Practices

No More Excuses
https://iaonline.theiia.org/2017/Pages/No-More-Excuses.aspx
<p>Recent surveys show a continuing gap between what executive management and board members expect, and what internal audit delivers. Audit professionals insist they want to close that gap. So, why isn't it happening?</p><p>People are not comfortable with change, often hiding their resistance under a veneer of excuses. If it weren't for one reason or another, they say, they could change. Internal audit is no different. Several excuses, from specific to more general, are evidence of a department that may not be willing to accept the risk of — and need for — change.</p><p>It takes too long to issue audit reports with corrective action. Sorry, no matter what you think, the audit is not complete until the client agrees on corrective action. You can say you issued the report, you can say you hit your milestones, and you can say the department is successful because departmental metrics are being met — but until agreement is reached with the client, nothing has happened. Find out why you have trouble establishing that agreement, find the root cause of the problem, and then solve it. Be an auditor.</p><p>We report to the audit committee; we don't need to report administratively to the CEO. Reasons for this one abound. For example, the CEO doesn't have time, internal audit has a better relationship with a different member of the C-suite, or the current relationship has no impact on the department's effectiveness. Unfortunately, without direct communication with the CEO, internal audit does not have access to the strategic information necessary to accomplish its objectives, is not considered an equal with others in executive management, and is fooling itself if it thinks it can become a trusted advisor. </p><p>We don't have time for [blank]. Fill in the blank with just about anything. 
We don't have time for training, for nonfinancial audits, for special requests, for anything out of the ordinary. To prove there is always time for something important, try reducing your audit schedule by one audit — just one audit. First, you may notice no one really misses it. More importantly, notice you now have time to accomplish that project you didn't have time for.</p><p>You don't understand, we just can't do that. Try explaining what it is we don't understand. In the process, you will realize that you are just making excuses. You can, indeed, do it. You just have to get past the fears — fear of your superiors, fear of lost security, and the fear of trying something new.</p><p>The primary impediment to progress is resistance to change. And internal auditors must recognize that their excuses are nothing more than a subterfuge that allows change avoidance. Just as internal audit refuses to accept clients' excuses, it must recognize and eliminate the excuses that keep the department from moving forward.</p><p>What excuses are you making that keep you from effecting real change? </p>
Mike Jacka
Many Ways to Learn
https://iaonline.theiia.org/2017/Pages/Many-Ways-to-Learn.aspx
<p>A standard 40 hours of training annually was once considered sufficient for maintaining internal auditors' professional skills and knowledge. Today, 40 hours is not nearly enough to keep pace with ever increasing stakeholder expectations and the host of emerging risks organizations confront. For these reasons, internal auditors face continual pressure to supplement their training with continuous learning and development. But with budget cuts and time constraints, it can be difficult to make the case for an increase in training resources when, historically, 40 hours per year was the norm.</p><p>So what is a dynamic and enthusiastic internal auditor to do with minimal or nonexistent resources and a significant desire to learn? Three no-cost options, while not a substitute for professional, more robust training, can help practitioners hone their skills and supplement formal training options. </p><h3>Individual Learning and Development </h3><p><strong>What?</strong> Canvas Network — an assemblage of courses from universities and colleges worldwide. <br><strong>For Whom? </strong>The professional seeking coursework in a wide variety of subjects, ranging from Business Ethics for the Real World (from Santa Clara University) to Foundations of Evidence-based Practice in Healthcare (from The Ohio State University).<br><strong>Commitment? </strong>Canvas suggests two to three hours per week, per course. A course can last approximately 10 weeks. <br><strong>Format? </strong>Online; some courses are self-paced, while others are offered in a specified semester.<br><strong>Benefits? </strong>With a multitude of offerings, Canvas provides opportunities to explore new industries (e.g., pharmaceuticals, aviation) and gain technical expertise (e.g., collaborative knowledge services).  
</p><p>Having personally completed a Canvas course (Exploring the Student Affairs in Higher Education Profession, from Colorado State University), I can attest to the course's interesting and high-quality instruction, which consisted of weekly modules comprising lectures, reading, and videos. </p><h3>Collaborative Study</h3><p><strong> </strong><strong>What? </strong>Discussion Group<br><strong> </strong><strong>For Whom? </strong>The professional seeking thoughtful conversation about instructional media — such as Ted Talks, podcasts, and books — with internal audit colleagues who seek a more informal learning environment.<br><strong> Commitment? </strong>Preferably, meetings should be held once per month — more often if participants are interested and available. A few hours of preparation would be required before meeting for participants to read, watch, or listen to materials.<br> <strong>Format? </strong>Preferably in person, although discussions could occur online if participants are interested and available.<br><strong> </strong><strong>Benefits? </strong>A discussion group can be designed exactly to participants' needs and interests. For those interested in a book club, internal audit (think the IIA Bookstore), career development, or business books could be the topic of discussion. For those who enjoy learning via speeches, a selection of Ted Talks could spark conversation; or industry podcasts may be a better option — especially for participants with lengthy commutes.</p><h3>Rotating Technology Instruction</h3><p> <strong>What?</strong><strong> </strong>Training Team — a collaborative team consisting of participants who train each other on topics of interest, particularly well-suited for technology training. Teaching and learning technology can be more effective when it is both hands-on and interactive; a training team accomplishes both as it encompasses live instruction and encourages ongoing dialogue about technology. 
Unlike other topics, technology is constantly evolving — training teams are designed to help keep pace with these changes and promote strengths among those teaching and learning.<br><strong>For Whom? </strong>The professional seeking brief yet personalized instruction with internal audit colleagues about emerging and current technologies.<br><strong>Commitment? </strong>Preferably, meetings should be held once per month — more often if participants are interested and available. For those offering instruction during the meetings, preparation could take upward of eight to 10 hours.<br> <strong>Format? </strong>Preferably in-person, although demonstrations could occur online if participants are interested and available.<br><strong>Benefits? </strong>A training team can be designed exactly to participants' needs and interests. Group members can compile a list of technologies, programs, and systems that they would like to learn about or teach (e.g., Instagram, Google Analytics tools, and programming in R). They would then agree on who will teach each topic and set up a learning schedule. For those who enjoy technology, or recognize that their skill level could be improved, this format offers a flexible and unique way to share an interest or passion, as well as gain new ideas and information. </p><h3>Lifelong Learning</h3><p>These three learning platforms offer a variety of ways to keep pace with the speed of internal audit and the risks organizations face, supplementing more traditional, equally important internal audit learning methods such as conferences and seminars. Many more such resources are available online and via in-person collaboration with peers. The IIA, for example, offers free webinars to IIA members on a regular basis and opportunities to collaborate face-to-face through local chapters and institutes. 
</p><p>How a practitioner chooses to proceed depends on his or her goals (e.g., focusing on technical skills, improving public speaking) and schedule. By prioritizing continuous learning; setting a realistic, individualized, and intentional plan; and executing that plan, every internal audit professional can grow, develop, and even have fun along the lifelong learning journey.</p>
Christine Hogan Hayes
Key Stakeholder Surveys
https://iaonline.theiia.org/2017/Pages/Key-Stakeholder-Surveys.aspx
<p>Requirements for a quality assurance and improvement program (QAIP) are outlined in IIA Standard 1300. An integral part of any QAIP should be to help ensure an internal audit department is addressing expectations through the use of surveys. However, audit departments often limit the use of surveys to management in the area in which assurance or advisory activities are performed and miss an opportunity to obtain feedback from other key stakeholders, including the audit committee and executive management.</p><h2>Management Surveys</h2><p>Audit departments should have a process to survey management at the conclusion of assurance or advisory activities to help identify opportunities for improvement. Questions should be objective and geared toward adherence to the <em>International Standards for the Professional Practice of Internal Auditing</em> to help minimize subjective responses. In addition, rather than asking "yes" or "no" questions, respondents should be provided a scale ranging from "strongly agree" to "strongly disagree" or a number range such as 1 through 4. Including space to write comments to further elaborate on each of the ratings will provide greater insight into management's perspective.  </p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"> <p> <strong>Assurance & Advisory Survey </strong></p><ul><li>The objective, scope, and timing of the assurance or advisory activity was clearly communicated. </li><li>The team clearly communicated ongoing status as well as evolving issues throughout the assurance or advisory work. 
</li><li>Appropriate areas of risk, including your specific concerns, were considered.</li><li>At the conclusion of planning, the audit team demonstrated an appropriate level of industry and technical knowledge.</li><li>The team demonstrated independence and objectivity in performing the assurance or advisory work.</li><li>The team demonstrated courtesy, professionalism, and a constructive and positive approach and was able to establish effective working relationships.</li><li>The disruption of activities was minimized as much as possible by the team.</li><li>The assurance or advisory work consumed the amount of your and your team's time that you anticipated at the beginning of the review or less.</li><li>Issues identified were constructive, accurate, mutually agreed upon, and communicated timely.</li><li>Recommendations were creative, reasonable, actionable, and addressed the root causes of problems.</li><li>The report was clear, accurate, and issued timely.</li><li>The assurance or advisory work resulted in an enhanced awareness of business risks and controls in my department. </li></ul></td></tr></tbody></table> <p>Just as action is expected by audit clients when control concerns are noted from audits, the chief audit executive (CAE) should take action if the response from a survey question falls below established expectations. For example, any score that is less than 3 on a 4-point scale should result in a follow-up. The process may include contacting the respondent or head of the area to obtain further information and reiterate the department's commitment to quality. Action may involve updating a department manual as well as communicating existing or enhanced procedures to all auditors to help avoid shortcomings in the future.</p><p>In addition, survey results should be shared with the audit committee and executive management as part of a balanced scorecard to measure the department on the basis of cost, quality, and timeliness. 
