink how they contribute to the business. While many facets may be intangible, internal audit can use recognized metrics to demonstrate its tangible value to audit committees and senior management.</p><h2>Current Notions of Value</h2><p>In communicating to the audit committee, many internal auditors have measured and shared work completed as a proxy for value delivered. They have used the quantity of audit projects performed, cycles covered, or number of issues raised and reported as key performance indicators (KPIs). </p><p>However, work completed does not necessarily correlate with value delivered and may distract stakeholders from the actual value delivered. It also is easy for internal audit to inflate such a single facet of quantitative data by sacrificing quality. For example, audit functions could limit the scope of reviews to increase the number of audits or the number of cycles reviewed.</p><p>Many internal audit functions use the balanced scorecard method to measure performance and communicate their value. It is a useful tool to translate internal audit strategy into actionable plans, with detailed metrics to show progress. 
However, most of the metrics commonly used in balanced scorecard or other forms of assessment relate to the execution of internal audit plans and may not measure value accurately.</p><p>Take for example the perceived quality of internal auditors based on their academic qualifications or years of experience. Although experienced auditors with strong academic achievements may be considered more likely to deliver value, this metric may not reflect the actual value those auditors delivered. Similarly, another common KPI is the completion of audits within budget, a metric that is important for cost control but does not measure value. </p><h2>What Is Valuable to Stakeholders?</h2><p>It is difficult to score a goal when one does not know where the goal post is. To provide and communicate value, internal audit must first identify what its key stakeholders — the audit committee and management — deem valuable. </p><p>While internal audit reports functionally to the audit committee, the discussions and agreement with senior management about its value proposition are no less important. Senior management is closer to the business and provides powerful independent feedback on internal audit to the audit committee.</p><p>Given the profession's advancement over the past decade, the value of internal audit is no longer limited to the recommendations auditors provide. Likewise, discussions of value should go beyond assurance over internal controls. Internal auditors can assess what stakeholders find valuable in several ways.</p><p><strong>Review Stakeholder Topics</strong> As the chief audit executive (CAE) prepares to discuss value drivers with the audit committee and senior management, a good starting place is to review recent communications. 
Requests by the audit committee and senior management or seemingly run-of-the-mill interactions that were not captured by current metrics may indicate value drivers.</p><p><strong>Seek Feedback</strong> Formal discussions with the audit committee and senior management about the value proposition should take place at least annually. Common methods for gathering feedback include electronic surveys of individual stakeholders, face-to-face or phone interviews, and facilitated focus group discussions with the audit committee and senior management. These discussions can be conducted separately or jointly.</p><p>Where practical and meaningful, a focus group discussion involving the CAE may be preferred. Unlike a survey, this interactive format can uncover an individual's blind spots, encourage cross-pollination of views, and build consensus among stakeholders. </p><p>If conducted well, surveys or discussions with middle or lower management following each audit can provide timely responses. These clients often are the original and unfiltered source of feedback for senior management. Responses about what internal audit did and did not do well can enable the department to fine-tune its value proposition and better match the value management seeks, which can change throughout the year. The responses also are a great source of information for the CAE's annual discussions with the audit committee and senior management. </p><p><strong>Discuss Value</strong> During the discussions about internal audit's value, CAEs and their auditors should note that there is a fine line between proposing suggestions or alternative views and appearing to promote their self-interest. Even in situations where management's requests seem unreasonable or irrelevant, internal audit should ask questions to clarify the intent of the proposal rather than reject the notion outright and be seen as defensive. 
</p><p>Where there is material misalignment, the feedback can be a golden opportunity for internal audit to identify an expectation gap. While it is uncomfortable to hear negative feedback, it is important to interpret it correctly and constructively to retain the client's trust and enable a more collaborative partnership. Otherwise, clients may decide that internal audit will not act upon their feedback. </p><h2>Acknowledgment-based Metrics</h2><p>Once internal audit has agreed with its stakeholders on the value proposition, it should develop metrics on a reciprocity basis. This means the metric should not be a measurement that is determined solely by internal audit but also includes acknowledgment and affirmation by management. </p><p><strong>Talent</strong> An increasingly recognized value internal audit provides is a talent pipeline. Many organizations have either actively recruited internal auditors to join their business functions or included internal audit as a rotational stint in their management trainee programs. If management does not perceive this as valuable, it would not offer these positions to auditors. Correspondingly, the number of auditors who are offered business function positions is a good indicator of value generated and acknowledged by the organization. </p><p><strong>Training</strong> Well-established internal audit functions often train process owners on risks and controls, but management may not always consider this valuable. One way to assess and report on this value is to collate information on the number of attendees and their feedback. Using a consistent grading scale to compare across time and regions, such feedback could indicate the value the training provided. </p><p><strong>Process Improvement</strong> Many organizations practice the Six Sigma approach of reducing defect rates in a product, process, or service. 
To measure internal audit's value, management could adopt this methodology by comparing the error rates of processes before and after business units have undertaken remedies recommended in an internal audit report. For example, Six Sigma practitioners can compare the error rate or near-miss rate of dispensing medication at a pharmacy before and after it has implemented a maker-checker control that internal audit suggested. Conversely, management may only measure error rates for processes that it considers to be key risk factors, as error rates of other processes would not demonstrate value. </p><p><strong>Consulting</strong> High-performing internal audit functions often are involved in value-enhancement projects such as IT system design discussions and pre-acquisition due diligence. Internal audit's participation in these consulting projects is typically at management's request, which indicates that management realizes internal audit's value. </p><p><strong>Analytics Expertise</strong> Another source of value is internal audit's use of analytics. Auditors often share the insights gleaned from these techniques with management following the completion of an audit. As this becomes a standard practice, many internal audit functions have progressed to coaching and transferring these techniques to management, which is a convincing sign of value. </p><h2>Communicating Value</h2><p>The unique environment of each organization and the dynamic role of its internal audit function mean that there are far more ever-changing sources of value. To stay relevant, internal audit should keep the communication channels open and check in periodically with the audit committee and management about any shifts in the goal post. </p><p>To maintain credibility, internal audit must not cherry-pick its metrics. It should not just report regularly on metrics that are under its direct control and report selectively on all other positive information only on an ad-hoc basis. 
