Specialist or Generalist? or Generalist?<p>​The saying, “a jack of all trades is a master of none, but oftentimes better than a master of one,” provokes debate between specialists and generalists. This discussion extends to many fields, including internal auditing. </p><p>As internal audit’s role continues to grow, today’s practitioners are asked to do far more than their traditional responsibilities around operational assurance and regulatory compliance. This paradigm shift is particularly evident in The IIA’s Pulse of Internal Audit survey. The inaugural 2011 report lists fraud investigations, financial reporting, controls, compliance, and ethics investigations as the top areas of responsibility outside of traditional roles. In contrast, the 2019 report illustrates internal audit’s growing involvement in other key areas including cybersecurity, enterprise risk management, cost/expense reduction, and third-party risk.</p><p>Internal auditors are not only expected to broaden their scope of services, but also deepen them. Most audit functions believe they are falling short technically in key areas, as evidenced by lower competency ratings (scale of 1–5 with 5 as highly competent) in cybersecurity and IT audit (2.9), data analytics (2.9), and technical accounting standards (2.5-2.9) in Protiviti’s 2019 Internal Audit Capabilities and Needs Survey. </p><p>These seemingly conflicting qualities of depth and breadth raise an important question frequently asked by chief audit executives (CAEs) and practitioners alike: Is it better to specialize or generalize? </p><h2>The Practitioner</h2><p>First and foremost, the practitioner’s interests and career goals should guide any decision on specialization. On one hand, experienced practitioners may become specialists over time, whether intentionally through career planning, mentorship, technical training, and workload, or unintentionally through trial, error, and, ultimately, success within certain disciplines. Alternatively, audit new hires may find generalization appealing as it provides a means to learn various aspects of the business and explore alternate career options, or identify opportunities for future specialization within internal audit.</p><p>While audit new hires may be more likely to start their careers as generalists, audit leaders should not deter them from exploring specialization. As academic institutions and continuing professional education providers expand their offerings in highly technical areas such as cybersecurity and data analytics, new hires can enter the audit workforce with skills best suited for specialist roles.  </p><p>Regardless of experience level, practitioners may already have expressed specific interests or disinterests that will help department leadership better align projects with the appropriate resources. For instance, a new audit staff member may not have a specialization, but wants to limit his or her workload to IT audit and consulting projects. While smaller audit functions may not have the headcount or budget to allow for specialists, audit leadership must continuously engage their staff, understand their career aspirations, and foster their interests through mentorship and continuing education. If leadership does not facilitate these conversations, auditors should initiate the dialogue and ensure they receive opportunities to pursue their career interests.  </p><h3>The Department</h3><p>Every internal audit team is unique with respect to size, role, collective experience, and expertise. Therefore, a prescriptive ratio of specialists to generalists does not exist. Nonetheless, CAEs and auditors should have a clear understanding of their department’s mission, and the current risks and needs of the stakeholders they support. For example, an audit department of four at a mid-sized private company with relatively low compliance risk may emphasize versatility, and operate as interchangeable parts to support one another and respond to the dynamic needs of its stakeholders.</p><p>Alternatively, a large international corporation with an audit staff of 50 may have more defined and consistent roles for its team members, including designated subject-matter experts based on country, business unit, or discipline. </p><h3>The CAE</h3><p>Whether the emphasis is on agility, expertise, or some combination, every CAE will have a different vision for the depth and breadth of the department’s workload. Because this vision can be shaped by the goals, interests, and skills of the staff, needs of the organization, and size and role of the function, CAEs should benchmark these items against the long-term goals of the department. For instance, if the department has established itself as a trusted compliance watchdog, but the CAE has longer-term ambitions of growing its advisory wing, the CAE should establish a formal strategy that encompasses recruiting, training, project mix, and stakeholder engagement to ensure these goals are achieved.</p><p>Furthermore, an opportunistic CAE with the optimal combination of resources and corresponding organizational needs may counter the specialist/generalist question by asking, why not both? While it seems contradictory to be a specialist and a generalist, CAEs can recruit and develop a diverse staff that includes both to ensure expertise and flexibility to respond to dynamic organizational needs.</p><h3>The Organization</h3><p>As a shared service, internal audit has an obligation to provide value to its varied internal stakeholders. Often, an organization’s copious needs may not be fully met by internal audit’s finite resources. As a result, audit departments should use enterprise risk assessments, materiality, and stakeholder feedback to identify the most pressing organizational needs and impactful project opportunities. </p><p>Additionally, organizations without dedicated departments or subject-matter experts in disciplines such as enterprise risk management, data analytics, and cybersecurity may be more inclined to seek out internal audit to help address needs in these areas. This is provided that the audit team has specialists with the requisite expertise and availability. For instance, a large company with a robust data analytics department may be less likely to engage internal audit to perform similar work than a smaller organization without a dedicated analytics function. Nonetheless, internal auditors can still provide value under those circumstances by assisting the analytics department with tasks such as validation of the completeness and accuracy of the data sets used and providing context to analytical results based on their knowledge of the business. </p><h3>Align Talent With Needs</h3><p>Internal audit’s expanded role has afforded today’s CAEs and practitioners new opportunities with respect to the depth and breadth of their workload, but it also presents new challenges and decisions around the merits of specialization versus generalization. These decisions should not be made in a vacuum, but rather through careful and informed considerations, including practitioner goals and interests, audit department size, role and vision, and organizational needs. But regardless of whether one is a “jack of all trades,” a “master of one,” or a hybrid of the two, internal auditors can maximize their value by aligning their talents and workload with their stakeholders’ needs.  <br></p>Jack Pelikan1
Editor's Note: Enjoy the Ride's Note: Enjoy the Ride<p>​No profession stays the same. If it doesn’t evolve, it doesn’t survive. In today’s changing business world, continuous skills development is key to succeeding. Professionals need to hold on tight, as keeping skills current can be a dizzying ride. </p><p>Take magazine publishing, for example. Last week, I interviewed IIA President and CEO Richard Chambers for a <a href="/Pages/videos.aspx?v=385087401">video</a> for Ten years ago, hosting a video would not have been part of my job description. Once solely a print-based industry, magazine publishing has transformed into a mix of print and digital to address the many ways readers consume content. Digital magazine publishing requires a different set of editing skills, as well as knowledge of apps, video, podcasts, etc. From someone who is evolving with the profession, it has been, and continues to be, a fun and challenging experience. </p><p>The same can be said about the internal audit profession. Once a profession of ticks and ties, today’s internal auditors are consultants and advisors to their organizations on topics ranging from strategy to cybersecurity. Their required skills have grown immensely. “There is a redefinition of capabilities grounded in three dimensions: business acumen, analytics acumen, and technology acumen,” says Mike Maali, a partner at PwC, in <a href="/2020/Pages/Forming-Todays-Internal-Audit-Function.aspx">“Forming Today’s Internal Audit Function.”</a>  </p><p>In the same article, author Russell Jackson compares staffing internal audit with all of those requisite capabilities to solving a Rubik’s Cube. “But just as a Rubik’s Cube can be solved, there is a solution for internal audit department staffing,” he writes. </p><p>According to Chambers, focusing on the gaps is the start of that solution. “What it really involves is constantly looking at your capabilities as an internal audit department compared with the risks that the organization faces and the demands that are being placed on it,” he says in our recent video interview. He tells me departments then need to develop talent internally or come up with a good sourcing strategy to address the gaps. </p><p>That strategy could involve <em>gig</em> employees, temporary hires brought on for a project or to address a specific short- or long-term need, or some other limited solution. “We’re seeing more organizations using rotational or guest auditor programs to engage professionals with diverse areas of expertise outside of internal audit to help address the varied challenges that core internal audit work presents,” says Sandy Pundmann, U.S. internal audit leader at Deloitte, in <a href="/2020/Pages/The-Evolution-of-Talent-Management.aspx">“Eye on Business.”</a> </p><p>This issue is chock-full of advice from experts on how audit functions and internal auditors can grow and expand their knowledge to thrive in today’s business environment. As in other professions, it’s a challenging proposition. My advice? Enjoy the ride. <br></p>Anne Millage0