Survey results can be an effective measurement of quality for the department and should be paired with other quality metrics. </p><p>Despite efforts to create objective questions, it is often difficult to avoid correlation between the audit opinion rating and the survey results. It is common for audits with satisfactory ratings to receive high opinion scores while audits with unsatisfactory ratings receive low survey scores despite efforts to adhere to department policies and the <em>Standards</em>. Management is human and may use the survey as an opportunity to praise or criticize the audit team, regardless of how the team actually performed. </p><h2>Key Stakeholder Surveys </h2><p>Managers over the areas where assurance or advisory activities are being provided are not the most important customer of the audit. First and foremost, internal audit serves the needs of the audit committee, followed closely by executive management. To ensure it's meeting key stakeholder needs, the department should have a mechanism in place such as a "Key Stakeholder Survey" (see below). </p><p>By surveying key stakeholders, the audit department can assess whether it is addressing Standards 2010: Planning, 2110: Governance, 2120: Risk Management, and 2420: Quality of Communications. The audit committee and executive management are in the best position to provide insight into the effectiveness of the department in addressing these standards as they consider the overall audit plan and results communicated throughout the year. While survey questions related to these standards can be asked of management over each audit area, key stakeholders see the broader value audits bring to the organization as a whole.</p><p>Using another department such as Communications or a third party and making the survey anonymous will improve the chances that key stakeholders will be more candid. Survey results should be shared with the audit committee, executive management, and external audit. 
Scores that are less than desirable, or comments that may indicate improvement opportunities, should be discussed along with action plans. These plans should be tracked with progress reported periodically to the audit committee and executive management.</p><h2>Create a Repeatable Process</h2><p>Performing key stakeholder surveys regularly, ideally annually, helps the CAE more quickly identify areas of concern rather than waiting for them to surface as part of an external quality assessment review or, worse yet, from complaints that may go to the audit committee regarding the department. </p><p>While many management surveys are performed at the conclusion of each assurance or advisory activity, these surveys may not provide feedback from the most important group of customers. Departments should create a repeatable process to survey the audit committee, executive management, and external audit and incorporate this into their QAIP. </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><strong><br>Key Stakeholder Survey<br><br></strong>Statements should be ranked and opportunity for comment provided.<br> <ul><li>Internal audit is independent and objective in performing its work. </li><li>Internal audit possesses the knowledge and skills, such as insurance industry knowledge and technology skills, needed to perform its responsibilities.</li><li>Internal audit understands company business operations and strategy.</li><li>The audit plan is risk-based.</li><li>I receive adequate updates on the progress of achieving the audit plan.</li><li>Internal audit evaluates risk exposures and the adequacy and effectiveness of related controls regarding: </li><ul><li>Achievement of strategic objectives. </li><li>Reliability and integrity of financial and operational information. 
</li><li>Effectiveness and efficiency of operations and programs.</li><li>Compliance with laws, regulations, policies, procedures, and contracts.</li><li>Safeguarding of assets.</li></ul></ul><ul><li>Internal audit adequately assesses and provides appropriate recommendations for helping improve the governance process at the organization, including: </li><ul><li>Promoting appropriate ethics and values within the organization. </li><li>Ensuring effective organizational performance management and accountability. </li><li>Communicating risk and control information to appropriate areas of the organization.</li><li>Coordinating the activities of and communicating information among the board, external auditors, and management.</li></ul></ul><ul><li>Internal audit reports and communications are clear, accurate, and issued timely.</li><li>The conclusions reached in audit reports and the opinions rendered are appropriate.</li><li>Internal audit shares information and coordinates activities with other internal and external providers of assurance and advisory activities to ensure adequate coverage and minimize any duplication of efforts.</li></ul></td></tr></tbody></table>
Seth Davis
The Dynamics of Interpersonal Behavior
https://iaonline.theiia.org/2017/Pages/The-Dynamics-of-Interpersonal-Behavior.aspx
<p>Often described as a soft skill, building strong interpersonal relationships between internal auditors and their wide variety of stakeholders is vital for a function’s success. Audit work entails listening, understanding, questioning, explaining, and, sometimes, dealing with sensitive information or challenging people’s cherished beliefs. Yet, internal auditors seem to focus their training and continuing education on developing and improving an array of formidable technical skills, seldom paying the same level of attention to sharpening their relationship skills. </p><p>Many auditors seem to expect verbal and written communication techniques, active listening and body language traits, and conflict-resolution skills to develop of their own accord — an approach they would never take in building their technical auditing abilities. This occurs even though effectively gathering information from a wide array of sources is germane to the role, and communicating audit findings forms part of the function’s requirements under The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em>. An audit department that fails to listen and communicate is unlikely to best serve the needs of its stakeholders. </p><p>One symptom of a lack of rapport can be seen where audit functions fail to deliver their findings in ways that stakeholders find useful. That suggests and entrenches a lack of understanding about the role of audit and what it can deliver. Agile departments tend to be more in tune with management and the board. They adopt a range of communication formats that better suit the needs of stakeholders, especially in areas such as strategy and emerging risk, where full-blown audit reports may not be as timely or relevant. 
</p><h2>Soft Is Hard </h2><p>When it comes to understanding the full range of people skills that need to be developed, part of the challenge for anyone in business — not just auditors — is that the terminology is not widely agreed to, says Manny Rosenfeld, senior vice president of internal audit at MoneyGram International in Dallas. Soft skills can be hard to define precisely, but are usually taken to include verbal and written communications, presentation skills, conflict-management skills, leadership, team building, and an ability to assess corporate culture. </p><p>In addition to being critical business skills, the ability to form and maintain effective interpersonal relationships is a life skill that some people seem naturally better at than others, says Rosenfeld, who co-authored <em>People-Centric Skills: Interpersonal and Communication Skills for Auditors and Business Professionals</em> (Wiley). “Technical skills are easy to teach, but if you are really interested in developing good people-centric skills, it can take a lifetime to master,” he says. </p><p>That is no reason for complacency. While Rosenfeld is skeptical that everyone can be taught full proficiency in certain areas of interpersonal relationships — such as effectively managing teams — all auditors should seek to make progress in the basics. He says there is tremendous potential for developing these skills over time, especially for somebody motivated to succeed. He prefers to talk about interpersonal relationships, because auditors can too often focus on higher-level soft skills — such as report writing and making presentations — while overlooking some of the more fundamental aspects of dealing effectively with people.</p><p>“Building trust is absolutely essential in creating successful interpersonal relationships,” Rosenfeld says. 
“Most people can cultivate trust over time, but auditors need to do it in a few days if they are to conduct a suitable audit.” </p><p>This lack of time makes it imperative that auditors become consciously aware that they are trying to build trust. Keeping promises on deadlines, actively listening to feedback, and delivering on audit’s stated goals all help. Trust can be further augmented by showing respect for the opinions of others, he says. That can be difficult because the culture of the audit team or the business may not always be one of openness and mutual respect. He says auditors need to have an open mind and assume that management is trying to do a good job and that differences of opinion between auditor and client can arise simply because they are approaching the same facts from different perspectives. </p><p>The most junior auditors need to start learning these techniques from day one. “These skills often receive little attention until auditors become managers,” Rosenfeld says. “But chief audit executives [CAEs] should turbocharge learning for the team in this area because it’s not something people can learn overnight and it is crucial to success.”</p><h2>It's All About Strategy</h2><p>Jim Pelletier, The IIA’s vice president of Professional and Stakeholder Relations, agrees that building effective relationships with audit clients in the business should not be left to chance. “While auditors will have a strategy that will look at how we will use our expertise to deliver an effective audit, we don’t often plan our communications in the same way,” he says. “Why not?”</p><p>The group dynamics at work during an audit make this type of planning crucial. Management often views the audit team as a group of outsiders coming to find fault and criticize its work. That can make them overly defensive. 