</p><p>A good practice is to set relevant metrics for each of the agreed-upon value drivers based on acknowledgment-based results and confirm them with the audit committee. For example, rather than the number of training sessions conducted for management, internal audit could monitor training feedback from attendees. Instead of using the number of audits performed with data analytics, the department could use the number of data analytics scripts adopted by management.</p><p>Internal audit should provide these metrics to the audit committee and management periodically, regardless of the actual score. Moreover, it should provide them before beginning the annual management survey of internal audit to facilitate a more accurate assessment. Then, internal audit should report the results of the annual management survey and the metrics together to the audit committee to give a full picture of the value the department has delivered.</p><p>Where internal audit has fallen short of certain KPIs or its metrics are not up to par, it should not appear defensive or attempt to boost numbers in the short run. Instead, auditors should understand the underlying value proposition. For example, if the number of internal auditors hired by business units decreases, the CAE should pause in promoting the team to the business owners. During this time, the CAE should ask management if the type of skills that the business is seeking has evolved or if the audit staff's training is sufficient for auditors to add value to the business. </p><h2>Convincing Stakeholders</h2><p>In the current business climate, the risk landscape of organizations is changing at an unprecedented rate, as are the expectations of internal audit's key stakeholders. To deliver a greater level of value, internal audit needs to reconsider its value proposition from a blank slate, starting with stakeholders' current expectations both now and in what may be a radically different future. 
A candid, open, and consistent approach to identifying, agreeing upon, and reporting on internal audit's value proposition can make the most persuasive case for the function's value. </p>
Nicodemus Tan
Brand Awareness
https://iaonline.theiia.org/2020/Pages/Brand-Awareness.aspx
<p>Here's a quick marketing lesson. An organization's success is closely tied to its brand, and determining the public's awareness of a brand is best achieved through four measures: aided recognition, unaided recognition, aided consideration, and unaided consideration. Aided recognition measures how many people recognize a brand when it is presented to them. Unaided recognition measures how many include the brand when asked for the names of organizations that provide similar goods or services. Aided consideration measures how many say they would use the brand when it is presented as an option. Unaided consideration measures how many name the brand, unprompted, when asked where they would turn for a particular good or service.</p><p>That last measure is marketing's holy grail. When a brand achieves unaided consideration, it means people know the brand and consider it when making their choices. For example, when people shop for insurance, on average they call three companies. Insurance companies, therefore, want to be among the top three brands in unaided consideration.</p><p>Suppose a person walks into the C-suite and asks one of these four questions:</p><ol><li>"Have you heard of the profession of internal audit?" (recognition)</li><li>"Which departments help organizations achieve their objectives?" (unaided recognition)</li><li>"When you want to ensure your objectives are being met, would you turn to internal audit?" (aided consideration)</li><li>"Who would you turn to for help in ensuring your organization's success?" (unaided consideration)</li></ol><p>How would your internal audit department fare? Are you in the top three? Does the C-suite even know you exist and that you can help?</p><p>These are the hard questions auditors must be willing to ask. Even when we brag that our clients come to us for help, what does that really mean? 
Do they only come when there is potential fraud, when there is a control breakdown, or when adding internal audit to the project team seems like the friendly thing to do? That's a nice start. But we need to consider whether internal audit is top of mind for our clients and if including us in all efforts toward achieving success is second nature for them. Do they realize that the ultimate service we provide is helping the organization succeed?</p><p>We have to market ourselves, constantly pushing the value we provide. Sometimes these efforts are explicit — "Look what we've done!" Other times the approach is more subtle — providing quality that cannot be ignored. But we must ensure that everyone sees that value and becomes increasingly aware of internal audit's capabilities. We have to reach the point where we not only crack the top three, but we are far and above everyone else at the No. 1 spot. <br></p>
Mike Jacka
Innovation in a Time of Crisis
https://iaonline.theiia.org/2020/Pages/Innovation-in-a-Time-of-Crisis.aspx
<p><span style="text-align:justify;">The global economy has been severely impacted by the COVID-19 pandemic, with a speed of onset that has taken the world by surprise. Hardly a short-term event, experts agree that businesses will continue to feel the negative impact of COVID-19 for some time. The imperative of "flattening the curve" to contain the spread of the virus has caused significant global disruption, with business volumes and revenue in decline and further contraction expected throughout 2020 and beyond. Organizations are already experiencing a loss of customers, liquidity crisis, supply chain disruption, and employee reductions and layoffs. </span></p><p style="text-align:justify;">Organizations worldwide have taken swift, proactive measures in response to these challenges. Many, for example, have launched COVID-19 crisis management teams focused on addressing the immediate needs of customers and employees. Senior management teams are also undertaking exercises in stress testing of strategic, financial, and operational scenarios, and some forward-looking organizations have started planning for a post COVID-19 business resumption scenario. Given expected reductions in core revenue streams, executives are likely to focus on specific revenue loss-mitigation steps as well as scenario planning for high-impact events, such as the possibility of a second wave of COVID-19. 
Simultaneously, they will try to shore up profitability by sustaining as lean an operating cost structure as possible, with greater digital enablement and variable resourcing while enhancing resilience.</p><p style="text-align:justify;">Workforce reductions through layoffs and furloughs are likely to have a material adverse impact on business processes, weakening internal control structures and rendering them potentially inadequate to fulfill business objectives and effectively mitigate risks. Reduced workforces operating remotely with minimal face-to-face contact for extended periods make organizations more vulnerable. In these circumstances, organizations will continue to witness a marked increase in fraud, financial crimes, and cybercrimes, with many scammers attempting to take advantage of a vulnerable population already stressed by the crisis. </p><p style="text-align:justify;">These challenges call for an innovative internal audit response and present a unique opportunity to reimagine internal audit's role in the organizational value chain. We asked several internal audit leaders within financial institutions about their departments' practices since the crisis began. Several innovative approaches, including those shared by these leaders,<strong><em> </em></strong>can enhance value for the organization and help clients recognize the importance of internal audit during these trying times. <br></p><h2>Engaging in Crisis Management Solutions</h2><p style="text-align:justify;">Audit committees and key stakeholders rely on internal audit to provide broad, as well as targeted, assurance and consulting support to weather upcoming challenges. Chief audit executives (CAEs) need to work collaboratively with the audit committee and C-Suite as they plan a series of possible mitigation actions in a thoughtful and deliberate, yet flexible manner based on the evolving situation. 