Where There's Smoke There's Not Always Fire There's Smoke There's Not Always Fire<p style="text-align:left;">How often have you noted significant anomalies during an audit or investigation, only to learn that each area of concern had a legitimate explanation? However objectively we approach a given task, it's natural for our thoughts to bend to incongruities captured in raw data. What we can't justify immediately, we often suspect irrationally and leap headfirst into an auditor's nefarious abyss: What are they hiding, how can we reveal it, and when do we expose the truth?  </p><p style="text-align:left;">Most auditors have likely either witnessed or participated in this behavior at one point in their career. But are we doing enough to address it? Given the speed of technology, ease of communication, vulnerabilities of data, and general lack of privacy, it's imperative that internal auditors look before they leap. We need to understand that any needless, careless, and unsubstantiated conversations, communication, and banter may have adverse consequences. </p><p style="text-align:left;">An audit investigation executed some time ago serves as an excellent example of why our professionalism, objectivity, and investigative skills are critical for accuracy and accountability — and necessary to avoid jumping to conclusions.<br></p><h2>The Fraud That Really Wasn't</h2><p style="text-align:left;">The assignment involved an audit of a foreign third-party service provider, prompted by a tip that something was amiss. Initially, the auditors looked at numerous data points. They began with low-hanging fruit — the invoicing process.</p><p style="text-align:left;">A query of the provider's invoicing revealed common irregularities, including absence of information, lack of agreed rates, omission of details for charges, and the appearance of inflated charges. As the team gathered and analyzed more data, the lead auditor discovered numerous redundant invoices with differing sums. <br></p><p style="text-align:left;">The team also found that there was no current contract with the service provider, and that the provider did not maintain a physical office in the country. What's more, the review had revealed an invoicing discrepancy of nearly $3.5 million. The audit team, certain they had uncovered a major fraud, embarked on fanatical "gotcha" quest: The communication was lively, the chatter was loud, and the conspiracy theories ran wild. </p><p style="text-align:left;">The hastily drawn conclusion: A shell company had been formed with intent to defraud. The auditors informed management, affected departments, and legal. Everyone was on alert. </p><p style="text-align:left;">Case solved? Not exactly. Management realized the chaos had compromised the audit's integrity and objectivity. The scope had been lost, conclusions weren't confirmed, and costs were bloating. The audit was then reassigned. </p><p style="text-align:left;">The incoming team was tasked with performing the same audit. However, it had no vested interest in either party, and it wasn't exposed to the prior atmosphere. The goal was simple: Conduct a comprehensive audit and investigation (per the original scope), sequester noise, analyze the facts, and find the disconnects, if any.  </p><p style="text-align:left;">The new team confirmed that invoicing was, indeed, a mess, noting the same issues as the previous auditors. But how it got to that point had yet to be explored. </p><p style="text-align:left;">The auditors found zero omission of key metrics on the service provider's invoices. However, they did notice a limitation in the amount of data the client's accounts payable system could process. The service provider was unaware of this issue, and the accounts payable team never questioned the lack of substantiating evidence. </p><p style="text-align:left;">The internal auditors then met with the service provider's accounting team, which showed them a spreadsheet it used to create and calculate invoices. Upon close examination, internal audit found that the spreadsheet's calculation formulas were incorrect. </p><p style="text-align:left;">The auditors also found that the client's invoicing receipt system did not allow the service provider to tag an original invoice for errors. Instead, invoices were cancelled and reissued under a new date and number. The difference in amounts spotted by the previous auditors was due to the fluctuation of the foreign exchange rates at the time of resubmittal. Moreover, the service provider was performing work based on an expired contract — of which neither the client nor the provider was aware. </p><p style="text-align:left;">Lastly, the provider's lack of a physical office in the country where the work was performed and sourced proved to be a nonissue. The provider used a shared office space that had no impact on its day-to-day operations. </p><p style="text-align:left;">With these details revealed, reports were then filed and accusations of fraud were put to rest. The service provider relationship remained fully intact; case closed. And of course, this outcome differed vastly from the gloomy picture depicted by the original auditors. <br></p><h2>Don't Trigger a False Alarm</h2><p style="text-align:left;">It's imperative that we remind ourselves — as well as new colleagues, trainees, and graduates — about the importance of differentiating fog and smoke, and prematurely yelling "fire." As internal auditors, we must conduct business in the most objective and professional manner.  When we panic, our clients panic. </p><p style="text-align:left;">There will always be red flags — poring over an area long enough inevitably reveals them. How we approach, analyze, and communicate issues is what can often differentiate a legitimate finding from a false alarm.<br></p>Galina Seliounina Guidry​1
Use Your Head Your Head<p>The need for internal auditors to understand and apply critical thinking seems self-evident, especially with research showing the importance chief audit executives (CAEs) place on this skill. It’s also made an outstanding showing in The IIA’s annual Pulse of Internal Audit survey over the years. In 2018, 95% considered critical-thinking skills essential to their function’s ability to perform its responsibilities.<br></p><p>Unfortunately, while everyone agrees that critical thinking is important, they find it hard to define exactly what it is. If you ask 10 CAEs, you are likely to get 10 different answers. And at the core, those answers boil down to nothing more than internal auditors using their brains.</p><p>Fortunately, The Foundation for Critical Thinking provides a more practical definition: “The intellectually disciplined process of actively and skillfully conceptualizing, applying, analyzing, synthesizing, and/or evaluating information gathered from, or generated by, observation, experience, reflection, reasoning, or communication, as a guide to belief and action.”</p><p>Using this definition, the Foundation for Critical Thinking developed an outline for critical thinking based on eight elements, described in the book, <em>The Thinker’s Guide to Analytic Thinking</em>, by Linda Elder and Richard Paul. Following is a framework for internal auditors’ use of critical thinking based on these elements.</p><h2>Thinking Critically </h2><p>Critical thinking requires understanding the purpose of the individual task toward determining the question to be answered. It also involves recognizing the various points of view brought to the task, as well as the assumptions, concepts, and theories upon which the work will be based. Information is gathered, leading to inferences or preliminary conclusions, which come together to provide final conclusions and consequences.</p><p>Thinking critically about the audit process means thinking critically about audit engagement tasks. This requires evaluating the tasks, such as interviews, functional tests, and risk assessments to better understand not only how they are completed, but also how critical thinking was used and how it can be used more effectively in the future. Some people consider critical thinking to be “thinking about how you think.” <br></p><p><strong>Understand the Purpose</strong> Identifying the objective of an audit engagement is fundamental. But the first step in critical thinking applies this concept to each activity conducted within the audit, providing guidance for the critical thinking that follows. The objective of an interview might be to learn the interviewee’s understanding of the process, the purpose of a test might be to ensure the organization is compliant with a specific regulation, and the goal of a meeting might be to confirm all parties understand the audit process. These objectives are often assumed, but critical thinking requires the auditor to be able to articulate them.