In dealing with the arrival of this “outside group” of auditors, the inside group in the business will tend to exaggerate the differences between themselves and the auditors.</p><p>“It’s like the situation among sports fans,” Pelletier explains. “In our minds, we ‘dehumanize’ the other team, the players, and their fans, which allows us to rationalize using negative stereotypes, name calling, and insults.” While this is often playful among competing fans, Pelletier says, it can manifest in uglier ways in the office. By negatively labeling auditors as snitches or worse, individuals can then more easily rationalize treating auditors differently. “Many auditors have been lied to or purposefully given misleading or incomplete information,” he says. “This is not acceptable human behavior, but the rationalization brought out by the dynamics between in-groups and out-groups makes it feel okay.”</p><p>By labeling auditors as police, for example, the inside group is creating a distance that protects them from personal harm. Pelletier cites psychologist Thomas Szasz, who said: “Every act of conscious learning requires the willingness to suffer an injury to one’s self-esteem. That is why young children, before they are aware of their self-importance, learn so quickly.”</p><p>If this is correct, then auditors represent a threat to a client’s self esteem. Pelletier argues that to overcome this obstacle, auditors need to put empathy at the center of their communications strategy. “We have to acknowledge that whatever people may say to the contrary, being audited feels personal to the client,” he says. “Instead of being in denial about this, we must recognize that is a natural, negative psychological reaction that derives from the very nature of our role.”</p><p>Displaying empathy entails making sure you can see things from the perspective of those on the receiving end of the audit — and demonstrate that you care and are truly there to help. 
“Making the audit feel more like a partnership will help diffuse negative situations,” Pelletier says. “Those will still arise, but instead of reaching for the hammer every time, we should try the handshake.”</p><h2>Team Interaction Is Key</h2><p>Wendy Bedwell, assistant professor of psychology at the University of South Florida in Tampa, says good interpersonal skills are at the heart of creating effective audit teams. How well a team cooperates, handles conflict, and solves problems are all predicated on how well team members interact with one another, she says.</p><p>Bedwell says people who perform well generally actively listen to others, have good nonverbal skills — such as using the right body language in different situations — and develop an ability to be assertive without coming across as pushy or aggressive. While she says that how a person tends to interact with others is partially a character trait, she also says it is a skill that any auditor can develop. </p><p>It is an area in which CAEs can play a key role. The first step is to measure the interpersonal skills of each auditor. “There are several ways CAEs can measure interpersonal skills,” Bedwell says. “Just asking people how they see themselves and observing them when they are in everyday work situations is a great place to start.”</p><p>She says it is relatively easy to see who is not as competent a listener or talker on the team, and who has assertiveness issues or exhibits poor body language. With more senior staff members, she advises, observe how they handle conflict and solve problems that arise within the team. </p><p>“When observing staff members interacting, leaders absolutely cannot interrupt what is going on,” she says. “It’s natural to want to jump in, give advice, or sort out problems. But it will be much more useful in the long term to diagnose the issues and create a training program to address shortcomings.”</p><p>The CAE must create the right environment for positive change. 
“You are setting up expectations and creating a discussion on how to improve skills, so it is important to present it as a new initiative and as something vital to the success of the team,” Bedwell says. “You need to be clear that you do not expect everyone to be perfect, but like with any skill, practice can lead to improvements.”</p><p>While coaching can be effective, she says, people can also learn from their peers. Putting a good and poor communicator together can be useful. If there are people with excellent interpersonal skills, Bedwell says it may be worth making them champions and providing them with opportunities to demonstrate their skills. Role playing, practice, and feedback on areas of weakness can result in rapid improvement if the environment is supportive. “For this to really work, the CAE must create alignment between the development of interpersonal skills and the evaluation and reward systems in place,” she says. If those are correctly aligned, behaviors will continue to improve. If not, “that’s where most initiatives fail.”</p><h2>Learn to Listen</h2><p>“When CAEs are working to improve the communication skills of their team, they must remember that we don’t all communicate in the same way,” says Sarah Blackburn, vice chair and chair of the risk and assurance committee at NHS Digital in London, and past-president of the Chartered Institute of Internal Auditors. “We have to build something that is receptive and understanding of the way people prefer to contribute.” For example, she says, some people prefer to listen and digest information during a meeting, so the CAE needs to find different mechanisms — email or social media platforms — where team members can make their contributions in a way that suits them best.</p><p>She also says the CAE must set the tone and provide a model for the behavior he or she wants to promote by becoming as good at listening and communicating as possible. 
That involves reaching out to the business to ask for feedback on both his or her personal performance and on how well the team is doing.</p><p>“As an audit committee chair, I get a lot of feedback from management on audit work,” she says. Common complaints include auditors not listening, acting like the police, not taking the time to understand the business’ challenges, and writing reports about the audit process rather than focusing on what is valuable to management.</p><p>“A good CAE will take the opportunity to listen to the audit committee chair, management, and the external auditors,” she says. That kind of listening will pay massive dividends to the audit team’s ability to serve stakeholders well and communicate valuable insight to the top team, she adds.</p><h2>Welcome Feedback</h2><p>“A good indicator of the effectiveness of an audit function and its leadership is how good they are at getting feedback on their performance and having mechanisms in place to act on the results,” says Richard Gossage, managing director at the coaching and communications consultancy Copper Bottom Enterprises in Amersham, U.K. “CAEs should have networks of people such as the audit committee chair, the lead partner of the external audit firm, and others, who they recognize as giving accurate and objective feedback and be rotating around that group regularly.”</p><p>In accordance with the <em>Standards</em>, an external quality survey would provide good information on how internal audit’s communication is perceived.</p><p>Because the audit report is the function’s judgment on a particular issue communicated to management or the board, feedback on how well the information was gathered and the results communicated should be standard, he says. 
Quite often, good audit work and analysis can be ruined at the last moment by poorly written reports that fail to convey the relevance of audit findings to the intended audience.</p><p>“The fundamental cause of a lot of poor audit reporting is that the audit team can no longer see the forest for the trees,” Gossage says. “The report becomes a justification of the work that’s been done and the knowledge of the auditors, which is the symptom of a failure to understand your audience. Auditors fail to realize that the report is part of the ongoing dialogue with their audience.”</p><p>Gossage advises auditors to learn to see their reports as enabling tools for the business — not ends in themselves. That can require a shift in mindset and a willingness to try different types of communication. Being clear about the purpose of each communication and having a firm grasp of stakeholder expectations will make planning and delivering it much more effective, he says. </p><h2>An Empowering Exercise</h2><p>Developing sound interpersonal relationships is a difficult but crucial task for internal auditors. It can make the difference between effective and ineffective audits and audit teams. That is not something that should be left to chance — even though it often is. Building trust, demonstrating empathy, listening, seeking feedback within the team and among stakeholders, and acting to improve shortcomings are all important steps along the way. It may not be easy, but, as Gossage says, “it is a surprisingly empowering process.” </p>
Arthur Piper
Speaking Outhttps://iaonline.theiia.org/2017/Pages/Speaking-Out.aspxSpeaking Out<h2>​What challenges do internal auditors face when speaking out about fraud or misconduct at the executive level?</h2><p><strong>WILLIAMS</strong> One of the hurdles internal audit may face is gaining an appropriate level of support from senior management or the audit committee. Due to established relationships and common reporting structures, it may sometimes be easier for senior management or the audit committee to side with the executive. One tactic senior management might use is to avoid denial of the facts, focusing instead on helping the executive minimize the incident by painting the matter as “gray” rather than “black and white.”<br></p><p><strong>GROCHOLSKI</strong> Let’s assume the fraud or misconduct has been investigated by the chief audit executive (CAE) and proven. The first challenge would be the CAE’s lack of experience in dealing with these tough matters. Let’s face it, we hope not to have a lot of experience in this area. But should it happen, the CAE needs to dig deep and develop a plan to determine who needs to be involved, who needs to know about it, how to pursue it, and when — not whether — to inform the audit committee. Have courage: These matters can involve the highest and largest personas in the company. Be thorough: One sign of incompleteness may water down the entire issue. Anticipate reactions: Clearly communicate to the executive’s superiors — and/or the audit committee — the results of your investigation and anticipate how they may react.<br></p><h2>How can internal auditors find courage, despite these challenges?</h2><p><span id="DeltaPlaceHolderMain"><span><strong><img src="/2017/PublishingImages/Greg-Grocholski.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" /></strong></span></span><strong>GROCHOLSKI</strong> First, “finding courage” should have been considered before taking the CAE role. Courage is a fundamental requirement of the job. 
The audit committee can help immensely in supporting the CAE through the matter. At the end of the day, the CAE’s reputation, too, is on the line in terms of how well he or she maintained confidentiality, avoided character assassination, and professionally managed the matter. Depending on the issue, CAEs need to think through the legal implications — such as potential crimes and required disclosures — and this will sometimes force courage on the CAE.<br></p><p><strong>WILLIAMS</strong> Auditors should realize that doing the right thing is not always easy. They are frequently put in positions where they must exhibit courageous behavior, and they should be ready to demonstrate unwavering commitment to an ethical environment. The audit profession is founded on ethical standards, and there are resources auditors can reference as they fulfill their responsibilities. They can leverage the company’s code of business conduct, code of ethics, internal audit and audit committee charters, and other governance policies, while resources such as The IIA’s <em>International Standards for the Professional Practice of Internal Auditing</em> offer further support. <br></p><h2>What should internal audit do if it encounters resistance when reporting the issue?</h2><p><span id="DeltaPlaceHolderMain"><span><strong><img src="/2017/PublishingImages/Dan-Williams.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" /></strong></span></span><strong>WILLIAMS</strong> Internal audit should discuss the situation with its direct administrative reporting manager and make its case as to why the executive’s actions should be further assessed. This may require special handling, depending on who the executive is and the specifics around the organization’s formal/informal reporting structure. 