Audit executives we spoke to mentioned that their function is participating directly in their organization's COVID-19 crisis management committees and response teams. They have helped shape organizational responses, such as by helping to ensure crisis communications are delivered in an appropriate, transparent manner to customers, stakeholders, and society at large. </p><p style="text-align:justify;">A key factor for stakeholders' decision-making is the speed of the risk escalation and the quality of the impact analysis. Therefore, internal audit's experience in risk identification and holistic assessment can help better evaluate the short-term and long-term implications of crisis decisions.</p><p style="text-align:justify;">Audit executives also mentioned that COVID-19-related reviews have been added to the audit plan, including remote work activities, changes to frameworks to allow for client concessions, and commitments made to clients. These topical reviews are completed within very short time frames — some in a few days — to promptly inform of, and escalate, any issues.   <br></p><h2>Supporting Employees, Stakeholders, and Customers </h2><p style="text-align:justify;">The crisis presents many opportunities for the audit function to act as trusted advisors and help the organization maintain core functions, support customers, manage key risks, and remain resilient. One audit executive mentioned that internal audit's first area of focus was on the safety and well-being of audit employees, quickly implementing work-from-home practices, allowing flexible working arrangements to enable home-schooling, and supporting those who are self-isolating. Prioritizing client needs, many audit functions scaled back on traditional assurance work and relaxed timelines for audit issue remediation to create breathing room for business areas to serve their customers. 
Going beyond business as usual, others demonstrated flexibility and commitment to their stakeholders, helping to do pre-checks on the closing process for quarterly financial statements, pushing validation and other remediation efforts, and providing enhanced business monitoring. While important and time-sensitive audits continue to progress, the scope of these audits was also revisited to focus on top risks.  </p><p style="text-align:justify;">Certain parts of the organization are experiencing unprecedented levels of activity and resource challenges, such as IT functions that need to meet significant infrastructure requirements and massively scale remote work for digital enablement, customer service, and operational support. Resource pressures will only increase with a growing number of personnel on sick and emergency leaves — or on flexible work arrangements — and limited workforce mobility due to travel and immigration restrictions. Organizations will need support in recalibrating business plans and reforecasting demand, revenues, costs, and profitability in a post-pandemic world, assessing key risks and questioning and challenging assumptions. Temporarily lending expert resources to the business, with appropriate safeguards, will create and enhance the value of internal audit. Such activities may cause potential conflicts of interest in the future and need to be carefully addressed and appropriately managed. </p><p style="text-align:justify;">Significant resource savings could be achieved from greater collaboration with the first and second lines of defense, external auditors, and regulators. Internal audit can facilitate the articulation of comprehensive risk assessments and coordinated actions to avoid coverage duplication.<br></p><h2>Finding New Ways of Working </h2><p style="text-align:justify;">Internal audit will need to consider how the pandemic continues to impact work approaches, collaboration, and interactions with stakeholders. 
"COVID-19 has put a spotlight on the appropriateness of the remote work environment and the productivity that can be realized in a truly effective remote environment," said one CAE. "At the same time, it is highlighting how important in-person interactions are, and that certain benefits cannot be fully replicated no matter how robust the virtual environment."   </p><p style="text-align:justify;">Reflection on challenges and successes associated with remote workforces will help shape strategic initiatives, including maintaining a lean physical footprint and extending remote working arrangements long-term or even permanently. This new working model will require extensive use of automation tools and frequent touch points with audit teams, clients, and stakeholders. In this scenario, internal audit should assess the impact of remote working on audits of entities and business units that are in different locations, with limited ability to conduct face-to-face interactions, interviews, walkthroughs, etc. Increased reliance on cloud-based IT infrastructure seems inevitable in this remote, digital work environment. Already, the use of teleconferencing tools such as Zoom, WebEx, and Skype has proliferated, but these platforms may also introduce security risks. If data and records to be tested are not digitized or available electronically, internal auditors will need to consider if alternative verification procedures can be performed remotely given the lack of access to the physical documents or data. They also should examine whether this leads to a scope or coverage limitation and consequently a reduced degree of assurance.<br></p><h2>Agile Planning and Delivery Models </h2><p style="text-align:justify;">The COVID-19 crisis has provided an opportunity to rethink<strong> </strong>internal audit planning processes. The traditional multiyear coverage model and long execution cycles will prove too rigid to respond in a volatile environment. 
Stakeholders will demand flexibility with respect to scope, coverage, delivery channels (i.e., memos, maturity assessments versus traditional reports, etc.), timing, and escalation methods. Implementing an agile approach in the audit planning and delivery model will help maintain focus on key priorities in rapidly changing conditions and allow for fast reprioritization of work. Agile discovery processes can help quickly assimilate evolving facts and emerging risks into audit planning considerations. Shorter, more collaborative audit engagements will facilitate quicker delivery of actionable insights, enabling rapid corrective actions. One CAE at a global organization has an agile audit approach throughout the audit lifecycle to provide the same level of assurance in less time.  The CAE also highlighted "the impact of workforce disruptions on culture and compliance environment" as a key new risk facing the organization.</p><p style="text-align:justify;">Audit functions will need to redefine their methodology, workflows, and processes to make them flexible and adaptive to higher impact scenarios. Consensus is emerging around some initial priority areas for internal audit attention in the post-pandemic environment, including:</p><ul><li>Business resiliency and continuity planning, especially embedding lessons learned.</li><li>COVID-19-related disclosures and public commitments.</li><li>Employee, customer, and stakeholder safety and health considerations.</li><li>Cybercrime and cybersecurity controls.</li><li>Data protection in remote working conditions.</li><li>Fraud and financial crime prevention and detection.</li><li>Recalibrating business plans and targets.</li><li>Digital product and service delivery.</li><li>Scenario planning and stress testing.</li><li>Capital, cash flow, and liquidity projections.  
<br></li><li>Unwinding of COVID-19 waivers and concessions.</li><li>Geographic, supply channel, and vendor concentration risk mitigation.</li><li>Legal and contract risk and commercial disputes.</li><li>Business interruption claims due to economic impacts.</li><li>Integration of business resiliency, pandemic planning, and crisis management benchmarks in executive compensation plans.</li><li><p>Recalibrating employee performance and compensation metrics.</p></li></ul><p style="text-align:justify;">One CAE mentioned implementing flash reports to provide quicker insights to management in response to stakeholder expectations and higher appetite for agility. Another CAE used innovative solutions for continuous auditing — promptly testing activities that monitor COVID-19-related processes for completeness, accuracy, and timeliness. Other CAEs said they introduced enhanced business monitoring processes to provide real-time feedback on risks.</p><p style="text-align:justify;">Extensive use of data analytics — leveraging artificial intelligence, machine learning, and robotic process automation — will be key to support internal audit's agile approach. "Internal audit functions must have access to their organizations' data in order to function at the highest level, and a portion of the audit plan should be focused on ensuring the integrity of that data," said a former head of<em> </em>internal audit and compliance functions at a global consulting firm. "Continuous monitoring of data can drive conversations with management and the C-suite, if anomalies are found, fostering communication and stronger relationships." </p><p style="text-align:justify;">Another CAE also highlighted the value of a more flexible, responsive approach: "The importance of internal audit has never been greater, and so we developed a process to more frequently report audit project status and escalate potential roadblocks or issues to the executive leadership team. 