<br></p><p><strong>Determine the Question</strong> The point of critical thinking is to come to a conclusion regarding a question or problem. Therefore, to think critically, internal auditors need to determine, based on the previously defined purpose, what question the individual task (test, interview, process documentation, etc.) will answer. Does this person understand his or her role in the accounts payable process? Is there a more efficient way to ensure new hires are appropriately vetted? Does the data support the effectiveness of controls? The question can be specific or broad, based on the detail of the work being done and the individuals involved. But it should align with the task’s purpose, as well as the overall purpose of the engagement.<br></p><p><strong>Understand Your Points of View</strong> Everyone approaches a situation with points of view, both positive and negative. Effective critical thinking requires understanding how they impact the ensuing analysis. Internal audit’s point of view might be that the department helps the organization achieve its objectives. However, because of internal audit’s focus on risks and controls, it also may approach engagements with a point of view that is skewed toward risk aversion or ignores missed opportunities as part of an assessment. For this reason, it is important to also consider other points of view and, as appropriate, include them in the analysis. <br></p><p><strong>Determine Assumptions</strong> Effective critical thinkers step back to determine the assumptions — beliefs we take for granted at subconscious or unconscious levels — being made to adjust for them. These can be positive (everyone in the organization is working toward success, or the client sees internal audit as a partner) or negative (the department being reviewed has never run well and will continue to run poorly, or no one in the organization sees the value of internal audit). Any of these could be true, but they should be evaluated to determine if they are accurate and what impact they will have on the analysis. <br></p><p><strong>Identify Concepts and Theories</strong> Concepts, theories, and principles help make sense of things. They are different than assumptions, which are ideas and beliefs brought to a project. Concepts and theories are the additional information and ideas that may be needed to conduct the analysis. Some of this information may already be known, such as control frameworks or standards for internal auditing. Others may require additional research, such as applicable laws and regulations or best practices in the industry. Ultimately, the internal auditor should confirm that, in every audit task, he or she understands the concepts and theories needed to answer the question being asked.<br></p><p><strong>Gather Information</strong> At the core of critical thinking is information, which is the lifeblood of internal audit work. Without it — data, evidence, and facts — there is nothing on which to base inferences and conclusions. Information should be applicable to the purpose and the question being asked, and the points of view, assumptions, concepts, and theories can result in the need for additional information. Many audit processes — interviewing, testing, process analysis, etc. — also are methods for gathering information.<br></p><p><strong>Recognize Inferences</strong> Analysis should begin when the audit engagement starts, with the auditor immediately drawing inferences and preliminary conclusions. This involves constructing hypotheses regarding what is occurring, then subjecting them to further analysis. For example, an initial interview may infer that a process is well-understood and controls are effective. Subsequent testing proves that controls are not working as designed and significant delays and errors are occurring. It is not that the initial inference was incorrect. Rather, the initial inference provided a base to identify the need for additional information. <br></p><p><strong>Provide Final Conclusions and Consequences</strong> This is the final step in the critical-thinking process. The testing, interviewing, reviewing, and analyzing lead to conclusions that answer the question and satisfy the purpose of the audit task. The conclusions also should provide direction on how to proceed — more testing, more interviews, additional data gathering, or completing the audit engagement. </p><h2>The Audit Process</h2><p>The preceding descriptions show how every stage of an audit engagement can be evaluated with an eye toward using effective critical thinking. However, specific issues related to the elements of critical thinking should be considered within every audit task. <br></p><p><strong>Risk Assessment</strong> One cause of the Great Recession was the subprime mortgage crisis. Analysts believe the complicated nature of these securities resulted in few people understanding how they actually worked or the impact of the associated risks. The lesson is that sufficient information should be gathered in the risk assessment process to ensure the intricacies of the process, as well as the associated risks, are understood. If the auditor does not feel comfortable with his or her understanding of how things work and how they might go wrong, then the audit task should not proceed until more information is obtained.</p><p>The subprime mortgage crisis also points to another important part of critical thinking in the risk assessment process: One reason the crisis was allowed to escalate was that everyone was benefiting. And people seldom question success. When a process or product is succeeding, the unconscious assumption is that risks are well-controlled. This leads to the inference that risks are mitigated and no further reviews are needed. Stated this way, we can see the fallacy. But it only becomes obvious when viewed through the lens of the critical-thinking framework.<br></p><p><strong>Interviewing</strong> A good interviewer confirms the answers given answer the questions asked and support the overall purpose of the interview. In addition, because people, even internal auditors, have personal agendas, the interviewer should safeguard that no assumptions about the validity of answers intrude on inferences being drawn. <br></p><p>Inferences will be made during the interview regarding how new information may have changed the structure of the interview, the subsequent information gathering, the purpose of the interview, and, in rare cases, the purpose of the engagement. Navigational change can come from any task within the audit process.<br></p><p><strong>Process Documentation</strong> As with interviewing, information gathered during process documentation may result in navigational changes. And it is important that the internal auditor not look only at what is presented. Taking off the blinders — watching what else is occurring — may result in inferences and preliminary conclusions that change the focus of the audit. For example, if the auditor is working in a warehouse and notices an unmarked van occasionally picking up a box or two, it may represent a significant issue requiring follow-up. Even something as simple as a large pile of papers on a desk may indicate an issue that needs to be addressed. <br></p><p><strong>Testing</strong> Entrepreneur and author Seth Godin notes, “Connecting the dots … is more essential than ever before. Why, then, do we spend so much time collecting dots instead? [A] big bag of dots isn’t worth nearly as much as [a] handful of insight.” The volume and accessibility of data has resulted in including as much data as possible in every test. Critical thinking requires understanding why specific data is needed — how it supports the purpose of the test, itself, and of the audit engagement. A 100% sample may not be required, no matter how easy it is to retrieve. Being awash in data can actually inhibit the critical-thinking process. Never gather data just because you can; gather data because it supports what you are trying to achieve.</p><h2>Report Writing</h2><p>Much of internal audit’s focus on critical thinking centers on report writing, when all the inferences and conclusions come together for presentation to the client. But everything that goes into the report — the data gathering, the process descriptions, the conclusions — should have occurred long before the report is drafted. If critical thinking is applied throughout the internal audit process, one of the biggest struggles in report writing can be eliminated.</p><p>The overall purpose of report writing needs to be understood and some additional questions need to be addressed, such as what is the purpose of the report, who is the report for, what does the reader care about, and what is internal audit trying to say? Answering these questions — reviewing the assumptions that are being made about reports — will give the internal auditor a better grasp of the content to include.</p><h2>Thinking About How You Think</h2><p>Thinking about how you think is the first step every internal auditor should take. A good exercise is to take a specific task — an upcoming interview, functional test, or walk-through — and work through the critical-thinking framework. This will help auditors see the good and bad habits they use in the thinking process and allow them to build on their strengths and work on their weaknesses. Continue this exercise and, eventually, an increased awareness of how critical thinking is used in all situations will develop. And it will make auditors, audit departments, and the profession better. <br></p>Mike Jacka1