If met with resistance, internal audit should explain the significance of the compelling observations gathered and the obligation to elevate the matter if it is not vetted with an appropriate level of attention. Incremental escalation then generally includes separate discussions with other executives — general counsel, the chief financial officer (CFO), the CEO — relevant to aligning on investigative actions and next steps. If internal audit is still not getting support, it should let the executive team know that it has no choice but to discuss the matter directly with the audit committee chair. <br></p><p><strong>GROCHOLSKI</strong> CAEs report to the audit committee for a reason — for independence. The CAE needs to investigate the matter and discuss it with the audit committee. Resistance from executive management needs to be vetted during the investigation and raised to the audit committee immediately if it prevents the CAE from doing what needs to be done. <br></p><h2>How can CAEs build relationships to ensure they have support when they need it?</h2><p><strong>GROCHOLSKI</strong> Relationships involve trust, and trust is built over time. CAEs need to demonstrate within their engagement with management and the audit committee that they can be trusted. If you are trusted, if you are professional, if you are seen as objective — and not pursuing an agenda — I firmly believe, based on my own experience, you will have the support when needed. Executive management has a stake in this as well, as this will be a time when they, too, need to display courage, demonstrate tone at the top, and walk the talk — not just talk the talk. <br></p><p><strong>WILLIAMS</strong> The optimal time to prepare for an incident like executive fraud and misconduct is when you are not in the middle of the incident. Building a relationship with management and the audit committee chair can help ensure internal audit has the support of the organization when it needs it. 
Get to know them on a professional and personal basis. Strive to lead by example, demonstrating consistent integrity. Let your engagements and your ability to compromise when appropriate demonstrate that you are a business person who wants to drive value and help the organization achieve its goals. <br></p><h2>What are some tips for reporting a major incident that involves senior management?</h2><p><strong>WILLIAMS</strong> Internal audit should use a predetermined escalation and response playbook or policy, if one exists. This document should include a communications cadence that can be used depending on the nature of the incident and who is involved. For example, it should consider formal hierarchy, informal hierarchy, long-standing relationships between other executives, and external auditor expectations.<br></p><p>In general, a good first step is for internal audit to discuss the facts with the general counsel and ethics and compliance officer. This will help ensure consideration of attorney–client privilege. If the general counsel is involved, or has a conflict of interest in the matter, then discuss the matter with the CFO, CEO, or similar executive instead and gain alignment on next steps. Communication with other executives early on may also be necessary, but should always be done on a need-to-know basis. Internal audit should also communicate timely with the audit committee chair, bringing him or her up to speed on the facts and circumstances. The general counsel and audit committee chair should help determine whether an external firm should be engaged, and by whom, to maintain the independence of an investigation. Internal audit’s interactions with senior management and the audit committee should address communications with the independent auditor to determine the impact of the matter on its audit of the organization’s financial statements and related financial reporting controls. 
<br></p><p><strong>GROCHOLSKI</strong> Follow internal investigative protocols first, even if that includes discussing the matter with the executive vice president of legal, IT, or human resources, or the CEO or CFO. Everyone should understand an investigation serves two purposes — each being equally vital: to prove or disprove the matter. Next, determine when to inform the audit committee chair or the entire committee. Conduct nonintrusive data gathering and see what the data is telling you. Pull additional data if necessary to further prove or disprove initial analysis. All along, document what you do in a way that will serve you well should the matter be referred to external forensics or external legal firms to either continue investigating or because the audit committee wants them to validate your work and conclusions.<br>There are two stages: 1) observing/hearing about it and 2) proving it. Each stage has its challenges. In the first stage, you may need to look at data, emails, expense reports, or contracts to investigate the matter; you may even have to interview employees. A challenge here may be in just accessing the data/people, as you may need legal, IT, or executive management to be aware of the need to do so. Plan ahead, there may be resistance. Be aware that you will be closely watched to see how you work through this maze of politics, sensitivities, and dealing with large personas in the company. </p>Staff1
Opportunity From Disruptionhttps://iaonline.theiia.org/2017/Pages/Opportunity-From-Disruption.aspxOpportunity From Disruption<p>Disruptions affect us all, whether they are internal, such as new technology implementation, or external, such as new business models, new forms of competition, or regulatory changes. These significant, quickly developing, and potentially unanticipated events create risk and opportunity that demand the attention and resources of the business. <br></p><p>Unlike other risks, the speed at which disruptive events can appear and with which the business needs to react doesn’t lend itself to the notion of internal audit having a year or two to identify related risks, understand them, get projects on an audit plan, and conduct the audits. If auditors don’t help the business address disruption-related risks as they occur, the business will charge ahead, potentially increasing risk or bypassing opportunity. <br></p><p>Stakeholders view internal audit’s involvement in disruptive events as necessary and meaningful, and their expectations of practitioners continue to rise. The more auditors do, the more stakeholders realize what internal audit is capable of doing, and the more stakeholders ask of them. PwC’s 2017 State of the Internal Audit Profession study indicates that the vast majority of stakeholders would like internal audit to be more involved: 77 percent of board members and 68 percent of management say the profession’s level of involvement in disruption is not sufficient. This presents an opportunity for internal audit to deliver increased value by being involved early in the process and bringing a risk mindset to the business as it sets its strategy and tactics. <br></p><p>Early and consistent involvement in disruption requires internal audit to get ahead of disruption and be flexible and responsive as it occurs (see “Rethinking Internal Audit” at right). 
To do so, the department needs to build certain traits into its DNA to create the agility needed. Agile internal audit functions are those that are adding significant value in areas of disruption by demonstrating six traits. <br></p><h2>1. Be Forward Thinking </h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Rethinking Internal Audit</strong><br><br>With stakeholder expectations evolving, internal audit leaders need to help their internal audit functions think differently and push beyond standard objectives and deliverables. To paraphrase Albert Einstein, one can’t keep doing the same things over and over again and expect different outcomes. Audit leaders must think more strategically about where they are operating today and what their ideal state would be by asking themselves:<br><br><ul><li>Is the internal audit function doing anything different today than it did three years ago? </li><li>Are those differences marginal or more transformative? </li><li>Is internal audit realizing value from those changes? </li><li>Should audit leaders rethink how they are measuring the department’s value? </li><li>Is transformation and disruption within internal audit required to remain relevant to the business?</li></ul><br>One thing that distinguishes internal audit functions that have developed the agility to embrace disruption is that they appear to have a broader view of what is deemed an “auditable risk” than their less agile peers. This is evidenced by their consistent involvement across many disruptors. These functions are twice as likely as their peers to be involved in less traditional, but high-value areas such as helping the organization respond to operational disruption, changes in business strategy, brand and reputation incidents, and digital innovation. They also are far more likely to be involved early in the disruption and strategic business decision-making cycle. 
They do more to help their organizations proactively manage disruption before processes are fully developed. Moreover, they provide a point of view around disruptive events beyond identifying existing process or control gaps, and they are twice as likely to assist in identifying the potential for a disruptive event to occur.<br></td></tr></tbody></table><p>The key to becoming agile is being more proactive than reactive. That means staying on the forefront of potential business disruption and recognizing that priorities may change quickly during the year — 84 percent of agile internal audit functions are mindful of disruption risk and include the possibility as part of audit plan development (vs. 50 percent of less agile survey respondents), according to the State of the Internal Audit Profession study. <br><br><strong>Use a Strategic Planning Process </strong>Define how the department will change its processes, technology, and talent to keep pace with the business. This process is more than an administrative “nice to have;” it’s a road map to internal audit’s vision. These changes will take time, budget, and stakeholder buy-in. <br><br><strong>Think Differently About Internal Audit’s Risk Assessment Process</strong> Many organizations are doing away with a robust, annual risk assessment interview/survey process and incorporating more frequent processes such as semi-annual or quarterly assessments. Consider whether internal audit interacts enough with key stakeholders throughout the year to keep a more real-time view of likely disruptions and the top risks to the business. <br></p><p><strong>Reassess Internal Audit’s Risk Universe</strong> This assessment can confirm whether the risk universe captures emerging risk areas and more holistic risk topics that may not yet be embedded within company operations. If the universe is merely capturing everything that exists within the organization today, it is hard to anticipate what disruption-related risks could be coming. 
These risks, by nature, are ones that may not have an “owner” yet, and therefore are often missed in functionally organized risk universes. One way to mitigate omitting key risks is to formally link the risk universe to the organization’s strategic goals. <br><br><strong>Create Flexibility in the Audit Plan</strong> If there is no room left in the plan after accounting for recurring activities, then it is difficult to find time for more value-added, risk-based projects aligned to disruptive risks. Allocate a percentage of the audit plan to more proactive and strategically aligned audits, of which disruptive events are a part. Also, allocate a portion of the plan to ad-hoc, management requests, or a “buffer” category to gain flexibility during the year as issues arise.<br></p><h2>2. Be Inclusive</h2><p>Driving collaboration often falls upon internal audit because of its unique vantage point within the organization. When done well, this responsibility makes it easier for both management and the audit committee to understand the broader risk landscape and delineate between the lines of defense. It also unites the lines of defense in addressing disruption-related risks as they materialize. Given the organization’s size, maturity, and industry, the internal audit function may be serving across multiple lines of defense at the same time. But even then, there is an opportunity to promote a common risk universe and risk language by: <br></p><ul><li>Inventorying all of the organization’s various second-line or risk-oriented functions within the first line. Understand what other risk assessments are being performed by those teams and if there is opportunity for alignment. 