We also conducted real-time health checks, prioritizing high-risk areas of the company, to provide timely assurance that processes are working as expected. These health checks consider trending risks — e.g., considering how work from home may impact the control environment." </p><p style="text-align:justify;">The environment will present new trends in terms of business volumes, revenue, cost, and other financial and operational risk metrics. As a consequence, analytical procedures that rely on historical data comparisons and trend analysis based on budget or prior year numbers may be unreliable. Considerations for "minimum acceptable controls" in severely stressed control environments and business processes are being developed and monitored.<br></p><h2>Looking Ahead</h2><p style="text-align:justify;">Some need-based, short-term innovations and improvements implemented by internal audit directly as a result of the crisis are likely to sustain and become the "new normal." Flexible, remote work arrangements with less face-to-face interaction will likely continue, and a much larger talent pool could potentially become available unencumbered by geographic "physical presence" limitations. Learning from the upheaval caused by COVID-19, audit teams will need to embed consideration of remotely possible, high-impact Black Swan events in their risk assessment processes. Specifically, at several global financial institutions, there is an increased focus on emerging risks, or external threats, such as climate change, which like the COVID-19 pandemic are continuously developing and hard to measure. Now more than ever, it is important to keep abreast of these risks and consider how to provide audit coverage for them.</p><p style="text-align:justify;">Audit departments can help organizations hone their risk-sensing capabilities to better identify market signals, especially critical shifts in the business environment with risk impact. 
Audit executives say that stakeholders will continue to expect thought leadership and proactive engagement from internal audit to help the business remain safe yet commercial. Internal audit's support and partnership with other functions during the crisis could result in increased mutual appreciation for others' positions, greater empathy, reduced conflict, and enhanced cooperation. As one CAE put it, the situation presents "an opportunity to at least partially hit the reset button on aspects of the function that currently don't practically align with being a trusted advisor and partner." <br></p><h2>Reshaping the Future</h2><p style="text-align:justify;">COVID-19 will continue to cause irreversible changes in many areas of society, including some that are yet unforeseen. While there are extraordinary challenges, there are also unprecedented opportunities for internal audit to support the organization and its clients, redefine ways of working, and enhance the influence and impact of audit with innovative methodologies and tools. Internal audit is uniquely positioned to anticipate these changes and to help shape future business vitality and health.</p><p style="text-align:justify;"><em>Numerous audit leaders shared their perspectives for this article, including Demi Agrotis, head of audit, Commercial Banking, Lloyds Banking Group; Nancy Haig, principal consultant, PIACLLC; Scott Kenney, chief audit executive, Moody's Investor Services; Eleonora Pechenik, Citi chief auditor, Spread Products and Markets Operations, Institutional Clients Group; Gavin Pickering, U.S. chief audit executive, Rabobank; and Patrick Simonnet, U.S. chief audit executive, Bank of China. </em><br></p>
Elena Dobinda
Building a Great Team
https://iaonline.theiia.org/2020/Pages/Building-a-Great-Team.aspx
<p>It seems as though internal audit is one of those functions where the actions of just one person on the team tend to shape the perception of the full team — especially if those actions are negative. When it comes to internal audit, it is imperative that all team members are able to competently represent the function, as well as the profession. Seen as a group, and held to a high standard of integrity and objectivity, internal auditors must earn the trust and respect of their stakeholders. So, how can we build a great team, where each individual is skilled, professional, and personable, regardless of whether there are only a few members or more than 500?</p><p>Great internal audit teams embrace diversity, have the right skills, support team members, and understand that each team member is a leader in the organization. Great team leaders promote training and attainment of the Certified Internal Auditor (CIA), implement a Quality Assurance and Improvement Program (QAIP), and ensure work conforms with the<em> International Standards for the Professional Practice of Internal Auditing.</em></p><p>Working this year as chair of The IIA's North American Board, I will be reminding practitioners of the responsibility to become their professional best to enhance their internal audit teams. This is important, as our members represent and serve not only their organizations, but also the profession. </p><h2>Diversity Is Key</h2><p>An important key to building a great team is having diverse team members — diverse in maturity, experience, thought, culture, background, interests, and skills. I have always been able to assemble the most diverse teams. How? Because I always choose the candidates who have the competencies needed to perform in the role, the capacity and interest to want to learn, and a demonstrated ability to work as a team member. 
Looking for differences among these candidates, rather than similarities, helps build a great team. It is important to provide these criteria and rationale to all who are involved in the hiring process, so all can learn what is truly valued. </p><h2>What Skills Are Important?</h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>​From Team Player to Team Leader</strong><br><br>When I began my career, I did not know what an internal auditor was. I was offered a position as an internal auditor at JPMorgan Chase & Co. (formerly Chemical Bank) in New York City after graduating from Wagner College in Staten Island, N.Y., with a Bachelor of Science degree in economics/business administration. At that time I had no idea what the work would entail. All I knew was that it was one of two positions offered to recent college graduates that would expose them to many different areas of the bank (the other being credit training), and that it was supposed to be a stepping stone into a position in bank operations.<p>For me, though, it was the start of my internal audit career. Even then, our CAE, the late Richard Hulbert, was focused on risk. He encouraged us to read the Federal Register each day to understand the rules that would impact the organization and what corresponding changes (policies, procedures, etc.) would need to be implemented. He also encouraged us to read <em>The Wall Street Journal</em> daily, and if something had gone wrong at another institution, he expected us to examine our bank's internal operations to understand what controls (and yes, that was the word we used, even then) would need to be implemented to prevent a similar situation. </p><p>I loved the work, the continuous learning, and the focus on all kinds of risks inside and outside of the organization. I was promoted several times, and enjoyed hiring and helping others succeed. 
I was encouraged to pursue my first certification, the Chartered Bank Auditor, and my first MBA (management and finance), all while I was at the bank — and that's how it began. </p><p>I later earned my CIA when I decided I wanted to pursue my earlier interest in health care, and spent some time in internal audit in that industry. I found that leadership and internal audit skills were also transferable to the pharmaceutical and professional services industries. </p><p>My internal audit career has taken me around the globe, and I have had the opportunity to visit approximately 30% of the world — with hopefully more travel to come! In my last role, as head of internal audit and compliance for a global consulting firm, I was able to implement an internship program with a local college that continues today. I am a current participant in The IIA's Emerging Leaders Mentoring Program, and I am hopeful that I will have further opportunities to mentor others and introduce them to a career that can be both fun and fulfilling.<br></p></td></tr></tbody></table><p>One of the most important skills for internal audit professionals, at all levels, is communication. All team members should be skilled in oral and written communication, including interviewing, report writing, and presentation. Team members also should demonstrate the ability to think critically and objectively to identify issues and potential actions to resolve those issues. </p><p>Additionally, team members must keep abreast of changes in their organization, industry, and profession. Today's important risk areas include cyber, privacy, anti-bribery, and corruption — but these risks will constantly evolve, and others will emerge. That is why the focus should be on individuals' desire and ability to be continuous learners. </p><p>Also, it's important to have team members with skills and interests in different areas. 