The Lines of Independence Lines of Independence<p>A lead auditor comes to work one day and is instructed to do an audit engagement with another auditor. However, the lead auditor is aware that the indicated team member is not independent with regard to the underlying audit subject. The prudent and diligent lead auditor presents this information to the relevant superior and asks that the team member be replaced. Yet, not only is the compromised auditor left on the engagement, but the lead auditor is then instructed not to share this information with anyone and to conduct the audit engagement as initially planned. What should the lead auditor do?</p><p>Standard 1100: Independence and Objectivity says internal auditors are expected to be objective and independent in performing their professional duties. However, there isn’t always specific guidance on how they should behave in situations that put ethical pressure on them. The first question is whether the auditor is even able to recognize such a situation. Once that is determined, the next relevant question is who can the auditor escalate the issue to. In such instances, the auditor may be afraid of losing his or her job by speaking up about these kinds of issues.</p><p>Several suggestions may help internal auditors deal with challenging ethical situations while protecting their own independence.</p><h2>Start From the Beginning</h2><p>Internal auditors are obligated to adhere to The IIA’s Code of Ethics, the principles and expectations that govern the behavior of auditors in conducting their work. The Code of Ethics comprises integrity, objectivity, confidentiality, and competency. Although these principles are general in their nature, each has minimum requirements for conduct and behavioral expectations. Ultimately, they set the tone for the ethical practice of internal auditing. Thus, understanding and keeping in mind the requirements outlined in the Code of Ethics is an excellent starting point for every internal auditor in preserving his or her independence and conducting ethical audit engagements (see The IIA’s implementation guidance on the Code of Ethics released in early 2019).</p><h2>Speak Up<br></h2><p>Presenting the situation realistically, based on facts, and with all the relevant details, can help auditors protect themselves. Internal auditors derive objective conclusions based on facts in their everyday work. By not speaking up, auditors can inadvertently become collaborators and supporters of ethical violations, which can impair their own independence. Regardless of the specific circumstances, auditors should be aware that working on an engagement with another auditor whose independence is impaired weakens the independence of all involved auditors and the entire audit engagement.</p><h2>Ask for Advice</h2><p>Some ethical problems may not have an obvious solution. One good option may be to ask colleagues with more experience for advice. Without necessarily presenting the underlying situation with complete details, auditors can get valuable advice on how to protect themselves and create a win-win situation for everyone involved. Additionally, auditors might find it useful for their own professional development to listen to the experiences of their colleagues. Hearing about ethical challenges that others have faced can help auditors recognize the indicators of independence impairment.</p><h2>Create Ethical Safeguards</h2><p>There are no rules that can help auditors preserve their independence in every situation they may encounter while doing their jobs. Being unaware of their impaired independence does not excuse auditors from responsibility. On the contrary, it is up to all auditors to recognize the situation they are in and to adequately protect themselves. With the right approach to engagements, auditors can eliminate the possibility of compromising their independence. </p><p>Some examples of situations that may adversely affect auditor independence include:</p><ul><li>Intimidation by management that makes the auditor concerned about his or her job.</li><li>Personal relationships outside of the office with the CEO, chief financial officer, senior managers, chief audit executive (CAE), other auditors, or employees in the area being audited. <br></li><li>Accepting gifts or favors from co-workers who may expect something in return.</li><li>Assigning auditors to assurance engagements in their previous employment area less than one year after transitioning into internal audit.</li><li>Expecting auditors to make business decisions and perform nonaudit-related operational tasks.</li><li>Basing auditor compensation on the number of audit findings during engagements.</li></ul><h2>Escalate the Issue</h2><p>One effective way to deal with an ethical dilemma in which there is a threat to an auditor’s independence is to escalate the issue. In the case of the lead auditor letting the audit supervisor know of a compromised team member and the supervisor keeping that auditor on the engagement, the lead auditor should ask the supervisor why he or she wants to move forward with that auditor. If there is good reason, the lead auditor should remind the supervisor that the <em>International Standards for the Professional Practice of Internal Auditing</em> requires that the impairment be disclosed to relevant parties. If escalating the issue to the direct supervisor does not help, the next step should be to escalate it within the audit department. If the CAE then does not address the issue, the lead auditor should consider the harm lack of independence might cause. If it is significant, other escalation possibilities should be considered. Whistleblowing systems and ethics hotlines, which are generally present in organizations today, can help auditors report any questionable situations they are dealing with without direct confrontation.</p><h2>Long-term Implications</h2><p>If an internal auditor is confronted with a situation that impairs his or her independence or that of a team member, and none of the actions taken has resolved the issue, then he or she should consider the long-term implications. As a last resort, an auditor can resign from the job. If an auditor’s independence were found to be compromised and he or she was working unethically, the auditor could not only be fired, but he or she could also lose all professional credibility, which can be difficult to regain.</p><h2>The Basis of Board Trust</h2><p>The IIA defines <em>internal auditing</em> as an “independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” Boards of directors rely on internal audit to provide them with reliable information for effective decision-making. This information is most trusted when it comes from an internal audit function that demonstrates its independence.   <br></p>Maja Milosavljevic1
Internal Auditors Should Be Brave Auditors Should Be Brave<p>"You can’t say that!”<br></p><p>My boss, the chief audit executive (CAE), was telling me to change the audit report. For the second year in a row, my team found that accounting was not performing important reconciliations on time. As a result, financial reporting could be materially misstated and significant fraud might go undetected.</p><p>Rather than simply advising on-time completion of reconciliations, the audit team had performed a root cause analysis. They found that, due to cost-cutting, staffing in the unit responsible for the reconciliations had not only been reduced but also tasked with numerous special projects. The unit lacked sufficient people to meet its responsibilities without significant overtime, which management would not approve. Even if it did, the level of overtime would inevitably lead to burnout and the loss of valuable employees. Although we had found deficiencies relating to reconciliations, the staffing issue might affect the performance of other important controls.</p><p>The draft audit report explained that insufficient resources had elevated the unit’s risk level and recommended adding permanent staff or contractors at month-end. The CAE, however, was reluctant to include that information. He said that his name was on the audit report, and he refused to recommend an action he was sure management would ignore. In fact, management would be angry that we had questioned its cost-cutting strategy. We delivered the report without identifying the root cause and merely recommended completion of the reconciliations.</p><p>The original report was correct, explained the business risk, and recommended appropriate corrective actions. But perhaps because he feared how management would react, the CAE kept part of the story — part of the risk — to himself. The CAE, in other words, was not brave.</p><p>It can be hard for internal auditors to tell their stakeholders, whether at the board level or in top management, what is putting the organization at greatest risk. It can be hard to say that control failures stem from insufficient staffing, inadequate pay, or imperfect leadership. It can be hard to say that the organization’s structure, processes, people, and methods are not agile enough to succeed in today’s dynamic world. But these are all truths that need to be told. If no one tells the emperor he has no clothes, he will carry on without them.