</li><li>Adjusting the frequency and nature of communications between the second-line functions to understand whether any overlap or duplication exists, as well as whether there are opportunities to transition certain risk activities back to the second line.</li><li>Reassessing how the department audits the second line of defense and whether that could impact the “reliance” strategy internal audit places on such functions. Some internal audit functions adopt criteria where partial or full reliance can be considered over certain risks monitored by the second line to free up time for internal audit to focus on high-risk, strategic, or disruptive topics. </li></ul><p></p><h2>3. Be Business Minded</h2><p>Stakeholders and chief audit executives (CAEs) agree that internal audit functions should comprise future business leaders. Business acumen positions internal audit functions to help their organizations manage disruption. The question that many organizations struggle with is: Do you hire auditors and teach them the business, or do you hire from the business and teach them how to audit? In either scenario, the ultimate goal is to develop business-minded professionals who operate true to internal audit’s mandate and professional standards. Internal audit should: <br></p><ul><li>Evaluate the training and development balance among general soft skills, internal audit methodology and approaches, IT technical skills, and business acumen. Some internal audit functions have embedded auditors within the business as it is developing new projects and services to bring a risk-and-controls mindset, while concurrently learning more about the business. </li><li>Build business acumen through the recruitment of diverse backgrounds, degrees, and certifications to promote more organic knowledge sharing among the team. </li></ul><p></p><h2>4. 
Be Flexible by Design </h2><p>Alternate audit procedures and reporting options allow flexibility in delivering important messages to management and the board without the burden of self-imposed constraints. Methodologies are helpful, but internal auditors need to reflect on whether their actions are focused on risk understanding and reduction or self-imposed protocols. Many internal audit functions are adding value — particularly in the area of disruptive risks — through assurance and consulting activities such as delving into the likelihood of specific risks to their organization and assessing the organization’s readiness to respond to emerging risks. Several use the term <em>health checks</em> for these services. <br><br><strong>Inventory the Categories of Projects in the Audit Plan</strong> Consider the mix of proactive/reactive evaluations, emerging/existing risk focus, short/long durations, and equal/variable coverage. Use the inventory to determine whether the mix embraces a risk-based and value-adding mentality. Some internal audit functions have difficulty breaking the historic cadence of hitting every location or every department in a set time frame, but the objective is managing risk where it is most likely to manifest, not ensuring full coverage. <br><br><strong>Evaluate the Nature and Timeliness of Internal Audit’s Procedures</strong> Assess whether they are tailored to project needs or predefined protocols. Do all projects have a similar planning and fieldwork duration? Does the department use the same testing techniques across every project? Is there such a long duration between when a project is identified, put on the audit plan, scheduled, performed, and reported that the relative risk has changed by the time it is ultimately reported on, reducing the project’s impact? If the audit committee requested an evaluation of a select risk topic by the following week, could internal audit mobilize, assess, and provide a point of view in time? 
<br></p><p>Expanding internal audit’s procedures can account for variation and support a risk-based, critical-thinking mentality. The PwC study shows that 73 percent of agile internal audit functions change course and evaluate risk at the speed required by the business, compared to 37 percent of less agile survey respondents.<br><br><strong>Rethink the Notion of Internal Audit Reports</strong> Some projects simply don’t require a full audit report, and others may not warrant a rating. Highly regulated industries have limits to this flexibility, but even in those situations, there is an opportunity to reflect on how protocols are set and whether they are focused on the importance of the message without being overly restrictive or bogged down in wordsmithing. <br></p><h2>5. Be Data-enabled</h2><p>The more data-centric businesses become, the more data analysis will become a primary internal audit skill. Analytics should be embedded throughout the audit life cycle in risk assessment, audit planning, fieldwork, and reporting to improve internal audit’s business insights. How much more is internal audit doing with data now than three years ago? What improvements has it realized? Is internal audit investing in the right resources and training to further advance its capabilities? Consider using data analytics to: <br></p><ul><li>Help internal audit teams understand traditionally unauditable risk areas, such as those associated with business disruptions, by analyzing trends and correlations that are not evident through process understanding or controls testing — allowing for more direct exception-based analysis. </li><li>Gain deeper insights that increase the value stakeholders perceive from internal audit projects, such as through expanded coverage, outlier identification, and more targeted root cause analysis.</li><li>Broaden coverage while reducing the need for on-site visits across geographically dispersed locations. 
This can provide a more comprehensive view of risks and comparable analysis not achieved through a rotational visit model.</li></ul><p></p><h2>6. Be Talent Ready </h2><p>Because of the changing risk landscape, keeping pace with the broader capabilities now needed within internal audit is difficult and highly competitive. Some organizations turn to third parties to close internal audit talent gaps, stay contemporary with evolving skill needs, and flex with business change. Others use internal resources to flex with business needs. Is internal audit’s current talent model agile? Do audit leaders know where their skills gaps or key dependencies are? Can internal audit respond quickly to a variety of risk needs or management requests, such as those related to business disruption?<br></p><ul><li>Identify opportunities to create more agility within internal audit’s overall talent strategy. Some of these departments employ a core team and leverage personnel from the business or cosource providers to flex up or down at select times or on specific projects.</li><li>Assess whether internal audit is leveraging its cosource providers in the most meaningful ways. Internal audit functions that add value are using sourcing in more substantive ways than simply accessing its capacity. </li></ul><p></p><h2>Changing with the Business</h2><p>Internal auditors don’t always give themselves enough credit for what they can contribute. At the end of the day, the profession’s role is to help identify and mitigate risk for the organization. Given the tumultuous business environment, that mitigation strategy may require more proactive and real-time evaluations of risk. Regardless of whether internal auditors are doing so to deal with disruptive forces or to improve existing activities, creating more agility in their operations is beneficial. <br></p><p>Internal audit remains one of the few departments that is able to take a holistic view across the business. 
That gives auditors a unique perspective from which to provide a point of view around risk management procedures. Perform a self-assessment. How agilely can the internal audit function operate? Where does the department stand in demonstrating the traits necessary to drive value for the business? Identify the steps internal audit plans to take this year, be aggressive with change, and continue to evolve </p>Jason Pett1
Internal Audit as Policehttps://iaonline.theiia.org/2017/Pages/Internal-Audit-as-Police.aspxInternal Audit as Police<p>​As internal auditors, we frequently hear our profession labeled as the organization’s police. The comment is made in a critical tone, often accompanied by descriptions of internal audit as a “gotcha” function that seeks to identify and highlight obvious issues. Many of us respond by offering examples of how auditors provide value-added services, form partnerships with the business, and provide recommendations that can improve and strengthen the overall control environment. And while citing this information can help educate clients about our wide variety of roles and responsibilities, I have begun to wonder whether disputing their characterization of the profession is truly effective, appropriate, and even accurate.<br></p><p>When confronted with the police comparison, should we seek to understand where this perception comes from? Auditors are trained to ask thoughtful, open-ended questions as part of our standard walk-throughs. Can we implement the same skills in conversations about the nature of our work? A client’s opinion about the profession may stem from an experience he or she had with an audit team in the past. By identifying what could have been executed differently, we can implement strategies in the current audit to help avoid such an experience from recurring. Or perhaps the client’s impression is based on internal audit’s portrayal in the media. By discussing what is happening at other companies, internal audit can facilitate dialogue about risk areas of concern that ultimately could be leveraged to improve audit planning and execution.<br></p><p>Simply disagreeing with clients’ perceptions of internal audit sets an adversarial atmosphere for the engagement. Is it necessary to disagree, or can we acknowledge their perspective? 