For example, I have always gravitated toward regulatory compliance, and enjoyed monitoring changes in laws and regulations that affected my organization. This may be because I began my career in the financial services sector, which is highly regulated. However, I have worked with other team members who equally enjoyed learning everything they could about IT, accounting proclamations, business processes, contracting, etc. The trick is to harness these diverse interests to build the team, while ensuring all have the right competencies. </p><h2>The Right Credentials</h2><p>Obviously, because we are in the internal audit profession, the CIA is the premier certification to demonstrate an understanding of what we represent and how we go about our work. Other certifications and licenses also may be important to demonstrate that the individual has the initiative and drive to continue learning, and to demonstrate his or her skill in a particular area of interest. These include the Certified Fraud Examiner, Certified Information Systems Auditor, Certified Compliance and Ethics Professional, Certified Public Accountant, etc.<br></p><p>Again, those differing and specific interests will add to the effectiveness of the team as a whole. If a team member is not ready to pursue the CIA credential, participating in the annual internal quality assessment can be a great way for the individual to at least learn the <em>Standards</em>. </p><h2>Speaking of Quality</h2><p>I am a firm believer that a QAIP, when implemented appropriately, can be a positive factor for both the team and the individual. The QAIP can help ensure that work is being performed in accordance with the <em>Standards</em>. It also can provide support if there are questions about the internal auditors' independence and objectivity. </p><p>Internal client surveys highlight how and where the function is adding value, as well as areas of improvement, for either the team as a whole or for an individual. 
Additionally, having a QAIP in place sends the message to clients that the internal audit function cares about how its work is performed. Also, if an external assessment is performed, we have a good answer when we get the question, "Who audits the auditors?" </p><h2>Opportunities for Learning<br></h2><p>Once team members have been hired, it is imperative that each individual receives training to help develop specific areas of strength and interest. The IIA provides numerous opportunities through conferences, seminars, customized on-site programs, chapter programs, and webinars. </p><p>Additionally, individuals should be expected to learn as much as possible from others in the organization. In fact, CAEs may assign individual team members as liaisons to specific departments or functions, particularly where they have an interest. Team members should be encouraged to continuously read and perform external research and share this information with business leaders, resulting in valued professional relationships with key stakeholders. </p><p>Team meetings are another valuable source of learning and training for internal audit functions. All team members should be encouraged to speak up and openly share their successes and challenges. Others should share how they have overcome similar challenges. Hot topics or emerging risks can be assigned to individuals who can research them and present their findings during team meetings, thus practicing their presentation skills. </p><p>CAEs also can rotate the leadership of team meetings among those who are in the process of developing their management skills. Those individuals should plan the meetings, including developing the agenda and facilitating the discussion among team members. The CAE should train the potential leader to be inclusive and supportive of other team members, so that the right environment will continue in the future.</p><p>Training should occur during the execution of each project. 
CAEs should allow team members, to the extent possible, to pick the projects that they would like to perform. Some team members are anxious to learn about a new area, while others may be content to audit something they may have previously reviewed — because they know they don't currently have the expanded bandwidth. Allowing for and understanding when team members want to grow, or when they need to temporarily scale back, creates an environment where all feel supported. Consequently, that feeling evolves into loyalty, engagement, and productivity. </p><h2>When It Goes Wrong<br></h2><p>Mistakes happen. But, before they do, CAEs should teach their teams how to address mistakes. If team members feel supported, and able to communicate, they will speak up when a report or comment needs to be retracted. </p><p>CAEs should be certain team members know that they've taken the right action by acknowledging and communicating the error. They should include them in making the correction, while acknowledging that as the leader, the CAE is ultimately responsible for any mistakes made by the team. The CAE should share the retraction or other resolution to ensure he or she is sending the message that this is the expected action when an error occurs. </p><h2>Learning From Conflict<br></h2><p>Unfortunately, more than once, a team member has come to me upset about treatment received from a "higher-up." My response is to objectively look at the situation as one would an audit observation. First, the auditor should go over the facts. Could he or she possibly have done something incorrectly, or unprofessionally? If the answer is no, further examination of the situation is required. Could the individual exhibiting the bad behavior be under stress that may have caused an inappropriate reaction, especially if the person is acting out of character? 
In those cases, I advise the team member to allow the situation to cool down and to re-approach the person with my support, if he or she feels capable. I encourage the team member to attempt to resolve the conflict, anticipating that he or she may need to acknowledge what previously occurred, accept responsibility, if warranted, and be proactive in seeking resolution. </p><p>If, on the other hand, there is no excuse for the behavior, and the person has a reputation for behaving or responding inappropriately, I will call out the behavior. Together, the team member and I will identify exactly what was inappropriate about the behavior, and we will discuss the best course of action for addressing the situation. In most cases, the root cause of inappropriate behavior is bullying, which I then offer to address for the team member, to ensure he or she feels supported. </p><h2>Everyone Is a Leader</h2><p>One of the most important messages for internal audit team members is to know that, regardless of title or position, each team member is a leader. Whether team members are aware or not, their behavior is being observed and assessed by others, and the expectations are high. Internal auditors, more than anyone in the organization, are expected to act professionally and with courage, humility, and integrity at all times. They are expected to be good communicators, analytical problem-solvers, and highly competent, as well as exhibit a passion for the profession. </p><h2>More Than Ever</h2><p>Especially in these challenging times, internal auditors must come together as a strong team. Internal audit functions need to assist their organizations as new strategies, objectives, processes, and procedures are developed — putting forth a team of trusted, competent, and valued professionals. <br></p>
Nancy Haig
Home Work
https://iaonline.theiia.org/2020/Pages/Home-Work.aspx
<h2>How should audit plans change when the entire organization is working from home?</h2><p><strong>Anunciacion </strong>There are two components to this: what's in the plan and how to execute the plan. First, the chief audit executive (CAE) will need to adjust the scope of the audit plan, which could mean an emergency meeting with the audit committee and executive management, or maybe a special session with the audit committee chair to reprioritize. What may have been important at the beginning of the year may not be critical today. The CAE should determine whether to remove, postpone, or even cancel engagements, and decide what can be accomplished given the timeframe and new realities of working from home. Second, how is internal audit going to complete the audits? If auditors can't visit a location, or if they can't do a walk-through in person, consider what technologies the organization has to assist with conducting the fieldwork. There are plenty of online meeting and collaborative tools that can help. If anything, this highlights the need for internal audit teams to be agile, and technology is a big part of that.</p><p><strong>Struthers-Kennedy</strong> CAEs have been actively promoting their ability to be agile and responsive to a dynamic work environment. Recent events provide an opportunity for audit leaders to "walk the talk" with their teams. Leaders need to apply tools and techniques to facilitate strong communication and increase the monitoring of company activities in a new and remote environment. On the topic of tools, many audit functions had been making concerted efforts to advance analytics and technology-enabled auditing. The need to make increased use of tools and data has never been greater. 