</p><p>Internal auditors at every level are subject to all kinds of pressure that may inhibit them from speaking out. Yet if they are to be effective, they must be able to do so — even at great personal risk.</p><h2>The Ineffective Manager<br></h2><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>​What is Bravery?</strong><br> </p> <p>Under ideal circumstances, the audit committee would help create an environment that enables the chief audit executive to be brave. But few board members will oppose an angry CEO or CFO in favor of a respected but more junior and expendable executive.</p><p>Internal auditors need to be brave, but not reckless. Several practices can help auditors take bold action when needed, including:</p><ul><li>Building trusted relationships with the top executives and each individual on the audit committee.</li><li>Planning the communication carefully, laying the groundwork for each discussion. Make sure your words are clear and unlikely to be misunderstood.</li><li>Communicating in person, one-on-one, and not relying on others to communicate for you.</li><li>Moving progressively up the organizational hierarchy, approaching each individual with an open mind and listening to his or her views — obtaining agreement and support before moving to the next level. Respect each individual’s needs and the implications of the situation for him or her personally as well as for the organization. Consider asking each of them to attend your meetings with more senior management, all the way to the board, as appropriate.</li><li>Listening and being prepared to modify your assessment if you’re wrong, even if it’s just moderating the language.</li><li>Talking with and listening to allies and others who can help you.</li><li>Ensuring no one is surprised, especially in front of others.</li><li>Building a reputation for maintaining professional integrity. Honesty, ethics, and professional responsibility should always be top of mind.<br></li></ul></td></tr></tbody></table><p>A few years later, when I served as CAE at another organization, I tasked my team with an audit of the Commercial Accounting function. Significant billing errors had been made, and our priority was to find out why.</p><p>When we interviewed the department head, a rising star at the company, he explained that errors had been made because his employees were incompetent. Not a single accountant had passed the CPA exam. As a result, he had to do all the challenging tasks himself, requiring him to work many hours each day and most weekends. Mistakes were inevitable. He asked that we recommend human resources change the job requirements to include a CPA or equivalent. </p><p>The audit lead asked me if we could make such a recommendation. His team confirmed that the department head was Commercial Accounting’s only CPA and that the function often needed to perform complex accounting tasks. I told him to speak with each of the Commercial Accounting staff members and form his own opinion on whether they were competent to perform the work. </p><p>The interviews went well. I was surprised to learn that the staff had many years’ experience in commercial accounting, including the more complex tasks the department head said they were not competent to perform. The employees were proficient, but their manager did not allow them to make decisions. In fact, he gave them simple assignments and never explained what he was trying to accomplish. Many of the employees were frustrated and considering leaving the company. </p><p>The department head was the root cause of the control failures. The audit team asked if we should indicate that in the audit report. I said there were better ways to communicate the results of the audit and our assessment — as well as our advice and insight — than the formal, written audit report. </p><p>I sat down with the division CEO, one of the top three executives in the company, and shared the facts. He told me he had suspected a management problem but hesitated to act because the corporate chief financial officer (CFO) favored the department head. He asked what I thought should be done — I refrained from recommending specific actions, in the interest of maintaining my independence.</p><p>We issued the audit report after discussing the situation with all senior parties. In the report, audit committee members saw an assessment that, while errors had been made, appropriate actions had been taken. I shared the rest of the story with them at the next audit committee meeting, with additional comments from the division CEO and the corporate CFO.</p><p>Was this an act of bravery? Looking back, I can say that while it was difficult to tell senior management that a rising star was not only underperforming but unlikely to be effective in the future, the risk to me was minimal. I explained the facts objectively and dispassionately, allowing senior management to make an informed and intelligent decision. They respected that ability and our willingness to go beyond traditional auditing to provide them with our insights on the management of Commercial Accounting. By the time I had to report to the audit committee, I had the support of each member of management. The division CEO, who attended the meeting, told the directors he agreed with our assessment and that we had taken the appropriate action.</p><h2>The Fearful CAE <br></h2><p>At my next company, the audit team uncovered financial statement frauds in several U.S. locations within the organization’s largest business unit. The company had more than 100 locations around the world, most of which were underperforming. Senior management was thinking about consolidating operations to cut costs, placing the locations’ general and financial managers under great pressure.</p><p>I wanted to know why so many local U.S. controllers were manipulating their financial results to show profits when, in fact, they were breaking even at best. Our inquiries revealed they were not doing so to put money in their pockets; their motive was to save their unit from closure. But we also uncovered a more significant problem: When the local controllers reported a projected loss to the business unit controller at headquarters (HQ) during their quarterly updates, he consistently asked them to “find a way to make the number.” After discussing the instruction with their local general manager and finding no legitimate means of achieving their financial targets, the unit controllers fabricated profits. </p><p>Once we started auditing, the frauds were easy to find — management subsequently terminated both the local controllers and general managers. But my concern was not limited to whether the business unit controller had acted inappropriately; I also considered the possibility of a pervasive control environment or culture issue.</p><p>The HQ business unit controller did not direct the unit controllers to act inappropriately, but he failed to impress on them the need to act with integrity despite the pressure. When I explained the situation to the corporate CFO, to whom I reported, he expressed confidence in financial management of the business unit at HQ. I had no persuasive evidence that either the CFO or the HQ controller intended the units to manipulate their financial results. I asked the CFO to reinforce the need for integrity by sending a memo to that effect to the company’s entire financial staff, but he said the code of ethics already covered this principle. I suggested a conference call with global finance leadership, but he said that was also unnecessary. I also suggested it might be prudent to have the local controllers report directly to HQ and then to him; he told me that was not how the organization operated.<br></p><p>After completing our investigations, we concluded the frauds were not material to the financial statements. Still, the underlying conditions had not changed, and the possibility remained that additional fraud might be committed. I felt an obligation to share the facts with our audit committee, as well as my belief that the organization’s overall control environment could be improved to help the local controllers do the right thing regardless of pressure.</p><p>When I met with the committee chair, a retired CFO, he listened carefully and agreed that I had an obligation to share the facts, as well as my perspective on the control environment, with the full committee. He also agreed to talk to each of the audit committee members before the meeting to prepare them for the discussion.</p><p>Next, I informed the CFO that this would be on the audit committee’s upcoming meeting agenda and outlined what I would say. I told him I would not imply he or his team was involved in the frauds. And while I offered to forewarn the company’s CEO, the CFO insisted that I leave that conversation to him. The CFO also committed to share his perspective on the issue and what actions should be taken, after I had spoken.</p><p>Unfortunately, the committee meeting did not go well. The chair had not provided sufficient details about my report to all the committee members in advance, and one overreacted. He was afraid the CFO and corporate controller had been involved in the fraud, despite my assurance that I had no reason to believe they were. Although the committee member calmed down, the CFO did not speak up either to comment on the environment that led to the frauds or to suggest corrective actions. The CEO and the audit committee chair remained silent. </p><p>After the meeting, I spoke with the audit committee chair again. He apologized for the way the meeting had gone but said the committee would not support me in a dispute with the CFO. He knew that the CFO had at one point asked me to stop the audits that were identifying the frauds, which I declined to do, and that our relationship was strained. Moreover, he was as surprised as I was that the CFO didn’t comment during the meeting and suspected that was deliberate.