Then, rather than highlighting our consulting projects, special management requests, and continuous monitoring activities, perhaps we could explain the purpose of our work nondefensively.<br></p><p>Maybe audit clients are not that off base when characterizing internal audit as a policing activity. Similar to police who protect the communities they serve, internal audit aims to protect the organization by performing risk-based audits that cover financial, operational, and regulatory activities. Internal auditors are trained to identify red flags of fraudulent activity that could harm the organization, similar to a police officer who identifies criminal activity that could harm the community. Internal audit develops rapport with business units to build a foundation for strategic discussions, similar to police who forge positive relationships with schools and neighborhoods to strengthen the bonds of the community.<br></p><p>Although the profession has made considerable strides with its image among stakeholders, comparisons between internal audit and the police are still common. But such opinions do not have to be interpreted as negative or invalidating. Instead, they can be embraced and leveraged to facilitate candid discussions about audit objectives and organizational risk </p>Christine Hogan Hayes1
The Innovative Internal Auditorhttps://iaonline.theiia.org/2017/Pages/The-Innovative-Internal-Auditor.aspxThe Innovative Internal Auditor<p>​In today’s dynamic and disruptive world, most organizations are undertaking some form of fundamental transformation. Whether they are developing new products and services, refocusing on customer expectations, exploring new technologies, entering the next phase of their push to globalization, or simply seeking new efficiencies, radical change is now an everyday fact of life. Organizations and their internal auditors cannot afford to be static if they want to survive in this environment.<br></p><p>The fact that the rate of change is faster and more intense than ever has major implications for both companies and their internal auditors. It affects the nature of assurance that internal audit stakeholders are seeking, but it can also greatly enhance the speed and quality of the assurance we can provide.<br></p><p>Until recently, assurance was more focused on past events. But the rate of change means that the past is no longer a safe predictor of the future. In today’s environment, organizations are calling internal auditors to be more forward-looking. Boards want comfort that as they take their next steps, they can see the potential stumbling blocks and understand what they need to do to get around them. They see internal audit playing a vital role in their efforts to successfully navigate the fast-moving business environment. <br></p><p>That is great news for internal auditors, but it is also a challenge. Traditional auditing is undoubtedly right for many projects; however, when auditors need to deal with the uncertainties inherent in planned business strategies, it is an approach that is less relevant to the velocity of our current business environment. Internal auditors can build upon the steps they have taken to meet these new challenges by focusing more effort on innovation. 
That is why “Internal Audit Innovation” is my theme as chairman of the North American Board for 2017–2018. <br></p><p>I passionately believe that internal audit has a vital role to play in the success of our organizations. But I also believe that to be up to the task, we need to refresh our commitment to innovation in internal audit. We need to push further and harder on the steps we have taken so far in areas such as audit automation, data analytics, and rethinking our audit processes and methodologies, as well as taking the first steps toward the use of robotics in our audit work. Innovation must be at the core of internal audit’s remit if it is to keep pace with the developments in our own organizations and beyond. <br></p><h2>A Work in Progress</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>THE 2017-18 IIA North American Board Chairman</strong><br><br>Shannon Urban is executive director, Risk Advisory, at EY in Boston. With EY since 2001, Urban currently leads growth strategies at the firm as its Northeast Region Internal Audit and Internal Controls Competency leader. She has worked with internal audit departments of all sizes and in multiple industries, including financial services, health care, government, industrial products, and consumer products. <br><br>Urban has worked widely on innovation in internal audit, including on EY’s internal audit delivery methodology and tools to support internal audit engagements. Previously, she was audit manager at Fidelity Investments, and senior audit officer at State Street Corp., both in Boston, and senior staff auditor at Citizens Financial Group in Providence, R.I.        <br><br>Urban has been The IIA’s North American Board senior vice chair, a Global Board member, an Audit Committee member (2014–2015), and an Institute Relations Committee member (2011–2015). 
She has been active in The IIA’s Greater Boston Chapter as president (2002–2003), treasurer (2001), and a member of its Board of Governors. </td></tr></tbody></table><p>Many internal auditors are working their hardest to meet their stakeholders’ expectations with often constrained resources — including tight budgets, limited staff, and ever-changing competency demands. Even so, stakeholders seem to continually want internal audit to add more value. Most chief audit executives (CAEs) I meet really care about this issue. They speak with their various stakeholders, try to understand what they value, and modify their audit plans and strategies accordingly. But priorities change much more quickly than in the past, so it can be difficult to see how it is possible to keep doing more and still provide the baseline assurances stakeholders expect.<br></p><p>This is precisely why the innovation mindset is so relevant today. It says internal audit should be a work in progress. That processes are adaptable and open to rapid revision as circumstances change. That audit finds more forward-looking ways of working to adapt to stakeholders’ changing needs. And that technology is a great enabler when fully embraced.  <br></p><p>Many internal auditors have already embarked on this journey. But I am calling on everyone to turbocharge their innovation efforts. We can do an even better job of keeping ahead of the rapid developments both within our organizations and beyond if we make a conscious effort to embed innovation in our audit functions.<br></p><h2>Overcoming Obstacles</h2><p>Innovating internal audit can be great fun, and those who have done so successfully have reaped the rewards of enhanced risk coverage, deeper insight, and increased stakeholder satisfaction. They have made their organizations nimbler and less prone to surprises. 
They have often earned a seat at the top table where they provide objective advice and assurance where it is most needed.<br></p><p>But kick-starting an innovative audit culture can be difficult. Because most audit departments work with tight resources, they have little spare time, money, or people power. Working through a packed audit schedule, they may feel that they cannot devote the necessary time and energy to be strategic and innovate. <br></p><p>There is no easy answer to this dilemma. But I urge CAEs and everyone on the internal audit team to make a commitment to embrace innovation today. By making time for regular, meaningful conversations and creative thinking with each other, the rewards will come. Some auditors in a team may take a bit of persuasion that the effort is worthwhile. Some clients may have become comfortable with being audited in a traditional way. And in those cases, auditors will need to have the courage to drive change and insert themselves where they feel they can add value. It takes courage to innovate and to overcome old attitudes resistant to change, to think and act differently, and to show leadership and be an executive in the organization. But by becoming a catalyst for innovation in internal audit, auditors can become a catalyst for change in the organization at large.<br></p><h2>The Key to Innovation</h2><p>Even if the audit team is relatively small and cannot create a dedicated innovation center, the CAE can foster a culture of innovation in his or her team. After all, not all innovation aims to reinvent the world. <br></p><p>If I were starting on this journey today, I would sit down with my team and have an open conversation about what the difficult things in internal audit are — the things we spend the most time on. Where could we be more efficient? What are we not covering as well as we’d like? What is hard to do right now to meet the expectations of our stakeholders and to fulfill our mandate? 
The key to innovation is to turn the answers to these questions into actions. <br></p><p>Heads of audit also could reach out to other innovation hubs within the business and ask for help. Companies are innovating just to survive, so many organizations have developed techniques for driving innovation that audit could learn from. Give someone in your audit function a part-time responsibility to help the innovation process. And tap into that wealth of often unexploited talent — new professionals. Newer internal audit professionals who aren’t tied to tried-and-true ways of working can bring a fresh perspective and an openness to technology as an enabler of innovation.<br></p><h2>From Analytics to Robotics</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Innovation Action Points</strong><br><br><ul><li>Have the courage to think and act differently and challenge the status quo.</li><li>Commit to change and to an ongoing journey of discovery.</li><li>Challenge the assumptions you hold about the everyday processes that make up the audit function’s working practices.</li><li>Embrace existing technologies to get the full benefit from your investment in areas such as analytics.</li><li>Communicate findings faster and more effectively by questioning the need to produce an audit report for every project.</li><li>Explore how advanced analytics and robotics can help free up resources for more high-level audit thinking.</li><li>Create a culture of challenge in your department and involve newer members in the innovation process.</li><li>Get help from within other parts of the business that are focused on innovation.</li></ul></td></tr></tbody></table><p>Analytics have been around for a long time. But it is a nut most auditors have not fully cracked, or fully embraced, across the entire audit life cycle. It represents a great opportunity for innovation. 
Leveraging different types of analytical methods for risk assessment, planning, execution, and reporting can massively boost the efficiency and outcomes of our audit work. Auditors who have not yet innovated their processes in this area can make giant strides very quickly and, in doing so, improve the speed and depth of the assurance they provide.<br></p><p>The biggest conversation I am having in my firm and with cutting-edge internal audit functions is about robotics and what that means for our businesses. Robots, or bots, have moved from the factory floor to finance functions, shared service areas, and other professional areas of work. Internal auditors who take the time to find out what robotics means from a risk and control perspective are likely to be in for a pleasant surprise.<br></p><p>For example, some audit functions are investigating using bots for routine control testing work. They have found that bots can perform those tasks in a fraction of the time and for a fraction of the cost of a real person. So, while some consultants talk about robotics in terms of cutting head count and costs, auditors are beginning to explore how it can alleviate the perennial constraints of resources and budget. <br></p><p>Imagine how much time and how many resources could be freed up for higher brain-power auditing and advisory work if the internal audit team could build a series of bots to do all its routine control testing. It could mean liberating resources to deliver those value-added projects stakeholders demand without sacrificing audit’s ability to provide assurance in traditional areas. I see this emerging innovative technology as an internal audit multiplier.<br></p><h2>Looking Close At Hand</h2><p>One of the most powerful tools for innovation in internal audit is fresh thinking. I am very encouraged by how many CAEs with whom I work are open and receptive to new ideas. 