Internal audit functions should look for every opportunity to apply analytics and other techniques to enterprise data sets to help them accomplish their own risk assurance objectives, as well as provide any necessary support to the broader business.<br></p><h2>What key risks should internal audit functions be focused on during times of crisis?</h2><p><strong>Struthers-Kennedy</strong> Beyond the risk of degradation of the broad system of internal control driven by remote working and reduced workforces, two broad risk areas are notable on top of the recurring business risks to any company. The first area includes those looking to exploit the crisis through a fraud or data breach. Bad actors will look for any weakness in controls or oversight that may have been compromised in a time of crisis. In addition, well-meaning employees may now be working in ways that compromise privacy and data protection policies. The second area is in the rapid deployment of new processes and technologies, including changes made to existing technologies through emergency processes, to facilitate a remote workforce. A thorough — but appropriately rapid — assessment should be conducted to understand the potential exposures and related controls. On a broader and more sustained basis, audit functions must develop a more dynamic and responsive approach to risk assessment.</p><p><strong>Anunciacion </strong>If internal audit has a risk-based audit plan, the approach doesn't necessarily change as the key risks addressed should still align with the organization's strategic objectives. The crisis may force internal audit teams to look at risk much more broadly, such as at an enterprise level — a level or two beyond process-level risk. CAEs also may need to add audits that address areas where there was not risk coverage on the original plan, especially for teams that spend the majority of time on U.S. Sarbanes-Oxley Act or internal control over financial reporting testing. 
Areas such as business continuity, supply chain, IT, cybersecurity, and operations come to mind. <br></p><h2>How should internal auditors be thinking about independence and objectivity in a time of crisis?</h2><p><strong>Anunciacion </strong>Auditors are very well equipped to identify and assess risk and can help the company plan for any situation, but there's a line past design and operating effectiveness. Internal audit can't implement or make final decisions based on any recommendations; that is management's responsibility. Accordingly, CAEs might shift the plan from less compulsory or assurance type of audits to more advisory and consultative engagements. That type of perspective shows there are ways in which internal audit can maintain independence and objectivity while adding value to the organization.</p><p><strong>Struthers-Kennedy</strong> In these extraordinary times, audit functions should work to provide the best support and partnership possible, delivering on the core mission to protect the enterprise from undue risk while also focusing on bringing extra capacity and capability, which may in some instances result in direct support for core and critical business operations. Internal audit's skills and talent can be helpful in assisting the organization to manage through the crisis, whether those talents are applied to risk assurance activities or, in certain cases, hands-on operational support. Where audit is being asked to provide operational support, this should be done with approval of executive management and the audit committee, including a discussion and plan for how any objectivity or independence conflicts that may be created will be addressed. 
<br></p><h2>What types of training should internal auditors take advantage of when working from home?</h2><p><strong>Struthers-Kennedy</strong> The use of next generation tools, including those used for collaboration, automation, analysis of large and complex data sets, and methods such as agile and design thinking, are needed today. Auditors should take every opportunity to increase their knowledge and skills related to capabilities and features of platforms such as Microsoft Office 365 — which includes a wide range of features that are beneficial to remote work — collaboration tools, and data analytics and automation platforms and methods. There is no shortage of training material available online, much of which is high quality and free.</p><p><strong>Anunciacion </strong>This is a great time for auditors to knock out items on their laundry list — things that they may not have had time for in the past. Internal audit can do a self-assessment on its current methodology. Perhaps the CAE has been meaning to implement a quality assurance and improvement program — it's the ideal time to do that. Internal auditors should consider taking an online course on data analytics or other technical areas, so that when we do come out from this, they've gained knowledge to broaden their horizons.<br></p><h2>What can CAEs do during a pandemic to be better prepared when employees return to the office?</h2><p><strong>Anunciacion </strong>In the short term, it's all about focusing on team and employee morale. We don't always know what's going on in our staff's personal lives. CAEs should be sensitive to those unknowns. They may be experiencing a lack of childcare. Perhaps they have a friend or a relative who was diagnosed with the illness. They may be feeling some financial pressures. CAEs should be flexible in terms of demands and what they're looking for from their teams. Longer term, it's all about perspective. 
What concessions or modifications to the culture of the team will need to be made once they come back to the office? Is working from home going to be expected? How do CAEs incorporate what they've learned in preparation for future emergencies?</p><p><strong>Struthers-Kennedy</strong> It can be hard to focus on anything but the challenges and stresses of a crisis, but within this situation — and perhaps even because of it — there is plenty of innovation occurring and opportunity being revealed. Rapid deployment of collaboration technologies, cross-functional and cross-border teams coming together and working through complex situations and decisions in rapid fashion, making better use of data and tools where people and other resources are not available, and working in highly agile and responsive ways are all good examples. Through these pursuits, CAEs are building resiliency into their own departments. The workplace we return to may well be very different; therefore, it's critical the office of tomorrow is shaped to reflect elements of our remote world today.<br></p><h2>How will the COVID-19 experience influence remote working arrangements moving forward?</h2><p><strong>Struthers-Kennedy</strong> Concepts such as the "workplace of tomorrow," "NextGen auditing," and even "gig economy" have become commonplace in our vernacular in recent years, albeit with adoption still in early stages for many. The COVID-19 experience has brought them prominently into the spotlight, at the same time exposing those lacking the knowledge, skills, methods, or tools to adapt and deliver value in a fundamentally different environment. Moving forward, there is opportunity for every audit function to be the partner the business needs, and the time for NextGen internal auditing is now. </p><p><strong>Anunciacion </strong>What is going to come out of this is a greater appreciation for the soft skills that are required to be a successful auditor. 