</p><p>The audit committee believed in me, but the CFO was also highly respected and “had a bigger business card.” Both the CFO and the CEO wanted this issue to “go away” without having to take action themselves.</p><p>Shortly afterward, the HQ controller reached out to me; he said I had acted with integrity, agreed with my perspectives, and gave me his support. Nonetheless, the CFO and I agreed a few months later that we should part ways, and I left the company some time afterward.</p><p>Was I brave? I knew the CFO did not want this “dirty laundry” aired before the audit committee, and I knew he would likely find a way to remove me at some point. But I was professionally obliged to share the facts and what they meant with the audit committee. In hindsight, I should have spoken to each of the audit committee members myself, despite the chair saying he wanted to do it. Nobody attending the audit committee meeting should have been taken by surprise, as one director clearly was.</p><p>Perhaps others, such as the CAE I mentioned earlier, would have been more prudent. But even with hindsight, I believe I did what I had to do.</p><h2>Take a Stand<br></h2><p>Internal auditors must be determined to tell the harsh truth and do so in a way that clearly explains the facts and any recommended actions. They need to be prepared to sacrifice their job, and even their career, if necessary. Auditors must be brave, acting in the best interests of the organization and consistent with their principles. Anything less is a disservice to the profession and the stakeholders we serve. <br></p>Norman Marks1
Internal Auditing in 2020 Auditing in 2020<h2>What are the biggest risks organizations will face next year?<br></h2><p><strong>Joyce</strong> For many, cybersecurity, data management, and third-party vendor compliance will remain the biggest immediate concerns. Recruitment and retention of skilled employees will be an ongoing challenge. However, we are living in an unusually high period of general uncertainty. The economic and political environments, extreme weather, trade relations, regional military action, etc., all create the potential for “black swan” type risk events that auditors should be thinking about. This may require revising traditional risk assessment approaches to reflect the potential impact of these uncontrollable events.  </p><p><strong>Ybarra</strong> The continual rise of automation, robotics, and the less-than-predictable geopolitical climate will impact how organizations do business and will challenge their resilience. There will be more pressure to ensure operating strategies and staff are agile and flexible enough to withstand a potential recession, impacts to supply chains, and a changing workforce. The talent and platforms that are creating value today may need to quickly shift and adapt as things change more rapidly.<br></p><h2>What risks do digital transformation initiatives present organizations?</h2><p><strong><img src="/2019/PublishingImages/benito-ybarra.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Ybarra</strong> Organizations must ensure that digital transformation initiatives are prioritized and measured based on the criticality of their data assets. Undisciplined approaches that do not consider classification, access, and data security could incur more costs than the transformation is projected to save. Ensuring key players are involved in the development and execution of initiatives is critical to achieving higher success rates.</p><p><strong>Joyce</strong> The first risk would be failing to recognize the need to transform one’s business model quickly enough, and to establish a clear vision of the desired end state. The second risk would be failing to effectively manage these projects. These transformative projects tend to exceed expectations regarding complexity, budget, resource demands on personnel, scope creep, etc. Equally vital is ensuring a flawed process is not digitized in the hope that greater use of technology alone will create value. Like most large projects, a digital transformation initiative requires clearly established objectives that support the stated strategy, adequate resources and support from senior management, continuous supervision, measurable metrics to gauge progress, and contingency and parallel operational capabilities to mitigate delays.<br></p><h2>What opportunities does the recent change to the Statement on the Purpose of a Corporation offer internal audit?</h2><p><strong><img src="/2019/PublishingImages/Mike-Joyce.jpg" class="ms-rtePosition-1" alt="" style="margin:5px;" />Joyce</strong> You are referring to the Business Roundtable’s announcement in August 2019, when more than 180 CEOs committed to lead their companies for the benefit of all stakeholders. This represents a significant conceptual shift from their prior corporate governance statements, which have historically emphasized shareholder primacy as the dominant stakeholder. While it remains to be seen how effective this emphasis will eventually be, the idea that putting customers first, investing in employees and their local communities, engaging fairly and ethically with suppliers, and long-term value creation are directly connected to ultimately positive shareholder returns is certainly one that can be supported through internal audit assurance of the specific goals established to achieve measurable results. </p><p><strong>Ybarra</strong> The potential here is huge, as it calls for the focus of the organization and its leaders to be broader than providing shareholder value. Auditors will need to consider how organizations generate value, in addition to their focus on revenue and expense drivers. For instance, concluding on the organization’s ability to “support the communities in which we work” could be a monumental challenge for some internal auditors; however, focus on areas like this could help further differentiate and elevate an internal auditor’s role and highlight those with dynamic abilities. It will be increasingly important for auditors to communicate with boards and leadership to ensure focus in assessing progress in these areas is supported and aligned with expectations.<br></p><h2>What role should internal audit play in providing assurance over the information going to the board?</h2><p><strong>Ybarra</strong> The mission criticality and necessity of information going to the board should be assessed by internal audit and included, to some extent, in its engagement plan. Boards provide oversight and key approvals based on the information they are provided, and they must be assured that the information can be relied on. Deeper discussions with the executive team and audit committee regarding this level of assurance must occur to ensure their engagement and support.</p><p><strong>Joyce</strong> Clearly, recent survey results have demonstrated an inconsistent confidence level that boards receive the information they need to effectively manage strategic risks. To that end, chief audit executives (CAEs) might start by validating their audit committee’s comfort with the level, depth, and timeliness of information they currently receive to satisfy their oversight responsibilities. Are the internal processes that compile this information designed to promote accuracy and transparency? What information provided is highly valued, and what information is ignored, or found not to be relevant? Obviously, time and effort should be devoted to facilitating those information streams that most directly relate to the board’s strategic and governance accountabilities.</p><h2>How can internal audit help address toxic cultures in an age when corporate behavior is under the microscope?</h2><p><strong>Joyce</strong> There should be no tolerance in today’s world for toxic corporate behavior. It drives away good employees, and will ultimately damage or destroy organizations that fail to identify and correct it. Internal audit is in an ideal position to continually assess the ethical and compliance environment within their organizations, and report opportunities for resolving gaps. They can partner with their compliance, legal, and human resource functions to ensure that employees are encouraged to report potential wrongdoing, and are supported and protected when they do so. They can ensure that any appropriate corrective or disciplinary action is applied timely, fairly, and consistently at all levels. They can measure the actions and examples set by senior management, and reinforce their critical responsibility to serve as behavioral role models. They can ensure that dialogue at the audit committee level includes frank discussions on these subjects when applicable. </p><p><strong>Ybarra</strong> No. 1 is to take a position on identifying and rooting out issues with the culture. Auditors can get stymied by seeking undeniable criteria on which to base their conclusions. It will take: 1) creativity and communication to formulate and agree on the elements of culture that will be evaluated; 2) conducting engagements or including evaluation of these elements in every audit engagement; and 3) having the courage to report results, offer potential solutions, and follow up to ensure effectiveness and sustainability.<br></p><h2>What skills should CAEs be looking for in new internal audit hires going forward?</h2><p><strong>Ybarra</strong> In evaluating potential hires, CAEs should be looking for an ability to listen, process, and demonstrate understanding before offering solutions. I’ve run across too many internal auditors who have answers before the problems are even identified. The mark — and genesis — of internal auditors is in their ability to listen. It’s a basic skill that we need to continue to practice and teach.</p><p><strong>Joyce</strong> In many respects, the attributes of an effective new auditor haven’t changed much in my 36 years in the profession. Basic technical skills will always be required, and the emphasis on adopting and maximizing emerging technology will continue to grow. Having a problem-solving and inquisitive nature also are important. However, soft skills are ultimately what sets a great auditor apart from an average one. The ability to effectively communicate, both verbally and in writing, is more difficult to teach a new auditor than how to sample accounts payable invoices, for example. Much of our job should be engaging with operational staff in a manner that makes them comfortable enough to share information and explain processes in a way that we may not have identified on our own.  <br></p>Staff1