They want to incorporate those ideas into their work, but with a busy work schedule, we all know how difficult it can be to turn ideas into action.<br></p><p>Fortunately, innovation can start from looking differently at those things that are closest at hand. When I was thinking about my theme, I realized that the way most internal auditors work has not fundamentally changed over the nearly 25 years I have been in the profession. Of course, the red pencils, hard copy ledgers, and ring binders are gone. We work on computers and smartphones. But most of us could not genuinely say that we are digital internal auditors, even though most of us live and work in a digital world.<br></p><p>Internal auditors have embraced technology to assist in achieving consistency and quality in our work. But we can go further and fully embrace technology the way our businesses are embracing it. That can be as simple as leveraging the tools that auditors use in their everyday work to their utmost capacity. <br></p><p>But not all innovation relies on technology. For example, not every risk needs a full audit or full audit report. I have worked with many clients to adapt their audit response to the risk, and to be flexible in how they define an audit. For example, they can carry out more remote monitoring, or they can do a design assessment of controls, rather than conduct a full audit. Sometimes, the equivalent of kicking the tires is enough. As we all know, getting an audit report finalized can take a long time because so much value is placed on that report. Yet The IIA’s <span id="DeltaPlaceHolderMain"><span><em>International Standards</em></span></span><em> for the Professional Practice of Internal Auditing</em> only requires us to communicate the results of our activities — and that can take various forms. Yes, sometimes a formal audit report is vital. 
But other forms of communication can be more effective, including, for example, issuing an executive memo, preparing and delivering a presentation, or providing additional training to deal with control weaknesses. These techniques can be more efficient and timely than an audit report that arrives three to six months after completing the work. <br></p><h2>The Only Option</h2><p>Innovation in internal auditing is both crucial for its growth and necessary in meeting the ever-changing needs of stakeholders. It is a messy, frustrating, and ongoing program that demands commitment and courage. And it is fun, surprising, and rewarding. All auditors can take a few easy steps to start, or reboot, their journey today. If we want to understand our stakeholders and serve them well in the future, embracing innovation is the only option.  </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;">​As I assume the chairmanship of the North American Board, I am extremely grateful and humbled by this opportunity. My career has given me the chance to work with and learn from some incredible internal auditors, and I hope to continue to do that through this role. I would like to thank my employer, EY, for giving me the support and flexibility over the last several years to pursue my interest in IIA leadership opportunities, and for providing me tremendous opportunities to work with some of the leading thinkers on internal audit, risk, and controls. I am also deeply grateful to my husband Matt and sons Luke and Drew for their understanding and support as I pursue my career goals.<br><br>In addition to working toward our strategic goals for North America — focused on driving professionalism, advocacy, sustainable value, and The IIA as leader — I am also focused on two objectives that are personally exciting for me. 
First, I look forward to encouraging all practitioners to become more innovative in how we practice as internal auditors and to adopt a continuous improvement mindset. Second, I will be supporting our diversity and inclusion efforts to both promote success of women in the field of internal auditing and encourage more diversity in our volunteer organization and leadership structure.</td></tr></tbody></table><p></p>Shannon Urban0
Where AI Meets EQhttps://iaonline.theiia.org/2017/Pages/Where-AI-Meets-EQ.aspxWhere AI Meets EQ<p>For some time now, intelligence in the workforce has been a hot topic of discussion. Traditional intelligence measurements such as IQ have taken the sidelines as measurements and talk of emotional intelligence (EQ) and artificial intelligence (AI) take center stage. Across industries, experts tout the benefits of EQ and AI and predict their impact on the future of business. What does this mean to the average internal auditor, and where do these types of intelligence meet?</p><p>Individuals with high EQ easily recognize the emotions of others and understand how best to respond to those emotions. They also have command of their own emotions and use this ability to adapt and guide their behavior. For internal auditors, emotional acuity can be invaluable to stakeholder interactions, especially when negative responses to the audit process arise. High-EQ auditors project empathy and insight to help alleviate client concerns. They do this when the auditor and client are face-to-face, as emotionally intelligent people are usually very skilled at reading body language. For now, these and other activities requiring high EQ are best accomplished by humans. </p><p>At the same time, AI has quickly become an integral part of the average person's life. A study published in January 2017 by the Pew Research Center found that 77 percent of U.S. citizens own a smartphone, up dramatically from 35 percent in 2011. AI thrives in the smartphone environment where users simply speak into the device and ask for help — often without the need for any physical contact to activate the technology. Moreover, AI has become more and more common in the workplace, with organizations using it to analyze business data and increase the efficiency of customer interactions. 
The technology is advancing rapidly and, over time, is expected to transform the way businesses are run as more and more tasks become automated.</p><p>The human workforce is challenged to remain ahead of this curve. Predictions abound regarding which professions will be eliminated over the next few years by robots with AI. Through exercise and training to improve skills, the human workforce has an advantage over AI, at least for the near future, because humans have the capacity for both high EQ and high IQ. And while many believe IQ remains relatively fixed throughout an individual's life span, EQ is thought to be highly malleable. Therefore, it must become a focus of our continuing education and be seen as a resource for improving professional relationships. </p><p>As EQ and AI gain further attention, coupled with the increase of robots in the workforce, internal auditors need to further develop skills that robots cannot replicate. Practitioners can seek opportunities to improve their EQ and look to better leverage EQ skills on audit engagements. During the audit process, for example, clients provide numerous nonverbal cues that auditors with high EQ can use to help pose targeted questions. Highly developed EQ enables auditors to better interpret client behaviors and remain attuned to their emotions.</p><p>With increased focus on EQ, interactions with clients should be more productive, and the improvements will help increase recognition of internal audit's value to the organization. In fact, value delivery is optimized when all types of intelligence — human and artificial — come together and complement each other. Making the most of intelligence resources will serve practitioners effectively and propel internal audit well into the future.</p>Adam P. Krick1
Under Siegehttps://iaonline.theiia.org/2017/Pages/Under-Siege.aspxUnder Siege<p>In 2016, the Houston Independent School District’s Board of Education suspended all of Chief Audit Executive (CAE) Richard Patton’s duties for “misconduct and other performance concerns” — according to the board’s public explanation. An outside attorney investigated what Patton points out is “a frivolous claim that I used district resources to scan approximately 10 pages of personal documents over a period of roughly two years.” Despite numerous requests to release the results of the investigation to the public, the district has not done so. After the investigation, Patton returned to work, but he says his duties and responsibilities were “diminished by the board in a number of ways.” Just before the suspension, his team worked on several internal investigations and cooperated with the U.S. Federal Bureau of Investigation and district attorney on matters those agencies had initiated. Because of what he calls clear retaliation and the reduction of duties — which, he notes, “seriously impacted the district’s audit charter and my team’s ability to comply with The IIA’s Code of Ethics” — he took legal action.<br></p><span><p>The sad reality is that public sector auditors can face retaliation — isolation, smear campaigns, diminution of duties, even suspension and termination — just for doing their jobs. If the fruits of the audit function’s labors conflict with an agency head’s political agenda, too often the political agenda wins and the auditor loses. The threat is so real, and the stakes so high, that many practitioners embroiled in sticky political situations have to inform their colleagues anonymously — or with the approval of a lawyer. That’s why Patton’s tale is attributed directly to him; all his comments have been approved by counsel so they don’t impact the ongoing litigation. <br></p><p>Solutions are few, but they do exist. 
If other practitioners know what to watch for and how to prepare for the worst, some may avoid the untenable situations their colleagues deal with. As an internal auditor under fire at a mid-level school district says, “Exposure of these issues may help someone else.” Ultimately, of course, some public sector auditors caught up in politics will simply have to fall on their swords. At the end of the day, the public servant trying to suppress the truth likely won an election or received an appointment from someone in office, so the auditor trying to tell the truth may be pressured to get on board or get out. But in many cases, targeted relationship-building and a firm grasp of the agency’s governance structure will go a long way toward avoiding catastrophe. <br></p><h2>POLITICAL MOTIVATION</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;">​<strong>Protect Yourself</strong><br><br>Internal auditors with experience in political challenges offer these additional tips:<br><ul><li><strong>Know what to watch for. </strong>“Your first sign of trouble is when you are not provided freedom to conduct sensitive work activities,” Houston Independent School District’s former Board of Education Chief Audit Executive Richard Patton says. And an anonymous local school district auditor points to “a lack of communication, such as no or delayed responses to requests to meet or to provide documents” as a sign that trouble could be brewing.</li><li><strong>Watch the tone of a report when drafting it.</strong> “You can change two or three words in the header and not change the report,” Kip Memmott, audit director for the Oregon Secretary of State, says. </li><li><strong>Document, document, document. Verify, verify, verify.</strong> George McGowan, City of Orlando’s director of audit services and management support, urges thoroughly discussing each issue with the parties involved to understand the root cause. 