One can be a highly proficient accountant or an extremely technical IT auditor, but those soft skills of relationship building, communicating, and building trust and credibility — those are so much more difficult to do remotely. There are parts of the job where internal audit has to be in the office, because that's where the data and evidence resides. But after all this is over, some team members may want to continue working remotely. It's going to force internal audit teams to be creative in how they strike that balance, and soft skills are a component of that.<br></p>
Staff
President's Message: Evolving to Meet Your Needs
https://iaonline.theiia.org/2020/Pages/Evolving-to-Meet-Your-Needs.aspx
<p>From its first issue in 1944, <em>Internal Auditor</em> magazine has chronicled the advances, the challenges, and the evolution of internal auditing. Through these pages, we have witnessed the profession rise from a focus almost exclusively on financial matters to its establishment as a major force in governance and crucial to organizational success.</p><p>More than ever, <em>Internal Auditor</em> readers are hungry for information when and where they need it most. That shows in increased readership of magazine and online-exclusive content on InternalAuditor.org, launched in 2008. In fact, since the coronavirus was designated a pandemic by the World Health Organization, visits to the magazine's website have surged 13%.</p><p>In response to reader expectations, the magazine is focusing its energy and resources where they are of most value to you — on developing and delivering timely and relevant content. To do that, we will be suspending the print edition after this issue. This is a natural progression, one that we have been examining for a long time, as readership habits turned to more on-demand interests. For those of you who have grown comfortable receiving the magazine in print form, that format will continue to be available for online viewing or through download. In addition, your subscription will not be affected, as it remains an important benefit of membership in The IIA. </p><p>Rest assured, <em>Internal Auditor</em>'s highly experienced team of editors and writers will continue to work tirelessly to keep you, the magazine's readers, up to date on the latest developments, especially those around COVID-19 and how they are impacting internal auditing. 
In this issue, for example, the magazine features several articles related to COVID-19, providing valuable information to practitioners who are moving forward during these difficult times.<br></p><p>The cover story, "<a href="/2020/Pages/Navigating-the-Crisis.aspx">Navigating the Crisis</a>," considers how internal auditors can help management address short-term risks while keeping an eye on what lies farther down the road. You'll also want to read <em>Internal Auditor</em>'s online exclusives, including "<a href="/2020/Pages/Responding-to-the-Crisis.aspx">Responding to the Crisis</a>," a look at The IIA's approach to business continuity. Also on InternalAuditor.org, the editorial team has started a COVID-19 Newswire, with daily updates as organizations turn to the next phase of the crisis.</p><p>Our commitment to members and subscribers has never wavered. We pledge to work toward providing indispensable information to professionals who want to keep pace with the diverse, dynamic field of internal auditing. And we look forward to you joining us online to see what's coming over the horizon.<br></p>
Richard Chambers
Divided Board Loyalties
https://iaonline.theiia.org/2020/Pages/Divided-Board-Loyalties.aspx
<p>An organization's board of directors is essential to good governance. It can provide an independent, authoritative voice on key decision-making, help guide strategic thinking, and contribute to organizational integrity. But lack of true independence can dampen that support. Board priorities may teeter between what's good for the organization and what executive management or shareholders would prefer, which often may be at odds. Divided board loyalties can be detrimental to organizational governance, and particularly to the internal audit function.</p><p>In a worst-case scenario, the board of directors may try to influence internal auditors' activity indirectly or steer policies to best match shareholders' interests, resulting in a loss or weakening of internal audit value and independence. Moreover, because the organization's top management answers to the board, internal audit's independence could be further impaired in situations where the CEO also serves as a board member. It also introduces the possibility of ethical lapses and other wrongdoing. </p><p>Of course, effective oversight — and internal audit — requires a qualified audit committee. In part, the committee should help ensure that internal auditing is not influenced by top management. And according to IIA Standard 1110, internal audit achieves organizational independence effectively "when the chief audit executive reports functionally to the board." But given its positioning as a sub-unit of the board, and the board's responsibility for appointing audit committee members, the committee may still show allegiance to executive priorities — even when they conflict with effective governance practices. If the board's support of internal auditing is weak, the audit committee's support, in turn, may also fall short. 
</p><p>Boards of directors focused exclusively on shareholder interests, emphasizing share price and profit generation, may believe their only responsibility is to increase the organization's value. In fact, with today's hyper-competitive global market, companies face more and more pressure to increase profits, potentially at the expense of following regulations or company policies. And if internal audit's reporting might negatively impact those priorities, then the risk of its findings being discarded or ignored is heightened. That risk is further exacerbated with audit committee members also serving on the full board, as they may be more inclined to agree with boards or executives who deprioritize the need for effective governance.</p><p>Still, many organizations — particularly in the public sector — do not have audit committees or the equivalent of a board-level presence. Oversight structures that include a board and audit committee, while flawed, at least provide a measure of governance assurance and support for internal audit independence. But auditors need to be aware that the potential for divided board loyalties is a risk in nearly every organization, and the possibility of compromised oversight is a very real one. <br></p>
Aysha Al Shamsi
Audit With Acumen
https://iaonline.theiia.org/2020/Pages/Audit-With-Acumen.aspx
<p>Board and management stakeholders want internal audit to demonstrate greater business acumen. They want auditors to have a broad understanding of the organization, as well as anticipate how to help the organization achieve its objectives.<br></p><p>That means auditors need to see beyond their area of expertise and responsibility. They must be agile to act proactively and congruently with the organization's way of doing business. By recognizing these expectations, internal audit can show that the department is an excellent place to develop business acumen. </p><h2>Fit Business Needs</h2><p>Organizations expect all senior managers to have the business acumen to lead their areas of responsibility and support broader organizational success. Managers should be able to anticipate and act on ways to add value to the organization and its stakeholders. </p><p>Likewise, internal audit needs to identify the best ways for the function to develop business acumen that fits the organization's needs. It can't take a one-size-fits-all approach, though, because business acumen will vary by industry, type of business, and the kind of service a business unit provides. For example, internal audit will require different aspects of business acumen than business lines, such as sales and production, or support services such as finance and security. </p><p>Moreover, internal audit's assurance role in relation to other assurance roles within the organization impacts the kind of business acumen it needs. Developing business acumen can enhance internal audit's risk-based coverage of the organization's main lines of business, as well as the first two lines of defense.</p><p>In developing business acumen, internal audit should not be seen as narrowly focused rule-followers who avoid innovation and taking risks. 