Mastering the Organization the Organization<p>How many times have you been asked by your stakeholders:</p><ul><li>What is the best practice in this process?</li><li>Why should I care about that control?</li><li>How have we addressed risk within our organization?</li><li><p>What about the smaller, less material areas? Are we adequately covered?</p></li></ul><p>Internal auditors, by nature of our position and the work we do, should have some level of expertise in all of the processes we touch. If internal audit's main goals are to 1) protect the organization and 2) add value, then we should always strive to learn and work toward understanding the areas we are assessing. But how does internal audit accomplish this? The internal audit team at US Silica in Katy, Texas, focuses on continually gaining trust, understanding its stakeholders, and stepping in to help. <br></p><h2>Gain Trust</h2><p>The audit function's expertise would be virtually meaningless without stakeholder confidence and trust in our ability to provide value. Our goal is to create a culture where individuals feel comfortable bringing issues to our team and trust that we will help address them, rather than simply writing up a report of the issue, placing blame, and walking away.</p><p>We gain trust by devoting time to educating departments, management, and employees on corporate governance, compliance with the U.S. Sarbanes-Oxley Act of 2002, revenue recognition principles, fraud, and all of the areas with which internal audit is involved. When we acquire a company or bring on new team members in any department, our first step is always to educate. Educating allows us to introduce the role of internal audit and foster a strong governance culture before issues arise or we perform audits. </p><p>Another part of gaining trust is to provide useful insights. To do that, internal audit first must ask the right questions, do our homework, and involve the correct people in our audits to ensure we have all of the puzzle pieces. Our expertise comes from being able to figure out which pieces are important and how they best fit together. For example, we are currently helping one of our locations streamline and automate several of its approval processes to reduce the amount of emails and manual touch points.  </p><h2>Understand Your Stakeholders</h2><p>Some people associate networking with simply learning about someone's personal interests or asking about his or her family. That is one part of getting to know one's colleagues. But for internal auditors to be successful, they must be able to turn the conversation to what is important to the organization's goals and use internal audit's experience to help improve upon the process. We listen to the frustrations that teams may have and think about how we can incorporate automation or systems, or how other departments are handling similar processes that might provide useful solutions.</p><p>When internal audit schedules planning meetings with teams within the company, we spend more time listening than talking. We may come prepared with a few questions based on our research of their role and department, and then we actively listen to what the client has to say. In creating a risk-based audit plan, the most useful audits come from understanding the goals of the organization, teams, and individuals and then shaping the plan around the risks the organization may face in achieving those goals.</p><h2>Walk the Talk</h2><p>This is where the hard work comes in. Internal audit partners with the organization. If there is an emergency or a broken process, we act as part of the team to help fix the problem. In other words, we demonstrate the expertise we've gained by applying it when needed. We do not use internal audit's independence as a scapegoat for not helping.</p><p>There are a multitude of ways internal audit can be a team player and maintain its independence. For instance, internal audit may not be able to post journal entries and put together reconciliations, but we can help find ways to automate processes, research issues, and propose better solutions. Internal audit can even go so far as helping create templates and determine the requirements for the proposed automation and then step aside and let the experts take it from there.</p><p>Not every audit needs to be a major overhaul — the quick wins matter too. Any support internal audit provides to making the company stronger and faster is going to have an impact. For example, our internal audit team helped achieve a quick win by researching and proposing higher materiality thresholds in lower risk processes to ensure the company is focusing on material transactions and reducing time spent in lower risk areas. We've also helped find long-term solutions such as implementing automation with third-party service providers to reduce manual workload and increase data accuracy.</p><p>And walking the talk goes beyond mastering the audits we are performing or processes we help fix to measuring and marketing internal audit's progress. There are countless articles that explain how to build one's brand, and it is just as important to build the internal audit team's brand. Advocating for internal audit will lead to others advocating for the positive change internal audit brings. </p><h2>Repeat and Evolve</h2><p>At US Silica, internal auditors strive to constantly improve. We stay current on industry technologies, tools, and techniques. We stay relevant by actively participating in project teams, reviewing our accomplishments and goals with management, and continually refining our internal audit processes to improve our team's approach. And if we can continue to focus on internal audit's core values, then our success will speak for itself in the work we do. <br></p>Robin Meister0
Audit Wellness Wellness<p style="text-align:justify;">Auditing is a knowledge-based profession, which means its practitioners have to think for a living. We work extensively with data, requiring significant concentration and focus. We evaluate the effectiveness of business operations, necessitating an ability to analyze and problem-solve. Our capacity to perform these activities effectively hinges not only on our expertise, but on how we take care of ourselves.</p><p style="text-align:justify;">The way we treat our bodies affects the chemicals in our brain, which in turn affects the performance of our minds. Without a strong and healthy mind, everything becomes more difficult — working with spreadsheets, performing analytics, communicating with clients, and so on. Even with extensive knowledge of audit standards and robust technical skills, a weak mind inevitably will affect audit effectiveness. For this reason, internal auditors may want to consider several wellness habits that could help fortify the mind and enhance work performance.<br></p><h2>Improve Focus and Concentration </h2><p style="text-align:justify;">Today's world presents a host of distractions — social media, emails, text messages, reminder notifications — that compromise our ability to focus. We have a "need to know now" tendency, where every notification chime or pop-up banner prompts an immediate screen check. But if we don't check Facebook, Twitter, or Instagram during the day — are we really missing anything important? Would the world come to an end if we didn't respond to emails right away? If someone had a truly urgent request or need, wouldn't a phone call likely accompany the emails or texts?</p><p style="text-align:justify;">According to a 2017 OfficeTeam survey of U.S. organizations, office employees spend about five hours each week on their cellphone focused on nonwork activities such as answering personal emails and checking social media accounts. Succumbing to distractions breaks one's concentration. Plus, valuable time and energy can be lost trying to get back into the flow of the previous task. These little distractions add up and over time negatively affect our budgets, project delivery, and work quality. An auditor's attention is already divided — working on different engagements, across multiple audit sections, with different directors and staff members — and the pressure to deliver can be intense. Introducing unnecessary distractions only makes it harder. Turning off the smartphone, or at least minimizing screen time, can go a long way toward maintaining one's attention on tasks at hand. </p><p style="text-align:justify;">Still, no one is born knowing how to focus. And the workplace is full of interruptions beyond our mobile devices. Co-worker drop-bys, impromptu meetings, Slack messages, and last-minute requests are part of most auditors' daily reality. Over time, these constant demands and interruptions take a toll on our attention span.