“Every engagement needs care and feeding,” he says. “Those being audited need to feel directly involved in both understanding and then resolving the issues.” </li><li><strong>Make sure that any time an audit involves criminal or fraudulent findings the appropriate authorities are brought in.</strong> Indeed, any time a situation becomes controversial, bring another auditor to take notes.</li><li><strong>Create a paper trail.</strong> This will back up your findings and the way you present them. </li><li><strong>Understand that going to the media has serious repercussions.</strong> Memmott states, “Going to the media will not protect you. In fact, it will backfire.” </li><li><strong>Have a thick skin.</strong> Auditor Steve Goodson advises, “Try to understand the situation from the many various perspectives. Be as flexible as you can.”</li><li><strong>Hire a lawyer. </strong></li></ul></td></tr></tbody></table></span><span><p>The political motivation to punish an auditor often involves information that’s incriminating to the person who ordered the audit in the first place — sometimes under a law or regulation. In one case, an audit investigation found evidence that a school board CEO had been less than honest about his credentials; in another, a culture audit — which, in law enforcement is often going to be politically sensitive — contained pretty damning results; and another uncovered fraud in a university’s program accepting bodies of people willed to science. Often, it’s a more mundane reason, like auditors looking into contracts or programs that executive directors don’t want exposed or, as in Patton’s case, assisting outside agencies in their investigations. Sometimes it’s as simple as an executive director who insists that the audit function in general has a “gotcha” mentality. 
In fact, one anonymous practitioner facing retaliation at a local school district says she has come to believe that “any audit that falls under the chief operating officer or chief financial officer’s (CFO’s) jurisdiction or any audit that makes a board look like it isn’t providing governance and oversight will be political.” <br></p><p>The means of punishing auditors vary as well, within fairly defined limits. The mid-level school district auditor reports to a superintendent who always threatens termination. There are also common reports of campaigns to discredit CAEs who ruffle the wrong feathers — including suspiciously conducted reviews of their performance — and practitioners being isolated, often by “people who were friendly a year ago,” as the mid-level school district auditor puts it, adding, “Maybe they’ve been told they need to stay away from me to protect themselves.” <br></p><p>Retaliation also often includes reduction of duties. Patton notes that the ethics and compliance function was totally removed from the CAE’s duties, and the audit management team received correspondence from the district’s lawyers to cease existing investigations. Patton says he also received a letter stating that work activities outside of the audit plan must be approved by the whole board before beginning. <br></p><p>Other auditors report not being allowed to fill vacancies and being ordered to stop conducting operational audits. In some cases, the audit plan is even pulled from the board’s agenda, executive leadership makes sure discussion is delayed or disrupted, or management and board members cease regular communications with the audit department. Auditor Steve Goodson was once in an all-too-familiar situation: A CEO at “a major Texas state agency” told him on the first day on the job — after he was hired by the board — that if he wanted to work there, he was to accept instructions only from the CEO, regardless of what the board instructed him to do. 
“He often directed which areas of the organization I would not be allowed to audit,” Goodson recalls. “These were some of the same areas the board had instructed me to audit, so I was in a tight spot. For four years, I worked hard to navigate and negotiate an appropriate path for the audit function.”<br></p><h2>DUE PROCESS</h2><p>Sometimes the retaliation is more subtle, and never really impacts the auditor. Kip Memmott, audit director for the Oregon Secretary of State’s Office, once worked for a county government body where he conducted a performance audit that, he reports, unearthed a lot of problems. The CFO he reported to didn’t want to ruffle any feathers, but told him to proceed if he wanted to and the problems would be fixed, but the report wouldn’t be issued. “I felt like my standing fell and communications were superficial from then on,” Memmott says. The happy ending was that the CFO departed soon after. <br></p><p>Mike Peppers, on the other hand, reports he has not “been in a situation in my 25-year career where I’ve had pressure to suppress something in a report.” The CAE at the Austin-based University of Texas System credits that mainly to his perception that public sector political retaliation “is a little less likely because so much of what we do is public, and it has been said that sunshine is the best disinfectant.” Much of his output is public record, he explains, and audit committee meetings are broadcast live on the internet. “My colleagues in private companies have trouble wrapping their heads around that,” he quips. <br></p><p>Peppers does, of course, recognize that political challenges exist. He recommends developing strong relationships with audit committees so they “completely understand the role of internal audit and realize the responsibility they have to encourage an open and ethical environment.” That may be in the agency’s or department’s charter, and if it’s not, the CAE needs to drive it, he urges. 
<br></p><p>“CAEs need to recognize the important elements of protection, and know their limits within them, so if a situation arises, they are prepared to have those tough conversations,” Peppers says. “The first conversation should not take place when there’s a problem.” Similarly, auditors should know the process for removing a CAE. “No one would want to make excuses for a bad CAE,” he says. “Any time a CAE needs to be removed, there needs to be a strong process in place for the action to be reviewed in the sunshine to make certain there wasn’t anything inappropriate” in how the termination was handled. While it’s probably the audit committee’s responsibility to ensure that’s the case, new internal audit hires should make sure, when they come into the role, that the process is clear. <br></p><p>Auditors who’ve been burned by political pressure agree. “It starts in the interview process,” the county-level school district auditor says. “I wasn’t told the truth when I interviewed. I should have been more cautious and said it was a deal breaker if I didn’t talk to the board. You have to square all of that up before you start. Once you’re hired, you don’t have a whole lot of places to go for help.” That anonymous auditor adds that you should definitely establish boundaries at the interview, vet the reporting structure at the place you’re going to work, and walk away if you’re not comfortable. If you’re deceived, it’s a tough place to be. For his part, Patton even advises negotiating a contract that allows the audit department to have its own outside attorney.<br></p><h2>FORGING RELATIONSHIPS</h2><p>Once on the job, all auditors should build relationships with the people with whom they work, Memmott advises. Start by winning over staff, he suggests, to “learn who they are and get a feel for trends. Meet your colleagues, understand what they’re working on and the context they’re working in.” That should be clear from governance documents. 
Internal auditors should then use that insight to shore up potentially troublesome relationships and make sure the governance documents that define the internal audit function are known to, and understood by, everyone. Don’t assume anyone has read your charter, Memmott warns. “Try to make sure everybody is on the same page when something happens.” Take a look at past audit reports, too, he suggests. What do they look like? What have the responses been? Has there been a high level of agreement or disagreement? One sign of trouble, he notes, is terminated audits or bad or no responses to them. <br></p><p>Internal auditors also can improve their chances of surviving a political challenge by maintaining strong communications with management and showing through their work that they value being part of the team, says George McGowan, director, audit services and management support, for the City of Orlando, Fla. “Internal auditors are just as much managers over the quality of city services as those in the operating departments,” he says. “We need to demonstrate this level of care when we interact with managers. They need to know that we want the city to be successful in delivering its services and we don’t get any pleasure from pointing out flaws and troubles.” That doesn’t mean shirking duties, he emphasizes. “In the end, that responsibility does fall to us,” he notes, “and it is necessary to develop a record of the conditions we find as well as what can be done to change the outcome to a positive.”<br></p><p>When crisis arises, and with it the potential for political retaliation against an internal auditor whose revelations may have sparked it, smart practitioners will keep the lines of communication open, Peppers comments. 
Whenever the CAE sees that there’s going to be an audit that might result in reputational damage, he or she may err, unwisely, on the side of nondisclosure, he explains, adding, “But if the CAE is working with management through all of those times and keeping people informed throughout the process, that’s going to help down the line.” <br></p><p>Memmott agrees. “Right up front, let people know you’re not here to play ‘gotcha,’” he says, also calling for frequent updates. “If it’s communication overkill, they’ll tell you.” And auditors must do more than simply point out what’s wrong. You have to tell them how you can help them, he urges. “If you can give them real examples, that helps.” And remember that people want to be told when things are working well, too. “If you do a lot of that,” he says, “you can clear out a lot of the conflict.” <br></p><p>Goodson also advises leaning on the <em>International Standards for the Professional Practice of Internal Auditing</em> and educating stakeholders about what it means to be an internal auditor and what that means in the particular circumstance. Essentially, assure stakeholders that you understand what you’re dealing with.<br></p><h2>HARD CHOICES</h2><p>The sad reality is that public sector auditors who are being victimized by political retaliation oftentimes have no choice but to resign. Says the local school district auditor, “It’s very difficult to make a change if the organization is dysfunctional. Sometimes you can make renovations to a house that will improve the functionality, but sometimes you just have to declare the house condemned and start over.” Memmott agrees. “I don’t think there is a lot of protection,” he points out, unless the practitioner is a mid-level or higher manager with civil service protection. 
And even then, he says, “you can make it tough for your boss to get rid of you, bloody everybody, and still lose.” And the bottom line is this: If the agency head is an elected official, the auditor needs to find a new job. It’s the elected official’s domain, but you can choose not to work in that environment. Auditing “requires that courage,” Memmott adds. “It’s a reality of the game. And the higher you go, the more you have to accept that you’re out there on your own.”<br></p><p>Whether a victim of the politics of internal auditing or one who’s avoided that frustration, “Never compromise your principles or do anything illegal,” the mid-level school district auditor stresses. Part of that is learning not to take the treatment personally. “You definitely have to reconcile those feelings and understand that you’re the one doing the right thing. Don’t try to fit in,” that anonymous practitioner in a difficult situation urges. “Otherwise, you make emotional, bad decisions when you need to stay on the right track.”</p><p><em>Read </em><a href="http://bit.ly/2qOAAuU"><em>“The Public Sector Culture Conundrum”</em></a><em> from the American Center for Government Auditing (ACGA). Note that IIA public sector members are automatically ACGA members.</em> <br></p></span>Russell A. Jackson1


 

 