Chief audit executives (CAEs) should ensure the audit staff understands the capabilities of the organization's first two lines of assurance, as well as the business' main products and services. Their strategy for establishing business acumen should involve human resource activities, such as hiring, promotions, and career planning, as well as professional development activities. </p><h2>Enabled by the Standards</h2><p>Internal audit's use of business acumen must reinforce, and not compromise, auditors' professional competence. The <em>International Standards for the Professional Practice of Internal Auditing </em>place great importance on risk-based planning — multiyear, annual, and engagement — to ensure that services are strategic and add value. Having business acumen enables internal audit to proactively plan and adapt all forms of audit activity to anticipate the organization's assurance needs. This capability goes far beyond simply repeating cyclical coverage or responding to senior management requests. </p><p>There is no trade-off between demonstrating business acumen and conforming to the <em>Standards</em>. On the contrary, internal audit can build business acumen on a sound understanding and innovative implementation of the <em>Standards</em> and associated guidance. </p><p>CAEs have used a variety of methods and approaches to attune their staff to the business needs of their organizations. The examples in the boxes that begin on page 41 demonstrate how business acumen can work in internal audit. These examples are based on four perspectives adapted from the Balanced Scorecard strategic planning and management tool: governance, client, internal processes, and innovation and learning. The boxes substitute governance for the Balanced Scorecard's finance measure. 
CAEs should plan, track, and report to the board and management on initiatives in each of these areas.</p><h2>Internal Audit's Acumen</h2><p>CAEs are likely undertaking some or many of these initiatives, as well as some others. To get the attention and mutual understanding needed, annual internal audit plans and year-end reports should include a formal strategy on investments in building staff capabilities to better respond to the emerging needs of the organization. This approach can foster productive discussions and improved understandings with management and the audit committee.  <br></p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><h2>Governance<br></h2><p>These examples can improve mutual understanding, enhance business capabilities, and strengthen relationships at the governance level of the organization:</p><ul><li>Have the CAE actively participate in regular meetings of the audit committee operational governing body.</li><li>Assign individual audit managers to each of the major lines of business as account managers.</li><li>Build the internal audit universe on top of the organization's strategic objectives.</li><li>Conduct organizationwide internal audits in support of key corporate activities such as internal communications.<br></li></ul> <br> </td></tr></tbody></table><h2>Client</h2><p>These examples can improve mutual understanding, improve business capabilities, and strengthen relationships with the organization's business units:</p><ul><li>Base multiyear, annual audit, and engagement plans on the organization's corporate and business risk profiles. 
</li><li>Include strategic upside risks of opportunities and strengths in annual internal audit plans to complement the traditional focus on key downside risks of weaknesses and threats.</li><li>Reinforce the role of other internal assurance functions (second line of defense), such as risk management and financial control, by auditing their processes. </li><li>Invite business units to link the timing of audit engagements to their business information needs, such as in support of future financial approval submissions for major initiatives or new programs. </li><li>Provide information on assessment criteria well in advance of an audit engagement when there are known shortcomings, to enable managers to take corrective action before the audit.</li></ul><p> </p><table cellspacing="0" width="100%" class="ms-rteTable-4"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><h2>Internal Processes<br></h2><p>These internal audit processes can improve mutual understanding and business capabilities, as well as strengthen client relationships throughout the organization:</p><ul><li>Report more deeply on audit findings by avoiding a narrow-minded approach to audit issues. For example, reports should discuss the broader implications and possibilities of findings, such as their impact on broader business objectives. 
Internal audit also should show how findings link to implications for other business purposes and recommend reducing inefficient internal controls.</li><li>Submit periodic status reports on the internal audit plan's implementation and adjust them during the year to better address emerging business assurance needs.</li><li>Issue periodic reports on significant operational risks based on analyses of internal audit findings within the organization or across the industry.</li><li>Offer to provide consulting and research services in conjunction with individual engagements.</li><li>Invite internal audit team members to meet the audit committee and observe its discussion of their individual engagements.</li></ul></td></tr></tbody></table><h2>Innovation and Learning</h2><p>These examples of innovation and learning can improve mutual understanding, enhance business capabilities, and strengthen relationships:</p><ul><li>Assign talented employees from other business units to short-term engagements within internal audit. This practice can develop those employees, as well as bring their insight to audit staff members. </li><li>Send talented internal auditors on developmental, nonaudit assignments within business units. This practice can help those auditors build business acumen and pass their knowledge to the teams with whom they work. </li><li>Bring internal auditors from field offices to work at headquarters.</li><li>Train new managers on internal audit's role and areas of expertise such as management control and risk management.</li><li>Participate in professional associations other than internal audit, such as risk management, IT, security, and fraud prevention. Such groups can help auditors keep abreast of leading practices and share lessons learned with audit colleagues.</li></ul>Basil Orsini
Three Rules to Audit By
https://iaonline.theiia.org/2020/Pages/Three-Rules-to-Audit-By.aspx
<p>Success as an internal audit professional starts with understanding the basics: risk, controls, planning, testing, interviewing, documentation, reporting, etc. It also requires soft skills such as communication, business acumen, critical thinking, and emotional intelligence. But for the internal auditor who is looking to provide real added value and make a positive impact, those are only table stakes — the bare minimum for getting into the game without being ignored, dismissed, or pigeon-holed as the kind of auditor no one wants to know.</p><p>Any internal auditor who wants to be a part of a successful audit future — as well as the future of his or her organization — would do well to follow three rules, listed in reverse order of importance.</p><p><strong>Make Them Care.</strong> We often believe the value of our work is self-evident. That does not mean our clients understand or agree. It is our responsibility to learn what they care about and align our objectives with those needs. Through that alignment, we need to ensure everyone is working toward the same successes. And an important corollary: If we do not care about our product, organization, or department, then we will fail. How is the client supposed to care when we don't?</p><p><strong>Be a Marketer.</strong> Every internal auditor is in marketing. We are selling the audit, the issues, the report, the need for time with us, the value of our department, and ourselves. Everything we do must include a focus on how we promote our services, the profession, the department, and us, the professional internal auditors.</p><p><strong>Have Fun. </strong>Enjoying the work should be our No. 1 priority. I have seen too many internal auditors — skilled, talented, effective internal auditors — who fail because they have lost their internal audit joie de vivre (or perhaps it's joie de l'audit). 
If you are not having fun — if you cannot be excited about what you are doing — you cannot do your best work. In fact, you probably can't even do good work. Not every minute must be rainbows and unicorns. But every task, project, and opportunity should contain at least a glimmer of possibilities, of excitement — of fun. If we cannot do that, it does not make us bad people, but it probably makes us bad auditors.</p><p>And one final note — these recommendations are for every single internal auditor, from those cracking open their first audit program to those who remember working with cuneiform characters on clay tablets. We need to know them when we're first starting out, and we need to be reminded of them every day we work in the profession. We are at our best when we care, when we market, and when we have fun.</p>Mike Jacka