</p><p style="text-align:justify;">Sustained focus is achieved through practice and deliberate actions. One form of focus training that has gained significant attention in recent years is daily meditation. <br></p><p style="text-align:justify;">According to a 2018 article in the <em>Journal of Cognitive Enhancement</em>, "Regular and intensive meditation sessions over the course of a lifetime could help a person remain attentive and focused well into old age." Researchers came to this conclusion based on results of one of the most extensive longitudinal studies examining a group of meditation practitioners. Beyond enhanced focus and concentration, studies also point to stress and anxiety reduction, improved emotional health, enhanced self-awareness, better sleep, and decreased blood pressure as benefits of regular meditation practice. Taking a daily, restorative mental break could help enhance overall well-being and improve readiness for whatever lies ahead. <br></p><h2>Enhance Learning</h2><p style="text-align:justify;">To keep up with the demands of their work, internal auditors must be able to learn quickly. Auditors do not have the luxury of spending years learning and understanding all the various facets of an organization or department. Practitioners need every advantage they can muster to help tackle what is often a steep learning curve. That requires agility and critical thinking, including the ability to apply past experience to new assignments and to find connections across different parts of the business. Without these skills, problems such as budget overruns and failure to provide timely deliverables are more likely to occur.</p><p style="text-align:justify;">One way of increasing mental agility and learning capacity is through physical exercise. According to a 2014 study conducted by the University of British Columbia, regular aerobic exercise boosts the size of the hippocampus — the area of the brain connected to verbal memory and learning. Other research has shown benefits of exercise to include better alertness, attention, and motivation. While exercise may sometimes feel like a drain on one's already busy schedule, the benefits of adding it to a daily or weekly routine can easily outweigh the cost of time it takes to perform.  <br></p><h2>Fight Fatigue</h2><p style="text-align:justify;">According to the book <em>Fatigue Science of Human Health,</em> co-edited by fatigue science expert Yasuyoshi Watanabe, "Mental fatigue caused by prolonged mental work not only [results in] an increase in sensation of fatigue, but also a decrease in work efficiency." Auditors can easily suffer from mental fatigue during busy season, or while working on a large project with several moving parts and a hard deadline. Fatigue can present itself in the form of drowsiness, decreased motivation, irritability, and distraction. The symptoms not only slow down our work, but could lead to errors in judgement, inaccurate interpretation of information, and loss of valuable time and money.</p><p style="text-align:justify;">One way to battle brain fatigue is by maintaining a healthy diet. According to an article by neurosurgery professor Fernando Gomez-Pinilla on, "Because the brain demands such high amounts of energy, the foods we consume greatly affect brain function." Food provides fuel for performance, but not all food is good for the body and mind. In fact, some foods actually reduce energy and can damage mental health and functioning. A 2018 <em>Healthline</em> article, "7 Foods That Drain Your Energy," lists the following culprits: bread and pasta; cereal and yogurts; alcohol; coffee; energy drinks; fried and fast foods; and low-calorie snacks, which can reduce energy levels.</p><p style="text-align:justify;">By contrast, many foods can serve to boost brain health and improve cognitive functioning. In its article, "Foods Linked to Better Brain Power," Harvard Medical School includes green, leafy vegetables, fatty fish, berries, and walnuts among a list of "best brain foods." So when mid-afternoon fatigue sets in during a critical audit engagement, practitioners may want to put down the sugary sweets in favor of these healthier, brain-friendly alternatives.</p><p style="text-align:justify;">Of course, what really sets the stage for mental alertness each day is what happens the night before — the amount of sleep a person gets. In a 2015 <em>Scientific American</em> article, John Peever, director of the Systems Neurobiology Laboratory at the University of Toronto, and Brian J. Murray, director the sleep laboratory of Sunny Health Center, described the function of sleep in this way: "Sleep serves to reenergize the body cells, clear waste from the brain, and support memory and learning." Research from the National Sleep Foundation indicates that adults need between seven and nine hours of uninterrupted sleep.</p><p style="text-align:justify;">Staying up late to binge-watch online content or catch up on social media has consequences. After working a long day, auditors should consider what their brain needs for the following days' work. <br></p><h2>Stay Well</h2><p style="text-align:justify;">Effective audit performance starts from within. Making healthy lifestyle choices can provide a solid foundation for any practitioner's well-being and ability to succeed. As research shows, maintaining a healthy body and mind is key to optimal performance. <br></p>Michelle Swaby1
Don't Just Measure It, Do Something!'t Just Measure It, Do Something!<p>​How do you measure the success of your internal audit department? The subject comes up repeatedly in conferences, articles, research, and chapter meetings. It is obviously an issue that plagues and perplexes audit departments everywhere, and finding the answer seems to be a holy grail quest for the profession.</p><p>The challenge certainly doesn’t come from a lack of possibilities. Everything from audits completed to use of available audit hours to requests for audits to customer satisfaction to corrective actions completed to efficiency improvements identified to certifications achieved to the number of auditors who can dance on the head of a pin have been suggested, adopted, and rejected. But we all continue to search for internal audit’s success-measurement El Dorado. </p><p>The reason our search continues to fail, even with this unending supply of possibilities, is that audit departments forget two important rules pertaining to the development of success measures. Rule No. 1: The measures should be developed in support of the audit department’s mission. If the department cannot demonstrate how the measures support that mission, then they become vanity measures serving no purpose other than saying, “Look at us!” Note also the assumptions built into this rule — internal audit has a mission statement, that mission is in alignment with the organization’s mission, and every auditor knows and can recite the mission statement. Missing any of these elements results in ineffective measures.</p><p>However, most important is rule No. 2: At the end of the day, have a plan for how all those measures will be used. Author and marketing guru Seth Godin once stated, “Don’t measure anything unless the data helps you make a better decision or change your actions.” And unless an audit department uses its measures to improve internal audit’s choices, do better work, or make the department more effective, then collecting the associated data is just a waste of resources, time, and effort. </p><p>Many audit functions measure, but I have seen very few that use those measures to get better. At most, if they are not meeting the criteria promised to the audit committee, there will be much wailing and gnashing of teeth as the chief audit executive promises improvements. Then the failures are merely used as a blunt instrument to bludgeon members of the audit department into doing better. </p><p>Internal audit functions rarely analyze their shortfalls against success measures to determine the root cause. Too often their response is a simple, “We didn’t meet the measures of success this year so, honest, we’ll work harder next time.” This is a response we wouldn’t accept from a client, and one we cannot accept from ourselves.</p><p>Make sure you are measuring the right things. Make sure you are meticulously ensuring the credibility of the resulting data. And then make sure you are using the results to effect positive change. </p><style> p.p1 { line-height:12.0px; } p.p2 { line-height:12.0px; } p.p3 { text-indent:18.0px; line-height:12.0px; } p.p4 { text-indent:9.0px; line-height:12.0px; min-height:11.0px; } p.p5 { line-height:9.0px; font:8.0px 'Interstate Light'; } span.s1 { letter-spacing:-0.1px; } span.s2 { letter-spacing:0.1px; } span.s3 { font:8.0px Interstate; } </style>Mike Jacka1

  • Auditboard_Feb 2020_Premium 1
  • IIA CIA_Feb 2020_Premium 2
  • IIA Training_Feb 2020_Premium 3